Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Win32.Downloader.gen Help! My daughter has 3 major projects due t


  • This topic is locked This topic is locked

#1
hel26

hel26

    Member

  • Member
  • PipPip
  • 28 posts
Hi, I have a dell desktop running vista, 32 bit. This week my computer started running a bit slowly, then started writing everything backwards, individual word letters and sentence word order. (in word and in everything else, including the search box). When I tried to run MBAM, I couldn't double click the icon because the arrow would jump to the top left corner of the desktop. Somehow I was able to move that icon to the top corner and ran it.

I got:
PUP.optional.conduit.A registry key
PUP.optional.search protect.A registry value
PUP.optional.search protect.A registry key
PUP.optional.conduit.A registry data

I hit remove and got rid of all but the last one. It seemed to help a bit, but the next day the same problem came back

I then ran spybot s&d and got Win32.Downloader.gen and when trying to repair got "unexpected error fixing problems. Cannot create C:wininit.ini Access denied.

Then I read that I should try the scans in safe mode:
1. Superantispyware: Trojan.agent/Gen-Backdoor This one was successfully removed, supposedly
2. Spybot again: Win32.Downloader.gen Same as before, all 4 back
3. MBAM: PUP.optional.conduit.A registry data This time successfully removed

When I went back into "regular mode" everything was clear except the win32.downloader.exe

I'm afraid to let anyone use the computer because I'm thinking that all this other malware mushroomed off of the win32 downloader. The immediate problem is that my daughter (HS senior) has three major projects due this week, one of which can't be done on our laptop because it's her AP photo project and she needs photoshop, which is only on this computer. \

Sorry if this is too long. I tried to include everything the instructions said. BTW, OTL gave me a second document "OTL extras" which I didn't post but can if you need it. Thank you








Here's my OTL scan:

OTL logfile created on: 11/30/2013 9:46:19 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Mom\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 1.49 Gb Available Physical Memory | 49.72% Memory free
6.21 Gb Paging File | 4.73 Gb Available in Paging File | 76.17% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 455.70 Gb Total Space | 270.42 Gb Free Space | 59.34% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.00 Gb Free Space | 50.03% Space Free | Partition Type: NTFS

Computer Name: HELEN-PC | User Name: Mom | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/11/30 09:45:57 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Mom\Downloads\OTL.exe
PRC - [2013/11/28 10:17:55 | 001,862,536 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_11_9_900_152.exe
PRC - [2013/11/15 16:23:35 | 000,275,568 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2013/10/25 02:34:06 | 002,480,408 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PRC - [2013/10/25 02:34:06 | 001,444,120 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2013/10/08 07:05:13 | 000,264,360 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360 Premier Edition\Engine\21.1.0.18\N360.exe
PRC - [2013/05/10 02:57:22 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/11/08 18:44:13 | 000,296,096 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\Update\realsched.exe
PRC - [2012/09/18 13:57:18 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
PRC - [2012/09/17 06:39:30 | 000,171,600 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe
PRC - [2011/11/02 01:00:44 | 000,090,448 | ---- | M] (Research In Motion Limited) -- C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
PRC - [2011/06/16 17:00:28 | 000,315,256 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
PRC - [2011/01/02 20:29:50 | 000,009,216 | ---- | M] (www.shadowexplorer.com) -- C:\Program Files\ShadowExplorer\sesvc.exe
PRC - [2010/12/14 09:49:23 | 001,169,408 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sdclt.exe
PRC - [2010/10/27 19:17:52 | 000,207,424 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
PRC - [2010/08/25 11:27:44 | 000,309,824 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2010/01/12 06:01:00 | 000,201,216 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\spool\drivers\w32x86\3\E_FATIGBA.EXE
PRC - [2009/12/03 09:12:12 | 000,976,320 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Epson Software\Event Manager\EEventManager.exe
PRC - [2009/05/15 22:24:25 | 000,335,872 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2009/05/15 22:23:56 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/01/26 14:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/08/13 23:04:44 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/08/12 22:49:30 | 000,405,504 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Software Update 3\SoftAuto.exe
PRC - [2008/07/14 07:19:58 | 000,072,704 | ---- | M] (Creative Labs) -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
PRC - [2008/04/28 15:56:28 | 000,161,048 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DockLogin.exe
PRC - [2008/01/17 07:22:20 | 004,907,008 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/12/05 06:17:24 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AERTSrv.exe
PRC - [2007/05/23 19:02:36 | 000,139,264 | ---- | M] (Primax Electronics Ltd.) -- C:\Windows\System32\pmxmiced.exe
PRC - [2007/04/02 01:15:40 | 000,061,440 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Shared Files\CTDevSrv.exe
PRC - [2006/12/19 17:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
PRC - [2006/11/27 08:14:52 | 000,180,224 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe
PRC - [2006/11/08 14:01:54 | 000,049,152 | ---- | M] (Primax Electronics Ltd.) -- C:\Windows\System32\ico.exe


========== Modules (No Company Name) ==========

MOD - [2013/11/28 10:17:55 | 016,237,448 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32_11_9_900_152.dll
MOD - [2013/11/15 16:23:34 | 003,363,952 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2013/10/31 15:01:21 | 001,127,152 | ---- | M] () -- C:\ProgramData\Trusteer\Rapport\store\exts\RapportMS\baseline\RapportMS.dll
MOD - [2012/06/27 15:09:06 | 000,557,056 | ---- | M] () -- C:\Program Files\Trusteer\Rapport\bin\js32.dll
MOD - [2009/05/15 22:22:51 | 000,159,744 | ---- | M] () -- C:\Windows\System32\atitmmxx.dll
MOD - [2006/11/20 12:29:10 | 000,101,376 | ---- | M] () -- C:\Windows\System32\APOMngr.dll
MOD - [2006/11/13 09:07:34 | 000,066,560 | ---- | M] () -- C:\Windows\System32\CmdRtr.dll


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe -- (Symantec RemoteAssist)
SRV - File not found [Auto | Running] -- C:\Program Files\Spybot -- (SBSDWSCService)
SRV - [2013/11/28 10:17:55 | 000,257,416 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/11/15 16:23:34 | 000,119,408 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013/10/25 02:34:06 | 001,444,120 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2013/10/08 07:05:13 | 000,264,360 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton 360 Premier Edition\Engine\21.1.0.18\N360.exe -- (N360)
SRV - [2013/05/10 02:57:22 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/09/18 13:57:18 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2012/09/17 06:39:30 | 000,171,600 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor11.0)
SRV - [2011/01/02 20:29:50 | 000,009,216 | ---- | M] (www.shadowexplorer.com) [Auto | Running] -- C:\Program Files\ShadowExplorer\sesvc.exe -- (sesvc)
SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2009/05/15 22:23:56 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2008/08/13 23:04:44 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter)
SRV - [2008/07/14 07:37:13 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2008/07/14 07:19:58 | 000,072,704 | ---- | M] (Creative Labs) [Auto | Running] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe -- (Creative Labs Licensing Service)
SRV - [2008/05/21 06:42:56 | 000,064,000 | ---- | M] (Creative Technology Ltd) [On_Demand | Stopped] -- C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe -- (CTUPnPSv)
SRV - [2008/04/28 15:56:28 | 000,161,048 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
SRV - [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/12/05 06:17:24 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AERTSrv.exe -- (AERTFilters)
SRV - [2007/04/02 01:15:40 | 000,061,440 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files\Creative\Shared Files\CTDevSrv.exe -- (CTDevice_Srv)
SRV - [2006/12/19 17:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe -- (EpsonBidirectionalService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | Auto | Stopped] -- -- (MCSTRM)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Mom\AppData\Local\Temp\_F625.tmp\FoxAwdWINFLASH.sys -- (FoxAwdWINFLASH)
DRV - [2013/11/22 09:08:21 | 000,376,920 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2013/11/22 09:08:21 | 000,108,120 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2013/11/21 18:43:08 | 000,393,816 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Norton 360 Premier Edition\NortonData\21.1.0.18\Definitions\IPSDefs\20131128.001\IDSvix86.sys -- (IDSVix86)
DRV - [2013/11/15 19:14:55 | 000,142,936 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2013/11/15 01:00:00 | 001,612,376 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Norton 360 Premier Edition\NortonData\21.1.0.18\Definitions\VirusDefs\20131129.009\NAVEX15.SYS -- (NAVEX15)
DRV - [2013/11/15 01:00:00 | 000,093,272 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Norton 360 Premier Edition\NortonData\21.1.0.18\Definitions\VirusDefs\20131129.009\NAVENG.SYS -- (NAVENG)
DRV - [2013/11/01 18:38:10 | 001,096,280 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Norton 360 Premier Edition\NortonData\21.1.0.18\Definitions\BASHDefs\20131114.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2013/10/31 15:01:18 | 000,340,432 | ---- | M] () [Kernel | System | Running] -- C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_59849.sys -- (RapportCerberus_59849)
DRV - [2013/10/25 02:34:18 | 000,230,448 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2013/10/25 02:34:18 | 000,157,264 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys -- (RapportEI)
DRV - [2013/10/25 02:34:18 | 000,108,816 | ---- | M] (Trusteer Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RapportKELL.sys -- (RapportKELL)
DRV - [2013/09/26 22:18:30 | 000,935,512 | R--- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\System32\drivers\N360\1501000.012\SymEFA.sys -- (SymEFA)
DRV - [2013/09/26 21:45:56 | 000,206,936 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\N360\1501000.012\Ironx86.sys -- (SymIRON)
DRV - [2013/09/26 21:26:03 | 000,651,352 | R--- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\System32\drivers\N360\1501000.012\srtsp.sys -- (SRTSP)
DRV - [2013/09/25 22:27:59 | 000,383,576 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\N360\1501000.012\symtdiv.sys -- (SYMTDIv)
DRV - [2013/09/25 21:50:25 | 000,127,064 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\N360\1501000.012\ccSetx86.sys -- (ccSet_N360)
DRV - [2013/09/09 21:47:26 | 000,367,704 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\N360\1501000.012\SymDS.sys -- (SymDS)
DRV - [2013/09/09 20:49:48 | 000,032,344 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\N360\1501000.012\srtspx.sys -- (SRTSPX)
DRV - [2011/09/20 17:24:20 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/09/20 17:24:20 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2009/05/15 23:01:23 | 004,933,632 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2009/05/15 23:01:23 | 004,933,632 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2008/01/04 19:34:36 | 000,023,920 | ---- | M] (Webroot Software Inc (www.webroot.com)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sskbfd.sys -- (SSKBFD)
DRV - [2007/06/08 13:15:20 | 000,194,362 | ---- | M] (Jungo) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\windrvr6.sys -- (WinDriver6)
DRV - [2007/06/01 12:41:00 | 000,018,432 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pmxmouse.sys -- (pmxmouse)
DRV - [2007/05/24 15:44:00 | 000,019,008 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pmxusblf.sys -- (pmxusblf)
DRV - [2007/04/29 03:42:24 | 000,228,224 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express)
DRV - [2006/11/10 15:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\afc.sys -- (Afc)
DRV - [2004/01/28 15:03:26 | 000,021,456 | ---- | M] (Texas Instruments Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\SilvrLnk.sys -- (SilverLink)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...ie7&rlz=1I7DKUS

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\SearchScopes,DefaultScope = {3521B4C5-373B-4C09-9770-113CF657D7D7}
IE - HKCU\..\SearchScopes\{3521B4C5-373B-4C09-9770-113CF657D7D7}: "URL" = http://search.condui...8249855104&UM=2
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKCU\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/w...il&geo=US&ver=4
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: "false"
FF - prefs.js..browser.startup.homepage: "https://www.facebook...k.com/StarWars"
FF - prefs.js..extensions.enabledAddons: isreaditlater%40ideashower.com:3.0.4
FF - prefs.js..extensions.enabledAddons: %7BE0B8C461-F8FB-49b4-8373-FE32E9252800%7D:5.9.0
FF - prefs.js..extensions.enabledAddons: %7B0153E448-190B-4987-BDE1-F256CADA672F%7D:15.0.6
FF - prefs.js..extensions.enabledAddons: %7B891f0410-aaa2-11e0-9f1c-0800200c9a66%7D:2.4
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:25.0.1
FF - prefs.js..keyword.URL: "http://search.condui...786908&UM=2&q="
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_9_900_152.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.45.2: C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.45.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.6.14: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.6.14: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.6.14: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.6.14: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=15.0.6.14: c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.3: C:\Users\Mom\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll ( )

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\coFFPlgn\ [2013/11/30 09:25:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{0153E448-190B-4987-BDE1-F256CADA672F}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2013/11/04 17:13:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\IPSFF [2013/11/22 07:55:52 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 25.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/11/28 10:09:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 25.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/11/28 11:12:29 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{172133FE-C559-11E1-8270-B8AC6F996F26}: C:\Users\Mom\AppData\Local\{172133FE-C559-11E1-8270-B8AC6F996F26}\ [2012/07/03 16:50:36 | 000,000,000 | ---D | M]

