Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

smitfraud-c.generic svchost.exe access denied

Started by toooldforthis , Feb 19 2012 05:18 PM

  • Please log in to reply

#1
toooldforthis
Posted 19 February 2012 - 05:18 PM

toooldforthis

    New Member

  • Member
  • Pip
  • 4 posts
It seems that i have a number of Malware bugs and none of the removal tools go to completion. The original symtoms: 1)WINRSCMDE STOPPED WORKING AND WAS CLOSED. 2)GOOGLE searches look like they are being spoofed. You can type in the full google search and then hit search before you see any results. Clicking on a result redirects you to another site. I also noticed when I went to scan my machine that Trends was not running and that it would not start.

I downloaded Malwarebytes and ran it. It came back with Trojan.Agent as the result and pointed to file svchost.exe. It kept deleting the file but the bug kept coming back. At this point I tried Spybot. It identified Smitfraud-c.Generic and again the file svchost.exe. I downloaded the Smitfraudfix tool and ran. When i went to step 2 to clean (in safe mode)it went to killiong processes and then i saw numerous messages saying ACCESS DENIED and the program finished and left me on a black screen which said safe mode. I tried this several times after rebooting always with the same results.

After searching around on the forum I noticed the link to GOOGLE redirects and tried that process. I could not run OTM.exe (said it was not a windows 32k application). I was able to run gooredfix.exe and then I ran TDSSKILLER, which identified rootkit.boot.pihar.b. It said it cured it and I rebooted. With all this done, I am still having the same problems.

I have attached the OTL files as requested. Is there anything else you need to point me in the right direction?

OTL logfile created on: 2/19/2012 17:14:33 - Run 1
OTL by OldTimer - Version 3.2.33.0 Folder = K:\
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19190)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.21 Gb Available Physical Memory | 55.22% Memory free
8.20 Gb Paging File | 6.16 Gb Available in Paging File | 75.18% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 144.29 Gb Total Space | 83.65 Gb Free Space | 57.97% Space Free | Partition Type: NTFS
Drive D: | 144.04 Gb Total Space | 139.33 Gb Free Space | 96.74% Space Free | Partition Type: NTFS
Drive K: | 3.73 Gb Total Space | 3.42 Gb Free Space | 91.72% Space Free | Partition Type: FAT32
Drive N: | 931.51 Gb Total Space | 885.15 Gb Free Space | 95.02% Space Free | Partition Type: NTFS
Drive O: | 1.88 Gb Total Space | 1.87 Gb Free Space | 99.41% Space Free | Partition Type: FAT32

Computer Name: STEVE-2 | User Name: Steve | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/19 17:11:06 | 000,583,680 | ---- | M] (OldTimer Tools) -- K:\OTL.exe
PRC - [2012/01/31 17:10:10 | 000,026,264 | ---- | M] (PC Pitstop LLC) -- C:\Program Files (x86)\PCPitstop\Info Center\InfoCenter.exe
PRC - [2012/01/30 21:52:50 | 000,160,328 | ---- | M] (Siber Systems) -- C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
PRC - [2009/07/06 15:04:00 | 001,611,152 | ---- | M] (Philips) -- C:\Philips\GoGear VIBE Device Manager\GoGear_Vibe_DeviceManager.exe
PRC - [2009/05/03 08:18:30 | 000,091,440 | ---- | M] (Logitech Inc.) -- C:\Program Files (x86)\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/03/05 01:38:30 | 000,454,704 | ---- | M] (Egis inc.) -- C:\Acer\Empowering Technology\eDataSecurity\x86\eDSMSNLoader32.exe
PRC - [2008/01/25 20:49:06 | 000,204,908 | ---- | M] () -- C:\Program Files (x86)\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
PRC - [2007/02/14 11:09:06 | 001,313,816 | ---- | M] (Memeo) -- C:\Program Files (x86)\Memeo\AutoBackup\MemeoBackup.exe
PRC - [2007/01/18 13:20:26 | 000,190,008 | ---- | M] (Seagate LLC) -- C:\Program Files (x86)\Seagate\SystemTray\StxMenuMgr.exe
PRC - [2002/08/08 07:49:20 | 000,087,040 | ---- | M] (Lotus Development Corporation) -- D:\lotus\organize\easyclip.exe
PRC - [1999/12/16 15:10:00 | 000,282,624 | ---- | M] (Palm Computing, Inc.) -- C:\Palm\HOTSYNC.EXE


