Trojan.downloader9.55030 [Solved]


  • This topic is locked

#1 mango_nj
Member, 206 posts
Laptop suddenly stopped loading webpages last night. Figured my internet connection was down and called my provider. They found that my DNS was changed and the address goes here:

Trojan.downloader9.55030

It releases a program called resetdns.exe

I was told there may be a file on my system called Looksafeutility and that is where it may be. This file is in my program folder. I asked if I deleted that file, would it be safe to do so. He told me it may be buried in something I need on my system and deleting the file may cause problems. I was advised to run Malwarebytes to get rid of it, then run my antivirus. I did both in safe mode and nothing was found.

My provider instructed me how to change things back if this happened again, but I will have to keep doing it. So far my connection has stayed on, but I was told it will revert if this evil is still there. Don't know how long it's been there.
Please help! Thank you.



OTL logfile created on: 2/10/2014 2:40:10 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Owner\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.43 Gb Total Physical Memory | 0.25 Gb Available Physical Memory | 17.51% Memory free
3.12 Gb Paging File | 1.65 Gb Available in Paging File | 53.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 65.26 Gb Total Space | 19.26 Gb Free Space | 29.51% Space Free | Partition Type: NTFS
Drive D: | 9.27 Gb Total Space | 3.58 Gb Free Space | 38.61% Space Free | Partition Type: NTFS

Computer Name: OWNER-PC | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2014/02/10 14:32:07 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe
PRC - [2014/02/05 15:15:20 | 000,275,568 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2014/02/05 03:39:29 | 001,863,048 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe
PRC - [2014/01/27 18:00:00 | 000,564,072 | R--- | M] (WinZip Computing, S.L.) -- C:\Program Files\WinZip\WZQKPICK32.EXE
PRC - [2013/12/18 10:42:32 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2013/09/26 15:41:52 | 000,153,776 | ---- | M] (WinZip Computing International, LLC) -- C:\Program Files\File Association Helper\FAHWindow.exe
PRC - [2013/04/04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2013/04/04 14:50:32 | 000,532,040 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012/09/07 01:40:01 | 000,952,496 | ---- | M] () -- C:\Program Files\Lexmark Pro710 Series\LMADImon.exe
PRC - [2010/11/02 22:06:06 | 000,365,336 | ---- | M] (Kaspersky Lab ZAO) -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
PRC - [2009/05/14 17:07:14 | 000,759,048 | ---- | M] (ABBYY) -- C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
PRC - [2009/04/10 22:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2007/06/05 12:20:32 | 000,177,704 | ---- | M] () -- C:\Windows\System32\PSIService.exe


========== Modules (No Company Name) ==========

MOD - [2014/02/05 15:15:16 | 003,583,600 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2014/02/05 03:39:28 | 016,287,624 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32_12_0_0_44.dll
MOD - [2012/09/07 01:40:01 | 000,952,496 | ---- | M] () -- C:\Program Files\Lexmark Pro710 Series\LMADImon.exe
MOD - [2012/08/22 05:05:46 | 001,490,944 | ---- | M] () -- C:\Program Files\Lexmark Pro710 Series\LMabdrs.dll
MOD - [2007/01/25 20:11:36 | 000,159,744 | ---- | M] () -- C:\Windows\System32\atitmmxx.dll


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Windows\system32\wbengine.exe -- (wbengine)
SRV - [2014/02/05 03:39:34 | 000,257,928 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/12/18 10:42:32 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2013/10/25 17:53:33 | 000,119,408 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013/04/04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2011/02/02 11:00:32 | 000,052,288 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper)
SRV - [2010/11/02 22:06:06 | 000,365,336 | ---- | M] (Kaspersky Lab ZAO) [Auto | Running] -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe -- (AVP)
SRV - [2009/05/14 17:07:14 | 000,759,048 | ---- | M] (ABBYY) [Auto | Running] -- C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe -- (ABBYY.Licensing.FineReader.Sprint.9.0)
SRV - [2008/01/18 23:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/06/05 12:20:32 | 000,177,704 | ---- | M] () [Auto | Running] -- C:\Windows\System32\PSIService.exe -- (ProtexisLicensing)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2013/11/12 16:08:28 | 000,488,536 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\Windows\System32\drivers\klif.sys -- (KLIF)
DRV - [2013/11/07 14:15:35 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\sptd.sys -- (sptd)
DRV - [2013/04/04 14:50:32 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2010/06/09 16:43:52 | 000,011,352 | ---- | M] (Kaspersky Lab ZAO) [Kernel | System | Running] -- C:\Windows\System32\drivers\kl2.sys -- (kl2)
DRV - [2010/06/09 16:43:50 | 000,132,184 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\kl1.sys -- (KL1)
DRV - [2010/04/22 18:07:34 | 000,022,104 | ---- | M] (Kaspersky Lab ZAO) [Kernel | System | Running] -- C:\Windows\System32\drivers\klim6.sys -- (KLIM6)
DRV - [2009/11/02 19:27:16 | 000,019,984 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\klmouflt.sys -- (klmouflt)
DRV - [2007/04/11 14:33:06 | 000,079,376 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LMouKE.Sys -- (LMouKE)
DRV - [2007/04/11 14:32:58 | 000,036,112 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2007/04/11 14:32:52 | 000,034,832 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2007/04/11 14:32:38 | 000,063,248 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\L8042mou.Sys -- (L8042mou)
DRV - [2007/04/11 14:32:30 | 000,020,496 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\L8042Kbd.sys -- (L8042Kbd)
DRV - [2007/01/25 20:19:46 | 002,387,456 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2006/11/01 23:41:50 | 000,983,552 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/11/01 23:30:56 | 000,311,808 | ---- | M] (Realtek) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTL85n86.sys -- (RTL85n86)
DRV - [2006/10/06 14:59:06 | 000,044,224 | R--- | M] (BVRP Software) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = localhost:8080

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:27.0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_44.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\FFExt\[email protected] [2013/11/12 16:39:13 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\FFExt\[email protected] [2013/11/12 16:39:12 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 27.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 27.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012/04/05 18:03:25 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Owner\AppData\Roaming\Mozilla\Extensions
[2014/01/20 06:46:13 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\0zmjktat.default-1386741420574\extensions
[2014/01/20 06:46:13 | 000,120,471 | ---- | M] () (No name found) -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\0zmjktat.default-1386741420574\extensions\{b9acf540-acba-11e1-8ccb-001fd0e08bd4}.xpi
[2014/01/16 06:46:13 | 000,940,775 | ---- | M] () (No name found) -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\0zmjktat.default-1386741420574\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2014/02/05 15:14:41 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2014/02/05 15:15:22 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

O1 HOSTS File: ([2013/12/11 16:00:14 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\ievkbd.dll (Kaspersky Lab ZAO)
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll (Kaspersky Lab ZAO)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe (Kaspersky Lab ZAO)
O4 - HKLM..\Run: [FAHConsole] C:\Program Files\File Association Helper\FAHConsole.exe (WinZip Computing International, LLC)
O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
O4 - HKLM..\Run: [LMADImon] C:\Program Files\Lexmark Pro710 Series\LMADImon.exe ()
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [LMADImon] C:\Program Files\Lexmark Pro710 Series\LMADImon.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: EnableShellExecuteHooks = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll (Kaspersky Lab ZAO)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll (Kaspersky Lab ZAO)
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O16 - DPF: {CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.186.46.5 208.186.47.5 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6FBD5B69-E619-4515-84DD-5ACB9E1CE4DC}: DhcpNameServer = 208.186.46.5 208.186.47.5 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7304F139-455B-4604-934F-3AE9A180E444}: NameServer = 208.69.150.252,208.69.150.250
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\klogon: DllName - (C:\Windows\system32\klogon.dll) - C:\Windows\System32\klogon.dll (Kaspersky Lab ZAO)
O24 - Desktop WallPaper: C:\Users\Owner\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Owner\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {4F07DA45-8170-4859-9B5F-037EF2970034} - No CLSID value found.
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 13:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...com [@ = ComFile] -- Reg Error: Key error. File not found
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2014/02/10 14:32:06 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe
[2014/02/10 14:31:57 | 000,000,000 | ---D | C] -- C:\Users\Owner\Desktop\Desktop
[2014/02/05 17:57:57 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jasc Software
[2014/02/05 17:50:21 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Local\WinZip
[2014/02/05 17:49:31 | 000,000,000 | ---D | C] -- C:\Program Files\File Association Helper
[2014/02/05 17:49:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZip
[2014/02/05 17:47:55 | 000,000,000 | ---D | C] -- C:\ProgramData\WinZip
[2014/02/05 17:47:50 | 000,000,000 | ---D | C] -- C:\Program Files\WinZip
[2014/02/05 15:14:40 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2014/02/04 22:37:42 | 000,000,000 | ---D | C] -- C:\Program Files\Jasc Software Inc
[2014/02/04 14:09:27 | 000,000,000 | ---D | C] -- C:\Users\Owner\Desktop\EP
[2014/01/16 21:51:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2014/01/16 21:51:34 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2014/01/16 21:51:34 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[2 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2014/02/10 14:39:01 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2014/02/10 14:32:07 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe
[2014/02/10 14:20:55 | 000,003,648 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2014/02/10 14:20:54 | 000,003,648 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2014/02/10 14:17:26 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014/02/10 14:14:27 | 000,137,948 | ---- | M] () -- C:\Users\Owner\Documents\Experience Project.rtf
[2014/02/09 19:34:30 | 000,023,539 | ---- | M] () -- C:\Users\Owner\Documents\WISH LIST.rtf
[2014/02/09 01:33:04 | 000,001,708 | ---- | M] () -- C:\Users\Owner\Documents\experience p.rtf
[2014/02/08 21:21:31 | 000,064,228 | ---- | M] () -- C:\Users\Owner\Documents\quotes.rtf
[2014/02/07 20:16:21 | 000,002,597 | ---- | M] () -- C:\Users\Owner\Desktop\Paint Shop Pro 7.lnk
[2014/02/06 13:00:05 | 000,000,534 | ---- | M] () -- C:\Users\Owner\Documents\SS.rtf
[2014/02/06 12:56:15 | 000,051,229 | ---- | M] () -- C:\Users\Owner\Documents\lights.rtf
[2014/02/05 17:49:01 | 000,001,854 | ---- | M] () -- C:\Users\Public\Desktop\WinZip.lnk
[2014/02/05 17:49:00 | 000,001,800 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
[2014/02/04 16:29:43 | 000,129,229 | ---- | M] () -- C:\Users\Owner\Documents\experience project Andrew.rtf
[2014/02/04 02:31:59 | 000,007,811 | ---- | M] () -- C:\Users\Owner\Documents\experience project2.rtf
[2014/02/01 13:25:22 | 000,094,872 | ---- | M] () -- C:\Users\Owner\Documents\experience project Andrew22.rtf
[2014/01/30 07:29:26 | 000,001,339 | ---- | M] () -- C:\Users\Owner\Documents\Marcus Cover Letter.rtf
[2014/01/28 21:39:03 | 000,000,650 | ---- | M] () -- C:\Users\Owner\Documents\names.rtf
[2014/01/28 06:06:01 | 000,001,061 | ---- | M] () -- C:\Users\Owner\Documents\experience project pages.rtf
[2014/01/22 09:34:11 | 000,004,549 | ---- | M] () -- C:\Users\Owner\Documents\maori and new zealand.rtf
[2014/01/22 07:30:49 | 001,913,229 | ---- | M] () -- C:\Users\Owner\Documents\Untitled (7).wma
[2014/01/22 07:28:07 | 000,251,929 | ---- | M] () -- C:\Users\Owner\Documents\Untitled (6).wma
[2014/01/22 07:27:41 | 000,224,989 | ---- | M] () -- C:\Users\Owner\Documents\Untitled (5).wma
[2014/01/22 07:26:48 | 000,166,619 | ---- | M] () -- C:\Users\Owner\Documents\Untitled (4).wma
[2014/01/22 07:26:29 | 000,512,349 | ---- | M] () -- C:\Users\Owner\Documents\Untitled (3).wma
[2014/01/22 07:25:27 | 000,615,619 | ---- | M] () -- C:\Users\Owner\Documents\Untitled (2).wma
[2014/01/22 07:14:03 | 000,588,679 | ---- | M] () -- C:\Users\Owner\Documents\Untitled.wma
[2014/01/21 10:46:09 | 000,002,575 | ---- | M] () -- C:\Users\Owner\Documents\computer symbols typing.rtf
[2014/01/16 21:51:38 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[2 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]

========== Files Created - No Company Name ==========

[2014/02/08 22:51:51 | 000,001,708 | ---- | C] () -- C:\Users\Owner\Documents\experience p.rtf
[2014/02/06 12:58:40 | 000,000,534 | ---- | C] () -- C:\Users\Owner\Documents\SS.rtf
[2014/02/05 17:57:57 | 000,002,597 | ---- | C] () -- C:\Users\Owner\Desktop\Paint Shop Pro 7.lnk
[2014/02/05 17:49:01 | 000,001,854 | ---- | C] () -- C:\Users\Public\Desktop\WinZip.lnk
[2014/02/05 17:48:47 | 000,001,800 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
[2014/02/04 02:28:06 | 000,007,811 | ---- | C] () -- C:\Users\Owner\Documents\experience project2.rtf
[2014/01/27 23:46:19 | 000,001,061 | ---- | C] () -- C:\Users\Owner\Documents\experience project pages.rtf
[2014/01/25 14:46:01 | 000,094,872 | ---- | C] () -- C:\Users\Owner\Documents\experience project Andrew22.rtf
[2014/01/23 03:49:07 | 000,129,229 | ---- | C] () -- C:\Users\Owner\Documents\experience project Andrew.rtf
[2014/01/22 07:30:48 | 001,913,229 | ---- | C] () -- C:\Users\Owner\Documents\Untitled (7).wma
[2014/01/22 07:28:07 | 000,251,929 | ---- | C] () -- C:\Users\Owner\Documents\Untitled (6).wma
[2014/01/22 07:27:41 | 000,224,989 | ---- | C] () -- C:\Users\Owner\Documents\Untitled (5).wma
[2014/01/22 07:26:48 | 000,166,619 | ---- | C] () -- C:\Users\Owner\Documents\Untitled (4).wma
[2014/01/22 07:26:29 | 000,512,349 | ---- | C] () -- C:\Users\Owner\Documents\Untitled (3).wma
[2014/01/22 07:25:27 | 000,615,619 | ---- | C] () -- C:\Users\Owner\Documents\Untitled (2).wma
[2014/01/22 07:14:03 | 000,588,679 | ---- | C] () -- C:\Users\Owner\Documents\Untitled.wma
[2014/01/21 17:34:35 | 000,004,549 | ---- | C] () -- C:\Users\Owner\Documents\maori and new zealand.rtf
[2014/01/16 21:51:38 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/11/14 21:02:23 | 000,000,510 | ---- | C] () -- C:\Windows\WORDPAD.INI
[2013/11/12 16:17:06 | 000,116,189 | ---- | C] () -- C:\Windows\System32\drivers\klin.dat
[2013/11/12 16:17:06 | 000,098,168 | ---- | C] () -- C:\Windows\System32\drivers\klick.dat
[2013/11/07 09:26:10 | 000,000,408 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\CamShapes.ini
[2013/11/07 09:26:10 | 000,000,408 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\CamLayout.ini
[2013/11/07 09:26:10 | 000,000,100 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\Camdata.ini
[2013/11/07 09:20:49 | 000,000,096 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\version2.xml
[2013/10/02 16:16:23 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2013/09/26 11:14:34 | 000,006,169 | -H-- | C] () -- C:\Windows\System32\BTImages.dat
[2013/06/22 19:58:01 | 000,000,114 | -H-- | C] () -- C:\Users\Owner\AppData\Local\tokdet56.dat
[2013/05/18 23:01:40 | 000,053,248 | ---- | C] () -- C:\Windows\System32\CommonDL.dll
[2013/05/18 23:01:40 | 000,002,413 | ---- | C] () -- C:\Windows\System32\lgAxconfig.ini
[2013/04/27 12:58:00 | 000,000,079 | ---- | C] () -- C:\Windows\WinInit.Ini
[2013/04/19 22:43:38 | 000,421,888 | ---- | C] ( ) -- C:\Windows\System32\lexlog.dll
[2013/04/19 22:36:49 | 001,069,056 | ---- | C] ( ) -- C:\Windows\System32\LMFX1Nlang.dll
[2013/04/19 22:36:49 | 000,430,080 | ---- | C] ( ) -- C:\Windows\System32\LMFX1Ncomc.dll
[2013/04/19 22:36:49 | 000,204,800 | ---- | C] ( ) -- C:\Windows\System32\LMFX1Ninpa.dll
[2013/04/19 22:35:55 | 001,077,248 | ---- | C] ( ) -- C:\Windows\System32\LMADIQlang.dll
[2013/04/19 22:35:55 | 000,430,080 | ---- | C] ( ) -- C:\Windows\System32\LMADIQcomc.dll
[2013/04/19 22:35:55 | 000,204,800 | ---- | C] ( ) -- C:\Windows\System32\LMADIQinpa.dll
[2013/03/19 19:58:38 | 000,000,207 | ---- | C] () -- C:\Windows\tweaking.com-regbackup-OWNER-PC-Microsoft®-Windows-Vista™-Home-Basic-(32-bit).dat
[2013/01/19 01:52:09 | 000,000,022 | ---- | C] () -- C:\Users\Owner\AppData\Local\xftredahs.dat
[2011/08/20 21:57:13 | 000,017,408 | ---- | C] () -- C:\Users\Owner\AppData\Local\WebpageIcons.db
[2010/01/26 13:22:21 | 000,000,680 | ---- | C] () -- C:\Users\Owner\AppData\Local\d3d9caps.dat
[2008/12/13 13:59:46 | 000,000,560 | ---- | C] () -- C:\ProgramData\lxdf
[2007/10/14 18:26:28 | 000,005,632 | ---- | C] () -- C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/10/11 01:04:24 | 000,000,682 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\wklnhst.dat

========== ZeroAccess Check ==========

[2006/11/02 04:51:16 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 09:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\Windows\system32\wbem\fastprox.dll -- [2009/04/10 22:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\Windows\system32\wbem\wbemess.dll -- [2009/04/10 22:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2008/12/13 23:30:31 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\6500 Series
[2013/12/30 17:12:54 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Audacity
[2008/12/13 13:55:37 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Lexmark Productivity Studio
[2013/06/28 05:35:04 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\SanDisk
[2007/10/11 01:04:27 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Template

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:5C321E34

< End of report >


----------------

OTL Extras logfile created on: 2/10/2014 2:40:10 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Owner\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.43 Gb Total Physical Memory | 0.25 Gb Available Physical Memory | 17.51% Memory free
3.12 Gb Paging File | 1.65 Gb Available in Paging File | 53.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 65.26 Gb Total Space | 19.26 Gb Free Space | 29.51% Space Free | Partition Type: NTFS
Drive D: | 9.27 Gb Total Space | 3.58 Gb Free Space | 38.61% Space Free | Partition Type: NTFS

Computer Name: OWNER-PC | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- Reg Error: Key error. File not found
.chm [@ = chm.file] -- Reg Error: Key error. File not found
.cmd [@ = cmdfile] -- Reg Error: Key error. File not found
.com [@ = ComFile] -- Reg Error: Key error. File not found
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 1
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{048EC4B1-7B9B-437D-ACD9-6F0C3128D682}" = rport=138 | protocol=17 | dir=out | app=system |
"{2B213D14-A65C-46B6-B066-6C1B7843C635}" = lport=138 | protocol=17 | dir=in | app=system |
"{2E02E9DA-D954-4502-8331-E95B17684843}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | [email protected],-28539 |
"{496CF423-FB8D-46B0-A63C-7B49312EC362}" = lport=137 | protocol=17 | dir=in | app=system |
"{69FA9359-4FD6-4D79-94A4-4114EDA3DB7D}" = lport=139 | protocol=6 | dir=in | app=system |
"{70CF4561-E1B3-4FBA-B14C-90523A30E461}" = rport=445 | protocol=6 | dir=out | app=system |
"{AE1EBFCD-3117-4EB4-BDCE-313F967BFDDE}" = rport=137 | protocol=17 | dir=out | app=system |
"{BDF430FD-B21A-4D1C-885C-5555463D2AED}" = lport=445 | protocol=6 | dir=in | app=system |
"{DA546AB9-3098-4805-A138-E77E85AD1612}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{EF865607-324A-4F83-A40E-B1FA6DB570CE}" = rport=139 | protocol=6 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{04AA01E9-DCE9-49A8-B7ED-DA47DAF76B6B}" = protocol=6 | dir=in | app=c:\program files\lexmark\status center\lmsmc.exe |
"{07885F0E-9ED4-4E04-9E74-02CD1FEF4CF0}" = protocol=17 | dir=in | app=c:\program files\lexmark\status center\lmsmc.exe |
"{12D28B69-6529-4FE2-BC3B-9B24337B29BA}" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxdftime.exe |
"{13352222-CB9A-4F74-B0B2-1ED6BD48139B}" = protocol=58 | dir=out | [email protected],-28546 |
"{151131AC-168A-4232-9DD8-8CD0C3447298}" = protocol=17 | dir=in | app=c:\program files\lexmark\psu\lmpsu.exe |
"{1CF315ED-8986-49CE-9893-96579A5B6F4D}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe |
"{1DA6627D-ECF2-4734-9165-4AA2DC62D8F4}" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxdfpswx.exe |
"{20DBD894-E623-4417-AE7D-0C3B22B063A8}" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxdfjswx.exe |
"{2667B39B-8337-48E5-901A-6D7FF5D32AE5}" = protocol=6 | dir=in | app=c:\program files\lexmark pro710 series\lmabscw.dll |
"{2841EB6B-A46E-469C-BD60-1D3F73608D6F}" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxdfpswx.exe |
"{39DD502B-A790-44B4-977B-347CDD81477F}" = protocol=17 | dir=in | app=c:\program files\lexmark 6500 series\lxdfamon.exe |
"{45A74E42-1D05-4E24-AC80-12FEE9B9272D}" = protocol=17 | dir=in | app=c:\program files\lexmark\networktwain\lmzzz_32__bc.dll |
"{49919916-2E75-4A1B-A12D-C0B02B5155AD}" = protocol=6 | dir=in | app=c:\program files\lexmark\psu\lmpsu.exe |
"{509DD2D9-6892-4EEE-9B6F-885B867AACAA}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe |
"{520BDFEB-9C0F-44A1-BE41-B869A1FD9B88}" = protocol=6 | dir=in | app=c:\program files\lexmark\networktwain\lmzzz_32__bc.dll |
"{577127DA-6C05-4C6B-8114-FABDAEB9237B}" = protocol=6 | dir=in | app=c:\program files\lexmark pro710 series\lmadimon.exe |
"{577D8142-2C28-4698-B875-DBB5AD4300C5}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{67368528-39B4-4A91-B5C9-FD01940B0BC2}" = protocol=17 | dir=in | app=c:\program files\lexmark 6500 series\lxdffax.exe |
"{690D656D-B83A-473C-8CCC-1304A7652C5C}" = protocol=6 | dir=in | app=c:\program files\lexmark\networktwain\lmzzz_32serv.dll |
"{6A7803E5-4B62-494A-932A-5C4273DAF7AC}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{6FFD73E5-A029-4EC2-AD3C-B7A38BF62F27}" = protocol=1 | dir=out | [email protected],-28544 |
"{7AB1FAE7-8B87-437C-B0A9-5A8374EBF777}" = protocol=17 | dir=in | app=c:\program files\lexmark 6500 series\lxdfmon.exe |
"{84A6B385-7143-42FC-8CE0-893372F40F71}" = protocol=58 | dir=in | [email protected],-28545 |
"{8B11D1FF-7EF6-4BCE-AC05-438F335F9DFC}" = protocol=17 | dir=in | app=c:\program files\lexmark pro710 series\lmadimon.exe |
"{9DF9341D-90B0-4166-BC74-2694B094A5FF}" = protocol=17 | dir=in | app=c:\windows\twain_32\lexmark\networktwain\lexnetworkds.ds |
"{9F711964-2E83-4C6B-92EB-DDFA7262E8FC}" = protocol=17 | dir=in | app=c:\program files\lexmark pro710 series\lmadilscn.exe |
"{A0FA1305-C834-4570-815A-7C929B8E3837}" = protocol=17 | dir=in | app=c:\program files\lexmark 6500 series\frun.exe |
"{A2608910-52B6-4DB3-AEBF-BC20C68B97CE}" = protocol=17 | dir=in | app=c:\windows\system32\lxdfcoms.exe |
"{A2FA9C88-B3FF-4874-A1C6-94EE083F5348}" = protocol=17 | dir=in | app=c:\program files\abbyy finereader 6.0 sprint\scan\scanman6.exe |
"{A4DBE28E-0F3F-4677-9B5F-5AB29AC1F59C}" = protocol=6 | dir=in | app=c:\program files\lexmark 6500 series\lxdffax.exe |
"{A5C0E5DF-6FF0-48A4-9E74-0FB4F620F8D6}" = protocol=6 | dir=in | app=c:\program files\lexmark 6500 series\frun.exe |
"{AA21B955-BD73-4644-A54C-E8B39502B117}" = protocol=17 | dir=in | app=c:\program files\lexmark\wirelesssetup\lmwpss.exe |
"{AEC6E3BE-CF56-449B-8A1F-6C938C819838}" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxdfjswx.exe |
"{B0C1420B-D56E-4F0C-85C9-0411423EFF38}" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\w32x86\3\lxdftime.exe |
"{BE12B337-9137-4D1A-84C3-C2A57E8E31D4}" = protocol=6 | dir=in | app=c:\program files\lexmark pro710 series\lmadilscn.exe |
"{BE295BAC-23B6-4EC8-BF6F-37356E97FE98}" = protocol=6 | dir=in | app=c:\program files\abbyy finereader 6.0 sprint\scan\scanman6.exe |
"{C24CBE1E-8C44-42EC-BF24-886868853584}" = protocol=6 | dir=in | app=c:\program files\lexmark 6500 series\lxdfmon.exe |
"{C24CD31C-B8EA-439B-86F6-E5592D0AE2DB}" = protocol=6 | dir=in | app=c:\program files\lexmark 6500 series\lxdfamon.exe |
"{CE397E70-5250-4EB9-838A-0516FC90DA93}" = protocol=6 | dir=in | app=c:\windows\system32\lxdfcoms.exe |
"{D104F9CD-BA95-4726-BA42-F629C9157E47}" = protocol=6 | dir=in | app=c:\program files\lexmark\wirelesssetup\lmwpss.exe |
"{D4A59D00-6092-4412-801E-DF8C63791EEA}" = protocol=17 | dir=in | app=c:\program files\lexmark pro710 series\lmabscw.dll |
"{D5D2C593-7C37-4852-8635-C9460666493D}" = protocol=1 | dir=in | [email protected],-28543 |
"{DC4925AB-EBB3-430F-8254-8A6EE825F1C9}" = protocol=6 | dir=in | app=c:\windows\twain_32\lexmark\networktwain\lexnetworkds.ds |
"{E1F4796D-E780-4397-A313-846DC61451D0}" = protocol=17 | dir=in | app=c:\program files\lexmark\networktwain\lextwprotocol.dll |
"{EDEFE32C-5FA7-4DAD-94B8-7B5B131A56FD}" = protocol=6 | dir=in | app=c:\program files\lexmark\networktwain\lextwprotocol.dll |
"{FC5DA010-742D-4C0A-B24C-D36AD08170E4}" = protocol=17 | dir=in | app=c:\program files\lexmark\networktwain\lmzzz_32serv.dll |
"TCP Query User{0D7A71CA-8A9E-48F0-8F93-892537A49B70}C:\program files\lexmark 6500 series\lxdfmon.exe" = protocol=6 | dir=in | app=c:\program files\lexmark 6500 series\lxdfmon.exe |
"TCP Query User{16A40DBD-722D-4635-AE0E-58DDA4F435AA}C:\program files\lexmark pro710 series\lmadimon.exe" = protocol=6 | dir=in | app=c:\program files\lexmark pro710 series\lmadimon.exe |
"TCP Query User{1EAFEEBE-38C8-471E-915F-E9EC610479AB}C:\windows\system32\lxdfcoms.exe" = protocol=6 | dir=in | app=c:\windows\system32\lxdfcoms.exe |
"TCP Query User{F9DB4E3E-AA91-45A3-8795-5FD2767886DA}C:\kav\kav7\setup.exe" = protocol=6 | dir=in | app=c:\kav\kav7\setup.exe |
"UDP Query User{1280E033-09EA-4E84-BE96-18E186625F54}C:\program files\lexmark 6500 series\lxdfmon.exe" = protocol=17 | dir=in | app=c:\program files\lexmark 6500 series\lxdfmon.exe |
"UDP Query User{157C5482-8175-47F3-992A-C849ED8DA219}C:\program files\lexmark pro710 series\lmadimon.exe" = protocol=17 | dir=in | app=c:\program files\lexmark pro710 series\lmadimon.exe |
"UDP Query User{19E4C820-9C74-405E-8AAB-0F06C7589BA6}C:\windows\system32\lxdfcoms.exe" = protocol=17 | dir=in | app=c:\windows\system32\lxdfcoms.exe |
"UDP Query User{E8EC4CE2-8951-48FB-B05A-7802C676C73C}C:\kav\kav7\setup.exe" = protocol=17 | dir=in | app=c:\kav\kav7\setup.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Suite
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 5.0
"{44C05309-60F4-410B-BC32-31733CFF1A41}" = Microsoft Digital Image Starter Edition 2006 Editor
"{4FE542EB-FF0B-4739-94DD-25C8AE0AB251}" = Microsoft Digital Image Starter Edition 2006 Library
"{66F1F013-008F-4875-B283-5A814B820347}" = Kaspersky Anti-Virus 2011
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003
"{936B9029-265A-45CB-88DA-B00EAB4DD14C}" = File Association Helper
"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker
"{A040AC77-C1AA-4CC9-8931-9F648AF178F6}" = VC 9.0 Runtime
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.9)
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240E0}" = WinZip 18.0
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7 ESD
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics DiskDefrag
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{F9000000-0018-0000-0000-074957833700}" = ABBYY FineReader 9.0 Sprint
"ABBYY FineReader 9.0 Sprint" = ABBYY FineReader 9.0 Sprint
"Adobe Flash Player ActiveX" = Adobe Flash Player 12 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 12 Plugin
"FLV Player" = FLV Player 2.0 (build 25)
"InstallWIX_{66F1F013-008F-4875-B283-5A814B820347}" = Kaspersky Anti-Virus 2011
"Lexmark Pro710 Series" = Lexmark Pro710 Series Uninstaller
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox 27.0 (x86 en-US)" = Mozilla Firefox 27.0 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"PictureItSuiteTrial_v12" = Microsoft Digital Image Starter Edition 2006
"Speccy" = Speccy
"SpywareBlaster_is1" = SpywareBlaster 5.0
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Yahoo! Messenger" = Yahoo! Messenger
"YTdetect" = Yahoo! Detect

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 2/10/2014 6:23:22 PM | Computer Name = Owner-PC | Source = Windows Search Service | ID = 3013
Description = The entry <C:\USERS\OWNER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START
MENU\PROGRAMS\CYBERLINK DVD SUITE\POWERDVD\CYBERLINK POWERDVD.LNK> in the hash map
cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached
to the system is not functioning. (0x8007001f)

Error - 2/10/2014 6:23:22 PM | Computer Name = Owner-PC | Source = Windows Search Service | ID = 3013
Description = The entry <C:\USERS\OWNER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START
MENU\PROGRAMS\CYBERLINK DVD SUITE\POWERDVD\CYBERLINK POWERDVD.LNK> in the hash map
cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached
to the system is not functioning. (0x8007001f)

Error - 2/10/2014 6:23:22 PM | Computer Name = Owner-PC | Source = Windows Search Service | ID = 3013
Description = The entry <C:\USERS\OWNER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START
MENU\PROGRAMS\CYBERLINK DVD SUITE\POWERDVD\POWERDVD HELP FILE.LNK> in the hash map
cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached
to the system is not functioning. (0x8007001f)

Error - 2/10/2014 6:23:22 PM | Computer Name = Owner-PC | Source = Windows Search Service | ID = 3013
Description = The entry <C:\USERS\OWNER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START
MENU\PROGRAMS\CYBERLINK DVD SUITE\POWERDVD\POWERDVD HELP FILE.LNK> in the hash map
cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached
to the system is not functioning. (0x8007001f)

Error - 2/10/2014 6:23:23 PM | Computer Name = Owner-PC | Source = Windows Search Service | ID = 3013
Description = The entry <C:\USERS\OWNER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START
MENU\PROGRAMS\CYBERLINK DVD SUITE\POWERDVD\ONLINE REGISTRATION.LNK> in the hash
map cannot be updated. Context: Application, SystemIndex Catalog Details: A device
attached to the system is not functioning. (0x8007001f)

Error - 2/10/2014 6:23:23 PM | Computer Name = Owner-PC | Source = Windows Search Service | ID = 3013
Description = The entry <C:\USERS\OWNER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START
MENU\PROGRAMS\CYBERLINK DVD SUITE\POWERDVD\ONLINE REGISTRATION.LNK> in the hash
map cannot be updated. Context: Application, SystemIndex Catalog Details: A device
attached to the system is not functioning. (0x8007001f)

Error - 2/10/2014 6:23:23 PM | Computer Name = Owner-PC | Source = Windows Search Service | ID = 3013
Description = The entry <C:\USERS\OWNER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START
MENU\PROGRAMS\CYBERLINK DVD SUITE\POWERDVD\READ ME.LNK> in the hash map cannot be
updated. Context: Application, SystemIndex Catalog Details: A device attached to
the system is not functioning. (0x8007001f)

Error - 2/10/2014 6:23:23 PM | Computer Name = Owner-PC | Source = Windows Search Service | ID = 3013
Description = The entry <C:\USERS\OWNER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START
MENU\PROGRAMS\CYBERLINK DVD SUITE\POWERDVD\READ ME.LNK> in the hash map cannot be
updated. Context: Application, SystemIndex Catalog Details: A device attached to
the system is not functioning. (0x8007001f)

Error - 2/10/2014 6:23:24 PM | Computer Name = Owner-PC | Source = Windows Search Service | ID = 3013
Description = The entry <C:\USERS\OWNER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START
MENU\PROGRAMS\CYBERLINK DVD SUITE\POWERDVD\UNINSTALL POWERDVD.LNK> in the hash map
cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached
to the system is not functioning. (0x8007001f)

Error - 2/10/2014 6:23:24 PM | Computer Name = Owner-PC | Source = Windows Search Service | ID = 3013
Description = The entry <C:\USERS\OWNER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START
MENU\PROGRAMS\CYBERLINK DVD SUITE\POWERDVD\UNINSTALL POWERDVD.LNK> in the hash map
cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached
to the system is not functioning. (0x8007001f)

[ System Events ]
Error - 9/3/2008 10:51:28 PM | Computer Name = Owner-PC | Source = ACPI | ID = 327686
Description = IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot
4, function 0. Please contact your system vendor for technical assistance.

Error - 9/3/2008 10:51:28 PM | Computer Name = Owner-PC | Source = ACPI | ID = 327686
Description = IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot
5, function 0. Please contact your system vendor for technical assistance.

Error - 9/3/2008 10:53:08 PM | Computer Name = Owner-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 9/3/2008 11:05:30 PM | Computer Name = Owner-PC | Source = Service Control Manager | ID = 7043
Description =

Error - 9/3/2008 11:06:13 PM | Computer Name = Owner-PC | Source = ACPI | ID = 327686
Description = IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot
4, function 0. Please contact your system vendor for technical assistance.

Error - 9/3/2008 11:06:13 PM | Computer Name = Owner-PC | Source = ACPI | ID = 327686
Description = IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot
5, function 0. Please contact your system vendor for technical assistance.

Error - 9/3/2008 11:07:30 PM | Computer Name = Owner-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 9/3/2008 11:11:53 PM | Computer Name = Owner-PC | Source = Service Control Manager | ID = 7043
Description =

Error - 9/3/2008 11:12:28 PM | Computer Name = Owner-PC | Source = ACPI | ID = 327686
Description = IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot
4, function 0. Please contact your system vendor for technical assistance.

Error - 9/3/2008 11:12:28 PM | Computer Name = Owner-PC | Source = ACPI | ID = 327686
Description = IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot
5, function 0. Please contact your system vendor for technical assistance.


< End of report >
  • 0

#2
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,886 posts
Hello and welcome to Geeks to Go! My nickname is Pystryker :) , and I will be helping you with your issue today.

Please note: I am currently in training and all my fixes must be approved by my teacher before being posted. This gives you the advantage of having two people working to solve your problems.

Before we get started, I have a few things I need to go over with you:

  • Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process.
  • Please subscribe to this topic. By subscribing, the board will notify you when a new reply is added to your topic. You can find instructions on how to do that by clicking here.
  • If any of your security programs give you a warning about any tool I ask you to use, please do not worry. All the links and tools I provide to you will be safe.

  • Please read through my instructions carefully and completely before executing them.
  • Please make sure that all the programs I ask you to download are downloaded to and run from your Desktop.
  • Please make sure you print out these instructions so that you will be able to refer to them while working on your machine. Part of the solution(s) to your problem may involve us working in Safe Mode and you will need them to go by.
  • Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.
  • Please read through my instructions carefully and make sure you complete them from start to finish. I will make sure that I lay the instructions out in a step by step order to make them easy to follow.
  • This is a complicated process. It requires several steps, patience, and careful following of my instructions in the order they are given to diagnose your problems to get your machine back in working order.
  • Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. I promise to do the same for you.
  • Please make sure you reply within 3 days to my responses, if there is no reply within 3 days, the topic will be closed and you will need to request the topic be reopened.
  • Before we get started, please remember we will do our best to get your machine repaired. However, there are some cases where the only solution is a reformat and reinstall of the operating system. This is a worst case scenario though.
  • It is impossible for me to know what interactions may happen between your computer's software and the tools we will use to clean your machine. Therefore, I highly recommend you backup any critical personal files on your machine before we start.
  • If possible, please have your original Windows installation disks handy, just in case.
  • If you have any questions at all, please don't hesitate to ask. There's no such thing as a stupid question when dealing with malware.
  • If you are unsure of an instruction I give you, or if something unexpected occurs, Do NOT proceed! Stop and ask for clarification of the instruction or tell me what occurred.
  • Please copy and paste the contents of any requested logs in your replies. Do not attach the log files in your replies unless requested to do so.
  • Please remember, the fixes are for your machine and your machine ONLY!



Once we have cleaned your machine, we'll have some cleanup and prevention steps to go through. We will also provide you with some information about how to reduce your chances of infection and get some protections in place to help defend you against this in the future.

Please be patient while I am analyzing your logs. I know you are probably scared and very frustrated with this problem, but I am a volunteer and sometimes life does get in the way. :)

Now, let's get started, shall we? :thumbsup:


I'm currently reviewing your logs and will post a fix once my instructor approves it. :) :thumbsup:
  • 0

#3
mango_nj

mango_nj

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 206 posts
Hi Pystryker!

Thank you for the help. Ready when you are!
  • 0

#4
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,886 posts

Hi Pystryker!

Thank you for the help. Ready when you are!


You're very much welcome. :) Let's run a scan with SystemLook and find all the instances of those files. :thumbsup:


Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Right-click on SystemLook.exe and select Run as Administrator to start it.
  • Copy the content of the following quote box (do not copy the word quote) into the main text field:

:filefind
*resetdns*

:folderfind
*looksafeutility*

:Regfind
resetdns
looksafeutility



  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.


Note:
The log can also be found on your desktop entitled SystemLook.txt


Please let the scan run till completion. It can take some time as it will be searching the Registry.

Things I need to see in your next post:

SystemLook Log

  • 0

#5
mango_nj

mango_nj

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 206 posts
Hi Py!

Very odd that SystemLook says these folders are not found on my PC. Please see attached pic. I did not open it, just highlighted so you could see it. Appears to be a [space] between the words safe and utility. Maybe that is why it wasn't found.

here you go...




SystemLook 30.07.11 by jpshortstuff
Log created at 17:01 on 11/02/2014 by Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "*resetdns*"
No files found.

========== folderfind ==========

Searching for "*looksafeutility*"
No folders found.

========== Regfind ==========

Searching for "resetdns"
No data found.

Searching for "looksafeutility"
No data found.

-= EOF =-

Attached Thumbnails

  • ProgramFolder.jpg

Edited by mango_nj, 11 February 2014 - 08:39 PM.

  • 0

#6
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,886 posts
That's probably the reason why. Let's run it again, but let's use this search string this time and see if it picks it up.

Follow the instructions as before, but copy the contents of this quote box this time:

:filefind
*resetdns*

:folderfind
*looksafe utility*

:Regfind
resetdns
looksafe utility



Seeing that folder may be enough to get rid of it, but I'd like to see if there's anything lurking around the registry as well. :)
  • 0

#7
mango_nj

mango_nj

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 206 posts
Here you go :P





SystemLook 30.07.11 by jpshortstuff
Log created at 02:18 on 12/02/2014 by Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "*resetdns*"
No files found.

========== folderfind ==========

Searching for "*looksafe utility*"
C:\Program Files\LookSafe Utility d------ [03:57 30/09/2013]

========== Regfind ==========

Searching for "resetdns"
No data found.

Searching for "looksafe utility"
No data found.

-= EOF =-
  • 0

#8
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,886 posts
Ok, good :) Let's show that folder to the door.

Please disable your antivirus for the duration of my instructions. Don't forget to re-enable them after you have completed the steps.


Step 1: OTL Fix

Let's run an OTL fix:

Warning: This fix is to be used on this system and this system ONLY. Using this fix on any other machine other than yours can seriously damage it.

Be advised that when the fix commences, it will shut down all running processes and you may lose the desktop and icons, they will return on reboot.

Run OTL by double clicking it (Windows Vista, Windows 7, and 8: right click and select "Run as Administrator")

  • Copy the text in the quote box below (do not copy the word "quote") and paste it in the box marked Custom Scans/Fixes as shown in the graphic below.

Posted Image

:Commands
[createrestorepoint]

:OTL
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O16 - DPF: {CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O37 - HKCU\...com [@ = ComFile] -- Reg Error: Key error. File not found
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found
@Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:5C321E34

:Files
C:\Program Files\LookSafe Utility

:Commands
[resethosts]
[emptytemp]



  • Click the Run Fix button at the top of the OTL control panel.
  • Let the program run until it's finished and then reboot the computer.
  • Once your machine has rebooted, a log will open. Please post that log in your next reply.

If you have any problems, questions, or need further explanation, please post a message in this thread and I will get back to you asap.


Step 2: Scan with Malwarebytes Anti-Malware


  • Please open the program.
  • Click on the Update tab then click Check for Updates

    Posted Image
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, check the following settings:
    • On the Settings tab, Scanner Settings, leave the default boxes checked but change the drop-down boxes to Show in results list and check for removal.

    Posted Image
  • On the Scanner tab, check Perform quick scan.

    Posted Image
  • When the scan is complete, click OK, then Show Results to view the results.

    Posted Image
  • Make sure that everything is checked, and click Remove Selected.

    Posted Image
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.


Step 3: Scan with ESET Online Scanner


Please note: You can use Internet Explorer or Firefox for this step.

If you use Firefox, you will be prompted to download esetsmartinstaller_enu.exe. Please do so, then double click it to install it.

Please click on this link and then click the ESET Online Scanner bar ---->Posted Image

  • Select the option YES, I accept the Terms of Use then click on Start
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
  • Now click on Start
  • The virus signature database will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • Now click on Finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.


Things I need to see in your next post:

OTL Fix Log

Malwarebytes Anti-Malware Log

ESET Scanner Log

  • 0
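The OTL fix above deletes the per-user .exe and .com entries under HKCU\Software\Classes (the ones the scan reported as "Reg Error: Key error. File not found") and re-points the HKLM entries at exefile and comfile. As an added example, not part of the thread's instructions or of OTL, here is a PowerShell audit that shows, for each executable extension, whether such a per-user override exists and what command it actually resolves to; the extension list and the stock commands are my assumptions (standard Windows defaults), and it should be run as the affected user account since HKCU is per-user.

```powershell
# Added example, not part of the thread or of OTL: audit per-user file-type
# association overrides. HKEY_CLASSES_ROOT merges HKCU\Software\Classes over
# HKLM\Software\Classes, so a per-user ProgID decides what runs when this user
# opens a file with that extension. A ProgID that points nowhere (the state the
# OTL log reported) breaks launching; one that points at a different command is
# a classic hijack and deserves a close look. Extension list and stock commands
# below are assumptions based on the standard Windows defaults.

$AuditExtensions = @('.exe', '.com', '.bat', '.cmd', '.pif', '.scr')

# Stock "open" commands for the built-in ProgIDs (assumed defaults).
$ExpectedCommand = @{
    '.exe' = '"%1" %*'
    '.com' = '"%1" %*'
    '.bat' = '"%1" %*'
    '.cmd' = '"%1" %*'
    '.pif' = '"%1" %*'
    '.scr' = '"%1" /S'
}

function Get-DefaultValue {
    # Returns the (Default) value of a registry key, or $null if key or value is absent.
    param([string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    $item = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'(default)'
}

function Get-ProgId {
    # ProgID that a hive maps an extension to, e.g. ".exe" -> "exefile".
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive, [string]$Extension)
    return Get-DefaultValue -KeyPath "${Hive}:\Software\Classes\$Extension"
}

function Get-OpenCommand {
    # Command line registered under <ProgID>\shell\open\command in the given hive.
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive, [string]$ProgId)
    if ([string]::IsNullOrEmpty($ProgId)) { return $null }
    return Get-DefaultValue -KeyPath "${Hive}:\Software\Classes\$ProgId\shell\open\command"
}

function Get-AssociationAudit {
    param([string[]]$Extensions = $AuditExtensions)
    foreach ($ext in $Extensions) {
        $userProgId    = Get-ProgId -Hive 'HKCU' -Extension $ext
        $machineProgId = Get-ProgId -Hive 'HKLM' -Extension $ext
        $machineCmd    = Get-OpenCommand -Hive 'HKLM' -ProgId $machineProgId

        if ($userProgId) {
            # A per-user ProgID wins; its command may live in either hive.
            $userCmd = Get-OpenCommand -Hive 'HKCU' -ProgId $userProgId
            if (-not $userCmd) { $userCmd = Get-OpenCommand -Hive 'HKLM' -ProgId $userProgId }
            $effective = $userCmd
            if (-not $userCmd) {
                # The condition the OTL scan flagged: an override pointing nowhere.
                $status = 'BROKEN per-user override (ProgID has no open command)'
            } elseif ($userCmd -ne $machineCmd) {
                $status = 'SUSPECT per-user override (command differs from HKLM)'
            } else {
                $status = 'Per-user override, same command as HKLM'
            }
        } elseif ($machineCmd) {
            $effective = $machineCmd
            $status = 'Machine default'
        } else {
            $effective = $null
            $status = 'No open command in either hive'
        }

        if ($ExpectedCommand.ContainsKey($ext) -and $effective -and ($effective -ne $ExpectedCommand[$ext])) {
            $status += "; not the stock command $($ExpectedCommand[$ext])"
        }

        [pscustomobject]@{
            Extension        = $ext
            HKCU_ProgId      = $userProgId
            HKLM_ProgId      = $machineProgId
            EffectiveCommand = $effective
            Status           = $status
        }
    }
}

Get-AssociationAudit | Format-Table -AutoSize -Wrap
```

Anything reported as BROKEN or SUSPECT is worth keeping in the notes for the helper, since a clean Malwarebytes or antivirus scan does not check these keys.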

#9
mango_nj

mango_nj

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 206 posts
Good morning!!!

Everything is done, but the Eset scan. I tried both IE and Firefox and the link is not working. Firefox says not redirecting properly and IE says webpage cannot be displayed. Can I get another link please?

Edited by mango_nj, 13 February 2014 - 04:08 AM.

  • 0

#10
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,886 posts

Good morning!!!

Everything is done, but the Eset scan. I tried both IE and Firefox and the link is not working. Firefox says not redirecting properly and IE says webpage cannot be displayed. Can I get another link please?


Good morning to you :)

Try this link: ESET Online Scanner

Those links tend to change on their server and that happens sometimes. :thumbsup:
  • 0

#11
mango_nj

mango_nj

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 206 posts
Hi Rusty!

Link worked good. Eset took 7 hrs to finish the scan and found zip. Nothing in the log, but I posted it. I did forget to disable KAV before the OTL fix and couldn't stop the program. Everything seemed to work fine though. Let me know if there was a problem :wacko:




All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\internet\ deleted successfully.
Starting removal of ActiveX control {CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\Software\Classes\.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Classes\ComFile\ not found.
HKEY_LOCAL_MACHINE\Software\Classes\.com\\|comfile /E : value set successfully!
Registry key HKEY_CURRENT_USER\Software\Classes\.exe\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Classes\exefile\ not found.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
ADS C:\ProgramData\TEMP:5C321E34 deleted successfully.
========== FILES ==========
C:\Program Files\LookSafe Utility folder moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Owner
->Temp folder emptied: 3451968 bytes
->Temporary Internet Files folder emptied: 33351 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 408000175 bytes
->Flash cache emptied: 2565 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 49632 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 392.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 02132014_011241

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...



---------------------------------------------------

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.02.13.02

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Owner :: OWNER-PC [administrator]

Protection: Enabled

2/13/2014 1:30:40 AM
mbam-log-2014-02-13 (01-30-40).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 221859
Time elapsed: 16 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


-------------------------------------------


This was the only thing in the ESET log; unsure why.
C:\Program Files\ESET\EsetOnlineScanner\log.txt

[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK.
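An added re-check script, not part of this thread and not from OTL, ESET or Malwarebytes: the OTL fix log above reset the HOSTS file, removed the per-user `.exe`/`.com` handler keys under HKCU, restored the HKLM defaults to `exefile`/`comfile` and deleted an alternate data stream on `C:\ProgramData\TEMP`, and the original worry in this thread was that the DNS change would "revert". The script re-audits those items plus the DNS servers configured on each adapter. It is written in Windows PowerShell 2.0 syntax (WMI instead of the newer `Get-DnsClient*` cmdlets) so it runs on a Vista machine like this one. The two addresses in `$ExpectedDns` are placeholders I made up (RFC 5737 documentation range); put in the servers your provider gave you.

```powershell
# Added example, not from the thread or from OTL/ESET/Malwarebytes.
# Re-checks what the OTL fix touched (DNS, HOSTS, .exe/.com handlers, ADS) so a
# DNS hijack that silently reverts is noticed. Windows PowerShell 2.0 syntax
# (Vista-era), hence WMI instead of the newer Get-DnsClient* cmdlets.
# Run from an elevated PowerShell prompt.

# ASSUMPTION: replace these RFC 5737 placeholder addresses with the DNS servers
# your provider told you to use. An empty list reports every server it finds.
$ExpectedDns = @('192.0.2.53', '192.0.2.54')
$Findings = @()

# 1. DNS servers on every IP-enabled adapter
foreach ($cfg in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    foreach ($server in @($cfg.DNSServerSearchOrder)) {
        if ($server -and ($ExpectedDns -notcontains $server)) {
            $Findings += "DNS: adapter '$($cfg.Description)' uses $server"
        }
    }
}

# 2. HOSTS file: Vista ships with only comments plus the two localhost lines,
#    so any other mapping is worth a look (hijackers use it to pin domains).
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($raw in Get-Content $hostsPath) {
    $line = $raw.Trim()
    if ($line -eq '' -or $line.StartsWith('#')) { continue }
    $parts = $line -split '\s+'
    $isLoopback = ($parts[0] -eq '127.0.0.1' -or $parts[0] -eq '::1') -and ($parts[1] -eq 'localhost')
    if (-not $isLoopback) { $Findings += "HOSTS: $line" }
}

# 3. Handler keys for .exe/.com. HKCU\Software\Classes overrides HKLM for the
#    current user, which is why OTL deleted the HKCU copies; their reappearance,
#    or an HKLM default other than exefile/comfile, means something rewrote them.
$expectedHandler = @{ '.exe' = 'exefile'; '.com' = 'comfile' }
foreach ($ext in $expectedHandler.Keys) {
    if (Test-Path "HKCU:\Software\Classes\$ext") {
        $Findings += "Registry: HKCU\Software\Classes\$ext is present again"
    }
    $default = (Get-ItemProperty "HKLM:\Software\Classes\$ext").'(default)'
    if ($default -ne $expectedHandler[$ext]) {
        $Findings += "Registry: HKLM\Software\Classes\$ext default is '$default'"
    }
}

# 4. Named alternate data streams under ProgramData (OTL removed TEMP:5C321E34).
#    'dir /r' lists named streams; the unnamed ::$DATA stream is not shown.
foreach ($entry in (& cmd.exe /c dir /r $env:ProgramData)) {
    if ($entry -match ':\$DATA\s*$') { $Findings += "ADS: $($entry.Trim())" }
}

if ($Findings.Count -eq 0) { 'No findings.' } else { $Findings }
```

A hit on check 3 is not automatically malware (some installers legitimately write under HKCU\Software\Classes), but in a machine that was just cleaned it is exactly the kind of change that deserves a second look before the DNS servers are re-verified by the provider.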

#12 pystryker (Trusted Helper, Malware Removal, 3,886 posts)

Hi Rusty!

The link worked well. ESET took 7 hrs to finish the scan and found zip. Nothing in the log, but I posted it. I did forget to disable KAV before the OTL fix and couldn't stop the program. Everything seemed to work fine though. Let me know if there was a problem :wacko:


Hello :)

ESET certainly can take a long time; I had a user the other day for whom it took 17 hours to finish the scan. Everything looks good and clean, and I'll have a couple more steps I have to get approved before we're finished. But things look excellent! :)

#13 pystryker (Trusted Helper, Malware Removal, 3,886 posts)
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Things I need to see in your next post:

SecurityCheck Log


#14 mango_nj (Member, Topic Starter, 206 posts)
I'm so glad everything looks good!
You did a great job...thank you!!!!

Here you go.....




Results of screen317's Security Check version 0.99.79
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Kaspersky Anti-Virus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
SpywareBlaster 5.0
Malwarebytes Anti-Malware version 1.75.0.1300
Adobe Flash Player 12.0.0.44
Adobe Reader 10.1.9 Adobe Reader out of Date!
Mozilla Firefox (27.0)
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Kaspersky Lab Kaspersky Anti-Virus 2011 avp.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````

#15 pystryker (Trusted Helper, Malware Removal, 3,886 posts)
Ok, only one program that's going to need updating. But, don't leave me just yet, we have a few steps to clean up my tools, and then I have some information for you. :)