[2009/03/18 09:17:02 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mom\AppData\Roaming\Mozilla\Extensions
[2013/11/28 10:09:02 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mom\AppData\Roaming\Mozilla\Firefox\Profiles\xabetj7a.default-1352070022297\extensions
[2013/10/20 22:39:41 | 000,000,000 | ---D | M] (Evernote Web Clipper) -- C:\Users\Mom\AppData\Roaming\Mozilla\Firefox\Profiles\xabetj7a.default-1352070022297\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}
[2013/06/27 12:32:10 | 000,000,000 | ---D | M] (Pocket) -- C:\Users\Mom\AppData\Roaming\Mozilla\Firefox\Profiles\xabetj7a.default-1352070022297\extensions\[email protected]
[2013/11/28 10:09:02 | 000,109,276 | ---- | M] () (No name found) -- C:\Users\Mom\AppData\Roaming\Mozilla\Firefox\Profiles\xabetj7a.default-1352070022297\extensions\{891f0410-aaa2-11e0-9f1c-0800200c9a66}.xpi
[2013/11/15 16:23:25 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013/11/15 16:23:35 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2013/11/04 17:13:57 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\PROGRAMDATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT
[2009/03/31 21:47:26 | 000,324,976 | ---- | M] (Symantec Corporation) -- C:\Program Files\mozilla firefox\components\coFFPlgn.dll
[2012/11/08 18:44:21 | 000,129,176 | ---- | M] (RealPlayer) -- C:\Program Files\mozilla firefox\plugins\nprpplugin.dll

========== Chrome ==========

CHR - Extension: No name found = C:\Users\Mom\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.5_0\

O1 HOSTS File: ([2012/10/25 18:17:06 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360 Premier Edition\Engine\21.1.0.18\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360 Premier Edition\Engine\21.1.0.18\IPS\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Evernote extension) - {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360 Premier Edition\Engine\21.1.0.18\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [EEventManager] C:\Program Files\Epson Software\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [PMX Daemon] C:\Windows\System32\ICO.EXE (Primax Electronics Ltd.)
O4 - HKLM..\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (Research In Motion Limited)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [UpdReg] C:\Windows\UpdReg.EXE (Creative Technology Ltd.)
O4 - HKLM..\Run: [VolPanel] C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [SoftAuto.exe] C:\Program Files\Creative\Software Update 3\SoftAuto.exe (Creative Technology Ltd)
O4 - HKCU..\Run: [WorkForce 630(Network)] C:\Windows\System32\spool\DRIVERS\W32X86\3\E_FATIGBA.EXE (SEIKO EPSON CORPORATION)
O4 - Startup: C:\Users\Mom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Civilization Registration.lnk = File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowLegacyWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowUnhashedWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O8 - Extra context menu item: Clip Image - C:\Program Files\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=4 File not found
O8 - Extra context menu item: Clip selection - C:\Program Files\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3 File not found
O8 - Extra context menu item: Clip this page - C:\Program Files\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1 File not found
O8 - Extra context menu item: Clip URL - C:\Program Files\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0 File not found
O8 - Extra context menu item: New Note - C:\Program Files\Evernote\Evernote\\EvernoteIERes\NewNote.html ()
O9 - Extra Button: @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\Evernote\Evernote\\EvernoteIERes\AddNote.html ()
O9 - Extra 'Tools' menuitem : @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\Evernote\Evernote\\EvernoteIERes\AddNote.html ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C6A1F688-5AF9-4FBB-B189-4DC686D90729}: DhcpNameServer = 192.168.1.1
O20 - AppInit_DLLs: (c:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll) - c:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll) - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img27.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img27.jpg
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...com [@ = ComFile] -- Reg Error: Key error. File not found
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/11/28 10:09:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2013/11/28 10:08:33 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2013/11/28 10:04:02 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2013/11/28 09:56:33 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2013/11/28 09:55:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
[2013/11/27 23:18:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Oracle
[2013/11/27 13:47:56 | 000,000,000 | ---D | C] -- C:\Users\Mom\Desktop\medical
[2013/11/22 07:48:31 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton 360 Premier Edition
[2013/11/15 16:23:25 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013/11/05 13:06:19 | 000,000,000 | ---D | C] -- C:\Users\Mom\Documents\My Kindle Content
[2013/11/05 13:05:32 | 000,000,000 | ---D | C] -- C:\Users\Mom\AppData\Local\Amazon
[2013/11/05 12:47:19 | 000,000,000 | ---D | C] -- C:\Users\Mom\Documents\My Media
[2013/11/05 12:43:41 | 000,000,000 | ---D | C] -- C:\Users\Mom\AppData\Roaming\OverDrive
[2013/11/03 21:43:54 | 000,000,000 | ---D | C] -- C:\Users\Mom\AppData\Local\NPE
[2013/11/03 21:40:59 | 003,053,496 | ---- | C] (Symantec Corporation) -- C:\Users\Mom\Desktop\NPE(1).exe
[2008/09/08 21:01:15 | 008,318,896 | ---- | C] (Dell, Inc. ) -- C:\Users\Mom\AppData\Roaming\DataSafeDotNet.exe
[4 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/11/30 09:32:56 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013/11/30 09:26:42 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013/11/30 09:25:21 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013/11/30 09:25:21 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013/11/30 09:25:05 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/11/30 09:24:55 | 3219,312,640 | -HS- | M] () -- C:\hiberfil.sys
[2013/11/30 01:05:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/11/28 10:09:07 | 000,001,728 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2013/11/27 22:17:09 | 000,651,024 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/11/27 22:17:09 | 000,123,820 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/11/27 14:25:57 | 000,002,651 | ---- | M] () -- C:\Users\Mom\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2007.lnk
[2013/11/25 18:31:37 | 000,020,410 | ---- | M] () -- C:\Windows\System32\drivers\N360\1501000.012\VT20131125.019
[2013/11/22 07:48:32 | 000,002,237 | ---- | M] () -- C:\Users\Public\Desktop\Norton 360.lnk
[2013/11/22 07:43:26 | 002,542,977 | ---- | M] () -- C:\Windows\System32\drivers\N360\1501000.012\Cat.DB
[2013/11/15 19:14:55 | 000,142,936 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\SYMEVENT.SYS
[2013/11/15 19:14:55 | 000,008,194 | ---- | M] () -- C:\Windows\System32\drivers\SYMEVENT.CAT
[2013/11/15 19:14:55 | 000,000,805 | ---- | M] () -- C:\Windows\System32\drivers\SYMEVENT.INF
[2013/11/14 18:35:57 | 000,001,973 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2013/11/04 14:24:23 | 231,973,022 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2013/11/03 21:40:58 | 003,053,496 | ---- | M] (Symantec Corporation) -- C:\Users\Mom\Desktop\NPE(1).exe
[4 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/11/29 15:14:39 | 3219,312,640 | -HS- | C] () -- C:\hiberfil.sys
[2013/11/28 10:09:05 | 000,001,728 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2013/11/14 08:33:54 | 000,218,228 | ---- | C] () -- C:\Windows\System32\WFP.TMF
[2012/11/19 18:07:45 | 000,102,248 | ---- | C] () -- C:\Users\Mom\GoToAssistDownloadHelper.exe
[2012/09/12 18:46:23 | 000,000,118 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2012/07/16 10:41:55 | 000,043,520 | ---- | C] () -- C:\Windows\System32\CmdLineExt03.dll
[2012/01/11 17:53:49 | 000,000,043 | ---- | C] () -- C:\Users\Mom\jagex_cl_runescape_LIVE1.dat
[2012/01/11 17:41:46 | 000,000,042 | ---- | C] () -- C:\Users\Mom\jagex_cl_runescape_LIVE.dat
[2012/01/11 17:41:46 | 000,000,024 | ---- | C] () -- C:\Users\Mom\random.dat
[2011/07/13 09:12:31 | 000,000,036 | ---- | C] () -- C:\Users\Mom\AppData\Local\housecall.guid.cache
[2011/05/12 13:36:06 | 000,001,940 | ---- | C] () -- C:\Users\Mom\AppData\Local\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2009/07/07 09:28:09 | 000,000,632 | RHS- | C] () -- C:\Users\Mom\ntuser.pol
[2009/04/30 12:06:00 | 000,001,356 | ---- | C] () -- C:\Users\Mom\AppData\Local\d3d9caps.dat
[2009/03/23 10:18:25 | 000,000,123 | ---- | C] () -- C:\Users\Mom\webct_upload_applet.properties
[2009/01/22 16:06:43 | 000,000,035 | ---- | C] () -- C:\Users\Mom\AppData\Roaming\Statdisk.prefs
[2008/09/08 21:00:45 | 000,672,812 | ---- | C] () -- C:\Users\Mom\AppData\Roaming\datasafeupdate.msi
[2008/07/23 18:59:07 | 000,024,206 | ---- | C] () -- C:\Users\Mom\AppData\Roaming\UserTile.png
[2008/07/19 11:31:58 | 000,008,248 | ---- | C] () -- C:\Users\Mom\AppData\Local\en.ini
[2008/07/17 17:18:36 | 000,047,104 | ---- | C] () -- C:\Users\Mom\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2006/11/02 07:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"ThreadingModel" = Both

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 12:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 01:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2009/04/11 01:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2008/07/29 19:12:36 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\BitTorrent
[2010/07/29 15:38:33 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\Blackberry Desktop
[2008/09/15 23:44:52 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2008/07/30 15:13:46 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\DataSafeOnline
[2011/09/23 15:52:21 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\EPSON
[2010/06/12 14:30:59 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\Facebook
[2011/02/12 00:59:38 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\IrfanView
[2010/08/07 20:25:09 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\Leadertech
[2013/11/05 12:43:41 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\OverDrive
[2010/09/13 12:07:00 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\Research In Motion
[2010/05/25 08:05:53 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\Tific
[2010/03/01 20:11:17 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\uTorrent
[2011/03/15 22:27:28 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\www.shadowexplorer.com

========== Purity Check ==========



< End of report >
  • 0

Advertisements


#2
Valinorum

Valinorum

    GeekU Guardian Bot

  • GeekU Moderator
  • 2,916 posts
Hi hel26, :)

:welcome:

My name is Valinorum and I will be your helper today. Before we proceed, please, acknowledge yourself the following(s):

  • Please do not create any new threads on this while we are working on your system as it wastes another volunteer's time. If you are being helped/have solved the issue/no longer wish to continue, notify me in your reply and I will quickly close this thread. Failing to comply will result in denial of future assistance.
  • Please do not install any new software while we are working on this system as it may hinder our process.
  • Malware removal is a complicated process so don't stop following the steps even if the symptoms are not found. Keep up with me until I declare you clean.
  • Please do not try to fix anything without being ask.
  • Please do not attach your logs. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.
  • Please print or save the instructions I give you for quick reference. We may be using Safe mode which will cut you off from internet and you will not always be able to access this thread.
  • Back up your data. I will not knowingly suggest your any course that might damage your system but sometimes Malware infections are so severe that only option we have is to re-format and re-install the operating system.
  • If you are confused about any instruction stop and ask. Do not keep on going.
  • Do not repeat the steps if you face any problems.
  • I am not an omniscient. There are things even I cannot foresee. But what I know took years to learn and perfect the skill. This site is run by volunteers who help people in need in their own free time. I would ask you to respect their time and be patient as sometimes real life demands our time and replies to you can be delayed.
  • Privet Message(PM) if and only if I have not responded to your thread within three days or your query is offtopic and personal. Do not PM me under any other circumstances. Your thread is the only medium of communication.
  • The fixes are for your system only. Please refrain from using these fixes on other system as it may do serious damage.

Note: Please, bare in mind that I am still a trainee and my replies need to be reviewed by my teachers before I post them to you which requires time as both teachers and helpers are volunteers here. Take it as a good thing because now you have two people examining your problem. I really hope that we will be able to send you home with a smile on your face. :)

 

Please post the Extras.txt log as well. :)

 

  • Step # Scan with Security Check
    • Download Security Check by screen317 to your Desktop from any of the following location;
    • Link 1
    • Link 2
  • Right click on the program and choose Run as Administrator;
  • After the checking a log will appear;
  • Copy and Paste the content of the log in your next reply.

 

  • Required Log(s):
  • Extras.txt;
  • Security Check Log.