========== Modules (No Company Name) ==========

MOD - [2012/02/16 22:58:57 | 012,430,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\65450889f3742aada2a6c0cf8e6173e3\System.Windows.Forms.ni.dll
MOD - [2012/02/16 22:58:48 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\137696d0416b65dbc1561152971488b4\System.Drawing.ni.dll
MOD - [2012/02/16 22:57:50 | 007,953,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\c50133cb67d7c013fa31e1ffb942060b\System.ni.dll
MOD - [2012/01/09 22:04:18 | 003,391,488 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_cf537c7f\mscorlib.dll
MOD - [2012/01/09 22:04:16 | 000,835,584 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.drawing\1.0.5000.0__b03f5f7f11d50a3a_dcad5970\system.drawing.dll
MOD - [2012/01/09 22:04:12 | 002,088,960 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.xml\1.0.5000.0__b77a5c561934e089_3f43b817\system.xml.dll
MOD - [2012/01/09 22:04:09 | 003,035,136 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_e6c8e3d9\system.windows.forms.dll
MOD - [2012/01/09 22:04:04 | 001,966,080 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_ab43f1b8\system.dll
MOD - [2012/01/09 22:03:59 | 001,232,896 | ---- | M] () -- c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll
MOD - [2012/01/09 22:03:56 | 002,064,384 | ---- | M] () -- c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll
MOD - [2011/10/20 17:45:11 | 011,490,816 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\b6632a8b2f276a8e31f5b0f6b2006cd1\mscorlib.ni.dll
MOD - [2011/06/24 21:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/06/24 21:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2009/07/06 15:04:00 | 000,135,168 | ---- | M] () -- C:\Philips\GoGear VIBE Device Manager\Scsi_nt.dll
MOD - [2009/05/03 08:18:27 | 000,064,664 | ---- | M] () -- C:\Program Files (x86)\Logitech\Desktop Messenger\8876480\8.1.1.87-8876480SL\Program\clntutil.dll
MOD - [2009/01/11 18:09:36 | 001,294,336 | ---- | M] () -- c:\windows\assembly\gac\system.data\1.0.5000.0__b77a5c561934e089\system.data.dll
MOD - [2009/01/11 18:09:36 | 000,126,976 | ---- | M] () -- c:\windows\assembly\gac\system.serviceprocess\1.0.5000.0__b03f5f7f11d50a3a\system.serviceprocess.dll
MOD - [2009/01/11 18:09:35 | 001,339,392 | ---- | M] () -- c:\windows\assembly\gac\system.xml\1.0.5000.0__b77a5c561934e089\system.xml.dll
MOD - [2009/01/11 18:09:35 | 000,466,944 | ---- | M] () -- c:\windows\assembly\gac\system.drawing\1.0.5000.0__b03f5f7f11d50a3a\system.drawing.dll
MOD - [2009/01/11 18:09:35 | 000,323,584 | ---- | M] () -- c:\windows\assembly\gac\system.runtime.remoting\1.0.5000.0__b77a5c561934e089\system.runtime.remoting.dll
MOD - [2009/01/11 18:09:33 | 000,299,008 | ---- | M] () -- c:\windows\assembly\gac\microsoft.visualbasic\7.0.5000.0__b03f5f7f11d50a3a\microsoft.visualbasic.dll
MOD - [2008/01/25 20:49:06 | 000,204,908 | ---- | M] () -- C:\Program Files (x86)\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
MOD - [1998/08/28 02:42:46 | 000,220,160 | ---- | M] () -- D:\lotus\organize\ormutil.dll
MOD - [1998/08/28 02:42:46 | 000,153,088 | ---- | M] () -- D:\lotus\organize\ormmime.dll
MOD - [1998/08/28 02:42:46 | 000,138,752 | ---- | M] () -- D:\lotus\organize\ormprot.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2012/02/16 21:15:42 | 000,275,912 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe -- (Amsp)
SRV:64bit: - [2008/01/20 21:47:32 | 000,383,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2012/01/31 17:15:56 | 000,091,816 | ---- | M] (PC Pitstop LLC) [On_Demand | Stopped] -- C:\Program Files (x86)\PCPitstop\PCPitstopScheduleService.exe -- (PCPitstop Scheduling)
SRV - [2012/01/03 08:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/18 10:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2009/03/29 23:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/03/05 01:38:34 | 000,500,784 | ---- | M] (Egis Incorporated) [On_Demand | Stopped] -- C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe -- (eDataSecurity Service)
SRV - [2008/01/25 20:49:04 | 000,269,448 | ---- | M] (CyberLink) [On_Demand | Stopped] -- C:\Program Files (x86)\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe -- (Acer HomeMedia Connect Service)
SRV - [2007/12/19 20:09:22 | 000,024,576 | ---- | M] () [Auto | Running] -- C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe -- (eSettingsService)
SRV - [2007/10/17 12:38:20 | 000,028,672 | ---- | M] () [On_Demand | Running] -- C:\Acer\Empowering Technology\ePerformance\MemCheck.exe -- (AcerMemUsageCheckService)
SRV - [2007/09/10 15:28:18 | 000,057,344 | ---- | M] (Acer Inc.) [Auto | Running] -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe -- (eRecoveryService)
SRV - [2007/02/14 11:09:06 | 000,056,344 | ---- | M] (Memeo) [On_Demand | Stopped] -- C:\Program Files (x86)\Memeo\AutoBackup\MemeoService.exe -- (BMUService)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/02/16 21:15:53 | 000,210,704 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\tmnciesc.sys -- (tmnciesc)
DRV:64bit: - [2012/02/16 21:15:53 | 000,167,696 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\DRIVERS\tmcomm.sys -- (tmcomm)
DRV:64bit: - [2012/02/16 21:15:53 | 000,105,744 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\DRIVERS\tmtdi.sys -- (tmtdi)
DRV:64bit: - [2012/02/16 21:15:53 | 000,091,920 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\DRIVERS\tmactmon.sys -- (tmactmon)
DRV:64bit: - [2012/02/16 21:15:53 | 000,070,928 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\DRIVERS\tmevtmgr.sys -- (tmevtmgr)
DRV:64bit: - [2012/02/16 21:15:53 | 000,067,344 | ---- | M] (Trend Micro Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\tmeevw.sys -- (tmeevw)
DRV:64bit: - [2011/07/07 21:21:28 | 000,174,184 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)
DRV:64bit: - [2011/05/10 07:06:08 | 000,051,712 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2009/09/30 19:51:42 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb)
DRV:64bit: - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/04/07 12:51:00 | 000,392,704 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\m4cxvst64.sys -- (m4cxvst64)
DRV:64bit: - [2008/03/05 01:39:22 | 000,060,976 | ---- | M] (Egis Incorporated) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\PSDVdisk.sys -- (psdvdisk)
DRV:64bit: - [2008/03/05 01:39:22 | 000,021,040 | ---- | M] (Egis Incorporated) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\PSDNServ.sys -- (PSDNServ)
DRV:64bit: - [2008/03/05 01:39:20 | 000,022,064 | ---- | M] (Egis Incorporated) [File_System | Boot | Running] -- C:\Windows\SysNative\DRIVERS\psdfilter.sys -- (PSDFilter)
DRV:64bit: - [2008/01/20 21:47:27 | 000,214,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2008/01/20 21:46:55 | 000,024,064 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV:64bit: - [2007/02/02 10:37:48 | 001,453,056 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\smserial.sys -- (smserial)
DRV - [2010/05/04 10:51:46 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2010/05/04 10:50:54 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2006/10/04 12:45:16 | 000,015,656 | ---- | M] () [Kernel | Auto | Running] -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15)
DRV - [1999/03/07 23:15:00 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Stopped] -- C:\Windows\SysWOW64\drivers\PMEMNT.SYS -- (PMEM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer...&m=aspire_m3641
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer...&m=aspire_m3641
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer...&m=aspire_m3641
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer...&m=aspire_m3641


