Admin OK'd starting new thread. I would take the time to clean it up later but don't want to bounce forward again.
Original thread by truthintaxation2
For RKinner or anyone who can direct me to a site to learn about this new Java exploit: please PM.
PM Thisstinks to RKinner
I am Jim, the one with the thread you are helping with. I cannot log in to geekstogo; it always says you are a new user, so first I was Truthintaxation, then truthintaxation2, then 3, and now I have created this account to get on. I can't even contact support because it says Akismet thinks you are spam.
Maybe you know what to do, but most likely only support can help. Could you contact support for me so I can get back on the forum? Thank you, thank you.
I tried to reply to the thread under this id but it won't let me, and I don't want to clutter things up with a new thread, but I am going to try to find a login help thread.
In the meantime, for support: please ask them to contact me.
Sent 22 August 2012 - 10:44 PM
POST PM RKinner to Thisstinks
Are you clicking on the Sign In (to the left of the facebook f) and not on the Join Now button?
I have forwarded your message to our admin. As a work around you can send me the logs via PM and I can add them to your topic.
Sent 23 August 2012 - 01:35 AM
POST RKinner to Thisstinks
Admin tells me he thinks malware is interfering with your javascript and suggests you try disabling javascript in your browser.
http://www.mistered..../browsers.shtml
Group: Member Posts: 1 Joined: 22-August 12
Sent 23 August 2012 - 08:11 AM
POST Thisstinks to RKinner
I have disabled javascript but will still send the details now for the next few items via PM. Then I will add some snips when I get back to where I can add some attachments.
1. Discovered that even though I ran otl.exe as admin and answered affirmatively for all Comodo challenges --- Comodo reports OTL was run in sandbox mode. I have removed otl.exe from the sandbox and defined it as trusted, but will not rerun it until asked to. Appears suspect.
2. Java clear of temp files --- to a layman, appeared fine.
3. TFC ran for 11 full minutes, completed, and asked me to reboot --- appeared fine, but the timing mismatch with your post indicates suspect.
4. Ran Process Explorer, but it is similar to otl.exe: I answered all Comodo challenges affirmatively and it is not sandboxed, but Comodo reports it blocked procexp.exe over 400 times in 17 minutes. The flag is Accessing Memory; the target is Comodo\ComodoInternetSecurity\cmdagent.exe.
Everything shows verified and I will post later --- appears suspect.
5. Disk check: Tools > Error Checking > Check now. Was unable to check box two, recovery.
6. sfc /scannow reported issues.
I apologize, but I need to get to work. I will continue as soon as possible; it may not be for a while as I have some meetings scheduled, so expect about 2 pm EDT. As always, thanks.
RKinner
Malware Expert
Group: Expert Posts: 8,833 Joined: 19-April 05 Location:Orcas Island (Olga, WA) MVP:
Sent 23 August 2012 - 12:27 PM
Comodo is going to have to go. We can't have it blocking the tools. There is nothing wrong with OTL or with procexp. The fact that it is blocking things and sending them to the sandbox shows it is also an anti-virus and not just a firewall. If you need a firewall then use the free Online Armor.
http://www.online-ar...-armor-free.php
I have Comodo exited but not uninstalled; Windows Firewall is on.
MS Security Essentials is off, Lavasoft is on, and there is no point in trying to install Avast until later.
I have uninstalled the Kodak app, accepting the yellow UAC warning on the .msi action.
Reran OTL in quick mode, then realized I ran regular mode last time. The regular mode log follows, but I can post the quick one if you need it. Sorry this is so slow, but I never realized that disabling active Java scripting would affect so many things; just getting around the web has been slow for me.
I will reclear the Java cache, rerun TFC and take a new snapshot of Procexp when you give the OTL OK.
Thanks, Jim
OTL logfile created on: 8/25/2012 12:49:31 AM - Run 4
OTL by OldTimer - Version 3.2.58.1 Folder = C:\Users\Historic Inn\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
5.48 Gb Total Physical Memory | 3.45 Gb Available Physical Memory | 62.90% Memory free
10.95 Gb Paging File | 9.25 Gb Available in Paging File | 84.46% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 451.54 Gb Total Space | 284.26 Gb Free Space | 62.95% Space Free | Partition Type: NTFS
Drive D: | 13.92 Gb Total Space | 1.55 Gb Free Space | 11.16% Space Free | Partition Type: NTFS
Computer Name: HISTORICINN | User Name: Historic Inn | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days
========== Processes (All) ==========
PRC - C:\Users\Historic Inn\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe (Lavasoft Limited)
PRC - C:\Program Files (x86)\Ad-Aware Antivirus\AdAware.exe (Lavasoft Limited)
PRC - C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
PRC - C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe (Microsoft Corp.)
PRC - C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe (GFI Software)
PRC - C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe (Lavasoft)
PRC - C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe (CyberLink)
========== Modules (No Company Name) ==========
========== Win32 Services (SafeList) ==========
SRV:64bit: - (CarboniteService) -- C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe (Carbonite, Inc. (www.carbonite.com))
SRV:64bit: - (Carbonite-Mirror-Image-Svc) -- C:\Program Files\Carbonite\Carbonite Mirror Image\CarboniteMirrorImage.exe (Carbonite)
SRV:64bit: - (NisSrv) -- c:\Program Files\Microsoft Security Client\NisSrv.exe (Microsoft Corporation)
SRV:64bit: - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV:64bit: - (cmdAgent) -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe (COMODO)
SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)
SRV:64bit: - (AMD FUEL Service) -- C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe (Advanced Micro Devices, Inc.)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (Ad-Aware Service) -- C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe (Lavasoft Limited)
SRV - (IconMan_R) -- C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe (Realsil Microelectronics Inc.)
SRV - (BingDesktopUpdate) -- C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe (Microsoft Corp.)
SRV - (HPWMISVC) -- C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe (Hewlett-Packard Development Company, L.P.)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (SBAMSvc) -- C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe (GFI Software)
SRV - (hpCMSrv) -- C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe (Hewlett-Packard Development Company L.P.)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (ACDaemon) -- C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
========== Driver Services (SafeList) ==========
DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek )
DRV:64bit: - (RTL8192Ce) -- C:\Windows\SysNative\drivers\rtl8192ce.sys (Realtek Semiconductor Corporation )
DRV:64bit: - (STHDA) -- C:\Windows\SysNative\drivers\stwrt64.sys (IDT, Inc.)
DRV:64bit: - (RSPCIESTOR) -- C:\Windows\SysNative\drivers\RtsPStor.sys (Realtek Semiconductor Corp.)
DRV:64bit: - (NisDrv) -- C:\Windows\SysNative\drivers\NisDrvWFP.sys (Microsoft Corporation)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (sbhips) -- C:\Windows\SysNative\drivers\sbhips.sys (GFI Software)
DRV:64bit: - (sbapifs) -- C:\Windows\SysNative\drivers\sbapifs.sys (GFI Software)
DRV:64bit: - (SBRE) -- C:\Windows\SysNative\drivers\sbredrv.sys (GFI Software)
DRV:64bit: - (SynTP) -- C:\Windows\SysNative\drivers\SynTP.sys (Synaptics Incorporated)
DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (amd_sata) -- C:\Windows\SysNative\drivers\amd_sata.sys (Advanced Micro Devices)
DRV:64bit: - (amd_xata) -- C:\Windows\SysNative\drivers\amd_xata.sys (Advanced Micro Devices)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (sdbus) -- C:\Windows\SysNative\drivers\sdbus.sys (Microsoft Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (TsUsbGD) -- C:\Windows\SysNative\drivers\TsUsbGD.sys (Microsoft Corporation)
DRV:64bit: - (AtiHDAudioService) -- C:\Windows\SysNative\drivers\AtihdW76.sys (Advanced Micro Devices)
DRV:64bit: - (pbfilter) -- C:\Program Files\PeerBlock\pbfilter.sys ()
DRV:64bit: - (clwvd) -- C:\Windows\SysNative\drivers\clwvd.sys (CyberLink Corporation)
DRV:64bit: - (amdiox64) -- C:\Windows\SysNative\drivers\amdiox64.sys (Advanced Micro Devices)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (SrvHsfV92) -- C:\Windows\SysNative\drivers\VSTDPV6.SYS (Conexant Systems, Inc.)
DRV:64bit: - (SrvHsfWinac) -- C:\Windows\SysNative\drivers\VSTCNXT6.SYS (Conexant Systems, Inc.)
DRV:64bit: - (SrvHsfHDA) -- C:\Windows\SysNative\drivers\VSTAZL6.SYS (Conexant Systems, Inc.)
DRV:64bit: - (NVENETFD) -- C:\Windows\SysNative\drivers\nvm62x64.sys (NVIDIA Corporation)
DRV:64bit: - (BCM43XX) -- C:\Windows\SysNative\drivers\BCMWL664.SYS (Broadcom Corporation)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (SBRE) -- C:\Windows\SysWOW64\drivers\SBREDrv.sys (GFI Software)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
========== Standard Registry (All) ==========
========== Internet Explorer ==========
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 07 12 42 CD DD 3C CD 01 [binary data]
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\SysWOW64\ieframe.dll (Microsoft Corporation)
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - user.js - File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.6.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.6.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 14.0\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2012/05/18 23:35:16 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 14.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins
[2012/04/07 09:20:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Historic Inn\AppData\Roaming\mozilla\Extensions
[2012/05/03 09:39:12 | 000,564,732 | ---- | M] () (No name found) -- C:\USERS\HISTORIC INN\APPDATA\ROAMING\THUNDERBIRD\PROFILES\Z4Y0VCJ6.DEFAULT\EXTENSIONS\[email protected]
O1 HOSTS File: ([2009/06/10 17:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (LastPass Browser Helper Object) - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPBar64.dll (LastPass)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (LastPass Vault) - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar.dll ()
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3:64bit: - HKLM\..\Toolbar: (LastPass Toolbar) - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPBar64.dll (LastPass)
O3 - HKLM\..\Toolbar: (LastPass Toolbar) - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll ()
O4:64bit: - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Ad-Aware Antivirus] C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher.exe (Lavasoft Limited)
O4 - HKLM..\Run: [Ad-Aware Browsing Protection] C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe (Lavasoft)
O4 - HKLM..\Run: [Carbonite Backup] C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
O4 - HKCU..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe (PeerBlock, LLC)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceActiveDesktopOn = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O8:64bit: - Extra context menu item: LastPass - file://C:\Users\Historic Inn\AppData\LocalLow\LastPass\context.html?cmd=lastpass File not found
O8:64bit: - Extra context menu item: LastPass Fill Forms - file://C:\Users\Historic Inn\AppData\LocalLow\LastPass\context.html?cmd=fillforms File not found
O8 - Extra context menu item: LastPass - file://C:\Users\Historic Inn\AppData\LocalLow\LastPass\context.html?cmd=lastpass File not found
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Users\Historic Inn\AppData\LocalLow\LastPass\context.html?cmd=fillforms File not found
O9:64bit: - Extra Button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPBar64.dll (LastPass)
O9:64bit: - Extra 'Tools' menuitem : LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPBar64.dll (LastPass)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPToolbar.dll ()
O9 - Extra 'Tools' menuitem : LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPToolbar.dll ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files (x86)\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000001 [] - C:\Windows\SysNative\nlaapi.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000002 [] - C:\Windows\SysNative\NapiNSP.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000003 [] - C:\Windows\SysNative\pnrpnsp.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000004 [] - C:\Windows\SysNative\pnrpnsp.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000005 [] - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000006 [] - C:\Windows\SysNative\winrnr.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000001 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000002 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000003 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000004 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000005 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000006 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000007 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000008 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000009 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000010 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\SysWOW64\nlaapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\SysWOW64\NapiNSP.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\SysWOW64\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\SysWOW64\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Windows\SysWOW64\winrnr.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: localhost ([]* in Local intranet)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{579B1970-7426-4C37-A8E1-C2AC490679A1}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\SysNative\MSVidCtl.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysNative\itss.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\SysNative\inetcomm.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysNative\itss.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\SysNative\MSVidCtl.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\SysWOW64\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysWOW64\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\SysWOW64\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files (x86)\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysWOW64\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\SysWOW64\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysNative\mscoree.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysNative\mscoree.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysNative\mscoree.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysWow64\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysWow64\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysWow64\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20:64bit: - AppInit_DLLs: (C:\Windows\system32\guard64.dll) - C:\Windows\SysNative\guard64.dll (COMODO)
O20 - AppInit_DLLs: (C:\Windows\SysWOW64\guard32.dll) - C:\Windows\SysWOW64\guard32.dll (COMODO)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O29:64bit: - HKLM SecurityProviders - (credssp.dll) - C:\Windows\SysWow64\credssp.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (credssp.dll) - C:\Windows\SysWow64\credssp.dll (Microsoft Corporation)
O30:64bit: - LSA: Authentication Packages - (msv1_0) - C:\Windows\SysNative\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\Windows\SysWow64\msv1_0.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (kerberos) - C:\Windows\SysNative\kerberos.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (msv1_0) - C:\Windows\SysNative\msv1_0.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (schannel) - C:\Windows\SysNative\schannel.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (wdigest) - C:\Windows\SysNative\wdigest.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (tspkg) - C:\Windows\SysNative\tspkg.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (pku2u) - C:\Windows\SysNative\pku2u.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\Windows\SysWow64\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\Windows\SysWow64\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\Windows\SysWow64\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\Windows\SysWow64\wdigest.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (tspkg) - C:\Windows\SysWow64\tspkg.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\SysWow64\pku2u.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{0a64e065-a0ea-11e1-b1f0-2c27d7e76de4}\Shell - "" = AutoRun
O33 - MountPoints2\{0a64e065-a0ea-11e1-b1f0-2c27d7e76de4}\Shell\AutoRun\command - "" = G:\KODAK_Camera_Setup_App.exe
O33 - MountPoints2\{7ae31c37-b618-11e1-866d-f7233a4f0e6b}\Shell - "" = AutoRun
O33 - MountPoints2\{7ae31c37-b618-11e1-866d-f7233a4f0e6b}\Shell\AutoRun\command - "" = F:\KODAK_Camera_Setup_App.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
========== Files/Folders - Created Within 30 Days ==========
[2012/08/22 20:30:10 | 002,691,192 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Users\Historic Inn\Desktop\procexp.exe
[2012/08/22 09:01:25 | 000,448,512 | ---- | C] (OldTimer Tools) -- C:\Users\Historic Inn\Desktop\TFC.exe
[2012/08/22 00:45:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2012/08/22 00:44:52 | 000,821,736 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\npDeployJava1.dll
[2012/08/22 00:44:52 | 000,246,760 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe
[2012/08/22 00:44:38 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2012/08/22 00:44:38 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2012/08/22 00:44:38 | 000,095,208 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2012/08/21 04:11:42 | 000,751,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\win32spl.dll
[2012/08/21 04:11:42 | 000,492,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\win32spl.dll
[2012/08/21 04:11:42 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\splwow64.exe
[2012/08/21 03:58:41 | 000,503,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\srcore.dll
[2012/08/20 16:28:36 | 000,000,000 | ---D | C] -- C:\Users\Historic Inn\AppData\Local\adaware
[2012/08/20 16:28:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Ad-Aware Browsing Protection
[2012/08/20 16:28:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ad-Aware Antivirus
[2012/08/20 16:28:23 | 000,060,536 | ---- | C] (GFI Software) -- C:\Windows\SysNative\drivers\sbhips.sys
[2012/08/20 16:28:21 | 000,057,976 | ---- | C] (GFI Software) -- C:\Windows\SysNative\drivers\sbredrv.sys
[2012/08/20 16:28:21 | 000,045,936 | ---- | C] (GFI Software) -- C:\Windows\SysNative\sbbd.exe
[2012/08/20 16:28:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2012/08/20 16:28:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Ad-Aware Antivirus
[2012/08/20 16:27:35 | 000,000,000 | ---D | C] -- C:\Users\Historic Inn\AppData\Local\Downloaded Installations
[2012/08/20 16:26:15 | 000,000,000 | ---D | C] -- C:\Users\Historic Inn\AppData\Roaming\Ad-Aware Antivirus
[2012/08/19 21:41:02 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\Historic Inn\Desktop\OTL.exe
[2012/08/14 22:17:40 | 000,956,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\localspl.dll
[2012/08/14 22:11:14 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2012/08/14 22:11:14 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2012/08/14 22:11:13 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2012/08/14 22:11:13 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2012/08/14 22:11:11 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2012/08/14 22:11:11 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2012/08/14 22:11:11 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2012/08/14 22:11:11 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2012/08/14 22:11:10 | 002,312,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2012/08/14 22:11:10 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2012/08/14 22:11:10 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2012/08/14 22:11:08 | 000,816,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2012/08/14 22:11:08 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2012/08/14 22:07:43 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\netapi32.dll
[2012/08/14 22:07:43 | 000,059,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\browcli.dll
[2012/08/14 22:07:42 | 000,041,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\browcli.dll
[2012/08/14 00:28:19 | 000,000,000 | ---D | C] -- C:\Users\Historic Inn\AppData\Local\ElevatedDiagnostics
[2012/08/10 09:08:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2012/07/28 00:25:55 | 000,000,000 | ---D | C] -- C:\ProgramData\HP
[2012/02/27 18:52:20 | 006,221,896 | ---- | C] (LastPass) -- C:\Program Files (x86)\Common Files\lpuninstall.exe
========== Files - Modified Within 30 Days ==========
[2012/08/25 00:50:56 | 002,883,584 | -HS- | M] () -- C:\Users\Historic Inn\ntuser.dat
[2012/08/24 13:59:25 | 000,032,064 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/08/24 13:59:25 | 000,032,064 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/08/24 13:59:20 | 000,001,828 | ---- | M] () -- C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk
[2012/08/24 13:51:35 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2012/08/24 13:50:58 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/08/24 13:50:32 | 116,449,279 | -HS- | M] () -- C:\hiberfil.sys
[2012/08/24 07:17:36 | 002,300,810 | -H-- | M] () -- C:\Users\Historic Inn\AppData\Local\IconCache.db
[2012/08/23 07:35:23 | 000,018,050 | ---- | M] () -- C:\Users\Historic Inn\Desktop\fieewall event gap.PNG
[2012/08/22 22:28:38 | 009,506,816 | ---- | M] () -- C:\Users\Historic Inn\Documents\cleared application log.evtx
[2012/08/22 22:27:45 | 020,975,616 | ---- | M] () -- C:\Users\Historic Inn\Documents\cleared system log.evtx
[2012/08/22 21:54:36 | 000,250,639 | ---- | M] () -- C:\Users\Historic Inn\Desktop\geekstogo.PNG
[2012/08/22 20:30:11 | 002,691,192 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Users\Historic Inn\Desktop\procexp.exe
[2012/08/22 20:12:07 | 000,000,360 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForHistoric Inn.job
[2012/08/22 09:01:26 | 000,448,512 | ---- | M] (OldTimer Tools) -- C:\Users\Historic Inn\Desktop\TFC.exe
[2012/08/22 08:51:42 | 000,233,880 | ---- | M] () -- C:\Users\Historic Inn\Desktop\Comodo blocks 08 21and22 2012.PNG
[2012/08/22 00:56:49 | 000,063,861 | ---- | M] () -- C:\Users\Historic Inn\Desktop\2kodak uninstall.PNG
[2012/08/22 00:56:08 | 000,063,809 | ---- | M] () -- C:\Users\Historic Inn\Desktop\kodak uninstall.PNG
[2012/08/22 00:44:20 | 000,095,208 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2012/08/22 00:44:16 | 000,246,760 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe
[2012/08/22 00:44:16 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2012/08/22 00:44:15 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2012/08/22 00:44:13 | 000,821,736 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\npDeployJava1.dll
[2012/08/21 04:08:10 | 000,335,656 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/08/19 22:01:02 | 136,114,056 | ---- | M] () -- C:\Users\Historic Inn\Desktop\setup_11.0.0.1245.x01_2012_08_20_04_26.exe
[2012/08/19 21:41:18 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Historic Inn\Desktop\OTL.exe
[2012/08/02 10:29:31 | 000,001,069 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/29 10:10:49 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2012/07/29 10:10:49 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
========== Files Created - No Company Name ==========
[2012/08/23 07:35:23 | 000,018,050 | ---- | C] () -- C:\Users\Historic Inn\Desktop\fieewall event gap.PNG
[2012/08/22 22:28:38 | 009,506,816 | ---- | C] () -- C:\Users\Historic Inn\Documents\cleared application log.evtx
[2012/08/22 22:27:44 | 020,975,616 | ---- | C] () -- C:\Users\Historic Inn\Documents\cleared system log.evtx
[2012/08/22 21:54:36 | 000,250,639 | ---- | C] () -- C:\Users\Historic Inn\Desktop\geekstogo.PNG
[2012/08/22 09:14:24 | 002,300,810 | -H-- | C] () -- C:\Users\Historic Inn\AppData\Local\IconCache.db
[2012/08/22 08:51:42 | 000,233,880 | ---- | C] () -- C:\Users\Historic Inn\Desktop\Comodo blocks 08 21and22 2012.PNG
[2012/08/22 00:56:49 | 000,063,861 | ---- | C] () -- C:\Users\Historic Inn\Desktop\2kodak uninstall.PNG
[2012/08/22 00:56:08 | 000,063,809 | ---- | C] () -- C:\Users\Historic Inn\Desktop\kodak uninstall.PNG
[2012/08/20 16:28:28 | 000,001,828 | ---- | C] () -- C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk
[2012/08/19 21:57:59 | 136,114,056 | ---- | C] () -- C:\Users\Historic Inn\Desktop\setup_11.0.0.1245.x01_2012_08_20_04_26.exe
[2012/08/02 10:29:31 | 000,001,069 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/05/26 23:29:48 | 000,524,288 | -HS- | C] () -- C:\Users\Historic Inn\ntuser.dat{bd979e0f-a7a8-11e1-bd93-ee5cfcd27e86}.TMContainer00000000000000000002.regtrans-ms
[2012/05/26 23:29:48 | 000,524,288 | -HS- | C] () -- C:\Users\Historic Inn\ntuser.dat{bd979e0f-a7a8-11e1-bd93-ee5cfcd27e86}.TMContainer00000000000000000001.regtrans-ms
[2012/05/26 23:29:48 | 000,065,536 | -HS- | C] () -- C:\Users\Historic Inn\ntuser.dat{bd979e0f-a7a8-11e1-bd93-ee5cfcd27e86}.TM.blf
[2012/04/04 14:11:40 | 000,540,672 | ---- | C] () -- C:\Windows\SysWow64\TX32.dll
[2012/04/04 14:11:40 | 000,000,478 | ---- | C] () -- C:\Windows\SysWow64\ic32.ini
[2012/04/04 14:11:38 | 000,109,056 | ---- | C] () -- C:\Windows\SysWow64\reg.dll
[2012/02/23 05:59:05 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2012/02/23 05:57:40 | 000,451,072 | ---- | C] () -- C:\Windows\SysWow64\ISSRemoveSP.exe
[2012/02/23 05:53:00 | 000,796,420 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/02/23 03:31:55 | 000,074,008 | ---- | C] () -- C:\Users\Historic Inn\AppData\Local\GDIPFONTCACHEV1.DAT
[2012/02/23 03:29:55 | 002,883,584 | -HS- | C] () -- C:\Users\Historic Inn\ntuser.dat
[2012/02/23 03:29:55 | 000,524,288 | -HS- | C] () -- C:\Users\Historic Inn\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
[2012/02/23 03:29:55 | 000,524,288 | -HS- | C] () -- C:\Users\Historic Inn\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
[2012/02/23 03:29:55 | 000,065,536 | -HS- | C] () -- C:\Users\Historic Inn\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
[2012/02/23 03:29:55 | 000,000,020 | -HS- | C] () -- C:\Users\Historic Inn\ntuser.ini
[2011/03/21 23:56:22 | 000,059,904 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll
[2011/03/17 18:51:46 | 000,003,929 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
========== LOP Check ==========
[2012/08/20 22:19:15 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\Ad-Aware Antivirus
[2012/02/28 21:40:44 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\OpenOffice.org
[2012/02/23 03:31:28 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\Synaptics
[2012/04/07 09:20:48 | 000,000,000 | ---D | M] -- C:\Users\Historic Inn\AppData\Roaming\Thunderbird
[2012/08/23 17:11:43 | 000,032,646 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
========== Purity Check ==========
< End of report >
RKinner
Malware Expert
Group: Expert Posts: 8,833 Joined: 19-April 05 Location:Orcas Island (Olga, WA) MVP:
Sent 25 August 2012 - 02:18 AM
Copy the text in the code box by highlighting and Ctrl + c
:OTL
O33 - MountPoints2\{0a64e065-a0ea-11e1-b1f0-2c27d7e76de4}\Shell - "" = AutoRun
O33 - MountPoints2\{0a64e065-a0ea-11e1-b1f0-2c27d7e76de4}\Shell\AutoRun\command - "" = G:\KODAK_Camera_Setup_App.exe
O33 - MountPoints2\{7ae31c37-b618-11e1-866d-f7233a4f0e6b}\Shell - "" = AutoRun
O33 - MountPoints2\{7ae31c37-b618-11e1-866d-f7233a4f0e6b}\Shell\AutoRun\command - "" = F:\KODAK_Camera_Setup_App.exe
:Commands
[EMPTYFLASH]
[EMPTYJAVA]
[purity]
[Reboot]
Then right-click on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + v) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered, OTL will reboot the PC when it is done.
You need to uninstall Ad-Aware Anti-virus. You should not be running it with Microsoft Security Essentials.
Go on with the other steps from before.
If you are lucky enough to live on Orcas Island you're lucky enough!
thisstinks
New Member
Sent 25 August 2012 - 07:30 PM
The script has G: drive and F: drive, so I want to clarify....
I run an external Seagate Goflex 2Tb hard drive, single drive partitioned.
G: is for the Carbonite mirror image and F: is for docs, photos and video. I disconnected this drive as soon as I thought something was wrong. Just now, I ran the script and it completed in seconds and rebooted. But the external drive was not reconnected.
I am going to reconnect the external drive and rerun OTL. This is just to document what I have done should I have made a mistake that will cause any trouble.
Jim
thisstinks
New Member
Sent 26 August 2012 - 04:17 PM
PS I have uninstalled Comodo firewall and the Ad-Aware scanner. Turned Windows firewall back on but never ran the two simultaneously. I use Ad-Aware for scanning but did not use real-time protection or any other paid features; MS Essentials has been the only real-time protection, or lack thereof.
RKinner
Malware Expert
Sent 26 August 2012 - 07:54 PM
Can you run Process Explorer now that Comodo is not in the way?
If you are lucky enough to live on Orcas Island you're lucky enough!
thisstinks
New Member
Sent 26 August 2012 - 09:35 PM
RKinner, on 26 August 2012 - 07:54 PM, said:
Can you run Process Explorer now that Comodo is not in the way?
The admin PM'd and said a system cleaner might fix the login-being-blocked-by-malware issue. I do not know what it is and have run nothing.
I cannot run the ESET online scanner. I cannot accept the license agreement with active scripting off. If I turn it on I can accept the agreement, but then the downloader window comes up and says Initialization Failed, Cannot Get Update, Is proxy configured?
Here is Processexplorer
Process PID CPU Private Bytes Working Set Description Company Name Verified Signer User Name
System Idle Process 0 91.41 0 K 24 K NT AUTHORITY\SYSTEM
procexp64.exe 3112 4.64 24,548 K 44,556 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com (Verified) Sysinternals HistoricInn\Historic Inn
Interrupts n/a 1.81 0 K 0 K Hardware Interrupts and DPCs
csrss.exe 488 0.55 2,760 K 5,960 K Client Server Runtime Process Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
dwm.exe 2160 0.55 32,544 K 30,020 K Desktop Window Manager Microsoft Corporation (Verified) Microsoft Windows HistoricInn\Historic Inn
System 4 0.40 396 K 1,144 K NT AUTHORITY\SYSTEM
CarboniteUI.exe 2712 0.16 14,076 K 30,336 K Carbonite User Interface Carbonite, Inc. (Verified) Carbonite, Inc HistoricInn\Historic Inn
CarboniteService.exe 1512 0.13 8,952 K 21,596 K Carbonite Secure Backup Engine Carbonite, Inc. (www.carbonite.com) (Verified) Carbonite, Inc NT AUTHORITY\SYSTEM
explorer.exe 2220 0.12 40,944 K 67,544 K Windows Explorer Microsoft Corporation (Verified) Microsoft Windows HistoricInn\Historic Inn
iexplore.exe 396 0.06 121,796 K 133,932 K Internet Explorer Microsoft Corporation (Verified) Microsoft Windows HistoricInn\Historic Inn
MsMpEng.exe 796 0.05 73,416 K 47,012 K Antimalware Service Executable Microsoft Corporation (Verified) Microsoft Corporation NT AUTHORITY\SYSTEM
msseces.exe 2592 0.05 7,244 K 18,532 K Microsoft Security Client User Interface Microsoft Corporation (Verified) Microsoft Corporation HistoricInn\Historic Inn
iexplore.exe 2700 0.01 8,648 K 21,708 K Internet Explorer Microsoft Corporation (Verified) Microsoft Windows HistoricInn\Historic Inn
svchost.exe 904 0.01 9,028 K 15,768 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\LOCAL SERVICE
svchost.exe 284 0.01 33,920 K 54,920 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
peerblock.exe 2644 < 0.01 16,136 K 19,408 K PeerBlock PeerBlock, LLC (Verified) PeerBlock, LLC HistoricInn\Historic Inn
svchost.exe 1084 < 0.01 14,268 K 15,512 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\NETWORK SERVICE
YCMMirage.exe 2884 < 0.01 1,580 K 872 K YouCam Mirage CyberLink (Verified) CyberLink HistoricInn\Historic Inn
services.exe 516 < 0.01 6,132 K 11,680 K Services and Controller app Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
SearchIndexer.exe 2896 < 0.01 24,300 K 17,232 K Microsoft Windows Search Indexer Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
SMSvcHost.exe 1608 < 0.01 33,324 K 23,448 K SMSvcHost.exe Microsoft Corporation (Verified) Microsoft Corporation NT AUTHORITY\LOCAL SERVICE
svchost.exe 1544 < 0.01 7,736 K 25,188 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\LOCAL SERVICE
svchost.exe 660 < 0.01 4,372 K 9,888 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
SearchProtocolHost.exe 3816 < 0.01 2,344 K 7,508 K Microsoft Windows Search Protocol Host Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
svchost.exe 1824 < 0.01 161,656 K 163,500 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
WmiPrvSE.exe 3636 2,608 K 6,004 K WMI Provider Host Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
winlogon.exe 864 3,004 K 7,100 K Windows Logon Application Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
wininit.exe 456 1,480 K 4,356 K Windows Start-Up Application Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
taskhost.exe 1784 3,264 K 7,568 K Host Process for Windows Tasks Microsoft Corporation (Verified) Microsoft Windows HistoricInn\Historic Inn
taskeng.exe 2812 2,024 K 5,744 K Task Scheduler Engine Microsoft Corporation (Verified) Microsoft Windows HistoricInn\Historic Inn
svchost.exe 1004 8,336 K 17,224 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
svchost.exe 1396 10,452 K 14,064 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\LOCAL SERVICE
svchost.exe 972 20,508 K 18,108 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\LOCAL SERVICE
svchost.exe 736 3,972 K 7,808 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\NETWORK SERVICE
svchost.exe 1796 1,776 K 5,392 K Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\LOCAL SERVICE
spoolsv.exe 1368 6,308 K 11,404 K Spooler SubSystem App Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
smss.exe 268 468 K 1,104 K Windows Session Manager Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
SearchFilterHost.exe 3488 1,832 K 4,832 K Microsoft Windows Search Filter Host Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
lsm.exe 544 2,332 K 4,100 K Local Session Manager Service Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
lsass.exe 536 4,352 K 10,916 K Local Security Authority Process Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
FlashUtil32_11_3_300_268_ActiveX.exe 1100 3,132 K 8,136 K Adobe® Flash® Player Installer/Uninstaller 11.3 r300 Adobe Systems Incorporated (Verified) Adobe Systems Incorporated HistoricInn\Historic Inn
dllhost.exe 1256 7,584 K 11,380 K COM Surrogate Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\NETWORK SERVICE
csrss.exe 380 1,980 K 4,316 K Client Server Runtime Process Microsoft Corporation (Verified) Microsoft Windows NT AUTHORITY\SYSTEM
RKinner
Malware Expert
Sent 27 August 2012 - 02:48 AM
Process Explorer looks pretty good. I don't see anything hogging the CPU or anything that looks suspicious. Sometimes you can get ESET to work in Firefox but you have to install their add-on first.
Do you still have a problem?
If you are lucky enough to live on Orcas Island you're lucky enough!
thisstinks
New Member
Sent 27 August 2012 - 11:49 AM
I will cautiously say it looks OK.
I am running the ESET online scan right now and I will see what the results hold.
A few very important questions,
The mirror drive
What happens when I reconnect the Carbonite mirror drive? Should I just reformat the drive and start over? Will even hooking it up to reformat cause reinfection?
Computer B
What about the other computer she was using? Symptoms seem to be the same as this one, should I start a new thread or start at the beginning of your instructions and follow them with a hard stop and contact you if there is any difference?
Computer C
Seems fine, is the ESET online scan my best bet to be sure?
And lastly, where can I go and learn more about how to secure our PCs so that my children cannot do something like this again?
Thank you so very much. I am not lucky enough to live on Orcas Island but I am lucky enough to own an Inn near Monticello that was built by members of Jefferson's family in 1820. We have hosted Thomas Jefferson, Martin Van Buren, Teddy Roosevelt and Franklin Roosevelt. If you are ever out this way to visit Charlottesville there is a room here for you waiting. Jim
RKinner
Malware Expert
Sent 27 August 2012 - 12:31 PM
ESET is one of the best free online scans so if it says you are clean then most likely you are.
Normally Windows has an update that prevents anything from using the autorun.ini file but I don't see it on yours.
There is a program called AutoRun Eater v2.5
http://download.cnet...4-10752777.html
It will stay resident and prevent USB drives from infecting your PC via autorun.inf if you do not have the windows update that removes autorun from everything but CD/DVDs.
Download, Save and Run by Right clicking and Run As Admin.
The other threat is easy to guard against. Do not open the drive using Explorer or Computer until after you have done the following:
Use a Command Window to put a directory called desktop.ini in the root of each drive. Say you have an external drive in F:
Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Type with an Enter after each line:
F:
mkdir \desktop.ini
(you can also do the same for autorun.inf)
mkdir \autorun.inf
Then I would scan the drive with your anti-virus.
In your case I did not see anything really evil so I doubt that your other drives are infected. We should probably cleanup:
We need to cleanup System Restore:
Copy the following:
:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]
Right click on OTL and Run As Administrator. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.
That will get the last of the malware off the system.
You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:
"%userprofile%\Desktop\combofix.exe" /Uninstall
Start, All Programs, Accessories then right click on Command Prompt and Run As Administrator.
then right click, Paste, then hit Enter.
OTL has a cleanup tab if you go there it will remove itself and its logs.
To hide hidden files again (OTL may do it for you):
Vista or Win7
1. Open the Control Panel menu and click Folder Options.
2. After the new window appears select the View tab.
3. Remove the check in the checkbox labeled Display the contents of system folders.
4. Under the Hidden files and folders section select the radio button labeled Do not Show hidden files and folders.
5. Check the checkbox labeled Hide protected operating system files.
6. Press the Apply button and then the OK button and exit My Computer.
Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.
Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.
To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. Exception is MSN messenger which appears to be part of Windows.)
If you get a blocked program notice after installing updatechecker then change it to not run at start then manually run it once a week.
Seems to work best if Firefox is the default browser. You can also try Secunia PSI http://secunia.com/v...l/download_psi/ Same kind of info. You don't need both.
If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/
The free version only blocks 200 ads a day so another reason to use Firefox or Chrome.
If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . You can run it any time that Firefox seems slow.
Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.
If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.
If you could I would prefer to work from a new topic on your other PCs. It's a real pain to work via PMs. If you want to be sure I'll pick it up, put my name in the Subject and send me a PM with the link.
Start off with a custom OTL scan as follows:
Download OTL from
http://www.geekstogo...timers-list-it/
and Save it to your desktop.
Copy the text in the code box:
DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
pnrpnsp.dll
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
user32.dll
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT
Run OTL (Vista or Win 7 => right click and Run As Administrator)
Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes
Select the All option in the Extra Registry group then Run Scan.
You should get two logs. Please copy and paste both of them.
Ron
If you are lucky enough to live on Orcas Island you're lucky enough!
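The /md5start block in the OTL script above asks the tool to hash a fixed list of system binaries so the values can be compared with a known-clean machine. The same information can be collected by hand in PowerShell, together with the Authenticode status of each file. The block below is an added example for readers of this thread, not OTL's output and not code from any poster; it assumes a Windows host with PowerShell 4.0 or later (Get-FileHash) and uses the file list from the scan above, which you can extend.

```powershell
# Added example (not from the thread, not OTL's own code): hash and signature-check
# the binaries in the OTL /md5start list so the values can be compared with a clean
# machine. Assumes Windows with PowerShell 4.0 or later for Get-FileHash.
$names = 'pnrpnsp.dll','nwprovau.dll','nlaapi.dll','napinsp.dll','mswsock.dll',
         'winrnr.dll','wshelper.dll','services.exe','atapi.sys','explorer.exe',
         'winlogon.exe','Userinit.exe','svchost.exe','csrss.exe',
         'PrintIsolationHost.exe','consrv.dll','user32.dll'

# Look in the usual places. A second copy of, say, svchost.exe outside System32
# is itself worth a look, which is why more than one directory is searched.
$roots = "$env:SystemRoot\System32",
         "$env:SystemRoot\System32\drivers",
         "$env:SystemRoot\SysWOW64",
         "$env:SystemRoot"

$results = foreach ($root in $roots) {
    foreach ($name in $names) {
        $path = Join-Path $root $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Path      = $path
            Size      = (Get-Item -LiteralPath $path).Length
            MD5       = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
            SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            SigStatus = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# Files without a valid signature sort to the top; everything is still listed so
# the MD5/SHA256 columns can be compared against a known-clean machine.
$results | Sort-Object SigStatus, Path | Format-Table Path, Size, SigStatus, MD5 -AutoSize
```

Two caveats before reading the output as a verdict. Many Windows system files are signed through a catalog rather than with an embedded signature, so on Windows 7 a status of NotSigned on its own is expected for several of these files; the hash comparison against a clean machine is the real check. And the hashes come from the live, possibly infected system: a rootkit that hooks file access can return clean bytes for a modified file, which is why OTL also has the /lockedfiles switches and why a scan from boot media is the stronger test.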
thisstinks
Sent 28 August 2012 - 05:05 PM
FOUND IT! Note the little "c".
Autorun Eater finds "c:\\ProgramFiles\MicrosoftSecurityclient\msseces.exe" -hide -runkey
and says this is not a valid file.
MSE report says:
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\Program Files\Microsoft Security Client\MpCmdRun.exe" -UnregisterWSC -InstallPath "c:\Program Files\Microsoft Security Client\\"
Start Time: Tue Aug 28 2012 16:23:25
INFO: IWscASStatus::Unregister() Succeeded
INFO: IWscAVStatus::Unregister() Succeeded
INFO: RunCommandUnregisterWSC() Succeeded 0
MpCmdRun: End Time: Tue Aug 28 2012 16:23:25
-------------------------------------------------------------------------------------
Went to CCleaner and removed the startup line = "c:\Program Files\Microsoft Security Client\MpCmdRun.exe"
Then I rebooted and it was normal fast instead of dog slow. Now I am running MS Essentials, then I will run the ESET online scan.
What is the next step?
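The entry quoted above is the kind of thing a startup audit should catch: a Run-key value whose command line points at a path that does not exist (a doubled backslash after the drive letter and the spaces missing from "Program Files" and "Microsoft Security Client"). The block below is an added example, not code from Autorun Eater, CCleaner or any poster in this thread; it lists the Run/RunOnce values for the machine and the current user, extracts the program path from each command line, and flags entries whose file cannot be found or whose path contains a doubled backslash. It assumes a Windows host with PowerShell 3.0 or later; the function name is this example's own.

```powershell
# Added example (not from the thread or from Autorun Eater): audit Run/RunOnce
# autostart entries for executables that cannot be found. Assumes Windows with
# PowerShell 3.0 or later; Get-AutorunExecutable is a name chosen for this example.
function Get-AutorunExecutable {
    # Pull the program path out of a Run-key command line. A quoted path is taken
    # up to the closing quote; an unquoted one is grown one space-separated token
    # at a time until it resolves to a file, which handles "C:\Program Files\x.exe arg".
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    $tokens = $cmd -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]    # nothing resolved; report the first token as-is
}

$keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

# Properties Get-ItemProperty adds about the key itself, not registry values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$report = foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        $exe = Get-AutorunExecutable ([string]$p.Value)
        [pscustomobject]@{
            Key     = $key
            Name    = $p.Name
            Command = $p.Value
            Exe     = $exe
            Exists  = Test-Path -LiteralPath $exe -PathType Leaf
            # A doubled backslash is the give-away in the "c:\\ProgramFiles\..." entry
            # above; the regex needs four backslashes to match two literal ones.
            DoubleBackslash = ([string]$p.Value -match '\\\\')
        }
    }
}

# Show only the entries that need a second look; drop the Where-Object to see all.
$report | Where-Object { -not $_.Exists -or $_.DoubleBackslash } |
    Format-List Key, Name, Command, Exe, Exists, DoubleBackslash
```

This covers only the Run and RunOnce keys, which is where the quoted entry lives; services, Winlogon, scheduled tasks and the SafeBoot keys that Silent Runners and the OTL script also inspect are separate launch points and are not read here. Like the earlier hash check, it reads the registry through the running system, so a rootkit that filters registry queries can hide an entry from it as easily as from the built-in tools.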
thisstinks
Sent 28 August 2012 - 06:11 PM
Autorun Eater has found the little "c" command on all three computers so clearly all three have been compromised by this. I will let ESET finish but cannot be sure that anything I am doing is actually having an effect since Essentials is compromised.
Silent Runners reports this on all three:
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
CarboniteService, CarboniteService, "C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe" [Carbonite, Inc. (www.carbonite.com)]
Microsoft Antimalware Service, MsMpSvc, "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [MS]
Net.Tcp Port Sharing Service, NetTcpPortSharing, C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [MS]
Safe Mode Drivers & Services (subkey name, subkey default value):
-----------------------------------------------------------------
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\
<<!>> MsMpSvc, Service
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\
<<!>> MsMpSvc, Service
---------- (launch time: 2012-08-28 15:24:28)
<<!>>: Suspicious data at a malware launch point.
Edited by thisstinks, 30 August 2012 - 03:57 PM.