Regards,
Valinorum
  • 1

#3
hel26

hel26

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Hi Valinorum! I love your name and your motto. I feel confident that you will valiantly fight to vanquish my malware enemy :)

Here are the two logs you requested:

OTL Extras logfile created on: 11/30/2013 9:46:19 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Mom\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 1.49 Gb Available Physical Memory | 49.72% Memory free
6.21 Gb Paging File | 4.73 Gb Available in Paging File | 76.17% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 455.70 Gb Total Space | 270.42 Gb Free Space | 59.34% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.00 Gb Free Space | 50.03% Space Free | Partition Type: NTFS

Computer Name: HELEN-PC | User Name: Mom | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- Reg Error: Key error. File not found
.cmd [@ = cmdfile] -- Reg Error: Key error. File not found
.com [@ = ComFile] -- Reg Error: Key error. File not found
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Browse with &IrfanView] -- "C:\Program Files\IrfanView\i_view32.exe" "%1 /thumbs" (Irfan Skiljan)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0A9C83F7-B61B-49F4-810A-FB23A2F4CDC2}" = lport=4482 | protocol=6 | dir=in | name=blackberry desktop software wireless music sync data transfer |
"{20CAC788-F28A-4B2C-8A38-8362C9466286}" = lport=137 | protocol=17 | dir=in | app=system |
"{27C20537-6D05-493F-AB41-C9BBF000C561}" = lport=139 | protocol=6 | dir=in | app=system |
"{3E97160C-FFEA-447A-B4D3-1B1F1D8666EB}" = lport=4482 | protocol=17 | dir=in | name=blackberry desktop software wireless music sync discovery |
"{47FBD94B-FD89-459A-B6CD-58A963596021}" = rport=137 | protocol=17 | dir=out | app=system |
"{58EA4695-2287-43AD-91E9-14F75E05586D}" = lport=138 | protocol=17 | dir=in | app=system |
"{5F5A5697-C0EF-4FE1-B3EA-C0AC294E3BC6}" = lport=4481 | protocol=17 | dir=in | name=blackberry desktop software wireless music sync discovery |
"{60B205F2-53CF-4350-871D-748988F82912}" = rport=138 | protocol=17 | dir=out | app=system |
"{91675BC7-DC35-4823-9444-23A8A08F0EAF}" = lport=445 | protocol=6 | dir=in | app=system |
"{966EC332-CCB6-41DB-AED5-F8D7DE12D887}" = lport=4481 | protocol=6 | dir=in | name=blackberry desktop software wireless music sync data transfer |
"{B5DAB535-C346-42CF-A654-D4DD3E677A10}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{E3F7583D-ACED-4DA2-A584-E07E9F4458FC}" = rport=445 | protocol=6 | dir=out | app=system |
"{E7BC76D7-A67F-49F5-B4EF-32FCA24EFA30}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | [email protected],-28539 |
"{EEA50DA5-6272-4BF6-A42D-FF8C96D0CFF8}" = rport=139 | protocol=6 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{006CB52B-7C39-43CB-BEE5-012961FA908C}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{0504E065-EC42-4889-A746-75F6C2BA7CA1}" = protocol=17 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{064C6FC0-F936-4DDE-98DA-59A35804B2CC}" = protocol=58 | dir=out | [email protected],-28546 |
"{14C05B4D-91E6-4586-AABB-90FF31589941}" = protocol=17 | dir=in | app=c:\program files\dna\btdna.exe |
"{1E0F4300-75F3-4DEC-BA66-FC81EEE98162}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{39A3A5C3-3D92-4109-8731-0CC1CF7D7E4B}" = protocol=6 | dir=in | app=c:\program files\research in motion\blackberry desktop\rim.desktop.exe |
"{3DC350AD-E3BE-44FC-AF66-CEF5CA4A91F9}" = protocol=6 | dir=in | app=c:\program files\sierra entertainment\world in conflict\wic.exe |
"{3E0314C2-13A1-42F3-8BED-C30B478C8C84}" = protocol=17 | dir=in | app=c:\program files\sierra entertainment\world in conflict\wic.exe |
"{4C7A63E9-25F5-4468-A27B-D3112CE23088}" = protocol=58 | dir=in | [email protected],-28545 |
"{62C5073A-380B-4AC9-98C4-D1DB041AFECB}" = protocol=17 | dir=in | app=c:\program files\sierra entertainment\world in conflict\wic_ds.exe |
"{7FEA74F0-00F9-4999-850C-60AAD6C8A8CA}" = protocol=1 | dir=out | [email protected],-28544 |
"{81E539CF-4CC3-434D-97D8-A262262EEE1D}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{8BFA7372-D167-471F-A8BE-391185911D12}" = protocol=6 | dir=in | app=c:\program files\bittorrent\bittorrent.exe |
"{964F851A-2BE5-44E0-9491-4E5623746804}" = protocol=17 | dir=in | app=c:\program files\microsoft games\age of empires iii\age3.exe |
"{97BA2D77-B3A0-4229-B239-EBD45776A6CA}" = protocol=17 | dir=in | app=c:\program files\electric quilt company\eq6\eq6.exe |
"{98F8EEBE-D533-4B7E-885B-93110DCEFEDB}" = protocol=6 | dir=in | app=c:\program files\microsoft games\age of empires iii\age3.exe |
"{A1376466-841D-4CB8-A699-AF63013777FA}" = protocol=6 | dir=in | app=c:\program files\electric quilt company\eq7\eq7.exe |
"{A16EDCB3-24CF-4C45-A554-7057C7010AC8}" = protocol=1 | dir=in | [email protected],-28543 |
"{A3FFF78B-A458-404A-9CC0-E74C301107A0}" = protocol=17 | dir=in | app=c:\program files\sierra entertainment\world in conflict\wic_online.exe |
"{AAC245CE-8E04-42E4-9D50-4545C78D2E14}" = protocol=6 | dir=in | app=c:\program files\sierra entertainment\world in conflict\wic_online.exe |
"{AB5026CF-B67E-4959-8A57-FE3DAD8BCA55}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{AC77AF4C-324A-40FB-AE96-21A1B591FC5C}" = protocol=17 | dir=in | app=c:\program files\research in motion\blackberry desktop\rim.desktop.exe |
"{B8FAA0F4-474E-402B-ACB8-0A0B433D4294}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{BEB11CC1-E921-4A34-A923-3B2DCBCC4DD0}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{CC0FC5FD-3EE1-41C3-83F2-CE8C4D6C88CC}" = protocol=17 | dir=in | app=c:\program files\electric quilt company\eq7\eq7.exe |
"{D4CA6ABC-5705-454E-B57B-4D244ABA551B}" = protocol=6 | dir=in | app=c:\program files\dna\btdna.exe |
"{D75DBF33-870B-4151-9C5B-C6C8FC917E5F}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{EE73BF31-3150-4ACE-B33D-E9F90B577EC1}" = protocol=6 | dir=in | app=c:\program files\electric quilt company\eq6\eq6.exe |
"{EF9A4BCF-6912-44C0-BBE3-69361E29B692}" = protocol=6 | dir=in | app=c:\program files\sierra entertainment\world in conflict\wic_ds.exe |
"TCP Query User{388902FD-8FF0-4A13-90B6-0DB8A6B7430E}C:\windows\lmideca.tmp\lmi_rescue.exe" = protocol=6 | dir=in | app=c:\windows\lmideca.tmp\lmi_rescue.exe |
"TCP Query User{3ACF148D-8E6E-428A-A811-850BAEE0D5AA}C:\windows\lmideca.tmp\lmi_rescue.exe" = protocol=6 | dir=in | app=c:\windows\lmideca.tmp\lmi_rescue.exe |
"TCP Query User{624A6759-1C40-468A-B3B0-1AED759BE26A}C:\users\mom\appdata\local\temp\wzse0.tmp\symnrt.exe" = protocol=6 | dir=in | app=c:\users\mom\appdata\local\temp\wzse0.tmp\symnrt.exe |
"TCP Query User{EDF7A791-F5B6-418A-A904-F129041827FB}C:\windows\system32\ftp.exe" = protocol=6 | dir=in | app=c:\windows\system32\ftp.exe |
"UDP Query User{00A837C0-2F28-416C-A6AA-6990C1916398}C:\windows\system32\ftp.exe" = protocol=17 | dir=in | app=c:\windows\system32\ftp.exe |
"UDP Query User{4392935C-D70A-4B3F-8310-543B583F1A8A}C:\users\mom\appdata\local\temp\wzse0.tmp\symnrt.exe" = protocol=17 | dir=in | app=c:\users\mom\appdata\local\temp\wzse0.tmp\symnrt.exe |
"UDP Query User{9000B0CD-1DFA-4F07-A110-56768C437016}C:\windows\lmideca.tmp\lmi_rescue.exe" = protocol=17 | dir=in | app=c:\windows\lmideca.tmp\lmi_rescue.exe |
"UDP Query User{BA76160D-23F0-443D-BEF4-5700AD56EB83}C:\windows\lmideca.tmp\lmi_rescue.exe" = protocol=17 | dir=in | app=c:\windows\lmideca.tmp\lmi_rescue.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}" = Notifier
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{03B8AA32-F23C-4178-B8E6-09ECD07EAA47}" = Epson Event Manager
"{03E2A0D1-D43A-CB88-A35B-05D753DD43C5}" = Catalyst Control Center HydraVision Full
"{03EDED24-8375-407D-A721-4643D9768BE1}" = kgchlwn
"{045DB95B-F123-B440-D999-AD083AA55196}" = CCC Help German
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{0598AAA2-F600-47E9-AE89-4CFDBF7BD706}" = Wunderlist
"{073F22CE-9A5B-4A40-A604-C7270AC6BF34}" = ESSSONIC
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{09760D42-E223-42AD-8C3E-55B47D0DDAC3}" = Roxio Creator DE
"{0C4A2CBF-CB45-5804-833B-24E1D279B0A2}" = CCC Help English
"{0CBE6C93-CB2E-4378-91EE-12BE6D4E2E4A}" = Epson FAX Utility
"{11CB6E0D-FFB2-7FAE-17FC-CA92BEE8F24A}" = Catalyst Control Center Localization Japanese
"{11F3F858-4131-4FFA-A560-3FE282933B6E}" = kgchday
"{13766F76-6C8C-4E57-A9F3-3212D1C6E0D1}" = Dell DataSafe Online
"{1400192B-D969-6FD4-8044-E2D07C5ADE3A}" = Catalyst Control Center Localization German
"{14BD87BE-02AA-8E04-602C-B20A43267F5B}" = CCC Help Japanese
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{1662D4E1-B469-D6A3-085B-0B5350BF7CA5}" = Catalyst Control Center Localization Italian
"{168879EE-A348-BFB7-3622-3651449C629F}" = CCC Help Italian
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1A8E3C5D-B772-CB4A-1117-751B5D79787B}" = Catalyst Control Center Graphics Light
"{1B2E11A4-8566-B8C7-3FB6-0D2A6F8D2139}" = CCC Help Portuguese
"{1D0BD79C-F8DA-4803-9C23-55480D769704}" = datasafeupdate
"{1D181764-DCD0-41B8-AA7B-0A599F027A72}" = Adobe Photoshop Elements 11
"{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{206FD69B-F9FE-4164-81BD-D52552BC9C23}" = GearDrvs
"{20C53FA2-4307-4671-A93F-9463B29DFCF1}" = Symantec Technical Support Web Controls
"{2157961D-0507-44A8-BCF2-1EE2D439E8DF}" = Civilization III Complete Edition
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23C12370-3A82-4558-B727-F345B473AD87}" = BlackBerry Device Software Updater
"{266156C9-F681-A84B-083C-D2052A461583}" = Catalyst Control Center Graphics Full New
"{26A24AE4-039D-4CA4-87B4-2F83217045FF}" = Java 7 Update 45
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{28F0FD94-CC2E-38DE-6080-0F688881DF32}" = Catalyst Control Center Core Implementation
"{2A6FFA23-9188-E796-4AFF-196A2004AA39}" = ccc-utility
"{2A9A40C7-6670-4D5F-8F41-D12E2E08B48B}" = Star Wars®: Knights of the Old Republic ™
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{2EE437A9-75E3-10D1-3633-D4E8D6043503}" = CCC Help Spanish
"{2F3BCA05-4FD4-9418-1976-32F783E43DF4}" = Catalyst Control Center Graphics Full Existing
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{318AB667-3230-41B5-A617-CB3BF748D371}" = iTunes
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{3B03E732-6150-4D0A-849F-C6F4141EA78C}" = EPSON Perfection V30/V300 Photo Scanner Driver Update
"{3CE8C77E-8703-B62E-8F7C-31F7AA97F2A7}" = Catalyst Control Center Localization French
"{3D374523-CFDE-461A-827E-2A102E2AB365}" = Star Wars Battlefront II
"{3E31400D-274E-4647-916C-2CACC3741799}" = EpsonNet Print
"{4442AB48-DEC4-4B39-B067-1F75BF8017E7}" = Creative Centrale
"{448E2D77-E504-4221-B2C2-93646B344729}" = Mouse Suite for Desktop Computers
"{4524E7FD-A547-C564-CD8F-A872F7C39029}" = CCC Help French
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{531F0013-964C-4BE6-B382-4117DC8BCDF9}" = ArcSoft MediaImpression
"{53C6D09E-EAB6-49E5-BA4C-BA7FF13830FB}" = Sound Blaster Audigy ADVANCED MB
"{56AB063D-1450-4BDE-9F0D-E9C693429C51}" = netbrdg
"{5D09C772-ECB3-442B-9CC6-B4341C78FDC2}" = Apple Application Support
"{5DA49E6A-74A7-B5A8-172A-3CFFBD984EC6}" = ccc-utility
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{60B8D26D-5D6D-21D5-0366-3664E5DE3471}" = ATI Catalyst Install Manager
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{628C2C7D-8AD1-E614-E8E2-6EEAD8D5F2D0}" = Acrobat.com
"{629F65FB-7F3C-4D66-A1C0-20722744B7B6}" = Star Wars® Knights of the Old Republic® II: The Sith Lords™
"{64d93c40-f16c-49f0-93f1-e7304a8cb538}" = Wunderlist
"{65D85050-5610-4A91-A3B1-D5C744291AD4}" = PCDADDIN
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{693C08A7-9E76-43FF-B11E-9A58175474C4}" = kgckids
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6AAFA39D-8247-29FF-B0AC-9D6F21BA4A1C}" = Catalyst Control Center Graphics Previews Vista
"{6B7B6D4D-8F9B-4CB3-8CA4-BCA9CC4C1A22}" = EDocs
"{6E4FC36F-A7B5-EE38-2FE4-7D0D94D230F5}" = Catalyst Control Center Localization Portuguese
"{6EF2AFEF-2044-4A85-ED1F-E70A568D7ED9}" = Catalyst Control Center Localization Turkish
"{70F8B183-99EB-4304-BA35-080E2DFFD2A3}" = Age of Empires III
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7113847B-EC8E-C244-66B0-C8C98A855525}" = Catalyst Control Center InstallProxy
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{75F8E142-7720-156D-C74C-80AA0974B993}" = CCC Help Polish
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7727DA6C-A845-890D-2B48-7863A93F167C}" = Catalyst Control Center Localization Korean
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel® PRO Network Connections 12.1.11.0
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}" = Dell Getting Started Guide
"{86604C06-DA30-425E-AECE-47304FE81C45}" = Creative Software Update
"{8681B1E6-CD96-46EF-9065-CE0D1085ED99}" = Star Wars JK II Jedi Outcast
"{87CA11B3-C4CE-D989-42C7-C6197B266EFD}" = CCC Help Chinese Standard
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8A8664E1-84C8-4936-891C-BC1F07797549}" = kgcvday
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{91F2493D-8A65-7BF3-5684-9D6397F8847D}" = Catalyst Control Center Core Implementation
"{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" = Microsoft .NET Framework 4.5
"{95381165-5D16-4CD4-9162-57799A3F3AB5}" = PCLinq2 High-Speed USB Bridge Cable
"{9794B30C-0FCB-3658-B44F-33BDDC788C2D}" = CCC Help English
"{97B70991-5002-4241-8B0C-D74B8ADEB2B5}" = BlackBerry Desktop Software 7.1
"{98A01836-BC4F-BA02-8ECA-F2F22FA9754A}" = Catalyst Control Center Graphics Light
"{98CE8819-87AA-4814-8167-ADDDD513485F}" = PSE11 STI Installer
"{994FCE98-1379-2A33-24BC-F092466CC5C4}" = Catalyst Control Center Localization Thai
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BD54685-1496-46A5-AB62-357CD140ED8B}" = kgcinvt
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}" = ESScore
"{9F612429-4A00-3D44-88CF-146DA2EE1F92}" = Microsoft .NET Framework 4.5
"{A0FE0292-D3BE-3447-80F2-72E032A54875}" = Microsoft Visual Studio 2010 Tools for Office Runtime (x86)
"{A1588373-1D86-4D44-86C9-78ABD190F9CC}" = kgcmove
"{A2749C1C-CA17-6DD2-EAE0-D00518B39AB1}" = Catalyst Control Center Graphics Previews Common
"{A3D44AD8-D3C9-45E4-B861-3B653C6EF620}" = Rhapsody MP3 Download Manager
"{A6563D7C-F3AD-11E2-A4DB-984BE15F174E}" = Evernote v. 4.6.7
"{A8B94669-8654-4126-BD28-D0D2412CDED6}" = TI Connect 1.6
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA72FB28-73B4-49E5-B6B4-E78F44BBD0AD}" = Epson Copy Utility 3.5
"{AA89DBA6-2CC9-46C5-9102-4B2833304AE2}" = World In Conflict
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.8)
"{AC76BA86-7AD7-2447-0000-A00000000003}" = Chinese Simplified Fonts Support For Adobe Reader X
"{AC7C7307-6324-D891-1E53-77B00E4F0961}" = CCC Help Turkish
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{AD1DEFDB-6143-4DF9-AF6D-ED8B61484105}" = EQ6
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B67BAFBA-4C9F-48FA-9496-933E3B255044}" = QuickTime
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{B6EECBB7-BDA4-4E52-2BD6-69D70215AC48}" = Catalyst Control Center Localization Polish
"{B9242864-2841-4ADE-86E0-8F90F91B04DD}" = Logitech Gaming Software
"{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}" = KSU
"{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5
"{C279E4B3-9FCD-9D82-7A83-B773C2D4E526}" = Catalyst Control Center Localization Hungarian
"{C2D192BE-5E2C-92CF-56A0-28C7D9D67B96}" = CCC Help Hungarian
"{C2F3DB53-EF8E-4885-36C4-34C4911FEAE0}" = ccc-core-static
"{C486C7E9-5591-8777-CEB5-FA373AFE6711}" = Catalyst Control Center Localization Spanish
"{C57606D6-7A44-4A99-D6D0-BA07FD3ACCEA}" = Catalyst Control Center Localization Chinese Traditional
"{C99DCDA4-7407-4F72-A77E-C81C551D0C4E}" = PCDHELP
"{C9D8A041-2963-4B31-8FFC-1500F3DB9293}" = EpsonNet Setup 3.3
"{CB84F0F2-927B-458D-9DC5-87832E3DC653}" = GearDrvs
"{CBE48FF8-521A-4AE1-92B5-7008D8529630}" = Logger Pro 3.6.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEAF3507-FCB3-11D2-850C-00C0F01410B1}" = Majesty
"{D07205E7-F6D3-4333-AFCC-782A07685B72}" = OverDrive Media Console
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{D379100F-65A2-4B54-D568-CD2BE238C6A3}" = Catalyst Control Center Graphics Previews Vista
"{D3B1C799-CB73-42DE-BA0F-2344793A095C}" = Catalyst Control Center - Branding
"{D4D065E1-3ABF-41D0-B385-FC6F027F4D00}" = Elements 11 Organizer
"{D973AE1D-ACB1-2C54-92FE-A29E2A7482C0}" = CCC Help Thai
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{E0EFA6E0-2A18-A83B-34EA-8435EFEE1285}" = CCC Help Korean
"{E18B549C-5D15-45DA-8D8F-8FD2BD946344}" = kgcbaby
"{E24EDDF0-93A0-95CC-509A-1C012180F8CB}" = Skins
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{E53C563F-1157-20B2-1276-755A22E814D2}" = Catalyst Control Center Localization Chinese Standard
"{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}" = tooltips
"{E8B55B7D-A94D-4C4B-AFEB-4C4AAAFEB071}" = EQ7 Upgrade
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator DE
"{EEC4F30A-C514-6096-C27A-D0226394CD11}" = Catalyst Control Center Graphics Full New
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F163FBE3-7EC2-BE0C-374A-E6E4A2633075}" = Catalyst Control Center Graphics Full Existing
"{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}" = kgcbase
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F6B8797E-923E-4902-9698-62937FE80FAB}" = CCC Help Chinese Traditional
"{F6CB42B9-F033-4152-8813-FF11DA8E6A78}" = Dell Dock
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FBF1268D-3323-545E-4DD0-F45AD313E37E}" = Catalyst Control Center Graphics Previews Common
"{FDF9943A-3D5C-46B3-9679-586BD237DDEE}" = SKIN0001
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Photoshop Elements 11" = Adobe Photoshop Elements 11
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"Age of Empires 2.0" = Microsoft Age of Empires II
"Age of Empires II: The Conquerors Expansion 1.0" = Microsoft Age of Empires II: The Conquerors Expansion
"Age of Mythology 1.0" = Age of Mythology
"Age of Mythology Expansion Pack 1.0" = Age of Mythology - The Titans Expansion
"AVS Screen Capture_is1" = AVS Screen Capture version 2.0.1
"AVS Update Manager_is1" = AVS Update Manager 1.0
"AVS Video Editor_is1" = AVS Video Editor 5
"AVS Video Recorder_is1" = AVS Video Recorder 2.4
"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.4
"Backyard Baseball 2001" = Backyard Baseball 2001
"Backyard Football" = Backyard Football
"BlackBerry_Desktop" = BlackBerry Desktop Software 7.1
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Creative Centrale" = Creative Centrale
"Creative Jukebox Driver" = Creative Jukebox Driver
"Creative Removable Disk Manager" = Creative Removable Disk Manager
"EPSON PC-FAX Driver 2" = Epson PC-FAX Driver
"EPSON Scanner" = EPSON Scan
"EPSON WorkForce 630 Series" = EPSON WorkForce 630 Series Printer Uninstall
"EQ5" = EQ5
"GameSpy Arcade" = GameSpy Arcade
"Google Chrome" = Google Chrome
"Google Desktop" = Google Desktop
"GoToAssist" = GoToAssist 8.0.0.514
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{2157961D-0507-44A8-BCF2-1EE2D439E8DF}" = Civilization III Complete Edition
"InstallShield_{70F8B183-99EB-4304-BA35-080E2DFFD2A3}" = Age of Empires III
"InstallShield_{AD1DEFDB-6143-4DF9-AF6D-ED8B61484105}" = EQ6
"InstallShield_{E8B55B7D-A94D-4C4B-AFEB-4C4AAAFEB071}" = EQ7 Upgrade
"IrfanView" = IrfanView (remove only)
"jGRASP" = jGRASP
"LucasArts' The Phantom Menace" = LucasArts' The Phantom Menace
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Visual Studio 2010 Tools for Office Runtime (x86)" = Microsoft Visual Studio 2010 Tools for Office Runtime (x86)
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox 25.0.1 (x86 en-US)" = Mozilla Firefox 25.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MP3 Player Recovery Tool_is1" = MP3 Player Recovery Tool
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"N360" = Norton 360
"PhotoStitch" = Canon Utilities PhotoStitch
"PROSetDX" = Intel® PRO Network Connections 12.1.11.0
"Rapport_msi" = Trusteer Endpoint Protection
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RealPlayer 15.0" = RealPlayer
"RemoteCaptureDC" = Canon Utilities RemoteCapture DC
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"ShadowExplorer_is1" = ShadowExplorer 0.8
"Wheel of Time" = Wheel of Time
"ZENMozaicUG" = Creative ZEN Mozaic User's Guide
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Facebook Plug-In" = Facebook Plug-In