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3751886251-2735378454-4006071929-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer...&m=aspire_m3641
IE - HKU\S-1-5-21-3751886251-2735378454-4006071929-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://global.acer.com [binary data]
IE - HKU\S-1-5-21-3751886251-2735378454-4006071929-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-3751886251-2735378454-4006071929-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-3751886251-2735378454-4006071929-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-3751886251-2735378454-4006071929-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3751886251-2735378454-4006071929-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.msn.com/"
FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:6.10.1
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0.722
FF - prefs.js..extensions.enabledItems: {22C7F6C6-8D67-4534-92B5-529A0EC09405}:6.8.0.1066
FF - prefs.js..extensions.enabledItems: {38783831-6098-4faa-A9C9-1EE1E343F4D2}:7.0.0.1086

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_1_102.dll File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files (x86)\Common Files\Motive\npMotive.dll (Alcatel-Lucent)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2571: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.2629: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1739: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files (x86)\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine: C:\Users\Steve\AppData\Roaming\nprhapengine.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{B728AB94-9BC7-49b7-B76A-422BB31B2FD0}: C:\Program Files (x86)\ArcSoft\Media Converter for Philips\Internet Video Downloader\Plugin_FireFox [2009/12/27 13:15:27 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{38783831-6098-4faa-A9C9-1EE1E343F4D2}: C:\Program Files\Trend Micro\AMSP\Module\20002\7.0.1086\7.0.1086\firefoxextension [2012/02/16 21:21:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox [2012/01/30 21:53:14 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22C7F6C6-8D67-4534-92B5-529A0EC09405}: C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension\ [2012/02/16 21:22:03 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\program files (x86)\Mozilla Firefox\components [2011/12/26 11:05:14 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\program files (x86)\Mozilla Firefox\plugins [2012/01/19 21:01:07 | 000,000,000 | ---D | M]

