Keylogger Detected [Solved]


  • This topic is locked

#1
WBLG123

  • Member
  • 48 posts
Hello Everyone,

Today, I came across a folder in my AppData folder labeled dclogs. It contained files documenting many keys I have typed, websites visited, etc. It also included many files / websites I had not visited or obtained intertwined with my actual activity. Based on dates, it appeared this has happened for about a month. I have deleted those files. For about the past month, I have noticed my system running slower but that was about the only noticeable symptom. A scan with Malwarebytes showed three files labeled Backdoor.DarkKomet and something involving the program name Uete.exe I believe. I believe these have also been removed. I am hoping I removed all instances of the malware and I am hoping somebody could review my OTL data and offer their opinion / advice. It will be very appreciated. My only other concern is that I may have used this system for credit card and bank processing. Should I take measures to protect myself, i.e., do you think this data has been transferred elsewhere? Like I said before, I monitor my processes and I have not seen anything out of the ordinary. Recently, I have removed and deleted many programs. Some of their remaining files still linger within my system.

Thanks!

OTL logfile created on: 12/4/2012 6:18:29 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Bill\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 1.32 Gb Available Physical Memory | 44.16% Memory free
6.19 Gb Paging File | 4.77 Gb Available in Paging File | 77.09% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 140.77 Gb Total Space | 97.67 Gb Free Space | 69.39% Space Free | Partition Type: NTFS
Drive D: | 8.28 Gb Total Space | 1.82 Gb Free Space | 22.04% Space Free | Partition Type: NTFS

Computer Name: BILL-PC | User Name: Bill | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/12/04 18:18:05 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Bill\Desktop\OTL.exe
PRC - [2012/09/29 19:54:26 | 000,766,536 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/09/29 19:54:26 | 000,676,936 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/09/29 19:54:26 | 000,399,432 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012/08/22 11:17:04 | 003,113,312 | ---- | M] (Piriform Ltd) -- C:\Program Files\CCleaner\CCleaner.exe
PRC - [2009/04/10 22:27:38 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/01/18 22:33:06 | 000,226,816 | ---- | M] (Microsoft Corp.) -- C:\Windows\System32\Defrag.exe
PRC - [2008/01/18 22:33:06 | 000,163,840 | ---- | M] (Microsoft Corp.) -- C:\Windows\System32\DfrgNtfs.exe
PRC - [2007/04/23 20:11:44 | 000,106,593 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
PRC - [2007/04/23 20:11:42 | 000,262,243 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
PRC - [2007/03/09 12:50:02 | 004,390,912 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/02/12 09:38:04 | 000,355,096 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe


========== Modules (No Company Name) ==========

MOD - [2012/09/19 14:38:37 | 000,020,288 | ---- | M] () -- C:\Program Files\CCleaner\branding.dll
MOD - [2011/03/16 23:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2010/10/20 14:45:26 | 008,801,120 | ---- | M] () -- C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll


========== Services (SafeList) ==========

SRV - [2012/09/29 19:54:26 | 000,676,936 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/09/29 19:54:26 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012/09/20 13:28:48 | 030,785,672 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
SRV - [2008/01/18 22:38:26 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/04/23 20:11:44 | 000,106,593 | ---- | M] () [Auto | Running] -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe -- (CLSched)
SRV - [2007/04/23 20:11:42 | 000,262,243 | ---- | M] () [Auto | Running] -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe -- (CLCapSvc)
SRV - [2007/02/12 09:38:04 | 000,355,096 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\usbaapl.sys -- (USBAAPL)
DRV - File not found [Kernel | System | Unknown] -- C:\Windows\system32\drivers\ovfsthdosgopepvepiybxgppxkvwxmjuscujiq.sys -- (ovfsthmailparfbmkncwemucpduxvisyxolomt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\Motousbnet.sys -- (Motousbnet)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\motswch.sys -- (MotoSwitchService)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\motmodem.sys -- (motmodem)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\motccgpfl.sys -- (motccgpfl)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\motccgp.sys -- (motccgp)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\motoandroid.sys -- (motandroidusb)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\ma_cmidi.sys -- (MA_CMIDI)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\loopbe1.sys -- (LoopBeMidi1)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\easytthr.sys -- (easytether)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\motfilt.sys -- (BTCFilterService)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\motoandroid.sys -- (androidusb)
DRV - [2012/09/29 19:54:26 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2009/07/13 18:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/04/10 21:06:28 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDScan.sys -- (WSDScan)
DRV - [2008/09/07 08:34:19 | 000,717,296 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\sptd.sys -- (sptd)
DRV - [2008/01/18 21:15:00 | 000,016,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV - [2007/04/09 08:56:22 | 000,021,248 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgusbdiag.sys -- (UsbDiag)
DRV - [2007/04/09 08:55:08 | 000,022,912 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgusbmodem.sys -- (USBModem)
DRV - [2007/04/09 08:53:24 | 000,012,672 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgusbbus.sys -- (usbbus)
DRV - [2007/03/05 16:28:00 | 000,076,288 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2007/03/01 07:49:58 | 002,216,448 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32)
DRV - [2007/02/24 09:42:22 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/01/23 12:03:28 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/01/23 11:40:20 | 000,042,496 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/30 12:24:58 | 000,008,192 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | System | Running] -- C:\Windows\System32\drivers\eabfiltr.sys -- (eabfiltr)
DRV - [2006/11/02 02:41:49 | 001,010,560 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\smserial.sys -- (smserial)
DRV - [2006/11/02 02:30:54 | 001,781,760 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32)
DRV - [2006/06/28 11:54:00 | 000,009,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2003/10/08 14:34:24 | 000,032,084 | ---- | M] (Cirrus Logic Inc.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\adsexpb.sys -- (ADSEXPB)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...ilion&pf=laptop
IE - HKLM\..\SearchScopes,DefaultScope = {0B4A10D1-FBD6-451d-BFDA-F03252B05984}
IE - HKLM\..\SearchScopes\{0B4A10D1-FBD6-451d-BFDA-F03252B05984}: "URL" = http://slirsredirect...nType=tb50trie7
IE - HKLM\..\SearchScopes\{266B0F19-BF0E-4E12-8518-86D59D5A63A5}: "URL" = http://search.live.c...#38;FORM=HVDUS7
IE - HKLM\..\SearchScopes\{9EECE930-EA06-477C-A728-406A4A40B9C1}: "URL" = http://search.yahoo....ing}&fr=hp-pvdt
IE - HKLM\..\SearchScopes\{B0F2BB51-91F8-46C6-AB21-953BC6C7B8D7}: "URL" = http://www.ask.com/w...}&l=dis&o=ushpd

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ilion&pf=laptop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?l=dis&o=14196
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}
IE - HKCU\..\SearchScopes\{0B4A10D1-FBD6-451d-BFDA-F03252B05984}: "URL" = http://slirsredirect...nType=tb50trie7
IE - HKCU\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask...s}&locale=en_US
IE - HKCU\..\SearchScopes\{266B0F19-BF0E-4E12-8518-86D59D5A63A5}: "URL" = http://search.live.c...#38;FORM=HVDUS7
IE - HKCU\..\SearchScopes\{9EECE930-EA06-477C-A728-406A4A40B9C1}: "URL" = http://search.yahoo....ing}&fr=hp-pvdt
IE - HKCU\..\SearchScopes\{B0F2BB51-91F8-46C6-AB21-953BC6C7B8D7}: "URL" = http://www.ask.com/w...}&l=dis&o=ushpd
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 192.168.*.*

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "AOL Search"
FF - prefs.js..browser.search.defaulturl: "http://search.aol.co...rud=14-11-2012"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.aol.com/?...usaolp00000013"
FF - prefs.js..extensions.enabledAddons: {c2f863cd-0429-48c7-bb54-db756a951760}:5.96.10.8937
FF - prefs.js..extensions.enabledItems: {c2f863cd-0429-48c7-bb54-db756a951760}:5.20.1.1
FF - prefs.js..keyword.URL: "http://slirsredirect...=14-11-2012&q="
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@bittorrent.com/BitTorrentDNA: C:\Program Files\DNA\plugins\npbtdna.dll File not found
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\[email protected]/YahooActiveXPluginBridge;version=1.0.0.1: C:\Program Files\Yahoo!\Common\npyaxmpb.dll File not found
FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll File not found
FF - HKCU\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin: C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin1017325.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2009/03/15 19:01:51 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Bill\AppData\Roaming\Mozilla\Extensions
[2009/03/15 19:01:51 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Bill\AppData\Roaming\Mozilla\Extensions\[email protected]
[2012/11/14 17:26:25 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\hdx9caa1.default\extensions
[2008/07/27 14:43:33 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\hdx9caa1.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2012/11/14 17:26:29 | 000,000,000 | ---D | M] ("AOL Messaging Toolbar") -- C:\Users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\hdx9caa1.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
[2012/10/02 09:11:03 | 000,000,000 | ---D | M] (Rapportive) -- C:\Users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\hdx9caa1.default\extensions\[email protected]
[2012/05/24 18:32:04 | 000,020,591 | ---- | M] () (No name found) -- C:\Users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\hdx9caa1.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi
[2009/01/15 21:22:28 | 000,001,739 | ---- | M] () -- C:\Users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\hdx9caa1.default\searchplugins\aim-search.xml
[2012/11/14 17:26:33 | 000,002,533 | ---- | M] () -- C:\Users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\hdx9caa1.default\searchplugins\aol-search.xml
[2010/07/19 08:56:19 | 000,002,424 | ---- | M] () -- C:\Users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\hdx9caa1.default\searchplugins\askcom.xml

O1 HOSTS File: ([2009/04/29 12:04:01 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\RunOnce: [Launcher] C:\Windows\SMINST\Launcher.exe (soft thinks)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (Reg Error: Key error.)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photos.walmar...martActivia.cab (Snapfish Activia)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace....ploader1006.cab (MySpace Uploader Control)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/b...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8313A1CF-8CDD-44ED-8968-E707D18571B8}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EC302945-AED3-4D1F-96C8-3D97C28F4FC1}: DhcpNameServer = 137.238.1.15 137.238.1.14
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Users\Bill\AppData\Roaming\tmp291\Uete.exe) - File not found
O24 - Desktop WallPaper: C:\Users\Bill\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Bill\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/05/14 07:10:42 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2005/09/11 10:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]
O33 - MountPoints2\{3e0b3aab-8d12-11dd-af3b-001b24adb490}\Shell - "" = AutoRun
O33 - MountPoints2\{3e0b3aab-8d12-11dd-af3b-001b24adb490}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -a
O33 - MountPoints2\{60386809-8b19-11dc-9214-001b24adb490}\Shell - "" = AutoRun
O33 - MountPoints2\{60386809-8b19-11dc-9214-001b24adb490}\Shell\AutoRun\command - "" = J:\LaunchU3.exe -a
O33 - MountPoints2\{c59e90d6-7cea-11dd-a35b-001b24adb490}\Shell - "" = AutoRun
O33 - MountPoints2\{c59e90d6-7cea-11dd-a35b-001b24adb490}\Shell\AutoRun\command - "" = F:\Autorun.exe
O33 - MountPoints2\{f6df6bd2-11be-11de-9632-001b24adb490}\Shell - "" = AutoRun
O33 - MountPoints2\{f6df6bd2-11be-11de-9632-001b24adb490}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -a
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O33 - MountPoints2\I\Shell - "" = AutoRun
O33 - MountPoints2\I\Shell\AutoRun\command - "" = I:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/12/04 18:18:05 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Bill\Desktop\OTL.exe
[2012/12/04 15:07:11 | 000,000,000 | ---D | C] -- C:\Users\Bill\Desktop\Transfer Folder
[2012/12/04 14:20:00 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012/12/04 13:13:04 | 000,000,000 | ---D | C] -- C:\Users\Bill\AppData\Local\Temp
[2012/11/30 11:16:18 | 000,000,000 | -H-D | C] -- C:\ProgramData\CanonIJEPPEX2
[2012/11/30 11:16:18 | 000,000,000 | -H-D | C] -- C:\ProgramData\CanonEPP
[2012/11/30 11:16:14 | 000,000,000 | ---D | C] -- C:\Users\Bill\AppData\Roaming\Canon
[2012/11/30 11:15:01 | 000,000,000 | ---D | C] -- C:\Windows\medias
[2012/11/30 11:14:57 | 000,000,000 | -H-D | C] -- C:\ProgramData\CanonIJFAX
[2012/11/30 11:13:37 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\CANON
[2012/11/30 11:09:30 | 000,000,000 | -H-D | C] -- C:\ProgramData\CanonBJ
[2012/11/30 11:09:06 | 000,000,000 | -H-D | C] -- C:\Windows\System32\CanonIJ Uninstaller Information
[2012/11/30 11:09:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon MX890 series
[2012/11/30 11:06:04 | 000,000,000 | -H-D | C] -- C:\Program Files\CanonBJ
[2012/11/30 11:05:48 | 000,000,000 | ---D | C] -- C:\Windows\System32\STRING
[2012/11/30 11:05:08 | 000,000,000 | ---D | C] -- C:\Program Files\Canon
[263 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/12/04 18:18:05 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Bill\Desktop\OTL.exe
[2012/12/04 18:00:00 | 000,000,442 | ---- | M] () -- C:\Windows\tasks\ParetoLogic Registration3.job
[2012/12/04 17:52:00 | 000,003,584 | ---- | M] () -- C:\Users\Bill\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/12/04 17:51:21 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/12/04 17:51:21 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/12/04 15:59:08 | 000,598,588 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/12/04 15:59:07 | 000,102,194 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/12/04 15:51:04 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/12/04 15:50:55 | 3211,190,272 | -HS- | M] () -- C:\hiberfil.sys
[2012/12/04 13:18:31 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/12/03 20:00:00 | 000,000,544 | ---- | M] () -- C:\Windows\tasks\Norton Internet Security - Run Full System Scan - Bill.job
[2012/12/02 17:01:53 | 000,000,416 | ---- | M] () -- C:\Windows\tasks\ParetoLogic Update Version3.job
[263 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/12/04 17:52:00 | 000,003,584 | ---- | C] () -- C:\Users\Bill\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/11/30 11:15:03 | 000,070,656 | ---- | C] () -- C:\Windows\System32\CNC175ED.TBL
[2012/05/29 16:22:34 | 000,180,624 | ---- | C] () -- C:\Windows\System32\Primomonnt.dll
[2009/06/03 11:04:50 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol

========== ZeroAccess Check ==========

[2006/11/02 07:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 12:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/10 22:28:20 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/10 22:28:26 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/07/06 22:45:39 | 000,000,000 | ---D | M] -- C:\Users\Bill\AppData\Roaming\BleachBit
[2012/11/30 11:16:14 | 000,000,000 | ---D | M] -- C:\Users\Bill\AppData\Roaming\Canon
[2012/07/31 13:09:25 | 000,000,000 | ---D | M] -- C:\Users\Bill\AppData\Roaming\Motorola
[2012/09/27 13:55:00 | 000,000,000 | ---D | M] -- C:\Users\Bill\AppData\Roaming\PrimoPDF
[2012/11/28 19:16:06 | 000,000,000 | ---D | M] -- C:\Users\Bill\AppData\Roaming\Synthesia

========== Purity Check ==========



< End of report >


OTL Extras logfile created on: 12/4/2012 6:18:29 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Bill\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 1.32 Gb Available Physical Memory | 44.16% Memory free
6.19 Gb Paging File | 4.77 Gb Available in Paging File | 77.09% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 140.77 Gb Total Space | 97.67 Gb Free Space | 69.39% Space Free | Partition Type: NTFS
Drive D: | 8.28 Gb Total Space | 1.82 Gb Free Space | 22.04% Space Free | Partition Type: NTFS

Computer Name: BILL-PC | User Name: Bill | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- Reg Error: Key error.
https [open] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"UacDisableNotify" = 1
"InternetSettingsDisableNotify" = 1
"AutoUpdateDisableNotify" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00D3DE5C-A073-418E-B341-8ABA35429D1C}" = lport=139 | protocol=6 | dir=in | app=system |
"{23A638F8-126A-48AE-9BF5-BF47B12051E9}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{2891F4B5-D5A0-4094-9A82-0EB388EEFAC3}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{34B15EA5-1036-4E3E-96C1-649067047A68}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{4E47AB68-D137-4CC3-AB1E-1969E69D3B3F}" = lport=137 | protocol=17 | dir=in | app=system |
"{58F0AE40-A01B-4C8B-B20F-A70C6B258714}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{69D44519-1871-4275-913F-48D452C58128}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{8167AE73-17AB-4CF7-80D3-17E51A09AE64}" = rport=137 | protocol=17 | dir=out | app=system |
"{9B564442-9A45-4AA7-B155-0B369224050A}" = rport=445 | protocol=6 | dir=out | app=system |
"{A979CB47-4317-47F3-A030-69E058FB0432}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | [email protected],-28539 |
"{B121AFB3-6EDB-4C33-AE6B-A661F5D91967}" = rport=139 | protocol=6 | dir=out | app=system |
"{B7E9CC62-1576-4266-9863-738C7A6A4166}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{BF1C2750-2DC1-4667-A96A-99788F3FC087}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office14\outlook.exe |
"{C8D87B1E-EAC0-40EA-98F4-3A52339DB337}" = lport=445 | protocol=6 | dir=in | app=system |
"{CB449032-1906-4E33-AC33-B9714C099432}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{D305980C-879D-4FEB-8EFB-DAE712B9E328}" = rport=138 | protocol=17 | dir=out | app=system |
"{F20A0B67-CFC1-4127-A28E-7C8F8AF9AB16}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{F42D0917-B867-444D-A244-598F4A343C43}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{F89D8777-698C-4FC3-8F1A-B51DD1311835}" = lport=138 | protocol=17 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1736FDD6-20DC-40CC-BF30-7807A852D421}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office14\onenote.exe |
"{241B44E1-D545-4A34-8655-873A7579F235}" = protocol=1 | dir=out | [email protected],-28544 |
"{24D44D86-8E9D-49F2-A8BB-544C4D43499C}" = dir=in | app=c:\program files\hp\quickplay\qpservice.exe |
"{6F391FD6-78BB-4B58-A374-61F6BC4D8BAF}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office14\onenote.exe |
"{718A99E6-21DE-424D-B6A4-5E2CD182C414}" = dir=in | app=c:\program files\hp\quickplay\qp.exe |
"{88C43A3E-EACF-4725-88E6-FFA63B2A208C}" = protocol=58 | dir=out | [email protected],-28546 |
"{8F78CCB0-4EAB-468E-AC50-8C2E6A12EE17}" = protocol=58 | dir=in | [email protected],-26142 |
"{A993B05E-AAC6-4C6D-B57F-B458632FF64D}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{C1107305-205D-4C26-8E9D-494EFA99B646}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office14\groove.exe |
"{D40E4D7B-7631-4BF1-BF75-FDF757150983}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office14\groove.exe |
"{ECDF6DEF-80A4-4BCD-9ED8-F5873657E4D9}" = protocol=1 | dir=in | [email protected],-26140 |
"TCP Query User{2C027560-29DF-49FD-99AA-DD919118D107}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{336EE624-994D-4230-858B-430D0DCC1312}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{2D899FE4-950F-4144-98F3-FAA6B71A9C40}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{308BC1EB-E565-45E5-A136-E016B1C77ECD}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX890_series" = Canon MX890 series MP Drivers
"{1517A7CB-5F00-4A88-8F06-E89B6DB63784}" = ESU for Microsoft Vista
"{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
"{228C6B46-64E2-404E-898A-EF0830603EF4}" = HPNetworkAssistant
"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.20 B1
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Roxio Activation Module
"{3FFB3B34-D639-4384-9AE9-DDE58430D86F}" = MSCU for Microsoft Vista
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP QuickPlay 3.2
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8C6027FD-53DC-446D-BB75-CACD7028A134}" = HP Update
"{90140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{CAA2E4F0-2DAC-408A-A5B4-AEE5AD2DA055}" =
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0015-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUS_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUS_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.PROPLUS_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-002C-0409-0000-0000000FF1CE}_Office14.PROPLUS_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-0044-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}_Office14.PROPLUS_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
"{90140000-00BA-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}_Office14.PROPLUS_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{9061CEF2-51F5-42C9-8A70-9ED351C6597A}" = HP Help and Support
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel Matrix Storage Manager
"{A87B11AC-4344-4E5D-8B12-8F471A87DAD9}" = LightScribe 1.4.136.1
"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
"{CE7E3BE0-2DD3-4416-A690-F9E4A99A8CFF}" = HP Active Support Library
"{D32067CD-7409-4792-BFA0-1469BCD8F0C8}" = HP Wireless Assistant
"{DDFD9BA2-8E26-4E49-92AE-882424DAB1BC}" = HP User Guides 0057
"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{FAB0C302-CB18-4A7A-BA03-C3DC23101A68}" = HP Active Support Library 32 bit components
"BleachBit" = BleachBit
"CCleaner" = CCleaner
"Easy-PhotoPrint EX" = Canon Easy-PhotoPrint EX
"HDMI" = Intel® Graphics Media Accelerator Driver
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.1.1000
"Office14.PROPLUS" = Microsoft Office Professional Plus 2010
"SynTPDeinstKey" = Synaptics Pointing Device Driver

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 6/17/2012 5:59:09 PM | Computer Name = Bill-PC | Source = Bonjour Service | ID = 100
Description =

Error - 6/17/2012 5:59:09 PM | Computer Name = Bill-PC | Source = Bonjour Service | ID = 100
Description =

Error - 6/17/2012 5:59:09 PM | Computer Name = Bill-PC | Source = Bonjour Service | ID = 100
Description =

Error - 6/17/2012 5:59:10 PM | Computer Name = Bill-PC | Source = Bonjour Service | ID = 100
Description =

Error - 6/17/2012 5:59:10 PM | Computer Name = Bill-PC | Source = Bonjour Service | ID = 100
Description =

Error - 6/17/2012 5:59:10 PM | Computer Name = Bill-PC | Source = Bonjour Service | ID = 100
Description =

Error - 6/17/2012 5:59:11 PM | Computer Name = Bill-PC | Source = Bonjour Service | ID = 100
Description =

Error - 6/17/2012 6:00:10 PM | Computer Name = Bill-PC | Source = Bonjour Service | ID = 100
Description =

Error - 6/17/2012 6:00:10 PM | Computer Name = Bill-PC | Source = Bonjour Service | ID = 100
Description =

Error - 6/17/2012 6:00:11 PM | Computer Name = Bill-PC | Source = Bonjour Service | ID = 100
Description =

[ System Events ]
Error - 12/4/2012 10:06:08 AM | Computer Name = Bill-PC | Source = DCOM | ID = 10010
Description =

Error - 12/4/2012 11:10:20 AM | Computer Name = Bill-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 9:57:42 AM on 12/4/2012 was unexpected.

Error - 12/4/2012 11:11:43 AM | Computer Name = Bill-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 12/4/2012 11:11:43 AM | Computer Name = Bill-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 12/4/2012 3:13:29 PM | Computer Name = Bill-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 12/4/2012 3:13:29 PM | Computer Name = Bill-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 12/4/2012 4:13:14 PM | Computer Name = Bill-PC | Source = iaStor | ID = 262153
Description = The device, \Device\Ide\iaStor0, did not respond within the timeout
period.

Error - 12/4/2012 4:52:28 PM | Computer Name = Bill-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 12/4/2012 4:52:28 PM | Computer Name = Bill-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 12/4/2012 6:10:21 PM | Computer Name = Bill-PC | Source = volsnap | ID = 393252
Description = The shadow copies of volume C: were aborted because the shadow copy
storage could not grow due to a user imposed limit.


< End of report >
  • 0


#2
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post the appropriate logs in the Malware Removal forum and wait for help.

Hi and welcome back to Geeks to Go. :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

  • I will start working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Vista Advice:

All applications I ask to be used will require to be run in Administrator mode. IE: Right click on and select Run as Administrator.

The Operating System in use comes with an inbuilt utility called User Access Control (UAC). When prompted by this with anything I ask you to carry out, please select the option Allow.

Next:

Going back to this you mentioned:-

A scan with Malwarebites showed three files labeled Backdoor.DarkKomet and something involving the program name Uete.exe I believe.

Is the log still available? If so please post its contents for my review in your next reply.

To check >> Launch Malwarebytes' Anti-Malware >> Click on the Logs radio tab.

Security Application Check:

Please download and save SecurityCheck.exe to your Desktop from one of the links below.

Link 1
Link 2

  • Right-click on SecurityCheck.exe and select Run as Administrator then follow the on-screen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt
  • Please post the contents of that document in your next reply.

  • 0

#3
WBLG123

WBLG123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 48 posts
Hi Dakeyras!

Thank you for your response, I really appreciate the assistance! I have several logs in that Malwarebytes folder, apparently this has been detected several times but has never notified me of the malware's presence. Here's a log containing the files. I can't find the most recent log but this indicates the files I found. The folders have since been deleted.

2012/11/26 12:18:56 -0500 BILL-PC Bill DETECTION C:\Users\Bill\AppData\Roaming\tmp291\Uete.exe Backdoor.DarkKomet ALLOW
2012/11/26 21:30:02 -0500 BILL-PC Bill DETECTION C:\Users\Bill\AppData\Roaming\tmp291\Uete.exe Backdoor.DarkKomet ALLOW

Interesting it was set to "ALLOW." Here is the log from Security Check. Thanks again for your help!

Results of screen317's Security Check version 0.99.56
Windows Vista Service Pack 2 x86 (UAC is disabled!)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
CCleaner
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Malwarebytes Anti-Malware mbam.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````
  • 0
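Added example, not part of the original thread and not Malwarebytes' own tooling: a short Python triage of protection-log lines in the shape quoted in the post above, listing every detection whose recorded action was ALLOW together with its first and last sighting. The first two sample lines are the ones quoted in the post; the remaining lines, the `QUARANTINE` action value, and the assumption that host, user and threat names contain no spaces are constructed for illustration.

```python
import re
from datetime import datetime

# Lines 1-2 are quoted from the post; the others are constructed samples.
SAMPLE_LOG = r"""
2012/11/26 12:18:56 -0500 BILL-PC Bill DETECTION C:\Users\Bill\AppData\Roaming\tmp291\Uete.exe Backdoor.DarkKomet ALLOW
2012/11/26 21:30:02 -0500 BILL-PC Bill DETECTION C:\Users\Bill\AppData\Roaming\tmp291\Uete.exe Backdoor.DarkKomet ALLOW
2012/11/27 08:02:11 -0500 BILL-PC Bill MESSAGE Protection started successfully
2012/11/27 09:15:40 -0500 BILL-PC Bill DETECTION C:\Users\Bill\Downloads\free tool\setup.exe Example.Constructed QUARANTINE
not a log line
"""

# timestamp, UTC offset, host, user, event type, then the event-specific remainder
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) (?P<event>[A-Z-]+) (?P<rest>.+)$"
)


def parse_detection(line):
    """Return a dict for a DETECTION line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m or m["event"] != "DETECTION":
        return None
    # File paths may contain spaces, so peel the two trailing fields
    # (threat name, action) off the right-hand side instead.
    parts = m["rest"].rsplit(None, 2)
    if len(parts) != 3:
        return None
    path, threat, action = parts
    return {
        "when": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S %z"),
        "host": m["host"],
        "user": m["user"],
        "path": path,
        "threat": threat,
        "action": action.upper(),
    }


def allowed_detections(log_text):
    """Summarise detections that were logged with action ALLOW.

    One entry per (file, threat) pair, with hit count and first/last sighting,
    sorted by first sighting. The span between the two timestamps is a lower
    bound on how long the flagged file was left in place.
    """
    summary = {}
    for line in log_text.splitlines():
        hit = parse_detection(line)
        if hit is None or hit["action"] != "ALLOW":
            continue
        key = (hit["path"].lower(), hit["threat"])  # Windows paths ignore case
        entry = summary.setdefault(key, {
            "path": hit["path"],
            "threat": hit["threat"],
            "count": 0,
            "first_seen": hit["when"],
            "last_seen": hit["when"],
        })
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], hit["when"])
        entry["last_seen"] = max(entry["last_seen"], hit["when"])
    return sorted(summary.values(), key=lambda e: e["first_seen"])


if __name__ == "__main__":
    for e in allowed_detections(SAMPLE_LOG):
        print(f'{e["threat"]}  {e["path"]}')
        print(f'  allowed {e["count"]}x, first {e["first_seen"]}, last {e["last_seen"]}')
```
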

#4
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
Hi,

I have bad news I'm afraid. :(

Unfortunately, one or more of the identified infections on this system is a Backdoor Trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Although an attempt could be made to clean this machine, it could never be considered to be truly clean, secure, or trustworthy. We could not say definitively that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damage it may possibly have caused to vital system files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat. Therefore, your best and safest course of action is a reformat and reinstallation of the Windows Operating System, and that is the course we strongly recommend.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

I can attempt to clean this machine but I can't guarantee that it will be at all secure afterwards.

Should you have any questions, please feel free to ask.

Please let myself know what you have decided to do in your next post.
  • 0

#5
WBLG123

WBLG123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 48 posts
Hi,

Thanks for your response. I imagined the problem was very serious. I've already taken precautions with my passwords. It's scary, but it makes sense if my computer was being controlled from a remote source. There were definitely files and websites present that I did not obtain or visit. There was also much gibberish code and text present as well. Fortunately, it is an old machine and I am not in any dire need to repair it. I would like to attempt a complete reset / installation if possible. This computer has a recovery drive built in, I am just not sure how to utilize that. Thanks again for your assistance.
  • 0

#6
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
Hi. :)

Thanks for your response.

You're welcome!

I imagined the problem was very serious. I've already taken precautions with my passwords. It's scary, but it makes sense if my computer was being controlled from a remote source.

Aye indeed and good RE your passwords etc...

I would like to attempt a complete reset / installation if possible. This computer has a recovery drive built in, I am just not sure how to utilize that.

By all means I will gladly assist you with this. For now just inform myself of the exact model type of what appears to be an HP computer you have and we will go from there, thank you.
  • 0

#7
WBLG123

WBLG123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 48 posts
Thank you again!

Okay, I am indeed running on an HP, it's an old model, the Pavilion dv6500. Like I said, it has the recovery drive I believe with the software loaded in already.
  • 0

#8
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
Hi. :)

Thank you again!

You're welcome!

The below article will explain what is to be done:-

Performing an HP System Recovery (Windows Vista)

Next:

Most new machines when shipped by the vendors tend to come with all kinds of dross pre-installed and if the inbuilt recovery partition is invoked like you just did with the HP, basically it is back as was when first booted up etc.

So this application here is worth both downloading and running.

--------------

Install all critical updates and relevant service packs via Windows Update. For Vista the latest is SP2.

I would also ensure Internet Explorer is up to date also. For Vista based machines it is IE9. Reason being even if you opt not to use IE as your main browser having an out-of-date version installed can leave any one machine vulnerable to malware.

The aforementioned should be available via Windows Update, if not can be downloaded from here.

Once the machine is updated and fully patched, I do advise visiting Windows Update periodically as Microsoft releases patches for Windows and other products regularly.

Plus check Automatic Updates is enabled.

--------------

Then install an Anti-Virus software solution, only ever have one of such installed and active in system memory at any one time.

Either of the below will suffice:-

Whichever of the above you choose to install, automatically checks for updates and downloads/installs them with every system reboot and/or periodically if the machine is left running providing an internet connection is active.

I advise you also run a complete scan with this at least once per week.

--------------

Installing a specific Anti-Spyware application would be prudent, myself I recommend:-

Malwarebytes' Anti-Malware

During the installation process you will be offered the Malwarebytes' Anti-Malware Trial. Your choice to enable or not...

After installing, I advise check for updates and run a scan at least once per week.

--------------

Emergency Recovery Utility NT. I advise you consider installing this, as a means to keep a complete backup of your registry and restore it when needed. Instructions can be read here.

Myself I would actually create a new back up once per week as this along with System Restore may prove to be invaluable if something unforeseen occurs!

--------------

A custom Host-File is a further layer of protection whilst browsing online.

Either of the below will suffice:-

Only use one of the above!

--------------

Consider installing WinPatrol. This application alerts you about possible system hijacks, malware attacks and critical changes made to your computer without your permission.

Download it from here.

You can find information about how WinPatrol works here.

--------------

Finally, consider installing FileHippo Update Checker...Then periodically use it to check for any updates as having certain software outdated is a potential for malware to gain a foothold and exploit a system etc.
  • 0

#9
WBLG123

WBLG123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 48 posts
Thank you so much, the restore worked wonderfully. I am in the process of patching everything up and downloading protective software. I will post a new OTL log soon to make sure everything looks good!

Thank you again!
  • 0

#10
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
You're most welcome..no need to post a new OTL log I assure you, merely follow prior advice is all. :)
  • 0

#11
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,772 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