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 11/28/2013 11:47:22 PM | Computer Name = Helen-PC | Source = WinMgmt | ID = 10
Description =

Error - 11/28/2013 11:49:23 PM | Computer Name = Helen-PC | Source = EventSystem | ID = 4609
Description =

Error - 11/28/2013 11:52:07 PM | Computer Name = Helen-PC | Source = EventSystem | ID = 4609
Description =

Error - 11/28/2013 11:52:34 PM | Computer Name = Helen-PC | Source = WinMgmt | ID = 10
Description =

Error - 11/28/2013 11:56:53 PM | Computer Name = Helen-PC | Source = EventSystem | ID = 4609
Description =

Error - 11/28/2013 11:57:21 PM | Computer Name = Helen-PC | Source = WinMgmt | ID = 10
Description =

Error - 11/29/2013 4:16:23 PM | Computer Name = Helen-PC | Source = WinMgmt | ID = 10
Description =

Error - 11/29/2013 7:07:13 PM | Computer Name = Helen-PC | Source = Application Hang | ID = 1002
Description = The program N360.exe version 12.11.0.16 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Problem Reports and Solutions control panel. Process
ID: d4c Start Time: 01ceed3fe676d185 Termination Time: 125

Error - 11/30/2013 2:30:53 AM | Computer Name = Helen-PC | Source = WinMgmt | ID = 10
Description =

Error - 11/30/2013 10:25:33 AM | Computer Name = Helen-PC | Source = WinMgmt | ID = 10
Description =

[ OSession Events ]
Error - 2/13/2009 12:05:14 AM | Computer Name = Helen-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6331.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 52
seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/23/2009 9:47:44 PM | Computer Name = Helen-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 5097
seconds with 1320 seconds of active time. This session ended with a crash.

Error - 3/13/2012 11:21:31 PM | Computer Name = Helen-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6612.1000, Microsoft Office Version: 12.0.6612.1000. This session lasted 8395
seconds with 2040 seconds of active time. This session ended with a crash.


Error encountered while reading event logs.

