Daughter needs help with Vista Home Premium SP 2 Malware Help Needed


  • This topic is locked

#31
Nedklaw
    Trusted Helper
  • Malware Removal
  • 1,652 posts
Hi. :)


Step 1

Click Start and type cmd into the search box.
Right click on cmd and click on Run as Administrator
Type the following command, and then press Enter:

findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >%userprofile%\Desktop\sfcdetails.txt

The sfcdetails.txt file should be on your desktop. Please post this file in your next reply.


Step 2

Can you tell me what file Webroot removed and its location?


Things I want to see in your next reply

  • sfcdetails.txt
  • Answer to my question

  • 0
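The findstr command in Step 1 only extracts the [SR] lines; reading the result still means scanning hundreds of near-identical "Verifying 100 components" entries for the few that matter. The following is an added example (mine, not a tool the helper posted) that parses such an extract and tallies what a helper actually looks for: how many components were verified, whether SFC repaired anything, and which files it could not repair. The log lines embedded in it are constructed for the demo in the same layout as the thread's sfcdetails.txt; "Repairing N components" and "Cannot repair member file" are phrasings SFC writes to CBS.log, but example.dll and Example-Component are placeholders.

```python
"""Triage the [SR] lines that findstr pulls out of CBS.log (sfcdetails.txt).

Added example for this thread, not a tool the helper posted. It tallies a
System File Checker extract into the three outcomes that decide the next
step: clean, repaired, or corruption SFC could not fix.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input (same shape as the thread's sfcdetails.txt);
# example.dll / Example-Component are placeholders, not real components.
SAMPLE_LOG = """\
2012-02-16 04:23:32, Info CSI 00000006 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:23:32, Info CSI 00000007 [SR] Beginning Verify and Repair transaction
2012-02-16 04:23:40, Info CSI 00000009 [SR] Verify complete
2012-02-16 04:23:40, Info CSI 0000000a [SR] Verifying 47 (0x0000002f) components
2012-02-16 04:23:40, Info CSI 0000000b [SR] Beginning Verify and Repair transaction
2012-02-16 04:23:45, Info CSI 0000000c [SR] Cannot repair member file [l:22{11}]"example.dll" of Example-Component, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral in the store, hash mismatch
2012-02-16 04:23:49, Info CSI 0000000d [SR] Verify complete
2012-02-16 04:23:49, Info CSI 0000000e [SR] Repairing 1 components
2012-02-16 04:23:49, Info CSI 0000000f [SR] Beginning Verify and Repair transaction
2012-02-16 04:23:50, Info CSI 00000010 [SR] Repair complete
"""

# A raw CBS.log pads "Info" and "CSI" with many spaces; \s+ accepts either form.
SR_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), Info\s+CSI\s+"
    r"(?P<seq>[0-9a-f]{8})\s+\[SR\]\s+(?P<msg>.*)$"
)
VERIFYING = re.compile(r"^Verifying (\d+) \(0x[0-9a-fA-F]+\) components$")
REPAIRING = re.compile(r"^Repairing (\d+) components$")
CANNOT_REPAIR = re.compile(
    r'^Cannot repair member file \[[^\]]*\]"(?P<file>[^"]+)" of '
    r"(?P<component>[^,]+),.*?in the store, (?P<reason>.+)$"
)


@dataclass
class SfcSummary:
    batches: int = 0                 # "Verifying N components" blocks seen
    components_verified: int = 0     # sum of N over those blocks
    components_repaired: int = 0     # sum of N over "Repairing N components"
    unrepairable: list = field(default_factory=list)  # (file, component, reason)
    repair_complete: bool = False    # "[SR] Repair complete" was logged
    unparsed: int = 0                # lines that did not match the [SR] layout


def summarize(text: str) -> SfcSummary:
    """Parse an sfcdetails.txt extract and tally the SFC result."""
    s = SfcSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SR_LINE.match(line)
        if m is None:
            s.unparsed += 1
            continue
        msg = m["msg"]
        if v := VERIFYING.match(msg):
            s.batches += 1
            s.components_verified += int(v.group(1))
        elif r := REPAIRING.match(msg):
            s.components_repaired += int(r.group(1))
        elif c := CANNOT_REPAIR.match(msg):
            s.unrepairable.append((c["file"], c["component"], c["reason"]))
        elif msg == "Repair complete":
            s.repair_complete = True
    return s


def verdict(s: SfcSummary) -> str:
    """Reduce the tally to the outcomes a helper acts on."""
    if s.unrepairable:
        return "attention"      # SFC found corruption it could not fix
    if s.components_repaired:
        return "repaired"       # corruption found and fixed; re-run to confirm
    if s.repair_complete and s.components_verified:
        return "clean"          # the thread's log: verified, 0 repairs
    return "incomplete"         # scan never reached "Repair complete"


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"batches={result.batches} verified={result.components_verified} "
          f"repaired={result.components_repaired} verdict={verdict(result)}")
    for file, component, reason in result.unrepairable:
        print(f"  cannot repair {file} ({component}): {reason}")
```

Run against the thread's own sfcdetails.txt the verdict is "clean": every batch ends in "Verify complete", the final entries are "Repairing 0 components" and "Repair complete", and no "Cannot repair" line appears. An "attention" verdict is the case where a helper asks for the named file, since SFC has confirmed corruption it could not fix from the component store.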


#32
beabruin
    Member
  • Topic Starter
  • 73 posts
Hello,

The best I can remember, either W32 or Win32 Trojan was removed. I did search the various Webroot settings & log files, but it was not obviously apparent exactly what was removed. Here are the sfc scan details below.

2012-02-16 04:23:32, Info CSI 00000006 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:23:32, Info CSI 00000007 [SR] Beginning Verify and Repair transaction
2012-02-16 04:23:40, Info CSI 00000009 [SR] Verify complete
2012-02-16 04:23:40, Info CSI 0000000a [SR] Verifying 100 (0x00000064) components
2012-02-16 04:23:40, Info CSI 0000000b [SR] Beginning Verify and Repair transaction
2012-02-16 04:23:49, Info CSI 0000000d [SR] Verify complete
2012-02-16 04:23:49, Info CSI 0000000e [SR] Verifying 100 (0x00000064) components
2012-02-16 04:23:49, Info CSI 0000000f [SR] Beginning Verify and Repair transaction
2012-02-16 04:23:53, Info CSI 00000011 [SR] Verify complete
2012-02-16 04:23:54, Info CSI 00000012 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:23:54, Info CSI 00000013 [SR] Beginning Verify and Repair transaction
2012-02-16 04:23:57, Info CSI 00000015 [SR] Verify complete
2012-02-16 04:23:57, Info CSI 00000016 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:23:57, Info CSI 00000017 [SR] Beginning Verify and Repair transaction
2012-02-16 04:24:00, Info CSI 00000019 [SR] Verify complete
2012-02-16 04:24:01, Info CSI 0000001a [SR] Verifying 100 (0x00000064) components
2012-02-16 04:24:01, Info CSI 0000001b [SR] Beginning Verify and Repair transaction
2012-02-16 04:24:05, Info CSI 0000001d [SR] Verify complete
2012-02-16 04:24:06, Info CSI 0000001e [SR] Verifying 100 (0x00000064) components
2012-02-16 04:24:06, Info CSI 0000001f [SR] Beginning Verify and Repair transaction
2012-02-16 04:24:09, Info CSI 00000021 [SR] Verify complete
2012-02-16 04:24:10, Info CSI 00000022 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:24:10, Info CSI 00000023 [SR] Beginning Verify and Repair transaction
2012-02-16 04:24:14, Info CSI 00000025 [SR] Verify complete
2012-02-16 04:24:15, Info CSI 00000026 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:24:15, Info CSI 00000027 [SR] Beginning Verify and Repair transaction
2012-02-16 04:24:20, Info CSI 00000029 [SR] Verify complete
2012-02-16 04:24:21, Info CSI 0000002a [SR] Verifying 100 (0x00000064) components
2012-02-16 04:24:21, Info CSI 0000002b [SR] Beginning Verify and Repair transaction
2012-02-16 04:24:28, Info CSI 0000002d [SR] Verify complete
2012-02-16 04:24:28, Info CSI 0000002e [SR] Verifying 100 (0x00000064) components
2012-02-16 04:24:28, Info CSI 0000002f [SR] Beginning Verify and Repair transaction
2012-02-16 04:24:33, Info CSI 00000031 [SR] Verify complete
2012-02-16 04:24:34, Info CSI 00000032 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:24:34, Info CSI 00000033 [SR] Beginning Verify and Repair transaction
2012-02-16 04:24:39, Info CSI 00000035 [SR] Verify complete
2012-02-16 04:24:39, Info CSI 00000036 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:24:39, Info CSI 00000037 [SR] Beginning Verify and Repair transaction
2012-02-16 04:24:45, Info CSI 00000039 [SR] Verify complete
2012-02-16 04:24:46, Info CSI 0000003a [SR] Verifying 100 (0x00000064) components
2012-02-16 04:24:46, Info CSI 0000003b [SR] Beginning Verify and Repair transaction
2012-02-16 04:24:52, Info CSI 0000003d [SR] Verify complete
2012-02-16 04:24:53, Info CSI 0000003e [SR] Verifying 100 (0x00000064) components
2012-02-16 04:24:53, Info CSI 0000003f [SR] Beginning Verify and Repair transaction
2012-02-16 04:24:57, Info CSI 00000041 [SR] Verify complete
2012-02-16 04:24:58, Info CSI 00000042 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:24:58, Info CSI 00000043 [SR] Beginning Verify and Repair transaction
2012-02-16 04:25:02, Info CSI 00000045 [SR] Verify complete
2012-02-16 04:25:03, Info CSI 00000046 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:25:03, Info CSI 00000047 [SR] Beginning Verify and Repair transaction
2012-02-16 04:25:07, Info CSI 00000049 [SR] Verify complete
2012-02-16 04:25:08, Info CSI 0000004a [SR] Verifying 100 (0x00000064) components
2012-02-16 04:25:08, Info CSI 0000004b [SR] Beginning Verify and Repair transaction
2012-02-16 04:25:12, Info CSI 0000004d [SR] Verify complete
2012-02-16 04:25:13, Info CSI 0000004e [SR] Verifying 100 (0x00000064) components
2012-02-16 04:25:13, Info CSI 0000004f [SR] Beginning Verify and Repair transaction
2012-02-16 04:25:17, Info CSI 00000051 [SR] Verify complete
2012-02-16 04:25:18, Info CSI 00000052 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:25:18, Info CSI 00000053 [SR] Beginning Verify and Repair transaction
2012-02-16 04:25:21, Info CSI 00000055 [SR] Verify complete
2012-02-16 04:25:22, Info CSI 00000056 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:25:22, Info CSI 00000057 [SR] Beginning Verify and Repair transaction
2012-02-16 04:25:26, Info CSI 00000059 [SR] Verify complete
2012-02-16 04:25:27, Info CSI 0000005a [SR] Verifying 100 (0x00000064) components
2012-02-16 04:25:27, Info CSI 0000005b [SR] Beginning Verify and Repair transaction
2012-02-16 04:25:30, Info CSI 0000005d [SR] Verify complete
2012-02-16 04:25:31, Info CSI 0000005e [SR] Verifying 100 (0x00000064) components
2012-02-16 04:25:31, Info CSI 0000005f [SR] Beginning Verify and Repair transaction
2012-02-16 04:25:34, Info CSI 00000061 [SR] Verify complete
2012-02-16 04:25:35, Info CSI 00000062 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:25:35, Info CSI 00000063 [SR] Beginning Verify and Repair transaction
2012-02-16 04:25:38, Info CSI 00000065 [SR] Verify complete
2012-02-16 04:25:38, Info CSI 00000066 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:25:38, Info CSI 00000067 [SR] Beginning Verify and Repair transaction
2012-02-16 04:25:42, Info CSI 00000069 [SR] Verify complete
2012-02-16 04:25:43, Info CSI 0000006a [SR] Verifying 100 (0x00000064) components
2012-02-16 04:25:43, Info CSI 0000006b [SR] Beginning Verify and Repair transaction
2012-02-16 04:25:48, Info CSI 0000006d [SR] Verify complete
2012-02-16 04:25:48, Info CSI 0000006e [SR] Verifying 100 (0x00000064) components
2012-02-16 04:25:48, Info CSI 0000006f [SR] Beginning Verify and Repair transaction
2012-02-16 04:25:51, Info CSI 00000071 [SR] Verify complete
2012-02-16 04:25:51, Info CSI 00000072 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:25:51, Info CSI 00000073 [SR] Beginning Verify and Repair transaction
2012-02-16 04:25:53, Info CSI 00000075 [SR] Verify complete
2012-02-16 04:25:54, Info CSI 00000076 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:25:54, Info CSI 00000077 [SR] Beginning Verify and Repair transaction
2012-02-16 04:25:56, Info CSI 00000079 [SR] Verify complete
2012-02-16 04:25:56, Info CSI 0000007a [SR] Verifying 100 (0x00000064) components
2012-02-16 04:25:56, Info CSI 0000007b [SR] Beginning Verify and Repair transaction
2012-02-16 04:26:00, Info CSI 0000007d [SR] Verify complete
2012-02-16 04:26:01, Info CSI 0000007e [SR] Verifying 100 (0x00000064) components
2012-02-16 04:26:01, Info CSI 0000007f [SR] Beginning Verify and Repair transaction
2012-02-16 04:26:03, Info CSI 00000081 [SR] Verify complete
2012-02-16 04:26:03, Info CSI 00000082 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:26:03, Info CSI 00000083 [SR] Beginning Verify and Repair transaction
2012-02-16 04:26:05, Info CSI 00000085 [SR] Verify complete
2012-02-16 04:26:06, Info CSI 00000086 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:26:06, Info CSI 00000087 [SR] Beginning Verify and Repair transaction
2012-02-16 04:26:08, Info CSI 00000089 [SR] Verify complete
2012-02-16 04:26:08, Info CSI 0000008a [SR] Verifying 100 (0x00000064) components
2012-02-16 04:26:08, Info CSI 0000008b [SR] Beginning Verify and Repair transaction
2012-02-16 04:26:13, Info CSI 0000008d [SR] Verify complete
2012-02-16 04:26:13, Info CSI 0000008e [SR] Verifying 100 (0x00000064) components
2012-02-16 04:26:13, Info CSI 0000008f [SR] Beginning Verify and Repair transaction
2012-02-16 04:26:19, Info CSI 00000091 [SR] Verify complete
2012-02-16 04:26:19, Info CSI 00000092 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:26:19, Info CSI 00000093 [SR] Beginning Verify and Repair transaction
2012-02-16 04:26:24, Info CSI 00000095 [SR] Verify complete
2012-02-16 04:26:25, Info CSI 00000096 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:26:25, Info CSI 00000097 [SR] Beginning Verify and Repair transaction
2012-02-16 04:26:30, Info CSI 0000009a [SR] Verify complete
2012-02-16 04:26:30, Info CSI 0000009b [SR] Verifying 100 (0x00000064) components
2012-02-16 04:26:30, Info CSI 0000009c [SR] Beginning Verify and Repair transaction
2012-02-16 04:26:36, Info CSI 0000009f [SR] Verify complete
2012-02-16 04:26:36, Info CSI 000000a0 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:26:36, Info CSI 000000a1 [SR] Beginning Verify and Repair transaction
2012-02-16 04:26:42, Info CSI 000000a3 [SR] Verify complete
2012-02-16 04:26:42, Info CSI 000000a4 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:26:42, Info CSI 000000a5 [SR] Beginning Verify and Repair transaction
2012-02-16 04:26:52, Info CSI 000000af [SR] Verify complete
2012-02-16 04:26:53, Info CSI 000000b0 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:26:53, Info CSI 000000b1 [SR] Beginning Verify and Repair transaction
2012-02-16 04:26:59, Info CSI 000000b3 [SR] Verify complete
2012-02-16 04:27:00, Info CSI 000000b4 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:27:00, Info CSI 000000b5 [SR] Beginning Verify and Repair transaction
2012-02-16 04:27:05, Info CSI 000000b7 [SR] Verify complete
2012-02-16 04:27:06, Info CSI 000000b8 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:27:06, Info CSI 000000b9 [SR] Beginning Verify and Repair transaction
2012-02-16 04:27:11, Info CSI 000000bb [SR] Verify complete
2012-02-16 04:27:12, Info CSI 000000bc [SR] Verifying 100 (0x00000064) components
2012-02-16 04:27:12, Info CSI 000000bd [SR] Beginning Verify and Repair transaction
2012-02-16 04:27:18, Info CSI 000000bf [SR] Verify complete
2012-02-16 04:27:19, Info CSI 000000c0 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:27:19, Info CSI 000000c1 [SR] Beginning Verify and Repair transaction
2012-02-16 04:27:29, Info CSI 000000c3 [SR] Verify complete
2012-02-16 04:27:29, Info CSI 000000c4 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:27:29, Info CSI 000000c5 [SR] Beginning Verify and Repair transaction
2012-02-16 04:27:42, Info CSI 000000c9 [SR] Verify complete
2012-02-16 04:27:42, Info CSI 000000ca [SR] Verifying 100 (0x00000064) components
2012-02-16 04:27:42, Info CSI 000000cb [SR] Beginning Verify and Repair transaction
2012-02-16 04:27:56, Info CSI 000000cd [SR] Verify complete
2012-02-16 04:27:56, Info CSI 000000ce [SR] Verifying 100 (0x00000064) components
2012-02-16 04:27:56, Info CSI 000000cf [SR] Beginning Verify and Repair transaction
2012-02-16 04:28:11, Info CSI 000000d1 [SR] Verify complete
2012-02-16 04:28:12, Info CSI 000000d2 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:28:12, Info CSI 000000d3 [SR] Beginning Verify and Repair transaction
2012-02-16 04:28:16, Info CSI 000000d5 [SR] Verify complete
2012-02-16 04:28:16, Info CSI 000000d6 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:28:16, Info CSI 000000d7 [SR] Beginning Verify and Repair transaction
2012-02-16 04:28:19, Info CSI 000000d9 [SR] Verify complete
2012-02-16 04:28:19, Info CSI 000000da [SR] Verifying 100 (0x00000064) components
2012-02-16 04:28:19, Info CSI 000000db [SR] Beginning Verify and Repair transaction
2012-02-16 04:28:22, Info CSI 000000dd [SR] Verify complete
2012-02-16 04:28:23, Info CSI 000000de [SR] Verifying 100 (0x00000064) components
2012-02-16 04:28:23, Info CSI 000000df [SR] Beginning Verify and Repair transaction
2012-02-16 04:28:35, Info CSI 000000fd [SR] Verify complete
2012-02-16 04:28:35, Info CSI 000000fe [SR] Verifying 100 (0x00000064) components
2012-02-16 04:28:35, Info CSI 000000ff [SR] Beginning Verify and Repair transaction
2012-02-16 04:28:38, Info CSI 00000101 [SR] Verify complete
2012-02-16 04:28:38, Info CSI 00000102 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:28:38, Info CSI 00000103 [SR] Beginning Verify and Repair transaction
2012-02-16 04:28:42, Info CSI 00000105 [SR] Verify complete
2012-02-16 04:28:42, Info CSI 00000106 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:28:42, Info CSI 00000107 [SR] Beginning Verify and Repair transaction
2012-02-16 04:28:46, Info CSI 00000109 [SR] Verify complete
2012-02-16 04:28:46, Info CSI 0000010a [SR] Verifying 100 (0x00000064) components
2012-02-16 04:28:46, Info CSI 0000010b [SR] Beginning Verify and Repair transaction
2012-02-16 04:28:53, Info CSI 0000010d [SR] Verify complete
2012-02-16 04:28:53, Info CSI 0000010e [SR] Verifying 100 (0x00000064) components
2012-02-16 04:28:53, Info CSI 0000010f [SR] Beginning Verify and Repair transaction
2012-02-16 04:29:04, Info CSI 00000112 [SR] Verify complete
2012-02-16 04:29:05, Info CSI 00000113 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:29:05, Info CSI 00000114 [SR] Beginning Verify and Repair transaction
2012-02-16 04:29:08, Info CSI 00000116 [SR] Verify complete
2012-02-16 04:29:09, Info CSI 00000117 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:29:09, Info CSI 00000118 [SR] Beginning Verify and Repair transaction
2012-02-16 04:29:18, Info CSI 0000011a [SR] Verify complete
2012-02-16 04:29:18, Info CSI 0000011b [SR] Verifying 100 (0x00000064) components
2012-02-16 04:29:18, Info CSI 0000011c [SR] Beginning Verify and Repair transaction
2012-02-16 04:29:23, Info CSI 0000011e [SR] Verify complete
2012-02-16 04:29:23, Info CSI 0000011f [SR] Verifying 100 (0x00000064) components
2012-02-16 04:29:23, Info CSI 00000120 [SR] Beginning Verify and Repair transaction
2012-02-16 04:29:28, Info CSI 00000122 [SR] Verify complete
2012-02-16 04:29:29, Info CSI 00000123 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:29:29, Info CSI 00000124 [SR] Beginning Verify and Repair transaction
2012-02-16 04:29:39, Info CSI 0000012c [SR] Verify complete
2012-02-16 04:29:39, Info CSI 0000012d [SR] Verifying 100 (0x00000064) components
2012-02-16 04:29:39, Info CSI 0000012e [SR] Beginning Verify and Repair transaction
2012-02-16 04:29:51, Info CSI 0000014d [SR] Verify complete
2012-02-16 04:29:51, Info CSI 0000014e [SR] Verifying 100 (0x00000064) components
2012-02-16 04:29:51, Info CSI 0000014f [SR] Beginning Verify and Repair transaction
2012-02-16 04:30:00, Info CSI 00000151 [SR] Verify complete
2012-02-16 04:30:01, Info CSI 00000152 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:30:01, Info CSI 00000153 [SR] Beginning Verify and Repair transaction
2012-02-16 04:30:23, Info CSI 00000155 [SR] Verify complete
2012-02-16 04:30:24, Info CSI 00000156 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:30:24, Info CSI 00000157 [SR] Beginning Verify and Repair transaction
2012-02-16 04:30:36, Info CSI 00000159 [SR] Verify complete
2012-02-16 04:30:36, Info CSI 0000015a [SR] Verifying 100 (0x00000064) components
2012-02-16 04:30:36, Info CSI 0000015b [SR] Beginning Verify and Repair transaction
2012-02-16 04:30:48, Info CSI 0000015d [SR] Verify complete
2012-02-16 04:30:48, Info CSI 0000015e [SR] Verifying 100 (0x00000064) components
2012-02-16 04:30:48, Info CSI 0000015f [SR] Beginning Verify and Repair transaction
2012-02-16 04:30:56, Info CSI 00000161 [SR] Verify complete
2012-02-16 04:30:56, Info CSI 00000162 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:30:56, Info CSI 00000163 [SR] Beginning Verify and Repair transaction
2012-02-16 04:31:01, Info CSI 00000165 [SR] Verify complete
2012-02-16 04:31:02, Info CSI 00000166 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:31:02, Info CSI 00000167 [SR] Beginning Verify and Repair transaction
2012-02-16 04:31:08, Info CSI 0000016a [SR] Verify complete
2012-02-16 04:31:08, Info CSI 0000016b [SR] Verifying 100 (0x00000064) components
2012-02-16 04:31:08, Info CSI 0000016c [SR] Beginning Verify and Repair transaction
2012-02-16 04:31:25, Info CSI 0000016e [SR] Verify complete
2012-02-16 04:31:26, Info CSI 0000016f [SR] Verifying 100 (0x00000064) components
2012-02-16 04:31:26, Info CSI 00000170 [SR] Beginning Verify and Repair transaction
2012-02-16 04:31:33, Info CSI 00000172 [SR] Verify complete
2012-02-16 04:31:33, Info CSI 00000173 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:31:33, Info CSI 00000174 [SR] Beginning Verify and Repair transaction
2012-02-16 04:31:42, Info CSI 00000176 [SR] Verify complete
2012-02-16 04:31:43, Info CSI 00000177 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:31:43, Info CSI 00000178 [SR] Beginning Verify and Repair transaction
2012-02-16 04:31:54, Info CSI 0000017a [SR] Verify complete
2012-02-16 04:31:54, Info CSI 0000017b [SR] Verifying 100 (0x00000064) components
2012-02-16 04:31:54, Info CSI 0000017c [SR] Beginning Verify and Repair transaction
2012-02-16 04:32:01, Info CSI 0000017e [SR] Verify complete
2012-02-16 04:32:01, Info CSI 0000017f [SR] Verifying 100 (0x00000064) components
2012-02-16 04:32:01, Info CSI 00000180 [SR] Beginning Verify and Repair transaction
2012-02-16 04:32:10, Info CSI 00000182 [SR] Verify complete
2012-02-16 04:32:10, Info CSI 00000183 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:32:10, Info CSI 00000184 [SR] Beginning Verify and Repair transaction
2012-02-16 04:32:23, Info CSI 00000187 [SR] Verify complete
2012-02-16 04:32:23, Info CSI 00000188 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:32:23, Info CSI 00000189 [SR] Beginning Verify and Repair transaction
2012-02-16 04:32:29, Info CSI 0000018b [SR] Verify complete
2012-02-16 04:32:30, Info CSI 0000018c [SR] Verifying 100 (0x00000064) components
2012-02-16 04:32:30, Info CSI 0000018d [SR] Beginning Verify and Repair transaction
2012-02-16 04:32:37, Info CSI 0000018f [SR] Verify complete
2012-02-16 04:32:37, Info CSI 00000190 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:32:37, Info CSI 00000191 [SR] Beginning Verify and Repair transaction
2012-02-16 04:32:44, Info CSI 00000193 [SR] Verify complete
2012-02-16 04:32:45, Info CSI 00000194 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:32:45, Info CSI 00000195 [SR] Beginning Verify and Repair transaction
2012-02-16 04:32:55, Info CSI 0000019a [SR] Verify complete
2012-02-16 04:32:56, Info CSI 0000019b [SR] Verifying 100 (0x00000064) components
2012-02-16 04:32:56, Info CSI 0000019c [SR] Beginning Verify and Repair transaction
2012-02-16 04:33:04, Info CSI 0000019e [SR] Verify complete
2012-02-16 04:33:05, Info CSI 0000019f [SR] Verifying 100 (0x00000064) components
2012-02-16 04:33:05, Info CSI 000001a0 [SR] Beginning Verify and Repair transaction
2012-02-16 04:33:15, Info CSI 000001a2 [SR] Verify complete
2012-02-16 04:33:15, Info CSI 000001a3 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:33:15, Info CSI 000001a4 [SR] Beginning Verify and Repair transaction
2012-02-16 04:33:21, Info CSI 000001a6 [SR] Verify complete
2012-02-16 04:33:21, Info CSI 000001a7 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:33:21, Info CSI 000001a8 [SR] Beginning Verify and Repair transaction
2012-02-16 04:33:28, Info CSI 000001aa [SR] Verify complete
2012-02-16 04:33:28, Info CSI 000001ab [SR] Verifying 100 (0x00000064) components
2012-02-16 04:33:28, Info CSI 000001ac [SR] Beginning Verify and Repair transaction
2012-02-16 04:33:39, Info CSI 000001ae [SR] Verify complete
2012-02-16 04:33:40, Info CSI 000001af [SR] Verifying 100 (0x00000064) components
2012-02-16 04:33:40, Info CSI 000001b0 [SR] Beginning Verify and Repair transaction
2012-02-16 04:33:48, Info CSI 000001b2 [SR] Verify complete
2012-02-16 04:33:48, Info CSI 000001b3 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:33:48, Info CSI 000001b4 [SR] Beginning Verify and Repair transaction
2012-02-16 04:34:07, Info CSI 000001b6 [SR] Verify complete
2012-02-16 04:34:07, Info CSI 000001b7 [SR] Verifying 100 (0x00000064) components
2012-02-16 04:34:07, Info CSI 000001b8 [SR] Beginning Verify and Repair transaction
2012-02-16 04:34:13, Info CSI 000001ba [SR] Verify complete
2012-02-16 04:34:13, Info CSI 000001bb [SR] Verifying 100 (0x00000064) components
2012-02-16 04:34:13, Info CSI 000001bc [SR] Beginning Verify and Repair transaction
2012-02-16 04:34:18, Info CSI 000001be [SR] Verify complete
2012-02-16 04:34:18, Info CSI 000001bf [SR] Verifying 100 (0x00000064) components
2012-02-16 04:34:18, Info CSI 000001c0 [SR] Beginning Verify and Repair transaction
2012-02-16 04:34:28, Info CSI 000001cb [SR] Verify complete
2012-02-16 04:34:28, Info CSI 000001cc [SR] Verifying 47 (0x0000002f) components
2012-02-16 04:34:28, Info CSI 000001cd [SR] Beginning Verify and Repair transaction
2012-02-16 04:34:31, Info CSI 000001cf [SR] Verify complete
2012-02-16 04:34:31, Info CSI 000001d0 [SR] Repairing 0 components
2012-02-16 04:34:31, Info CSI 000001d1 [SR] Beginning Verify and Repair transaction
2012-02-16 04:34:31, Info CSI 000001d3 [SR] Repair complete
  • 0

#33
Nedklaw
    Trusted Helper
  • Malware Removal
  • 1,652 posts
Hi. :)
Does the error occur with one specific KB or for all of them?


Let's try this tool:


Download Windows Repair (all in one) from this site.

Install the program then let it run.

Go to Step 2 and allow it to run Disc Check.

Posted Image


Once that is done then go to Step 3 and allow it to run System File Checker.

Posted Image


On the Start Repairs tab select Advanced Mode and click Start.

Posted Image


Select the items in the red surround (remove the ticks from the rest) and tick Restart System When Finished then click Start.

Posted Image


Does Windows Update now work?


Things I want to see in your next reply

  • Answers to my questions

  • 0

#34
beabruin
    Member
  • Topic Starter
  • 73 posts
Microsoft SmartScreen Filter is blocking the download of Windows Repair (All In One). I tried saving the file and running it. One of the errors I get is: "tweaking.com_windows_repair_aio_setup.exe is unsafe to download and was blocked by SmartScreen Filter." There is a link to 'Learn More'. Here is the URL: http://www.microsoft...IE-malware.aspx I'm not sure how to get around this.

As far as the errors I receive on Windows Update: Here's the results of trying to do Windows Update on one important update at a time:

For update: KB2393802 - This fails with error code: 80096001
For update: KB2556532 - This fails with error code: 80096001
For update: KB2567053 - This fails with error code: 80096001
For update: KB890830 - This fails with error code: 80096001
For update: Windows Internet Explorer 9 for Windows Vista - This fails with error code: 80096001
  • 0

#35
Nedklaw
    Trusted Helper
  • Malware Removal
  • 1,652 posts
Hi. :)
Let's disable Microsoft SmartScreen Filter. It is important to enable it after you have completed the steps in my previous post.

  • Open Internet Explorer.
  • Click the Tools button (the cog next to favourites) then Safety, point to SmartScreen Filter, and then click Turn Off SmartScreen Filter.
  • In the Microsoft SmartScreen Filter dialog box, click OK.

After turning the Microsoft SmartScreen Filter off, follow the instructions in my previous post.
  • 0

#36
beabruin
    Member
  • Topic Starter
  • 73 posts
Nedklaw,

I temporarily turned off SmartScreen Filter per post #33 and downloaded & ran the Windows Repair (All In One). I'm still receiving errors for blocked programs upon a reboot. I'm now also receiving errors stating Windows can't check for new updates. I also tried to run Windows Update manually and received the following error: Code 8024001F. After trying this with SmartScreen Filter off, I turned on the Microsoft SmartScreen Filter. I get the same error running Windows Update.

I apologize. I was trying to do the updates without a valid Internet connection. I corrected this situation and reran Windows Update with the SmartScreen Filter turned on and the laptop took approximately 29 updates. I deferred Internet Explorer 9 for the time being. I'll keep you posted.

Edited by beabruin, 23 February 2012 - 07:42 AM.

  • 0

#37
beabruin
    Member
  • Topic Starter
  • 73 posts
Update:

Windows Update works. In addition to the 29 updates I went back and updated Internet Explorer 9 and 5 optional updates. Other than two optional updates that failed: (Intel Display Mobile Intel® Express Chipset) error code 800705B3 AND (Synaptics Input Synaptics PS/2 Port Touchpad) error code 80240016, everything else worked.

I'm still receiving the dialog box "Windows has blocked some startup programs" upon reboot. A search for programs blocked are:

VCAST Backup Scheduler.exe
AgVQVkFpNfmITWf.exe
bcont.exe (SupportSoft, Inc.)
  • 0

#38
Nedklaw
    Trusted Helper
  • Malware Removal
  • 1,652 posts
Hi. :)

  • Open OTL and select the "Scan All Users" box.
  • Under the Custom Scan box paste this in:

    netsvcs
  • Click the Quick Scan button. Post the log it produces in your next reply.

Things I want to see in your next reply

  • OTL.txt

  • 0

#39
beabruin
    Member
  • Topic Starter
  • 73 posts
I ran the OTL Quick Scan with the custom scan "netsvcs". The laptop was running on battery and the screen blanked out while running it. I quickly noticed this and plugged in the battery charger/power supply and had to press the power button to "refresh" the screen. The scan was still running when the screen came back. Hopefully the scan ran as intended. Here's the OTL scan log:

OTL logfile created on: 2/25/2012 6:24:16 AM - Run 8
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\_admin\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 1.80 Gb Available Physical Memory | 60.14% Memory free
6.18 Gb Paging File | 5.01 Gb Available in Paging File | 81.06% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 221.19 Gb Total Space | 137.90 Gb Free Space | 62.34% Space Free | Partition Type: NTFS
Drive D: | 11.69 Gb Total Space | 2.03 Gb Free Space | 17.34% Space Free | Partition Type: NTFS
Drive F: | 1.90 Gb Total Space | 1.90 Gb Free Space | 100.00% Space Free | Partition Type: FAT

Computer Name: CARUDA | User Name: _admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Program Files\Webroot\WRSA.exe (Webroot)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Users\_admin\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe ()
PRC - C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe ()
PRC - C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
PRC - C:\Program Files\Panda USB Vaccine\USBVaccine.exe (Panda Security)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\Canon\SolutionMenu\CNSLMAIN.EXE (CANON INC.)
PRC - C:\Program Files\Canon\IJPLM\ijplmsvc.exe ()
PRC - C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE (CANON INC.)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe ()
MOD - C:\Windows\System32\igfxTMM.dll ()


========== Win32 Services (SafeList) ==========

SRV - (WRSVC) -- C:\Program Files\Webroot\WRSA.exe (Webroot)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MotoHelper) -- C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe ()
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (IAANTMON) Intel® -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
SRV - (IJPLMSVC) -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe ()
SRV - (Com4Qlb) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe (Hewlett-Packard Development Company, L.P.)


========== Driver Services (SafeList) ==========

DRV - (WRkrn) -- C:\Windows\System32\drivers\WRkrn.sys (Webroot)
DRV - (MBAMProtector) -- C:\Windows\System32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (motccgp) -- C:\Windows\System32\drivers\motccgp.sys (Motorola)
DRV - (motmodem) -- C:\Windows\System32\drivers\motmodem.sys (Motorola)
DRV - (Motousbnet) -- C:\Windows\System32\drivers\Motousbnet.sys (Motorola)
DRV - (motusbdevice) -- C:\Windows\System32\drivers\motusbdevice.sys (Motorola Inc)
DRV - (smserial) -- C:\Windows\System32\drivers\smserial.sys (Motorola Inc.)
DRV - (BVRPMPR5) -- C:\Windows\System32\drivers\BVRPMPR5.SYS (Avanquest Software)
DRV - (motccgpfl) -- C:\Windows\System32\drivers\motccgpfl.sys (Motorola)
DRV - (BTCFilterService) -- C:\Windows\System32\drivers\motfilt.sys (Motorola Inc)
DRV - (NETw5v32) Intel® -- C:\Windows\System32\drivers\NETw5v32.sys (Intel Corporation)
DRV - (MotoSwitchService) -- C:\Windows\System32\drivers\motswch.sys (Motorola)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation )
DRV - (HpqRemHid) -- C:\Windows\System32\drivers\HpqRemHid.sys (Hewlett-Packard Development Company, L.P.)
DRV - (NETw4v32) Intel® -- C:\Windows\System32\drivers\NETw4v32.sys (Intel Corporation)
DRV - (HpqKbFiltr) -- C:\Windows\System32\drivers\HpqKbFiltr.sys (Hewlett-Packard Development Company, L.P.)
DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC)
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvm60x32.sys (NVIDIA Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...ilion&pf=laptop
IE - HKLM\..\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: ""
FF - prefs.js..browser.search.defaultenginename: ""
FF - prefs.js..browser.search.order.1: ""
FF - prefs.js..browser.search.selectedEngine: ""
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2008/08/31 19:45:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/02 19:22:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/02 19:22:11 | 000,000,000 | ---D | M]

[2009/12/23 10:18:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\_admin\AppData\Roaming\Mozilla\Extensions
[2012/01/19 20:10:20 | 000,000,000 | ---D | M] (No name found) -- C:\Users\_admin\AppData\Roaming\Mozilla\Firefox\Profiles\hlk4iq79.default\extensions
[2009/12/23 11:02:00 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\_admin\AppData\Roaming\Mozilla\Firefox\Profiles\hlk4iq79.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/01/16 06:52:15 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\_admin\AppData\Roaming\Mozilla\Firefox\Profiles\hlk4iq79.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2012/01/02 19:22:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/01/02 19:22:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\distribution\extensions
[2012/01/02 19:22:13 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\distribution\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/11/20 23:04:51 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/05/04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010/12/09 05:47:06 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\mozilla firefox\plugins\npwachk.dll
[2010/05/06 20:22:31 | 000,001,490 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\AOL Search.xml
[2011/11/20 20:04:05 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/20 20:04:05 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/02/08 07:13:49 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Winamp Toolbar Loader) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O3 - HKLM\..\Toolbar: (Winamp Toolbar) - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O3 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001\..\Toolbar\WebBrowser: (Winamp Toolbar) - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [WRSVC] C:\Program Files\Webroot\WRSA.exe (Webroot)
O4 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001..\Run: [WindowsWelcomeCenter] "C:\Windows\system32\rundll32.exe" oobefldr.dll,ShowWelcomeCenter File not found
O4 - Startup: C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Welcome Center.lnk = C:\Windows\System32\control.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - Reg Error: Value error. File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0C187B1F-FC4B-45FF-8753-2264EA38E7AD}: DhcpNameServer = 216.183.102.115 66.179.168.118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EE41FC19-29CB-4C60-8950-CADE512413A1}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\HPRadiance.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\HPRadiance.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/01 08:18:01 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2005/09/11 10:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/02/23 07:04:58 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2012/02/23 04:50:26 | 000,303,616 | ---- | C] ( ) -- C:\SetACL.exe
[2012/02/23 04:29:39 | 000,000,000 | ---D | C] -- C:\Reg_Backup
[2012/02/23 03:55:56 | 000,181,064 | ---- | C] (Sysinternals) -- C:\Windows\PSEXESVC.EXE
[2012/02/23 03:54:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
[2012/02/23 03:54:45 | 000,000,000 | ---D | C] -- C:\Program Files\Tweaking.com
[2012/02/16 04:17:42 | 000,000,000 | ---D | C] -- C:\Windows\System32\catroot2
[2012/01/26 08:57:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Webroot SecureAnywhere
[2012/01/26 08:56:46 | 000,145,528 | ---- | C] (Webroot) -- C:\Windows\System32\WRusr.dll
[2012/01/26 08:56:45 | 000,109,520 | ---- | C] (Webroot) -- C:\Windows\System32\drivers\WRkrn.sys
[2012/01/26 08:56:37 | 000,000,000 | ---D | C] -- C:\ProgramData\WRData
[3 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/25 06:29:27 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/02/25 06:17:01 | 000,604,502 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/02/25 06:17:01 | 000,104,170 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/02/25 06:09:53 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/02/25 06:09:53 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/02/25 06:09:50 | 000,000,699 | ---- | M] () -- C:\Users\Public\Desktop\Webroot SecureAnywhere.lnk
[2012/02/25 06:09:18 | 3211,190,272 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/23 09:23:54 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_SynTP_01009.Wdf
[2012/02/23 09:23:47 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2012/02/23 08:22:53 | 000,315,440 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/02/23 07:05:04 | 000,181,064 | ---- | M] (Sysinternals) -- C:\Windows\PSEXESVC.EXE
[2012/02/23 03:54:46 | 000,002,008 | ---- | M] () -- C:\Users\Public\Desktop\Tweaking.com - Windows Repair (All in One).lnk
[2012/02/16 04:12:40 | 271,320,429 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/02/08 07:13:49 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2012/02/07 22:12:33 | 000,000,866 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/07 17:43:44 | 000,145,528 | ---- | M] (Webroot) -- C:\Windows\System32\WRusr.dll
[2012/02/07 17:43:44 | 000,109,520 | ---- | M] (Webroot) -- C:\Windows\System32\drivers\WRkrn.sys
[3 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/23 09:49:33 | 3211,190,272 | -HS- | C] () -- C:\hiberfil.sys
[2012/02/23 09:23:54 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_SynTP_01009.Wdf
[2012/02/23 09:23:47 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2012/02/23 09:23:26 | 000,000,003 | ---- | C] () -- C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf
[2012/02/23 03:54:46 | 000,002,008 | ---- | C] () -- C:\Users\Public\Desktop\Tweaking.com - Windows Repair (All in One).lnk
[2012/01/26 08:56:47 | 000,000,699 | ---- | C] () -- C:\Users\Public\Desktop\Webroot SecureAnywhere.lnk
[2012/01/19 20:40:52 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/01/19 20:40:52 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/01/19 20:40:52 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/01/19 20:40:52 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/01/19 20:40:52 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/11/05 15:27:31 | 000,000,680 | ---- | C] () -- C:\Users\_admin\AppData\Local\d3d9caps.dat
[2011/05/28 01:04:09 | 000,057,344 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2010/07/07 15:04:12 | 000,000,056 | ---- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/04/24 07:43:07 | 000,004,608 | ---- | C] () -- C:\Users\_admin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/10 21:12:37 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/09/10 21:12:36 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2008/12/13 15:58:21 | 000,121,368 | ---- | C] () -- C:\Windows\hpoins15.dat
[2008/12/13 15:58:21 | 000,001,037 | ---- | C] () -- C:\Windows\hpomdl15.dat
[2008/08/31 20:26:32 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2008/08/31 20:26:32 | 000,000,063 | ---- | C] () -- C:\Windows\mdm.ini
[2008/08/31 20:26:18 | 000,000,000 | ---- | C] () -- C:\Windows\NSREX.INI
[2008/08/30 21:39:06 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/07/19 02:57:22 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ1.dat
[2008/07/19 02:57:22 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ0.dat
[2008/07/19 02:56:53 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2008/07/01 08:33:22 | 000,101,605 | ---- | C] () -- C:\Windows\hpqins13.dat
[2007/09/13 10:31:06 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1329.dll
[2007/09/13 10:22:46 | 001,238,832 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2007/09/13 10:22:46 | 000,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
[2007/09/13 10:11:18 | 000,249,856 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:47:37 | 000,315,440 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:33:01 | 000,604,502 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,104,170 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/03/09 15:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[1999/01/22 06:46:56 | 000,065,536 | ---- | C] () -- C:\Windows\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2008/09/01 08:06:38 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\acccore
[2010/06/21 19:30:50 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Facebook
[2010/11/02 19:18:16 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\ooVoo Details
[2012/02/23 13:09:33 | 000,032,576 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

#40
Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)


Step 1

If you have Malwarebytes 1.6 or later installed, please disable it for the duration of this run.

Run OTL.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    :Reg
    [HKEY_USERS\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Microsoft\Windows\CurrentVersion\Run]
    "AgVQVkFpNfmITWf.exe"=-
    [HKEY_USERS\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Microsoft\Windows\CurrentVersion\Run]
    "Desktop Software"=-
    [HKEY_USERS\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Microsoft\Windows\CurrentVersion\Run]
    "HLBackupScheduler"=-
    [-HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions] 
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [emptytemp]
    [CREATERESTOREPOINT] 
    [Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.
  • Post the log that appears upon reboot in your next reply.
  • If no log appears upon reboot, the OTL Fix log should be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date and the time of the tool run.
  • Open OTL again and select the "Scan All Users" box.
  • Click the Quick Scan button. Post the log it produces in your next reply.

Step 2

Have the blocked program warnings stopped popping up?


Things I want to see in your next reply

  • OTL Fix Log
  • OTL.txt

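The fix script above is written only after the O2 (BHO) and O4 (autorun) entries in the posted OTL log have been reviewed by hand. As an added example, not OTL's code and not part of the helper's instructions, the Python below parses those two OTL line formats and flags the entries a reviewer would look at first; the sample lines are copied from the log in this thread except the last one, which is constructed around the value name from the fix script.

```python
"""Triage of OTL 'O2' (BHO) and 'O4' (autorun) log lines.

Added example, not part of OTL or of the helper's post. It flags entries a
reviewer checks before writing a fix script: orphaned entries ("File not
found" / "No CLSID value found"), entries with an empty company field,
entries launching from user-writable directories, and value names that look
randomly generated (a heuristic, see looks_random).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# O4 - HKLM..\Run: [Name] C:\path\prog.exe (Company)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.*)$")
# O2 - BHO: (Name) - {CLSID} - C:\path\x.dll (Company)
O2_RE = re.compile(r"^O2 - BHO: \((?P<name>[^)]*)\) - \{(?P<clsid>[^}]+)\} - (?P<rest>.*)$")
# Trailing "(Company)" group; OTL prints "()" when it found no company name.
COMPANY_RE = re.compile(r"^(?P<path>.*?) \((?P<company>[^()]*)\)$")
# Directories a standard user can write to; persistence there deserves a look.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


@dataclass
class Entry:
    kind: str                # "O2" or "O4"
    name: str                # value name or BHO display name
    location: str            # registry hive (O4) or CLSID (O2)
    path: str
    company: Optional[str]   # None when OTL printed no company field at all
    missing: bool            # target file or CLSID not found
    flags: List[str] = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Heuristic: frequent upper/lower case switches in a single alphanumeric word."""
    stem = name.split(".")[0]
    if " " in stem or len(stem) < 10 or not stem.isalnum():
        return False
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return switches / len(stem) >= 0.5


def _split_target(rest: str) -> Tuple[str, Optional[str], bool]:
    """Return (path, company, missing) from the tail of an O2/O4 line."""
    if rest.endswith("File not found") or rest == "No CLSID value found.":
        return rest, None, True
    m = COMPANY_RE.match(rest)
    if m:
        return m.group("path"), m.group("company"), False
    return rest, None, False


def parse_line(line: str) -> Optional[Entry]:
    """Parse one OTL line; returns None for lines that are not O2 or O4 entries."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        path, company, missing = _split_target(m.group("rest"))
        return Entry("O4", m.group("name"), m.group("hive"), path, company, missing)
    m = O2_RE.match(line)
    if m:
        path, company, missing = _split_target(m.group("rest"))
        return Entry("O2", m.group("name"), m.group("clsid"), path, company, missing)
    return None


def triage(entry: Entry) -> Entry:
    """Attach review flags to an entry (in place) and return it."""
    if entry.missing:
        entry.flags.append("orphaned")
    elif entry.company == "":
        entry.flags.append("no-company")
    if any(d in entry.path.lower() for d in USER_WRITABLE):
        entry.flags.append("user-writable-path")
    if looks_random(entry.name):
        entry.flags.append("random-name")
    return entry


def review(lines: List[str]) -> List[Entry]:
    """Parse every O2/O4 line and return only the entries carrying a flag."""
    found = []
    for ln in lines:
        entry = parse_line(ln)
        if entry and triage(entry).flags:
            found.append(entry)
    return found


SAMPLE_LOG = [
    # Lines copied from the OTL log posted in this thread.
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.",
    r"O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)",
    r"O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)",
    r"O4 - HKLM..\Run: [WRSVC] C:\Program Files\Webroot\WRSA.exe (Webroot)",
    r'O4 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001..\Run: [WindowsWelcomeCenter] "C:\Windows\system32\rundll32.exe" oobefldr.dll,ShowWelcomeCenter File not found',
    # Constructed line: the value name comes from the fix script in the thread,
    # the path and the empty company field are made up for this example.
    r"O4 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000..\Run: [AgVQVkFpNfmITWf.exe] C:\Users\owner\AppData\Roaming\AgVQVkFpNfmITWf.exe ()",
]

if __name__ == "__main__":
    for e in review(SAMPLE_LOG):
        print(f"{e.kind} [{e.name}] {e.location}: {', '.join(e.flags)}")
```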
#41
beabruin

    Member

  • Topic Starter
  • Member
  • 73 posts
I disabled Malwarebytes to run the OTL Run Fix & Quick Scan. I rebooted the computer after the Run Fix as requested. After both runs of OTL, I logged off, rebooted, and logged on as caruda. The Blocked Startup Programs popup, for the same (3) programs, is still recurring. I re-enabled Malwarebytes. Below are the OTL logs:

*****OTL RunFix Logs*****
*************************
All processes killed
========== REGISTRY ==========
Registry key HKEY_USERS\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_USERS\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_USERS\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Microsoft\Windows\CurrentVersion\Run not found.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\_admin\Desktop\cmd.bat deleted successfully.
C:\Users\_admin\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: owner
->Temp folder emptied: 15023741 bytes
->Temporary Internet Files folder emptied: 48615360 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 33802464 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 8198248 bytes

User: Public
->Temp folder emptied: 0 bytes

User: _admin
->Temp folder emptied: 383761 bytes
->Temporary Internet Files folder emptied: 11464656 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 11232902 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 756 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 3301376 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 8586561 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 134.00 mb



OTL by OldTimer - Version 3.2.31.0 log created on 02282012_035949

Files\Folders moved on Reboot...
C:\Users\_admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\_admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CAF0ARD\fastbutton[1].htm moved successfully.

Registry entries deleted on Reboot...
*
*****OTL QuickScan Logs*****
****************************
*
OTL logfile created on: 2/28/2012 4:07:30 AM - Run 9
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\_admin\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 1.52 Gb Available Physical Memory | 50.76% Memory free
6.18 Gb Paging File | 4.79 Gb Available in Paging File | 77.51% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 221.19 Gb Total Space | 136.94 Gb Free Space | 61.91% Space Free | Partition Type: NTFS
Drive D: | 11.69 Gb Total Space | 2.03 Gb Free Space | 17.34% Space Free | Partition Type: NTFS
Drive F: | 1.90 Gb Total Space | 1.90 Gb Free Space | 100.00% Space Free | Partition Type: FAT

Computer Name: CARUDA | User Name: _admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Program Files\Webroot\WRSA.exe (Webroot)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Users\_admin\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe ()
PRC - C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe ()
PRC - C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
PRC - C:\Program Files\Panda USB Vaccine\USBVaccine.exe (Panda Security)
PRC - \\?\C:\Windows\System32\wbem\WMIADAP.EXE ()
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\Canon\SolutionMenu\CNSLMAIN.EXE (CANON INC.)
PRC - C:\Program Files\Canon\IJPLM\ijplmsvc.exe ()
PRC - C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE (CANON INC.)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe ()
MOD - C:\Windows\System32\igfxTMM.dll ()


========== Win32 Services (SafeList) ==========

SRV - (WRSVC) -- C:\Program Files\Webroot\WRSA.exe (Webroot)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MotoHelper) -- C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe ()
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (IAANTMON) Intel® -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
SRV - (IJPLMSVC) -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe ()
SRV - (Com4Qlb) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe (Hewlett-Packard Development Company, L.P.)


========== Driver Services (SafeList) ==========

DRV - (WRkrn) -- C:\Windows\System32\drivers\WRkrn.sys (Webroot)
DRV - (MBAMProtector) -- C:\Windows\System32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (motccgp) -- C:\Windows\System32\drivers\motccgp.sys (Motorola)
DRV - (motmodem) -- C:\Windows\System32\drivers\motmodem.sys (Motorola)
DRV - (Motousbnet) -- C:\Windows\System32\drivers\Motousbnet.sys (Motorola)
DRV - (motusbdevice) -- C:\Windows\System32\drivers\motusbdevice.sys (Motorola Inc)
DRV - (smserial) -- C:\Windows\System32\drivers\smserial.sys (Motorola Inc.)
DRV - (BVRPMPR5) -- C:\Windows\System32\drivers\BVRPMPR5.SYS (Avanquest Software)
DRV - (motccgpfl) -- C:\Windows\System32\drivers\motccgpfl.sys (Motorola)
DRV - (BTCFilterService) -- C:\Windows\System32\drivers\motfilt.sys (Motorola Inc)
DRV - (NETw5v32) Intel® -- C:\Windows\System32\drivers\NETw5v32.sys (Intel Corporation)
DRV - (MotoSwitchService) -- C:\Windows\System32\drivers\motswch.sys (Motorola)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation )
DRV - (HpqRemHid) -- C:\Windows\System32\drivers\HpqRemHid.sys (Hewlett-Packard Development Company, L.P.)
DRV - (NETw4v32) Intel® -- C:\Windows\System32\drivers\NETw4v32.sys (Intel Corporation)
DRV - (HpqKbFiltr) -- C:\Windows\System32\drivers\HpqKbFiltr.sys (Hewlett-Packard Development Company, L.P.)
DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC)
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvm60x32.sys (NVIDIA Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...ilion&pf=laptop
IE - HKLM\..\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: ""
FF - prefs.js..browser.search.defaultenginename: ""
FF - prefs.js..browser.search.order.1: ""
FF - prefs.js..browser.search.selectedEngine: ""
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2008/08/31 19:45:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/02 19:22:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/02 19:22:11 | 000,000,000 | ---D | M]

[2009/12/23 10:18:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\_admin\AppData\Roaming\Mozilla\Extensions
[2012/02/27 22:07:21 | 000,000,000 | ---D | M] (No name found) -- C:\Users\_admin\AppData\Roaming\Mozilla\Firefox\Profiles\hlk4iq79.default\extensions
[2009/12/23 11:02:00 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\_admin\AppData\Roaming\Mozilla\Firefox\Profiles\hlk4iq79.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/01/16 06:52:15 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\_admin\AppData\Roaming\Mozilla\Firefox\Profiles\hlk4iq79.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2012/02/27 22:07:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\_admin\AppData\Roaming\Mozilla\Firefox\Profiles\hlk4iq79.default\extensions\staged
[2012/01/02 19:22:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/01/02 19:22:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\distribution\extensions
[2012/01/02 19:22:13 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\distribution\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/11/20 23:04:51 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/05/04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010/12/09 05:47:06 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\mozilla firefox\plugins\npwachk.dll
[2010/05/06 20:22:31 | 000,001,490 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\AOL Search.xml
[2011/11/20 20:04:05 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/20 20:04:05 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/02/08 07:13:49 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Winamp Toolbar Loader) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O3 - HKLM\..\Toolbar: (Winamp Toolbar) - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O3 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001\..\Toolbar\WebBrowser: (Winamp Toolbar) - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [WRSVC] C:\Program Files\Webroot\WRSA.exe (Webroot)
O4 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001..\Run: [WindowsWelcomeCenter] "C:\Windows\system32\rundll32.exe" oobefldr.dll,ShowWelcomeCenter File not found
O4 - Startup: C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Welcome Center.lnk = C:\Windows\System32\control.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - Reg Error: Value error. File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0C187B1F-FC4B-45FF-8753-2264EA38E7AD}: DhcpNameServer = 216.183.102.115 66.179.168.118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EE41FC19-29CB-4C60-8950-CADE512413A1}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\HPRadiance.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\HPRadiance.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/01 08:18:01 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2005/09/11 10:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/23 07:04:58 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2012/02/23 04:50:26 | 000,303,616 | ---- | C] ( ) -- C:\SetACL.exe
[2012/02/23 04:29:39 | 000,000,000 | ---D | C] -- C:\Reg_Backup
[2012/02/23 03:55:56 | 000,181,064 | ---- | C] (Sysinternals) -- C:\Windows\PSEXESVC.EXE
[2012/02/23 03:54:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
[2012/02/23 03:54:45 | 000,000,000 | ---D | C] -- C:\Program Files\Tweaking.com
[2012/02/16 04:17:42 | 000,000,000 | ---D | C] -- C:\Windows\System32\catroot2

========== Files - Modified Within 30 Days ==========

[2012/02/28 04:09:03 | 000,604,502 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/02/28 04:09:03 | 000,104,170 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/02/28 04:02:07 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/02/28 04:02:07 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/02/28 04:02:04 | 000,000,699 | ---- | M] () -- C:\Users\Public\Desktop\Webroot SecureAnywhere.lnk
[2012/02/28 04:02:03 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/02/28 04:02:01 | 3211,190,272 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/23 09:23:54 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_SynTP_01009.Wdf
[2012/02/23 09:23:47 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2012/02/23 08:22:53 | 000,315,440 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/02/23 07:05:04 | 000,181,064 | ---- | M] (Sysinternals) -- C:\Windows\PSEXESVC.EXE
[2012/02/23 03:54:46 | 000,002,008 | ---- | M] () -- C:\Users\Public\Desktop\Tweaking.com - Windows Repair (All in One).lnk
[2012/02/16 04:12:40 | 271,320,429 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/02/08 07:13:49 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2012/02/07 22:12:33 | 000,000,866 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/07 17:43:44 | 000,145,528 | ---- | M] (Webroot) -- C:\Windows\System32\WRusr.dll
[2012/02/07 17:43:44 | 000,109,520 | ---- | M] (Webroot) -- C:\Windows\System32\drivers\WRkrn.sys

========== Files Created - No Company Name ==========

[2012/02/23 09:49:33 | 3211,190,272 | -HS- | C] () -- C:\hiberfil.sys
[2012/02/23 09:23:54 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_SynTP_01009.Wdf
[2012/02/23 09:23:47 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2012/02/23 09:23:26 | 000,000,003 | ---- | C] () -- C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf
[2012/02/23 03:54:46 | 000,002,008 | ---- | C] () -- C:\Users\Public\Desktop\Tweaking.com - Windows Repair (All in One).lnk
[2012/01/19 20:40:52 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/01/19 20:40:52 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/01/19 20:40:52 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/01/19 20:40:52 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/01/19 20:40:52 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/11/05 15:27:31 | 000,000,680 | ---- | C] () -- C:\Users\_admin\AppData\Local\d3d9caps.dat
[2011/05/28 01:04:09 | 000,057,344 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2010/07/07 15:04:12 | 000,000,056 | ---- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/04/24 07:43:07 | 000,004,608 | ---- | C] () -- C:\Users\_admin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/10 21:12:37 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/09/10 21:12:36 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2008/12/13 15:58:21 | 000,121,368 | ---- | C] () -- C:\Windows\hpoins15.dat
[2008/12/13 15:58:21 | 000,001,037 | ---- | C] () -- C:\Windows\hpomdl15.dat
[2008/08/31 20:26:32 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2008/08/31 20:26:32 | 000,000,063 | ---- | C] () -- C:\Windows\mdm.ini
[2008/08/31 20:26:18 | 000,000,000 | ---- | C] () -- C:\Windows\NSREX.INI
[2008/08/30 21:39:06 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/07/19 02:57:22 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ1.dat
[2008/07/19 02:57:22 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ0.dat
[2008/07/19 02:56:53 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2008/07/01 08:33:22 | 000,101,605 | ---- | C] () -- C:\Windows\hpqins13.dat
[2007/09/13 10:31:06 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1329.dll
[2007/09/13 10:22:46 | 001,238,832 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2007/09/13 10:22:46 | 000,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
[2007/09/13 10:11:18 | 000,249,856 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:47:37 | 000,315,440 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:33:01 | 000,604,502 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,104,170 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/03/09 15:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[1999/01/22 06:46:56 | 000,065,536 | ---- | C] () -- C:\Windows\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2008/09/01 08:06:38 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\acccore
[2010/06/21 19:30:50 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Facebook
[2010/11/02 19:18:16 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\ooVoo Details
[2012/02/28 04:00:59 | 000,032,576 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >
  • 0
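The OTL sections in the log above that a helper reads first are the integrity points: O1 (hosts file), O2/O4/O9 (BHOs, Run keys, IE buttons and whether their targets still exist), O17 (DNS servers handed out per interface), O20 (Winlogon Shell and UserInit), O32 (media autorun) and O35/O37 (the exe and com open commands). The script below is an added example, not part of this thread and not part of OTL, that checks those points mechanically. Its input is a handful of lines copied from the log above plus three constructed tampered lines used as a negative control; the names in those control lines (svc.exe under AppData, www.example.com) are made up for illustration and were not observed on this machine. The public-DNS flag is only a prompt to confirm the addresses belong to the ISP or the router, not a verdict; the same goes for orphaned entries, which are cleanup candidates rather than evidence of infection.

```python
"""Mechanical check of the OTL integrity lines (O1, O2, O4, O9, O17, O20,
O32, O35, O37).  Added example; not from the thread or from OTL itself."""
import ipaddress
import re

# Input: lines copied from the OTL log posted above.
POSTED_LINES = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O4 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001..\Run: [WindowsWelcomeCenter] "C:\Windows\system32\rundll32.exe" oobefldr.dll,ShowWelcomeCenter File not found
O9 - Extra Button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - Reg Error: Value error. File not found
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0C187B1F-FC4B-45FF-8753-2264EA38E7AD}: DhcpNameServer = 216.183.102.115 66.179.168.118
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
"""

# Constructed negative control, NOT observed on the poster's machine: the
# usual shapes of a hosts redirect, a UserInit append and an exefile hijack.
TAMPERED_LINES = r"""
O1 - Hosts: 127.0.0.1 www.example.com
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe,C:\Users\owner\AppData\Roaming\svc.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O35 - HKLM\..exefile [open] -- "C:\Users\owner\AppData\Roaming\svc.exe" "%1" %*
"""

ORPHAN_MARKERS = ("File not found", "No CLSID value found", "Reg Error")
OPEN_CMD = '"%1" %*'                      # stock open command for exe and com
WINLOGON_RE = re.compile(r"Winlogon: (Shell|UserInit) - \((.*?)\) -(.+?) \(")
# Registry value(s) OTL may print, and the path it must resolve to (Vista x86).
EXPECTED_WINLOGON = {
    "Shell": ({"explorer.exe"}, r"c:\windows\explorer.exe"),
    "UserInit": ({"userinit.exe", r"c:\windows\system32\userinit.exe"},
                 r"c:\windows\system32\userinit.exe"),
}


def triage_otl(text):
    """Return (section, kind, detail) triples for every line worth a look."""
    findings = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not re.match(r"O\d+ - ", line):
            continue
        code = line.split(" ", 1)[0]
        if any(marker in line for marker in ORPHAN_MARKERS):
            # Registry points at something that no longer exists: cleanup,
            # not proof of infection.
            findings.append((code, "orphan", line))
        elif code == "O1" and " - Hosts: " in line:
            names = line.split(" - Hosts: ", 1)[1].split()[1:]
            if any(n.lower() != "localhost" for n in names):
                findings.append((code, "hosts-redirect", line))
        elif code == "O17" and "DhcpNameServer = " in line:
            servers = line.split("DhcpNameServer = ", 1)[1].split()
            public = [s for s in servers if not ipaddress.ip_address(s).is_private]
            if public:   # confirm these belong to the ISP or the router
                findings.append((code, "public-dns", " ".join(public)))
        elif code == "O20":
            m = WINLOGON_RE.search(line)
            if m:
                key = m.group(1)
                raw_value = m.group(2).lower().rstrip(",")
                resolved = m.group(3).lower()
                allowed_raw, expected_path = EXPECTED_WINLOGON[key]
                if raw_value not in allowed_raw or resolved != expected_path:
                    findings.append((code, "winlogon-tamper", line))
        elif code == "O32" and line.endswith("AutoRun - 1"):
            findings.append((code, "autorun-enabled", line))
        elif code in ("O35", "O37") and " -- " in line:
            if line.split(" -- ", 1)[1].strip() != OPEN_CMD:
                findings.append((code, "open-cmd-tamper", line))
    return findings


if __name__ == "__main__":
    for sample in (POSTED_LINES, TAMPERED_LINES):
        for code, kind, detail in triage_otl(sample):
            print(f"{code:<4} {kind:<16} {detail}")
        print("--")
```

Run as-is it prints the three orphaned entries, the two non-private DNS servers on the second interface and the enabled CD autorun for the posted lines, then the three tamper kinds for the control lines. The Winlogon check compares both the raw registry value and the path OTL resolved it to, because the common trick is to append a second executable to UserInit while the first one still resolves cleanly.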

#42
Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    • Do you want to skip supplementary searches?
      Click NO.
  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!).
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
Note: If you receive any warning message about scripts, please choose to allow the script to run.


Things I want to see in your next reply

  • Silent Runners Log

  • 0
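The log this step produces annotates every autostart and scheduled task with [MS], a company name, [null data] (no version information) or [file not found], and marks hidden tasks with (HIDDEN!). The script below is an added example, not from this thread and not part of Silent Runners, that parses both line formats (Run-key entries and "launches:" task entries) and flags the ones worth a second look: missing targets, entries with no version information, hidden non-Microsoft tasks, and launchers such as rundll32.exe or pcalua.exe whose real payload sits outside Windows and Program Files or is a bare name resolved through the search path. Its input is a few lines copied from the log posted next in this thread plus one constructed control line (upd.exe under the user profile), which is made up for illustration and was not observed on this machine. A flag is a reason to look, not a verdict: stock Windows tasks such as SR light up too, and the point is to sort the list, not to judge it.

```python
"""Triage of Silent Runners autostart lines (Run-key and scheduled-task
formats).  Added example; not from the thread or from Silent Runners."""
import ntpath
import re

# Input: lines copied from the Silent Runners log posted next in this thread.
POSTED = r"""
"HPADVISOR" = ""C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" autoRun" [null data]
"WindowsWelcomeCenter" = ""C:\Windows\system32\rundll32.exe" oobefldr.dll,ShowWelcomeCenter" [MS]
"PandaUSBVaccine" -> launches: ""C:\Program Files\Panda USB Vaccine\RunInteractiveWin.exe" "C:\Program Files\Panda USB Vaccine\USBVaccine.exe" /resident /agreelicense" [null data]
"Scheduled Update for Ask Toolbar" -> launches: "C:\Program Files\Ask.com\UpdateTask.exe" [file not found]
"User_Feed_Synchronization-{E1A9A328-9BA6-43D8-81A5-194A0FF972ED}" -> (HIDDEN!) launches: "C:\Windows\system32\msfeedssync.exe sync" [MS]
"{B35C7A30-6440-4C3A-8A1D-EE0465A3CACE}" -> launches: "C:\Windows\system32\pcalua.exe -a E:\sansa-installer.exe -d E:\" [MS]
"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"SR" -> launches: "%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation" [MS]
"""
# Constructed control line, NOT from the posted log: an unsigned binary
# persisting from the user profile, the usual shape of a dropper's autostart.
CONTROL = r'"Updater" -> launches: "C:\Users\owner\AppData\Roaming\Updater\upd.exe -silent" [null data]'

ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)" (?:= |-> (?P<hidden>\(HIDDEN!\) )?launches: )'
    r'"(?P<cmd>.*)" \[(?P<ann>[^\]]*)\]$')
# Signed system binaries routinely used to run something else.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "pcalua.exe", "mshta.exe",
           "wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}


def split_command(cmd):
    """Return (executable, arguments) as Silent Runners prints the command."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end < 0:
            return cmd.strip('"'), ""
        return cmd[1:end], cmd[end + 1:].strip()
    # Unquoted path that may contain spaces: cut after the first extension.
    m = re.match(r"(.+?\.(?:exe|dll|scr|vbs|cmd|bat))(?:\s|$)", cmd, re.I)
    if m:
        return m.group(1), cmd[m.end():].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail


def real_target(exe, args):
    """For a LOLBin launcher the payload is the first non-switch argument."""
    if ntpath.basename(exe).lower() not in LOLBINS:
        return exe
    for tok in args.split():
        if not tok.startswith(("-", "/")):
            return tok.strip('"').split(",")[0]   # "foo.dll,Entry" -> foo.dll
    return exe


def location(path):
    """Coarse trust class of where the target lives."""
    p = path.lower().strip('"')
    if p.startswith(("%windir%", "%systemroot%", r"c:\windows")):
        return "system"
    if p.startswith(r"c:\program files"):
        return "program-files"
    if "\\appdata\\" in p or p.startswith((r"c:\users", "%appdata%", "%temp%", "%localappdata%")):
        return "user-writable"
    if re.match(r"[a-z]:\\", p):
        return "other-path" if p.startswith("c:\\") else "non-system-drive"
    return "relative"          # bare name, resolved through the search path


def triage(text):
    """One dict per parsed entry; 'flags' lists the reasons to look closer."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        exe, args = split_command(m.group("cmd"))
        target = real_target(exe, args)
        ann = m.group("ann")
        flags = []
        if ann == "file not found":
            flags.append("stale-target")
        if ann == "null data":
            flags.append("unsigned-or-no-version")
        if m.group("hidden") and ann != "MS":
            flags.append("hidden-non-ms")
        launcher = ntpath.basename(exe).lower()
        if launcher in LOLBINS:
            flags.append("lolbin:" + launcher)
        loc = location(target)
        if loc not in ("system", "program-files"):
            flags.append("target:" + loc)
        out.append({"name": m.group("name"), "exe": exe, "target": target, "flags": flags})
    return out


if __name__ == "__main__":
    for entry in triage(POSTED) + triage(CONTROL):
        if entry["flags"]:
            print(f'{entry["name"]:<40} {entry["target"]:<45} {", ".join(entry["flags"])}')
```

Run as-is it lists the two [file not found] tasks as stale, HPADVISOR and PandaUSBVaccine as lacking version information, the pcalua.exe task as a launcher whose payload is on a non-system drive, the two rundll32.exe entries as launchers with a bare DLL name, and the control line as an unsigned binary under the user profile; the Apple task and the hidden Microsoft feed task produce no flags. Sorting on the flags is what turns a several-hundred-line log into a short review list.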

#43
beabruin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
Here is the Silent Runners log.
*******************************
"Silent Runners.vbs", revision 63, http://www.silentrunners.org/
Operating System: Windows Vista SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"WindowsWelcomeCenter" = ""C:\Windows\system32\rundll32.exe" oobefldr.dll,ShowWelcomeCenter" [MS]
"HPADVISOR" = ""C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" autoRun" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
"CanonSolutionMenu" = ""C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" /logon" ["CANON INC."]
"CanonMyPrinter" = ""C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" /logon" ["CANON INC."]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"RtHDVCpl" = "C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe" ["Realtek Semiconductor"]
"AppleSyncNotifier" = ""C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe"" ["Apple Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Common Files\Java\Java Update\jusched.exe"" ["Sun Microsystems, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"Malwarebytes' Anti-Malware" = ""C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray" ["Malwarebytes Corporation"]
"WRSVC" = ""C:\Program Files\Webroot\WRSA.exe" -ul" ["Webroot"]
"SMSERIAL" = "C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" ["Motorola Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}\(Default) = "Winamp Toolbar Loader"
-> {HKLM...CLSID} = "Winamp Toolbar Loader"
\InProcServer32\(Default) = "C:\Program Files\Winamp Toolbar\winamptb.dll" ["AOL LLC."]

{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Java™ Plug-In 2 SSV Helper"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]

{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}\(Default) = "HP Smart BHO Class"
-> {HKLM...CLSID} = "HP Smart BHO Class"
\InProcServer32\(Default) = "C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll" ["Hewlett-Packard Co."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "ShellViewRTF"
-> {HKLM...CLSID} = "ShellViewRTF"
\InProcServer32\(Default) = "C:\Windows\System32\ShellvRTF.dll" ["XSS"]

"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics Incorporated"]

"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {HKLM...CLSID} = "Microsoft Office Binder Unbind"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office\1033\UNBIND.DLL" [MS]

"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]

"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}" = "Auto Update Property Sheet Extension"
-> {HKLM...CLSID} = "Auto Update Property Sheet Extension"
\InProcServer32\(Default) = "C:\Windows\system32\wuaucpl.cpl" [file not found]

HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\

<<!>> ms-itss\CLSID = "{0A9007C0-4076-11D3-8789-0000F8105754}"
-> {HKLM...CLSID} = "Microsoft Infotech Storage Protocol for IE 4.0"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll" [MS]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

WRShellExt\(Default) = "{69D72956-317C-44bd-B369-8E44D4EF9802}"
-> {HKLM...CLSID} = "WRShellExt"
\InProcServer32\(Default) = "C:\Windows\system32\WRusr.dll" ["Webroot"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\

igfxcui\(Default) = "{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}"
-> {HKLM...CLSID} = "GraphicsShellExt Class"
\InProcServer32\(Default) = "C:\Windows\system32\igfxpph.dll" ["Intel Corporation"]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

WRShellExt\(Default) = "{69D72956-317C-44bd-B369-8E44D4EF9802}"
-> {HKLM...CLSID} = "WRShellExt"
\InProcServer32\(Default) = "C:\Windows\system32\WRusr.dll" ["Webroot"]


Default executables:
--------------------

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Windows\web\wallpaper\HPRadiance.jpg"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\windows\web\wallpaper\HPRadiance.jpg"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\Windows\system32\logon.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

HPAutoplayPSE\
"Provider" = "HP Photosmart Essential 2.5"
"InvokeProgID" = "HpqPSApl.Autoplay"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\HpqPSApl.Autoplay\shell\Play\DropTarget\CLSID = "{A6873065-D632-4615-A3A9-C5F05EE109C1}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = "C:\Program Files\HP\Digital Imaging\bin\HpqPsApl.exe" ["Hewlett-Packard"]

iTunesBurnCDOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.BurnCD"
"InvokeVerb" = "burn"
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]

iTunesImportSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ImportSongsOnCD"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]

iTunesPlaySongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.PlaySongsOnCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]

iTunesShowSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ShowSongsOnCD"
"InvokeVerb" = "showsongs"
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]

muveeVideoCameraArrival\
"Provider" = "muvee autoProducer 6.1"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\muvee Technologies\muvee autoProducer 6.1 - SE\muveeapp.exe" /RECORD"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "Shell Execute Hardware Event Handler"
\LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

P2GCDBurningOnArrival\
"Provider" = "Power2Go"
"InvokeProgID" = "Picture"
"InvokeVerb" = "OpenWithPower2Go"
HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPower2Go\Command\(Default) = ""C:\Program Files\CyberLink\Power2Go\Power2Go.exe"" ["CyberLink Corp."]

PDirDVArrival\
"Provider" = "PowerDirector"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\CyberLink\PowerDirector\PDR.exe" /DV"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "Shell Execute Hardware Event Handler"
\LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

Power2GoPlayCDAudioOnArrival\
"Provider" = "Power2Go"
"InvokeProgID" = "AudioCD"
"InvokeVerb" = "PlayWithPower2Go"
HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithPower2Go\Command\(Default) = ""C:\Program Files\CyberLink\Power2Go\Power2Go.exe" /AudioRipper "%L"" ["CyberLink Corp."]

PStarterBlankCDArrival\
"Provider" = "DVD Suite"
"InvokeProgID" = "Picture"
"InvokeVerb" = "OpenWithPowerStarter"
HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerStarter\Command\(Default) = ""C:\Program Files\CyberLink\DVD Suite\PowerStarter.exe"" ["CyberLink"]

PStarterDVDBurningOnArrival\
"Provider" = "DVD Suite"
"InvokeProgID" = "BlankDVD"
"InvokeVerb" = "OpenWithPowerStarter"
HKLM\SOFTWARE\Classes\BlankDVD\shell\OpenWithPowerStarter\Command\(Default) = ""C:\Program Files\CyberLink\DVD Suite\PowerStarter.exe"" ["CyberLink"]

PStarterMixedCDArrival\
"Provider" = "DVD Suite"
"InvokeProgID" = "MixedContent"
"InvokeVerb" = "OpenWithPowerStarter"
HKLM\SOFTWARE\Classes\MixedContent\shell\OpenWithPowerStarter\Command\(Default) = ""C:\Program Files\CyberLink\DVD Suite\PowerStarter.exe"" ["CyberLink"]

PStarterMusicFilesArrival\
"Provider" = "DVD Suite"
"InvokeProgID" = "MusicFiles"
"InvokeVerb" = "OpenWithPowerStarter"
HKLM\SOFTWARE\Classes\MusicFiles\shell\OpenWithPowerStarter\Command\(Default) = ""C:\Program Files\CyberLink\DVD Suite\PowerStarter.exe"" ["CyberLink"]

PStarterPicturesArrival\
"Provider" = "DVD Suite"
"InvokeProgID" = "BlankCD"
"InvokeVerb" = "OpenWithPowerStarter"
HKLM\SOFTWARE\Classes\BlankCD\shell\OpenWithPowerStarter\Command\(Default) = ""C:\Program Files\CyberLink\DVD Suite\PowerStarter.exe"" ["CyberLink"]

PStarterPlayCDAudioOnArrival\
"Provider" = "DVD Suite"
"InvokeProgID" = "AudioCD"
"InvokeVerb" = "PlayWithPowerStarter"
HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithPowerStarter\Command\(Default) = ""C:\Program Files\CyberLink\DVD Suite\PowerStarter.exe" "%L"" ["CyberLink"]

PStarterPlayDVDMovieOnArrival\
"Provider" = "DVD Suite"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPowerStarter"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerStarter\Command\(Default) = ""C:\Program Files\CyberLink\DVD Suite\PowerStarter.exe" "%L"" ["CyberLink"]

PStarterVideoFilesArrival\
"Provider" = "DVD Suite"
"InvokeProgID" = "VideoFiles"
"InvokeVerb" = "OpenWithPowerStarter"
HKLM\SOFTWARE\Classes\VideoFiles\shell\OpenWithPowerStarter\Command\(Default) = ""C:\Program Files\CyberLink\DVD Suite\PowerStarter.exe"" ["CyberLink"]

QuickPlayDCameraArrival\
"Provider" = "HP QuickPlay"
"InvokeProgID" = "Picture"
"InvokeVerb" = "PlayWithQuickPlay"
HKLM\SOFTWARE\Classes\Picture\shell\PlayWithQuickPlay\Command\(Default) = ""C:\Program Files\HP\QuickPlay\QP.exe" AUTOPLAY DSC "%L"" ["CyberLink Corp."]

QuickPlayDVArrival\
"Provider" = "HP QuickPlay"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\HP\QuickPlay\QP.exe" DV "%L""
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "Shell Execute Hardware Event Handler"
\LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

QuickPlayMusicFilesArrival\
"Provider" = "HP QuickPlay"
"InvokeProgID" = "MusicFiles"
"InvokeVerb" = "PlayWithQuickPlay"
HKLM\SOFTWARE\Classes\MusicFiles\shell\PlayWithQuickPlay\Command\(Default) = ""C:\Program Files\HP\QuickPlay\QP.exe" AUTOPLAY MUSIC "%L"" ["CyberLink Corp."]

QuickPlayPlayCDAudioOnArrival\
"Provider" = "HP QuickPlay"
"InvokeProgID" = "AudioCD"
"InvokeVerb" = "PlayWithQuickPlay"
HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithQuickPlay\Command\(Default) = ""C:\Program Files\HP\QuickPlay\QP.exe" AUTOPLAY CD "%L"" ["CyberLink Corp."]

QuickPlayPlayDVDMovieOnArrival\
"Provider" = "HP QuickPlay"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithQuickPlay"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithQuickPlay\Command\(Default) = ""C:\Program Files\HP\QuickPlay\QP.exe" AUTOPLAY MOVIE "%L"" ["CyberLink Corp."]

QuickPlayPlayVideoCDMovieOnArrival\
"Provider" = "HP QuickPlay"
"InvokeProgID" = "VCD"
"InvokeVerb" = "PlayWithQuickPlay"
HKLM\SOFTWARE\Classes\VCD\shell\PlayWithQuickPlay\Command\(Default) = ""C:\Program Files\HP\QuickPlay\QP.exe" AUTOPLAY MOVIE "%L"" ["CyberLink Corp."]

WIA_{7DAA6E34-45C2-4EA8-938F-8DFB62C686A5}\
"Provider" = "HP Photosmart Essential 2.5"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = "/WiaCmd;C:\Program Files\HP\Digital Imaging\bin\HpqPsApl.exe;"
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]

WIA_{C3CDC176-15B7-47b2-8D40-2CF932067CB4}\
"Provider" = "muvee autoProducer 6.1"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = "/WiaCmd;C:\Program Files\muvee Technologies\muvee autoProducer 6.1 - SE\muveeapp.exe /StiDevice:%1 /StiEvent:%2;"
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Users\owner\Desktop\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "Shell Execute Hardware Event Handler"
\LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Users\owner\Desktop\Winamp\winamp.exe" "%1"" ["Nullsoft, Inc."]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = ""C:\Users\owner\Desktop\Winamp\winamp.exe"" ["Nullsoft, Inc."]


Windows Sidebar Gadgets:
------------------------

C:\Users\_admin\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
%PROGRAMFILES%\windows sidebar\gadgets\Clock.gadget
%PROGRAMFILES%\windows sidebar\gadgets\SlideShow.Gadget
%PROGRAMFILES%\windows sidebar\gadgets\RSSFeeds.Gadget


Non-disabled Scheduled Tasks:
-----------------------------

C:\Windows\System32\Tasks
"MotoHelper MUM" -> launches: ""C:\Program Files\Motorola\MotoHelper\MotoHelperUpdate.exe" -MUM" [null data]
"MotoHelper Routing" -> launches: ""C:\Program Files\Motorola\MotoHelper\MotoHelperUpdate.exe" -r" [null data]
"MotoHelper Update" -> launches: ""C:\Program Files\Motorola\MotoHelper\MotoHelperUpdate.exe" -d -silent" [null data]
"PandaUSBVaccine" -> launches: ""C:\Program Files\Panda USB Vaccine\RunInteractiveWin.exe" "C:\Program Files\Panda USB Vaccine\USBVaccine.exe" /resident /agreelicense" [null data]
"Scheduled Update for Ask Toolbar" -> launches: "C:\Program Files\Ask.com\UpdateTask.exe" [file not found]
"User_Feed_Synchronization-{E1A9A328-9BA6-43D8-81A5-194A0FF972ED}" -> (HIDDEN!) launches: "C:\Windows\system32\msfeedssync.exe sync" [MS]
"User_Feed_Synchronization-{EDEE427B-354E-4486-8B6D-3D43D9D9D132}" -> (HIDDEN!) launches: "C:\Windows\system32\msfeedssync.exe sync" [MS]
"{5AEBADDC-6EEC-4BAD-B3FD-0E0C4169F174}" -> launches: "C:\Program Files\Skype\Phone\Skype.exe" [file not found]
"{B35C7A30-6440-4C3A-8A1D-EE0465A3CACE}" -> launches: "C:\Windows\system32\pcalua.exe -a E:\sansa-installer.exe -d E:\" [MS]
"{C68EA603-CFAE-4FFA-867E-E47362F3A226}" -> launches: ""c:\program files\mozilla firefox\firefox.exe" http://ui.skype.com/...ed;madedefault" ["Mozilla Corporation"]

C:\Windows\System32\Tasks\Apple
"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]

C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client
"AD RMS Rights Policy Template Management (Manual)" -> launches: "{BF5CB148-7C77-4d8a-A53E-D81C70CF743C}"
-> {HKLM...CLSID} = "AD RMS Rights Policy Template Management (Manual) Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\msdrm.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth
"UninstallDeviceTask" -> launches: "BthUdTask.exe $(Arg0)" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
"SystemTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask-Roam" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program
"Consolidator" -> launches: "%SystemRoot%\System32\wsqmcons.exe" [MS]
"OptinNotification" -> launches: "%SystemRoot%\System32\wsqmcons.exe -n 0x1C577FA2B69CAD0" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Defrag
"ManualDefrag" -> launches: "%windir%\system32\defrag.exe \\?\Volume{f498c033-7716-11dd-a36c-806e6f6e6963}\" [MS]
"ScheduledDefrag" -> launches: "%windir%\system32\defrag.exe -c -i -g" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Media Center
"ehDRMInit" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DRMInit" [MS]
"mcupdate" -> launches: "%SystemRoot%\ehome\mcupdate $(Arg0) -gc" [MS]
"OCURActivate" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURActivate" [MS]
"OCURDiscovery" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery" [MS]
"UpdateRecordPath" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC
"HotStart" -> launches: "{06DA0625-9701-43da-BFD7-FBEEA2180A1E}"
-> {HKLM...CLSID} = "HotStart User Agent"
\InProcServer32\(Default) = "C:\Windows\System32\HotStartUserAgent.dll" [MS]
"TMM" -> launches: "{35EF4182-F900-4632-B072-8639E4478A61}"
-> {HKLM...CLSID} = "Transient Multi-Monitor Manager"
\InProcServer32\(Default) = "C:\Windows\System32\TMM.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MUI
"LPRemove" -> launches: "%windir%\system32\lpremove.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia
"SystemSoundsService" -> launches: "{2DEA658F-54C1-4227-AF9B-260AB5FC3543}"
-> {HKLM...CLSID} = "Microsoft PlaySoundService Class"
\InProcServer32\(Default) = "C:\Windows\System32\PlaySndSrv.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\NetworkAccessProtection
"NAPStatus UI" -> launches: "{f09878a1-4652-4292-aa63-8c7d4fd7648f}"
-> {HKLM...CLSID} = "Nap ITask Handler Implementation"
\InProcServer32\(Default) = "C:\Windows\System32\QAgent.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\RAC
"RACAgent" -> (HIDDEN!) launches: "%windir%\system32\RacAgent.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance
"RemoteAssistanceTask" -> (HIDDEN!) launches: "%windir%\system32\RAServer.exe /offerraupdate" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Shell
"CrawlStartPages" -> launches: "{51653423-e62d-4ff7-894a-dabb2b8e21e2}"
-> {HKLM...CLSID} = "CrawlStartPages Task Handler"
\InProcServer32\(Default) = "C:\Windows\System32\srchadmin.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\SideShow
"GadgetManager" -> launches: "{FF87090D-4A9A-4f47-879B-29A80C355D61}"
-> {HKLM...CLSID} = "GadgetsManager Class"
\InProcServer32\(Default) = "C:\Windows\System32\AuxiliaryDisplayServices.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore
"SR" -> launches: "%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip
"IpAddressConflict1" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem" [MS]
"IpAddressConflict2" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem" [MS]
"WSHReset" -> (HIDDEN!) launches: "%systemroot%\system32\netsh.exe interface tcp set heuristic wsh=default" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework
"MsCtfMonitor" -> (HIDDEN!) launches: "{01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}"
-> {HKLM...CLSID} = "MsCtfMonitor task handler"
\InProcServer32\(Default) = "C:\Windows\system32\MsCtfMonitor.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\UPnP
"UPnPHostConfig" -> launches: "sc.exe config upnphost start= auto" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\WDI
"ResolutionHost" -> (HIDDEN!) launches: "{900be39d-6be8-461a-bc4d-b0fa71f5ecb1}"
-> {HKLM...CLSID} = "DiagnosticInfrastructureCustomHandler"
\InProcServer32\(Default) = "C:\Windows\System32\wdi.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting
"QueueReporting" -> launches: "%windir%\system32\wermgr.exe -queuereporting" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Wired
"GatherWiredInfo" -> launches: "%windir%\system32\gatherWiredInfo.vbs" [null data]

C:\Windows\System32\Tasks\Microsoft\Windows\Wireless
"GatherWirelessInfo" -> launches: "%windir%\system32\gatherWirelessInfo.vbs" [null data]

C:\Windows\System32\Tasks\Microsoft\Windows Defender
"MP Scheduled Scan" -> (HIDDEN!) launches: "c:\program files\windows defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]

C:\Windows\System32\Tasks\WPD
"SqmUpload_S-1-5-21-1643871695-1882474329-1398546539-1000" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe portabledeviceapi.dll,#1" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000007\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Inc."]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 28


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"
-> {HKLM...CLSID} = "Winamp Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Winamp Toolbar\winamptb.dll" ["AOL LLC."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}" = "Winamp Toolbar"
-> {HKLM...CLSID} = "Winamp Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Winamp Toolbar\winamptb.dll" ["AOL LLC."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{58ECB495-38F0-49CB-A538-10282ABF65E7}\
"ButtonText" = "HP Smart Select"

{DDE87865-83C5-48C4-8357-2F5B1AA84522}\
"ButtonText" = "HP Smart Select"
"CLSIDExtension" = "{DDE87865-83C5-48c4-8357-2F5B1AA84522}"
-> {HKLM...CLSID} = "ClipBookBtn Class"
\InProcServer32\(Default) = "C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll" ["Hewlett-Packard Co."]


Miscellaneous IE Hijack Points
------------------------------

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "bkup_Tabs" = "res://ieframe.dll/tabswelcome.htm" [MS]
<<H>> "tbNumber" = "1" [file not found]


HOSTS file
----------

C:\Windows\System32\drivers\etc\HOSTS

maps: 3 domain names to IP addresses,
2 of the IP addresses are *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe"" ["Apple Inc."]
Bonjour Service, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Inc."]
CNG Key Isolation, KeyIso, "C:\Windows\system32\lsass.exe" [MS]
Computer Browser, Browser, "C:\Windows\system32\svchost.exe -k netsvcs" {"C:\Windows\System32\browser.dll" [MS]}
Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Program Files\CyberLink\Shared Files\RichVideo.exe"" [empty string]
Extensible Authentication Protocol, EapHost, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\eapsvc.dll" [MS]}
HP Health Check Service, HP Health Check Service, ""c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe"" [null data]
hpqwmiex, hpqwmiex, "C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe" ["Hewlett-Packard Development Company, L.P."]
Human Interface Device Access, hidserv, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\hidserv.dll" [MS]}
Intel® Matrix Storage Event Monitor, IAANTMON, "C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe" ["Intel Corporation"]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Inc."]
MBAMService, MBAMService, ""C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe"" ["Malwarebytes Corporation"]
MotoHelper Service, MotoHelper, "C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe" [null data]
PIXMA Extended Survey Program, IJPLMSVC, "C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE" [null data]
QuickPlay Background Capture Service (QBCS), QPCapSvc, ""C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe"" [empty string]
QuickPlay Task Scheduler (QTS), QPSched, ""C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe"" [empty string]
Windows Driver Foundation - User-mode Driver Framework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]}
Windows Font Cache Service, FontCache, "C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation" {"C:\Windows\system32\FntCache.dll" [MS]}
Windows Image Acquisition (WIA), stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]}
Windows Media Player Network Sharing Service, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" [MS]
Windows Presentation Foundation Font Cache 3.0.0.0, FontCache3.0.0.0, "C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe" [MS]
WLAN AutoConfig, Wlansvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\wlansvc.dll" [MS]}
WRSVC, WRSVC, ""C:\Program Files\Webroot\WRSA.exe" -service" ["Webroot"]


Safe Mode Drivers & Services (subkey name, subkey default value):
-----------------------------------------------------------------

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\

<<!>> WRkrn, "Driver"
<<!>> WRSVC, "Service"


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor iP4500 series\Driver = "CNMLM92.DLL" ["CANON INC."]
EPSON Artisan 800 Series 32MonitorBA\Driver = "E_FLBEMA.DLL" ["SEIKO EPSON CORPORATION"]


---------- (launch time: 2012-03-02 05:33:46)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 61 seconds, including 18 seconds for message boxes)
  • 0

#44
Nedklaw

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)

Are all three programs still being blocked upon startup?
  • 0

#45
Nedklaw

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)

Please run a free online scan with the ESET Online Scanner.
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the options Remove found threats and Scan unwanted applications are both checked.
  • Click Scan. (This scan can take several hours, so please be patient.)
  • Once the scan is completed, you may close the window.
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Things I want to see in your next reply

  • log.txt

  • 0