Google redirect after File Recovery trojan - have tried the How to art


  • This topic is locked This topic is locked

#1 MikeyTexas
Member, 17 posts

Hi there - and thank you in advance for the work you do here.

I contracted some malware on a site yesterday that shot a lot of pop-up windows, then restarted my computer after closing Firefox. Then it would pop up the fake program File Recovery.

I was running MSE at the time, but have since scanned and removed many infected files first with Adaware, and then with Malwarebytes. I still continue to get redirects on Google from both Firefox and Internet Explorer.

Before starting this post, I was trying to go through the steps of the How to Fix Google Redirects post, and I was able to run OTM and GooredFix successfully. I am unable to get TDSSKiller to launch, even as administrator. I also downloaded it directly from Kaspersky just to double-check that.

I am including the OTL.txt below - and thank you again.

-Michael

OTL logfile created on: 09/13/2012 3:53:34 PM - Run 2
OTL by OldTimer - Version 3.2.61.3 Folder = C:\Users\Michael Grantham\Desktop
Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19298)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yyyy

3.24 Gb Total Physical Memory | 2.12 Gb Available Physical Memory | 65.34% Memory free
6.67 Gb Paging File | 5.56 Gb Available in Paging File | 83.41% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.03 Gb Total Space | 167.73 Gb Free Space | 56.28% Space Free | Partition Type: NTFS
Drive D: | 4.04 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: DELL | User Name: Michael Grantham | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/13 14:40:32 | 000,600,064 | ---- | M] (OldTimer Tools) -- C:\Users\Michael Grantham\Desktop\OTL.exe
PRC - [2012/09/07 17:04:46 | 000,399,432 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012/08/24 06:48:16 | 000,035,304 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jp2launcher.exe
PRC - [2012/08/24 06:48:09 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\java.exe
PRC - [2012/07/19 07:09:22 | 000,186,832 | ---- | M] (Google Inc.) -- C:\Users\Michael Grantham\AppData\Local\Google\Update\1.3.21.115\GoogleCrashHandler.exe
PRC - [2012/07/12 15:39:35 | 000,186,832 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\1.3.21.115\GoogleCrashHandler.exe
PRC - [2012/05/09 11:53:46 | 000,201,112 | ---- | M] (Lavasoft) -- C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
PRC - [2012/04/09 07:59:46 | 000,670,792 | ---- | M] (Juniper Networks) -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
PRC - [2012/02/23 12:30:40 | 000,059,240 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
PRC - [2011/08/25 18:53:00 | 000,013,672 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
PRC - [2011/07/19 08:58:50 | 000,862,032 | R--- | M] (Storage Appliance Corp.) -- C:\ProgramData\OfficeGuardianV2N35\Reminder\SacReminder.exe
PRC - [2011/07/19 08:58:49 | 000,163,664 | R--- | M] (Storage Appliance Corporation) -- C:\ProgramData\OfficeGuardianV2N35\Reminder\SacNetAgent.exe
PRC - [2011/07/19 08:58:49 | 000,083,792 | R--- | M] (Storage Appliance Corp.) -- C:\ProgramData\OfficeGuardianV2N35\UACProxy.exe
PRC - [2011/03/25 22:32:40 | 000,249,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE
PRC - [2010/11/11 13:31:54 | 000,334,448 | ---- | M] (VMware, Inc.) -- C:\Windows\System32\vmnetdhcp.exe
PRC - [2010/11/11 13:31:50 | 000,404,080 | ---- | M] (VMware, Inc.) -- C:\Windows\System32\vmnat.exe
PRC - [2010/11/11 13:31:36 | 000,064,112 | ---- | M] (VMware, Inc.) -- C:\Program Files\VMware\VMware Player\hqtray.exe
PRC - [2010/11/11 13:30:44 | 000,113,264 | ---- | M] (VMware, Inc.) -- C:\Program Files\VMware\VMware Player\vmware-authd.exe
PRC - [2010/11/11 12:31:44 | 000,539,248 | ---- | M] (VMware, Inc.) -- C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
PRC - [2010/07/21 20:17:20 | 000,069,632 | ---- | M] () -- C:\Program Files\WatchGuard\WatchGuard Mobile VPN with SSL\wgsslvpnsrc.exe
PRC - [2009/05/21 12:14:02 | 001,025,264 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\gs_agent\dsc.exe
PRC - [2009/05/21 12:13:58 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2009/04/11 01:28:15 | 000,117,248 | ---- | M] () -- \\?\C:\Windows\System32\wbem\WMIADAP.EXE
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/02/25 19:06:42 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/08/14 01:04:44 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/01/17 07:22:20 | 004,907,008 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/12/05 06:17:24 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AERTSrv.exe
PRC - [2007/05/23 21:02:36 | 000,139,264 | ---- | M] (Primax Electronics Ltd.) -- C:\Windows\System32\pmxmiced.exe
PRC - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/11/08 16:01:54 | 000,049,152 | ---- | M] (Primax Electronics Ltd.) -- C:\Windows\System32\ico.exe


========== Modules (No Company Name) ==========

MOD - [2012/08/24 06:48:16 | 000,184,808 | ---- | M] () -- C:\Program Files\Java\jre7\bin\jp2iexp.dll
MOD - [2012/08/24 06:48:16 | 000,015,848 | ---- | M] () -- C:\Program Files\Java\jre7\bin\jp2native.dll
MOD - [2012/05/09 05:55:06 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\3b7181bb19dd5dd74cd063f0312cdf57\System.Xml.ni.dll
MOD - [2012/05/09 05:52:55 | 007,953,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\28d633338fc8d29f8af31935ef7d001b\System.ni.dll
MOD - [2012/05/09 05:52:40 | 011,492,352 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\af9c9e9d7e0523cd444f8b551baa9cbf\mscorlib.ni.dll
MOD - [2011/06/24 22:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/06/24 22:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2010/11/11 13:31:14 | 000,068,720 | ---- | M] () -- C:\Program Files\VMware\VMware Player\zlib1.dll
MOD - [2010/11/11 13:31:00 | 000,970,352 | ---- | M] () -- C:\Program Files\VMware\VMware Player\libxml2.dll


========== Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/09/07 17:04:46 | 000,676,936 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/09/07 17:04:46 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012/09/05 20:26:40 | 000,114,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/04/09 07:59:46 | 000,670,792 | ---- | M] (Juniper Networks) [Auto | Running] -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe -- (dsNcService)
SRV - [2011/09/07 11:52:46 | 002,646,020 | ---- | M] (NCH Software) [On_Demand | Stopped] -- C:\Program Files\NCH Software\ExpressAccounts\expressaccounts.exe -- (ExpressAccountsService)
SRV - [2011/08/25 18:53:00 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe -- (IntuitUpdateServiceV4)
SRV - [2011/07/19 08:58:49 | 000,163,664 | R--- | M] (Storage Appliance Corporation) [Auto | Running] -- C:\ProgramData\OfficeGuardianV2N35\Reminder\SacNetAgent.exe -- (SacNetAgentService_C57C4F854F53)
SRV - [2011/07/19 08:58:49 | 000,083,792 | R--- | M] (Storage Appliance Corp.) [Auto | Running] -- C:\ProgramData\OfficeGuardianV2N35\UACProxy.exe -- (CFUACProxy_officeguardianv2n35)
SRV - [2011/05/06 11:03:10 | 000,191,752 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/03/25 22:32:40 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (SeaPort)
SRV - [2010/11/11 13:31:54 | 000,334,448 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Windows\System32\vmnetdhcp.exe -- (VMnetDHCP)
SRV - [2010/11/11 13:31:50 | 000,404,080 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Windows\System32\vmnat.exe -- (VMware NAT Service)
SRV - [2010/11/11 13:30:44 | 000,113,264 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Program Files\VMware\VMware Player\vmware-authd.exe -- (VMAuthdService)
SRV - [2010/11/11 12:31:44 | 000,539,248 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe -- (VMUSBArbService)
SRV - [2010/08/19 13:57:14 | 000,191,024 | ---- | M] (VMware, Inc.) [On_Demand | Stopped] -- C:\Program Files\VMware\VMware Player\vmware-ufad.exe -- (ufad-ws60)
SRV - [2010/07/21 20:17:20 | 000,069,632 | ---- | M] () [Auto | Running] -- C:\Program Files\WatchGuard\WatchGuard Mobile VPN with SSL\wgsslvpnsrc.exe -- (wgsslvpnsrc)
SRV - [2009/02/25 19:06:42 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008/12/03 19:06:57 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/08/14 01:04:44 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter)
SRV - [2007/12/05 06:17:24 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AERTSrv.exe -- (AERTFilters)
SRV - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\SBREdrv.sys -- (SBRE)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [File_System | On_Demand | Stopped] -- C:\Windows\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - [2012/04/09 07:27:18 | 000,026,624 | ---- | M] (Juniper Networks) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\dsNcAdpt.sys -- (dsNcAdpt)
DRV - [2011/12/23 07:12:12 | 000,064,512 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\System32\drivers\Lbd.sys -- (Lbd)
DRV - [2010/11/11 13:32:10 | 000,070,768 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\vmci.sys -- (vmci)
DRV - [2010/11/11 13:32:08 | 000,854,128 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\vmx86.sys -- (vmx86)
DRV - [2010/11/11 13:30:34 | 000,024,688 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VMkbd.sys -- (vmkbd)
DRV - [2010/11/11 13:29:26 | 000,026,352 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\vmnetuserif.sys -- (VMnetuserif)
DRV - [2010/11/11 12:31:28 | 000,032,368 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\hcmon.sys -- (hcmon)
DRV - [2010/11/11 10:04:52 | 000,036,400 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\vmnetbridge.sys -- (VMnetBridge)
DRV - [2010/11/11 10:04:52 | 000,016,560 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vmnetadapter.sys -- (VMnetAdapter)
DRV - [2010/08/19 13:56:38 | 000,022,448 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Program Files\VMware\VMware Player\vstor2-ws60.sys -- (vstor2-ws60)
DRV - [2010/07/21 20:17:06 | 000,026,112 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tap0901.sys -- (tap0901)
DRV - [2010/07/14 12:51:56 | 000,065,584 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\ctxusbm.sys -- (ctxusbm)
DRV - [2010/03/13 12:58:52 | 000,087,536 | ---- | M] (CyberLink Corp.) [2010/04/26 07:31:40] [Kernel | Auto | Running] -- C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl -- ({1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC})
DRV - [2010/02/22 02:44:08 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2008/02/27 13:49:00 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\drivers\BANTExt.sys -- (BANTExt)
DRV - [2008/01/20 21:21:33 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express)
DRV - [2007/10/03 15:20:32 | 000,063,008 | ---- | M] (Juniper Networks) [Kernel | System | Running] -- C:\Windows\System32\drivers\NEOFLTR_550_12129.sys -- (NEOFLTR_550_12129)
DRV - [2007/06/01 13:41:00 | 000,018,432 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pmxmouse.sys -- (pmxmouse)
DRV - [2007/05/24 16:56:00 | 000,014,336 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pmxusblf.sys -- (pmxusblf)
DRV - [2007/02/03 10:25:56 | 001,075,360 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Camdrl.sys -- (CamDrL)
DRV - [2002/06/10 14:24:22 | 000,188,592 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lvvi500a.sys -- (LVVI500A)
DRV - [2002/06/10 14:21:02 | 000,010,254 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LVBulk.sys -- (LVBulk)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4081204
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co...html?channel=us
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4081204
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co...html?channel=us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co...html?channel=us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://camsmd.com/admin/ [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 50 7B 91 B3 17 EC CB 01 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost;*.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.defaulturl: "http://www.bing.com/...TDF&PC=BBSR&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://camsmd.com/ad.../?shva=1#inbox"
FF - prefs.js..extensions.enabledAddons: [email protected]:1.8
FF - prefs.js..extensions.enabledAddons: [email protected]:1.9.3
FF - prefs.js..extensions.enabledAddons: [email protected]:2.15
FF - prefs.js..extensions.enabledAddons: {c45c406e-ab73-11d8-be73-000a95be3b12}:1.1.9
FF - prefs.js..extensions.enabledAddons: {e968fc70-8f95-4ab9-9e79-304de2a71ee1}:0.7.3
FF - prefs.js..extensions.enabledAddons: [email protected]:3.55
FF - prefs.js..extensions.enabledItems: [email protected]:3.1.4
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}:5.0.17
FF - prefs.js..extensions.enabledItems: {c45c406e-ab73-11d8-be73-000a95be3b12}:1.1.9
FF - prefs.js..extensions.enabledItems: qrptoolbar@leapforceathome:1.83
FF - prefs.js..keyword.URL: "http://www.bing.com/...TDF&PC=BBSR&q="


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_268.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.6.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.6.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/VirtualEarth3D,version=4.0: C:\Program Files\Virtual Earth 3D\ [2011/09/24 17:55:09 | 000,000,000 | ---D | M]
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@sun.com/npsopluginmi;version=1.0: C:\Program Files\OpenOffice.org 3\program [2012/06/11 06:47:47 | 000,000,000 | ---D | M]
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\[email protected]/YahooActiveXPluginBridge;version=1.0.0.1: C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll (Yahoo! Inc.)
FF - HKCU\Software\MozillaPlugins\@livecode.runrev.com/LiveCode Player;version=1: C:\Users\Michael Grantham\AppData\Local\RunRev\Components\LiveCodePlayer\9\nplcplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Michael Grantham\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Michael Grantham\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Michael Grantham\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/09/13 07:56:08 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/09/03 10:28:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 6.0.2\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/12/04 15:20:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 6.0.2\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Thunderbird 12.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/12/04 15:20:57 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Thunderbird 12.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2011/09/24 18:09:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Michael Grantham\AppData\Roaming\Mozilla\Extensions
[2011/05/06 10:02:58 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Michael Grantham\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2012/09/13 07:56:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Michael Grantham\AppData\Roaming\Mozilla\Firefox\Profiles\hpyoio3j.default\extensions
[2012/09/13 07:56:03 | 000,000,000 | ---D | M] (Ad-Aware Security Toolbar) -- C:\Users\Michael Grantham\AppData\Roaming\Mozilla\Firefox\Profiles\hpyoio3j.default\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
[2011/09/24 18:09:05 | 000,000,000 | ---D | M] (Web Developer) -- C:\Users\Michael Grantham\AppData\Roaming\Mozilla\Firefox\Profiles\hpyoio3j.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2012/09/13 07:56:04 | 000,000,000 | ---D | M] (Lavasoft Search Plugin) -- C:\Users\Michael Grantham\AppData\Roaming\Mozilla\Firefox\Profiles\hpyoio3j.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack
[2012/03/09 14:34:43 | 000,000,000 | ---D | M] (Leapforce - Search Engine Evaluator Toolbar) -- C:\Users\Michael Grantham\AppData\Roaming\Mozilla\Firefox\Profiles\hpyoio3j.default\extensions\qrptoolbar@leapforceathome(184).com
[2012/09/13 06:24:28 | 000,000,000 | ---D | M] (Leapforce - Search Engine Evaluator Toolbar) -- C:\Users\Michael Grantham\AppData\Roaming\Mozilla\Firefox\Profiles\hpyoio3j.default\extensions\[email protected]
[2012/07/29 08:31:28 | 000,005,582 | ---- | M] () (No name found) -- C:\Users\Michael Grantham\AppData\Roaming\Mozilla\Firefox\Profiles\hpyoio3j.default\extensions\[email protected]
[2012/06/01 07:58:03 | 000,617,362 | ---- | M] () (No name found) -- C:\Users\Michael Grantham\AppData\Roaming\Mozilla\Firefox\Profiles\hpyoio3j.default\extensions\[email protected]
[2012/09/11 06:33:21 | 000,335,583 | ---- | M] () (No name found) -- C:\Users\Michael Grantham\AppData\Roaming\Mozilla\Firefox\Profiles\hpyoio3j.default\extensions\[email protected]
[2012/05/04 13:19:53 | 000,344,888 | ---- | M] () (No name found) -- C:\Users\Michael Grantham\AppData\Roaming\Mozilla\Firefox\Profiles\hpyoio3j.default\extensions\[email protected]
[2011/11/14 22:43:31 | 000,042,336 | ---- | M] () (No name found) -- C:\Users\Michael Grantham\AppData\Roaming\Mozilla\Firefox\Profiles\hpyoio3j.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}.xpi
[2011/01/16 11:06:42 | 000,001,832 | ---- | M] () -- C:\Users\Michael Grantham\AppData\Roaming\Mozilla\Firefox\Profiles\hpyoio3j.default\searchplugins\bing.xml
[2012/09/12 10:14:04 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/09/05 20:27:05 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/10/12 16:33:32 | 000,124,344 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\CCMSDK.dll
[2010/10/12 16:37:06 | 000,070,592 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\CgpCore.dll
[2010/10/12 16:35:42 | 000,091,576 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\confmgr.dll
[2010/10/12 16:34:56 | 000,022,464 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\ctxlogging.dll
[2009/11/20 15:05:31 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2010/10/12 18:16:54 | 000,484,768 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npicaN.dll
[2009/11/20 15:05:32 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
[2007/03/09 18:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\mozilla firefox\plugins\npyaxmpb.dll
[2010/10/12 16:37:02 | 000,024,000 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\TcpPServ.dll
[2012/09/05 20:26:22 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/09/05 20:26:22 | 000,002,253 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/09/13 15:05:26 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Ad-Aware Security Toolbar) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll File not found
O3 - HKLM\..\Toolbar: (The Weather Channel Toolbar) - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\Windows\System32\TwcToolbarIe7.dll ()
O3 - HKLM\..\Toolbar: (Ad-Aware Security Toolbar) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O4 - HKLM..\Run: [Ad-Aware Browsing Protection] C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe (Lavasoft)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\Windows\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [ConnectionCenter] C:\Users\Michael Grantham\AppData\Local\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [PMX Daemon] C:\Windows\System32\ico.exe (Primax Electronics Ltd.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SBRegRebootCleaner] "C:\Program Files\Ad-Aware Antivirus\SBRC.exe" File not found
O4 - HKLM..\Run: [VMware hqtray] C:\Program Files\VMware\VMware Player\hqtray.exe (VMware, Inc.)
O4 - HKCU..\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe (Apple Inc.)
O4 - HKCU..\Run: [SacReminderHDDV2N] C:\ProgramData\OfficeGuardianV2N35\Reminder\SacReminder.exe (Storage Appliance Corp.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre7\bin\jp2iexp.dll ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Program Files\Juniper Networks\Secure Application Manager\samnsp.dll (Juniper Networks)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Program Files\Juniper Networks\Secure Application Manager\samnsp.dll (Juniper Networks)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000010 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\VMware\VMware Player\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\VMware\VMware Player\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000030 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000031 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000032 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000033 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000034 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000035 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000036 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000037 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000038 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000039 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000040 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: acddirect.com ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: arise.com ([ns] https in Trusted sites)
O15 - HKCU\..Trusted Domains: callswithoutwalls.com ([training] http in Trusted sites)
O15 - HKCU\..Trusted Domains: callswithoutwalls.com ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: cingularuniversity.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: convergysworkathome.com ([www] * in Trusted sites)
O15 - HKCU\..Trusted Domains: intuit.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: intuit.com ([qtwu1.turbotaxonline] https in Trusted sites)
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O15 - HKCU\..Trusted Domains: penson.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: virtualacd.biz ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: virtualized.biz ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: wireless.att.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Ranges: Range1 ([*] in Trusted sites)
O15 - HKCU\..Trusted Ranges: Range2 ([http] in Trusted sites)
O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} http://www.logitech....Detection32.cab (Device Detection)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {34B453C6-CFE8-4806-B0F0-A0E06FFEBF5E} https://iportal.west...erification.ocx (WAHSystemVerification.axVerify)
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} http://i.dell.com/im...r/SysProExe.cab (Scanner.SysScanner)
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} http://ccfiles.creat...101/CTSUEng.cab (Creative Software AutoUpdate)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1238598588234 (MUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2....re/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Reg Error: Value error.)
O16 - DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} http://www.convergys...om/AppHardT.CAB (WNICheck2 Class)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://javadl-esd.su...indows-i586.cab (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.6.2)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.we...ex/ieatgpc1.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://extranet.int...perSetupSP1.cab (JuniperSetupSP1 Control)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://ns.arise.com...SetupClient.cab (JuniperSetupClientControl Class)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creat...15112/CTPID.cab (Creative Software AutoUpdate Support Package)
O16 - DPF: GCSPlayerAxCab https://gcslearn.par...PlayerAxCab.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{44C90F80-ABBA-45E7-ADA7-34981579C325}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{AD999CEE-11E4-46A7-85EB-AC99863B35DB}: DhcpNameServer = 172.17.5.27 172.17.5.28
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\Michael Grantham\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\Michael Grantham\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\Michael Grantham\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\Michael Grantham\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\Michael Grantham\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\Michael Grantham\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\Michael Grantham\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\Michael Grantham\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\Michael Grantham\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\Michael Grantham\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\Michael Grantham\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\Michael Grantham\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\Michael Grantham\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\Michael Grantham\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\Michael Grantham\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\Michael Grantham\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll) - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O22 - SharedTaskScheduler: {E31004D1-A431-41B8-826F-E902F9D95C81} - Windows DreamScene - C:\Windows\System32\DreamScene.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{b4686217-ee9e-11e1-b25e-00219b0dc07d}\Shell - "" = AutoRun
O33 - MountPoints2\{b4686217-ee9e-11e1-b25e-00219b0dc07d}\Shell\AutoRun\command - "" = F:\StartClickFreeBackup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/09/13 15:33:16 | 002,211,928 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Michael Grantham\Desktop\tdsskiller.exe
[2012/09/13 15:23:11 | 000,000,000 | ---D | C] -- C:\Users\Michael Grantham\Desktop\TDSS Killer
[2012/09/13 15:14:32 | 000,000,000 | ---D | C] -- C:\Users\Michael Grantham\Desktop\GooredFix Backups
[2012/09/13 15:13:29 | 000,071,398 | ---- | C] (jpshortstuff) -- C:\Users\Michael Grantham\Desktop\GooredFix.exe
[2012/09/13 15:05:23 | 000,000,000 | ---D | C] -- C:\_OTM
[2012/09/13 15:03:29 | 000,522,240 | ---- | C] (OldTimer Tools) -- C:\Users\Michael Grantham\Desktop\OTM.exe
[2012/09/13 14:49:41 | 000,000,000 | ---D | C] -- C:\Users\Michael Grantham\Desktop\RegistryBackup
[2012/09/13 14:48:38 | 000,000,000 | ---D | C] -- C:\Users\Michael Grantham\Desktop\erunt
[2012/09/13 14:40:21 | 000,600,064 | ---- | C] (OldTimer Tools) -- C:\Users\Michael Grantham\Desktop\OTL.exe
[2012/09/13 13:52:37 | 000,000,000 | ---D | C] -- C:\Users\Michael Grantham\Desktop\Leapforce
[2012/09/13 13:50:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/09/13 08:12:07 | 000,000,000 | ---D | C] -- C:\Users\Michael Grantham\AppData\Local\adawarebp
[2012/09/13 07:57:53 | 000,000,000 | ---D | C] -- C:\Users\Michael Grantham\AppData\Local\adaware
[2012/09/13 07:57:40 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2012/09/13 07:56:01 | 000,000,000 | ---D | C] -- C:\Program Files\adawaretb
[2012/09/13 07:05:55 | 000,000,000 | ---D | C] -- C:\Program Files\Toolbar Cleaner
[2012/09/12 19:24:34 | 000,000,000 | ---D | C] -- C:\Users\Michael Grantham\AppData\Roaming\Malwarebytes
[2012/09/12 19:24:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/09/12 19:24:22 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/08/29 08:35:32 | 000,000,000 | ---D | C] -- C:\ProgramData\OfficeGuardianV2N35
[2011/07/14 03:13:57 | 000,024,576 | ---- | C] (BackWeb) -- C:\Users\Michael Grantham\AppData\Local\TempIadHide3.dll

========== Files - Modified Within 30 Days ==========

[2012/09/13 15:55:14 | 000,666,678 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/09/13 15:55:14 | 000,129,844 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/09/13 15:53:55 | 000,135,598 | ---- | M] () -- C:\Users\Michael Grantham\wnxvzarqhdvihrdemcgprfqkt.exe
[2012/09/13 15:48:13 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/09/13 15:47:54 | 000,002,000 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/09/13 15:47:54 | 000,002,000 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/09/13 15:47:50 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/09/13 15:47:49 | 3478,310,912 | -HS- | M] () -- C:\hiberfil.sys
[2012/09/13 15:33:20 | 002,211,928 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Michael Grantham\Desktop\tdsskiller.exe
[2012/09/13 15:20:58 | 002,193,184 | ---- | M] () -- C:\Users\Michael Grantham\Desktop\tdsskiller.zip
[2012/09/13 15:14:02 | 000,000,952 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1885834091-318630671-1701898132-1005UA.job
[2012/09/13 15:13:30 | 000,071,398 | ---- | M] (jpshortstuff) -- C:\Users\Michael Grantham\Desktop\GooredFix.exe
[2012/09/13 15:05:26 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2012/09/13 15:03:31 | 000,522,240 | ---- | M] (OldTimer Tools) -- C:\Users\Michael Grantham\Desktop\OTM.exe
[2012/09/13 14:58:44 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/09/13 14:44:12 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/09/13 14:40:32 | 000,600,064 | ---- | M] (OldTimer Tools) -- C:\Users\Michael Grantham\Desktop\OTL.exe
[2012/09/13 14:32:28 | 000,000,444 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{9632FAA5-1B46-4128-8573-82381CD86F88}.job
[2012/09/13 13:54:14 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/09/13 07:51:14 | 000,018,798 | ---- | M] () -- C:\Users\Michael Grantham\sheeomaytnrmqrbgvugtgh.exe
[2012/09/13 06:37:54 | 000,000,050 | RH-- | M] () -- C:\Users\Michael Grantham\Desktop\stinger092012.opt
[2012/09/13 06:24:54 | 000,131,072 | ---- | M] () -- C:\Users\Michael Grantham\Desktop\2012-09-13.rateraide
[2012/09/12 21:06:23 | 000,131,072 | ---- | M] () -- C:\Users\Michael Grantham\Desktop\2012-09-12-3.rateraide
[2012/09/12 20:17:26 | 000,001,356 | ---- | M] () -- C:\Users\Michael Grantham\AppData\Local\d3d9caps.dat
[2012/09/12 19:02:28 | 000,000,368 | ---- | M] () -- C:\ProgramData\83hpnl1wwj9a3o
[2012/09/12 08:38:13 | 000,000,064 | ---- | M] () -- C:\Windows\System32\rp_stats.dat
[2012/09/12 08:38:13 | 000,000,044 | ---- | M] () -- C:\Windows\System32\rp_rules.dat
[2012/09/12 07:14:01 | 000,000,900 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1885834091-318630671-1701898132-1005Core.job
[2012/09/11 21:07:19 | 000,131,072 | ---- | M] () -- C:\Users\Michael Grantham\Desktop\2012-09-11-2.rateraide
[2012/09/11 12:41:00 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2012/09/10 21:01:58 | 000,089,705 | ---- | M] () -- C:\Users\Michael Grantham\Desktop\RaterAide 6.backup
[2012/09/08 13:23:01 | 000,000,284 | ---- | M] () -- C:\Windows\tasks\AppleSoftwareUpdate.job
[2012/09/05 04:24:08 | 000,086,340 | ---- | M] () -- C:\Users\Michael Grantham\Desktop\RaterAide 5.backup
[2012/09/05 04:24:04 | 000,086,340 | ---- | M] () -- C:\Users\Michael Grantham\Desktop\RaterAide 4.backup
[2012/09/04 06:09:51 | 000,086,334 | ---- | M] () -- C:\Users\Michael Grantham\Desktop\RaterAide 3.backup
[2012/09/02 18:37:39 | 000,085,238 | ---- | M] () -- C:\Users\Michael Grantham\Desktop\RaterAide 2.backup
[2012/09/01 20:32:09 | 000,084,452 | ---- | M] () -- C:\Users\Michael Grantham\Desktop\RaterAide.backup
[2012/08/31 17:18:45 | 000,002,093 | ---- | M] () -- C:\Users\Michael Grantham\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/08/29 09:17:51 | 000,000,903 | ---- | M] () -- C:\Users\Michael Grantham\Desktop\Clickfree BackupLink.lnk
[2012/08/16 06:01:26 | 000,317,224 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

========== Files Created - No Company Name ==========

[2012/09/13 15:53:15 | 000,135,598 | ---- | C] () -- C:\Users\Michael Grantham\wnxvzarqhdvihrdemcgprfqkt.exe
[2012/09/13 15:47:49 | 3478,310,912 | -HS- | C] () -- C:\hiberfil.sys
[2012/09/13 15:16:31 | 002,193,184 | ---- | C] () -- C:\Users\Michael Grantham\Desktop\tdsskiller.zip
[2012/09/13 13:50:48 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/09/13 07:51:08 | 000,018,798 | ---- | C] () -- C:\Users\Michael Grantham\sheeomaytnrmqrbgvugtgh.exe
[2012/09/13 06:36:31 | 000,131,072 | ---- | C] () -- C:\Users\Michael Grantham\Desktop\2012-09-13.rateraide
[2012/09/12 21:06:56 | 000,131,072 | ---- | C] () -- C:\Users\Michael Grantham\Desktop\2012-09-12-3.rateraide
[2012/09/12 20:48:18 | 000,000,050 | RH-- | C] () -- C:\Users\Michael Grantham\Desktop\stinger092012.opt
[2012/09/12 18:14:40 | 000,000,368 | ---- | C] () -- C:\ProgramData\83hpnl1wwj9a3o
[2012/09/11 21:08:36 | 000,131,072 | ---- | C] () -- C:\Users\Michael Grantham\Desktop\2012-09-11-2.rateraide
[2012/09/10 21:01:58 | 000,089,705 | ---- | C] () -- C:\Users\Michael Grantham\Desktop\RaterAide 6.backup
[2012/09/05 04:24:08 | 000,086,340 | ---- | C] () -- C:\Users\Michael Grantham\Desktop\RaterAide 5.backup
[2012/09/05 04:24:04 | 000,086,340 | ---- | C] () -- C:\Users\Michael Grantham\Desktop\RaterAide 4.backup
[2012/09/04 06:09:51 | 000,086,334 | ---- | C] () -- C:\Users\Michael Grantham\Desktop\RaterAide 3.backup
[2012/09/02 18:37:39 | 000,085,238 | ---- | C] () -- C:\Users\Michael Grantham\Desktop\RaterAide 2.backup
[2012/09/01 20:32:09 | 000,084,452 | ---- | C] () -- C:\Users\Michael Grantham\Desktop\RaterAide.backup
[2012/08/29 09:17:51 | 000,000,903 | ---- | C] () -- C:\Users\Michael Grantham\Desktop\Clickfree BackupLink.lnk
[2012/06/28 16:53:16 | 000,000,886 | ---- | C] () -- C:\Users\Michael Grantham\.recently-used.xbel
[2012/01/20 14:34:18 | 000,000,064 | ---- | C] () -- C:\Windows\System32\rp_stats.dat
[2012/01/20 14:34:18 | 000,000,044 | ---- | C] () -- C:\Windows\System32\rp_rules.dat
[2012/01/17 14:10:59 | 000,003,982 | ---- | C] () -- C:\ProgramData\cd8a54
[2012/01/17 14:10:59 | 000,003,913 | ---- | C] () -- C:\Users\Michael Grantham\AppData\Local\86f34ad2
[2012/01/17 14:10:59 | 000,003,851 | ---- | C] () -- C:\Users\Michael Grantham\AppData\Roaming\c3902a6
[2012/01/17 11:36:00 | 000,008,494 | ---- | C] () -- C:\Users\Michael Grantham\AppData\Roaming\55172e16
[2012/01/17 11:36:00 | 000,008,489 | ---- | C] () -- C:\ProgramData\59e3a6e4
[2012/01/17 11:36:00 | 000,008,420 | ---- | C] () -- C:\Users\Michael Grantham\AppData\Local\dfdd6662
[2011/11/29 12:46:53 | 000,000,590 | ---- | C] () -- C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
[2011/10/04 08:10:23 | 000,135,702 | ---- | C] () -- C:\Windows\hpwins10.dat.osupcopy
[2011/10/04 08:09:28 | 000,136,359 | ---- | C] () -- C:\Windows\hpwins10.dat.temp
[2011/10/04 08:09:28 | 000,001,042 | ---- | C] () -- C:\Windows\hpwmdl10.dat.temp
[2011/10/04 08:08:57 | 000,001,042 | ---- | C] () -- C:\Windows\hpwmdl10.dat
[2011/09/25 08:40:19 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2011/09/25 08:40:19 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2011/09/25 08:39:47 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2011/09/25 08:39:35 | 000,062,976 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2011/09/25 06:30:06 | 000,005,632 | ---- | C] () -- C:\Users\Michael Grantham\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/09/24 19:55:16 | 000,294,912 | ---- | C] () -- C:\Windows\System32\liplW7.dll
[2011/09/24 19:55:16 | 000,290,816 | ---- | C] () -- C:\Windows\System32\liplA6.dll
[2011/09/24 19:55:16 | 000,278,528 | ---- | C] () -- C:\Windows\System32\liplPX.dll
[2011/09/24 19:55:16 | 000,278,528 | ---- | C] () -- C:\Windows\System32\liplP6.dll
[2011/09/24 19:55:16 | 000,278,528 | ---- | C] () -- C:\Windows\System32\liplM6.dll
[2011/09/24 19:55:16 | 000,020,480 | ---- | C] () -- C:\Windows\System32\lipl.dll
[2011/09/24 19:54:48 | 000,005,187 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
[2011/09/24 19:37:16 | 000,001,356 | ---- | C] () -- C:\Users\Michael Grantham\AppData\Local\d3d9caps.dat
[2011/09/24 18:25:18 | 000,022,732 | ---- | C] () -- C:\Windows\System32\emptyregdb.dat
[2011/07/28 19:38:28 | 000,000,664 | ---- | C] () -- C:\Windows\System32\d3d9caps.dat
[2011/07/13 09:14:58 | 000,000,241 | ---- | C] () -- C:\Windows\QSync.INI
[2011/07/13 09:13:50 | 000,000,780 | ---- | C] () -- C:\Windows\_delis32.ini
[2011/07/13 09:12:42 | 000,081,920 | ---- | C] () -- C:\Windows\bwUnin-6.1.4.36-8876480L.exe
[2009/03/23 11:15:57 | 000,044,602 | ---- | C] () -- C:\Users\Michael Grantham\AppData\Roaming\wklnhst.dat

========== LOP Check ==========

[2011/09/24 18:08:20 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\acccore
[2012/07/29 07:40:32 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\Ad-Aware Antivirus
[2011/09/24 18:08:22 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\Avaya
[2011/09/24 18:08:22 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\AVG10
[2011/09/24 18:08:22 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\AVG9
[2011/09/24 18:08:22 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\CoffeeCup Software
[2011/12/23 11:38:13 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\CvgQuickConnect
[2011/09/24 18:08:31 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\DassaultSystemes
[2012/06/28 17:40:29 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\gtk-2.0
[2012/03/10 16:51:06 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\ICAClient
[2012/06/28 16:50:01 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\Image Zone Express
[2012/07/02 09:34:46 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\Juniper Networks
[2011/09/24 18:09:05 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\OpenOffice.org
[2011/09/24 18:09:07 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\PCDr
[2011/09/24 18:09:10 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\Printer Info Cache
[2011/10/05 12:44:33 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\Recordpad
[2011/10/12 09:05:06 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\RightNow_Technologies
[2012/05/07 14:21:14 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\SecondLife
[2011/09/24 18:09:13 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\Template
[2011/09/24 18:09:13 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\Thunderbird
[2012/05/23 05:44:13 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\Utherverse
[2012/08/05 15:10:20 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\uTorrent
[2011/09/24 18:09:14 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\VirtualStore
[2011/09/24 18:09:14 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\VS Media Inc
[2011/10/12 08:38:23 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\WatchGuard
[2011/09/24 18:09:14 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\webex
[2011/09/24 18:09:14 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\Windows Desktop Search
[2011/09/24 18:09:14 | 000,000,000 | ---D | M] -- C:\Users\Michael Grantham\AppData\Roaming\Windows Search
[2011/09/22 16:47:32 | 000,000,290 | ---- | M] () -- C:\Windows\Tasks\debutShakeIcon.job
[2011/09/30 12:46:00 | 000,000,298 | ---- | M] () -- C:\Windows\Tasks\expressShakeIcon.job
[2011/09/24 15:59:00 | 000,000,564 | ---- | M] () -- C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
[2008/01/20 21:54:58 | 000,003,456 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2011/10/06 12:47:00 | 000,000,294 | ---- | M] () -- C:\Windows\Tasks\scribeShakeIcon.job
[2011/09/24 15:52:00 | 000,000,422 | ---- | M] () -- C:\Windows\Tasks\SystemToolsDailyTest.job
[2012/09/13 14:32:28 | 000,000,444 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{9632FAA5-1B46-4128-8573-82381CD86F88}.job
[2011/10/03 05:29:00 | 000,000,310 | ---- | M] () -- C:\Windows\Tasks\webdictateShakeIcon.job

========== Purity Check ==========



< End of report >


#2
Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hello, MikeyTexas! :wave:

:welcome: I'm Nedklaw and I'll be glad to help you with your malware issues. :)

These instructions are specifically designed for MikeyTexas only. No one else should follow these instructions, because doing so can cause serious damage to your computer.

Before we start to clean your computer of malware, please read through the following points to help me and you, and prevent damage to your computer:
  • Please completely read through all of the instructions given to you before attempting to follow them. Reading too lightly will cause you to miss important steps, which could have DESTRUCTIVE effects. If you can't perform a certain step or you are unsure about what to do, let me know!
  • Don't be afraid to ask questions! If you are unsure about anything, ask me! No question is considered stupid here!
  • Be patient with me; logs can take some time to research, and my life can mean that I'm busy.
  • Please copy and paste all logs into your reply. Do not attach logs to a post unless I tell you to or if they don't fit in the post.
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is that these tools are updated fairly regularly.
  • NEVER fix anything in OTL or other programs on your own! This can be very dangerous and cause harm to your system.
  • Refrain from running any other tools apart from the ones I tell you to.
Note: You should save or print out my instructions for easy reference, as part of the fix may be in Safe Mode and you won't be able to access GeeksToGo.


I have an idea of what infection you might have but I need to confirm this using a tool called RogueKiller.


Step 1

  • Download RogueKiller and save it onto your desktop.
  • Quit all programs.
  • Start RogueKiller.exe.
  • Note: If RogueKiller has been blocked, do not hesitate to try several times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
  • Wait until the Prescan has finished.
  • Click on Scan.
  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
  • The report has been created on the desktop.
  • Next click on ShortcutsFix.
  • The report has been created on the desktop.

Things I want to see in your next reply

  • All RKreport.txt files


#3
MikeyTexas

    Member

  • Topic Starter
  • Member
  • 17 posts
Hi Nedklaw -

Thank you so much for the quick response. I really appreciate your help. Below are the 3 output files from RK as requested.

MikeyTexas


RKreport[1]

RogueKiller V8.0.3 [09/13/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Michael Grantham [Admin rights]
Mode : Scan -- Date : 09/13/2012 17:34:17

¤¤¤ Bad processes : 4 ¤¤¤
[SUSP PATH][DLL] explorer.exe -- C:\Windows\explorer.exe : C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.dll -> UNLOADED
[SUSP PATH] UACProxy.exe -- C:\ProgramData\OfficeGuardianV2N35\UACProxy.exe -> KILLED [TermProc]
[SUSP PATH] SacNetAgent.exe -- C:\ProgramData\OfficeGuardianV2N35\Reminder\SacNetAgent.exe -> KILLED [TermProc]
[SUSP PATH] SacReminder.exe -- C:\ProgramData\OfficeGuardianV2N35\Reminder\SacReminder.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 8 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : SacReminderHDDV2N (C:\ProgramData\OfficeGuardianV2N35\reminder\SacReminder.exe) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : ConnectionCenter ("C:\Users\Michael Grantham\AppData\Local\Citrix\ICA Client\concentr.exe" /startup) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1885834091-318630671-1701898132-1005[...]\Run : SacReminderHDDV2N (C:\ProgramData\OfficeGuardianV2N35\reminder\SacReminder.exe) -> FOUND
[Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC} (\??\C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl) -> FOUND
[Services][ROGUE ST] HKLM\[...]\ControlSet003\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC} (\??\C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$bcfabcca2de192d7f547a6ce909f1da1\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$bcfabcca2de192d7f547a6ce909f1da1\U --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-1885834091-318630671-1701898132-1005\$bcfabcca2de192d7f547a6ce909f1da1\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$bcfabcca2de192d7f547a6ce909f1da1\L --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-1885834091-318630671-1701898132-1005\$bcfabcca2de192d7f547a6ce909f1da1\L --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x8679FFA9)

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HD322HJ ATA Device +++++
--- User ---
[MBR] cc8a3e2d0a65f793501038757a2907c5
[BSP] 309f752a4e6d8a1397311c24af3cea9d : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 128520 | Size: 305180 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 7eba01b58edbf580b2c0796c7621e4d4
[BSP] 309f752a4e6d8a1397311c24af3cea9d : Windows Vista MBR Code [possible maxSST in 2!]
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 128520 | Size: 305180 Mo
2 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 625137345 | Size: 2 Mo

+++++ PhysicalDrive1: HP Photosmart A510 USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt



RKreport[2]

RogueKiller V8.0.3 [09/13/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Michael Grantham [Admin rights]
Mode : Remove -- Date : 09/13/2012 17:35:00

¤¤¤ Bad processes : 4 ¤¤¤
[SUSP PATH][DLL] explorer.exe -- C:\Windows\explorer.exe : C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.dll -> UNLOADED
[SUSP PATH] UACProxy.exe -- C:\ProgramData\OfficeGuardianV2N35\UACProxy.exe -> KILLED [TermProc]
[SUSP PATH] SacNetAgent.exe -- C:\ProgramData\OfficeGuardianV2N35\Reminder\SacNetAgent.exe -> KILLED [TermProc]
[SUSP PATH] SacReminder.exe -- C:\ProgramData\OfficeGuardianV2N35\Reminder\SacReminder.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 7 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : SacReminderHDDV2N (C:\ProgramData\OfficeGuardianV2N35\reminder\SacReminder.exe) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : ConnectionCenter ("C:\Users\Michael Grantham\AppData\Local\Citrix\ICA Client\concentr.exe" /startup) -> DELETED
[Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC} (\??\C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl) -> DELETED
[Services][ROGUE ST] HKLM\[...]\ControlSet003\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC} (\??\C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl) -> DELETED
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$bcfabcca2de192d7f547a6ce909f1da1\@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$bcfabcca2de192d7f547a6ce909f1da1\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-1885834091-318630671-1701898132-1005\$bcfabcca2de192d7f547a6ce909f1da1\U --> REMOVED
[Del.Parent][FILE] 00000004.@ : C:\$recycle.bin\S-1-5-18\$bcfabcca2de192d7f547a6ce909f1da1\L\00000004.@ --> REMOVED
[Del.Parent][FILE] 201d3dde : C:\$recycle.bin\S-1-5-18\$bcfabcca2de192d7f547a6ce909f1da1\L\201d3dde --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$bcfabcca2de192d7f547a6ce909f1da1\L --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-1885834091-318630671-1701898132-1005\$bcfabcca2de192d7f547a6ce909f1da1\L --> REMOVED

¤¤¤ Driver : [LOADED] ¤¤¤
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x8679FFA9)

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HD322HJ ATA Device +++++
--- User ---
[MBR] cc8a3e2d0a65f793501038757a2907c5
[BSP] 309f752a4e6d8a1397311c24af3cea9d : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 128520 | Size: 305180 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 7eba01b58edbf580b2c0796c7621e4d4
[BSP] 309f752a4e6d8a1397311c24af3cea9d : Windows Vista MBR Code [possible maxSST in 2!]
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 128520 | Size: 305180 Mo
2 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 625137345 | Size: 2 Mo

+++++ PhysicalDrive1: HP Photosmart A510 USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt



RKreport[3]

RogueKiller V8.0.3 [09/13/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Michael Grantham [Admin rights]
Mode : Shortcuts HJfix -- Date : 09/13/2012 18:05:46

¤¤¤ Bad processes : 4 ¤¤¤
[SUSP PATH][DLL] explorer.exe -- C:\Windows\explorer.exe : C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.dll -> UNLOADED
[SUSP PATH] UACProxy.exe -- C:\ProgramData\OfficeGuardianV2N35\UACProxy.exe -> KILLED [TermProc]
[SUSP PATH] SacNetAgent.exe -- C:\ProgramData\OfficeGuardianV2N35\Reminder\SacNetAgent.exe -> KILLED [TermProc]
[SUSP PATH] SacReminder.exe -- C:\ProgramData\OfficeGuardianV2N35\Reminder\SacReminder.exe -> KILLED [TermProc]

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 3 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 4 / Fail 0
Start menu: Success 1 / Fail 0
User folder: Success 2790 / Fail 0
My documents: Success 3 / Fail 3
My favorites: Success 0 / Fail 0
My pictures: Success 1 / Fail 0
My music: Success 2 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 2364 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[E:] \Device\HarddiskVolume4 -- 0x2 --> Restored

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

#4 Nedklaw (Trusted Helper, Malware Removal, 1,652 posts)
Hi, and you're welcome. :)
The infection you have stops TDSSKiller from running. This infection creates a hidden partition on your computer containing a rootkit.

  • Download ListParts to your desktop.
  • Double click ListParts.exe to launch the program.
  • Press the Scan button.
  • When finished scanning it will make a log Result.txt on your desktop.
  • Please post the contents of the log in your next reply.

Things I want to see in your next reply

  • Result.txt


#5 MikeyTexas (Topic Starter, Member, 17 posts)
ListParts by Farbar Version: 14-09-2012
Ran by Michael Grantham (administrator) on 13-09-2012 at 19:24:14
Windows Vista (X86)
Running From: C:\Users\Michael Grantham\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 45%
Total physical RAM: 3316.27 MB
Available physical RAM: 1807.91 MB
Total Pagefile: 6850.55 MB
Available Pagefile: 5280.46 MB
Total Virtual: 2047.88 MB
Available Virtual: 1958.56 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:298.03 GB) (Free:166.47 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 63 MB 32 KB
Partition 2 Primary 298 GB 63 MB
Partition 3 Primary 2544 KB 298 GB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 298 GB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

======================================================================================================

****** End Of Log ******

#6 Nedklaw (Trusted Helper, Malware Removal, 1,652 posts)
Hi. :)
Let's remove the partition.
You will need a USB drive to perform the following steps.

  • Please open Notepad (Start > All Programs > Accessories > Notepad) and copy the entire contents of the code box below.
    Right-click in the open notepad and select Paste.

    Disk=0 Partition=2 active
    custom
    Disk=0 Partition=3 delete
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  • Save it on to a USB drive as fix.txt
  • Save ListParts onto the same flash drive.
  • Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt.
  • In the command window type in Notepad and press Enter.
  • A Notepad window will open. Under File menu select Open.
  • Select Computer and find your flash drive letter and then close Notepad.
  • In the command window type e:\ListParts and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • Press the Fix button.
  • When it is done, close the notification pop up. Click Scan and copy and paste the log (Result.txt) it makes on the flash drive.

Things I want to see in your next reply

  • Result.txt
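
The MBR check in the RogueKiller reports and the ListParts output above show the pattern this thread is about: the partition table Windows sees (the "User" view) differs from the one read below the hooked atapi.sys driver (LL2), and the low-level view carries a tiny, hidden, active partition of type 0x17 at the end of the disk, which is what the fix script (Disk=0 Partition=2 active / Disk=0 Partition=3 delete) removes. The following Python is an added example, not code from the thread or from RogueKiller or ListParts: it parses a raw 512-byte MBR, flags an active hidden partition that is too small to be a real OS volume, shows the hash mismatch between the two views, and applies the same two-step fix to the sector in memory. The two sectors it works on are constructed to mirror the tables printed in the logs (offsets 63 and 128520, a 4096-sector entry at 625137345, hence the 2 MB size), not copied from the poster's disk; the 16 MB "too small" threshold is an assumption of the heuristic.

```python
"""Added example: parse an MBR partition table the way the RogueKiller/ListParts
output in the thread does, flag a hidden active partition, and apply the
equivalent of the ListParts fix script to the raw sector.

The sectors at the bottom are constructed to mirror the tables printed in the
thread; they are not captured from the poster's disk.
"""
import hashlib
import struct

SECTOR = 512
TABLE_OFFSET = 446                         # four 16-byte entries follow the boot code
ENTRY = struct.Struct("<B3sB3sII")         # boot flag, CHS start, type, CHS end, LBA start, sector count
BOOTABLE = 0x80
# "Hidden" variants of the common DOS/Windows types (visible type | 0x10); 0x17 is hidden NTFS/HPFS.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
SMALL_LIMIT_SECTORS = 16 * 1024 * 1024 // SECTOR   # assumption: a real OS volume is far larger than 16 MB


def make_entry(ptype, lba_start, sectors, active=False):
    """Build one partition-table entry; CHS fields get the LBA-only marker FE FF FF."""
    flag = BOOTABLE if active else 0
    return ENTRY.pack(flag, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba_start, sectors)


def build_mbr(entries, boot_code=b"\x00" * TABLE_OFFSET):
    """Assemble a 512-byte MBR from up to four entries plus the 0x55AA signature."""
    table = b"".join(entries).ljust(4 * ENTRY.size, b"\x00")
    return boot_code[:TABLE_OFFSET].ljust(TABLE_OFFSET, b"\x00") + table + b"\x55\xaa"


def parse_mbr(mbr):
    """Return the non-empty entries as dicts, numbered 1-4 like ListParts does."""
    if len(mbr) != SECTOR or mbr[510:] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        flag, _, ptype, _, start, count = ENTRY.unpack_from(mbr, TABLE_OFFSET + i * ENTRY.size)
        if ptype == 0:
            continue
        parts.append({"number": i + 1, "type": ptype, "active": flag == BOOTABLE,
                      "hidden": ptype in HIDDEN_TYPES, "start": start, "sectors": count})
    return parts


def suspicious_partitions(mbr):
    """Numbers of entries that are active yet hidden and tiny: the pattern in the log."""
    return [p["number"] for p in parse_mbr(mbr)
            if p["active"] and p["hidden"] and p["sectors"] <= SMALL_LIMIT_SECTORS]


def mbr_md5(mbr):
    """Same digest RogueKiller prints for [MBR]; two views of one disk must agree."""
    return hashlib.md5(mbr).hexdigest()


def apply_fix(mbr, make_active, delete):
    """In-memory equivalent of 'Partition=N active' followed by 'Partition=M delete'."""
    buf = bytearray(mbr)
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY.size
        if i + 1 == delete:
            buf[off:off + ENTRY.size] = b"\x00" * ENTRY.size   # wipe the whole entry
        else:
            buf[off] = BOOTABLE if i + 1 == make_active else 0  # exactly one boot flag
    return bytes(buf)


# Constructed sectors mirroring the two tables in the RogueKiller MBR check (not real captures).
USER_VIEW = build_mbr([
    make_entry(0xDE, 63, 128457),                      # DELL-UTIL, visible
    make_entry(0x07, 128520, 625008825, active=True),  # NTFS system volume, active
])
LOW_LEVEL_VIEW = build_mbr([
    make_entry(0xDE, 63, 128457),
    make_entry(0x07, 128520, 625008825),               # boot flag cleared by the rootkit
    make_entry(0x17, 625137345, 4096, active=True),    # hidden 2 MB NTFS at the end of the disk, active
])

if __name__ == "__main__":
    print("User == LL2:", mbr_md5(USER_VIEW) == mbr_md5(LOW_LEVEL_VIEW))
    print("suspicious in LL2:", suspicious_partitions(LOW_LEVEL_VIEW))
    fixed = apply_fix(LOW_LEVEL_VIEW, make_active=2, delete=3)
    print("after fix:", [(p["number"], hex(p["type"]), p["active"]) for p in parse_mbr(fixed)])
```

Run stand-alone it reports the hash mismatch, flags partition 3, and prints the repaired table with partition 2 active. The reason the helper has the fix run from a recovery environment rather than from the running system is visible in the log's driver section: with atapi.sys hooked, any read from inside Windows returns the sanitized User view, so a check run there would report the disk as clean.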


#7 MikeyTexas (Topic Starter, Member, 17 posts)
I am in the Advanced Boot Options screen and the closest item I see is Directory Services Repair Mode. Is that the correct one?

-Michael

#8 Nedklaw (Trusted Helper, Malware Removal, 1,652 posts)
Hi. :)
Don't worry, some computers don't have the Repair Your Computer option in Advanced Boot Options. We'll try a different method of working outside of Windows.



Download the following two programmes to your desktop:

1. WiNToBootic
2. Windows Vista 32bit RC


Extract WiNToBoot to your desktop.
Insert a USB drive of at least 4GB.
Run WiNToBoot.

Posted Image


Drag and drop the Windows Vista ISO to the programme in the space indicated.
Tick the Format box and accept the warnings.
Press Do it!.

You will see it progressing.

Posted Image


It will let you know when it is done.
Then copy ListParts.exe and fix.txt to the same USB.


Insert the USB into the sick computer and start it, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that follow the instructions here.


When you reboot you will see this. Click Repair your computer.

Posted Image


Select your operating system.

Posted Image


Select Command Prompt.

Posted Image


  • In the command window type in Notepad and press Enter.
  • A Notepad window will open. Under File menu select Open.
  • Select Computer and find your flash drive letter and then close Notepad.
  • In the command window type e:\listparts and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • Press the Fix button.
  • When it is done close the notification pop up. Click Scan and copy and paste the log (Result.txt) it makes on the flash drive.

Things I want to see in your next reply

  • Result.txt


#9 MikeyTexas (Topic Starter, Member, 17 posts)
I am still working on it; my computer is hung and won't move with the USB connected to it. I can't get into F2 to switch it to the USB. I am using a memory stick that is 8GB; not sure if that makes a difference.

#10 MikeyTexas (Topic Starter, Member, 17 posts)
ListParts by Farbar Version: 14-09-2012
Ran by SYSTEM (administrator) on 14-09-2012 at 18:23:41
Windows Vista (X86)
Running From: E:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 10%
Total physical RAM: 4084.38 MB
Available physical RAM: 3671.84 MB
Total Pagefile: 3834.54 MB
Available Pagefile: 3669.94 MB
Total Virtual: 2047.88 MB
Available Virtual: 1996.57 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:298.03 GB) (Free:170.15 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: () (Removable) (Total:3.73 GB) (Free:3.57 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 298 GB 1528 KB
Disk 1 Online 3819 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 63 MB 32 KB
Partition 2 Primary 298 GB 63 MB

======================================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 FAT Partition 63 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 298 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3819 MB 16 KB

======================================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 E NTFS Removable 3819 MB Healthy

======================================================================================================

****** End Of Log ******

#11 Nedklaw (Trusted Helper, Malware Removal, 1,652 posts)
Hi. :)
ListParts removed the partition containing the rootkit so we will now get rid of the remaining infection.


Step 1

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


IMPORTANT!!! You need to Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you are still unsure how to do this, see here.
  • Double click on ComboFix.exe & follow the prompts.

    Posted Image
  • Please be patient and don't use the PC whilst it is scanning.
  • When finished, it shall produce a log for you. Please copy & paste the contents of this log at C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get this error "Illegal operation attempted on a registry key that has been marked for deletion" then reboot, that will cure it.



Things I want to see in your next reply

  • ComboFix.txt


#12 MikeyTexas (Topic Starter, Member, 17 posts)
Hi there -

I ran ComboFix and let it go; then it restarted, I logged in, and now it is sitting at a blue screen that looks like the command prompt window and says "Please wait." with a flashing cursor.

**UPDATED** I let it stay like that overnight and it was still on that screen. It had been that way just shy of 12 hours on the same screen so I forced the computer to shut off so I could restart it. After the reboot the computer gets to the desktop and is frozen. I also do not see a ComboFix.txt file on the desktop. **


MikeyT

Edited by MikeyTexas, 16 September 2012 - 07:21 AM.


#13 Nedklaw (Trusted Helper, Malware Removal, 1,652 posts)
Hi. :)

Can you do anything with the computer when it gets to the desktop? Does this happen in Safe Mode as well?
The ComboFix log should be located at C:\ComboFix.txt

#14 MikeyTexas (Topic Starter, Member, 17 posts)
Hey there -

I can get to the desktop in Safe Mode and it is fine. On C: I don't have the .txt file, I only have the ComboFix folder. I did not see it inside there either.

MikeyT

#15 Nedklaw (Trusted Helper, Malware Removal, 1,652 posts)
Hi. :)
Please run ComboFix again from Safe Mode and then post the log it produces.