< End of report >

----------------


Results of screen317's Security Check version 0.99.77
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
Norton 360 Premier Edition
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Malwarebytes Anti-Malware version 1.75.0.1300
Java 7 Update 45
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 11.9.900.152
Mozilla Firefox (25.0.1)
Google Chrome 31.0.1650.48
Google Chrome 31.0.1650.57
````````Process Check: objlist.exe by Laurent````````
Spybot Teatimer.exe is disabled!
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````
  • 0

#4
Valinorum

Valinorum

    GeekU Guardian Bot

  • GeekU Moderator
  • 2,916 posts
Hi hel26, :)

I love your name and your motto. I feel confident that you will valiantly fight to vanquish my malware enemy

:)
Can you tell me where the win32.downloader.exe is located?

  • Step #1 Fix with AdwCleaner
    Download : ADWCleaner to your desktop.

    NOTE: If using Internet Explorer and get an alert that stops the program downloading, click on the warning and allow the download to complete.

    Close all programs and click on the AdwCleaner icon.

    Posted Image

    Click on Scan and follow the prompts. Let it run unhindered. When done, click on the Clean button, and follow the prompts. Allow the system to reboot. You will then be presented with the report. Copy & Paste this report on your next reply.

    The report will be saved in the C:\AdwCleaner folder. as AdwCleaner[S0].txt

 

  • Step #2 Fix with Junkware Removal Tool
    Posted Image Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

  • Step #3 Scan with OTL
  • Re-run OTL;
  • Copy and Paste the following code inside the Custom Scans/Fixes box;
    netsvcs
    BASESERVICES
    %SYSTEMDRIVE%\*.exe
    /md5start
    services.*
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    CREATERESTOREPOINT
  • Click the Quick Scan button;
  • After the scan two logs will be produced;
  • Copy and paste the content of the logs in your next reply

 

  • Required Log(s):
  • AdwCleaner Log;
  • Junkware Removal Tool Log;
  • OTL.txt.

Regards,
Valinorum
  • 1

#5
hel26

hel26

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Hello again!

I only got one OTL log this time. Did I do something wrong?
I wrote down the spybot info, but the last little bit ended "..." so it's not complete

Spybot info
Here it is Win32.Downloader.gen registry change
[SBI $F03796FC]IE start pg (may have said "page")
HKEY_USERS\5-1-5-21-1843113562-2369256311-3...

Here's my AdwareCleaner log:

# AdwCleaner v3.013 - Report created 01/12/2013 at 11:19:38
# Updated 24/11/2013 by Xplode
# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# Username : Mom - HELEN-PC
# Running from : C:\Users\Mom\Downloads\AdwCleaner(1).exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\~0
Folder Deleted : C:\ProgramData\VisualBee
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\Searchprotect
Folder Deleted : C:\Users\Mom\AppData\Local\visualbeeexe
Folder Deleted : C:\Users\Mom\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Maggie\AppData\Roaming\Searchprotect
File Deleted : C:\Users\Maggie\AppData\Roaming\Mozilla\Firefox\Profiles\835rcvxs.default\searchplugins\safesearch.xml
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\safesearch.xml

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\visualbee
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\Software\visualbee
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SearchProtect
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16520


-\\ Mozilla Firefox v25.0.1 (en-US)

[ File : C:\Users\Mom\AppData\Roaming\Mozilla\Firefox\Profiles\xabetj7a.default-1352070022297\prefs.js ]

Line Deleted : user_pref("CT3287802_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\":1377133893313,\"isWithState\":\"\",\"timeFromStart\":0,\"timeFromPrev\":0}]");
Line Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3287802&octid=CT3287802&SearchSource=61&CUI=UN30888487206786908&UM=2&UP=SP85BF82FF-85B4-4600-9B53-63B0DA01ACF9");
Line Deleted : user_pref("Smartbar.ConduitSearchEngineList", "");
Line Deleted : user_pref("Smartbar.ConduitSearchUrlList", "");
Line Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3287802");
Line Deleted : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3287802&SearchSource=2&CUI=UN30888487206786908&UM=2&q=");
Line Deleted : user_pref("show.CT3287802", false);
Line Deleted : user_pref("smartbar.machineId", "J2PIHEM0VEIBPGBF56YZO0AOXOT4EKCJDHXUFLN3OSZJVACORWWWVQTD0SYLOPMEPQRQ3CNWRYTJZ3EDWS93GG");

[ File : C:\Users\Maggie\AppData\Roaming\Mozilla\Firefox\Profiles\835rcvxs.default\prefs.js ]


-\\ Google Chrome v31.0.1650.57

[ File : C:\Users\Mom\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted : homepage

*************************

AdwCleaner[R0].txt - [3976 octets] - [01/12/2013 11:13:06]
AdwCleaner[S0].txt - [3609 octets] - [01/12/2013 11:19:38]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3669 octets] ##########




Here's my JRT log[/size][/size]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows Vista ™ Home Premium x86
Ran by Mom on Sun 12/01/2013 at 11:36:34.49
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3521B4C5-373B-4C09-9770-113CF657D7D7}



~~~ Files

Successfully deleted: [File] C:\Users\Mom\AppData\Local\{172133FE-C559-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul [Trojan:JS/Medfos.A]



~~~ Folders

Successfully deleted: [Folder] "C:\Users\Mom\appdata\local\cre"
Successfully deleted: [Folder] C:\Users\Mom\AppData\Local\{172133FE-C559-11E1-8270-B8AC6F996F26} [Trojan:JS/Medfos.A]



