virus/trojan/rootkit? help please [Closed]


This topic is locked

#1 liimamasbigdaddy (New Member, 6 posts)
I am running Windows Vista 32-bit.

I installed and ran Malwarebytes in Safe Mode. It pulled 2 instances and removed them (can't find logs).

I have run Microsoft Security Essentials scans, that pulled and removed:
Rogue:Win32/Winwebsec
TrojanDropper:Win32/Sirefef.gen!A
Backdoor:Win32/Cybot!cfg

I have run TDSSKiller. It pulled and removed a rootkit (can't find logs)

I have run Rogue-Killer. It has found several registry entries (hijacks) along with some TMP files it didn't like.

All of that and I am still having troubles.

Initially there was only one user on this computer. After scans and such I tried to create a new user as an administrator. I tried setting the other user (ccdc) as a standard user. I have no problems with that newly created user so far. However, the initial user's (ccdc) icons continue to disappear. I can run Rogue-Killer and the icons re-appear. When I reboot they disappear again.

I'm pretty sure the rootkit is still there. I am not sure how to fix this. I've tried unhide.exe but that does not help either.

Thanks in advance for any and all help

I am attaching the OTL results:
OTL logfile created on: 8/19/2012 9:21:13 AM - Run 1
OTL by OldTimer - Version 3.2.58.0 Folder = E:\
Windows Vista Business Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19088)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 0.91 Gb Available Physical Memory | 48.37% Memory free
3.99 Gb Paging File | 2.92 Gb Available in Paging File | 73.23% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 291.83 Gb Total Space | 199.48 Gb Free Space | 68.36% Space Free | Partition Type: NTFS
Drive D: | 6.26 Gb Total Space | 0.87 Gb Free Space | 13.97% Space Free | Partition Type: NTFS
Drive E: | 3.77 Gb Total Space | 0.37 Gb Free Space | 9.71% Space Free | Partition Type: FAT32

Computer Name: CCDC-PC | User Name: ccdc | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/08/19 09:20:36 | 000,598,016 | ---- | M] (OldTimer Tools) -- E:\OTL.exe
PRC - [2012/07/12 08:29:47 | 000,136,616 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2012/07/12 08:28:56 | 000,374,184 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
PRC - [2012/03/26 17:08:12 | 000,931,200 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2011/09/16 16:10:50 | 000,390,528 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2011/09/16 16:10:50 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/10/29 02:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/05/27 16:19:42 | 000,032,768 | ---- | M] (SHARP CORPORATION) -- C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
PRC - [2008/05/26 03:28:04 | 000,704,512 | ---- | M] (SHARP CORPORATION) -- C:\Program Files\Sharp\Sharpdesk\FTPServer.exe
PRC - [2008/05/26 03:21:08 | 000,548,864 | ---- | M] (SHARP CORPORATION) -- C:\Program Files\Sharp\Sharpdesk\nsapp.exe
PRC - [2007/07/19 10:54:24 | 000,143,408 | ---- | M] (IncrediMail, Ltd.) -- C:\Program Files\IncrediMail\bin\ImApp.exe
PRC - [2006/12/08 17:51:12 | 004,227,072 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe


========== Modules (No Company Name) ==========

MOD - [2011/09/27 08:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 08:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/06/15 03:36:36 | 012,430,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\381fb23cb39e1a61e13b8770eb9800ba\System.Windows.Forms.ni.dll
MOD - [2011/06/15 03:36:27 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\f1aa2385c0109f3059e0e6ba8b58ff68\System.Drawing.ni.dll
MOD - [2011/06/15 03:35:26 | 007,950,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9dff86a62a525ec8dc827fe9f50298b7\System.ni.dll
MOD - [2011/06/15 03:35:06 | 011,490,816 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\0309936a8e1672d39b9cf14463ce69f9\mscorlib.ni.dll
MOD - [2008/07/28 10:51:40 | 000,131,072 | ---- | M] () -- C:\Windows\assembly\GAC\Interop.SHDocVw\1.1.0.0__ab3d4581d2618b4b\Interop.SHDocVw.dll
MOD - [2008/07/28 10:51:39 | 000,036,864 | ---- | M] () -- C:\Windows\assembly\GAC\Kinkos.Jupiter.PlugIn.IEPlugIn\1.0.0.0__ab3d4581d2618b4b\Kinkos.Jupiter.PlugIn.IEPlugIn.dll
MOD - [2008/05/26 03:42:02 | 000,434,176 | ---- | M] () -- C:\Program Files\Sharp\Sharpdesk\SCprMfpif.dll
MOD - [2008/05/26 03:34:24 | 000,006,144 | ---- | M] () -- C:\Program Files\Sharp\Sharpdesk\discoveryps.dll
MOD - [2008/05/26 03:28:18 | 000,217,088 | ---- | M] () -- C:\Program Files\Sharp\Sharpdesk\FtpServerps.dll
MOD - [2007/07/19 10:56:06 | 000,065,594 | ---- | M] () -- C:\Program Files\IncrediMail\bin\ImAppRU.dll
MOD - [2007/07/19 10:54:32 | 000,073,780 | ---- | M] () -- C:\Program Files\IncrediMail\bin\ImComUtlU.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/07/12 08:29:47 | 000,136,616 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\ramaint.exe -- (LMIMaint)
SRV - [2012/07/12 08:28:56 | 000,374,184 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2012/03/26 17:03:40 | 000,214,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2011/09/16 16:10:50 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2011/09/06 20:12:06 | 000,045,056 | ---- | M] (Intuit) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2009/07/23 21:10:38 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2009/07/14 14:36:00 | 000,066,056 | ---- | M] (NOS Microsystems Ltd.) [Disabled | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus®
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS -- (MRESP50a64)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS -- (MREMP50a64)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2012/07/12 08:29:01 | 000,083,392 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\Windows\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2012/03/20 20:44:12 | 000,074,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2011/09/16 16:10:50 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\Windows\System32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2011/09/16 16:10:50 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2008/08/01 20:51:14 | 001,052,704 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2008/05/08 05:05:18 | 000,266,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2008/05/08 05:03:18 | 000,980,992 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DP.sys -- (HSF_DP)
DRV - [2008/02/21 14:36:10 | 000,019,712 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2008/02/21 14:36:05 | 000,018,304 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2007/10/26 19:51:24 | 000,110,624 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2007/10/18 07:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/07/06 21:15:00 | 007,568,832 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2006/11/02 03:41:53 | 000,251,904 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTBS23.SYS -- (VSTHWBS2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {CCC7A320-B3CA-4199-B1A6-9F516DD69829}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://us.yhs.search...p={searchTerms}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKCU\..\SearchScopes\{18D5F9FB-0EC3-4BA8-888C-2943130A378C}: "URL" = http://delicious.com...p={searchTerms}
IE - HKCU\..\SearchScopes\{411504AC-7C41-4F75-9605-6572451E2CC3}: "URL" = http://search.yahoo....f-8&fr=chr-yie8
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKCU\..\SearchScopes\{6F7650C0-55D2-4944-8384-1B4431EDC203}: "URL" = http://rover.ebay.co...e={searchTerms}
IE - HKCU\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://search.avg.co...}&iy=b&ychte=us
IE - HKCU\..\SearchScopes\{F20300DF-8181-4369-88FD-975DF2E07345}: "URL" = http://www.flickr.co...q={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@ei.DictionaryBoss.com/Plugin: C:\Program Files\DictionaryBossEI\Installr\1.bin\NPv4EISB.dll (DictionaryBoss)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)



O1 HOSTS File: ([2012/08/16 23:01:01 | 000,000,021 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [FtpServer.exe] C:\Program Files\Sharp\Sharpdesk\FtpServer.exe (SHARP CORPORATION)
O4 - HKLM..\Run: [IndexTray] C:\Program Files\Sharp\Sharpdesk\IndexTray.exe (SHARP CORPORATION)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SharpTray] C:\Program Files\Sharp\Sharpdesk\SharpTray.exe (SHARP CORPORATION)
O4 - HKCU..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe (IncrediMail, Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akama...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} http://dlm.tools.aka...vex-2.2.1.0.cab (DownloadManager Control)
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} https://setup.bellso...aller_6-1-2.cab (Reg Error: Value error.)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 172.16.0.10 172.16.0.11 8.8.8.8 8.8.4.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BB4CBB51-2559-4E46-B797-474800416431}: DhcpNameServer = 172.16.0.10 172.16.0.11 8.8.8.8 8.8.4.4
O18 - Protocol\Handler\intu-help-qb3 {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O18 - Protocol\Handler\sds {79E0F14C-9C52-4218-89A7-7C4B0563D121} - C:\Program Files\Sharp\Sharpdesk\ExplorerExtensions.dll (SHARP CORPORATION)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Public\Pictures\Sample Pictures\Dock.jpg
O24 - Desktop BackupWallPaper: C:\Users\Public\Pictures\Sample Pictures\Dock.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/08/19 08:43:30 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/08/17 07:42:32 | 000,000,000 | ---D | C] -- C:\Users\ccdc\Desktop\temp
[2012/08/16 22:27:06 | 000,000,000 | ---D | C] -- C:\Users\ccdc\AppData\Local\ElevatedDiagnostics
[2012/08/16 22:00:22 | 010,288,512 | ---- | C] (Microsoft Corporation) -- C:\Users\ccdc\Desktop\mseinstall.exe
[2012/08/16 21:29:06 | 000,000,000 | ---D | C] -- C:\Users\ccdc\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2012/08/16 18:51:59 | 000,000,000 | ---D | C] -- C:\Users\ccdc\Desktop\New Folder
[2012/08/16 18:18:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/08/16 18:18:13 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/08/19 09:13:55 | 000,388,160 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/08/19 09:13:54 | 000,004,896 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/08/19 09:13:54 | 000,004,896 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/08/19 09:13:47 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/08/19 09:13:36 | 2011,750,400 | -HS- | M] () -- C:\hiberfil.sys
[2012/08/19 08:43:17 | 000,007,944 | ---- | M] () -- C:\Users\ccdc\AppData\Local\d3d9caps.dat
[2012/08/18 22:50:50 | 000,000,416 | ---- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{763DA8C3-9E2D-4ACB-8788-3E97DADC57CB}.job
[2012/08/17 18:39:40 | 000,069,408 | ---- | M] () -- C:\Users\ccdc\Documents\registrybeforechanges.reg
[2012/08/17 07:36:32 | 000,003,306 | ---- | M] () -- C:\Users\ccdc\Documents\cc_20120817_073627.reg
[2012/08/16 22:02:25 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/08/16 22:00:33 | 010,288,512 | ---- | M] (Microsoft Corporation) -- C:\Users\ccdc\Desktop\mseinstall.exe
[2012/08/16 21:31:41 | 000,630,558 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/08/16 21:31:41 | 000,113,894 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/08/16 21:28:11 | 000,000,940 | ---- | M] () -- C:\Users\ccdc\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/08/16 18:18:14 | 000,000,908 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/08/19 08:44:20 | 2011,750,400 | -HS- | C] () -- C:\hiberfil.sys
[2012/08/17 18:39:40 | 000,069,408 | ---- | C] () -- C:\Users\ccdc\Documents\registrybeforechanges.reg
[2012/08/17 07:36:30 | 000,003,306 | ---- | C] () -- C:\Users\ccdc\Documents\cc_20120817_073627.reg
[2012/08/16 22:02:13 | 000,001,828 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/08/16 20:19:29 | 000,000,940 | ---- | C] () -- C:\Users\ccdc\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/08/16 18:18:14 | 000,000,908 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2011/11/18 15:51:16 | 000,000,304 | ---- | C] () -- C:\ProgramData\~H0WeK3WVEJ40SL
[2011/11/18 15:51:16 | 000,000,232 | ---- | C] () -- C:\ProgramData\~H0WeK3WVEJ40SLr
[2011/11/18 15:51:12 | 000,000,456 | ---- | C] () -- C:\ProgramData\H0WeK3WVEJ40SL
[2011/03/24 10:03:12 | 000,000,026 | ---- | C] () -- C:\Windows\FPKPMSV.INI
[2009/09/24 11:39:57 | 000,729,470 | ---- | C] () -- C:\Users\ccdc\AppData\Roaming\fontlst2.opf
[2008/01/10 09:38:36 | 000,007,944 | ---- | C] () -- C:\Users\ccdc\AppData\Local\d3d9caps.dat
[2007/04/13 11:28:08 | 000,000,092 | ---- | C] () -- C:\Users\ccdc\AppData\Local\fusioncache.dat
[2007/04/13 11:27:45 | 000,057,856 | ---- | C] () -- C:\Users\ccdc\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

< End of report >

Attached file: OTL.Txt (42.24 KB)

#2 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Hi there ... Could you locate and attach the TDSSKiller log? It should be at C:\TDSSKiller date time

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2011/11/18 15:51:16 | 000,000,304 | ---- | C] () -- C:\ProgramData\~H0WeK3WVEJ40SL
    [2011/11/18 15:51:16 | 000,000,232 | ---- | C] () -- C:\ProgramData\~H0WeK3WVEJ40SLr
    [2011/11/18 15:51:12 | 000,000,456 | ---- | C] () -- C:\ProgramData\H0WeK3WVEJ40SL
    [2011/03/24 10:03:12 | 000,000,026 | ---- | C] () -- C:\Windows\FPKPMSV.INI
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

FINALLY

Run Farbar Service Scanner

Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.
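As an added triage example (not part of this thread and not OTL's own code): a Python parser for the entry format OTL uses in its file sections, run over a few lines constructed in that format from the log posted above. It picks out company-less files with random-looking names sitting directly in C:\ProgramData or C:\Windows (three of the four entries Essexboy moved into the :OTL fix) and emits them in the :OTL fix-script form; the random-name heuristic is an assumption of this example, not an OTL rule.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the entry format OTL prints in its file sections:
#   [date time | size | attrs | C/M] (company) -- path
# The values are copied from the log posted in this thread, not from a live system.
SAMPLE_LOG = r"""
[2012/08/16 22:02:13 | 000,001,828 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2011/11/18 15:51:16 | 000,000,304 | ---- | C] () -- C:\ProgramData\~H0WeK3WVEJ40SL
[2011/11/18 15:51:16 | 000,000,232 | ---- | C] () -- C:\ProgramData\~H0WeK3WVEJ40SLr
[2011/11/18 15:51:12 | 000,000,456 | ---- | C] () -- C:\ProgramData\H0WeK3WVEJ40SL
[2011/03/24 10:03:12 | 000,000,026 | ---- | C] () -- C:\Windows\FPKPMSV.INI
[2012/08/16 22:00:22 | 010,288,512 | ---- | C] (Microsoft Corporation) -- C:\Users\ccdc\Desktop\mseinstall.exe
[1 C:\*.tmp files -> C:\*.tmp -> ]
"""

# One OTL file entry; summary lines such as "[1 C:\*.tmp files -> ...]" do not match.
OTL_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

# Folders where a bare, unsigned, randomly named file deserves a second look
# (an assumption of this example).
WATCHED_DIRS = {"c:\\programdata", "c:\\windows"}


@dataclass
class OtlEntry:
    timestamp: str
    size: int        # bytes, with OTL's thousands separators removed
    attrs: str       # e.g. "----", "-HS-", "---D"
    kind: str        # "C" = created, "M" = modified
    company: str     # empty when OTL found no company name
    path: str
    raw: str         # the original line, reused verbatim in fix scripts


def parse_otl_entries(text: str) -> List[OtlEntry]:
    """Parse every file entry in an OTL log fragment, skipping everything else."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = OTL_ENTRY.match(line)
        if not m:
            continue
        entries.append(OtlEntry(
            timestamp=m["ts"], size=int(m["size"].replace(",", "")),
            attrs=m["attrs"], kind=m["kind"], company=m["company"].strip(),
            path=m["path"], raw=line))
    return entries


def looks_random(name: str) -> bool:
    """Heuristic (assumed here, not an OTL rule): an extension-less name of
    8+ alphanumerics that mixes upper case, lower case and digits."""
    stem = name.lstrip("~")
    if len(stem) < 8 or not stem.isalnum():
        return False
    return (any(c.islower() for c in stem) and any(c.isupper() for c in stem)
            and any(c.isdigit() for c in stem))


def flag_suspicious(entries: List[OtlEntry]) -> List[OtlEntry]:
    """Company-less entries placed directly in a watched folder with a random-looking name."""
    flagged = []
    for e in entries:
        folder, _, name = e.path.rpartition("\\")
        if e.company or folder.lower() not in WATCHED_DIRS:
            continue
        if looks_random(name):
            flagged.append(e)
    return flagged


def to_otl_fix(entries: List[OtlEntry]) -> str:
    """Emit the ':OTL' section of a fix script: the log lines repeated verbatim
    under the section header, which is how the fix in this thread is written."""
    return ":OTL\n" + "".join(e.raw + "\n" for e in entries)


if __name__ == "__main__":
    print(to_otl_fix(flag_suspicious(parse_otl_entries(SAMPLE_LOG))))
```

Review what the heuristic flags before pasting anything into a fix; FPKPMSV.INI, which the helper also removed, has an extension and so is deliberately left to human judgement here.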

#3 liimamasbigdaddy (Topic Starter, New Member, 6 posts)
I still have no icons. I could not find the logs for TDSSKiller; I clicked Cleanup after I ran it this morning, before contacting you. That may have removed the log. However, I found the TDSSKiller_Quarantine folder; I zipped it and am attaching it to this. I don't believe the computer has rebooted since running OTL. After running ComboFix it didn't ask for or automatically reboot. Same for FSS. Here are the logs you asked for, after following your directions:

OTL Log:
OTL logfile created on: 8/19/2012 11:49:24 AM - Run 2
OTL by OldTimer - Version 3.2.58.0 Folder = E:\Fixes round1
Windows Vista Business Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19088)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 0.93 Gb Available Physical Memory | 49.44% Memory free
3.98 Gb Paging File | 2.99 Gb Available in Paging File | 75.04% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 291.83 Gb Total Space | 200.43 Gb Free Space | 68.68% Space Free | Partition Type: NTFS
Drive D: | 6.26 Gb Total Space | 0.87 Gb Free Space | 13.97% Space Free | Partition Type: NTFS
Drive E: | 3.77 Gb Total Space | 0.36 Gb Free Space | 9.57% Space Free | Partition Type: FAT32

Computer Name: CCDC-PC | User Name: ccdc | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/08/19 09:20:36 | 000,598,016 | ---- | M] (OldTimer Tools) -- E:\Fixes round1\OTL.exe
PRC - [2012/07/12 08:29:47 | 000,136,616 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2012/07/12 08:28:56 | 000,374,184 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
PRC - [2012/03/26 17:08:12 | 000,931,200 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2011/09/16 16:10:50 | 000,390,528 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2011/09/16 16:10:50 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/10/29 02:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/05/27 16:19:42 | 000,032,768 | ---- | M] (SHARP CORPORATION) -- C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
PRC - [2008/05/26 03:28:04 | 000,704,512 | ---- | M] (SHARP CORPORATION) -- C:\Program Files\Sharp\Sharpdesk\FTPServer.exe
PRC - [2008/05/26 03:21:08 | 000,548,864 | ---- | M] (SHARP CORPORATION) -- C:\Program Files\Sharp\Sharpdesk\nsapp.exe
PRC - [2007/07/19 10:54:24 | 000,143,408 | ---- | M] (IncrediMail, Ltd.) -- C:\Program Files\IncrediMail\bin\ImApp.exe
PRC - [2006/12/08 17:51:12 | 004,227,072 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe


========== Modules (No Company Name) ==========

MOD - [2011/09/27 08:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 08:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/06/15 03:36:36 | 012,430,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\381fb23cb39e1a61e13b8770eb9800ba\System.Windows.Forms.ni.dll
MOD - [2011/06/15 03:36:27 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\f1aa2385c0109f3059e0e6ba8b58ff68\System.Drawing.ni.dll
MOD - [2011/06/15 03:35:26 | 007,950,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9dff86a62a525ec8dc827fe9f50298b7\System.ni.dll
MOD - [2011/06/15 03:35:06 | 011,490,816 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\0309936a8e1672d39b9cf14463ce69f9\mscorlib.ni.dll
MOD - [2008/07/28 10:51:40 | 000,131,072 | ---- | M] () -- C:\Windows\assembly\GAC\Interop.SHDocVw\1.1.0.0__ab3d4581d2618b4b\Interop.SHDocVw.dll
MOD - [2008/07/28 10:51:39 | 000,036,864 | ---- | M] () -- C:\Windows\assembly\GAC\Kinkos.Jupiter.PlugIn.IEPlugIn\1.0.0.0__ab3d4581d2618b4b\Kinkos.Jupiter.PlugIn.IEPlugIn.dll
MOD - [2008/05/26 03:42:02 | 000,434,176 | ---- | M] () -- C:\Program Files\Sharp\Sharpdesk\SCprMfpif.dll
MOD - [2008/05/26 03:34:24 | 000,006,144 | ---- | M] () -- C:\Program Files\Sharp\Sharpdesk\discoveryps.dll
MOD - [2008/05/26 03:28:18 | 000,217,088 | ---- | M] () -- C:\Program Files\Sharp\Sharpdesk\FtpServerps.dll
MOD - [2007/07/19 10:56:06 | 000,065,594 | ---- | M] () -- C:\Program Files\IncrediMail\bin\ImAppRU.dll
MOD - [2007/07/19 10:54:32 | 000,073,780 | ---- | M] () -- C:\Program Files\IncrediMail\bin\ImComUtlU.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/07/12 08:29:47 | 000,136,616 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\ramaint.exe -- (LMIMaint)
SRV - [2012/07/12 08:28:56 | 000,374,184 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2012/03/26 17:03:40 | 000,214,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2011/09/16 16:10:50 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2011/09/06 20:12:06 | 000,045,056 | ---- | M] (Intuit) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2009/07/23 21:10:38 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2009/07/14 14:36:00 | 000,066,056 | ---- | M] (NOS Microsystems Ltd.) [Disabled | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus®
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS -- (MRESP50a64)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS -- (MREMP50a64)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2012/07/12 08:29:01 | 000,083,392 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\Windows\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2012/03/20 20:44:12 | 000,074,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2011/09/16 16:10:50 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\Windows\System32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2011/09/16 16:10:50 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2008/08/01 20:51:14 | 001,052,704 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2008/05/08 05:05:18 | 000,266,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2008/05/08 05:03:18 | 000,980,992 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DP.sys -- (HSF_DP)
DRV - [2008/02/21 14:36:10 | 000,019,712 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2008/02/21 14:36:05 | 000,018,304 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2007/10/26 19:51:24 | 000,110,624 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2007/10/18 07:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/07/06 21:15:00 | 007,568,832 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2006/11/02 03:41:53 | 000,251,904 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTBS23.SYS -- (VSTHWBS2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {CCC7A320-B3CA-4199-B1A6-9F516DD69829}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://us.yhs.search...p={searchTerms}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKCU\..\SearchScopes\{18D5F9FB-0EC3-4BA8-888C-2943130A378C}: "URL" = http://delicious.com...p={searchTerms}
IE - HKCU\..\SearchScopes\{411504AC-7C41-4F75-9605-6572451E2CC3}: "URL" = http://search.yahoo....f-8&fr=chr-yie8
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKCU\..\SearchScopes\{6F7650C0-55D2-4944-8384-1B4431EDC203}: "URL" = http://rover.ebay.co...e={searchTerms}
IE - HKCU\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://search.avg.co...}&iy=b&ychte=us
IE - HKCU\..\SearchScopes\{F20300DF-8181-4369-88FD-975DF2E07345}: "URL" = http://www.flickr.co...q={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@ei.DictionaryBoss.com/Plugin: C:\Program Files\DictionaryBossEI\Installr\1.bin\NPv4EISB.dll (DictionaryBoss)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)



O1 HOSTS File: ([2012/08/19 11:42:56 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [FtpServer.exe] C:\Program Files\Sharp\Sharpdesk\FtpServer.exe (SHARP CORPORATION)
O4 - HKLM..\Run: [IndexTray] C:\Program Files\Sharp\Sharpdesk\IndexTray.exe (SHARP CORPORATION)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SharpTray] C:\Program Files\Sharp\Sharpdesk\SharpTray.exe (SHARP CORPORATION)
O4 - HKCU..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe (IncrediMail, Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akama...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} http://dlm.tools.aka...vex-2.2.1.0.cab (DownloadManager Control)
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} https://setup.bellso...aller_6-1-2.cab (Reg Error: Value error.)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 172.16.0.10 172.16.0.11 8.8.8.8 8.8.4.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BB4CBB51-2559-4E46-B797-474800416431}: DhcpNameServer = 172.16.0.10 172.16.0.11 8.8.8.8 8.8.4.4
O18 - Protocol\Handler\intu-help-qb3 {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O18 - Protocol\Handler\sds {79E0F14C-9C52-4218-89A7-7C4B0563D121} - C:\Program Files\Sharp\Sharpdesk\ExplorerExtensions.dll (SHARP CORPORATION)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Public\Pictures\Sample Pictures\Dock.jpg
O24 - Desktop BackupWallPaper: C:\Users\Public\Pictures\Sample Pictures\Dock.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/08/19 08:43:30 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/08/17 07:42:32 | 000,000,000 | ---D | C] -- C:\Users\ccdc\Desktop\temp
[2012/08/16 22:27:06 | 000,000,000 | ---D | C] -- C:\Users\ccdc\AppData\Local\ElevatedDiagnostics
[2012/08/16 21:29:06 | 000,000,000 | ---D | C] -- C:\Users\ccdc\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2012/08/16 18:51:59 | 000,000,000 | ---D | C] -- C:\Users\ccdc\Desktop\New Folder
[2012/08/16 18:18:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/08/16 18:18:13 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

========== Files - Modified Within 30 Days ==========

[2012/08/19 11:45:39 | 000,004,896 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/08/19 11:45:39 | 000,004,896 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/08/19 11:45:34 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/08/19 11:45:30 | 2011,750,400 | -HS- | M] () -- C:\hiberfil.sys
[2012/08/19 11:42:56 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2012/08/19 11:40:13 | 000,007,944 | ---- | M] () -- C:\Users\ccdc\AppData\Local\d3d9caps.dat
[2012/08/19 09:13:55 | 000,388,160 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/08/18 22:50:50 | 000,000,416 | ---- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{763DA8C3-9E2D-4ACB-8788-3E97DADC57CB}.job
[2012/08/17 18:39:40 | 000,069,408 | ---- | M] () -- C:\Users\ccdc\Documents\registrybeforechanges.reg
[2012/08/17 07:36:32 | 000,003,306 | ---- | M] () -- C:\Users\ccdc\Documents\cc_20120817_073627.reg
[2012/08/16 22:02:25 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/08/16 21:31:41 | 000,630,558 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/08/16 21:31:41 | 000,113,894 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/08/16 21:28:11 | 000,000,940 | ---- | M] () -- C:\Users\ccdc\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/08/16 18:18:14 | 000,000,908 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

========== Files Created - No Company Name ==========

[2012/08/19 08:44:20 | 2011,750,400 | -HS- | C] () -- C:\hiberfil.sys
[2012/08/17 18:39:40 | 000,069,408 | ---- | C] () -- C:\Users\ccdc\Documents\registrybeforechanges.reg
[2012/08/17 07:36:30 | 000,003,306 | ---- | C] () -- C:\Users\ccdc\Documents\cc_20120817_073627.reg
[2012/08/16 22:02:13 | 000,001,828 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/08/16 20:19:29 | 000,000,940 | ---- | C] () -- C:\Users\ccdc\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/08/16 18:18:14 | 000,000,908 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2009/09/24 11:39:57 | 000,729,470 | ---- | C] () -- C:\Users\ccdc\AppData\Roaming\fontlst2.opf
[2008/01/10 09:38:36 | 000,007,944 | ---- | C] () -- C:\Users\ccdc\AppData\Local\d3d9caps.dat
[2007/04/13 11:28:08 | 000,000,092 | ---- | C] () -- C:\Users\ccdc\AppData\Local\fusioncache.dat
[2007/04/13 11:27:45 | 000,057,856 | ---- | C] () -- C:\Users\ccdc\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== LOP Check ==========

[2010/10/20 09:28:22 | 000,000,000 | ---D | M] -- C:\Users\ccdc\AppData\Roaming\AVG10
[2010/10/04 12:25:53 | 000,000,000 | ---D | M] -- C:\Users\ccdc\AppData\Roaming\AVG9
[2012/08/17 07:10:20 | 000,000,000 | ---D | M] -- C:\Users\ccdc\AppData\Roaming\C08BB
[2008/07/28 10:47:51 | 000,000,000 | ---D | M] -- C:\Users\ccdc\AppData\Roaming\Downloaded Installations
[2009/06/05 10:36:10 | 000,000,000 | ---D | M] -- C:\Users\ccdc\AppData\Roaming\Kinko's
[2009/09/24 11:40:08 | 000,000,000 | ---D | M] -- C:\Users\ccdc\AppData\Roaming\Sharpdesk
[2012/08/19 11:44:11 | 000,032,582 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2012/08/18 22:50:50 | 000,000,416 | ---- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{763DA8C3-9E2D-4ACB-8788-3E97DADC57CB}.job

========== Purity Check ==========



< End of report >


ComboFix log:
ComboFix 12-08-18.03 - ccdc 08/19/2012 12:02:53.3.2 - x86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.1918.898 [GMT -4:00]
Running from: c:\users\ccdc\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\DictionaryBossEI
c:\program files\DictionaryBossEI\Installr\1.bin\NPv4EISb.dll
c:\program files\DictionaryBossEI\Installr\1.bin\v4EIPlug.dll
c:\program files\DictionaryBossEI\Installr\1.bin\v4EZSETP.dll
c:\users\dharrig\AppData\Local\mrmrtdqbx.exe
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-19 to 2012-08-19 )))))))))))))))))))))))))))))))
.
.
2012-08-19 16:22 . 2012-08-19 16:22 -------- d-----w- c:\users\ccdc\AppData\Local\temp
2012-08-19 15:56 . 2012-08-19 15:56 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{46FAF5C5-A575-4322-9FC5-441D4978D885}\offreg.dll
2012-08-19 12:43 . 2012-08-19 12:43 -------- d-----w- C:\TDSSKiller_Quarantine
2012-08-19 12:32 . 2012-08-19 12:32 999840 ----a-w- c:\programdata\Microsoft\Windows\DRM\install_flashplayer.exe
2012-08-19 12:32 . 2012-08-19 05:00 122880 ----a-w- c:\programdata\Microsoft\Windows\DRM\ncrypt.dll
2012-08-19 06:43 . 2012-06-29 05:44 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{46FAF5C5-A575-4322-9FC5-441D4978D885}\mpengine.dll
2012-08-19 05:00 . 2012-08-19 05:00 122880 ----a-w- c:\programdata\Microsoft\Windows\DRM\9399.tmp
2012-08-19 04:07 . 2012-08-19 04:08 -------- d-----w- c:\users\CCDC1
2012-08-18 23:09 . 2012-06-29 05:44 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-17 02:27 . 2012-08-17 02:27 -------- d-----w- c:\users\ccdc\AppData\Local\ElevatedDiagnostics
2012-08-17 02:06 . 2012-08-17 02:04 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{06DD3764-A486-41B8-B4C8-E397765A7C4C}\gapaengine.dll
2012-08-16 22:18 . 2012-08-16 22:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-16 21:49 . 2012-08-16 23:01 -------- d-----w- c:\users\dharrig
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-12 12:29 . 2011-11-19 00:18 83392 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-07-12 12:29 . 2011-11-19 00:18 52128 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2012-07-12 12:28 . 2011-11-19 00:18 30624 ----a-w- c:\windows\system32\LMIport.dll
2012-07-12 12:28 . 2011-11-19 00:18 87456 ----a-w- c:\windows\system32\LMIinit.dll
2012-06-07 00:59 . 2012-06-07 00:59 1070152 ----a-w- c:\windows\system32\MSCOMCTL.OCX
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2007-07-19 208946]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SharpTray"="c:\program files\Sharp\Sharpdesk\SharpTray.exe" [2008-05-27 32768]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-08 4227072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-07-07 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-07 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-07 8466432]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-09-16 63048]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-10-19 1439496]
"IndexTray"="c:\program files\Sharp\Sharpdesk\IndexTray.exe" [2008-05-27 106496]
"FtpServer.exe"="c:\program files\Sharp\Sharpdesk\FtpServer.exe" [2008-05-26 704512]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1804446206-3594188270-3370918733-1000]
"EnableNotificationsRef"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-19 c:\windows\Tasks\User_Feed_Synchronization-{763DA8C3-9E2D-4ACB-8788-3E97DADC57CB}.job
- c:\windows\system32\msfeedssync.exe [2011-06-15 04:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
TCP: DhcpNameServer = 172.16.0.10 172.16.0.11 8.8.8.8 8.8.4.4
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-38521923.sys
MSConfigStartUp-8F3 - c:\program files\LP\1C9C\8F3.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-19 12:22
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-08-19 12:24:38
ComboFix-quarantined-files.txt 2012-08-19 16:24
.
Pre-Run: 215,155,920,896 bytes free
Post-Run: 214,391,115,776 bytes free
.
- - End Of File - - 39C639EF30C9CAFF637930A06F1012F8


FSS Log:
Farbar Service Scanner Version: 06-08-2012
Ran by ccdc (administrator) on 19-08-2012 at 12:29:14
Running from "E:\Fixes round1"
Microsoft® Windows Vista™ Business Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error: Google IP is offline
Attempt to access Google.com returned error: Google.com is offline
Attempt to access Yahoo IP returned error: Yahoo IP is offline
Attempt to access Yahoo.com returned error: Yahoo.com is offline


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll
[2008-05-29 19:28] - [2008-01-19 03:34] - 0204288 ____A (Microsoft Corporation) 43A988A9C10333476CB5FB667CBD629D

C:\Windows\system32\Drivers\afd.sys
[2011-06-14 21:01] - [2011-04-21 09:16] - 0273408 ____A (Microsoft Corporation) 48EB99503533C27AC6135648E5474457

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2010-08-10 17:08] - [2010-06-16 11:55] - 0902032 ____A (Microsoft Corporation) 6216A954ED7045B62880A92D6C9B9FC7

C:\Windows\system32\dnsrslvr.dll
[2011-04-14 21:22] - [2011-03-02 10:49] - 0086528 ____A (Microsoft Corporation) 4805D9A6D281C7A7DEFD9094DEC6AF7D

C:\Windows\system32\mpssvc.dll
[2008-05-29 19:29] - [2008-01-19 03:34] - 0393216 ____A (Microsoft Corporation) D1639BA315B0D79DEC49A4B0E1FB929B

C:\Windows\system32\bfe.dll
[2010-08-10 17:08] - [2010-06-16 11:09] - 0328704 ____A (Microsoft Corporation) D3E6D78285529962349A7F1617035938

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe
[2008-05-29 19:29] - [2008-01-19 03:33] - 1054720 ____A (Microsoft Corporation) D5FB73D19C46ADE183F968E13F186B23

C:\Windows\system32\wscsvc.dll
[2008-05-29 19:29] - [2008-01-19 03:37] - 0061440 ____A (Microsoft Corporation) 683DD16B590372F2C9661D277F35E49C

C:\Windows\system32\wbem\WMIsvc.dll
[2008-05-29 19:28] - [2008-01-19 03:36] - 0161792 ____A (Microsoft Corporation) 00B79A7C984678F24CF052E5BEB3A2F5

C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll
[2008-05-29 19:29] - [2008-01-19 03:36] - 0758272 ____A (Microsoft Corporation) 02ED7B4DBC2A3232A389106DA7515C3D

C:\Windows\system32\es.dll
[2008-08-13 21:47] - [2008-04-18 01:48] - 0269312 ____A (Microsoft Corporation) 3CB3343D720168B575133A0A20DC2465

C:\Windows\system32\cryptsvc.dll
[2008-05-29 19:28] - [2008-01-19 03:34] - 0128000 ____A (Microsoft Corporation) 6DE363F9F99334514C46AEC02D3E3678

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll
[2008-05-29 19:28] - [2008-01-19 03:34] - 0288256 ____A (Microsoft Corporation) E1499BD0FF76B1B2FBBF1AF339D91165

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll
[2009-04-15 15:44] - [2009-03-03 00:39] - 0551424 ____A (Microsoft Corporation) 301AE00E12408650BADDC04DBC832830



**** End of log ****
  • 0

#4 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK, let's have a look with RogueKiller.

  • Download RogueKiller and save it on your desktop.
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
  • The report has been created on the desktop.

  • Next click on the ShortcutsFix
  • The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.
  • 0

#5 liimamasbigdaddy (New Member, Topic Starter, 6 posts)
The desktop icons have returned. I have not rebooted after running the Rogue-Killer. I will wait for your directions on what to do next. Previously, when Rogue-Killer brought the icons back, after reboot they would disappear again. Here are the reports:

Report1:
RogueKiller V7.6.6 [08/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6001 Service Pack 1) 32 bits version
Started in : Normal mode
User: ccdc [Admin rights]
Mode: Scan -- Date: 08/19/2012 18:44:01

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST332082 0AS SCSI Disk Device +++++
--- User ---
[MBR] c38a338aab2cf5f279c46dd63368a430
[BSP] b6be6e9d0f0336d35e5e33756ce073f7 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 298834 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 612012240 | Size: 6408 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: Corsair Flash Voyager USB Device +++++
--- User ---
[MBR] 95ef675be7e1ac295e2d38aef8ef9a7c
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 32 | Size: 3871 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt



Report2:
RogueKiller V7.6.6 [08/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6001 Service Pack 1) 32 bits version
Started in : Normal mode
User: ccdc [Admin rights]
Mode: Remove -- Date: 08/19/2012 18:46:49

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST332082 0AS SCSI Disk Device +++++
--- User ---
[MBR] c38a338aab2cf5f279c46dd63368a430
[BSP] b6be6e9d0f0336d35e5e33756ce073f7 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 298834 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 612012240 | Size: 6408 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: Corsair Flash Voyager USB Device +++++
--- User ---
[MBR] 95ef675be7e1ac295e2d38aef8ef9a7c
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 32 | Size: 3871 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt



Report3:
RogueKiller V7.6.6 [08/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6001 Service Pack 1) 32 bits version
Started in : Normal mode
User: ccdc [Admin rights]
Mode: Shortcuts HJfix -- Date: 08/19/2012 18:48:06

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 2 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 74 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 12 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 175 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[E:] \Device\HarddiskVolume9 -- 0x2 --> Restored
[F:] \Device\HarddiskVolume4 -- 0x2 --> Restored
[G:] \Device\HarddiskVolume5 -- 0x2 --> Restored
[H:] \Device\HarddiskVolume6 -- 0x2 --> Restored
[I:] \Device\HarddiskVolume7 -- 0x2 --> Restored
[K:] \Device\CdRom0 -- 0x5 --> Skipped

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
  • 0

#6 liimamasbigdaddy (New Member, Topic Starter, 6 posts)
My curiosity got the best of me. I rebooted and the icons disappeared again. I re-ran Rogue-Killer doing Scan, Delete, and Fix Shortcuts. Here are the logs:

Report1:
RogueKiller V7.6.6 [08/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6001 Service Pack 1) 32 bits version
Started in : Normal mode
User: ccdc [Admin rights]
Mode: Scan -- Date: 08/20/2012 07:57:11

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST332082 0AS SCSI Disk Device +++++
--- User ---
[MBR] c38a338aab2cf5f279c46dd63368a430
[BSP] b6be6e9d0f0336d35e5e33756ce073f7 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 298834 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 612012240 | Size: 6408 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt



Report2:
RogueKiller V7.6.6 [08/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6001 Service Pack 1) 32 bits version
Started in : Normal mode
User: ccdc [Admin rights]
Mode: Remove -- Date: 08/20/2012 07:58:15

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST332082 0AS SCSI Disk Device +++++
--- User ---
[MBR] c38a338aab2cf5f279c46dd63368a430
[BSP] b6be6e9d0f0336d35e5e33756ce073f7 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 298834 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 612012240 | Size: 6408 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt



Report3:
RogueKiller V7.6.6 [08/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6001 Service Pack 1) 32 bits version
Started in : Normal mode
User: ccdc [Admin rights]
Mode: Shortcuts HJfix -- Date: 08/20/2012 07:58:38

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 2 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 7 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 2 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[F:] \Device\HarddiskVolume3 -- 0x2 --> Restored
[G:] \Device\HarddiskVolume4 -- 0x2 --> Restored
[H:] \Device\HarddiskVolume5 -- 0x2 --> Restored
[I:] \Device\HarddiskVolume6 -- 0x2 --> Restored
[K:] \Device\CdRom0 -- 0x5 --> Skipped

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt



Thanks

#7
liimamasbigdaddy (New Member, Topic Starter)
I forgot to mention that the icons came back again once I ran Rogue-Killer again.

#8
Essexboy (GeekU Moderator, Retired Staff)
OK, could you run OTL for me, but ensure that "All users" is selected.


#9
liimamasbigdaddy (New Member, Topic Starter)
I did not have the option to pick 64-bit scan, but "All users" was checked.

report:

OTL logfile created on: 8/20/2012 9:03:16 PM - Run 3
OTL by OldTimer - Version 3.2.58.0 Folder = E:\Fixes
Windows Vista Business Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19088)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 53.45% Memory free
3.98 Gb Paging File | 3.10 Gb Available in Paging File | 77.83% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 291.83 Gb Total Space | 199.99 Gb Free Space | 68.53% Space Free | Partition Type: NTFS
Drive D: | 6.26 Gb Total Space | 0.87 Gb Free Space | 13.97% Space Free | Partition Type: NTFS
Drive E: | 3.77 Gb Total Space | 0.36 Gb Free Space | 9.49% Space Free | Partition Type: FAT32

Computer Name: CCDC-PC | User Name: ccdc | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/08/19 09:20:36 | 000,598,016 | ---- | M] (OldTimer Tools) -- E:\Fixes\OTL.exe
PRC - [2012/07/12 08:29:47 | 000,136,616 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2012/07/12 08:28:56 | 000,374,184 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
PRC - [2012/03/26 17:08:12 | 000,931,200 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2011/09/16 16:10:50 | 000,390,528 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2011/09/16 16:10:50 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/10/29 02:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/05/27 16:19:42 | 000,032,768 | ---- | M] (SHARP CORPORATION) -- C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
PRC - [2008/05/26 03:28:04 | 000,704,512 | ---- | M] (SHARP CORPORATION) -- C:\Program Files\Sharp\Sharpdesk\FTPServer.exe
PRC - [2008/05/26 03:21:08 | 000,548,864 | ---- | M] (SHARP CORPORATION) -- C:\Program Files\Sharp\Sharpdesk\nsapp.exe
PRC - [2007/07/19 10:54:24 | 000,143,408 | ---- | M] (IncrediMail, Ltd.) -- C:\Program Files\IncrediMail\bin\ImApp.exe
PRC - [2006/12/08 17:51:12 | 004,227,072 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe


========== Modules (No Company Name) ==========

MOD - [2011/09/27 08:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 08:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/06/15 03:36:36 | 012,430,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\381fb23cb39e1a61e13b8770eb9800ba\System.Windows.Forms.ni.dll
MOD - [2011/06/15 03:36:27 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\f1aa2385c0109f3059e0e6ba8b58ff68\System.Drawing.ni.dll
MOD - [2011/06/15 03:35:26 | 007,950,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9dff86a62a525ec8dc827fe9f50298b7\System.ni.dll
MOD - [2011/06/15 03:35:06 | 011,490,816 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\0309936a8e1672d39b9cf14463ce69f9\mscorlib.ni.dll
MOD - [2008/07/28 10:51:40 | 000,131,072 | ---- | M] () -- C:\Windows\assembly\GAC\Interop.SHDocVw\1.1.0.0__ab3d4581d2618b4b\Interop.SHDocVw.dll
MOD - [2008/07/28 10:51:39 | 000,036,864 | ---- | M] () -- C:\Windows\assembly\GAC\Kinkos.Jupiter.PlugIn.IEPlugIn\1.0.0.0__ab3d4581d2618b4b\Kinkos.Jupiter.PlugIn.IEPlugIn.dll
MOD - [2008/05/26 03:42:02 | 000,434,176 | ---- | M] () -- C:\Program Files\Sharp\Sharpdesk\SCprMfpif.dll
MOD - [2008/05/26 03:34:24 | 000,006,144 | ---- | M] () -- C:\Program Files\Sharp\Sharpdesk\discoveryps.dll
MOD - [2008/05/26 03:28:18 | 000,217,088 | ---- | M] () -- C:\Program Files\Sharp\Sharpdesk\FtpServerps.dll
MOD - [2007/07/19 10:56:06 | 000,065,594 | ---- | M] () -- C:\Program Files\IncrediMail\bin\ImAppRU.dll
MOD - [2007/07/19 10:54:32 | 000,073,780 | ---- | M] () -- C:\Program Files\IncrediMail\bin\ImComUtlU.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/07/12 08:29:47 | 000,136,616 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\ramaint.exe -- (LMIMaint)
SRV - [2012/07/12 08:28:56 | 000,374,184 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2012/03/26 17:03:40 | 000,214,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2011/09/16 16:10:50 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2011/09/06 20:12:06 | 000,045,056 | ---- | M] (Intuit) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2009/07/23 21:10:38 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2009/07/14 14:36:00 | 000,066,056 | ---- | M] (NOS Microsystems Ltd.) [Disabled | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus®
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/01/19 03:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS -- (MRESP50a64)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS -- (MREMP50a64)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\ccdc\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2012/07/12 08:29:01 | 000,083,392 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\Windows\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2012/03/20 20:44:12 | 000,074,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2011/09/16 16:10:50 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\Windows\System32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2011/09/16 16:10:50 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2008/08/01 20:51:14 | 001,052,704 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2008/05/08 05:05:18 | 000,266,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2008/05/08 05:03:18 | 000,980,992 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DP.sys -- (HSF_DP)
DRV - [2008/02/21 14:36:10 | 000,019,712 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2008/02/21 14:36:05 | 000,018,304 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2007/10/26 19:51:24 | 000,110,624 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2007/10/18 07:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/07/06 21:15:00 | 007,568,832 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2006/11/02 03:41:53 | 000,251,904 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTBS23.SYS -- (VSTHWBS2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {CCC7A320-B3CA-4199-B1A6-9F516DD69829}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://us.yhs.search...p={searchTerms}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1804446206-3594188270-3370918733-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-1804446206-3594188270-3370918733-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
IE - HKU\S-1-5-21-1804446206-3594188270-3370918733-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1804446206-3594188270-3370918733-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-1804446206-3594188270-3370918733-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKU\S-1-5-21-1804446206-3594188270-3370918733-1000\..\SearchScopes\{18D5F9FB-0EC3-4BA8-888C-2943130A378C}: "URL" = http://delicious.com...p={searchTerms}
IE - HKU\S-1-5-21-1804446206-3594188270-3370918733-1000\..\SearchScopes\{411504AC-7C41-4F75-9605-6572451E2CC3}: "URL" = http://search.yahoo....f-8&fr=chr-yie8
IE - HKU\S-1-5-21-1804446206-3594188270-3370918733-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKU\S-1-5-21-1804446206-3594188270-3370918733-1000\..\SearchScopes\{6F7650C0-55D2-4944-8384-1B4431EDC203}: "URL" = http://rover.ebay.co...e={searchTerms}
IE - HKU\S-1-5-21-1804446206-3594188270-3370918733-1000\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://search.avg.co...}&iy=b&ychte=us
IE - HKU\S-1-5-21-1804446206-3594188270-3370918733-1000\..\SearchScopes\{F20300DF-8181-4369-88FD-975DF2E07345}: "URL" = http://www.flickr.co...q={searchTerms}
IE - HKU\S-1-5-21-1804446206-3594188270-3370918733-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1804446206-3594188270-3370918733-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@ei.DictionaryBoss.com/Plugin: C:\Program Files\DictionaryBossEI\Installr\1.bin\NPv4EISB.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)



O1 HOSTS File: ([2012/08/19 12:22:33 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [FtpServer.exe] C:\Program Files\Sharp\Sharpdesk\FtpServer.exe (SHARP CORPORATION)
O4 - HKLM..\Run: [IndexTray] C:\Program Files\Sharp\Sharpdesk\IndexTray.exe (SHARP CORPORATION)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SharpTray] C:\Program Files\Sharp\Sharpdesk\SharpTray.exe (SHARP CORPORATION)
O4 - HKU\S-1-5-21-1804446206-3594188270-3370918733-1000..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe (IncrediMail, Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-1804446206-3594188270-3370918733-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1804446206-3594188270-3370918733-1000\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-1804446206-3594188270-3370918733-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akama...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} http://dlm.tools.aka...vex-2.2.1.0.cab (DownloadManager Control)
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} https://setup.bellso...aller_6-1-2.cab (Reg Error: Value error.)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 172.16.0.10 172.16.0.11 8.8.8.8 8.8.4.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BB4CBB51-2559-4E46-B797-474800416431}: DhcpNameServer = 172.16.0.10 172.16.0.11 8.8.8.8 8.8.4.4
O18 - Protocol\Handler\intu-help-qb3 {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O18 - Protocol\Handler\sds {79E0F14C-9C52-4218-89A7-7C4B0563D121} - C:\Program Files\Sharp\Sharpdesk\ExplorerExtensions.dll (SHARP CORPORATION)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Public\Pictures\Sample Pictures\Dock.jpg
O24 - Desktop BackupWallPaper: C:\Users\Public\Pictures\Sample Pictures\Dock.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/08/19 18:42:17 | 000,000,000 | ---D | C] -- C:\Users\ccdc\Desktop\RK_Quarantine
[2012/08/19 12:24:44 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/08/19 12:24:41 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/08/19 12:24:41 | 000,000,000 | ---D | C] -- C:\Users\ccdc\AppData\Local\temp
[2012/08/19 12:00:15 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/08/19 12:00:15 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/08/19 12:00:15 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/08/19 12:00:09 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/08/19 11:58:46 | 004,735,580 | R--- | C] (Swearware) -- C:\Users\ccdc\Desktop\ComboFix.exe
[2012/08/19 08:43:30 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/08/17 07:42:32 | 000,000,000 | ---D | C] -- C:\Users\ccdc\Desktop\temp
[2012/08/16 22:27:06 | 000,000,000 | ---D | C] -- C:\Users\ccdc\AppData\Local\ElevatedDiagnostics
[2012/08/16 22:00:22 | 010,288,512 | ---- | C] (Microsoft Corporation) -- C:\Users\ccdc\Desktop\mseinstall.exe
[2012/08/16 21:29:06 | 000,000,000 | ---D | C] -- C:\Users\ccdc\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2012/08/16 18:51:59 | 000,000,000 | ---D | C] -- C:\Users\ccdc\Desktop\New Folder
[2012/08/16 18:18:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/08/16 18:18:13 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

========== Files - Modified Within 30 Days ==========

[2012/08/20 20:48:51 | 000,004,896 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/08/20 20:48:51 | 000,004,896 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/08/20 20:48:48 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/08/20 20:48:44 | 2011,750,400 | -HS- | M] () -- C:\hiberfil.sys
[2012/08/19 23:31:30 | 000,000,416 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{763DA8C3-9E2D-4ACB-8788-3E97DADC57CB}.job
[2012/08/19 18:40:52 | 001,558,528 | ---- | M] () -- C:\Users\ccdc\Desktop\RogueKiller.exe
[2012/08/19 12:22:33 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/08/19 11:40:13 | 000,007,944 | ---- | M] () -- C:\Users\ccdc\AppData\Local\d3d9caps.dat
[2012/08/19 11:36:54 | 004,735,580 | R--- | M] (Swearware) -- C:\Users\ccdc\Desktop\ComboFix.exe
[2012/08/19 09:13:55 | 000,388,160 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/08/17 18:39:40 | 000,069,408 | ---- | M] () -- C:\Users\ccdc\Documents\registrybeforechanges.reg
[2012/08/17 07:36:32 | 000,003,306 | ---- | M] () -- C:\Users\ccdc\Documents\cc_20120817_073627.reg
[2012/08/16 22:02:25 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/08/16 22:00:33 | 010,288,512 | ---- | M] (Microsoft Corporation) -- C:\Users\ccdc\Desktop\mseinstall.exe
[2012/08/16 21:31:41 | 000,630,558 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/08/16 21:31:41 | 000,113,894 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/08/16 21:28:11 | 000,000,940 | ---- | M] () -- C:\Users\ccdc\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/08/16 18:18:14 | 000,000,908 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

========== Files Created - No Company Name ==========

[2012/08/19 18:41:31 | 001,558,528 | ---- | C] () -- C:\Users\ccdc\Desktop\RogueKiller.exe
[2012/08/19 12:00:15 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/08/19 12:00:15 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/08/19 12:00:15 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/08/19 12:00:15 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/08/19 12:00:15 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/08/19 08:44:20 | 2011,750,400 | -HS- | C] () -- C:\hiberfil.sys
[2012/08/17 18:39:40 | 000,069,408 | ---- | C] () -- C:\Users\ccdc\Documents\registrybeforechanges.reg
[2012/08/17 07:36:30 | 000,003,306 | ---- | C] () -- C:\Users\ccdc\Documents\cc_20120817_073627.reg
[2012/08/16 22:02:13 | 000,001,828 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/08/16 20:19:29 | 000,000,940 | ---- | C] () -- C:\Users\ccdc\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/08/16 18:18:14 | 000,000,908 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2009/09/24 11:39:57 | 000,729,470 | ---- | C] () -- C:\Users\ccdc\AppData\Roaming\fontlst2.opf
[2008/01/10 09:38:36 | 000,007,944 | ---- | C] () -- C:\Users\ccdc\AppData\Local\d3d9caps.dat
[2007/04/13 11:28:08 | 000,000,092 | ---- | C] () -- C:\Users\ccdc\AppData\Local\fusioncache.dat
[2007/04/13 11:27:45 | 000,057,856 | ---- | C] () -- C:\Users\ccdc\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

< End of report >
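A triage helper for the OTL output above, added here as an example; it is not part of the thread, of OTL or of RogueKiller. It parses the PRC/SRV/DRV/MOD and O4 line shapes that appear in the log and returns the entries a removal helper reads first: service or driver entries whose file is missing, executables with no company name in their version information, and anything launched from a user profile or Temp directory. Those three heuristics are my assumptions about what deserves a second look, not OTL's own rules. The sample lines are copied from the log, except the last O4 line, which is constructed to show what a flagged autorun looks like.

```python
"""Triage helper for OTL (OldTimer's List-It) log lines.

Added example, not part of OTL, RogueKiller or the original posts.
Heuristics (assumptions, not OTL rules): missing file behind a
service/driver entry, empty company name, path under a user profile
or Temp directory.
"""
import re
from dataclasses import dataclass

# Dated PRC/SRV/DRV/MOD entries: "[date | size | attrs | M] (company)" or the
# literal "File not found", an optional "[state]", then " -- path" and an
# optional " -- (ServiceName)".
ENTRY_RE = re.compile(
    r"^(?P<kind>PRC|SRV|DRV|MOD) - "
    r"(?:\[(?P<date>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| [^\]]*\] \((?P<company>[^)]*)\)"
    r"|(?P<missing>File not found))"
    r"(?: \[(?P<state>[^\]]*)\])?"
    r" -- (?P<path>.+?)"
    r"(?: -- \((?P<name>[^)]*)\))?$"
)

# Autorun entries: O4 - <hive>..\Run: [ValueName] <path> (<company>)
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<path>.+?)"
    r"(?: \((?P<company>[^)]*)\))?$"
)

MISSING = "file not found: orphaned service/driver entry"
NO_COMPANY = "no company name in version info"
USER_PATH = "runs from a user profile or Temp directory"


def is_user_profile_path(path: str) -> bool:
    """True for paths under a user profile or a Temp directory (assumed markers)."""
    p = path.lower()
    return any(m in p for m in ("\\users\\", "\\documents and settings\\", "\\appdata\\", "\\temp\\"))


@dataclass(frozen=True)
class Finding:
    kind: str       # PRC, SRV, DRV, MOD or O4
    path: str
    name: str       # service/driver name, or autorun value name
    reasons: tuple


def triage(lines):
    """Return the entries worth a second look, in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        reasons = []
        m = ENTRY_RE.match(line)
        if m:
            kind, path, name = m["kind"], m["path"], m["name"] or ""
            if m["missing"]:
                reasons.append(MISSING)
            elif kind != "MOD" and not (m["company"] or "").strip():
                # .NET native images and data DLLs routinely lack a company,
                # so only processes, services and drivers are flagged for it.
                reasons.append(NO_COMPANY)
        else:
            m = O4_RE.match(line)
            if not m:
                continue  # not a line shape this helper understands
            kind, path, name = "O4", m["path"], m["value"]
            if not (m["company"] or "").strip():
                reasons.append(NO_COMPANY)
        if is_user_profile_path(path):
            reasons.append(USER_PATH)
        if reasons:
            findings.append(Finding(kind, path, name, tuple(reasons)))
    return findings


SAMPLE_LINES = [
    # Lines copied from the OTL log in this thread.
    r"PRC - [2012/08/19 09:20:36 | 000,598,016 | ---- | M] (OldTimer Tools) -- E:\Fixes\OTL.exe",
    r"SRV - [2012/07/12 08:29:47 | 000,136,616 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\ramaint.exe -- (LMIMaint)",
    r"DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)",
    r"DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\ccdc\AppData\Local\Temp\catchme.sys -- (catchme)",
    r"MOD - [2011/09/27 08:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll",
    r"O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)",
    r"O4 - HKU\S-1-5-21-1804446206-3594188270-3370918733-1000..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe (IncrediMail, Ltd.)",
    # Constructed line, NOT from the log: the shape of an autorun this flags.
    r"O4 - HKU\S-1-5-21-1804446206-3594188270-3370918733-1000..\Run: [svchost] C:\Users\ccdc\AppData\Local\Temp\svchost.exe ()",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.kind:<4} {f.path}  [{f.name}]")
        for r in f.reasons:
            print(f"       - {r}")
```

A flagged line is a place to look, not a verdict: the `catchme.sys` driver entry it raises here is the leftover of the ComboFix run visible in the same log (C:\Qoobox, SWREG.exe, PEV.exe), and the three Motive/NWLink "File not found" drivers are orphaned registrations, not running code. The value of the helper is that it cuts a 250-line log down to the handful of entries a human should read first.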

#10
Essexboy (GeekU Moderator, Retired Staff)
Are the icons still disappearing on boot ?

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    • Do you want to skip supplementary searches?
      click NO
  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

#11
Essexboy (GeekU Moderator, Retired Staff)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.