
Java:Agent virus found by Avast boot time scan [Solved]

This topic is locked.

#1 nehac (Member, 78 posts)
Edit: Upon starting the computer yesterday (Jun 15) there are two files titled "desktop.ini" showing up on my desktop. They were not there before.

Hi, last night my sister was using my laptop and received a message to run a boot-time scan of Avast.

Upon doing so today, there were a few issues found, which I moved into the Avast chest.
These include:
Java:Malware-gen [Trj]
Java:Agent-AVF [Expl]
Java:Agent-ANE [Expl]
Java:CVE-2011-3544-AZ [Expl]
Java:Agent-AML [Expl]
Java:Agent-AMH [Expl]
Java:Agent-APP [Expl]
Java:Agent-AMI [Expl]
Java:Agent-AMK [Expl]

Now, I have checked before and have updated Java recently and uninstalled the older version from the computer. Just want to make sure everything is okay with the computer.

Would appreciate any help.
Thank you.

Here is the OTL log:

OTL logfile created on: 13/06/2013 6:53:23 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Neha\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1.99 Gb Total Physical Memory | 0.86 Gb Available Physical Memory | 43.44% Memory free
4.21 Gb Paging File | 2.91 Gb Available in Paging File | 69.11% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 136.74 Gb Total Space | 85.16 Gb Free Space | 62.28% Space Free | Partition Type: NTFS
Drive D: | 9.77 Gb Total Space | 5.23 Gb Free Space | 53.52% Space Free | Partition Type: NTFS

Computer Name: NEHA-PC2 | User Name: Neha | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Neha\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Real\RealPlayer\Update\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
PRC - C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (Trusteer Ltd.)
PRC - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (Trusteer Ltd.)
PRC - C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe ()
PRC - C:\Program Files\Secunia\PSI\sua.exe (Secunia)
PRC - C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\DellTPad\ApntEx.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\DellTPad\ApMsgFwd.exe (Alps Electric Co., Ltd.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\conime.exe (Microsoft Corporation)
PRC - C:\Program Files\DellTPad\hidfind.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
PRC - C:\Program Files\Dell\DellDock\DockLogin.exe (Stardock Corporation)
PRC - C:\Windows\OEM02Mon.exe (Creative Technology Ltd.)
PRC - C:\Program Files\Dell\MediaDirect\PCMService.exe (CyberLink Corp.)
PRC - C:\Windows\System32\AEstSrv.exe (Andrea Electronics Corporation)
PRC - C:\Windows\System32\stacsv.exe (IDT, Inc.)
PRC - C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\3da65115bf9debbf564861f6b123a2e4\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\e9ea3e70247b4aa4a8b260426db3aa6b\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\421cb77e6a4c21f94e3c5ddf766de23b\System.Web.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\VistaBridgeLibrary\e2c8b42e90615454cb7222c0497c1649\VistaBridgeLibrary.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\DellDock\f299b7e05756196d0c8513a2f0e24b60\DellDock.ni.exe ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\MyDock.Util\4bbe8fd74505a3cefbcf4d9476ea1e6b\MyDock.Util.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\f042f66c2ad8fd5b8c34fa22cd22079e\System.Management.ni.dll ()
MOD - C:\ProgramData\Trusteer\Rapport\store\exts\RapportMS\baseline\RapportMS.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\b5df40c22ab563a816103629e2ca99d4\System.Runtime.Remoting.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\b757806657fa5db2b1ed1a89b026b463\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\78157a494dc9a7e52be8840decfcd9cc\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\cc149d08e75f8c53cd28ac926b38c370\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\2227d1559f87943255069398608d5c56\mscorlib.ni.dll ()
MOD - C:\Program Files\Trusteer\Rapport\bin\js32.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Windows\System32\bcmwlrmt.dll ()


========== Services (SafeList) ==========

SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (AdobeARMservice) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
SRV - (RapportMgmtService) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (Trusteer Ltd.)
SRV - (RealNetworks Downloader Resolver Service) -- C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe ()
SRV - (Secunia PSI Agent) -- C:\Program Files\Secunia\PSI\psia.exe (Secunia)
SRV - (Secunia Update Agent) -- C:\Program Files\Secunia\PSI\sua.exe (Secunia)
SRV - (GoToAssist) -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe (Citrix Online, a division of Citrix Systems, Inc.)
SRV - (DockLoginService) -- C:\Program Files\Dell\DellDock\DockLogin.exe (Stardock Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (AESTFilters) -- C:\Windows\System32\AEstSrv.exe (Andrea Electronics Corporation)
SRV - (STacSV) -- C:\Windows\System32\stacsv.exe (IDT, Inc.)
SRV - (IAANTMON) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)


========== Driver Services (SafeList) ==========

DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found
DRV - (aswSnx) -- C:\Windows\System32\drivers\aswSnx.sys (AVAST Software)
DRV - (aswSP) -- C:\Windows\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswVmm) -- C:\Windows\System32\drivers\aswVmm.sys ()
DRV - (aswTdi) -- C:\Windows\System32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswRvrt) -- C:\Windows\System32\drivers\aswRvrt.sys ()
DRV - (aswMonFlt) -- C:\Windows\System32\drivers\aswMonFlt.sys (AVAST Software)
DRV - (aswRdr) -- C:\Windows\System32\drivers\aswRdr.sys (AVAST Software)
DRV - (aswFsBlk) -- C:\Windows\System32\drivers\aswFsBlk.sys (AVAST Software)
DRV - (RapportPG) -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (Trusteer Ltd.)
DRV - (RapportEI) -- C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys (Trusteer Ltd.)
DRV - (RapportKELL) -- C:\Windows\System32\drivers\RapportKELL.sys (Trusteer Ltd.)
DRV - (RapportCerberus_51755) -- C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_51755.sys ()
DRV - (BCM42RLY) -- C:\Windows\System32\drivers\bcm42rly.sys (Broadcom Corporation)
DRV - (PSI) -- C:\Windows\System32\drivers\psi_mf.sys (Secunia)
DRV - (ApfiltrService) -- C:\Windows\System32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (IntcHdmiAddService) -- C:\Windows\System32\drivers\IntcHdmi.sys (Intel® Corporation)
DRV - (OEM02Vfx) -- C:\Windows\System32\drivers\OEM02Vfx.sys (EyePower Games Pte. Ltd.)
DRV - (OEM02Dev) -- C:\Windows\System32\drivers\OEM02Dev.sys (Creative Technology Ltd.)
DRV - (e1express) -- C:\Windows\System32\drivers\e1e6032.sys (Intel Corporation)
DRV - (STHDA) -- C:\Windows\System32\drivers\stwrt.sys (IDT, Inc.)
DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC)
DRV - (R300) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (WimFltr) -- C:\Windows\System32\drivers\WimFltr.sys (Microsoft Corporation)
DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.live.ca [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.live.ca [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKLM\..\SearchScopes\{8980E441-C32A-4ABA-92A7-46160AAEB620}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.live.ca [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {05D2DF68-C038-411D-BE8C-E059FC44DDD2}
IE - HKCU\..\SearchScopes\{05D2DF68-C038-411D-BE8C-E059FC44DDD2}: "URL" = http://search.live.c...ferrer:source?}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKCU\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = http://127.0.0.1:466...q={searchTerms}
IE - HKCU\..\SearchScopes\{8CE64232-A854-4959-9F18-3D22A2F4475E}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKCU\..\SearchScopes\{B3772213-7182-458C-A917-41A74825DB26}: "URL" = http://websearch.ask...34-627F47230532
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Google"
FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.bing.com/...TDF&PC=WLEM&q="
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledAddons: DivXWebPlayer%40divx.com:2.0.2.039
FF - prefs.js..extensions.enabledAddons: %7B6614d11d-d21d-b211-ae23-815234e1ebb5%7D:2.7.5
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:21.0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.21.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.21.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3555.0308: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=16.0.2.32: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlchromebrowserrecordext;version=1.3.2: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlhtml5videoshim;version=1.3.2: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlpepperflashvideoshim;version=1.3.2: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.6.14: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.6.14: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=16.0.2.32: c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF - HKLM\Software\MozillaPlugins\@realnetworks.com/npdlplugin;version=1: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Users\Neha\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Alwil Software\Avast5\WebRep\FF [2013/05/10 12:53:25 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FCE04E1F-9378-4f39-96F6-5689A9159E45}: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\ [2013/05/29 18:00:16 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/05/29 17:56:07 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/05/29 17:58:18 | 000,000,000 | ---D | M]

[2008/08/23 21:23:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Neha\AppData\Roaming\Mozilla\Extensions
[2013/05/09 19:58:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Neha\AppData\Roaming\Mozilla\Firefox\Profiles\bd8ek5km.default\extensions
[2013/03/24 17:08:39 | 000,000,000 | ---D | M] (United States English Spellchecker) -- C:\Users\Neha\AppData\Roaming\Mozilla\Firefox\Profiles\bd8ek5km.default\extensions\[email protected]
[2012/10/22 16:26:19 | 000,550,833 | ---- | M] () (No name found) -- C:\Users\Neha\AppData\Roaming\Mozilla\Firefox\Profiles\bd8ek5km.default\extensions\[email protected]
[2012/12/01 12:23:20 | 000,164,308 | ---- | M] () (No name found) -- C:\Users\Neha\AppData\Roaming\Mozilla\Firefox\Profiles\bd8ek5km.default\extensions\{6614d11d-d21d-b211-ae23-815234e1ebb5}.xpi
[2013/05/09 19:58:18 | 000,870,680 | ---- | M] () (No name found) -- C:\Users\Neha\AppData\Roaming\Mozilla\Firefox\Profiles\bd8ek5km.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2012/09/21 19:21:13 | 000,002,299 | ---- | M] () -- C:\Users\Neha\AppData\Roaming\Mozilla\Firefox\Profiles\bd8ek5km.default\searchplugins\askcom.xml
[2010/10/26 20:29:10 | 000,001,832 | ---- | M] () -- C:\Users\Neha\AppData\Roaming\Mozilla\Firefox\Profiles\bd8ek5km.default\searchplugins\bing.xml
[2013/05/17 18:18:54 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013/05/17 18:18:54 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2013/05/29 17:57:45 | 000,124,504 | ---- | M] (RealPlayer) -- C:\Program Files\mozilla firefox\plugins\nprpplugin.dll

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR - homepage: http://www.google.com
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: avast! Online Security = C:\Users\Neha\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki\8.0.6_0\
CHR - Extension: RealDownloader = C:\Users\Neha\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji\1.3.1_0\
CHR - Extension: RealDownloader = C:\Users\Neha\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji\1.3.2_0\

O1 HOSTS File: ([2011/11/25 11:52:21 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (RealNetworks Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avast] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [DELL Webcam Manager] C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\MediaDirect\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)
O4 - Startup: C:\Users\Neha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKCU\..Trusted Domains: secunia.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2E08DF09-B3A1-420F-878E-C4AE240E1D34}: DhcpNameServer = 205.188.146.145
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll) - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img31.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img31.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/06/13 18:23:16 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Neha\Desktop\OTL.exe
[2013/06/12 22:52:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2013/06/12 22:51:04 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2013/06/12 22:50:50 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2013/06/12 22:50:50 | 000,000,000 | ---D | C] -- C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
[2013/05/29 18:02:17 | 000,000,000 | ---D | C] -- C:\Users\Neha\AppData\Roaming\RealNetworks
[2013/05/29 18:00:14 | 000,000,000 | ---D | C] -- C:\Program Files\RealNetworks
[2013/05/29 18:00:12 | 000,000,000 | ---D | C] -- C:\ProgramData\RealNetworks
[2013/05/29 17:55:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2013/05/29 17:55:05 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2013/05/29 17:32:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Defraggler
[2013/05/29 17:32:45 | 000,000,000 | ---D | C] -- C:\Program Files\Defraggler
[2013/05/29 17:27:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iCloud
[2013/05/17 18:18:09 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]
[1 C:\Users\Neha\Documents\*.tmp files -> C:\Users\Neha\Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/06/13 18:53:15 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/06/13 18:28:01 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013/06/13 18:23:18 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Neha\Desktop\OTL.exe
[2013/06/13 18:18:24 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013/06/13 18:13:48 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013/06/13 18:13:47 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013/06/13 18:11:11 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/06/12 23:24:08 | 000,000,924 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-3050332229-2584247302-3963020623-1000UA.job
[2013/06/12 22:52:29 | 000,001,666 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2013/06/12 22:50:10 | 000,609,196 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/06/12 22:50:10 | 000,108,672 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/06/05 11:24:00 | 000,000,902 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-3050332229-2584247302-3963020623-1000Core.job
[2013/05/31 14:45:27 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2013/05/29 18:00:28 | 000,000,847 | ---- | M] () -- C:\Users\Public\Desktop\RealPlayer.lnk
[2013/05/29 17:57:32 | 000,272,896 | ---- | M] (Progressive Networks) -- C:\Windows\System32\pncrt.dll
[2013/05/29 17:55:33 | 000,001,728 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2013/05/29 17:43:01 | 000,000,806 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2013/05/29 17:32:54 | 000,001,704 | ---- | M] () -- C:\Users\Public\Desktop\Defraggler.lnk
[2013/05/18 11:24:30 | 000,395,232 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]
[1 C:\Users\Neha\Documents\*.tmp files -> C:\Users\Neha\Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/06/12 22:52:29 | 000,001,666 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2013/05/29 18:00:28 | 000,000,847 | ---- | C] () -- C:\Users\Public\Desktop\RealPlayer.lnk
[2013/05/29 17:55:33 | 000,001,728 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2013/05/29 17:32:54 | 000,001,704 | ---- | C] () -- C:\Users\Public\Desktop\Defraggler.lnk
[2013/03/13 23:28:59 | 000,174,664 | ---- | C] () -- C:\Windows\System32\drivers\aswVmm.sys
[2013/03/13 23:28:56 | 000,049,376 | ---- | C] () -- C:\Windows\System32\drivers\aswRvrt.sys
[2009/05/07 18:14:51 | 000,000,680 | ---- | C] () -- C:\Users\Neha\AppData\Local\d3d9caps.dat
[2008/11/02 19:15:56 | 000,010,240 | ---- | C] () -- C:\Users\Neha\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/10/26 20:05:54 | 000,000,170 | ---- | C] () -- C:\Users\Neha\AppData\Roaming\wklnhst.dat
[2008/08/20 17:50:31 | 000,008,248 | ---- | C] () -- C:\Users\Neha\AppData\Local\en.ini

========== ZeroAccess Check ==========

[2006/11/02 08:51:16 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 13:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 02:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 02:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2009/02/14 20:48:09 | 000,000,000 | ---D | M] -- C:\Users\Neha\AppData\Roaming\DataSafeOnline
[2010/05/06 20:00:10 | 000,000,000 | ---D | M] -- C:\Users\Neha\AppData\Roaming\NVD
[2008/11/19 18:05:02 | 000,000,000 | ---D | M] -- C:\Users\Neha\AppData\Roaming\OpenOffice.org
[2011/05/27 23:06:55 | 000,000,000 | ---D | M] -- C:\Users\Neha\AppData\Roaming\PCDr
[2011/11/21 01:00:17 | 000,000,000 | ---D | M] -- C:\Users\Neha\AppData\Roaming\SoftGrid Client
[2008/10/26 20:05:55 | 000,000,000 | ---D | M] -- C:\Users\Neha\AppData\Roaming\Template
[2011/11/25 19:06:01 | 000,000,000 | ---D | M] -- C:\Users\Neha\AppData\Roaming\TMP
[2010/05/06 19:59:49 | 000,000,000 | ---D | M] -- C:\Users\Neha\AppData\Roaming\TP

========== Purity Check ==========



< End of report >

Edited by nehac, 15 June 2013 - 03:58 PM.




#2 Crowbar (Teacher, GeekU Moderator, 4,798 posts)
Hello nehac and welcome to the Virus, Spyware, Malware Removal forum !!

My name is Crowbar and I'll be the malware removal Geek that will be helping you remove any infections you may have on your computer.

  • Please read all of my response through at least once before attempting to follow the procedures described.
  • Please save my instructions as a text file on your desktop, or print them out, as you may not be able to access this thread at times.
  • Please follow the steps exactly as written, in the same order.
  • If there's anything you don't understand or isn't totally clear, please ask me any questions that you may have.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.
  • This process is not an instant process - please stick with me until I tell you that your machine is clean. If you don't see any symptoms it does not mean your system is clear of malware.
  • Please don't run any other scans or other software unless I ask you to, as it will make this repair more difficult.
Also please note before we begin:
Please be aware that removing Malware can be a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot 100% guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
Because of this, I advise you to backup any personal files and folders before we start.

I gotta tell you that if you really don't use Java, you should uninstall it, as it's really the most exploited and picked on program out there right now.
The desktop.ini file(s) on your desktop tells me that you are viewing hidden and system files. That is normal behaviour after running OTL, and will be reset back to normal when we run the cleanup utility in OTL.
I don't see much in there, but would like to take a different look or 2 if you don't mind.

Step 1
We need to do an OTL fix:

Note: If you have Malwarebytes 1.6 or higher installed please disable it for the duration of this fix as it may interfere with the successful execution of the script below. If it still hangs then please uninstall MalwareBytes' and run this fix again.
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :commands
    [createrestorepoint]
    :OTL
    IE - HKCU\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = http://127.0.0.1:466...q={searchTerms}
    IE - HKCU\..\SearchScopes\{B3772213-7182-458C-A917-41A74825DB26}: "URL" = http://websearch.ask...34-627F47230532
    FF - prefs.js..browser.search.order.1: "Ask.com"
    FF - prefs.js..browser.search.selectedEngine: "Ask.com"
    :commands
    [emptytemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log it produces in your next reply.

Step 2
Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete


Once done it will ask to reboot, allow this
On reboot a log will be produced at C:\ADWCleaner[XX].txt please attach that

Step 3
Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it

Click the [Scan] button to start scan

On completion of the scan click [Save log], save it to your desktop and post in your next reply

In your next reply I would like to see:
  • OTL fix log
  • ADWcleaner log
  • aswMBR log
  • Any symptoms, like your antivirus finding anything else?

  • 0

#3
nehac

nehac

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
Thank you for the response.
I will post the scan results in separate posts.

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{70D46D94-BF1E-45ED-B567-48701376298E}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B3772213-7182-458C-A917-41A74825DB26}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B3772213-7182-458C-A917-41A74825DB26}\ not found.
Prefs.js: "Ask.com" removed from browser.search.order.1
Prefs.js: "Ask.com" removed from browser.search.selectedEngine
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 57472 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Neha
->Temp folder emptied: 202363 bytes
->Temporary Internet Files folder emptied: 64236617 bytes
->Java cache emptied: 1395707 bytes
->FireFox cache emptied: 481886470 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 74981 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 91239961 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 185718 bytes

Total Files Cleaned = 610.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 06152013_225532

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

Edited by nehac, 15 June 2013 - 09:16 PM.

  • 0

#4
nehac

nehac

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
Attached you will find the AdwCleaner log

Attached Files


  • 0

#5
nehac

nehac

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
Here is the last log.
Currently the system appears to be okay with no error messages and such. Will perform another boot time avast scan tomorrow to make sure there aren't any more items found.

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-06-15 23:29:01
-----------------------------
23:29:01.257 OS Version: Windows 6.0.6002 Service Pack 2
23:29:01.257 Number of processors: 2 586 0xF0D
23:29:01.260 ComputerName: NEHA-PC2 UserName: Neha
23:29:04.538 Initialize success
23:29:06.480 AVAST engine defs: 13061501
23:29:36.655 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
23:29:36.660 Disk 0 Vendor: SAMSUNG_ HH10 Size: 152627MB BusType: 3
23:29:36.965 Disk 0 MBR read successfully
23:29:36.969 Disk 0 MBR scan
23:29:36.975 Disk 0 Windows VISTA default MBR code
23:29:36.997 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
23:29:37.029 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10000 MB offset 81920
23:29:37.052 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 140026 MB offset 20561920
23:29:37.059 Disk 0 Partition - 00 0F Extended LBA 2559 MB offset 307337216
23:29:37.177 Disk 0 Partition 4 00 DD MSDOS5.0 2558 MB offset 307339264
23:29:37.216 Disk 0 scanning sectors +312578048
23:29:37.401 Disk 0 scanning C:\Windows\system32\drivers
23:30:01.891 Service scanning
23:30:26.860 Modules scanning
23:30:38.403 Disk 0 trace - called modules:
23:30:38.415
23:30:45.881 AVAST engine scan C:\Windows
23:30:59.705 AVAST engine scan C:\Windows\system32
23:35:08.134 AVAST engine scan C:\Windows\system32\drivers
23:35:26.536 AVAST engine scan C:\Users\Neha
23:39:08.623 AVAST engine scan C:\ProgramData
23:45:58.055 Scan finished successfully
23:46:13.252 Disk 0 MBR has been saved successfully to "C:\Users\Neha\Desktop\MBR.dat"
23:46:13.270 The log file has been saved successfully to "C:\Users\Neha\Desktop\aswMBR.txt"
  • 0

#6
Crowbar

Crowbar

    Teacher

  • GeekU Moderator
  • 4,798 posts
Hi,
You can paste in the log files, try not to attach them.
Adware looks gone now, and your MBR looks good, so let's sweep for any remains. Otherwise it's looking pretty good so far.
Try to do at least steps 1 and 2 before you do the avast boot time scan.
I don't have Avast, is there a log file available from when it found those Java exploits? I would like to see where they were hiding. If you can't find the log from within Avast, try looking here:
C:\ProgramData\Avast Software\Avast\report\aswBoot.txt

Step 1
Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 2
Note: You can use either Internet Explorer or Mozilla FireFox for this Scan.

Vista / 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

Please go here then click on: Posted Image
You will however need to disable your current installed Anti-Virus, how to do so can be read here.

If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the following instructions work with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Step 3
Download Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

In your next reply I would like to see:
  • MalwareBytes log
  • ESET scan log - careful, this one is easy to lose.
  • checkup.txt from security check

  • 0

#7
nehac

nehac

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
Hi, sorry about that. Thought the instruction said to attach that one log *oops*

Here is the Avast scan from before:
06/13/2013 11:11
Scan of all local drives

File C:\Users\Neha\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\1fa06fc1-166f02fc|>smbkhrnvpetuqumq\bkajnhkcaatplhjhmtclr.class is infected by Java:Malware-gen [Trj], Moved to chest
File C:\Users\Neha\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\1fa06fc1-166f02fc|>smbkhrnvpetuqumq\esqmyjbsfultpmmybupdr.class is infected by Java:Agent-ANE [Expl], Moved to chest
File C:\Users\Neha\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\1fa06fc1-166f02fc|>smbkhrnvpetuqumq\jjvefskfgsqheydmybmfw.class is infected by Java:Agent-AVF [Expl], Moved to chest
File C:\Users\Neha\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\1fa06fc1-166f02fc|>smbkhrnvpetuqumq\kvkbwmcrgqfgnrgsgpkwj.class is infected by Java:Malware-gen [Trj], Moved to chest
File C:\Users\Neha\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\1fa06fc1-166f02fc|>smbkhrnvpetuqumq\wpdtvtffmqwgcpueqneuf.class is infected by Java:Malware-gen [Trj], Moved to chest
File C:\Users\Neha\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\67db042-693dcc4a|>j.class is infected by Java:Malware-gen [Trj], Moved to chest
File C:\Users\Neha\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\67db042-693dcc4a|>Final.class is infected by Java:CVE-2011-3544-AZ [Expl], Moved to chest
File C:\Users\Neha\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\67db042-693dcc4a|>n.class is infected by Java:Malware-gen [Trj], Moved to chest
File C:\Users\Neha\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\7394ad18-6eb40df9|>datas\wall.class is infected by Java:Agent-AML [Expl], Moved to chest
File C:\Users\Neha\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\7394ad18-6eb40df9|>datas\b.class is infected by Java:Agent-AMI [Expl], Moved to chest
File C:\Users\Neha\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\7394ad18-6eb40df9|>datas\r.class is infected by Java:Agent-APP [Expl], Moved to chest
File C:\Users\Neha\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\7394ad18-6eb40df9|>datas\a.class is infected by Java:Agent-AMK [Expl], Moved to chest
File C:\Users\Neha\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\7394ad18-6eb40df9|>datas\s.class is infected by Java:Agent-AMH [Expl], Moved to chest
File C:\Users\Neha\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\dcfd067-63db02cd|>dhycnvdbqlpbdahs.class is infected by Java:Agent-ANE [Expl], Moved to chest
----------------------------------------
06/13/2013 16:26
Scan of all local drives

Number of searched folders: 28764
Number of tested files: 825612
Number of infected files: 0

I had run it twice since the first scan I didn't think completed.
Will post the new requests in the next post.

Edited by nehac, 16 June 2013 - 03:12 PM.

  • 0
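The Avast report above is the useful artefact in this thread: every hit is an archive member (the `|>` separator marks a file inside a JAR) under the user's Java deployment cache, and every one was moved to the chest (quarantined). The following parser is an added example, not part of the original thread or of Avast; it extracts the container, member, signature name, threat class and action from lines in the posted format and counts how many detections sit in the Java cache, which is what the helper later asks about. The sample report reuses three lines from the post and adds one constructed non-cache line (path and signature name are placeholders) so both branches are exercised.

```python
"""Summarise Avast boot-time scan (aswBoot.txt style) detection lines.

Added example for this thread. Line format is taken from the report posted
above; the sample text below mixes real lines from that post with one
constructed placeholder line so that the non-cache branch is exercised.
"""
import re
from collections import defaultdict

# One detection per line, as Avast writes it:
#   File <path>[|><member>] is infected by <signature> [<class>], <action>
# "|>" separates a container (JAR/ZIP/CAB) from the member found inside it.
LINE_RE = re.compile(
    r"^File (?P<path>.+?) is infected by (?P<sig>\S+) \[(?P<kind>[^\]]+)\], (?P<action>.+)$"
)

# Java applet / Web Start cache location under the user profile (lower-cased
# for a case-insensitive substring match on Windows paths).
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"


def parse_detection(line):
    """Return a dict for a 'File ... is infected by ...' line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    container, sep, member = m.group("path").partition("|>")
    return {
        "container": container,
        "member": member if sep else None,   # None when the hit is a plain file
        "signature": m.group("sig"),
        "kind": m.group("kind"),             # Expl = exploit, Trj = trojan
        "action": m.group("action"),         # "Moved to chest" = quarantined
        "in_java_cache": JAVA_CACHE_MARKER in container.lower(),
    }


def summarize(report_text):
    """Group detections by container and count cache-resident and quarantined hits."""
    summary = {
        "total": 0,
        "quarantined": 0,
        "in_java_cache": 0,
        "exploits": 0,
        "containers": defaultdict(list),
    }
    for line in report_text.splitlines():
        d = parse_detection(line)
        if d is None:
            continue  # headers, dates, separators and statistics lines
        summary["total"] += 1
        summary["quarantined"] += int(d["action"].startswith("Moved to chest"))
        summary["in_java_cache"] += int(d["in_java_cache"])
        summary["exploits"] += int(d["kind"] == "Expl")
        summary["containers"][d["container"]].append((d["member"], d["signature"]))
    summary["containers"] = dict(summary["containers"])
    return summary


# Three lines from the report posted in this thread plus one constructed
# placeholder line (path and signature are made up for the example).
SAMPLE_REPORT = r"""06/13/2013 11:11
Scan of all local drives

File C:\Users\Neha\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\1fa06fc1-166f02fc|>smbkhrnvpetuqumq\bkajnhkcaatplhjhmtclr.class is infected by Java:Malware-gen [Trj], Moved to chest
File C:\Users\Neha\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\1fa06fc1-166f02fc|>smbkhrnvpetuqumq\esqmyjbsfultpmmybupdr.class is infected by Java:Agent-ANE [Expl], Moved to chest
File C:\Users\Neha\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\67db042-693dcc4a|>Final.class is infected by Java:CVE-2011-3544-AZ [Expl], Moved to chest
File C:\Users\Neha\Downloads\constructed_sample.exe is infected by Win32:Placeholder-gen [Trj], Moved to chest
----------------------------------------
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['total']} detections, {s['quarantined']} quarantined, "
          f"{s['in_java_cache']} inside the Java deployment cache, {s['exploits']} exploit-class")
    for container, members in s["containers"].items():
        print(container)
        for member, sig in members:
            print(f"    {member or '<file itself>'}  ->  {sig}")
```

The grouping by container is the part an analyst wants: one cached JAR holding several exploit classes is a single drive-by exploit kit payload, not several separate infections, and "Moved to chest" on every line confirms Avast quarantined rather than merely reported them. Cached applets in this folder prove that a malicious page was visited; whether the exploit actually ran depends on the Java version in use at the time, which is why the helper's advice to remove or update Java is the real fix.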

#8
nehac

nehac

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.16.04

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Neha :: NEHA-PC2 [administrator]

16/06/2013 5:15:19 PM
mbam-log-2013-06-16 (17-15-19).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 214396
Time elapsed: 11 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
  • 0

#9
nehac

nehac

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
C:\Users\Neha\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\stub_data\stubinst_pkg_en-us.cab Win32/OpenCandy application

ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=87be5a0edee691498b4be65b860a8ca6
# engine=14089
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-06-17 12:08:39
# local_time=2013-06-16 08:08:39 (-0500, Eastern Daylight Time)
# country="Canada"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5892 16776573 100 100 97356 208035291 0 0
# scanned=145617
# found=1
# cleaned=0
# scan_time=8950
sh=2D6C24702A783B58258D647A62D3E2AEE62A200B ft=0 fh=0000000000000000 vn="Win32/OpenCandy application" ac=I fn="C:\Users\Neha\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\stub_data\stubinst_pkg_en-us.cab"
  • 0

#10
nehac

nehac

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
Results of screen317's Security Check version 0.99.64
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 10
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
avast! Antivirus
Antivirus out of date!
`````````Anti-malware/Other Utilities Check:`````````
CA Yahoo! Anti-Spy (remove only)
Secunia PSI (2.0.0.4003)
Malwarebytes Anti-Malware version 1.75.0.1300
CCleaner
Java 7 Update 21
Adobe Flash Player 11.7.700.224
Adobe Reader 8
Adobe Reader XI
Mozilla Firefox (21.0)
Google Chrome 27.0.1453.110
Google Chrome 27.0.1453.94
````````Process Check: objlist.exe by Laurent````````
Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````
  • 0



#11
Crowbar

Crowbar

    Teacher

  • GeekU Moderator
  • 4,798 posts
Hi, thanks for the info from Avast.

Step 1
We need to do an OTL fix:

Note: If you have Malwarebytes 1.6 or higher installed please disable it for the duration of this fix as it may interfere with the successful execution of the script below. If it still hangs then please uninstall MalwareBytes' and run this fix again.
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :commands
    [createrestorepoint]
    :OTL
    :files
    C:\Users\Neha\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\stub_data\stubinst_pkg_en-us.cab
    :commands
    [emptytemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log it produces in your next reply.

Step 2
As you can probably see, your Avast AV program is not up to date, can you please check it to make sure it has the latest definitions.
Also, I see you have adobe reader 8 installed along with the new version XI.
I would uninstall version 8, unless there is a particular reason you need to keep the older one.
I see you have CCleaner installed. While the features to clean up temp files and folders in this program are ok, please stay far away from the registry cleaning section. This can cause some serious damage to your operating system.

It looks like Avast had quarantined the offending Java exploits, and we cleared out the Java cache during the last OTL fix, so I think you are looking good.
I would like to see the next OTL fix log and then clean up my tools in the next post.
  • 0

#12
nehac

nehac

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
Thank you. I will edit this with the new log.
I have checked Avast for both software and definition updates and it shows that they are up to date... Will double check on the website to make sure.

Also, I didn't realize that adobe reader 8 is still installed. When I go into control panel--> add/remove program, I only see adobe reader XI there.
Sorry for the noob question, but where can I uninstall version 8 from?


All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
========== FILES ==========
C:\Users\Neha\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\stub_data\stubinst_pkg_en-us.cab moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Neha
->Temp folder emptied: 73175 bytes
->Temporary Internet Files folder emptied: 1237042 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 114487016 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 602 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 534669 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 111.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 06172013_123010

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

Edited by nehac, 17 June 2013 - 10:41 AM.

  • 0

#13
Crowbar

Crowbar

    Teacher

  • GeekU Moderator
  • 4,798 posts
Ok, as long as your newer Adobe reader is the default program that opens PDF files, it's less risky. Do you still have the Extras.txt file that was generated on the first run of OTL? Please post it if you find it; it should be on your desktop. That will tell us what is installed.

It might be a glitch in the Security Check program. Same with the Avast updates, if the program says it's updated, I'm satisfied.

If you can't find Extras.txt then re-run OTL, and click on the None button
look down and find the Extra Registry section.
In there select the Use SafeList option and then click on the Run Scan button up top.

This will generate a mostly blank OTL log, and a fresh copy of Extras.txt - please post the Extras.txt file.
  • 0

#14
nehac

nehac

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
This is the original extras log:

OTL Extras logfile created on: 13/06/2013 6:53:23 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Neha\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1.99 Gb Total Physical Memory | 0.86 Gb Available Physical Memory | 43.44% Memory free
4.21 Gb Paging File | 2.91 Gb Available in Paging File | 69.11% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 136.74 Gb Total Space | 85.16 Gb Free Space | 62.28% Space Free | Partition Type: NTFS
Drive D: | 9.77 Gb Total Space | 5.23 Gb Free Space | 53.52% Space Free | Partition Type: NTFS

Computer Name: NEHA-PC2 | User Name: Neha | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1EBDB3E8-7E28-4D2E-B6E8-9A963E677C83}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{203F1293-CB4A-4FCC-972D-CC04EF819E24}" = lport=138 | protocol=17 | dir=in | app=system |
"{30329D08-09ED-428C-A89F-6B66C82B62E8}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{3CECC815-FF9C-4E02-B7BD-8D28FCEBF731}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@FirewallAPI.dll,-28539 |
"{435729B3-BD2C-484C-B27E-684D9BCD562F}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{4AA6DAC9-74E3-44EF-B946-1E46E2F65686}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{65305B6E-1C40-416C-8364-C3477719895D}" = lport=2869 | protocol=6 | dir=in | app=system |
"{704AA5EC-3E0A-4FAE-B6E5-1FDD5C56E316}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{72183201-02AC-4D6C-A257-D9E08C0D52ED}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{A65BF7FC-D671-44CA-8203-7B9C7188D50B}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{B3E5544F-1010-4949-B770-03F69886FD27}" = rport=137 | protocol=17 | dir=out | app=system |
"{B7C0675B-22C7-4E24-B1D7-DE4DF894E195}" = lport=10243 | protocol=6 | dir=in | app=system |
"{BA080478-E6B6-4252-92DF-FC562285EF8D}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{BECAE3BE-AC9A-4C8C-91D0-DFBB3E52E95F}" = rport=138 | protocol=17 | dir=out | app=system |
"{C52C9EB3-1D39-4A4F-8C75-4D245661CB8E}" = lport=139 | protocol=6 | dir=in | app=system |
"{CB99AA02-1EF9-4864-8BD8-DF813F99B375}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
"{D56D0ED6-3DB6-4562-9FC9-77BC0D1233EC}" = rport=139 | protocol=6 | dir=out | app=system |
"{DB213E90-FB35-4821-9CC4-B85A711E7942}" = rport=445 | protocol=6 | dir=out | app=system |
"{DC4473AB-6FAA-4362-97AB-A6B111F188EA}" = lport=445 | protocol=6 | dir=in | app=system |
"{DCFA790E-7933-4342-8199-076E9B1FFC1C}" = rport=10243 | protocol=6 | dir=out | app=system |
"{E3E2106B-E265-454D-A92B-ADBDC287FE7B}" = lport=2869 | protocol=6 | dir=in | app=system |
"{EEC9C80D-6D07-42CC-B92B-34EAA34A94D6}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{F8B6B2F8-5B43-496B-817A-FAF8BFA9A7C9}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{FE2AE733-9825-48ED-849B-E12A98FD7D29}" = lport=137 | protocol=17 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0D58BDA5-ADF4-4FA7-8992-CB67C7BD8145}" = protocol=17 | dir=in | app=c:\program files\hp\hp deskjet 3050 j610 series\bin\hpnetworkcommunicator.exe |
"{0F5122E0-62D1-4937-A403-E97B7A57F2A8}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{14EEE45D-338B-42D5-8EFF-AA8FE3D54E6D}" = dir=in | app=c:\users\neha\appdata\local\facebook\video\skype\facebookvideocalling.exe |
"{14FF4383-9012-4DD9-8C59-33523EC167E8}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{23A053FA-34C4-4BB8-A603-E5BAEBEFB0E9}" = protocol=6 | dir=in | app=c:\program files\hp\hp deskjet 3050 j610 series\bin\devicesetup.exe |
"{296DAFE4-92E7-4133-97EA-58ED8D3B0FBA}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{2ABCD3C3-DC5B-401B-B0B9-6E692DDAC572}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{3C2E1176-8DD4-4505-B54A-DDD1C4072C6D}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{40CE1B46-3BDF-4134-B794-A559C2DE9AED}" = protocol=6 | dir=in | app=c:\program files\hp\hp deskjet 3050 j610 series\bin\hpnetworkcommunicator.exe |
"{434EEFDF-58BC-4145-A50B-73ADFFA1F6CF}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{446B236E-527E-4BCC-B11D-6E6514D2AB13}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{4544F2DF-E0A2-4EE2-82CF-AB08200BC129}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{476775A2-D603-45CC-91A0-0EF7D5B55097}" = dir=in | app=c:\program files\dell\mediadirect\pcmservice.exe |
"{5166C8F6-AF1C-4145-9F6B-A11B12DF93AC}" = protocol=17 | dir=in | app=c:\program files\secunia\psi\psi.exe |
"{54549B62-DC7A-4892-B187-B4B9BB1EB426}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{547787B8-5522-4492-9349-FF6C8FE06C5F}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{5B0F3CE2-8E5E-4FC2-9496-B6C0DD5F92EA}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{6D226714-9E77-4CF1-9B96-119879D7662B}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{6F3F88BF-F7D5-4E9A-AC1D-B7E36C8927C0}" = protocol=58 | dir=in | [email protected],-28545 |
"{7038B98D-DC12-48B3-BF81-A8AFD8F6FA73}" = dir=in | app=c:\program files\windows live\contacts\wlcomm.exe |
"{72B709B1-700E-4A81-9CA8-1E8D462B90CC}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{77FF02B8-4D09-4916-AED6-5B8AC2DE918F}" = protocol=17 | dir=in | app=c:\program files\hp\hp deskjet 3050 j610 series\bin\devicesetup.exe |
"{7FF769BB-B77A-4B5B-818E-E255F85ED362}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{81205967-EFFB-4A1C-8225-54FDAB923255}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{92894B75-814E-48A3-9938-AA00562D1CF2}" = protocol=1 | dir=in | [email protected],-28543 |
"{9374F5B4-D423-4AFC-A69C-F89E4F0971EA}" = protocol=6 | dir=out | app=system |
"{9E3DE435-3BBE-4100-AC5C-E8B04429B79F}" = protocol=58 | dir=out | [email protected],-28546 |
"{B46A9CAB-1A3A-4E30-A734-1538A374242B}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{B65E0320-0D4D-4B00-BAF1-B2DCB0E9A779}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{C42E9B72-A4E4-42EA-9FCC-112ED889F85A}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{DE812A3C-8F7B-430B-92A2-8D598E52FD6B}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{DEEEF6F5-51C7-4EBD-BC1A-EA39AAD13CCA}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{E714F3B8-8999-47B0-9890-ED4DCE7F28B1}" = protocol=6 | dir=in | app=c:\program files\secunia\psi\psi.exe |
"{EBD27E27-A27A-4D38-8FE6-DB40AE38B055}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{EE11AFC2-4289-4E04-9BC8-A2B706678E6C}" = dir=in | app=c:\program files\itunes\itunes.exe |
"{F2A6E747-A5CF-4E16-8AB0-D43F50F2D91A}" = protocol=1 | dir=out | [email protected],-28544 |
"{F66139F2-9A1A-4CA1-A451-BB3670A0F6AF}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{FA53D7D3-F4BD-4F71-87A3-0F467CDFE6E2}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{FD52E402-C40B-4AE1-AD30-F73C4A2733F3}" = dir=in | app=c:\program files\windows live\mesh\moe.exe |
"{FFF18F5D-3D53-4D5C-83B7-E326B3236C42}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"TCP Query User{097AFC14-2702-439A-BB6F-E18FB8F9B6C2}C:\program files\mozilla firefox\plugin-container.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\plugin-container.exe |
"TCP Query User{16B34FC1-F5BD-4534-BC31-3581A983AF30}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"UDP Query User{5FA82E63-ABA1-405A-86EC-F4626548EE13}C:\program files\mozilla firefox\plugin-container.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\plugin-container.exe |
"UDP Query User{B09E58B8-BAEA-4C47-A609-3B4AD9364960}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0090A87C-3E0E-43D4-AA71-A71B06563A4A}" = Dell Support Center
"{0564C76B-8E1F-4157-8654-B0F9F308BEE9}" = HP Deskjet 3050 J610 series Basic Device Software
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{09760D42-E223-42AD-8C3E-55B47D0DDAC3}" = Roxio Creator DE
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{17504ED4-DB08-40A8-81C2-27D8C01581DA}" = Windows Live Remote Service Resources
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{19A4A990-5343-4FF7-B3B5-6F046C091EDF}" = Windows Live Remote Client
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1D5E29AD-39A9-4D0A-A8B6-46A6FCD8C995}" = Live! Cam Avatar v1.0
"{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{227E8782-B2F4-4E97-B0EE-49DE9CC1C0C0}" = Windows Live Remote Service
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{247C5DDA-FFD7-44E0-8BF7-79BC80A0BF87}" = Windows Live Family Safety
"{26A24AE4-039D-4CA4-87B4-2F83217021FF}" = Java 7 Update 21
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
"{2A3FC24C-6EC0-4519-A52B-FDA4EA9B2D24}" = Windows Live Messenger
"{2D6E3D97-1FDF-4993-AC75-72F59EC445C5}" = Windows Live Family Safety
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3DC873BB-FFE3-46BF-9701-26B9AE371F9F}" = RealDownloader
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{464B3406-A4D0-4914-910F-7CA4380DCC13}" = Windows Live Remote Client Resources
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B6AD248-D3BF-426A-8D64-847288154F13}" = QuickSet
"{4D3C9F4B-4B7D-4E5D-99B9-0123AB0D51ED}" = Dell DataSafe Online
"{4E5386F5-C0F6-4532-A54A-374865AEAB71}" = Cisco PEAP Module
"{50816F92-1652-4A7C-B9BC-48F682742C4B}" = Messenger Companion
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
"{5D09C772-ECB3-442B-9CC6-B4341C78FDC2}" = Apple Application Support
"{5DD4FCBD-A3C1-4155-9E17-4161C70AAABA}" = Segoe UI
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}" = Live! Cam Avatar Creator
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6B7B6D4D-8F9B-4CB3-8CA4-BCA9CC4C1A22}" = EDocs
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{76F9CF97-FC4B-4E20-B363-D127C888448F}" = Cisco LEAP Module
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{78A96B4C-A643-4D0F-98C2-A8E16A6669F9}" = Windows Live Messenger Companion Core
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}" = Dell Getting Started Guide
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{91FD46D2-4FB7-4A51-8637-556E1BE1DB7C}" = iTunes
"{925F1DB6-E86E-4378-9091-D1F68B0583C9}" = iCloud
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95140000-007A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{95140000-007D-0409-0000-0000000FF1CE}" = Microsoft Outlook Social Connector Provider for Windows Live Messenger 32-bit
"{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}" = OutlookAddinSetup
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}" = MediaDirect
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A0087DDE-69D0-11E2-AD57-43CA6188709B}" = Adobe AIR
"{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAECF7BA-E83B-4A10-87EA-DE0B333F8734}" = RealNetworks - Microsoft Visual C++ 2010 Runtime
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{AC76BA86-7AD7-1033-7B44-AB0000000001}" = Adobe Reader XI (11.0.03)
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{AF844339-2F8A-4593-81B3-9F4C54038C4E}" = Windows Live MIME IFilter
"{B67BAFBA-4C9F-48FA-9496-933E3B255044}" = QuickTime
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{B92C5909-1D37-4C51-8397-A28BB28E5DC3}" = Facebook Video Calling 1.2.0.287
"{BF53252E-4AB2-4C7F-A0FD-6100755745E3}" = Cisco EAP-FAST Module
"{C6150D8A-86ED-41D3-87BB-F3BB51B0B77F}" = Windows Live ID Sign-in Assistant
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E14ADE0E-75F3-4A46-87E5-26692DD626EC}" = Apple Mobile Device Support
"{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator DE
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{F63A3748-B93D-4360-9AD4-B064481A5C7B}" = Modem Diagnostic Tool
"{F6CB42B9-F033-4152-8813-FF11DA8E6A78}" = Dell Dock
"{F7632A9B-661E-4FD9-B1A4-3B86BC99847F}" = HP Deskjet 3050 J610 series Help
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Advanced Video FX Engine" = Advanced Video FX Engine
"avast" = avast! Free Antivirus
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"cayahooantispy" = CA Yahoo! Anti-Spy (remove only)
"CCleaner" = CCleaner
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F" = Conexant HDA D330 MDC V.92 Modem
"Creative OEM002" = Laptop Integrated Webcam Driver (1.04.01.1011)
"Defraggler" = Defraggler
"Dell Support Center" = Dell Support Center
"Dell Webcam Center" = Dell Webcam Center
"Dell Webcam Manager" = Dell Webcam Manager
"ENTERPRISE" = Microsoft Office Enterprise 2007
"FileHippo.com" = FileHippo.com Update Checker
"Google Chrome" = Google Chrome
"Google Desktop" = Google Desktop
"GoToAssist" = GoToAssist 8.0.0.514
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox 21.0 (x86 en-US)" = Mozilla Firefox 21.0 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Rapport_msi" = Rapport
"RealPlayer 16.0" = RealPlayer
"Secunia PSI" = Secunia PSI (2.0.0.4003)
"WinLiveSuite" = Windows Live Essentials
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 12/06/2013 10:05:21 PM | Computer Name = Neha-PC2 | Source = Windows Search Service | ID = 3013
Description =

Error - 12/06/2013 10:05:21 PM | Computer Name = Neha-PC2 | Source = Windows Search Service | ID = 3013
Description =

Error - 12/06/2013 11:18:30 PM | Computer Name = Neha-PC2 | Source = EventSystem | ID = 4621
Description =

Error - 12/06/2013 11:22:06 PM | Computer Name = Neha-PC2 | Source = WinMgmt | ID = 10
Description =

Error - 12/06/2013 11:25:10 PM | Computer Name = Neha-PC2 | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Windows\Installer\{3DC873BB-FFE3-46BF-9701-26B9AE371F9F}\recordingmanager.exe". Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 12/06/2013 11:25:10 PM | Computer Name = Neha-PC2 | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Windows\Installer\{3DC873BB-FFE3-46BF-9701-26B9AE371F9F}\recordingmanager.exe". Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 13/06/2013 4:20:07 PM | Computer Name = Neha-PC2 | Source = WinMgmt | ID = 10
Description =

Error - 13/06/2013 4:25:14 PM | Computer Name = Neha-PC2 | Source = EventSystem | ID = 4621
Description =

Error - 13/06/2013 4:25:31 PM | Computer Name = Neha-PC2 | Source = Windows Search Service | ID = 3013
Description =

Error - 13/06/2013 6:12:39 PM | Computer Name = Neha-PC2 | Source = WinMgmt | ID = 10
Description =

[ Broadcom Wireless LAN Events ]
Error - 07/02/2013 8:47:10 PM | Computer Name = Neha-PC2 | Source = WLAN-Tray | ID = 0
Description = 19:47:08, Thu, Feb 07, 13 Error - Unable to gain access to user store


Error - 07/02/2013 8:51:04 PM | Computer Name = Neha-PC2 | Source = WLAN-Tray | ID = 0
Description = 19:51:04, Thu, Feb 07, 13 Error - Unable to gain access to user store


Error - 09/02/2013 9:39:43 PM | Computer Name = Neha-PC2 | Source = WLAN-Tray | ID = 0
Description = 20:39:41, Sat, Feb 09, 13 Error - Unable to gain access to user store


Error - 26/04/2013 9:40:09 PM | Computer Name = Neha-PC2 | Source = WLAN-Tray | ID = 0
Description = 21:40:05, Fri, Apr 26, 13 Error - Unable to gain access to user store


Error - 26/04/2013 10:36:54 PM | Computer Name = Neha-PC2 | Source = WLAN-Tray | ID = 0
Description = 22:36:52, Fri, Apr 26, 13 Error - Unable to gain access to user store


Error - 30/04/2013 8:52:17 PM | Computer Name = Neha-PC2 | Source = WLAN-Tray | ID = 0
Description = 20:52:17, Tue, Apr 30, 13 Error - Unable to gain access to user store


Error - 30/04/2013 8:56:11 PM | Computer Name = Neha-PC2 | Source = WLAN-Tray | ID = 0
Description = 20:56:11, Tue, Apr 30, 13 Error - Unable to gain access to user store


Error - 01/06/2013 9:29:52 PM | Computer Name = Neha-PC2 | Source = WLAN-Tray | ID = 0
Description = 21:29:51, Sat, Jun 01, 13 Error - Unable to gain access to user store


Error - 01/06/2013 9:33:56 PM | Computer Name = Neha-PC2 | Source = WLAN-Tray | ID = 0
Description = 21:33:56, Sat, Jun 01, 13 Error - Unable to gain access to user store


Error - 08/06/2013 9:45:31 PM | Computer Name = Neha-PC2 | Source = WLAN-Tray | ID = 0
Description = 21:45:30, Sat, Jun 08, 13 Error - Unable to gain access to user store


[ OSession Events ]
Error - 06/06/2011 10:24:00 PM | Computer Name = Neha-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 18
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 12/06/2013 10:28:37 PM | Computer Name = Neha-PC2 | Source = Service Control Manager | ID = 7009
Description =

Error - 12/06/2013 10:28:37 PM | Computer Name = Neha-PC2 | Source = Service Control Manager | ID = 7000
Description =

Error - 12/06/2013 10:28:37 PM | Computer Name = Neha-PC2 | Source = DCOM | ID = 10005
Description =

Error - 12/06/2013 10:28:37 PM | Computer Name = Neha-PC2 | Source = Service Control Manager | ID = 7009
Description =

Error - 12/06/2013 10:28:37 PM | Computer Name = Neha-PC2 | Source = Service Control Manager | ID = 7000
Description =

Error - 12/06/2013 11:18:49 PM | Computer Name = Neha-PC2 | Source = DCOM | ID = 10010
Description =

Error - 12/06/2013 11:22:07 PM | Computer Name = Neha-PC2 | Source = Service Control Manager | ID = 7000
Description =

Error - 13/06/2013 4:20:08 PM | Computer Name = Neha-PC2 | Source = Service Control Manager | ID = 7000
Description =

Error - 13/06/2013 4:25:31 PM | Computer Name = Neha-PC2 | Source = DCOM | ID = 10010
Description =

Error - 13/06/2013 6:12:40 PM | Computer Name = Neha-PC2 | Source = Service Control Manager | ID = 7000
Description =


< End of report >

#15
Crowbar

    Teacher

  • GeekU Moderator
  • 4,798 posts
Hi there,
So after I looked at this in depth, I am thinking that Security Check is seeing this:

"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8

and that is what is triggering it to say that version 8 is installed. I am not positive about this, so I am going to ask the developer.
If I hear anything important I will post it here, or send you a PM if I have since closed this topic.

On to your computer, I don't see anything else in your logs that causes me any concern.

Subject to no further problems :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [resethosts]
    [emptytemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that.
  • Go to control panel
  • Select folder options (Appearance > Folder options in category view)
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.


Do you use Java? If you do not use it, you are better off uninstalling it completely. Go to your Control Panel, Uninstall a Program, then find any instance of Java in the list and click on Uninstall - do this until there are no instances of Java in the list. If you do use Java....
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version



SPRING CLEAN

Clear Restore Points

Go Start > All Programmes > Accessories > System tools
Right click Disc Cleanup and select run as administrator
When it pops up, at the first prompt select OK. After it has done some calculations the tabs will appear.
Select the More Options tab.
Press the System Restore and Shadow Copies Cleanup button.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programs on your system need updating and give a download link

It is critical to have both a firewall and antivirus to protect your system and to keep them updated. To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read these two articles:
How did I get infected in the first place ?
So how did I get infected in the first place

Keep safe :wave:
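Crowbar's hypothesis above, worked through as an added example that is not part of the thread, of OTL or of Security Check: a small Python parser for the OTL uninstall list in which a substring match for "Adobe Reader 8" catches the spelling-dictionary entry while a match anchored to the product name does not, plus a split of the Java entries into runtimes and helpers. The sample lines are copied from the posted log; the regular expressions and function names are my own assumptions, not the tools' actual logic.

```python
"""Parse the 'HKEY_LOCAL_MACHINE Uninstall List' section of an OTL log.

Added example, not part of the forum thread, OTL or Security Check. It shows
why a substring check for "Adobe Reader 8" fires on the "Spelling Dictionaries
Support For Adobe Reader 8" entry while a check anchored to the product name
does not, and splits the Java entries into runtimes and helper components.
Sample lines are copied from the log posted above; regexes are my assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

# Sample input: six lines lifted from the uninstall list in the posted OTL log.
SAMPLE_UNINSTALL_LINES = """\
"{26A24AE4-039D-4CA4-87B4-2F83217021FF}" = Java 7 Update 21
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{AC76BA86-7AD7-1033-7B44-AB0000000001}" = Adobe Reader XI (11.0.03)
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"avast" = avast! Free Antivirus
"""

# OTL prints each entry as: "<registry key name>" = <display name>
ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"\s*=\s*(?P<name>.*?)\s*$')
ROMAN_MAJOR = {"X": 10, "XI": 11}  # Adobe used Roman numerals for Reader 10/11


def parse_uninstall_list(text: str) -> Dict[str, str]:
    """Map registry key name -> display name; lines that do not match are skipped."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("key")] = m.group("name")
    return entries


def naive_reader_hits(names: List[str]) -> List[str]:
    """Substring match anywhere in the display name.

    This is the kind of check that would report 'Adobe Reader 8' on this machine:
    it also hits the dictionary support package, which is not a Reader install.
    """
    return [n for n in names if re.search(r"Adobe Reader (8|9|X|XI)\b", n)]


def reader_version(name: str) -> Optional[Tuple[int, ...]]:
    """Version of a genuine Adobe Reader product entry, or None for anything else.

    'Adobe Reader XI (11.0.03)' -> (11, 0, 3); 'Adobe Reader 8' -> (8,).
    Anchoring on the start of the display name excludes dictionaries and plugins.
    """
    m = re.match(r"^Adobe Reader (?P<major>\d+|XI|X)(?: \((?P<full>[\d.]+)\))?", name)
    if not m:
        return None
    if m.group("full"):
        return tuple(int(part) for part in m.group("full").split("."))
    major = m.group("major")
    return (ROMAN_MAJOR.get(major) or int(major),)


def strict_reader_hits(names: List[str]) -> List[str]:
    """Only entries whose display name parses as an Adobe Reader product."""
    return [n for n in names if reader_version(n) is not None]


def java_entries(names: List[str]) -> Tuple[List[str], List[str]]:
    """Split Java entries into runtimes ('Java 7 Update 21') and helpers.

    Useful for verifying the 'no instances of Java left' step in the post above.
    """
    runtimes = [n for n in names if re.match(r"^Java(\(TM\))? \d+ Update \d+", n)]
    helpers = [n for n in names if "Java" in n and n not in runtimes]
    return runtimes, helpers


if __name__ == "__main__":
    names = list(parse_uninstall_list(SAMPLE_UNINSTALL_LINES).values())
    print("naive  :", naive_reader_hits(names))   # two hits, one is a false positive
    print("strict :", strict_reader_hits(names))  # only 'Adobe Reader XI (11.0.03)'
    print("java   :", java_entries(names))
```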