~~~ FireFox

Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\\{172133fe-c559-11e1-8270-b8ac6f996f26}
Emptied folder: C:\Users\Mom\AppData\Roaming\mozilla\firefox\profiles\xabetj7a.default-1352070022297\minidumps [132 files]



~~~ Chrome

Dumping contents of C:\Users\Mom\appdata\local\Google\Chrome\User Data\Default\Default
C:\Users\Mom\appdata\local\Google\Chrome\User Data\Default\Default\aadedhdeggdhgddhdidcdigbdeddgfdb
C:\Users\Mom\appdata\local\Google\Chrome\User Data\Default\Default\aadedhdeggdhgddhdidcdigbdeddgfdb\background.html
C:\Users\Mom\appdata\local\Google\Chrome\User Data\Default\Default\aadedhdeggdhgddhdidcdigbdeddgfdb\ContentScript.js
C:\Users\Mom\appdata\local\Google\Chrome\User Data\Default\Default\aadedhdeggdhgddhdidcdigbdeddgfdb\manifest.json

Successfully deleted: [Folder] C:\Users\Mom\appdata\local\Google\Chrome\User Data\Default\Default [Default Extension 1.0]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 12/01/2013 at 11:42:41.62
Computer was rebooted
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Here's my second OTL round:

OTL logfile created on: 12/1/2013 12:09:24 PM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Mom\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 1.62 Gb Available Physical Memory | 54.21% Memory free
6.20 Gb Paging File | 5.03 Gb Available in Paging File | 81.08% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 455.70 Gb Total Space | 269.45 Gb Free Space | 59.13% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 4.89 Gb Free Space | 48.90% Space Free | Partition Type: NTFS

Computer Name: HELEN-PC | User Name: Mom | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/12/01 11:51:04 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Mom\Downloads\OTL(1).exe
PRC - [2013/10/25 02:34:06 | 002,480,408 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PRC - [2013/10/25 02:34:06 | 001,444,120 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2013/10/08 07:05:13 | 000,264,360 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360 Premier Edition\Engine\21.1.0.18\N360.exe
PRC - [2013/05/10 02:57:22 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/11/08 18:44:13 | 000,296,096 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\Update\realsched.exe
PRC - [2012/09/18 13:57:18 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
PRC - [2012/09/17 06:39:30 | 000,171,600 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe
PRC - [2011/11/02 01:00:44 | 000,090,448 | ---- | M] (Research In Motion Limited) -- C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
PRC - [2010/12/14 09:49:23 | 001,169,408 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sdclt.exe
PRC - [2010/10/27 19:17:52 | 000,207,424 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
PRC - [2010/08/25 11:27:44 | 000,309,824 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2010/01/23 15:18:54 | 000,009,216 | ---- | M] (www.shadowexplorer.com) -- C:\Program Files\ShadowExplorer\sesvc.exe
PRC - [2010/01/12 06:01:00 | 000,201,216 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\spool\drivers\w32x86\3\E_FATIGBA.EXE
PRC - [2009/12/03 09:12:12 | 000,976,320 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Epson Software\Event Manager\EEventManager.exe
PRC - [2009/05/15 22:24:25 | 000,335,872 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2009/05/15 22:23:56 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/01/26 14:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/08/13 23:04:44 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/08/12 22:49:30 | 000,405,504 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Software Update 3\SoftAuto.exe
PRC - [2008/07/14 07:19:58 | 000,072,704 | ---- | M] (Creative Labs) -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
PRC - [2008/04/28 15:56:28 | 000,161,048 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DockLogin.exe
PRC - [2008/01/17 07:22:20 | 004,907,008 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/12/05 06:17:24 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AERTSrv.exe
PRC - [2007/05/23 19:02:36 | 000,139,264 | ---- | M] (Primax Electronics Ltd.) -- C:\Windows\System32\pmxmiced.exe
PRC - [2007/04/02 01:15:40 | 000,061,440 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Shared Files\CTDevSrv.exe
PRC - [2006/12/19 17:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
PRC - [2006/11/27 08:14:52 | 000,180,224 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe
PRC - [2006/11/08 14:01:54 | 000,049,152 | ---- | M] (Primax Electronics Ltd.) -- C:\Windows\System32\ico.exe


========== Modules (No Company Name) ==========

MOD - [2013/10/31 15:01:21 | 001,127,152 | ---- | M] () -- C:\ProgramData\Trusteer\Rapport\store\exts\RapportMS\baseline\RapportMS.dll
MOD - [2012/06/27 15:09:06 | 000,557,056 | ---- | M] () -- C:\Program Files\Trusteer\Rapport\bin\js32.dll
MOD - [2010/07/14 15:43:40 | 000,034,816 | ---- | M] () -- C:\Program Files\Google\Google Desktop Search\gzlib.dll
MOD - [2009/05/15 22:22:51 | 000,159,744 | ---- | M] () -- C:\Windows\System32\atitmmxx.dll
MOD - [2006/11/20 12:29:10 | 000,101,376 | ---- | M] () -- C:\Windows\System32\APOMngr.dll
MOD - [2006/11/13 09:07:34 | 000,066,560 | ---- | M] () -- C:\Windows\System32\CmdRtr.dll


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe -- (Symantec RemoteAssist)
SRV - File not found [Auto | Running] -- C:\Program Files\Spybot -- (SBSDWSCService)
SRV - [2013/11/28 10:17:55 | 000,257,416 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/11/15 16:23:34 | 000,119,408 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013/10/25 02:34:06 | 001,444,120 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2013/10/08 07:05:13 | 000,264,360 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton 360 Premier Edition\Engine\21.1.0.18\N360.exe -- (N360)
SRV - [2013/05/10 02:57:22 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/09/18 13:57:18 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2012/09/17 06:39:30 | 000,171,600 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor11.0)
SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2010/01/23 15:18:54 | 000,009,216 | ---- | M] (www.shadowexplorer.com) [Auto | Running] -- C:\Program Files\ShadowExplorer\sesvc.exe -- (sesvc)
SRV - [2009/05/15 22:23:56 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2008/08/13 23:04:44 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter)
SRV - [2008/07/14 07:37:13 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2008/07/14 07:19:58 | 000,072,704 | ---- | M] (Creative Labs) [Auto | Running] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe -- (Creative Labs Licensing Service)
SRV - [2008/05/21 06:42:56 | 000,064,000 | ---- | M] (Creative Technology Ltd) [On_Demand | Stopped] -- C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe -- (CTUPnPSv)
SRV - [2008/04/28 15:56:28 | 000,161,048 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
SRV - [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/12/05 06:17:24 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AERTSrv.exe -- (AERTFilters)
SRV - [2007/04/02 01:15:40 | 000,061,440 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files\Creative\Shared Files\CTDevSrv.exe -- (CTDevice_Srv)
SRV - [2006/12/19 17:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe -- (EpsonBidirectionalService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | Auto | Stopped] -- -- (MCSTRM)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Mom\AppData\Local\Temp\_F625.tmp\FoxAwdWINFLASH.sys -- (FoxAwdWINFLASH)
DRV - [2013/11/22 09:08:21 | 000,376,920 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2013/11/22 09:08:21 | 000,108,120 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2013/11/21 18:43:08 | 000,393,816 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Norton 360 Premier Edition\NortonData\21.1.0.18\Definitions\IPSDefs\20131128.001\IDSvix86.sys -- (IDSVix86)
DRV - [2013/11/15 19:14:55 | 000,142,936 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2013/11/15 01:00:00 | 001,612,376 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Norton 360 Premier Edition\NortonData\21.1.0.18\Definitions\VirusDefs\20131130.007\NAVEX15.SYS -- (NAVEX15)
DRV - [2013/11/15 01:00:00 | 000,093,272 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Norton 360 Premier Edition\NortonData\21.1.0.18\Definitions\VirusDefs\20131130.007\NAVENG.SYS -- (NAVENG)
DRV - [2013/11/01 18:38:10 | 001,096,280 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Norton 360 Premier Edition\NortonData\21.1.0.18\Definitions\BASHDefs\20131114.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2013/10/31 15:01:18 | 000,340,432 | ---- | M] () [Kernel | System | Running] -- C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_59849.sys -- (RapportCerberus_59849)
DRV - [2013/10/25 02:34:18 | 000,230,448 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2013/10/25 02:34:18 | 000,157,264 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys -- (RapportEI)
DRV - [2013/10/25 02:34:18 | 000,108,816 | ---- | M] (Trusteer Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RapportKELL.sys -- (RapportKELL)
DRV - [2013/09/26 22:18:30 | 000,935,512 | R--- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\System32\drivers\N360\1501000.012\SymEFA.sys -- (SymEFA)
DRV - [2013/09/26 21:45:56 | 000,206,936 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\N360\1501000.012\Ironx86.sys -- (SymIRON)
DRV - [2013/09/26 21:26:03 | 000,651,352 | R--- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\N360\1501000.012\srtsp.sys -- (SRTSP)
DRV - [2013/09/25 22:27:59 | 000,383,576 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\N360\1501000.012\symtdiv.sys -- (SYMTDIv)
DRV - [2013/09/25 21:50:25 | 000,127,064 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\N360\1501000.012\ccSetx86.sys -- (ccSet_N360)
DRV - [2013/09/09 21:47:26 | 000,367,704 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\N360\1501000.012\SymDS.sys -- (SymDS)
DRV - [2013/09/09 20:49:48 | 000,032,344 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\N360\1501000.012\srtspx.sys -- (SRTSPX)
DRV - [2011/09/20 17:24:20 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/09/20 17:24:20 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2009/05/15 23:01:23 | 004,933,632 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2009/05/15 23:01:23 | 004,933,632 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2008/01/04 19:34:36 | 000,023,920 | ---- | M] (Webroot Software Inc (www.webroot.com)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sskbfd.sys -- (SSKBFD)
DRV - [2007/06/08 13:15:20 | 000,194,362 | ---- | M] (Jungo) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\windrvr6.sys -- (WinDriver6)
DRV - [2007/06/01 12:41:00 | 000,018,432 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pmxmouse.sys -- (pmxmouse)
DRV - [2007/05/24 15:44:00 | 000,019,008 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pmxusblf.sys -- (pmxusblf)
DRV - [2007/04/29 03:42:24 | 000,228,224 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express)
DRV - [2006/11/10 15:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\afc.sys -- (Afc)
DRV - [2004/01/28 15:03:26 | 000,021,456 | ---- | M] (Texas Instruments Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\SilvrLnk.sys -- (SilverLink)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...ie7&rlz=1I7DKUS

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\SearchScopes,DefaultScope =
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: "false"
FF - prefs.js..browser.startup.homepage: "https://www.facebook...k.com/StarWars"
FF - prefs.js..extensions.enabledAddons: isreaditlater%40ideashower.com:3.0.4
FF - prefs.js..extensions.enabledAddons: %7BE0B8C461-F8FB-49b4-8373-FE32E9252800%7D:5.9.0
FF - prefs.js..extensions.enabledAddons: %7B0153E448-190B-4987-BDE1-F256CADA672F%7D:15.0.6
FF - prefs.js..extensions.enabledAddons: %7B891f0410-aaa2-11e0-9f1c-0800200c9a66%7D:2.4
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:25.0.1
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_9_900_152.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.45.2: C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.45.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.6.14: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.6.14: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.6.14: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.6.14: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=15.0.6.14: c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.3: C:\Users\Mom\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll ( )

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\coFFPlgn\ [2013/12/01 11:37:23 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{0153E448-190B-4987-BDE1-F256CADA672F}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2013/11/04 17:13:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\IPSFF [2013/11/22 07:55:52 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 25.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/11/28 10:09:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 25.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/11/28 11:12:29 | 000,000,000 | ---D | M]

[2009/03/18 09:17:02 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mom\AppData\Roaming\Mozilla\Extensions
[2013/11/28 10:09:02 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mom\AppData\Roaming\Mozilla\Firefox\Profiles\xabetj7a.default-1352070022297\extensions
[2013/10/20 22:39:41 | 000,000,000 | ---D | M] (Evernote Web Clipper) -- C:\Users\Mom\AppData\Roaming\Mozilla\Firefox\Profiles\xabetj7a.default-1352070022297\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}
[2013/06/27 12:32:10 | 000,000,000 | ---D | M] (Pocket) -- C:\Users\Mom\AppData\Roaming\Mozilla\Firefox\Profiles\xabetj7a.default-1352070022297\extensions\[email protected]
[2013/11/28 10:09:02 | 000,109,276 | ---- | M] () (No name found) -- C:\Users\Mom\AppData\Roaming\Mozilla\Firefox\Profiles\xabetj7a.default-1352070022297\extensions\{891f0410-aaa2-11e0-9f1c-0800200c9a66}.xpi
[2013/11/15 16:23:25 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013/11/15 16:23:35 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2013/11/04 17:13:57 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\PROGRAMDATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT
[2009/03/31 21:47:26 | 000,324,976 | ---- | M] (Symantec Corporation) -- C:\Program Files\mozilla firefox\components\coFFPlgn.dll
[2012/11/08 18:44:21 | 000,129,176 | ---- | M] (RealPlayer) -- C:\Program Files\mozilla firefox\plugins\nprpplugin.dll

========== Chrome ==========

CHR - Extension: No name found = C:\Users\Mom\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.5_0\

O1 HOSTS File: ([2012/10/25 18:17:06 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360 Premier Edition\Engine\21.1.0.18\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360 Premier Edition\Engine\21.1.0.18\IPS\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Evernote extension) - {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360 Premier Edition\Engine\21.1.0.18\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [EEventManager] C:\Program Files\Epson Software\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [PMX Daemon] C:\Windows\System32\ICO.EXE (Primax Electronics Ltd.)
O4 - HKLM..\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (Research In Motion Limited)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [UpdReg] C:\Windows\UpdReg.EXE (Creative Technology Ltd.)
O4 - HKLM..\Run: [VolPanel] C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [SoftAuto.exe] C:\Program Files\Creative\Software Update 3\SoftAuto.exe (Creative Technology Ltd)
O4 - HKCU..\Run: [WorkForce 630(Network)] C:\Windows\System32\spool\DRIVERS\W32X86\3\E_FATIGBA.EXE (SEIKO EPSON CORPORATION)
O4 - Startup: C:\Users\Mom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Civilization Registration.lnk = File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowLegacyWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowUnhashedWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O8 - Extra context menu item: Clip Image - C:\Program Files\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=4 File not found
O8 - Extra context menu item: Clip selection - C:\Program Files\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3 File not found
O8 - Extra context menu item: Clip this page - C:\Program Files\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1 File not found
O8 - Extra context menu item: Clip URL - C:\Program Files\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0 File not found
O8 - Extra context menu item: New Note - C:\Program Files\Evernote\Evernote\\EvernoteIERes\NewNote.html ()
O9 - Extra Button: @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\Evernote\Evernote\\EvernoteIERes\AddNote.html ()
O9 - Extra 'Tools' menuitem : @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\Evernote\Evernote\\EvernoteIERes\AddNote.html ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C6A1F688-5AF9-4FBB-B189-4DC686D90729}: DhcpNameServer = 192.168.1.1
O20 - AppInit_DLLs: (c:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll) - c:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll) - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img27.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img27.jpg
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...com [@ = ComFile] -- Reg Error: Key error. File not found
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2013/12/01 11:30:01 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2013/12/01 11:09:24 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2013/11/30 16:47:11 | 000,000,000 | ---D | C] -- C:\Users\Mom\Desktop\win32.downloader files
[2013/11/28 10:09:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2013/11/28 10:08:33 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2013/11/28 10:04:02 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2013/11/28 09:56:33 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2013/11/28 09:55:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
[2013/11/27 23:18:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Oracle
[2013/11/27 13:47:56 | 000,000,000 | ---D | C] -- C:\Users\Mom\Desktop\medical
[2013/11/22 07:48:31 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton 360 Premier Edition
[2013/11/15 16:23:25 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013/11/05 13:06:19 | 000,000,000 | ---D | C] -- C:\Users\Mom\Documents\My Kindle Content
[2013/11/05 13:05:32 | 000,000,000 | ---D | C] -- C:\Users\Mom\AppData\Local\Amazon
[2013/11/05 12:47:19 | 000,000,000 | ---D | C] -- C:\Users\Mom\Documents\My Media