[2008/12/29 17:19:45 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Steve\AppData\Roaming\Mozilla\Extensions
[2012/02/17 19:32:10 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\rllb8erq.default\extensions
[2010/05/01 10:02:19 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\rllb8erq.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/02/17 19:32:10 | 000,000,000 | ---D | M] (LogMeIn, Inc. Remote Access Plugin) -- C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\rllb8erq.default\extensions\[email protected]
[2011/12/21 20:03:17 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2011/12/26 11:05:14 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2011/12/16 20:20:10 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2011/12/16 20:20:10 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/02/18 03:55:18 | 000,000,882 | RH-- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 94.63.147.16 www.google.com
O1 - Hosts: 94.63.147.17 www.bing.com
O2:64bit: - BHO: (TmIEPlugInBHO Class) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\2.0.1313\6.8.1072\TmIEPlg.dll (Trend Micro Inc.)
O2:64bit: - BHO: (RoboForm Toolbar Helper) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O2:64bit: - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x64\ActiveToolBand.dll (Egis)
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2:64bit: - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg64.dll (Google Inc.)
O2:64bit: - BHO: (TmBpIeBHO Class) - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\module\20002\7.0.1086\7.0.1086\TmBpIe64.dll (Trend Micro Inc.)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (IEPlugin Class) - {11222041-111B-46E3-BD29-EFB2449479B1} - C:\Program Files (x86)\ArcSoft\Media Converter for Philips\Internet Video Downloader\ArcURLRecord.dll (ArcSoft, Inc.)
O2 - BHO: (TmIEPlugInBHO Class) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\2.0.1313\6.8.1072\TmIEPlg32.dll (Trend Micro Inc.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Reg Error: Value error.) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O2 - BHO: (TmBpIeBHO Class) - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\module\20002\7.0.1086\7.0.1086\TmBpIe32.dll (Trend Micro Inc.)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3:64bit: - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x64\eDStoolbar.dll (Egis Incorporated.)
O3:64bit: - HKLM\..\Toolbar: (&RoboForm Toolbar) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3:64bit: - HKU\S-1-5-21-3751886251-2735378454-4006071929-1000\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x64\eDStoolbar.dll (Egis Incorporated.)
O3 - HKU\S-1-5-21-3751886251-2735378454-4006071929-1000\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3:64bit: - HKU\S-1-5-21-3751886251-2735378454-4006071929-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3:64bit: - HKU\S-1-5-21-3751886251-2735378454-4006071929-1000\..\Toolbar\WebBrowser: (&RoboForm Toolbar) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O3 - HKU\S-1-5-21-3751886251-2735378454-4006071929-1000\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O4:64bit: - HKLM..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe ()
O4:64bit: - HKLM..\Run: [Apanel] C:\ACERSW\config\SetApanel.cmd File not found
O4:64bit: - HKLM..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x64\eDSLoader.exe (Egis Incorporated)
O4:64bit: - HKLM..\Run: [NvCplDaemon] C:\Windows\SysNative\NvCpl.dll (NVIDIA Corporation)
O4:64bit: - HKLM..\Run: [NvMediaCenter] C:\Windows\SysNative\NvMcTray.dll (NVIDIA Corporation)
O4:64bit: - HKLM..\Run: [NVRaidService] C:\Windows\SysNative\nvraidservice.exe (NVIDIA Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
O4:64bit: - HKLM..\Run: [Trend Micro Client Framework] C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe (Trend Micro Inc.)
O4:64bit: - HKLM..\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe (Trend Micro Inc.)
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acer Assist Launcher] C:\Program Files (x86)\Acer Assist\launcher.exe ()
O4 - HKLM..\Run: [Acer Product Registration] C:\Program Files (x86)\Acer Registration\ACE1.exe (Leader Technologies)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [DNS7reminder] C:\Program Files (x86)\Nuance\NaturallySpeaking10\Ereg\Ereg.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [dplaysvr] C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe File not found
O4 - HKLM..\Run: [eRecoveryService] File not found
O4 - HKLM..\Run: [Info Center] C:\Program Files (x86)\PCPitstop\Info Center\InfoCenter.exe (PC Pitstop LLC)
O4 - HKLM..\Run: [PCMMediaSharing] C:\Program Files (x86)\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe ()
O4 - HKU\.DEFAULT..\Run: [dplaysvr] C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe File not found
O4 - HKU\.DEFAULT..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe File not found
O4 - HKU\S-1-5-18..\Run: [dplaysvr] C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe File not found
O4 - HKU\S-1-5-18..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe File not found
O4 - HKU\S-1-5-19..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe File not found
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe File not found
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-3751886251-2735378454-4006071929-1000..\Run: [cdloader] C:\Users\Steve\AppData\Roaming\mjusbsp\cdloader2.exe (magicJack L.P.)
O4 - HKU\S-1-5-21-3751886251-2735378454-4006071929-1000..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe File not found
O4 - HKU\S-1-5-21-3751886251-2735378454-4006071929-1000..\Run: [RoboForm] C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - HKU\S-1-5-21-3751886251-2735378454-4006071929-1000..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-3751886251-2735378454-4006071929-1000..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe File not found
O4 - Startup: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoBackup Launcher.lnk = C:\Program Files (x86)\Memeo\AutoBackup\MemeoLauncher.exe (Memeo)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O8:64bit: - Extra context menu item: Customize Menu - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()
O8:64bit: - Extra context menu item: Fill Forms - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8:64bit: - Extra context menu item: RoboForm Toolbar - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O8:64bit: - Extra context menu item: Save Forms - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O8 - Extra context menu item: Customize Menu - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()
O8 - Extra context menu item: Fill Forms - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O8 - Extra context menu item: Save Forms - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9:64bit: - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O9:64bit: - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O9:64bit: - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O9:64bit: - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O9:64bit: - Extra Button: Show Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O9:64bit: - Extra 'Tools' menuitem : Show RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-3751886251-2735378454-4006071929-1000\..Trusted Domains: real.com ([rhap-app-4-0] https in Trusted sites)
O15 - HKU\S-1-5-21-3751886251-2735378454-4006071929-1000\..Trusted Domains: real.com ([rhapreg] https in Trusted sites)
O15 - HKU\S-1-5-21-3751886251-2735378454-4006071929-1000\..Trusted Domains: rhapsody.com ([rhap-app-4-0] https in Trusted sites)
O15 - HKU\S-1-5-21-3751886251-2735378454-4006071929-1000\..Trusted Domains: rhapsody.com ([rhapreg] https in Trusted sites)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://utilities.pcp...ols/pcmatic.cab (PCPitstop Utility)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logme...trl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0387CC52-77EF-478D-801E-673037019A6E}: DhcpNameServer = 192.168.0.1
O18:64bit: - Protocol\Handler\bwfile-8876480 - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\oledb - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\tmbp {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\7.0.1086\7.0.1086\TmBpIe64.dll (Trend Micro Inc.)
O18:64bit: - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\2.0.1313\6.8.1072\TmIEPlg.dll (Trend Micro Inc.)
O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files (x86)\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\tmbp {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\7.0.1086\7.0.1086\TmBpIe32.dll (Trend Micro Inc.)
O18 - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\2.0.1313\6.8.1072\TmIEPlg32.dll (Trend Micro Inc.)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img34.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img34.jpg
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/19 16:38:41 | 000,000,000 | ---D | C] -- C:\Users\Steve\Desktop\GooredFix Backups
[2012/02/19 16:38:15 | 000,071,398 | ---- | C] (jpshortstuff) -- C:\Users\Steve\Documents\GooredFix.exe
[2012/02/19 16:13:33 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/02/19 16:12:04 | 000,000,000 | ---D | C] -- C:\tdsskiller
[2012/02/19 15:36:52 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\SmitfraudFix
[2012/02/19 14:39:45 | 000,289,144 | ---- | C] (S!Ri) -- C:\Windows\SysWow64\VCCLSID.exe
[2012/02/19 14:39:45 | 000,288,417 | ---- | C] (S!Ri) -- C:\Windows\SysWow64\SrchSTS.exe
[2012/02/19 14:39:45 | 000,135,168 | ---- | C] (SteelWerX) -- C:\Windows\SysWow64\swreg.exe
[2012/02/19 14:39:45 | 000,087,552 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\VACFix.exe
[2012/02/19 14:39:45 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\IEDFix.exe
[2012/02/19 14:39:45 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\IEDFix.C.exe
[2012/02/19 14:39:45 | 000,082,432 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\404Fix.exe
[2012/02/19 14:39:45 | 000,080,384 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\o4Patch.exe
[2012/02/19 14:39:45 | 000,079,360 | ---- | C] (SteelWerX) -- C:\Windows\SysWow64\swxcacls.exe
[2012/02/19 14:39:45 | 000,078,336 | ---- | C] (S!Ri.URZ) -- C:\Windows\SysWow64\Agent.OMZ.Fix.exe
[2012/02/19 14:39:45 | 000,053,248 | ---- | C] (http://www.beyondlogic.org) -- C:\Windows\SysWow64\Process.exe
[2012/02/19 14:39:34 | 000,000,000 | ---D | C] -- C:\Users\Steve\Documents\SmitfraudFix
[2012/02/19 12:26:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2012/02/19 12:26:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2012/02/19 12:26:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2012/02/18 09:47:07 | 000,000,000 | ---D | C] -- C:\Program Files\Realtek
[2012/02/18 09:46:28 | 003,308,376 | ---- | C] (Dolby Laboratories) -- C:\Windows\SysNative\R4EEP64A.dll
[2012/02/18 09:46:28 | 000,426,328 | ---- | C] (Dolby Laboratories) -- C:\Windows\SysNative\R4EED64A.dll
[2012/02/18 09:46:28 | 000,136,024 | ---- | C] (Dolby Laboratories) -- C:\Windows\SysNative\R4EEL64A.dll
[2012/02/18 09:46:28 | 000,118,104 | ---- | C] (Dolby Laboratories) -- C:\Windows\SysNative\R4EEA64A.dll
[2012/02/18 09:46:28 | 000,074,072 | ---- | C] (Dolby Laboratories) -- C:\Windows\SysNative\R4EEG64A.dll
[2012/02/18 09:46:18 | 002,604,376 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\SysNative\WavesGUILib.dll
[2012/02/18 09:46:16 | 000,518,896 | ---- | C] (SRS Labs, Inc.) -- C:\Windows\SysNative\SRSTSX64.dll
[2012/02/18 09:46:16 | 000,211,184 | ---- | C] (SRS Labs, Inc.) -- C:\Windows\SysNative\SRSTSH64.dll
[2012/02/18 09:46:16 | 000,198,896 | ---- | C] (SRS Labs, Inc.) -- C:\Windows\SysNative\SRSHP64.dll
[2012/02/18 09:46:16 | 000,155,888 | ---- | C] (SRS Labs, Inc.) -- C:\Windows\SysNative\SRSWOW64.dll
[2012/02/18 09:46:14 | 000,221,024 | ---- | C] (Synopsys, Inc.) -- C:\Windows\SysNative\SFNHK64.dll
[2012/02/18 09:46:14 | 000,081,248 | ---- | C] (Synopsys, Inc.) -- C:\Windows\SysNative\SFCOM64.dll
[2012/02/18 09:46:14 | 000,078,688 | ---- | C] (Synopsys, Inc.) -- C:\Windows\SysNative\SFAPO64.dll
[2012/02/18 09:46:14 | 000,074,064 | ---- | C] (Virage Logic Corporation / Sonic Focus) -- C:\Windows\SysWow64\SFCOM.dll
[2012/02/18 09:46:10 | 000,375,128 | ---- | C] (Dolby Laboratories, Inc.) -- C:\Windows\SysNative\RTEEP64A.dll
[2012/02/18 09:46:10 | 000,310,104 | ---- | C] (Dolby Laboratories, Inc.) -- C:\Windows\SysNative\RP3DHT64.dll
[2012/02/18 09:46:10 | 000,310,104 | ---- | C] (Dolby Laboratories, Inc.) -- C:\Windows\SysNative\RP3DAA64.dll
[2012/02/18 09:46:10 | 000,204,120 | ---- | C] (Dolby Laboratories, Inc.) -- C:\Windows\SysNative\RTEED64A.dll
[2012/02/18 09:46:10 | 000,101,208 | ---- | C] (Dolby Laboratories, Inc.) -- C:\Windows\SysNative\RTEEL64A.dll
[2012/02/18 09:46:10 | 000,078,680 | ---- | C] (Dolby Laboratories, Inc.) -- C:\Windows\SysNative\RTEEG64A.dll
[2012/02/18 09:46:06 | 003,768,152 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\SysNative\MaxxAudioRealtek.dll
[2012/02/18 09:46:06 | 002,132,824 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\SysNative\MaxxAudioEQ.dll
[2012/02/18 09:46:06 | 000,702,808 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\SysNative\MaxxAudioRealtek2.dll
[2012/02/18 09:46:06 | 000,341,336 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\SysNative\MaxxAudioAPO30.dll
[2012/02/18 09:46:06 | 000,334,680 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\SysNative\MaxxVolumeSDAPO.dll
[2012/02/18 09:46:06 | 000,318,808 | ---- | C] (Waves Audio Ltd.) -- C:\Windows\SysNative\MaxxAudioAPO20.dll
[2012/02/18 09:46:05 | 000,603,984 | ---- | C] (Knowles Acoustics ) -- C:\Windows\SysNative\KAAPORT64.dll
[2012/02/18 09:46:02 | 002,085,440 | ---- | C] (Fortemedia Corporation) -- C:\Windows\SysNative\FMAPO64.dll
[2012/02/18 09:46:02 | 000,693,352 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSVoiceClarityDLL64.dll
[2012/02/18 09:46:02 | 000,527,872 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSU2PLFX64.dll
[2012/02/18 09:46:02 | 000,515,584 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSU2PGFX64.dll
[2012/02/18 09:46:02 | 000,439,808 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSU2PREC64.dll
[2012/02/18 09:46:01 | 001,756,264 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSS2SpeakerDLL64.dll
[2012/02/18 09:46:01 | 001,568,360 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSS2HeadphoneDLL64.dll
[2012/02/18 09:46:01 | 001,486,952 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSBoostDLL64.dll
[2012/02/18 09:46:01 | 000,728,680 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSBassEnhancementDLL64.dll
[2012/02/18 09:46:01 | 000,712,296 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSSymmetryDLL64.dll
[2012/02/18 09:46:01 | 000,491,112 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSNeoPCDLL64.dll
[2012/02/18 09:46:01 | 000,432,744 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSLimiterDLL64.dll
[2012/02/18 09:46:01 | 000,428,648 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSGainCompensatorDLL64.dll
[2012/02/18 09:46:01 | 000,242,792 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSLFXAPO64.dll
[2012/02/18 09:46:01 | 000,242,792 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSGFXAPO64.dll
[2012/02/18 09:46:01 | 000,241,768 | ---- | C] (DTS) -- C:\Windows\SysNative\DTSGFXAPONS64.dll
[2012/02/18 09:44:46 | 000,000,000 | ---D | C] -- C:\Program Files\DIFX
[2012/02/18 09:21:12 | 000,000,000 | ---D | C] -- C:\ProgramData\PCPitstopDat
[2012/02/17 19:38:35 | 000,000,000 | ---D | C] -- C:\ProgramData\PCPitstop
[2012/02/17 19:38:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Pitstop
[2012/02/17 19:38:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\PCPitstop
[2012/02/17 07:24:36 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Local\ElevatedDiagnostics
[2012/02/16 22:17:56 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Trend Micro Titanium Internet Security 2012
[2012/02/16 21:19:28 | 000,210,704 | ---- | C] (Trend Micro Inc.) -- C:\Windows\SysNative\drivers\tmnciesc.sys
[2012/02/16 21:19:28 | 000,067,344 | ---- | C] (Trend Micro Inc.) -- C:\Windows\SysNative\drivers\tmeevw.sys
[2012/02/16 21:19:25 | 000,105,744 | ---- | C] (Trend Micro Inc.) -- C:\Windows\SysNative\drivers\tmtdi.sys
[2012/02/16 21:19:19 | 000,167,696 | ---- | C] (Trend Micro Inc.) -- C:\Windows\SysNative\drivers\tmcomm.sys
[2012/02/16 21:19:19 | 000,091,920 | ---- | C] (Trend Micro Inc.) -- C:\Windows\SysNative\drivers\tmactmon.sys
[2012/02/16 21:19:19 | 000,070,928 | ---- | C] (Trend Micro Inc.) -- C:\Windows\SysNative\drivers\tmevtmgr.sys
[2012/02/16 21:17:53 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2012/02/15 19:54:26 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Roaming\Malwarebytes
[2012/02/15 19:54:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/02/15 18:45:54 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2012/02/09 20:14:20 | 000,000,000 | ---D | C] -- C:\Users\Steve\AppData\Local\lanMapdb
[2012/01/30 21:53:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AI RoboForm
[2012/01/23 21:10:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Runtime Software
[2012/01/23 21:10:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Runtime Software

========== Files - Modified Within 30 Days ==========

[2012/02/19 16:52:22 | 000,822,486 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/02/19 16:52:22 | 000,686,966 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/02/19 16:52:22 | 000,136,668 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/02/19 16:47:16 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/02/19 16:45:11 | 000,003,216 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/02/19 16:45:11 | 000,003,216 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/02/19 16:45:07 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/02/19 16:36:42 | 000,071,398 | ---- | M] (jpshortstuff) -- C:\Users\Steve\Documents\GooredFix.exe
[2012/02/19 16:32:29 | 000,000,277 | ---- | M] () -- C:\Users\Steve\Desktop\OTM.exe - Shortcut.lnk
[2012/02/19 16:31:16 | 000,282,703 | ---- | M] () -- C:\Users\Steve\Documents\OTM.exe
[2012/02/19 16:22:02 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/02/19 15:37:46 | 000,002,924 | ---- | M] () -- C:\Windows\SysWow64\tmp.reg
[2012/02/19 15:11:49 | 000,000,691 | ---- | M] () -- C:\Users\Steve\AppData\Roaming\GetValue.vbs
[2012/02/19 15:11:49 | 000,000,035 | ---- | M] () -- C:\Users\Steve\AppData\Roaming\SetValue.bat
[2012/02/19 13:50:26 | 001,872,472 | ---- | M] () -- C:\Users\Steve\Documents\SmitfraudFix.exe
[2012/02/19 12:27:00 | 000,001,101 | ---- | M] () -- C:\Users\Steve\Desktop\Spybot - Search & Destroy.lnk
[2012/02/19 11:00:27 | 000,000,434 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{E53CF9B6-4DC6-4449-9B46-2FA26FAEF63E}.job
[2012/02/18 03:55:18 | 000,000,882 | RH-- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012/02/17 19:38:36 | 000,001,873 | ---- | M] () -- C:\Users\Steve\Desktop\PC Matic.lnk
[2012/02/17 07:08:38 | 000,400,352 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/02/17 07:05:03 | 000,000,526 | ---- | M] () -- C:\Windows\tasks\NatSpeak Periodic Language Model Optimization.job
[2012/02/16 22:47:59 | 000,000,129 | ---- | M] () -- C:\Windows\SysNative\MRT.INI
[2012/02/16 22:17:58 | 000,001,151 | ---- | M] () -- C:\Users\Steve\Desktop\Trend Micro Titanium Internet Security 2012.lnk
[2012/02/16 21:18:36 | 000,000,056 | ---- | M] () -- C:\Windows\SysNative\SupportTool.exe.bat
[2012/02/16 21:15:53 | 000,210,704 | ---- | M] (Trend Micro Inc.) -- C:\Windows\SysNative\drivers\tmnciesc.sys
[2012/02/16 21:15:53 | 000,167,696 | ---- | M] (Trend Micro Inc.) -- C:\Windows\SysNative\drivers\tmcomm.sys
[2012/02/16 21:15:53 | 000,105,744 | ---- | M] (Trend Micro Inc.) -- C:\Windows\SysNative\drivers\tmtdi.sys
[2012/02/16 21:15:53 | 000,091,920 | ---- | M] (Trend Micro Inc.) -- C:\Windows\SysNative\drivers\tmactmon.sys
[2012/02/16 21:15:53 | 000,070,928 | ---- | M] (Trend Micro Inc.) -- C:\Windows\SysNative\drivers\tmevtmgr.sys
[2012/02/16 21:15:53 | 000,067,344 | ---- | M] (Trend Micro Inc.) -- C:\Windows\SysNative\drivers\tmeevw.sys
[2012/02/16 21:00:18 | 000,000,502 | ---- | M] () -- C:\Windows\tasks\NatSpeak Periodic Acoustic Optimization.job
[2012/02/15 19:33:07 | 000,776,587 | ---- | M] () -- C:\Users\Steve\AppData\Local\census.cache
[2012/02/15 19:33:03 | 000,186,105 | ---- | M] () -- C:\Users\Steve\AppData\Local\ars.cache
[2012/02/15 19:27:22 | 000,000,036 | ---- | M] () -- C:\Users\Steve\AppData\Local\housecall.guid.cache
[2012/02/15 18:45:48 | 552,392,460 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/01/23 21:10:10 | 000,000,979 | ---- | M] () -- C:\Users\Steve\Application Data\Microsoft\Internet Explorer\Quick Launch\ShadowCopy.lnk
[2012/01/23 21:10:10 | 000,000,955 | ---- | M] () -- C:\Users\Public\Desktop\ShadowCopy.lnk

========== Files Created - No Company Name ==========

[2012/02/19 16:32:52 | 000,282,703 | ---- | C] () -- C:\Users\Steve\Documents\OTM.exe
[2012/02/19 16:32:29 | 000,000,277 | ---- | C] () -- C:\Users\Steve\Desktop\OTM.exe - Shortcut.lnk
[2012/02/19 14:46:32 | 000,000,691 | ---- | C] () -- C:\Users\Steve\AppData\Roaming\GetValue.vbs
[2012/02/19 14:46:32 | 000,000,035 | ---- | C] () -- C:\Users\Steve\AppData\Roaming\SetValue.bat
[2012/02/19 14:40:12 | 000,002,924 | ---- | C] () -- C:\Windows\SysWow64\tmp.reg
[2012/02/19 14:39:45 | 000,075,776 | ---- | C] () -- C:\Windows\SysWow64\WS2Fix.exe
[2012/02/19 14:39:45 | 000,051,200 | ---- | C] () -- C:\Windows\SysWow64\dumphive.exe
[2012/02/19 14:39:45 | 000,040,960 | ---- | C] () -- C:\Windows\SysWow64\swsc.exe
[2012/02/19 14:38:37 | 001,872,472 | ---- | C] () -- C:\Users\Steve\Documents\SmitfraudFix.exe
[2012/02/19 12:27:00 | 000,001,101 | ---- | C] () -- C:\Users\Steve\Desktop\Spybot - Search & Destroy.lnk
[2012/02/18 09:46:10 | 000,200,468 | ---- | C] () -- C:\Windows\SysNative\drivers\RTAIODAT.DAT
[2012/02/17 19:38:36 | 000,001,873 | ---- | C] () -- C:\Users\Steve\Desktop\PC Matic.lnk
[2012/02/16 22:47:59 | 000,000,129 | ---- | C] () -- C:\Windows\SysNative\MRT.INI
[2012/02/16 22:17:56 | 000,001,151 | ---- | C] () -- C:\Users\Steve\Desktop\Trend Micro Titanium Internet Security 2012.lnk
[2012/02/15 19:10:27 | 000,776,587 | ---- | C] () -- C:\Users\Steve\AppData\Local\census.cache
[2012/02/15 19:09:54 | 000,186,105 | ---- | C] () -- C:\Users\Steve\AppData\Local\ars.cache
[2012/02/15 18:58:03 | 000,000,036 | ---- | C] () -- C:\Users\Steve\AppData\Local\housecall.guid.cache
[2012/02/15 18:45:48 | 552,392,460 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2012/01/23 21:10:10 | 000,000,979 | ---- | C] () -- C:\Users\Steve\Application Data\Microsoft\Internet Explorer\Quick Launch\ShadowCopy.lnk
[2012/01/23 21:10:10 | 000,000,955 | ---- | C] () -- C:\Users\Public\Desktop\ShadowCopy.lnk
[2011/05/23 18:07:14 | 000,182,924 | -H-- | C] () -- C:\Windows\SysWow64\mlfcache.dat
[2011/01/23 12:09:58 | 000,002,558 | ---- | C] () -- C:\Users\Steve\AppData\Roaming\SAS7_000.DAT
[2011/01/09 00:06:40 | 000,815,104 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2011/01/09 00:06:40 | 000,180,224 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll
[2010/09/19 16:39:31 | 000,000,058 | ---- | C] () -- C:\Windows\OSA.INI
[2010/08/15 12:10:18 | 000,000,000 | ---- | C] () -- C:\Users\Steve\AppData\Roaming\wklnhst.dat
[2010/06/28 18:27:06 | 000,021,504 | ---- | C] () -- C:\Windows\jestertb.dll
[2010/06/13 14:38:22 | 000,000,004 | ---- | C] () -- C:\Users\Steve\AppData\Roaming\2BEAF6
[2010/06/13 14:38:21 | 000,870,128 | ---- | C] () -- C:\Users\Steve\AppData\Roaming\mcs.rma
[2009/12/27 13:25:00 | 004,108,440 | ---- | C] () -- C:\Users\Steve\AppData\Roaming\sa1vbe04k_02_fuz_eng.exe
[2009/02/22 16:00:08 | 000,000,732 | ---- | C] () -- C:\Users\Steve\AppData\Local\d3d9caps64.dat
[2009/01/12 18:11:26 | 000,000,093 | ---- | C] () -- C:\Users\Steve\AppData\Local\fusioncache.dat
[2009/01/07 20:54:00 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2008/12/17 12:54:01 | 000,078,336 | ---- | C] () -- C:\Users\Steve\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== LOP Check ==========

[2008/03/16 17:38:55 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\Acer GameZone Console
[2008/03/16 17:38:55 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\Acer GameZone Console
[2008/12/17 13:37:23 | 000,000,000 | ---D | M] -- C:\Users\Evelyn\AppData\Roaming\Acer
[2008/03/16 17:38:55 | 000,000,000 | ---D | M] -- C:\Users\Evelyn\AppData\Roaming\Acer GameZone Console
[2008/12/17 13:37:22 | 000,000,000 | ---D | M] -- C:\Users\Evelyn\AppData\Roaming\Leadertech
[2010/08/20 11:12:27 | 000,000,000 | ---D | M] -- C:\Users\Evelyn\AppData\Roaming\mjusbsp
[2011/04/18 18:27:15 | 000,000,000 | ---D | M] -- C:\Users\Evelyn\AppData\Roaming\Nuance
[2009/06/08 19:22:04 | 000,000,000 | ---D | M] -- C:\Users\Evelyn\AppData\Roaming\Serif
[2008/12/15 13:33:06 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Acer
[2008/03/16 17:38:55 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Acer GameZone Console
[2009/12/27 13:34:01 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Binary Fortress Software
[2009/04/19 14:16:27 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\eSobi
[2009/12/27 16:20:48 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\iTunes Agent
[2008/12/15 13:33:05 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Leadertech
[2010/08/20 16:02:03 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\mjusbsp
[2011/01/23 11:31:59 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Nuance
[2009/04/19 15:41:43 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Serif
[2010/08/15 12:10:20 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\Template
[2011/09/06 16:19:33 | 000,000,000 | ---D | M] -- C:\Users\Steve\AppData\Roaming\uPlayer
[2012/02/16 21:00:18 | 000,000,502 | ---- | M] () -- C:\Windows\Tasks\NatSpeak Periodic Acoustic Optimization.job
[2012/02/17 07:05:03 | 000,000,526 | ---- | M] () -- C:\Windows\Tasks\NatSpeak Periodic Language Model Optimization.job
[2012/02/19 16:44:02 | 000,032,632 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2012/02/19 11:00:27 | 000,000,434 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{E53CF9B6-4DC6-4449-9B46-2FA26FAEF63E}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 205 bytes -> C:\ProgramData\TEMP:F35A93AD

< End of report >

Attached Files


  • 0

Advertisements

#2
RKinner
Posted 20 February 2012 - 12:56 AM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
1.
Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu
select
Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck
Resident TeaTimer
and OK any prompts.
* Restart your computer

2.
ComboFix

:!: It must be saved to your desktop, do not run it from your browser:!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Rightclick on ComboFix and select Run As Administrator to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

3.
Download aswMBR.exe ( 511KB ) to your desktop.
Right click aswMBR.exe and Run as Administrator
uncheck trace disk IO calls
Click the "Scan" button to start scan (allow the Avast Engine)
On completion of the scan (Note if the Fix button is enabled (not the FixMBR button) and tell me) click save log, save it to your desktop and post in your next reply


4.
Copy the text in the code box by highlighting and Ctrl + c 


:OTL
O1 - Hosts: 94.63.147.16 www.google.com
O1 - Hosts: 94.63.147.17 www.bing.com

:files
xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C
     
:Commands
[EMPTYFLASH]
[EMPTYJAVA]
[purity]
[Reboot]

then Rightclick on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text. Verify that you got it all and Then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top
Let the program run unhindered, OTL will reboot the PC when it is done.


5.
Copy the text in the code box:


nnetsvcs
%SYSTEMDRIVE%\*.exe
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
consrv.dll
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

Run OTL (Vista or Win 7 => right click and Run As Administrator)

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.

Ron
  • 0

#3
toooldforthis
Posted 21 February 2012 - 09:47 PM

toooldforthis

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Ron, I appreciate the help. I am attaching the 4 files you requested. After the aswMBR scan the fix button was NOT enabled. Let me know if there is anything else you need me to do.

Attached Files


  • 0

#4
RKinner
Posted 22 February 2012 - 12:06 AM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Clear the Java Cache by following the instructions on
http://www.java.com/...lugin_cache.xml

You do not have the latest Java.
First go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
I see:
Java™ 6 Update 17


Get the latest Java at:
http://www.java.com/en/



Right click on (My) Computer and select Manage (Continue) Then the Event Viewer. Next select Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application.

Reboot.

Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator. Then type (with an Enter after each line).
sfc  /scannow

(This will check your critical system files. If it asks for a CD and you don't have one or it doesn't like your CD just tell it to SKIP. Vista almost always complains that it can't fix a file so don't worry about it.)


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.

Please zip up and attach the file

C:\Users\Steve\Desktop\MBR.dat (should be on your desktop) If you don't have a zip program (7-zip is free and works well: http://downloads.sou...enzip/7z920.msi ) you can just right click on it and rename it to mbr.txt. It has to be attached tho do not try to open it and copy and paste.)

How is it running now?

Ron
  • 0

#5
toooldforthis
Posted 22 February 2012 - 02:13 PM

toooldforthis

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Ron, I've included the files you requested. Google and Bing both seam to be working well. I am no longer getting the WINRSCMDE message or the other microsoft window that kept opening. I can't thank you enough for the help. Steve

Attached Files


  • 0

#6
RKinner
Posted 22 February 2012 - 02:34 PM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

The following boot-start or system-start driver(s) failed to load: Beep


This error is caused by outdated software that should not be on a 64 bit system as 64 bit systems no longer have a beep driver.

The PMEM service failed to start due to the following error: This driver has been blocked from loading

\??\C:\Windows\SysWOW64\drivers\pmemnt.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.


More out-dated software. No clue what it is tho.

The mrtRate service failed to start due to the following error: The system cannot find the file specified.

This is from Quicken. Appears to be left after an uninstall. You can turn it off:
Copy the next line:

sc config mrtRate start= disabled

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Right click and Paste or Edit then Paste and the copied line should appear. Hit Enter.

The MCSTRM service failed to start due to the following error: The system cannot find the file specified.

This is from Real Player. Again left over from an uninstall I guess.
You can turn it off:
Copy the next line:

sc config MCSTRM start= disabled

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Right click and Paste or Edit then Paste and the copied line should appear. Hit Enter.

That's all I can do anything about. I think we are done:

We need to cleanup System Restore:

Copy the following:


:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]
Right click on OTL and Run As Administrator. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

That will get the last of the malware off the system.



You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, All Programs, Accessories then right click on Command Prompt and Run As Administrator.
then right click, Paste, then hit Enter.

OTL has a cleanup tab if you go there it will remove itself and its logs.

To hide hidden files again (OTL may do it for you):

Vista or Win7

# Open the Control Panel menu and click Folder Options.
# After the new window appears select the View tab.
# Remove the check in the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the radio button labeled Do not Show hidden files and folders.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and exit My Computer.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. Exception is MSN messenger which appears to be part of Windows.)
If you get a blocked program notice after installing updatechecker then change it to not run at start then manually run it once a week.
Seems to work best if Firefox is the default browser. You can also try Secunia PSI http://secunia.com/v...l/download_psi/ Same kind of info. You don't need both.
If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/
The free version only blocks 200 ads a day so another reason to use Firefox or Chrome.

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.


If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron
  • 0

#7
toooldforthis
Posted 23 February 2012 - 06:18 PM

toooldforthis

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Ron,

I can't thank you enough for all the help. I will follow up the last suggestions and cleanup the restore points. Thanks again!!!!

Steve
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP