
Trojan.BHOs keep coming back [Solved]


  • This topic is locked

#1
MissMinerva
    New Member, 7 posts
Hi all. This is my first post here :) The past month or so these four items - Trojan.BHO - keep coming back up in MBAM scans. MBAM successfully removes them each time, but they have been returning. I will notice a bit of a slowdown on the 'net and that's when I will run MBAM. I have Win7 on a 4-month-old Acer desktop. I just ran OTL and here are the logs:


OTL logfile created on: 5/14/2012 4:11:36 PM - Run 1
OTL by OldTimer - Version 3.2.43.0 Folder = C:\Users\Jan\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

7.98 Gb Total Physical Memory | 6.58 Gb Available Physical Memory | 82.48% Memory free
15.96 Gb Paging File | 14.05 Gb Available in Paging File | 88.06% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 914.41 Gb Total Space | 869.62 Gb Free Space | 95.10% Space Free | Partition Type: NTFS

Computer Name: JAN-PC | User Name: Jan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/05/14 16:10:32 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Users\Jan\Desktop\OTL.exe
PRC - [2012/05/01 11:43:49 | 000,400,344 | ---- | M] (Mozilla Messaging) -- C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
PRC - [2012/04/27 15:26:35 | 000,924,600 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2011/04/22 11:44:14 | 000,244,624 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer Updater\UpdaterService.exe
PRC - [2010/12/20 05:30:38 | 002,656,280 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
PRC - [2010/12/20 05:30:36 | 000,325,656 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
PRC - [2010/11/06 02:54:22 | 000,013,336 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe


========== Modules (No Company Name) ==========

MOD - [2012/05/04 15:21:11 | 008,797,856 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
MOD - [2012/05/01 11:43:50 | 001,952,728 | ---- | M] () -- C:\Program Files (x86)\Mozilla Thunderbird\mozjs.dll
MOD - [2012/05/01 11:43:49 | 000,162,776 | ---- | M] () -- C:\Program Files (x86)\Mozilla Thunderbird\nsldap32v60.dll
MOD - [2012/05/01 11:43:49 | 000,021,976 | ---- | M] () -- C:\Program Files (x86)\Mozilla Thunderbird\nsldappr32v60.dll
MOD - [2012/04/27 15:26:35 | 001,952,696 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2012/03/26 18:49:56 | 000,291,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2012/03/26 18:49:56 | 000,012,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2011/04/22 11:44:14 | 000,244,624 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files\Acer\Acer Updater\UpdaterService.exe -- (Live Updater Service)
SRV:64bit: - [2011/04/05 20:58:48 | 000,203,776 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2012/05/04 15:21:12 | 000,257,696 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/04/27 15:26:36 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2011/05/29 21:54:14 | 000,036,456 | ---- | M] (Acer Incorporated) [Disabled | Stopped] -- C:\Program Files (x86)\Acer\Registration\GREGsvc.exe -- (GREGService)
SRV - [2010/12/20 05:30:38 | 002,656,280 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe -- (UNS) Intel®
SRV - [2010/12/20 05:30:36 | 000,325,656 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe -- (LMS) Intel®
SRV - [2010/11/06 02:54:22 | 000,013,336 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc) Intel®
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/03/20 20:44:12 | 000,098,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2012/03/01 01:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/06/30 01:03:04 | 000,054,784 | ---- | M] (Etron Technology Inc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\EtronHub3.sys -- (EtronHub3)
DRV:64bit: - [2011/06/30 01:03:02 | 000,077,696 | ---- | M] (Etron Technology Inc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\EtronXHCI.sys -- (EtronXHCI)
DRV:64bit: - [2011/05/16 09:55:28 | 000,533,096 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011/04/19 10:52:20 | 001,254,464 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bcmwlhigh664.sys -- (BCMH43XX)
DRV:64bit: - [2011/04/05 23:11:45 | 009,323,520 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2011/04/05 20:21:43 | 000,304,128 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2011/03/11 01:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 01:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/20 22:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 22:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 22:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/11/17 07:04:32 | 000,115,216 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
DRV:64bit: - [2010/11/06 02:45:48 | 000,438,808 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2010/10/19 03:34:26 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64) Intel®
DRV:64bit: - [2010/08/10 22:40:06 | 001,014,624 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\netr28x.sys -- (netr28x)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer.msn.com
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://acer.msn.com
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer.msn.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://acer.msn.com
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...rc=IE-SearchBox

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default Download Directory = C:\Users\Jan\Desktop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer.msn.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.co...mplete=0&hl=en"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:2.0.1
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.15.1
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {EDA7B1D7-F793-4e03-B074-E6F303317FB0}:1.2.7
FF - prefs.js..extensions.enabledItems: [email protected]:0.5
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}:6.0.29
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}:6.0.30
FF - prefs.js..extensions.enabledItems: [email protected]:0.08
FF - prefs.js..keyword.enabled: false


FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_2_202_235.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/04/27 15:26:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 12.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2012/03/11 22:28:19 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 12.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins

[2012/03/10 14:34:42 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jan\AppData\Roaming\Mozilla\Extensions
[2012/05/06 23:30:51 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\d4sxgva0.default\extensions
[2012/03/10 14:44:17 | 000,000,000 | ---D | M] (Flashblock) -- C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\d4sxgva0.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2012/03/10 14:44:19 | 000,000,000 | ---D | M] (Compact Menu 2) -- C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\d4sxgva0.default\extensions\{57068FBE-1506-42ee-AB02-BD183E7999E4}(37)
[2012/03/10 14:44:20 | 000,000,000 | ---D | M] (Menu Editor) -- C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\d4sxgva0.default\extensions\{EDA7B1D7-F793-4e03-B074-E6F303317FB0}
[2012/03/10 14:44:06 | 000,000,000 | ---D | M] (Mangan) -- C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\d4sxgva0.default\extensions\mangan@joerg-walter(36).net
[2012/03/10 14:44:17 | 000,000,000 | ---D | M] (Remove New Tab Button) -- C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\d4sxgva0.default\extensions\[email protected]
[2012/03/10 14:44:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\d4sxgva0.default\extensions\mangan@joerg-walter(36).net\chrome\windows\mozapps\extensions
[2012/04/27 15:26:36 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/01/05 17:57:15 | 000,634,964 | ---- | M] () (No name found) -- C:\USERS\JAN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\D4SXGVA0.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2012/04/27 15:26:35 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/02/16 05:42:53 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/02/16 05:42:53 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2009/06/10 16:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Groove GFS Browser Helper) - {76C35EAC-22F8-781F-2BE9-60521062166A} - C:\Windows\SysWOW64\FXSCOOM.dll ()
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O13:64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{38B36B7D-9A61-40D3-8B62-7C9011E87702}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{72632582-F130-4920-A4A3-9564DBB72F85}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/05/14 16:10:29 | 000,595,456 | ---- | C] (OldTimer Tools) -- C:\Users\Jan\Desktop\OTL.exe
[2012/05/13 13:17:53 | 000,466,456 | ---- | C] (Creative Labs) -- C:\Windows\SysNative\wrap_oal.dll
[2012/05/13 13:17:52 | 000,444,952 | ---- | C] (Creative Labs) -- C:\Windows\SysWow64\wrap_oal.dll
[2012/05/13 13:17:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\OpenAL
[2012/05/13 13:14:13 | 000,000,000 | ---D | C] -- C:\Users\Jan\AppData\Roaming\GameDevo
[2012/05/11 20:12:05 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\3070
[2012/05/06 22:13:24 | 002,075,184 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Jan\Desktop\TDSSKiller.exe
[2012/05/06 22:13:07 | 000,000,000 | ---D | C] -- C:\Users\Jan\Desktop\tdsskiller
[2012/05/01 15:30:02 | 000,000,000 | ---D | C] -- C:\Users\Jan\AppData\Roaming\Jewel Match 3
[2012/04/30 17:22:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Games
[2012/04/27 20:12:06 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\1036
[2012/04/27 15:26:36 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Maintenance Service
[2012/04/27 15:26:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla
[2012/04/26 17:21:01 | 000,000,000 | ---D | C] -- C:\Users\Jan\AppData\Local\{BA729399-69B4-4920-A42C-06CAC40E1064}
[2012/04/26 17:21:01 | 000,000,000 | ---D | C] -- C:\Users\Jan\AppData\Local\{4FE079B1-7D4C-421A-96C1-BC600AFF7F60}
[2012/04/26 17:09:53 | 000,000,000 | ---D | C] -- C:\Users\Jan\AppData\Local\{0C3CCA78-9844-4938-83EF-2258695CF273}
[2012/04/25 18:54:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2012/04/25 18:54:44 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2012/04/25 18:50:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Java
[2012/04/25 08:12:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
[2012/04/20 20:12:09 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\3069
[2012/04/17 21:16:02 | 000,000,000 | ---D | C] -- C:\Users\Jan\AppData\Local\{A5051C52-2234-423A-A8E2-A07227A58673}
[2012/04/17 21:15:41 | 000,000,000 | ---D | C] -- C:\Users\Jan\AppData\Local\{D2EB3437-31E4-485C-BA94-84C3C73DD93D}

========== Files - Modified Within 30 Days ==========

[2012/05/14 16:10:32 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Users\Jan\Desktop\OTL.exe
[2012/05/14 15:20:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/05/14 15:19:01 | 000,000,370 | ---- | M] () -- C:\Windows\tasks\WpsUpdateTask_Jan.job
[2012/05/14 09:34:13 | 000,016,976 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/05/14 09:34:13 | 000,016,976 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/05/14 09:31:15 | 000,729,688 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/05/14 09:31:15 | 000,626,040 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/05/14 09:31:15 | 000,107,316 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/05/14 09:27:00 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/05/14 09:26:57 | 2131,955,711 | -HS- | M] () -- C:\hiberfil.sys
[2012/05/13 13:17:53 | 000,466,456 | ---- | M] (Creative Labs) -- C:\Windows\SysNative\wrap_oal.dll
[2012/05/13 13:17:52 | 000,444,952 | ---- | M] (Creative Labs) -- C:\Windows\SysWow64\wrap_oal.dll
[2012/05/13 13:14:04 | 000,001,686 | ---- | M] () -- C:\Users\Jan\Desktop\Malice_TwoSisters - Shortcut.lnk
[2012/05/12 20:12:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At2.job
[2012/05/12 13:01:14 | 000,076,767 | ---- | M] () -- C:\Users\Jan\Desktop\apts.jpg
[2012/05/11 20:12:05 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At1.job
[2012/05/11 20:12:00 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At3.job
[2012/05/10 14:31:17 | 000,007,610 | ---- | M] () -- C:\Users\Jan\AppData\Local\Resmon.ResmonCfg
[2012/05/09 11:42:34 | 000,000,460 | ---- | M] () -- C:\Users\Jan\Documents\cc_20120509_114227.reg
[2012/05/09 10:55:20 | 000,266,848 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/05/06 23:03:29 | 000,001,598 | ---- | M] () -- C:\Users\Jan\Documents\cc_20120506_230322.reg
[2012/05/03 17:00:46 | 000,000,935 | ---- | M] () -- C:\Users\Jan\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2012/05/02 10:00:04 | 002,075,184 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Jan\Desktop\TDSSKiller.exe
[2012/04/30 17:22:12 | 000,002,039 | ---- | M] () -- C:\Users\Jan\Desktop\Jewel Match 3.lnk
[2012/04/30 12:39:40 | 000,067,584 | ---- | M] () -- C:\Users\Jan\Desktop\ick.wps
[2012/04/27 16:30:23 | 000,302,592 | ---- | M] () -- C:\Users\Jan\Desktop\test.exe.exe
[2012/04/25 08:12:41 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/04/25 08:12:34 | 000,743,066 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI

========== Files Created - No Company Name ==========

[2012/05/13 13:14:04 | 000,001,686 | ---- | C] () -- C:\Users\Jan\Desktop\Malice_TwoSisters - Shortcut.lnk
[2012/05/12 13:01:14 | 000,076,767 | ---- | C] () -- C:\Users\Jan\Desktop\apts.jpg
[2012/05/10 14:31:17 | 000,007,610 | ---- | C] () -- C:\Users\Jan\AppData\Local\Resmon.ResmonCfg
[2012/05/09 11:42:30 | 000,000,460 | ---- | C] () -- C:\Users\Jan\Documents\cc_20120509_114227.reg
[2012/05/06 23:03:26 | 000,001,598 | ---- | C] () -- C:\Users\Jan\Documents\cc_20120506_230322.reg
[2012/05/03 17:00:46 | 000,000,935 | ---- | C] () -- C:\Users\Jan\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2012/04/30 17:22:12 | 000,002,039 | ---- | C] () -- C:\Users\Jan\Desktop\Jewel Match 3.lnk
[2012/04/30 12:39:39 | 000,067,584 | ---- | C] () -- C:\Users\Jan\Desktop\ick.wps
[2012/04/27 16:30:20 | 000,302,592 | ---- | C] () -- C:\Users\Jan\Desktop\test.exe.exe
[2012/04/13 22:11:57 | 000,004,096 | ---- | C] () -- C:\Windows\d3dx.dat
[2012/03/11 00:39:41 | 000,743,066 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/11/17 01:52:47 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011/07/20 07:41:44 | 000,003,949 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2011/04/06 01:09:48 | 000,059,904 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll
[2010/11/20 22:25:11 | 000,196,608 | ---- | C] () -- C:\Windows\SysWow64\mffds.dll
[2010/11/20 22:24:51 | 000,061,440 | ---- | C] () -- C:\Windows\SysWow64\OnLiineIDCpl.dll
[2010/11/20 22:24:32 | 000,045,056 | ---- | C] () -- C:\Windows\SysWow64\diskppart.exe
[2010/11/20 22:24:28 | 000,196,608 | ---- | C] () -- C:\Windows\SysWow64\syssettup.dll
[2010/11/20 22:23:55 | 000,196,608 | ---- | C] () -- C:\Windows\SysWow64\inettmib1.dll

========== LOP Check ==========

[2012/03/26 21:24:11 | 000,000,000 | ---D | M] -- C:\Users\Jan\AppData\Roaming\Foxit Software
[2012/05/13 13:14:13 | 000,000,000 | ---D | M] -- C:\Users\Jan\AppData\Roaming\GameDevo
[2012/03/10 22:55:53 | 000,000,000 | ---D | M] -- C:\Users\Jan\AppData\Roaming\IObit
[2012/05/13 19:06:41 | 000,000,000 | ---D | M] -- C:\Users\Jan\AppData\Roaming\Jewel Match 3
[2012/03/29 16:10:21 | 000,000,000 | ---D | M] -- C:\Users\Jan\AppData\Roaming\Kingsoft
[2012/03/10 11:20:25 | 000,000,000 | ---D | M] -- C:\Users\Jan\AppData\Roaming\OEM
[2012/03/11 22:28:25 | 000,000,000 | ---D | M] -- C:\Users\Jan\AppData\Roaming\Thunderbird
[2012/05/11 15:15:35 | 000,000,000 | ---D | M] -- C:\Users\Jan\AppData\Roaming\uTorrent
[2012/03/11 14:50:22 | 000,000,000 | ---D | M] -- C:\Users\Jan\AppData\Roaming\Windows Live Writer
[2012/05/11 20:12:05 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At1.job
[2012/05/12 20:12:00 | 000,000,352 | ---- | M] () -- C:\Windows\Tasks\At2.job
[2012/05/11 20:12:00 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\At3.job
[2009/07/14 00:08:49 | 000,028,958 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2012/05/14 15:19:01 | 000,000,370 | ---- | M] () -- C:\Windows\Tasks\WpsUpdateTask_Jan.job

========== Purity Check ==========



========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\Windows\system64] -> \systemroot\system32 -> Mount Point

========== Alternate Data Streams ==========

@Alternate Data Stream - 130 bytes -> C:\ProgramData\Temp:6F0C95A1
@Alternate Data Stream - 105 bytes -> C:\ProgramData\Temp:5C321E34
@Alternate Data Stream - 104 bytes -> C:\ProgramData\Temp:C3C72D5F
@Alternate Data Stream - 101 bytes -> C:\ProgramData\Temp:8A6A2C1E
@Alternate Data Stream - 100 bytes -> C:\ProgramData\Temp:640EA6E8

< End of report >


OTL Extras logfile created on: 5/14/2012 4:11:36 PM - Run 1
OTL by OldTimer - Version 3.2.43.0 Folder = C:\Users\Jan\Desktop
========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{03C4E8B8-3B2B-4884-A7A2-AB9B96E2156A}" = lport=10243 | protocol=6 | dir=in | app=system |
"{10D0B025-9F10-4D61-86DD-C2812BC72D92}" = lport=2869 | protocol=6 | dir=in | app=system |
"{11D2468F-23CC-4E09-8482-DB9B98A56B68}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{1B4F0026-94BF-40C3-BEC3-EB104392506E}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | [email protected],-28539 |
"{2881B118-5DFD-4E70-8B80-B5161B4296FC}" = lport=139 | protocol=6 | dir=in | app=system |
"{29D989B0-018F-4234-91DF-0DF793663AB5}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{2A51AF02-9ECF-4CA4-9CCD-C07EC68B23BB}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{45351701-01C8-48BE-8DA5-97E83ECA9957}" = lport=445 | protocol=6 | dir=in | app=system |
"{502FE685-4E76-4EFC-9058-AB71C3673A4A}" = lport=138 | protocol=17 | dir=in | app=system |
"{51625297-2DA5-4A86-BB4A-06241CC59E89}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{5B9308F6-C968-41CF-9B95-AB6FB98A9D50}" = rport=445 | protocol=6 | dir=out | app=system |
"{823A0215-0182-4933-A1A4-C5ECEA7666F2}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{837D218B-ADA3-4BAD-A158-97BBCBC873CE}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{95ED8863-4F4E-4B23-A597-474FF4F2A953}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{9CB1E6E4-9382-487A-B045-E2720592D2D8}" = rport=10243 | protocol=6 | dir=out | app=system |
"{A6F0183D-E417-4A5C-9EF7-EF80862AFF38}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{BA10B1D7-B5D4-4D9D-9DB7-25F88AE4223B}" = rport=138 | protocol=17 | dir=out | app=system |
"{BD6EF95D-3605-47D4-B81B-A63347024058}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
"{BDB54578-88EA-4EE2-994D-9D19DD547A9B}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{C27523BC-0A28-4C78-B4F5-1AD5086484F9}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{DE626B4E-05BA-47F4-A3AE-94D1E2936E16}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{E0A7D21C-5B66-4D03-B02E-3A5E877526F3}" = lport=137 | protocol=17 | dir=in | app=system |
"{EA879CF8-C0C5-4E51-91F7-3D4B58158F71}" = rport=139 | protocol=6 | dir=out | app=system |
"{FD0C0173-C9C0-4C2E-89BA-E04AAD7B9E7F}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{FDF3E085-E4F0-486C-AA12-B37B28A6EACB}" = rport=137 | protocol=17 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{093F99D4-BEDC-423A-9597-6253F2ED6437}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{0B27C622-CA6A-4DC2-8A6F-095185354751}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{0E9AEDD2-358D-4660-8D1F-EFBA4613577D}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{1995CFB3-840D-45E1-BD6F-6A03712F77A5}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{1B82B1D6-C4BF-4D4E-B355-A9E006BFF158}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{2F3C862F-01A7-4330-8FC8-D8EA60B1B13A}" = protocol=1 | dir=out | [email protected],-28544 |
"{33129BAE-1BC3-4F32-8262-7EB5ACA4973C}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{39719E93-BED6-44B4-BB7D-EBC204E06BB7}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{53B213BE-7337-4958-B3C0-7A930BF198C8}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{55686CE4-2012-4EAC-821C-35C9634A1E1F}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{5E86B1CF-5840-4484-B054-B8DBCAABCC6B}" = protocol=6 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
"{6BD52674-7F2F-4DBD-8DF3-9CD74C431054}" = dir=in | app=c:\program files (x86)\windows live\contacts\wlcomm.exe |
"{749E055F-D62B-4769-9DD0-606844F24906}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{78500E54-D281-40C5-B871-839278C7D252}" = protocol=17 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
"{9659F02E-488F-4317-91B7-A5168A034B18}" = protocol=58 | dir=out | [email protected],-28546 |
"{9715BD8F-8F58-4ACA-BF28-1E5B12A98A91}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{9AC938BA-6A49-4FD0-B098-BBB4B9463A7B}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{D0ED85A3-3C3F-400D-8F77-007A245EA24A}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{DCB1AB17-2578-43E2-8C0C-A7A5CD9964DB}" = protocol=58 | dir=in | [email protected],-28545 |
"{F08A577E-03D2-4C1D-BE3D-D497B96FB7C3}" = protocol=1 | dir=in | [email protected],-28543 |
"{F3BDA8AA-9EB2-4176-A02A-D61650FE0A97}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{FE193114-6745-400C-BC9D-A40241901F44}" = protocol=6 | dir=out | app=system |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{112F562D-96D7-13A7-762F-AFDB7A7B4F5E}" = ATI Catalyst Install Manager
"{1B8ABA62-74F0-47ED-B18C-A43128E591B8}" = Windows Live ID Sign-in Assistant
"{1BB09194-79C6-9E8B-88E2-F595A39778C7}" = AMD Drag and Drop Transcoding
"{23170F69-40C1-2702-0920-000001000000}" = 7-Zip 9.20 (x64 edition)
"{503F672D-6C84-448A-8F8F-4BC35AC83441}" = AMD APP SDK Runtime
"{60CD3C62-0A69-3A99-5DD3-1F638AC4F017}" = ATI AVIVO64 Codecs
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9D046B26-7978-47CD-91E6-AC3C1DFBC3D0}" = Microsoft Security Client
"{AB5D69FE-CA21-6BF9-664C-E3B640E92F88}" = ccc-utility64
"{D07A61E5-A59C-433C-BCBD-22025FA2287B}" = Windows Live Language Selector
"{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
"{EEA0A907-FB4B-5A25-4522-347E7C085663}" = WMV9/VC-1 Video Playback
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX 64-bit
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin 64-bit
"CCleaner" = CCleaner
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0069C69F-5FC3-4C65-BB93-647BC2BD936C}" = Catalyst Control Center - Branding
"{05E30340-C668-3B68-79D5-6D65FE01D768}" = CCC Help Czech
"{05E379CC-F626-4E7D-8354-463865B303BF}" = Windows Live UX Platform Language Pack
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1D276FAB-6EBB-2977-E111-9189B658A56C}" = CCC Help Greek
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FD68CD2-0A79-885D-51A1-FC2959EB3201}" = CCC Help Danish
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{21495BEF-CA45-C720-8B77-3D6EAE1AAB84}" = CCC Help Hungarian
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java™ 6 Update 31
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{34319F1F-7CF2-4CC9-B357-1AE7D2FF3AC5}" = Windows Live
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{3621491D-4A10-5BAC-0EE1-CF2E7B322A99}" = Catalyst Control Center Localization All
"{3B350140-0515-49EF-2D07-43385BB72F62}" = CCC Help Norwegian
"{3B9A92DA-6374-4872-B646-253F18624D5F}" = Windows Live Writer
"{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel® Rapid Storage Technology
"{488F0347-C4A7-4374-91A7-30818BEDA710}" = Galerie de photos Windows Live
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{504FA6D8-2041-40BA-7618-01F0870C9E7C}" = CCC Help French
"{5337ABB2-8E1D-815F-A9F4-07A4D7101F77}" = CCC Help Chinese Standard
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{5F1DA083-E367-FD9F-A86A-9A505AE8360B}" = CCC Help Finnish
"{5FC1276A-B7DC-2AE3-9E06-8EC07A2E9693}" = Catalyst Control Center InstallProxy
"{60507E64-F73A-A31B-09FF-C010F4070F87}" = CCC Help Swedish
"{62687B11-58B5-4A18-9BC3-9DF4CE03F194}" = Windows Live Writer Resources
"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel® Management Engine Components
"{673F2B1C-37AB-8769-6B0F-2CE1009EEE7F}" = CCC Help English
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6AAB329C-E1B4-D6DA-254B-B20989B42971}" = CCC Help Portuguese
"{6DEC8BD5-7574-47FA-B080-492BBBE2FEA3}" = Windows Live Movie Maker
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7B1ABE35-7D5D-32CF-6B4A-814D37A77E0C}" = CCC Help Korean
"{7ED7C59A-FE22-9F2C-6CBA-0260A71091DE}" = CCC Help Turkish
"{7F811A54-5A09-4579-90E1-C93498E230D9}" = Acer eRecovery Management
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{95AEA460-60DD-6836-3968-08274062E735}" = CCC Help Chinese Traditional
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{C55E96FE-BD89-33F2-4C7B-47D01CCE5E53}" = CCC Help Italian
"{C72496EC-1FD4-8E4B-2687-4871456203C5}" = CCC Help Spanish
"{C893D8C0-1BA0-4517-B11C-E89B65E72F70}" = Windows Live Photo Common
"{C9205971-615E-D1A7-4C21-323C1FB21363}" = CCC Help German
"{CA42EE75-5FA8-E27A-B539-115C4F4BCA49}" = CCC Help Russian
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{D6A82326-A0B0-C051-6877-12DD6843563D}" = CCC Help Polish
"{D8BF9DE8-B682-B605-6BE9-E164D6E78948}" = Catalyst Control Center
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{DFBB738C-71D8-4DC5-B8D2-D65C37680E27}" = Etron USB3.0 Host Controller
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E2B2991D-23C9-4C70-AEEA-3CC938FC7C1C}" = CCC Help Dutch
"{EE171732-BEB4-4576-887D-CB62727F01CA}" = Acer Updater
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F7D04AA1-A384-CCC2-A9E5-C75D89BB47FF}" = CCC Help Japanese
"{F957240F-AC1F-E12A-6168-2DBB62DCE487}" = CCC Help Thai
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"Acer Registration" = Acer Registration
"Acer Welcome Center" = Welcome Center
"Foxit Reader_is1" = Foxit Reader 5.1
"Identity Card" = Identity Card
"Jewel Match 3 1.00" = Jewel Match 3 1.00
"Kingsoft Writer" = Kingsoft Writer (8.1.0.3008)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Mozilla Firefox 12.0 (x86 en-US)" = Mozilla Firefox 12.0 (x86 en-US)
"Mozilla Thunderbird 12.0.1 (x86 en-US)" = Mozilla Thunderbird 12.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"OpenAL" = OpenAL
"SpywareBlaster_is1" = SpywareBlaster 4.6
"uTorrent" = µTorrent
"WinLiveSuite" = Windows Live Essentials

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/17/2012 12:07:00 PM | Computer Name = Jan-PC | Source = ESENT | ID = 455
Description = Windows (2932) Windows: Error -1811 occurred while opening logfile
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS00071.log.

Error - 4/17/2012 12:07:00 PM | Computer Name = Jan-PC | Source = Windows Search Service | ID = 9000
Description =

Error - 4/17/2012 12:07:00 PM | Computer Name = Jan-PC | Source = Windows Search Service | ID = 7040
Description =

Error - 4/17/2012 12:07:01 PM | Computer Name = Jan-PC | Source = Windows Search Service | ID = 7042
Description =

Error - 4/17/2012 12:07:01 PM | Computer Name = Jan-PC | Source = Windows Search Service | ID = 9002
Description =

Error - 4/17/2012 12:07:01 PM | Computer Name = Jan-PC | Source = Windows Search Service | ID = 3029
Description =

Error - 4/17/2012 12:07:01 PM | Computer Name = Jan-PC | Source = Windows Search Service | ID = 3029
Description =

Error - 4/17/2012 12:07:01 PM | Computer Name = Jan-PC | Source = Windows Search Service | ID = 3028
Description =

Error - 4/17/2012 12:07:01 PM | Computer Name = Jan-PC | Source = Windows Search Service | ID = 3058
Description =

Error - 4/17/2012 12:07:01 PM | Computer Name = Jan-PC | Source = Windows Search Service | ID = 7010
Description =

[ System Events ]
Error - 4/22/2012 11:06:14 AM | Computer Name = Jan-PC | Source = Service Control Manager | ID = 7024
Description = The Windows Search service terminated with service-specific error
%%-1073473535.

Error - 4/22/2012 11:06:14 AM | Computer Name = Jan-PC | Source = Service Control Manager | ID = 7031
Description = The Windows Search service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 30000 milliseconds:
Restart the service.

Error - 4/23/2012 1:42:04 AM | Computer Name = Jan-PC | Source = DCOM | ID = 10010
Description =

Error - 4/23/2012 12:12:58 PM | Computer Name = Jan-PC | Source = Service Control Manager | ID = 7024
Description = The Windows Search service terminated with service-specific error
%%-1073473535.

Error - 4/23/2012 12:12:58 PM | Computer Name = Jan-PC | Source = Service Control Manager | ID = 7031
Description = The Windows Search service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 30000 milliseconds:
Restart the service.

Error - 4/24/2012 1:15:40 AM | Computer Name = Jan-PC | Source = DCOM | ID = 10010
Description =

Error - 4/24/2012 11:18:12 AM | Computer Name = Jan-PC | Source = Microsoft Antimalware | ID = 3002
Description = %%860 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x80004005 Error description: Unspecified error Reason: %%842

Error - 4/24/2012 11:20:08 AM | Computer Name = Jan-PC | Source = Service Control Manager | ID = 7024
Description = The Windows Search service terminated with service-specific error
%%-1073473535.

Error - 4/24/2012 11:20:08 AM | Computer Name = Jan-PC | Source = Service Control Manager | ID = 7031
Description = The Windows Search service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 30000 milliseconds:
Restart the service.

Error - 4/25/2012 1:03:00 AM | Computer Name = Jan-PC | Source = DCOM | ID = 10010
Description =


< End of report >

Thanks in advance for any help with this. Let me know if I've forgotten anything!


#2
jeffce

    Trusted Helper

  • Malware Removal
  • 216 posts
  • MVP
Hi and Welcome!! :) My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may, or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE : Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.


Vista and Windows 7 users:
These tools MUST be run from the executable (.exe) every time you run them
with Admin Rights (Right click, choose "Run as Administrator")


Stay with this topic until I give you the all clean post.

First we need to make all files and folders VISIBLE:

  • Go to start>control panel>folder options>view
  • Choose to "show hidden files and folders,"
  • Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
  • Close the window with OK
---------

Please download aswMBR to your desktop.

  • Right click and Run as Administrator the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

----------
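The Folder Options step above, done from PowerShell instead of the Control Panel dialog. This is an added example, not part of the thread or of any tool it recommends: it writes the three Explorer values that the checkboxes toggle and reads them back so you can confirm the change took. The registry path and value names are the standard ones Windows 7 Explorer uses; nothing else is assumed.

```powershell
# Added example (not from the thread): the "show hidden files", "hide protected
# operating system files" and "hide extensions for known file types" checkboxes
# map to three DWORD values under the current user's Explorer\Advanced key.
# Open Explorer windows must be closed and reopened to pick up the change.
$Advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Show-HiddenFilesAndExtensions {
    # Hidden = 1          -> "Show hidden files, folders, and drives"
    # ShowSuperHidden = 1 -> uncheck "Hide protected operating system files"
    # HideFileExt = 0     -> uncheck "Hide extensions for known file types"
    Set-ItemProperty -Path $Advanced -Name Hidden          -Value 1 -Type DWord
    Set-ItemProperty -Path $Advanced -Name ShowSuperHidden -Value 1 -Type DWord
    Set-ItemProperty -Path $Advanced -Name HideFileExt     -Value 0 -Type DWord
}

function Test-FolderOptionsVisible {
    # Returns $true only when all three values are in the "everything visible" state.
    $p = Get-ItemProperty -Path $Advanced
    ($p.Hidden -eq 1) -and ($p.ShowSuperHidden -eq 1) -and ($p.HideFileExt -eq 0)
}

Show-HiddenFilesAndExtensions
if (Test-FolderOptionsVisible) { 'Folder Options updated' } else { 'Folder Options NOT updated' }
```

The extension setting is the one that matters most for malware work: with HideFileExt left at 1, a dropped file named `report.pdf.exe` is displayed as `report.pdf`, and files in `C:\Windows\Tasks` or `ProgramData` that you are asked to look at stay invisible while Hidden is 0.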

#3
MissMinerva

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi Jeff! Thanks for your help. I followed your instructions so far and here is the aswMBR log. I also ran TDSSKiller a few days ago and it came up clean.

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-14 23:22:40
-----------------------------
23:22:40.732 OS Version: Windows x64 6.1.7601 Service Pack 1
23:22:40.733 Number of processors: 4 586 0x2A07
23:22:40.733 ComputerName: JAN-PC UserName: Jan
23:22:43.036 Initialize success
23:23:12.936 The log file has been saved successfully to "C:\Users\Jan\Desktop\aswMBR.txt"


Time to get some sleep. Thanks again!

#4
jeffce

    Trusted Helper

  • Malware Removal
  • 216 posts
  • MVP
Hi,

Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :Services
    
    :OTL
    IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...rc=IE-SearchBox
    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...rc=IE-SearchBox
    IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    [2012/02/16 05:42:53 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    [2012/05/12 20:12:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At2.job
    [2012/05/11 20:12:05 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At1.job
    [2012/05/11 20:12:00 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\At3.job
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
----------

Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.
----------

In your next reply please post the logs made by OTL and ComboFix. :)
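The OTL fix above removes three `At*.job` files from `C:\Windows\Tasks`, and the original complaint is a set of Trojan.BHO detections that come back after every MBAM clean. Before deleting anything, a practitioner would want to see what those two persistence points actually contain: which DLL each registered Browser Helper Object points to and whether it is signed, and what command line each legacy at.exe job runs. The script below does that. It is an added example, not code from the thread, from OTL or from ComboFix; it uses only the standard Windows registry locations for BHOs and CLSIDs, the standard `C:\Windows\Tasks` folder and the built-in `schtasks` tool, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): inventory Browser Helper Objects and
# legacy at.exe jobs, the two persistence points this thread is dealing with.
# Run as Administrator. All key and file paths are the standard Windows ones.

$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',             # loaded by 64-bit IE
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'  # loaded by 32-bit IE
)

function Resolve-ClsidDll {
    param([string]$Clsid)
    # A BHO registration is only a CLSID; the DLL IE loads is the InprocServer32 default value.
    # HKCU\Software\Classes is checked last because a per-user entry overrides the machine one.
    $candidates = @(
        "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32",
        "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$Clsid\InprocServer32",
        "HKCU:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
    )
    foreach ($k in $candidates) {
        if (Test-Path -Path $k) {
            $raw = (Get-ItemProperty -Path $k).'(default)'
            if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw) }
        }
    }
    return $null
}

function Get-BhoInventory {
    foreach ($key in $BhoKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName
            $dll   = Resolve-ClsidDll -Clsid $clsid
            # Valid / NotSigned / HashMismatch tells you more than the file name does.
            $status = if ($dll -and (Test-Path -LiteralPath $dll)) {
                (Get-AuthenticodeSignature -FilePath $dll).Status
            } else { 'DLL MISSING' }
            [pscustomobject]@{
                Scope     = if ($key -like '*Wow6432Node*') { '32-bit' } else { '64-bit' }
                CLSID     = $clsid
                Dll       = $dll
                Signature = $status
            }
        }
    }
}

function Get-LegacyJobFiles {
    # at.exe jobs are stored as At<N>.job; consumer software on Windows 7 almost never
    # creates them, so any At*.job on a home PC deserves a look at what it runs.
    Get-ChildItem -Path "$env:windir\Tasks\*.job" -ErrorAction SilentlyContinue |
        Select-Object Name, Length, LastWriteTime
}

function Get-TaskCommandLines {
    # The .job file stores the command in binary form; schtasks' verbose CSV output
    # exposes it as the 'Task To Run' column. Repeated header rows are filtered out.
    schtasks /query /v /fo CSV | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -ne 'COM handler' } |
        Select-Object TaskName, 'Task To Run', 'Next Run Time', 'Run As User'
}

Get-BhoInventory     | Format-Table -AutoSize
Get-LegacyJobFiles   | Format-Table -AutoSize
Get-TaskCommandLines | Where-Object { $_.TaskName -like '*\At*' } | Format-List
```

Record the `Task To Run` value and the resolved DLL paths before running the OTL fix: if the same BHO CLSIDs reappear after the next reboot, the file or task that recreates them is the thing that still has to be found, and that record is what lets you tell a fresh drop from a leftover.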

#5
MissMinerva

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi, Jeff. Here are the latest OTL and ComboFix logs.

OTL logfile created on: 5/15/2012 3:48:18 PM - Run 4
OTL by OldTimer - Version 3.2.43.0 Folder = C:\Users\Jan\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

7.98 Gb Total Physical Memory | 6.60 Gb Available Physical Memory | 82.66% Memory free
15.96 Gb Paging File | 14.37 Gb Available in Paging File | 90.03% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 914.41 Gb Total Space | 870.62 Gb Free Space | 95.21% Space Free | Partition Type: NTFS

Computer Name: JAN-PC | User Name: Jan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/05/14 16:10:32 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Users\Jan\Desktop\OTL.exe
PRC - [2012/04/27 15:26:35 | 000,924,600 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2011/04/22 11:44:14 | 000,244,624 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer Updater\UpdaterService.exe
PRC - [2010/12/20 05:30:38 | 002,656,280 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
PRC - [2010/12/20 05:30:36 | 000,325,656 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
PRC - [2010/11/06 02:54:22 | 000,013,336 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe


========== Modules (No Company Name) ==========

MOD - [2012/05/04 15:21:11 | 008,797,856 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
MOD - [2012/04/27 15:26:35 | 001,952,696 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2012/03/26 18:49:56 | 000,291,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2012/03/26 18:49:56 | 000,012,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2011/04/22 11:44:14 | 000,244,624 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files\Acer\Acer Updater\UpdaterService.exe -- (Live Updater Service)
SRV:64bit: - [2011/04/05 20:58:48 | 000,203,776 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2012/05/04 15:21:12 | 000,257,696 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/04/27 15:26:36 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2011/05/29 21:54:14 | 000,036,456 | ---- | M] (Acer Incorporated) [Disabled | Stopped] -- C:\Program Files (x86)\Acer\Registration\GREGsvc.exe -- (GREGService)
SRV - [2010/12/20 05:30:38 | 002,656,280 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe -- (UNS) Intel®
SRV - [2010/12/20 05:30:36 | 000,325,656 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe -- (LMS) Intel®
SRV - [2010/11/06 02:54:22 | 000,013,336 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc) Intel®
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/03/20 20:44:12 | 000,098,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2012/03/01 01:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/06/30 01:03:04 | 000,054,784 | ---- | M] (Etron Technology Inc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\EtronHub3.sys -- (EtronHub3)
DRV:64bit: - [2011/06/30 01:03:02 | 000,077,696 | ---- | M] (Etron Technology Inc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\EtronXHCI.sys -- (EtronXHCI)
DRV:64bit: - [2011/05/16 09:55:28 | 000,533,096 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011/04/19 10:52:20 | 001,254,464 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bcmwlhigh664.sys -- (BCMH43XX)
DRV:64bit: - [2011/04/05 23:11:45 | 009,323,520 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2011/04/05 20:21:43 | 000,304,128 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2011/03/11 01:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 01:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/20 22:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 22:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 22:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/11/17 07:04:32 | 000,115,216 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
DRV:64bit: - [2010/11/06 02:45:48 | 000,438,808 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2010/10/19 03:34:26 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64) Intel®
DRV:64bit: - [2010/08/10 22:40:06 | 001,014,624 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\netr28x.sys -- (netr28x)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer.msn.com
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://acer.msn.com
IE:64bit: - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer.msn.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://acer.msn.com
IE - HKLM\..\SearchScopes,DefaultScope =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default Download Directory = C:\Users\Jan\Desktop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer.msn.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\SearchScopes,DefaultScope =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.co...mplete=0&hl=en"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:2.0.1
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.15.1
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {EDA7B1D7-F793-4e03-B074-E6F303317FB0}:1.2.7
FF - prefs.js..extensions.enabledItems: [email protected]:0.5
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}:6.0.29
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}:6.0.30
FF - prefs.js..extensions.enabledItems: [email protected]:0.08
FF - prefs.js..keyword.enabled: false


FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_2_202_235.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/04/27 15:26:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 12.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2012/03/11 22:28:19 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 12.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins

[2012/03/10 14:34:42 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jan\AppData\Roaming\Mozilla\Extensions
[2012/05/06 23:30:51 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\d4sxgva0.default\extensions
[2012/03/10 14:44:17 | 000,000,000 | ---D | M] (Flashblock) -- C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\d4sxgva0.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2012/03/10 14:44:19 | 000,000,000 | ---D | M] (Compact Menu 2) -- C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\d4sxgva0.default\extensions\{57068FBE-1506-42ee-AB02-BD183E7999E4}(37)
[2012/03/10 14:44:20 | 000,000,000 | ---D | M] (Menu Editor) -- C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\d4sxgva0.default\extensions\{EDA7B1D7-F793-4e03-B074-E6F303317FB0}
[2012/03/10 14:44:06 | 000,000,000 | ---D | M] (Mangan) -- C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\d4sxgva0.default\extensions\mangan@joerg-walter(36).net
[2012/03/10 14:44:17 | 000,000,000 | ---D | M] (Remove New Tab Button) -- C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\d4sxgva0.default\extensions\[email protected]
[2012/03/10 14:44:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\d4sxgva0.default\extensions\mangan@joerg-walter(36).net\chrome\windows\mozapps\extensions
[2012/04/27 15:26:36 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/01/05 17:57:15 | 000,634,964 | ---- | M] () (No name found) -- C:\USERS\JAN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\D4SXGVA0.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2012/04/27 15:26:35 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/02/16 05:42:53 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2009/06/10 16:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - Startup: C:\Users\Jan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files (x86)\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{38B36B7D-9A61-40D3-8B62-7C9011E87702}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{72632582-F130-4920-A4A3-9564DBB72F85}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/05/15 15:30:15 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/05/15 15:25:56 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/05/15 15:24:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2012/05/15 15:24:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ERUNT
[2012/05/15 13:32:07 | 004,494,423 | ---- | C] (Swearware) -- C:\Users\Jan\Desktop\ComboFix.exe
[2012/05/15 13:30:55 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Users\Jan\Desktop\erunt-setup.exe
[2012/05/14 23:20:51 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\Jan\Desktop\aswMBR.exe
[2012/05/14 16:10:29 | 000,595,456 | ---- | C] (OldTimer Tools) -- C:\Users\Jan\Desktop\OTL.exe
[2012/05/13 13:17:53 | 000,466,456 | ---- | C] (Creative Labs) -- C:\Windows\SysNative\wrap_oal.dll
[2012/05/13 13:17:53 | 000,122,904 | ---- | C] (Portions © Creative Labs Inc. and NVIDIA Corp.) -- C:\Windows\SysNative\OpenAL32.dll
[2012/05/13 13:17:52 | 000,444,952 | ---- | C] (Creative Labs) -- C:\Windows\SysWow64\wrap_oal.dll
[2012/05/13 13:17:52 | 000,109,080 | ---- | C] (Portions © Creative Labs Inc. and NVIDIA Corp.) -- C:\Windows\SysWow64\OpenAL32.dll
[2012/05/13 13:17:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\OpenAL
[2012/05/13 13:14:13 | 000,000,000 | ---D | C] -- C:\Users\Jan\AppData\Roaming\GameDevo
[2012/05/11 20:12:05 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\3070
[2012/05/09 10:36:08 | 005,559,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2012/05/09 10:36:08 | 003,968,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2012/05/09 10:36:08 | 003,913,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2012/05/09 10:36:06 | 001,544,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\DWrite.dll
[2012/05/06 22:13:24 | 002,075,184 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Jan\Desktop\TDSSKiller.exe
[2012/05/06 22:13:07 | 000,000,000 | ---D | C] -- C:\Users\Jan\Desktop\tdsskiller
[2012/05/01 15:30:02 | 000,000,000 | ---D | C] -- C:\Users\Jan\AppData\Roaming\Jewel Match 3
[2012/04/30 17:22:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Games
[2012/04/27 20:12:06 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\1036
[2012/04/27 15:26:36 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Maintenance Service
[2012/04/27 15:26:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla
[2012/04/26 17:21:01 | 000,000,000 | ---D | C] -- C:\Users\Jan\AppData\Local\{BA729399-69B4-4920-A42C-06CAC40E1064}
[2012/04/26 17:21:01 | 000,000,000 | ---D | C] -- C:\Users\Jan\AppData\Local\{4FE079B1-7D4C-421A-96C1-BC600AFF7F60}
[2012/04/26 17:09:53 | 000,000,000 | ---D | C] -- C:\Users\Jan\AppData\Local\{0C3CCA78-9844-4938-83EF-2258695CF273}
[2012/04/25 18:54:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2012/04/25 18:54:44 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2012/04/25 18:50:18 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\deployJava1.dll
[2012/04/25 18:50:18 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2012/04/25 18:50:18 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2012/04/25 18:50:18 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2012/04/25 18:50:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Java
[2012/04/25 08:12:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
[2012/04/20 20:12:09 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\3069
[2012/04/17 21:16:02 | 000,000,000 | ---D | C] -- C:\Users\Jan\AppData\Local\{A5051C52-2234-423A-A8E2-A07227A58673}
[2012/04/17 21:15:41 | 000,000,000 | ---D | C] -- C:\Users\Jan\AppData\Local\{D2EB3437-31E4-485C-BA94-84C3C73DD93D}

========== Files - Modified Within 30 Days ==========

[2012/05/15 15:38:18 | 000,016,976 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/05/15 15:38:18 | 000,016,976 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/05/15 15:35:28 | 000,729,688 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/05/15 15:35:28 | 000,626,040 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/05/15 15:35:28 | 000,107,316 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/05/15 15:31:09 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/05/15 15:31:08 | 2131,955,711 | -HS- | M] () -- C:\hiberfil.sys
[2012/05/15 15:24:55 | 000,001,072 | ---- | M] () -- C:\Users\Jan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/05/15 15:24:17 | 000,000,892 | ---- | M] () -- C:\Users\Jan\Desktop\NTREGOPT.lnk
[2012/05/15 15:24:17 | 000,000,873 | ---- | M] () -- C:\Users\Jan\Desktop\ERUNT.lnk
[2012/05/15 15:20:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/05/15 15:19:01 | 000,000,370 | ---- | M] () -- C:\Windows\tasks\WpsUpdateTask_Jan.job
[2012/05/15 13:32:38 | 004,494,423 | ---- | M] (Swearware) -- C:\Users\Jan\Desktop\ComboFix.exe
[2012/05/15 13:31:02 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Users\Jan\Desktop\erunt-setup.exe
[2012/05/14 23:22:17 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\Jan\Desktop\aswMBR.exe
[2012/05/14 16:10:32 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Users\Jan\Desktop\OTL.exe
[2012/05/13 13:17:53 | 000,466,456 | ---- | M] (Creative Labs) -- C:\Windows\SysNative\wrap_oal.dll
[2012/05/13 13:17:53 | 000,122,904 | ---- | M] (Portions © Creative Labs Inc. and NVIDIA Corp.) -- C:\Windows\SysNative\OpenAL32.dll
[2012/05/13 13:17:52 | 000,444,952 | ---- | M] (Creative Labs) -- C:\Windows\SysWow64\wrap_oal.dll
[2012/05/13 13:17:52 | 000,109,080 | ---- | M] (Portions © Creative Labs Inc. and NVIDIA Corp.) -- C:\Windows\SysWow64\OpenAL32.dll
[2012/05/12 13:01:14 | 000,076,767 | ---- | M] () -- C:\Users\Jan\Desktop\apts.jpg
[2012/05/10 14:31:17 | 000,007,610 | ---- | M] () -- C:\Users\Jan\AppData\Local\Resmon.ResmonCfg
[2012/05/09 11:42:34 | 000,000,460 | ---- | M] () -- C:\Users\Jan\Documents\cc_20120509_114227.reg
[2012/05/09 10:55:20 | 000,266,848 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/05/06 23:03:29 | 000,001,598 | ---- | M] () -- C:\Users\Jan\Documents\cc_20120506_230322.reg
[2012/05/04 15:21:11 | 000,419,488 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2012/05/04 15:21:11 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2012/05/04 15:21:02 | 008,744,608 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerInstaller.exe
[2012/05/03 17:00:46 | 000,000,935 | ---- | M] () -- C:\Users\Jan\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2012/05/02 10:00:04 | 002,075,184 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Jan\Desktop\TDSSKiller.exe
[2012/04/30 17:22:12 | 000,002,039 | ---- | M] () -- C:\Users\Jan\Desktop\Jewel Match 3.lnk
[2012/04/30 12:39:40 | 000,067,584 | ---- | M] () -- C:\Users\Jan\Desktop\ick.wps
[2012/04/27 16:30:23 | 000,302,592 | ---- | M] () -- C:\Users\Jan\Desktop\test.exe.exe
[2012/04/25 18:50:08 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\deployJava1.dll
[2012/04/25 18:50:08 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2012/04/25 18:50:08 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2012/04/25 18:50:08 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2012/04/25 08:12:41 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/04/25 08:12:34 | 000,743,066 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI

========== Files Created - No Company Name ==========

[2012/05/15 15:24:55 | 000,001,072 | ---- | C] () -- C:\Users\Jan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/05/15 15:24:17 | 000,000,892 | ---- | C] () -- C:\Users\Jan\Desktop\NTREGOPT.lnk
[2012/05/15 15:24:17 | 000,000,873 | ---- | C] () -- C:\Users\Jan\Desktop\ERUNT.lnk
[2012/05/12 13:01:14 | 000,076,767 | ---- | C] () -- C:\Users\Jan\Desktop\apts.jpg
[2012/05/10 14:31:17 | 000,007,610 | ---- | C] () -- C:\Users\Jan\AppData\Local\Resmon.ResmonCfg
[2012/05/09 11:42:30 | 000,000,460 | ---- | C] () -- C:\Users\Jan\Documents\cc_20120509_114227.reg
[2012/05/06 23:03:26 | 000,001,598 | ---- | C] () -- C:\Users\Jan\Documents\cc_20120506_230322.reg
[2012/05/03 17:00:46 | 000,000,935 | ---- | C] () -- C:\Users\Jan\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2012/04/30 17:22:12 | 000,002,039 | ---- | C] () -- C:\Users\Jan\Desktop\Jewel Match 3.lnk
[2012/04/30 12:39:39 | 000,067,584 | ---- | C] () -- C:\Users\Jan\Desktop\ick.wps
[2012/04/27 16:30:20 | 000,302,592 | ---- | C] () -- C:\Users\Jan\Desktop\test.exe.exe
[2012/04/13 22:11:57 | 000,004,096 | ---- | C] () -- C:\Windows\d3dx.dat
[2012/03/11 00:39:41 | 000,743,066 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/11/17 01:52:47 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011/07/20 07:41:44 | 000,003,949 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2011/04/06 01:09:48 | 000,059,904 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll
[2010/11/20 22:25:11 | 000,196,608 | ---- | C] () -- C:\Windows\SysWow64\mffds.dll
[2010/11/20 22:24:51 | 000,061,440 | ---- | C] () -- C:\Windows\SysWow64\OnLiineIDCpl.dll
[2010/11/20 22:24:32 | 000,045,056 | ---- | C] () -- C:\Windows\SysWow64\diskppart.exe
[2010/11/20 22:24:28 | 000,196,608 | ---- | C] () -- C:\Windows\SysWow64\syssettup.dll
[2010/11/20 22:23:55 | 000,196,608 | ---- | C] () -- C:\Windows\SysWow64\inettmib1.dll

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\Windows\system64] -> \systemroot\system32 -> Mount Point

========== Alternate Data Streams ==========

@Alternate Data Stream - 130 bytes -> C:\ProgramData\Temp:6F0C95A1
@Alternate Data Stream - 105 bytes -> C:\ProgramData\Temp:5C321E34
@Alternate Data Stream - 104 bytes -> C:\ProgramData\Temp:C3C72D5F
@Alternate Data Stream - 101 bytes -> C:\ProgramData\Temp:8A6A2C1E
@Alternate Data Stream - 100 bytes -> C:\ProgramData\Temp:640EA6E8

< End of report >


ComboFix 12-05-15.04 - Jan 05/15/2012 16:02:13.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8172.6872 [GMT -5:00]
Running from: c:\users\Jan\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-04-15 to 2012-05-15 )))))))))))))))))))))))))))))))
.
.
2012-05-15 21:04 . 2012-05-15 21:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-15 20:30 . 2012-05-15 20:30 -------- d-----w- C:\_OTL
2012-05-15 20:24 . 2012-05-15 20:24 -------- d-----w- c:\program files (x86)\ERUNT
2012-05-15 20:21 . 2012-04-13 08:46 8917360 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4562C3DA-CFA7-4613-A34B-B2F0D2EE78D2}\mpengine.dll
2012-05-14 20:14 . 2012-04-13 08:46 8917360 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-13 18:17 . 2012-05-13 18:17 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2012-05-13 18:17 . 2012-05-13 18:17 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2012-05-13 18:17 . 2012-05-13 18:17 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2012-05-13 18:17 . 2012-05-13 18:17 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2012-05-13 18:17 . 2012-05-13 18:17 -------- d-----w- c:\program files (x86)\OpenAL
2012-05-13 18:14 . 2012-05-13 18:14 -------- d-----w- c:\users\Jan\AppData\Roaming\GameDevo
2012-05-12 01:12 . 2012-05-12 01:12 -------- d-----w- c:\windows\SysWow64\3070
2012-05-09 15:36 . 2012-03-31 05:40 1367552 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-09 15:36 . 2012-03-31 04:29 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-09 15:36 . 2012-03-31 06:05 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-09 15:36 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-09 15:36 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-09 15:36 . 2012-03-31 03:10 3146240 ----a-w- c:\windows\system32\win32k.sys
2012-05-09 15:36 . 2012-03-03 06:35 1544704 ----a-w- c:\windows\system32\DWrite.dll
2012-05-09 15:36 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-05-09 15:36 . 2012-03-17 07:58 75120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-09 15:36 . 2012-03-30 11:35 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-01 20:30 . 2012-05-15 04:09 -------- d-----w- c:\users\Jan\AppData\Roaming\Jewel Match 3
2012-04-30 22:22 . 2012-05-06 22:57 -------- d-----w- c:\program files (x86)\Games
2012-04-28 01:12 . 2012-05-12 01:12 -------- d-----w- c:\windows\SysWow64\1036
2012-04-27 20:26 . 2012-04-27 20:26 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-04-27 20:26 . 2012-04-27 20:26 157352 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
2012-04-27 20:26 . 2012-04-27 20:26 129976 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice.exe
2012-04-25 23:54 . 2012-04-25 23:54 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-04-25 23:50 . 2012-04-25 23:50 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-04-25 23:50 . 2012-04-25 23:50 -------- d-----w- c:\program files (x86)\Java
2012-04-25 13:12 . 2012-04-25 13:12 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-04-21 01:12 . 2012-04-28 01:12 -------- d-----w- c:\windows\SysWow64\3069
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-04 20:21 . 2012-04-04 15:59 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-05-04 20:21 . 2011-07-20 12:18 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-04 20:21 . 2012-04-05 04:20 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-04 20:56 . 2012-04-05 03:52 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-21 01:44 . 2011-04-27 21:25 98688 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-21 01:44 . 2011-04-18 19:18 203888 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-03-10 18:24 . 2010-06-24 18:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-03-01 06:46 . 2012-04-11 15:17 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-03-01 06:38 . 2012-04-11 15:17 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-03-01 06:33 . 2012-04-11 15:17 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-03-01 06:28 . 2012-04-11 15:17 5120 ----a-w- c:\windows\system32\wmi.dll
2012-03-01 05:37 . 2012-04-11 15:17 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-03-01 05:33 . 2012-04-11 15:17 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-03-01 05:29 . 2012-04-11 15:17 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-02-28 06:56 . 2012-04-11 15:19 2311168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 06:49 . 2012-04-11 15:19 1390080 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 06:48 . 2012-04-11 15:19 1493504 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 06:42 . 2012-04-11 15:19 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-28 01:18 . 2012-04-11 15:19 1799168 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-02-28 01:11 . 2012-04-11 15:19 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-02-28 01:11 . 2012-04-11 15:19 1127424 ----a-w- c:\windows\SysWow64\wininet.dll
2012-02-28 01:03 . 2012-04-11 15:19 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-02-17 06:38 . 2012-03-14 15:36 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-14 15:36 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-14 15:36 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-14 15:36 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-05-15_20.59.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-21 03:09 . 2012-05-15 21:01 41266 c:\windows\system64\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-05-15 21:01 35842 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-11-21 03:09 . 2012-05-15 21:01 41266 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-05-15 21:01 35842 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2012-03-10 16:17 . 2012-05-15 21:01 7566 c:\windows\system64\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4207622835-2788237351-2079300428-1000_UserData.bin
+ 2012-03-10 16:17 . 2012-05-15 21:01 7566 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4207622835-2788237351-2079300428-1000_UserData.bin
+ 2012-05-15 21:05 . 2012-05-15 21:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-05-15 20:59 . 2012-05-15 20:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 05:01 . 2012-05-15 20:58 230260 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-05-15 21:04 230260 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-04-06 336384]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IsMyWinLockerReboot"="msiexec.exe" [2010-11-21 73216]
.
c:\users\Jan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-06 13336]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-12-20 2656280]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-04 257696]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh664.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-27 129976]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 GREGService;GREGService;c:\program files (x86)\Acer\Registration\GREGsvc.exe [2011-05-30 36456]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 Live Updater Service;Live Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe [2011-04-22 244624]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;c:\windows\system32\Drivers\EtronHub3.sys [x]
S3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;c:\windows\system32\Drivers\EtronXHCI.sys [x]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 20:21]
.
2012-05-15 c:\windows\Tasks\WpsUpdateTask_Jan.job
- c:\program files (x86)\Kingsoft\Kingsoft Writer\office6\wpsupdate.exe [2011-11-03 16:00]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-30 11660904]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://acer.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Jan\AppData\Roaming\Mozilla\Firefox\Profiles\d4sxgva0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?complete=0&hl=en
FF - prefs.js: keyword.enabled - false
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-05-15 16:06:54 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-15 21:06
ComboFix2.txt 2012-05-15 21:01
.
Pre-Run: 934,327,693,312 bytes free
Post-Run: 934,046,715,904 bytes free
.
- - End Of File - - E1CC7EDB4202EADDF3B845FE8DAF15D2


Thanks, again! Hope I did this right :unsure:

#6 jeffce (Trusted Helper, Malware Removal, MVP, 216 posts)

Hi,

Yes you are doing everything just right. :)

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Right-click and Run as Administrator SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :dir
    c:\windows\SysWow64\3070 /s
    c:\windows\SysWow64\1036 /s
    c:\windows\SysWow64\3069 /s
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#7 MissMinerva (Topic Starter, New Member, 7 posts)

SystemLook 30.07.11 by jpshortstuff
Log created at 20:33 on 15/05/2012 by Jan
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== dir ==========

c:\windows\SysWow64\3070 - Parameters: "/s"

---Files---
inf3070.dat --a---- 7029 bytes [01:12 12/05/2012] [20:39 14/05/2012]

No folders found.

c:\windows\SysWow64\1036 - Parameters: "/s"

---Files---
None found.

No folders found.

c:\windows\SysWow64\3069 - Parameters: "/s"

---Files---
None found.

No folders found.

-= EOF =-

#8 jeffce (Trusted Helper, Malware Removal, MVP, 216 posts)

Hi,

Malwarebytes

I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.
----------

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.

As a Vista/Win7 user you will need to right click your browser icon and select "Run as Administrator" in order to run this scan.
  • Do not use this instance of your browser for anything besides doing this scan
  • When the scan is complete and the results saved, close that instance of your browser
  • Open a new one the usual way and post the results in this topic.

  • Right-click and Run as Administrator on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Back button.
  • Push Finish
http://www.eset.com/onlinescan/
----------

In your next reply please post the logs made by Malwarebytes and ESET online scanner. :)

#9 MissMinerva (Topic Starter, New Member, 7 posts)

Sorry for the delay. ESET found no threats so was not able to get a log. Here is Malwarebytes:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.16.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Jan :: JAN-PC [administrator]

5/16/2012 3:37:57 PM
mbam-log-2012-05-16 (15-37-57).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 199381
Time elapsed: 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Thanks, Jeff

#10 jeffce (Trusted Helper, Malware Removal, MVP, 216 posts)

Great! How is your system running? :)

#11 MissMinerva (Topic Starter, New Member, 7 posts)

Running great! :thumbsup: Does this mean we're done confusing me? :wacko:

#12 jeffce (Trusted Helper, Malware Removal, MVP, 216 posts)

Hi,

I think that we are finished... :D

Providing there are no other malware related problems...

IT APPEARS THAT YOUR LOGS ARE NOW CLEAN :D SO LET'S DO A COUPLE OF THINGS TO WRAP THIS UP!! :D

This infection appears to have been cleaned, but I cannot give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.
----------

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following text into the Run box as shown and click OK.
Combofix /Uninstall
(Note: There is a space between the ..X and the /U that needs to be there.)

----------

Clean up with OTL:
  • Right-click and Run as Administrator OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.
----------

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.

Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
2. Enable Protected Mode in Internet Explorer. This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:
  • Open Internet Explorer
  • Click on Tools > Internet Options
  • Press Security tab
  • Select Internet zone then place check next to Enable Protected Mode if not already done
  • Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
  • Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.
3. Use and update an anti-virus software - I cannot overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

4. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found here. **There are firewalls listed in this tutorial that could be downloaded and used but I would personally only recommend using one of the following two below:
Online Armor Free
Agnitum Outpost Firewall Free

5. Make sure you keep your Windows OS current. Windows XP users can visit Windows update regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

6. WOT (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

7. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place?

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.
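As an added example (not part of jeffce's post and not one of the tools used in this thread), the PowerShell script below reads back the Internet Explorer settings that steps 1 and 2 above change and reports which ones still differ from the recommended values, so you can verify the clicks took effect. It assumes Microsoft's documented per-user zone registry layout: zone 3 is the Internet zone, the action IDs 1001, 1004, 1201, 1607, 1800 and 1804 are the six settings named in step 1 with 0 = Enable, 1 = Prompt, 3 = Disable, and value 2500 is Protected Mode (0 = on, 3 = off).

```powershell
# Added example, not from the thread: audit the IE zone settings from steps 1 and 2
# by reading the per-user registry values the Security tab writes. Assumes the
# documented layout: zone 3 = Internet; 0 = Enable, 1 = Prompt, 3 = Disable;
# value 2500 = Protected Mode (0 = on, 3 = off). Group Policy values under HKLM
# would override these, so a "not set" result means IE uses its built-in default.
$ZoneRoot  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$Labels    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Recommended values from step 1 of the post, keyed by the IE action ID.
$Recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 }
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    @{ Id = '1800'; Name = 'Installation of desktop items';                             Want = 1 }
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';              Want = 1 }
)

function Get-IEZoneValue {
    param([int]$Zone, [string]$ValueName)
    # Returns $null when the value is absent (IE then uses the zone default).
    $item = Get-ItemProperty -Path "$ZoneRoot\$Zone" -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-IEInternetZone {
    # One result object per step-1 setting, comparing current vs. recommended.
    foreach ($r in $Recommended) {
        $actual  = Get-IEZoneValue -Zone 3 -ValueName $r.Id
        $current = if ($null -eq $actual) { 'not set (default)' }
                   elseif ($Labels.ContainsKey($actual)) { $Labels[$actual] }
                   else { "$actual" }
        $status  = if ($actual -eq $r.Want) { 'OK' } else { 'CHANGE' }
        [pscustomobject]@{ Setting = $r.Name; Current = $current; Wanted = $Labels[$r.Want]; Status = $status }
    }
}

function Test-IEProtectedMode {
    # Step 2: Protected Mode should be enabled in every zone (value 2500 = 0).
    foreach ($z in 1..4) {
        $pm    = Get-IEZoneValue -Zone $z -ValueName '2500'
        $state = if ($pm -eq 0) { 'On' } elseif ($pm -eq 3) { 'Off' } else { 'not set (default)' }
        [pscustomobject]@{ Zone = $ZoneNames[$z]; ProtectedMode = $state; Status = if ($pm -eq 0) { 'OK' } else { 'CHECK' } }
    }
}

Test-IEInternetZone  | Format-Table -AutoSize
Test-IEProtectedMode | Format-Table -AutoSize
```

Run it in a normal (non-elevated) PowerShell window as the user whose browser you hardened, since the settings are stored per user; any row marked CHANGE or CHECK is one to revisit in the dialog.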

#13 MissMinerva (Topic Starter, New Member, 7 posts)

Thanks a million, Jeff! I've got a few changes to make per your recommendations. Downloading Online Armor right now.

:cheers:

#14 jeffce (Trusted Helper, Malware Removal, MVP, 216 posts)

Great!! Glad that I could help! :wave:

#15 jeffce (Trusted Helper, Malware Removal, MVP, 216 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.