[2013/11/05 12:43:41 | 000,000,000 | ---D | C] -- C:\Users\Mom\AppData\Roaming\OverDrive
[2013/11/03 21:43:54 | 000,000,000 | ---D | C] -- C:\Users\Mom\AppData\Local\NPE
[2013/11/03 21:40:59 | 003,053,496 | ---- | C] (Symantec Corporation) -- C:\Users\Mom\Desktop\NPE(1).exe
[2008/09/08 21:01:15 | 008,318,896 | ---- | C] (Dell, Inc. ) -- C:\Users\Mom\AppData\Roaming\DataSafeDotNet.exe
[4 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/12/01 12:05:04 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/12/01 11:34:29 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013/12/01 11:34:13 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013/12/01 11:34:13 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013/12/01 11:33:56 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/12/01 11:33:45 | 3217,223,680 | -HS- | M] () -- C:\hiberfil.sys
[2013/12/01 11:32:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013/11/28 10:09:07 | 000,001,728 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2013/11/27 22:17:09 | 000,651,024 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/11/27 22:17:09 | 000,123,820 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/11/27 14:25:57 | 000,002,651 | ---- | M] () -- C:\Users\Mom\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2007.lnk
[2013/11/25 18:31:37 | 000,020,410 | ---- | M] () -- C:\Windows\System32\drivers\N360\1501000.012\VT20131125.019
[2013/11/22 07:48:32 | 000,002,237 | ---- | M] () -- C:\Users\Public\Desktop\Norton 360.lnk
[2013/11/22 07:43:26 | 002,542,977 | ---- | M] () -- C:\Windows\System32\drivers\N360\1501000.012\Cat.DB
[2013/11/15 19:14:55 | 000,142,936 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\SYMEVENT.SYS
[2013/11/15 19:14:55 | 000,008,194 | ---- | M] () -- C:\Windows\System32\drivers\SYMEVENT.CAT
[2013/11/15 19:14:55 | 000,000,805 | ---- | M] () -- C:\Windows\System32\drivers\SYMEVENT.INF
[2013/11/14 18:35:57 | 000,001,973 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2013/11/04 14:24:23 | 231,973,022 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2013/11/03 21:40:58 | 003,053,496 | ---- | M] (Symantec Corporation) -- C:\Users\Mom\Desktop\NPE(1).exe
[4 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/11/29 15:14:39 | 3217,223,680 | -HS- | C] () -- C:\hiberfil.sys
[2013/11/28 10:09:05 | 000,001,728 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2013/11/14 08:33:54 | 000,218,228 | ---- | C] () -- C:\Windows\System32\WFP.TMF
[2012/11/19 18:07:45 | 000,102,248 | ---- | C] () -- C:\Users\Mom\GoToAssistDownloadHelper.exe
[2012/09/12 18:46:23 | 000,000,118 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2012/07/16 10:41:55 | 000,043,520 | ---- | C] () -- C:\Windows\System32\CmdLineExt03.dll
[2012/01/11 17:53:49 | 000,000,043 | ---- | C] () -- C:\Users\Mom\jagex_cl_runescape_LIVE1.dat
[2012/01/11 17:41:46 | 000,000,042 | ---- | C] () -- C:\Users\Mom\jagex_cl_runescape_LIVE.dat
[2012/01/11 17:41:46 | 000,000,024 | ---- | C] () -- C:\Users\Mom\random.dat
[2011/07/13 09:12:31 | 000,000,036 | ---- | C] () -- C:\Users\Mom\AppData\Local\housecall.guid.cache
[2011/05/12 13:36:06 | 000,001,940 | ---- | C] () -- C:\Users\Mom\AppData\Local\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2009/07/07 09:28:09 | 000,000,632 | RHS- | C] () -- C:\Users\Mom\ntuser.pol
[2009/04/30 12:06:00 | 000,001,356 | ---- | C] () -- C:\Users\Mom\AppData\Local\d3d9caps.dat
[2009/03/23 10:18:25 | 000,000,123 | ---- | C] () -- C:\Users\Mom\webct_upload_applet.properties
[2009/01/22 16:06:43 | 000,000,035 | ---- | C] () -- C:\Users\Mom\AppData\Roaming\Statdisk.prefs
[2008/09/08 21:00:45 | 000,672,812 | ---- | C] () -- C:\Users\Mom\AppData\Roaming\datasafeupdate.msi
[2008/07/23 18:59:07 | 000,024,206 | ---- | C] () -- C:\Users\Mom\AppData\Roaming\UserTile.png
[2008/07/19 11:31:58 | 000,008,248 | ---- | C] () -- C:\Users\Mom\AppData\Local\en.ini
[2008/07/17 17:18:36 | 000,047,104 | ---- | C] () -- C:\Users\Mom\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2006/11/02 07:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"ThreadingModel" = Both

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 12:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 01:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2009/04/11 01:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2008/07/29 19:12:36 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\BitTorrent
[2010/07/29 15:38:33 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\Blackberry Desktop
[2008/09/15 23:44:52 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2008/07/30 15:13:46 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\DataSafeOnline
[2011/09/23 15:52:21 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\EPSON
[2010/06/12 14:30:59 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\Facebook
[2011/02/12 00:59:38 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\IrfanView
[2010/08/07 20:25:09 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\Leadertech
[2013/11/05 12:43:41 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\OverDrive
[2010/09/13 12:07:00 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\Research In Motion
[2010/05/25 08:05:53 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\Tific
[2010/03/01 20:11:17 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\uTorrent
[2011/03/15 22:27:28 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\www.shadowexplorer.com

========== Purity Check ==========



========== Custom Scans ==========

========== Base Services ==========
SRV - [2006/11/02 04:46:02 | 000,024,576 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\aelupsvc.dll -- (AeLookupSvc)
SRV - [2008/01/20 21:24:17 | 000,033,280 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\appinfo.dll -- (Appinfo)
SRV - [2008/01/20 21:24:14 | 000,059,392 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\alg.exe -- (ALG)
SRV - [2009/04/11 01:28:23 | 000,758,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\qmgr.dll -- (BITS)
SRV - [2009/04/11 01:28:18 | 000,334,848 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\BFE.DLL -- (BFE)
SRV - [2011/11/16 09:12:25 | 000,009,728 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\lsass.exe -- (KeyIso)
SRV - [2009/04/11 01:28:19 | 000,268,800 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\es.dll -- (EventSystem)
SRV - [2008/01/20 21:24:36 | 000,081,920 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\browser.dll -- (Browser)
SRV - [2013/07/07 23:16:55 | 000,133,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\cryptsvc.dll -- (CryptSvc)
SRV - [2009/04/11 01:28:24 | 000,550,400 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\rpcss.dll -- (DcomLaunch)
SRV - [2009/04/11 01:28:18 | 000,204,288 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcsvc.dll -- (Dhcp)
SRV - [2011/03/02 10:44:27 | 000,086,528 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dnsrslvr.dll -- (Dnscache)
SRV - [2008/01/20 21:25:01 | 000,057,344 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\eapsvc.dll -- (EapHost)
SRV - [2009/04/11 01:28:19 | 000,026,112 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\hidserv.dll -- (hidserv)
SRV - [2008/01/20 21:24:09 | 000,288,256 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\ipnathlp.dll -- (SharedAccess)
SRV - [2009/04/11 01:28:20 | 000,364,032 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\IPSECSVC.DLL -- (PolicyAgent)
No service found with a name of MsMpSvc
No service found with a name of NisSrv
SRV - [2009/04/11 01:28:24 | 000,311,808 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\swprv.dll -- (swprv)
SRV - [2008/01/20 21:24:54 | 000,045,056 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\mmcss.dll -- (MMCSS)
SRV - [2008/01/20 21:24:11 | 000,274,432 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\netman.dll -- (Netman)
SRV - [2008/01/20 21:24:23 | 000,237,056 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\netprofm.dll -- (netprofm)
SRV - [2008/01/20 21:23:44 | 000,168,448 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\nlasvc.dll -- (NlaSvc)
SRV - [2008/01/20 21:24:47 | 000,018,432 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\nsisvc.dll -- (nsi)
SRV - [2009/04/11 01:28:25 | 000,222,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpnpmgr.dll -- (PlugPlay)
SRV - [2010/08/17 09:11:37 | 000,128,000 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\spoolsv.exe -- (Spooler)
SRV - [2011/11/16 09:12:25 | 000,009,728 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\lsass.exe -- (ProtectedStorage)
SRV - [2009/04/11 01:28:19 | 000,564,224 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\emdmgmt.dll -- (EMDMgmt)
SRV - [2008/01/20 21:24:19 | 000,090,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\rasauto.dll -- (RasAuto)
SRV - [2009/04/11 01:28:24 | 000,262,144 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\rasmans.dll -- (RasMan)
SRV - [2009/04/11 01:28:24 | 000,550,400 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\rpcss.dll -- (RpcSs)
SRV - [2008/01/20 21:24:35 | 000,019,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\seclogon.dll -- (seclogon)
SRV - [2011/11/16 09:12:25 | 000,009,728 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\lsass.exe -- (SamSs)
SRV - [2009/04/11 01:28:26 | 000,061,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\wscsvc.dll -- (wscsvc)
SRV - [2010/09/06 11:20:29 | 000,125,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\srvsvc.dll -- (LanmanServer)
SRV - [2009/07/10 06:47:42 | 000,247,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\shsvcs.dll -- (ShellHWDetection)
SRV - [2009/04/11 01:27:49 | 003,408,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\SLsvc.exe -- (slsvc)
SRV - [2010/11/04 13:55:12 | 000,601,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\schedsvc.dll -- (Schedule)
SRV - [2009/04/11 01:28:24 | 000,242,688 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\tapisrv.dll -- (TapiSrv)
SRV - [2009/07/10 06:47:42 | 000,247,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\shsvcs.dll -- (Themes)
SRV - [2009/04/11 01:28:23 | 000,153,088 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\profsvc.dll -- (ProfSvc)
SRV - [2009/04/11 01:28:10 | 001,055,232 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\VSSVC.exe -- (VSS)
SRV - [2009/04/11 01:28:18 | 000,315,392 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\audiosrv.dll -- (Audiosrv)
SRV - [2009/04/11 01:28:18 | 000,315,392 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\audiosrv.dll -- (AudioEndpointBuilder)
SRV - [2008/01/20 21:23:27 | 000,104,960 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\sdrsvc.dll -- (SDRSVC)
SRV - [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/04/11 01:28:25 | 001,017,856 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\wevtsvc.dll -- (Eventlog)
SRV - [2009/04/11 01:28:20 | 000,407,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\MPSSVC.dll -- (MpsSvc)
SRV - [2009/04/11 01:28:25 | 000,453,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\wiaservc.dll -- (stisvc)
SRV - [2009/04/11 01:27:45 | 000,073,216 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\msiexec.exe -- (msiserver)
SRV - [2009/04/11 01:28:25 | 000,162,304 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\wbem\WMIsvc.dll -- (Winmgmt)
SRV - [2012/06/02 17:19:17 | 001,933,848 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\wuaueng.dll -- (wuauserv)
SRV - [2009/04/11 01:28:18 | 000,175,616 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\dot3svc.dll -- (dot3svc)
SRV - [2009/07/11 14:01:42 | 000,513,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wlansvc.dll -- (Wlansvc)
SRV - [2009/06/10 06:42:23 | 000,160,256 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\wkssvc.dll -- (LanmanWorkstation)

< %SYSTEMDRIVE%\*.exe >
[2007/11/07 07:03:18 | 000,562,688 | ---- | M] (Microsoft Corporation) -- C:\install.exe

< MD5 for: EXPLORER.EXE >
[2008/10/29 01:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[2008/10/29 01:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\ERDNT\cache\explorer.exe
[2008/10/29 01:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2008/10/29 22:59:17 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\explorer.exe
[2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[2008/10/27 21:15:02 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[2008/01/20 21:24:24 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe

< MD5 for: SERVICES >
[2006/09/18 16:41:30 | 000,017,244 | ---- | M] () MD5=9F534244B7F8F55D5C0BB498D8D481E7 -- C:\Windows\System32\drivers\etc\services
[2006/09/18 16:41:30 | 000,017,244 | ---- | M] () MD5=9F534244B7F8F55D5C0BB498D8D481E7 -- C:\Windows\winsxs\x86_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.0.6000.16386_none_024e4071fa6fea95\services

< MD5 for: SERVICES.CFG >
[2013/09/03 08:53:56 | 000,558,864 | ---- | M] () MD5=4097D9DB7F5DB4533DDA8271136C9B7B -- C:\Program Files\Adobe\Reader 10.0\Reader\Services\Services.cfg
[2011/06/06 12:55:30 | 000,584,045 | R--- | M] () MD5=B82DD53FA8C260DDD7FDC42182DB816E -- C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\services.cfg

< MD5 for: SERVICES.DAT >
[2013/11/05 17:18:20 | 000,003,117 | ---- | M] () MD5=5F3B95A58780ADA3F223F004CDEE9967 -- C:\Users\Mom\AppData\Local\Temp\jrt\services.dat

< MD5 for: SERVICES.EXE >
[2008/01/20 21:24:48 | 000,279,040 | ---- | M] (Microsoft Corporation) MD5=2B336AB6286D6C81FA02CBAB914E3C6C -- C:\Windows\ERDNT\cache\services.exe
[2008/01/20 21:24:48 | 000,279,040 | ---- | M] (Microsoft Corporation) MD5=2B336AB6286D6C81FA02CBAB914E3C6C -- C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2009/04/11 01:27:59 | 000,279,552 | ---- | M] (Microsoft Corporation) MD5=D4E6D91C1349B7BFB3599A6ADA56851B -- C:\Windows\System32\services.exe
[2009/04/11 01:27:59 | 000,279,552 | ---- | M] (Microsoft Corporation) MD5=D4E6D91C1349B7BFB3599A6ADA56851B -- C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe

< MD5 for: SERVICES.EXE.MUI >
[2006/11/02 07:40:53 | 000,017,920 | ---- | M] (Microsoft Corporation) MD5=1626EACF0E7E59F85C59DDDD27C4169C -- C:\Windows\System32\en-US\services.exe.mui
[2006/11/02 07:40:53 | 000,017,920 | ---- | M] (Microsoft Corporation) MD5=1626EACF0E7E59F85C59DDDD27C4169C -- C:\Windows\winsxs\x86_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_6.0.6000.16386_en-us_67c6851b290a1ced\services.exe.mui

< MD5 for: SERVICES.LNK >
[2008/01/20 21:42:58 | 000,001,688 | ---- | M] () MD5=C50AE46E57C3F3FB61A3B3A1E5D9C412 -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\services.lnk
[2008/01/20 21:42:58 | 000,001,688 | ---- | M] () MD5=C50AE46E57C3F3FB61A3B3A1E5D9C412 -- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\services.lnk

< MD5 for: SERVICES.MOCHIADS.COM.SOL >
[2013/01/16 23:22:57 | 000,000,351 | ---- | M] () MD5=C3CE695A0B03A7DFA690E708423306AB -- C:\Users\Mom\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\ETWJS3T8\mochiads.com\services.mochiads.com.sol

< MD5 for: SERVICES.MOF >
[2006/09/18 16:46:11 | 000,002,866 | ---- | M] () MD5=26A11C895A7F0B6D32105EBE127D8500 -- C:\Windows\System32\wbem\services.mof
[2006/09/18 16:46:11 | 000,002,866 | ---- | M] () MD5=26A11C895A7F0B6D32105EBE127D8500 -- C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.mof
[2006/09/18 16:46:11 | 000,002,866 | ---- | M] () MD5=26A11C895A7F0B6D32105EBE127D8500 -- C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.mof

< MD5 for: SERVICES.MSC >
[2006/11/02 07:41:29 | 000,092,745 | ---- | M] () MD5=7A1D35F59468B8118AF5B8E21DF78AE2 -- C:\Windows\System32\en-US\services.msc
[2006/09/18 16:29:40 | 000,092,745 | ---- | M] () MD5=7A1D35F59468B8118AF5B8E21DF78AE2 -- C:\Windows\System32\services.msc
[2006/11/02 07:41:29 | 000,092,745 | ---- | M] () MD5=7A1D35F59468B8118AF5B8E21DF78AE2 -- C:\Windows\winsxs\x86_microsoft-windows-s..cessnapin.resources_31bf3856ad364e35_6.0.6000.16386_en-us_a2085506ff73b6e0\services.msc
[2006/09/18 16:29:40 | 000,092,745 | ---- | M] () MD5=7A1D35F59468B8118AF5B8E21DF78AE2 -- C:\Windows\winsxs\x86_microsoft-windows-servicessnapin_31bf3856ad364e35_6.0.6001.18000_none_cf63e2a445bae4e3\services.msc

< MD5 for: SERVICES.SBS >
[2013/07/16 12:21:30 | 000,034,818 | ---- | M] () MD5=E2ACBC77020C8D5CE97CA61D0D859A44 -- C:\Program Files\Spybot - Search & Destroy\Includes\Services.sbs

< MD5 for: SVCHOST.EXE >
[2008/01/20 21:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\ERDNT\cache\svchost.exe
[2008/01/20 21:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\System32\svchost.exe
[2008/01/20 21:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6001.18000_none_b5bb59a1054dbde5\svchost.exe
[2013/04/04 13:50:32 | 000,218,184 | ---- | M] () MD5=B4C6E3889BB310CA7E974A04EC6E46AC -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe

< MD5 for: USERINIT.EXE >
[2008/01/20 21:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\ERDNT\cache\userinit.exe
[2008/01/20 21:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe
[2008/01/20 21:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe

< MD5 for: WINLOGON.EXE >
[2009/04/11 01:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe
[2009/04/11 01:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2013/04/04 13:50:32 | 000,218,184 | ---- | M] () MD5=B4C6E3889BB310CA7E974A04EC6E46AC -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/01/20 21:24:49 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\ERDNT\cache\winlogon.exe
[2008/01/20 21:24:49 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe

< End of report >


Thanks for all your hard work! :thumbsup:
  • 0

#6
Valinorum

Valinorum

    GeekU Guardian Bot

  • GeekU Moderator
  • 2,916 posts
Hi hel26, :)

I only got one OTL log this time. Did I do something wrong?

It is okay. OTL does not create the Extras.txt unless specified except in the first run.

  • Step #4 Fix with OTL
  • Re-run OTL by right clicking and choosing Run as administrator;
  • Under the Custom Scans/Fixes Box copy and paste the following contents inside the quote box. (Do not include the word 'quote').

    :Commands
    [createrestorepoint]

    :OTL
    [2013/11/30 16:47:11 | 000,000,000 | ---D | C] -- C:\Users\Mom\Desktop\win32.downloader files
    [2011/05/12 13:36:06 | 000,001,940 | ---- | C] () -- C:\Users\Mom\AppData\Local\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
    [2008/07/29 19:12:36 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\BitTorrent
    [2010/03/01 20:11:17 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\uTorrent

    :Commands
    [Emptytemp]

  • Click on "Run Fix" and let the program run unhindered;
  • Your PC will reboot automatically and a log will be opened;
  • Please post it in your next reply.

 

  • Step #5 Scan with Malwarebytes' Anti-Malware

  • Re-run Malwarebytes' Anti-Malware;
  • Make sure a check mark is placed next to Update Malwarebytes' Anti-Malware.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan. The scan may take some time to finish, so please be patient.
    Posted Image
  • When the scan is complete, click OK, then Show Results to view the results.
    Posted Image
  • Make sure that everything is checked, and click Remove Selected.
    Posted Image
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. Restart if it tells you to.
  • The log is automatically saved by Malwarebytes' Anti-Malware and can be viewed by clicking the Logs tab in the interface.
  • Copy and paste the entire report in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

 

  • Step #6 Run ESET Online Scanner

    Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

    Vista / 7 users: You will need to to right-click on the either the Internet Explorer or Firefox icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
    • Please go here then click on: Posted Image

      Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
      All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

    • Select the option YES, I accept the Terms of Use then click on:Posted Image
    • When prompted allow the Add-On/Active X to install.
    • Uncheck the box beside Remove Found Threats
    • Make sure that the option Scan archives is checked.
    • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on:Posted Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Wait for the scan to finish. Do not touch either the Mouse or keyboard during the scan. Otherwise it may stall.


When The Scan is Complete:

  • If No Threats Were Found:

    • Put a checkmark in "Uninstall application on close"
    • Close the program
    • Report to me that nothing was found
  • If Threats Were Found:
    • Click on "list of threats found"
    • Click on "export to text file" and save it to the desktop as ESET SCAN.txt
    • Click on Back
    • Put a checkmark in "Uninstall application on close" (Be sure you have saved the file first)
    • Click on Finish
    • Close the program
    • Copy and paste the report here


Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
 

How is your PC running?

 

  • Required Log(s):
  • OTL fix log;
  • MBAM Log;
  • ESET Scan log.

Regards,
Valinorum
  • 1

#7
hel26

hel26

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Hello
I have forseen that you will soon ransack the malware empire that wishes to destroy me.
:happy:

I did the scans you requested and posted them below. Two things happened before I ran them, however.
1. I had made a desktop folder for all these text files, and it disappeared after rebooting the last time.
2. Norton 360 popped up to say it detected and removed "suspicious.cloud.5"

Not sure if it matters, but I thought you might like to know.

Fix with OTL

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
C:\Users\Mom\Desktop\win32.downloader files folder moved successfully.
C:\Users\Mom\AppData\Local\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini moved successfully.
C:\Users\Mom\AppData\Roaming\BitTorrent folder moved successfully.
C:\Users\Mom\AppData\Roaming\uTorrent folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Maggie
->Temp folder emptied: 605235 bytes
->Temporary Internet Files folder emptied: 478388 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 35617449 bytes
->Flash cache emptied: 8662 bytes

User: Mom
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1618274 bytes
->Java cache emptied: 3702490 bytes
->FireFox cache emptied: 143189762 bytes
->Google Chrome cache emptied: 7370356 bytes
->Flash cache emptied: 283585 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 1004391785 bytes

Total Files Cleaned = 1,142.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 12012013_165138

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


MBAM (nothing was found)

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
C:\Users\Mom\Desktop\win32.downloader files folder moved successfully.
C:\Users\Mom\AppData\Local\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini moved successfully.
C:\Users\Mom\AppData\Roaming\BitTorrent folder moved successfully.
C:\Users\Mom\AppData\Roaming\uTorrent folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Maggie
->Temp folder emptied: 605235 bytes
->Temporary Internet Files folder emptied: 478388 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 35617449 bytes
->Flash cache emptied: 8662 bytes

User: Mom
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1618274 bytes
->Java cache emptied: 3702490 bytes
->FireFox cache emptied: 143189762 bytes
->Google Chrome cache emptied: 7370356 bytes
->Flash cache emptied: 283585 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 1004391785 bytes

Total Files Cleaned = 1,142.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 12012013_165138

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...



ESET SCAN


C:\MGtools\Process.exe Win32/PrcView application
C:\Users\Mom\Desktop\firefox files\Old Firefox Data\extensions\[email protected] JS/Redirector.NCA trojan
  • 0

#8
Valinorum

Valinorum

    GeekU Guardian Bot

  • GeekU Moderator
  • 2,916 posts
Hi hel26, :)

I have forseen that you will soon ransack the malware empire that wishes to destroy me.
:happy:

Just like Cap'n Edward :lol:
http://www.youtube.com/watch?v=qkalbvrxX2Y&feature=youtu.be&t=1m30s

1. I had made a desktop folder for all these text files, and it disappeared after rebooting the last time.

Was the folder called win32.downloader files by any chance? I removed it earlier thinking it may contain unwanted files. If you require, I can bring it back.

2. Norton 360 popped up to say it detected and removed "suspicious.cloud.5"

Norton is doing its job. Can you do a full system scan and remove things it finds. But do this after completing the following steps. :)

Also, I see you have a folder called firefox files on your Desktop. Do you require this folder? If you do not wish to keep it, delete it and empty your recycle bin. :)

 

  • Step #7 Fix with OTL
  • Re-run OTL by right clicking and choosing Run as administrator;
  • Under the Custom Scans/Fixes Box copy and paste the following contents inside the quote box. (Do not include the word 'quote').

    :Commands
    [createrestorepoint]
    :Files
    C:\Users\Mom\Desktop\firefox files\Old Firefox Data\extensions\[email protected]

    :Commands
    [Emptytemp]

  • Click on "Run Fix" and let the program run unhindered;
  • Your PC will reboot automatically and a log will be opened;
  • Please post it in your next reply.

 

Any issues are you facing?

 

  • Required Log(s):
  • OTL Fix Log.

Regards,
Valinorum
  • 1

#9
hel26

hel26

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Hello Valinorum, my faithful warrior :happy:

Thanks for removing the win32 downloader file. I deleted the old firefox file as well. I have no idea what it's for.

Here's the latest OTL fix file:

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== FILES ==========
File\Folder C:\Users\Mom\Desktop\firefox files\Old Firefox Data\extensions\[email protected] not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Maggie
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Mom
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33608 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 47911164 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 602 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 286575134 bytes

Total Files Cleaned = 319.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 12022013_105626

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...



I did the Norton360 full system scan and it found nothing.

We are into Assassin's creed at my house. I am planning on getting this game for Christmas, so thanks for the preview video! You are a full service malware expert.

I await your next orders...
  • 0

#10
Valinorum

Valinorum

    GeekU Guardian Bot

  • GeekU Moderator
  • 2,916 posts
Hi hel26, :)

We are into Assassin's creed at my house. I am planning on getting this game for Christmas, so thanks for the preview video!

I am sure you will enjoy the game. :)

You are a full service malware expert.

Thanks you but not yet. I am still a trainee here. Maybe one day I can be an expert as this site has meticulous amount of resources and teachers.

 

I see no infection present in your system. If you are not having any further problem, I declare you ALL CLEAN.

 

♣ Removal of Tools and Quarantined Files ♣


 

Despite the tools we have used are clean, they are powerful removal tools and made in a way so that they carry out any commands given to them without (most cases) asking for a confirmation. In the hands of an inept person, they can make the machine un-bootable -- a scenario we do not wish to see. Also, we need to remove the quarantined files/folders from your system as a dormant malware can be as bad as active ones if given the proper environment. I will now give you the guidelines to remove the tools and the quarantined files from your system.

  • Cleanup with OTL
  • Re-run OTL by right clicking and choosing Run as administrator;
  • Under the Custom Scans/Fixes Box copy and paste the following contents inside the quote box. (Do not include the word 'quote').

    :Files
    %systemroot%\sysnative\vssadmin delete shadows /for=c: /all /quiet /c

    :Commands
    [CreateRestorePoint]

  • Click on "Run Fix" and let the program run unhindered;
  • Reboot your PC;
  • Re-run OTL and click Cleanup. It will remove OTL and the quarantined files.

Update Adobe Flash Player
Your Adobe Flash Player is out of date. Older version contains vulnerability that can be used to exploit your system. Please uninstall it from the Uninstall list and download a fresh copy from here. Make sure to un-tick the McAfee Security optional download.
Java Warning:
Java is currently one of the most targeted programs by the Malware writers. The Department of Homeland Security recommends that computer users disable Java. Please acknowledge yourself with the following articles.

I would suggest that you completely uninstall Java unless you need it for important software to run. In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. Please read the following --

 

♣ Prevention and Future Guidelines ♣


 

Prevention is better than cure -- goes the old saying. As much as we love to see you visit our site, we do not want to see you having your PC infected by malwares again.

  • Keep Windows up-to-date.
    It is extremely important that you keep your operating system (Windows) updated when updates are made available. It is set to alert you, so be sure not to ignore these notices and to allow the updates to install. Many of these are critical security packages which could very possibly be the difference between your picking up a future infiltration and simply passing right by it unharmed.
  • Run antivirus software and keep it up-to-date, too.
    Antivirus software is your safety net if all other protections fail. The first line of defense is smart computing, of course, but everyone needs a backup. I'd recommend Microsoft Security Essentials or avast!, both of which are excellent, as well as free. Once they're installed, check periodically to ensure they have been successfully updating as well. An out-of-date antivirus is not a happy antivirus!
  • Keep your web browser plugins and other programs updated also.
    This tip is rarely shared by technicians and its importance is not widely recognized, but it's absolutely critical. Programs such as Java, Adobe Flash Player and Adobe Reader, Internet Explorer, and myriad other such web-exposed items are deeply vulnerable to attack, which can quickly lead to a hopelessly infected system no matter what protection you currently have installed. The reason is that these programs are ubiquitous, but are also not perfect and are extremely complex... and as such, security vulnerabilities are discovered and exploited by hackers hoping to gain control over your machine. By performing every update for these programs as soon as it's made available, you will greatly reduce your exposure to dangerous internet threats.

    A great way to do this is to install the Filehippo Update Checker and run it regularly. Also, try not to ignore any notifications you receive regarding updates to programs already installed on your PC.

    No scripts is an excellent security device too. I like it but it is not for everyone because it requires you to take action if you want to see some things (pop ups, banners etc.) on sites you visit.

    Download NoSript by Giorgio Maone.

    Note: Sometimes you will get a site telling you that you need to install Java when actually all you need to do is enable the site through the no script icon down on the right hand side of your computer.
  • Watch out for new threat named CryptoLocker
    CryptoLocker is a new type ransomware family malware that encrypts your important files and asks for a ransom to decrypt them. At the moment of posting this reply there are no tools that can undo the havoc this malware causes. We can help you to remove the malware from your system but the files that was encrypted cannot be recovered without the decryption key. So, I ask for your forbearance and practice constant vigilance. Please read the following article to acknowledge yourself about the safety measures.
    How to prevent your computer from becoming infected by CryptoLocker.
  • And last of all, surf smart.
    It doesn't matter how well the autopilot system works if the pilot keeps flying the plane into mountain ranges. Don't forget that no matter how much you have protecting yourself, your security ultimately begins and ends with you. Don't visit dangerous or questionable web sites, avoid suspicious links on Facebook and emails/email attachments you're unsure about, and just generally keep your wits about you, and you'll be much safer. Also, avoid illegal downloads, cracks, "warez", and all other too-good-to-be-true internet offerings: they're typically laden with malware. Be smart and you can avoid most threats lurking about the darker corners of the internet! And for even more tips, see our article, How Did I Get Infected in the First Place?

Regards,
Valinorum
  • 0

Advertisements


#11
hel26

hel26

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Hello Valinorum
Thank you for destroying my foe! :thumbsup:

I appreciate your tips and suggestions. I've already gotten rid of Java and updated Flash player. I installed File Hippo and I'm seeing how it works. I have a couple of questions, if you can spare the time.

1. I'd like to add NoScript Do I still need it if I uninstalled Java? I don't really know what script is, obviously :whistling:

2. For Cryptolocker, It makes sense to use the cryptoprevent, but it kind of looks like something for a more tech-savvy person. I mean,it's kind of overwhelming-looking. If I follow the steps carefully, do you think it will go smoothly?

Thanks!
  • 0

#12
hel26

hel26

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
I just read the article you recommended "how did I get infected" and wonder if you recommend I do any of those below as well. :confused:

- Javacool's spyware blaster and spywareguard
- MVPS HOSTS
- Mcafee site advisor
- Secunia Personal Software Inspector (PSI) (this seems just like the file hippo to me)

Steps 2&3 in the article only apply to IE, correct? If I use firefox, I don't need to worry about those things. Or do I? :unsure:

Thanks again.
  • 0

#13
Valinorum

Valinorum

    GeekU Guardian Bot

  • GeekU Moderator
  • 2,916 posts
Hi hel26, :)

Thank you for destroying my foe!

My pleasure. :)

1. I'd like to add NoScript Do I still need it if I uninstalled Java? I don't really know what script is, obviously :whistling:

Java and JavaScript are two different things. The later one is required to function many webites properly. But this can be exploited and if a dodgy website is opened and the JavaScript on that site is run, it will infect your PC. With the aforementioned tool, you can turn off JavaScript while visiting unknown/suspicious sites. Read this for more information regarding the difference between Java and JavaScript.

2. For Cryptolocker, It makes sense to use the cryptoprevent, but it kind of looks like something for a more tech-savvy person. I mean,it's kind of overwhelming-looking. If I follow the steps carefully, do you think it will go smoothly?

Better safe than sorry. :) The reason why we urge you to use Software Restriction Policy is because this is a new threat (first spotted on September, 2013) and we were unable to come up with a decryption method. Our experts and developers are working on it and soon we will present a decryption method even if you get infected. Till then, constant vigilance is your weapon against it. I'd hate to see your important project files getting encrypted and you are either reiterating the whole process or paying the ransom.
Read and re-read the whole article. It is worth a read. Make a new system restore point and use the automated tool as manual steps tend to be over-whelming if you do not know what you are doing.

I just read the article you recommended "how did I get infected" and wonder if you recommend I do any of those below as well. :confused:

- Javacool's spyware blaster and spywareguard
- MVPS HOSTS
- Mcafee site advisor
- Secunia Personal Software Inspector (PSI) (this seems just like the file hippo to me)

Use MVPS HOSTS. They add infected/poor reputation sites to your host file. So, when you try to access those site, even clicking it mistakenly, your browser won't connect to the site thus you will be on the safe side. I'd say this will suffice for your system if an assumption can be made that you have followed my previous steps. :)

Steps 2&3 in the article only apply to IE, correct? If I use firefox, I don't need to worry about those things. Or do I? :unsure:

Yes, they do. I'd urge you not to disregard the steps even if you do not use Internet Explorer as many day-to-day applications you run use the aforementioned browser's technology to update or gather information. If it left alone, it can be exploited. Also, make use your Internet Explorer is up-to-date as well. If you are unsure, please click here to check.

Regards,
Valinorum
  • 1

#14
hel26

hel26

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
I want to sincerely thank you for all the help you've given me. I will try to implement all your suggestions so as maybe to avoid this in the future. Good luck in your future missions. I hope you destroy many other evil villains, and that you graduate with full honors! :cheers:
  • 0

#15
Valinorum

Valinorum

    GeekU Guardian Bot

  • GeekU Moderator
  • 2,916 posts
Thank you for the kind words. Surf safely. :)
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP