Seeking help to complete cleanup - Browsers report virus in *every* do

This topic is locked.

#1 smithm55
Member, 37 posts
I'm trying to clean a friend's PC. Malwarebytes found several files to remove. However, some remnants still remain. The main symptom is the inability to download files using IE or Chrome. Every file gets reported as containing a virus. I've run several additional tools, including ComboFix and RogueKiller. Following is the OTL log. I'd truly appreciate help getting this machine clean! Thanks in advance for any advice!

Matt Smith

OTL log follows:



OTL logfile created on: 6/13/2013 8:47:55 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 	Folder = C:\Users\barb\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1.99 Gb Total Physical Memory | 1.02 Gb Available Physical Memory | 51.11% Memory free
4.21 Gb Paging File | 3.27 Gb Available in Paging File | 77.72% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 139.24 Gb Total Space | 85.28 Gb Free Space | 61.25% Space Free | Partition Type: NTFS
Drive D: | 9.77 Gb Total Space | 5.70 Gb Free Space | 58.39% Space Free | Partition Type: NTFS
Drive F: | 7.45 Gb Total Space | 1.37 Gb Free Space | 18.43% Space Free | Partition Type: FAT32
 
Computer Name: BARB-LAPTOP | User Name: barb | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013/06/14 00:44:16 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\barb\Desktop\OTL.exe
PRC - [2013/05/23 21:20:46 | 001,226,928 | ---- | M] (AVG Secure Search) -- C:\Program Files\AVG Secure Search\vprot.exe
PRC - [2013/05/23 21:20:46 | 001,015,984 | ---- | M] (AVG Secure Search) -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe
PRC - [2013/01/27 11:11:46 | 000,020,456 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2013/01/27 11:11:06 | 000,947,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2012/11/25 09:40:47 | 000,042,504 | ---- | M] (COMPANYVERS_NAME) -- C:\Program Files\BibleTriviaTime_4l\bar\1.bin\4lbarsvc.exe
PRC - [2012/11/25 09:40:47 | 000,030,096 | ---- | M] (VER_COMPANY_NAME) -- C:\Program Files\BibleTriviaTime_4l\bar\1.bin\4lbrmon.exe
PRC - [2012/05/04 15:43:20 | 001,561,768 | ---- | M] (Ask) -- C:\Program Files\Ask.com\Updater\Updater.exe
PRC - [2011/10/11 13:49:14 | 001,179,648 | ---- | M] (W3i, LLC) -- C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe
PRC - [2009/05/21 13:14:02 | 001,025,264 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\gs_agent\dsc.exe
PRC - [2009/05/21 13:13:58 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/08/14 02:04:44 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/05/08 02:52:24 | 000,442,433 | ---- | M] (IDT, Inc.) -- C:\Program Files\IDT\WDM\sttray.exe
PRC - [2008/05/08 02:52:22 | 000,221,239 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_1a0d9ac6\stacsv.exe
PRC - [2008/05/08 02:52:18 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_1a0d9ac6\AEstSrv.exe
PRC - [2008/03/13 20:21:56 | 001,207,376 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2008/02/26 11:57:28 | 000,128,296 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2007/05/09 17:01:00 | 000,036,864 | ---- | M] (Creative Technology Ltd.) -- C:\Windows\OEM02Mon.exe
PRC - [2007/02/12 14:38:04 | 000,355,096 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2007/02/12 14:37:58 | 000,174,872 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2013/05/23 21:20:47 | 000,158,384 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\15.2.0\SiteSafety.dll
MOD - [2013/02/17 04:37:46 | 011,820,544 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\421cb77e6a4c21f94e3c5ddf766de23b\System.Web.ni.dll
MOD - [2013/01/09 04:37:33 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\b5df40c22ab563a816103629e2ca99d4\System.Runtime.Remoting.ni.dll
MOD - [2013/01/09 04:36:37 | 005,450,240 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\42087edbcd2294b7c51d9f27f992d919\System.Xml.ni.dll
MOD - [2013/01/09 04:33:04 | 007,977,984 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\cc149d08e75f8c53cd28ac926b38c370\System.ni.dll
MOD - [2013/01/09 04:32:46 | 011,492,352 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\2227d1559f87943255069398608d5c56\mscorlib.ni.dll
MOD - [2008/05/19 02:25:24 | 000,054,784 | ---- | M] () -- C:\Windows\System32\bcmwlrmt.dll
 
 
========== Services (SafeList) ==========
 
SRV - [2013/06/12 17:54:40 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/05/23 21:20:46 | 001,015,984 | ---- | M] (AVG Secure Search) [Auto | Running] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe -- (vToolbarUpdater15.2.0)
SRV - [2013/01/27 11:11:46 | 000,295,232 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2013/01/27 11:11:46 | 000,020,456 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012/11/25 09:40:47 | 000,042,504 | ---- | M] (COMPANYVERS_NAME) [Auto | Running] -- C:\Program Files\BibleTriviaTime_4l\bar\1.bin\4lbarsvc.exe -- (BibleTriviaTime_4lService)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/09/23 15:13:42 | 000,111,896 | ---- | M] (PCTEL) [On_Demand | Stopped] -- C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe -- (SprintRcAppSvc)
SRV - [2008/09/23 15:13:32 | 000,124,184 | ---- | M] (PCTEL) [On_Demand | Stopped] -- C:\Program Files\Sprint\Sprint SmartView\ConAppsSvc.exe -- (CASprint)
SRV - [2008/08/14 02:04:44 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter)
SRV - [2008/07/02 05:11:08 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2008/05/08 02:52:22 | 000,221,239 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_1a0d9ac6\stacsv.exe -- (STacSV)
SRV - [2008/05/08 02:52:18 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_1a0d9ac6\AEstSrv.exe -- (AESTFilters)
SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/02/12 14:38:04 | 000,355,096 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | Auto | Stopped] -- C:\Program Files\Free Ride Games\X6XSEx.Sys -- (X6XSEx)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\BCM42RLY.sys -- (BCM42RLY)
DRV - [2013/05/23 21:20:47 | 000,037,664 | ---- | M] (AVG Technologies) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtpx86.sys -- (avgtp)
DRV - [2013/01/20 15:59:04 | 000,100,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2008/09/23 15:10:48 | 000,024,840 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\swmsflt.sys -- (swmsflt)
DRV - [2008/09/23 15:10:46 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PCASp50.sys -- (PCASp50)
DRV - [2008/09/23 15:10:42 | 000,222,720 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2008/09/23 15:10:42 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser2.sys -- (NWUSBPort2)
DRV - [2008/09/23 15:10:42 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser.sys -- (NWUSBPort)
DRV - [2008/09/23 15:10:42 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbmdm.sys -- (NWUSBModem)
DRV - [2008/09/23 15:10:42 | 000,020,480 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NwUsbCdFil.sys -- (NWUSBCDFIL)
DRV - [2008/09/23 15:10:32 | 000,038,680 | ---- | M] (PCTEL Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pctnullport.sys -- (Nmea)
DRV - [2008/09/23 15:08:26 | 000,032,408 | ---- | M] (PCTEL Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\PCTINDIS5.sys -- (PCTINDIS5)
DRV - [2008/05/08 02:52:26 | 000,379,904 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2008/03/24 02:03:12 | 000,042,496 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2008/03/24 02:03:12 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2008/03/24 02:03:10 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2008/01/20 22:23:25 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express)
DRV - [2007/10/10 17:03:00 | 000,235,648 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Dev.sys -- (OEM02Dev)
DRV - [2007/03/05 10:45:04 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Vfx.sys -- (OEM02Vfx)
DRV - [2006/11/02 03:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7DKUS
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook:  - No CLSID value found
IE - HKCU\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
IE - HKCU\..\URLSearchHook: {3d68e927-6002-6bb4-7940-c297f1177192} - SOFTWARE\Classes\CLSID\{3d68e927-6002-6bb4-7940-c297f1177192}\InprocServer32 File not found
IE - HKCU\..\URLSearchHook: {3f2ae504-aa17-4805-90e8-56e48f98731c} - No CLSID value found
IE - HKCU\..\URLSearchHook: {46a21652-3f93-437d-aac0-caa1f6713da0} - No CLSID value found
IE - HKCU\..\URLSearchHook: {9427041a-a8dc-4d06-9a68-93873486e957} - No CLSID value found
IE - HKCU\..\URLSearchHook: {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=E07860BA-1D4C-4514-ABB4-D39D6F050361&apn_sauid=B8C674CA-F7EB-4646-839C-6834390E4344
IE - HKCU\..\SearchScopes\{5E6317DC-9715-4C9A-87DE-8C22E39E8435}: "URL" = http://search.yahoo.com/search?p={searchterms}&ei=UTF-8&fr=w3i&type=W3i_DS,136,0_0,Search,20120102,0,0,0,0
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rlz=1I7DKUS_enUS316&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={F303E6EF-AD1D-4DB6-A211-F8DA0202A885}&mid=9f9f0690683647d1ad9cd168dd31bfc0-84c7cda9c9fbbb9941e75a751781bb0d30cb82e0&lang=en&ds=ins10&pr=&d=2012-01-03 11:54:47&v=14.2.0.1&pid=avg&sg=&sap=dsp&q={searchTerms}
IE - HKCU\..\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}: "URL" = http://toolbar.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80548&lng=en
IE - HKCU\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredimail.com/?search={searchTerms}&loc=search_box_im2_test_v2
IE - HKCU\..\SearchScopes\{D7D48F5B-C51C-465B-84EF-A810684CC035}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3008668
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
========== FireFox ==========
 
FF - HKLM\Software\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin: C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\15.2.0\\npsitesafety.dll ()
FF - HKLM\Software\MozillaPlugins\@BibleTriviaTime_4l.com/Plugin: C:\Program Files\BibleTriviaTime_4l\bar\1.bin\NP4lStub.dll (MindSpark)
FF - HKLM\Software\MozillaPlugins\@exent.com/npExentCtl,version=7.0.0.0: C:\Program Files\Free Ride Games\npExentCtl.dll File not found
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.21.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.21.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\MyWebSearch\bar\2.bin
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}: C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\ [2010/10/27 03:12:31 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@toolbar: C:\ProgramData\AVG Secure Search\FireFoxExt\15.2.0.5 [2013/05/23 21:20:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\4lffxtbr@BibleTriviaTime_4l.com: C:\Program Files\BibleTriviaTime_4l\bar\1.bin [2012/11/25 09:41:01 | 000,000,000 | ---D | M]
 
 
========== Chrome ==========
 
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR - homepage: http://www.google.com/
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.110\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.110\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.110\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll
CHR - plugin: MindSpark Toolbar Platform Plugin Stub (Enabled) = C:\Program Files\BibleTriviaTime_4l\bar\1.bin\NP4lStub.dll
CHR - plugin: AVG SiteSafety plugin (Enabled) = C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\14.0.1\\npsitesafety.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll
CHR - plugin: Java(TM) Platform SE 6 U38 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: McAfee Security Scanner + (Enabled) = C:\Program Files\McAfee Security Scan\3.0.313\npMcAfeeMss.dll
CHR - plugin: MindSpark Toolbar Platform Plugin Stub (Enabled) = C:\Program Files\MyScrapNook_12\bar\1.bin\NP12Stub.dll
CHR - plugin: My Web Search Plugin Stub (Enabled) = C:\Program Files\MyWebSearch\bar\2.bin\NPMyWebS.dll
CHR - plugin: Java Deployment Toolkit 6.0.380.5 (Enabled) = C:\Windows\system32\npdeployJava1.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
 
O1 HOSTS File: ([2013/06/13 06:13:00 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1   	localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {09df68da-2acf-4828-9320-6d999a0834a3} - No CLSID value found.
O2 - BHO: (AppGraffiti) - {6F6A5334-78E9-4D9B-8182-8B41EA8C39EF} - C:\PROGRA~1\APPGRA~1\APPGRA~1.DLL File not found
O2 - BHO: (Window Shopper) - {74F475FA-6C75-43BD-AAB9-ECDA6184F600} - C:\Program Files\Superfish\Window Shopper\SuperfishIEAddon.dll File not found
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Shopping4Causes Shopping Plugin) - {7C4155B9-EFE5-2364-45E9-6679A6060ED5} - C:\Program Files\Shopping4Causes Shopping Plugin\Toolbar.dll File not found
O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\15.2.0.5\AVG Secure Search_toolbar.dll (AVG Secure Search)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\15.2.0.5\AVG Secure Search_toolbar.dll (AVG Secure Search)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {9427041A-A8DC-4D06-9A68-93873486E957} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)
O4 - HKLM..\Run: [BibleTriviaTime_4l Browser Plugin Loader] C:\Program Files\BibleTriviaTime_4l\bar\1.bin\4lbrmon.exe (VER_COMPANY_NAME)
O4 - HKLM..\Run: [DELL Webcam Manager] C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [ECenter] C:\DELL\E-Center\EULALauncher.exe ( )
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [Know the Bible Search Scope Monitor] C:\Program Files\BibleTriviaTime_4l\bar\1.bin\4lSrchMn.exe (MindSpark)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [PCPowerSpeed] "C:\Program Files\PCPowerSpeed\PCPowerTray.exe" /startup File not found
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [Sprint SmartView] C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe (Sprint)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [vProt] C:\Program Files\AVG Secure Search\vprot.exe (AVG Secure Search)
O4 - HKCU..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKCU..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" File not found
O4 - HKCU..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe" /runonstartup File not found
O4 - HKCU..\Run: [InstallIQUpdater] C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe (W3i, LLC)
O4 - HKCU..\Run: [RebateInformer] C:\PROGRA~1\REBATE~1\REBATE~1.EXE /STARTUP File not found
O4 - Startup: C:\Users\barb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Event Reminder.lnk = C:\pmw\PMREMIND.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre7\bin\jp2iexp.dll ()
O9 - Extra Button: Window Shopper - {A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - C:\Program Files\Superfish\Window Shopper\SuperfishIEAddon.dll File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 10.21.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 71.3.0.116 76.2.127.122
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5E687446-3D3B-40A4-BDA2-CAA460DC45F5}: DhcpNameServer = 71.3.0.116 76.2.127.122
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F0D94617-72C4-4EA2-8239-7F3C065F5F79}: DhcpNameServer = 12.189.32.61
O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\15.2.0\ViProtocol.dll (AVG Secure Search)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll) - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/06/13 20:47:29 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\barb\Desktop\OTL.exe
[2013/06/13 19:55:54 | 000,000,000 | ---D | C] -- C:\Users\barb\Desktop\RK_Quarantine
[2013/06/13 06:13:08 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2013/06/13 06:09:46 | 000,000,000 | ---D | C] -- C:\Users\barb\AppData\Local\temp
[2013/06/13 05:53:09 | 000,000,000 | ---D | C] -- C:\ComboFix
[2013/06/12 22:27:03 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2013/06/12 22:17:37 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2013/06/12 22:17:37 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2013/06/12 22:17:37 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2013/06/12 22:16:17 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/06/12 22:15:56 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2013/06/12 21:44:56 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2013/06/12 18:07:01 | 000,000,000 | ---D | C] -- C:\Users\barb\AppData\Roaming\Malwarebytes
[2013/06/12 18:06:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/06/12 18:06:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013/06/12 18:06:50 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2013/06/12 18:06:50 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013/05/23 11:05:22 | 000,000,000 | ---D | C] -- C:\Users\barb\2013-05-23 Steven Phillip Harris, Jr
[2013/05/15 09:31:20 | 000,000,000 | ---D | C] -- C:\Users\barb\2013-05-15 Women's Ministry May 2013 A Day In God's Laundrymat
 
========== Files - Modified Within 30 Days ==========
 
[2013/06/14 00:44:16 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\barb\Desktop\OTL.exe
[2013/06/13 20:54:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/06/13 20:50:00 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013/06/13 20:45:56 | 000,000,878 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013/06/13 20:45:52 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013/06/13 20:45:52 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013/06/13 20:45:43 | 000,065,536 | ---- | M] () -- C:\Windows\System32\Ikeext.etl
[2013/06/13 20:45:30 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/06/13 20:45:27 | 2137,456,640 | -HS- | M] () -- C:\hiberfil.sys
[2013/06/13 06:13:00 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2013/06/13 05:47:38 | 000,295,832 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013/06/12 22:10:46 | 000,002,243 | ---- | M] () -- C:\Windows\epplauncher.mif
[2013/06/12 21:55:26 | 000,604,752 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/06/12 21:55:26 | 000,104,420 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/06/12 20:03:10 | 000,002,677 | ---- | M] () -- C:\Users\barb\Desktop\Microsoft Word.lnk
[2013/06/12 19:00:51 | 000,002,453 | ---- | M] () -- C:\Users\barb\Desktop\MICROSOFT EXCELL.lnk
[2013/06/12 19:00:33 | 000,002,473 | ---- | M] () -- C:\Users\barb\Desktop\MICROSOFT WORKS.lnk
[2013/06/12 18:06:53 | 000,000,908 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/06/05 17:01:08 | 000,002,421 | ---- | M] () -- C:\Users\barb\Desktop\MICROSOFT CALENDAR.lnk
[2013/06/05 14:15:40 | 000,001,973 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2013/06/04 08:46:04 | 000,002,585 | ---- | M] () -- C:\Users\barb\Desktop\Microsoft Excel.lnk
[2013/05/28 14:24:23 | 000,040,200 | ---- | M] () -- C:\Users\barb\AppData\Roaming\wklnhst.dat
[2013/05/23 21:20:47 | 000,037,664 | ---- | M] (AVG Technologies) -- C:\Windows\System32\drivers\avgtpx86.sys
[2013/05/20 12:34:40 | 000,000,680 | ---- | M] () -- C:\Users\barb\AppData\Local\d3d9caps.dat
[2013/05/15 03:07:17 | 000,000,197 | ---- | M] () -- C:\Windows\System32\MRT.INI
 
========== Files Created - No Company Name ==========
 
[2013/06/12 22:27:53 | 2137,456,640 | -HS- | C] () -- C:\hiberfil.sys
[2013/06/12 22:17:37 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013/06/12 22:17:37 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013/06/12 22:17:37 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013/06/12 22:17:37 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013/06/12 22:17:37 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2013/06/12 21:45:49 | 000,002,243 | ---- | C] () -- C:\Windows\epplauncher.mif
[2013/06/12 21:45:29 | 000,001,828 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2013/06/12 18:06:53 | 000,000,908 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/05/15 03:07:17 | 000,000,197 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2012/09/24 07:35:54 | 000,010,394 | ---- | C] () -- C:\Users\barb\image002.png
[2012/05/11 10:45:33 | 000,000,000 | ---- | C] () -- C:\Windows\MSREGUSR.INI
[2012/03/22 10:23:09 | 000,035,707 | ---- | C] () -- C:\Users\barb\Teacher App Bottle lables.pdf
[2012/01/03 12:51:27 | 000,000,064 | ---- | C] () -- C:\Windows\GPlrLanc.dat
[2010/07/20 10:20:55 | 000,037,440 | ---- | C] () -- C:\Users\barb\09Sample Follow-up Letters.rtf
[2010/03/17 15:48:57 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/02/07 16:20:13 | 000,000,680 | ---- | C] () -- C:\Users\barb\AppData\Local\d3d9caps.dat
[2009/02/11 11:35:51 | 000,024,064 | ---- | C] () -- C:\Users\barb\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/11 11:03:09 | 000,040,200 | ---- | C] () -- C:\Users\barb\AppData\Roaming\wklnhst.dat
 
========== ZeroAccess Check ==========
 
[2006/11/02 08:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 13:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 02:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 02:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== LOP Check ==========
 
[2010/05/20 14:19:21 | 000,000,000 | ---D | M] -- C:\Users\barb\AppData\Roaming\BabyPanda.AE596E2C895946753C836133BB20D7D0CC6BAC08.1
[2013/06/12 18:54:04 | 000,000,000 | ---D | M] -- C:\Users\barb\AppData\Roaming\Clip Art Collection
[2011/11/25 09:46:48 | 000,000,000 | ---D | M] -- C:\Users\barb\AppData\Roaming\com.w3i.plyt
[2012/01/03 13:53:33 | 000,000,000 | ---D | M] -- C:\Users\barb\AppData\Roaming\Exent Technologies
[2011/10/09 21:16:07 | 000,000,000 | ---D | M] -- C:\Users\barb\AppData\Roaming\PCPowerSpeed
[2009/02/11 12:24:47 | 000,000,000 | ---D | M] -- C:\Users\barb\AppData\Roaming\Template
 
========== Purity Check ==========
 
 

< End of report >



  • 0



#2
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hello smithm55 and welcome to my office here at G2G! :)

My nick is maliprog and I'll be your technical support on this issue. Before we start please read my notes carefully:

NOTES:
  • Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean.
  • Kindly follow my instructions in the order posted. Order is crucial in the cleaning process.
  • Please DO NOT run any scans or fixes on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste it to include the log in your reply.
  • You must reply within 3 days or your topic will be closed.

Step 1

Download OTL to your Desktop

  • Double click on the icon to run it (If running Vista or Windows 7, right click on it and select "Run as an Administrator"). Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan/Fixes box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    services.exe
    /md5stop
    %systemroot%\*. /mp /s
    dir C:\ /S /A:L /C
    CREATERESTOREPOINT
    
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them here for me.

Step 2

Download GMER from Here. Note the file's name and save it to your root folder, such as C:.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Step 3

Please don't forget to include these items in your reply:

  • OTL log
  • OTL Extras log
  • GMER log
It would be helpful if you could post each log in a separate post using the "Add Reply" button.
  • 0
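The logs in this thread follow OTL's fixed line formats (process, service and driver entries with a timestamp, size and company field; O4 Run and Startup entries; and entries OTL tags "File not found" or "No CLSID value found" when a registry reference points at something that has already been removed). The following Python script is an added example, not code from the thread, from OTL or from its author: it parses those line formats and sorts lines into the buckets a helper usually reviews first. The sample lines are constructed in the format of the logs above (the product and path names are made up), and the bucket names, the placeholder-company list and the "outside Program Files/Windows" heuristic are my own assumptions rather than OTL's logic.

```python
"""Triage of OTL log lines (added example; heuristics are assumptions)."""
import re
from typing import Dict, List, Optional

# Company fields that are unfilled version-resource templates, not a vendor name.
PLACEHOLDER_COMPANIES = {"VER_COMPANY_NAME", "COMPANYVERS_NAME", ""}

# Text OTL inserts when the referenced file or CLSID no longer exists.
ORPHAN_MARKERS = ("File not found", "No CLSID value found")

# "PRC/MOD/SRV/DRV - [stamp | size | attrs | M] (Company) [state] -- path -- (svc)"
FILE_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - \[[^\]]+\] \((?P<company>[^)]*)\)"
    r"(?: \[[^\]]*\])? -- (?P<path>.+?)(?: -- \((?P<svc>[^)]+)\))?$"
)
# "O4 - HKLM..\Run: [Name] command (Company)" autostart entries
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.+)$")
# "O4 - Startup: <shortcut>.lnk = target (Company)" entries
STARTUP_RE = re.compile(r"^O4 - Startup: .+\.lnk = (?P<rest>.+)$")


def is_orphan(line: str) -> bool:
    """True when OTL reports the referenced file or CLSID as missing."""
    return any(marker in line for marker in ORPHAN_MARKERS)


def _command_path(cmd: str) -> str:
    """Return the executable from a Run value, dropping quotes and /arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1 : cmd.index('"', 1)]
    return cmd.split(" /")[0].strip()


def parse_run_entry(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse an O4 Run/Startup line into name, path, company and orphan flag."""
    m = RUN_RE.match(line)
    name = m.group("name") if m else "Startup"
    if not m:
        m = STARTUP_RE.match(line)
        if not m:
            return None
    rest = m.group("rest")
    if is_orphan(line):
        idx = rest.rfind(" File not found")
        rest = rest[:idx] if idx >= 0 else rest
        return {"name": name, "path": _command_path(rest), "company": None, "orphan": True}
    cm = re.match(r"^(?P<cmd>.+) \((?P<company>[^)]*)\)$", rest)
    if not cm:
        return None
    return {"name": name, "path": _command_path(cm.group("cmd")),
            "company": cm.group("company").strip(), "orphan": False}


def parse_file_entry(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse a PRC/MOD/SRV/DRV line into kind, company, path and service name."""
    m = FILE_RE.match(line)
    if not m:
        return None
    return {"kind": m.group("kind"), "company": m.group("company").strip(),
            "path": m.group("path"), "service": m.group("svc")}


def outside_system_dirs(path: str) -> bool:
    """Autostarting executables outside Program Files / Windows deserve a look."""
    p = path.lower()
    return not (p.startswith("c:\\program files") or p.startswith("c:\\windows"))


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Bucket log lines: orphaned references, placeholder vendors, odd locations."""
    findings: Dict[str, List[str]] = {"orphan": [], "placeholder_company": [], "unusual_location": []}
    for line in lines:
        line = line.rstrip()
        if is_orphan(line):
            findings["orphan"].append(line)
            continue
        entry = parse_file_entry(line) or parse_run_entry(line)
        if entry is None:
            continue
        # MOD lines under "No Company Name" are expected to be blank, so skip them here.
        if entry.get("kind") != "MOD" and entry["company"] in PLACEHOLDER_COMPANIES:
            findings["placeholder_company"].append(entry["path"])
        if entry.get("kind") in (None, "PRC") and outside_system_dirs(entry["path"]):
            findings["unusual_location"].append(entry["path"])
    return findings


# Constructed sample lines in OTL's format; names and paths are made up.
SAMPLE = [
    r"PRC - [2013/06/14 00:00:00 | 000,602,112 | ---- | M] (Example Tools) -- C:\Users\user\Desktop\scanner.exe",
    r"PRC - [2012/11/25 09:40:47 | 000,042,504 | ---- | M] (COMPANYVERS_NAME) -- C:\Program Files\ExampleBar\bar\1.bin\barsvc.exe",
    r"SRV - [2012/11/25 09:40:47 | 000,042,504 | ---- | M] (COMPANYVERS_NAME) [Auto | Running] -- C:\Program Files\ExampleBar\bar\1.bin\barsvc.exe -- (ExampleBarService)",
    r"DRV - File not found [Kernel | Auto | Stopped] -- C:\Program Files\Example Games\xdrv.sys -- (xdrv)",
    r"DRV - [2013/05/23 21:20:47 | 000,037,664 | ---- | M] (Example Vendor) [Kernel | System | Running] -- C:\Windows\System32\drivers\example.sys -- (example)",
    r"O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - No CLSID value found.",
    r"O4 - HKLM..\Run: [Updater] C:\Program Files\Example\Updater\Updater.exe (Example Inc.)",
    r'O4 - HKLM..\Run: [Speedup] "C:\Program Files\Speedup\Tray.exe" /startup File not found',
    r"O4 - HKCU..\Run: [Loader] C:\Program Files\ExampleBar\bar\1.bin\brmon.exe (VER_COMPANY_NAME)",
    r"O4 - Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Reminder.lnk = C:\pmw\REMIND.EXE ()",
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE).items():
        print(bucket, len(items))
        for item in items:
            print("   ", item)
```

Orphaned entries are leftovers of something already removed and are usually just cleaned out of the registry; the placeholder-company and unusual-location buckets are only a prompt for a closer look at the file, not a verdict on it.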

#3
smithm55

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Hello maliprog,

Thanks for taking on my case. Congratulations on post #6000 today! I always appreciate the help I receive here. One cup of coffee is on the way, and another once my issue is resolved. I pasted in the code and ran OTL, but had a few issues:
  • The command prompt window that opened near the end of the scan had some "path too long" errors scrolling by,
  • The logs didn't save to the desktop, where OTL is saved (OTL.exe itself, not a shortcut),
  • I did not get extras.txt, neither in a window nor saved to the desktop
When I did my own OTL scan yesterday, the 2 logs did save to the desktop. I renamed them before performing OTL scans for you this morning. If you would like me to paste that extras.txt from yesterday, please advise. I'm going to run the GMER scan now, and I'll post those results shortly. Again, thank you!




OTL logfile created on: 6/14/2013 9:34:48 AM - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\barb\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 0.97 Gb Available Physical Memory | 48.72% Memory free
4.21 Gb Paging File | 3.13 Gb Available in Paging File | 74.27% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 139.24 Gb Total Space | 85.69 Gb Free Space | 61.54% Space Free | Partition Type: NTFS
Drive D: | 9.77 Gb Total Space | 5.70 Gb Free Space | 58.39% Space Free | Partition Type: NTFS

Computer Name: BARB-LAPTOP | User Name: barb | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/06/14 00:44:16 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\barb\Desktop\OTL.exe
PRC - [2013/05/23 21:20:46 | 001,226,928 | ---- | M] (AVG Secure Search) -- C:\Program Files\AVG Secure Search\vprot.exe
PRC - [2013/05/23 21:20:46 | 001,015,984 | ---- | M] (AVG Secure Search) -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe
PRC - [2013/01/27 11:11:46 | 000,295,232 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\NisSrv.exe
PRC - [2013/01/27 11:11:46 | 000,020,456 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2013/01/27 11:11:06 | 000,947,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2012/11/25 09:40:47 | 000,042,504 | ---- | M] (COMPANYVERS_NAME) -- C:\Program Files\BibleTriviaTime_4l\bar\1.bin\4lbarsvc.exe
PRC - [2012/11/25 09:40:47 | 000,030,096 | ---- | M] (VER_COMPANY_NAME) -- C:\Program Files\BibleTriviaTime_4l\bar\1.bin\4lbrmon.exe
PRC - [2012/05/04 15:43:20 | 001,561,768 | ---- | M] (Ask) -- C:\Program Files\Ask.com\Updater\Updater.exe
PRC - [2011/10/11 13:49:14 | 001,179,648 | ---- | M] (W3i, LLC) -- C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe
PRC - [2009/05/21 13:13:58 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/08/14 02:04:44 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/05/08 02:52:24 | 000,442,433 | ---- | M] (IDT, Inc.) -- C:\Program Files\IDT\WDM\sttray.exe
PRC - [2008/05/08 02:52:22 | 000,221,239 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_1a0d9ac6\stacsv.exe
PRC - [2008/05/08 02:52:18 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_1a0d9ac6\AEstSrv.exe
PRC - [2008/03/13 20:21:56 | 001,207,376 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2008/02/26 11:57:28 | 000,128,296 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2007/05/09 17:01:00 | 000,036,864 | ---- | M] (Creative Technology Ltd.) -- C:\Windows\OEM02Mon.exe
PRC - [2007/02/12 14:38:04 | 000,355,096 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2007/02/12 14:37:58 | 000,174,872 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe


========== Modules (No Company Name) ==========

MOD - [2013/05/23 21:20:47 | 000,158,384 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\15.2.0\SiteSafety.dll
MOD - [2013/02/17 04:37:46 | 011,820,544 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\421cb77e6a4c21f94e3c5ddf766de23b\System.Web.ni.dll
MOD - [2013/01/09 04:37:33 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\b5df40c22ab563a816103629e2ca99d4\System.Runtime.Remoting.ni.dll
MOD - [2013/01/09 04:36:37 | 005,450,240 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\42087edbcd2294b7c51d9f27f992d919\System.Xml.ni.dll
MOD - [2013/01/09 04:33:04 | 007,977,984 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\cc149d08e75f8c53cd28ac926b38c370\System.ni.dll
MOD - [2013/01/09 04:32:46 | 011,492,352 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\2227d1559f87943255069398608d5c56\mscorlib.ni.dll
MOD - [2008/05/19 02:25:24 | 000,054,784 | ---- | M] () -- C:\Windows\System32\bcmwlrmt.dll


========== Services (SafeList) ==========

SRV - [2013/06/12 17:54:40 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/05/23 21:20:46 | 001,015,984 | ---- | M] (AVG Secure Search) [Auto | Running] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe -- (vToolbarUpdater15.2.0)
SRV - [2013/01/27 11:11:46 | 000,295,232 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2013/01/27 11:11:46 | 000,020,456 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012/11/25 09:40:47 | 000,042,504 | ---- | M] (COMPANYVERS_NAME) [Auto | Running] -- C:\Program Files\BibleTriviaTime_4l\bar\1.bin\4lbarsvc.exe -- (BibleTriviaTime_4lService)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/09/23 15:13:42 | 000,111,896 | ---- | M] (PCTEL) [On_Demand | Stopped] -- C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe -- (SprintRcAppSvc)
SRV - [2008/09/23 15:13:32 | 000,124,184 | ---- | M] (PCTEL) [On_Demand | Stopped] -- C:\Program Files\Sprint\Sprint SmartView\ConAppsSvc.exe -- (CASprint)
SRV - [2008/08/14 02:04:44 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter)
SRV - [2008/07/02 05:11:08 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2008/05/08 02:52:22 | 000,221,239 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_1a0d9ac6\stacsv.exe -- (STacSV)
SRV - [2008/05/08 02:52:18 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_1a0d9ac6\AEstSrv.exe -- (AESTFilters)
SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/02/12 14:38:04 | 000,355,096 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Auto | Stopped] -- C:\Program Files\Free Ride Games\X6XSEx.Sys -- (X6XSEx)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\BCM42RLY.sys -- (BCM42RLY)
DRV - [2013/05/23 21:20:47 | 000,037,664 | ---- | M] (AVG Technologies) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtpx86.sys -- (avgtp)
DRV - [2013/01/20 15:59:04 | 000,100,328 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2008/09/23 15:10:48 | 000,024,840 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\swmsflt.sys -- (swmsflt)
DRV - [2008/09/23 15:10:46 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PCASp50.sys -- (PCASp50)
DRV - [2008/09/23 15:10:42 | 000,222,720 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2008/09/23 15:10:42 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser2.sys -- (NWUSBPort2)
DRV - [2008/09/23 15:10:42 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser.sys -- (NWUSBPort)
DRV - [2008/09/23 15:10:42 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbmdm.sys -- (NWUSBModem)
DRV - [2008/09/23 15:10:42 | 000,020,480 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NwUsbCdFil.sys -- (NWUSBCDFIL)
DRV - [2008/09/23 15:10:32 | 000,038,680 | ---- | M] (PCTEL Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pctnullport.sys -- (Nmea)
DRV - [2008/09/23 15:08:26 | 000,032,408 | ---- | M] (PCTEL Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\PCTINDIS5.sys -- (PCTINDIS5)
DRV - [2008/05/08 02:52:26 | 000,379,904 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2008/03/24 02:03:12 | 000,042,496 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2008/03/24 02:03:12 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2008/03/24 02:03:10 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2008/01/20 22:23:25 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express)
DRV - [2007/10/10 17:03:00 | 000,235,648 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Dev.sys -- (OEM02Dev)
DRV - [2007/03/05 10:45:04 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Vfx.sys -- (OEM02Vfx)
DRV - [2006/11/02 03:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...ie7&rlz=1I7DKUS

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: - No CLSID value found
IE - HKCU\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
IE - HKCU\..\URLSearchHook: {3d68e927-6002-6bb4-7940-c297f1177192} - SOFTWARE\Classes\CLSID\{3d68e927-6002-6bb4-7940-c297f1177192}\InprocServer32 File not found
IE - HKCU\..\URLSearchHook: {3f2ae504-aa17-4805-90e8-56e48f98731c} - No CLSID value found
IE - HKCU\..\URLSearchHook: {46a21652-3f93-437d-aac0-caa1f6713da0} - No CLSID value found
IE - HKCU\..\URLSearchHook: {9427041a-a8dc-4d06-9a68-93873486e957} - No CLSID value found
IE - HKCU\..\URLSearchHook: {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask...9C-6834390E4344
IE - HKCU\..\SearchScopes\{5E6317DC-9715-4C9A-87DE-8C22E39E8435}: "URL" = http://search.yahoo....0120102,0,0,0,0
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.c...r=&d=2012-01-03 11:54:47&v=14.2.0.1&pid=avg&sg=&sap=dsp&q={searchTerms}
IE - HKCU\..\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}: "URL" = http://toolbar.inbox...id=80548&lng=en
IE - HKCU\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incre...box_im2_test_v2
IE - HKCU\..\SearchScopes\{D7D48F5B-C51C-465B-84EF-A810684CC035}: "URL" = http://search.condui...&ctid=CT3008668
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin: C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\15.2.0\\npsitesafety.dll ()
FF - HKLM\Software\MozillaPlugins\@BibleTriviaTime_4l.com/Plugin: C:\Program Files\BibleTriviaTime_4l\bar\1.bin\NP4lStub.dll (MindSpark)
FF - HKLM\Software\MozillaPlugins\@exent.com/npExentCtl,version=7.0.0.0: C:\Program Files\Free Ride Games\npExentCtl.dll File not found
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.21.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.21.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\MyWebSearch\bar\2.bin
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}: C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\ [2010/10/27 03:12:31 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@toolbar: C:\ProgramData\AVG Secure Search\FireFoxExt\15.2.0.5 [2013/05/23 21:20:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\4lffxtbr@BibleTriviaTime_4l.com: C:\Program Files\BibleTriviaTime_4l\bar\1.bin [2012/11/25 09:41:01 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR - homepage: http://www.google.com/
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.110\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.110\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.110\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll
CHR - plugin: MindSpark Toolbar Platform Plugin Stub (Enabled) = C:\Program Files\BibleTriviaTime_4l\bar\1.bin\NP4lStub.dll
CHR - plugin: AVG SiteSafety plugin (Enabled) = C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\14.0.1\\npsitesafety.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll
CHR - plugin: Java™ Platform SE 6 U38 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: McAfee Security Scanner + (Enabled) = C:\Program Files\McAfee Security Scan\3.0.313\npMcAfeeMss.dll
CHR - plugin: MindSpark Toolbar Platform Plugin Stub (Enabled) = C:\Program Files\MyScrapNook_12\bar\1.bin\NP12Stub.dll
CHR - plugin: My Web Search Plugin Stub (Enabled) = C:\Program Files\MyWebSearch\bar\2.bin\NPMyWebS.dll
CHR - plugin: Java Deployment Toolkit 6.0.380.5 (Enabled) = C:\Windows\system32\npdeployJava1.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

O1 HOSTS File: ([2013/06/13 06:13:00 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {09df68da-2acf-4828-9320-6d999a0834a3} - No CLSID value found.
O2 - BHO: (AppGraffiti) - {6F6A5334-78E9-4D9B-8182-8B41EA8C39EF} - C:\PROGRA~1\APPGRA~1\APPGRA~1.DLL File not found
O2 - BHO: (Window Shopper) - {74F475FA-6C75-43BD-AAB9-ECDA6184F600} - C:\Program Files\Superfish\Window Shopper\SuperfishIEAddon.dll File not found
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Shopping4Causes Shopping Plugin) - {7C4155B9-EFE5-2364-45E9-6679A6060ED5} - C:\Program Files\Shopping4Causes Shopping Plugin\Toolbar.dll File not found
O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\15.2.0.5\AVG Secure Search_toolbar.dll (AVG Secure Search)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\15.2.0.5\AVG Secure Search_toolbar.dll (AVG Secure Search)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {9427041A-A8DC-4D06-9A68-93873486E957} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)
O4 - HKLM..\Run: [BibleTriviaTime_4l Browser Plugin Loader] C:\Program Files\BibleTriviaTime_4l\bar\1.bin\4lbrmon.exe (VER_COMPANY_NAME)
O4 - HKLM..\Run: [DELL Webcam Manager] C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [ECenter] C:\DELL\E-Center\EULALauncher.exe ( )
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [Know the Bible Search Scope Monitor] C:\Program Files\BibleTriviaTime_4l\bar\1.bin\4lSrchMn.exe (MindSpark)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [PCPowerSpeed] "C:\Program Files\PCPowerSpeed\PCPowerTray.exe" /startup File not found
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [Sprint SmartView] C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe (Sprint)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [vProt] C:\Program Files\AVG Secure Search\vprot.exe (AVG Secure Search)
O4 - HKCU..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKCU..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" File not found
O4 - HKCU..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe" /runonstartup File not found
O4 - HKCU..\Run: [InstallIQUpdater] C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe (W3i, LLC)
O4 - HKCU..\Run: [RebateInformer] C:\PROGRA~1\REBATE~1\REBATE~1.EXE /STARTUP File not found
O4 - Startup: C:\Users\barb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Event Reminder.lnk = C:\pmw\PMREMIND.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre7\bin\jp2iexp.dll ()
O9 - Extra Button: Window Shopper - {A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - C:\Program Files\Superfish\Window Shopper\SuperfishIEAddon.dll File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.21.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 71.3.0.116 76.2.127.122
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5E687446-3D3B-40A4-BDA2-CAA460DC45F5}: DhcpNameServer = 71.3.0.116 76.2.127.122
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F0D94617-72C4-4EA2-8239-7F3C065F5F79}: DhcpNameServer = 12.189.32.61
O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\15.2.0\ViProtocol.dll (AVG Secure Search)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll) - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2013/06/13 20:47:29 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\barb\Desktop\OTL.exe
[2013/06/13 19:55:54 | 000,000,000 | ---D | C] -- C:\Users\barb\Desktop\RK_Quarantine
[2013/06/13 06:13:08 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2013/06/13 06:09:46 | 000,000,000 | ---D | C] -- C:\Users\barb\AppData\Local\temp
[2013/06/13 05:53:09 | 000,000,000 | ---D | C] -- C:\ComboFix
[2013/06/12 22:27:03 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2013/06/12 22:17:37 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2013/06/12 22:17:37 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2013/06/12 22:17:37 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2013/06/12 22:16:17 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/06/12 22:15:56 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2013/06/12 21:44:56 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2013/06/12 18:07:01 | 000,000,000 | ---D | C] -- C:\Users\barb\AppData\Roaming\Malwarebytes
[2013/06/12 18:06:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/06/12 18:06:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013/06/12 18:06:50 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2013/06/12 18:06:50 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013/05/23 11:05:22 | 000,000,000 | ---D | C] -- C:\Users\barb\2013-05-23 Steven Phillip Harris, Jr

========== Files - Modified Within 30 Days ==========

[2013/06/14 09:13:30 | 000,000,878 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013/06/14 09:04:56 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013/06/14 09:03:27 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/06/14 09:03:05 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/06/14 00:44:16 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\barb\Desktop\OTL.exe
[2013/06/13 20:45:52 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013/06/13 20:45:52 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013/06/13 20:45:43 | 000,065,536 | ---- | M] () -- C:\Windows\System32\Ikeext.etl
[2013/06/13 20:45:27 | 2137,456,640 | -HS- | M] () -- C:\hiberfil.sys
[2013/06/13 06:13:00 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2013/06/13 05:47:38 | 000,295,832 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013/06/12 22:10:46 | 000,002,243 | ---- | M] () -- C:\Windows\epplauncher.mif
[2013/06/12 21:55:26 | 000,604,752 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/06/12 21:55:26 | 000,104,420 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/06/12 20:03:10 | 000,002,677 | ---- | M] () -- C:\Users\barb\Desktop\Microsoft Word.lnk
[2013/06/12 19:00:51 | 000,002,453 | ---- | M] () -- C:\Users\barb\Desktop\MICROSOFT EXCELL.lnk
[2013/06/12 19:00:33 | 000,002,473 | ---- | M] () -- C:\Users\barb\Desktop\MICROSOFT WORKS.lnk
[2013/06/12 18:06:53 | 000,000,908 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/06/05 17:01:08 | 000,002,421 | ---- | M] () -- C:\Users\barb\Desktop\MICROSOFT CALENDAR.lnk
[2013/06/05 14:15:40 | 000,001,973 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2013/06/04 08:46:04 | 000,002,585 | ---- | M] () -- C:\Users\barb\Desktop\Microsoft Excel.lnk
[2013/05/28 14:24:23 | 000,040,200 | ---- | M] () -- C:\Users\barb\AppData\Roaming\wklnhst.dat
[2013/05/23 21:20:47 | 000,037,664 | ---- | M] (AVG Technologies) -- C:\Windows\System32\drivers\avgtpx86.sys
[2013/05/20 12:34:40 | 000,000,680 | ---- | M] () -- C:\Users\barb\AppData\Local\d3d9caps.dat

========== Files Created - No Company Name ==========

[2013/06/12 22:27:53 | 2137,456,640 | -HS- | C] () -- C:\hiberfil.sys
[2013/06/12 22:17:37 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013/06/12 22:17:37 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013/06/12 22:17:37 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013/06/12 22:17:37 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013/06/12 22:17:37 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2013/06/12 21:45:49 | 000,002,243 | ---- | C] () -- C:\Windows\epplauncher.mif
[2013/06/12 21:45:29 | 000,001,828 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2013/06/12 18:06:53 | 000,000,908 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/05/15 03:07:17 | 000,000,197 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2012/09/24 07:35:54 | 000,010,394 | ---- | C] () -- C:\Users\barb\image002.png
[2012/05/11 10:45:33 | 000,000,000 | ---- | C] () -- C:\Windows\MSREGUSR.INI
[2012/03/22 10:23:09 | 000,035,707 | ---- | C] () -- C:\Users\barb\Teacher App Bottle lables.pdf
[2012/01/03 12:51:27 | 000,000,064 | ---- | C] () -- C:\Windows\GPlrLanc.dat
[2010/07/20 10:20:55 | 000,037,440 | ---- | C] () -- C:\Users\barb\09Sample Follow-up Letters.rtf
[2010/03/17 15:48:57 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/02/07 16:20:13 | 000,000,680 | ---- | C] () -- C:\Users\barb\AppData\Local\d3d9caps.dat
[2009/02/11 11:35:51 | 000,024,064 | ---- | C] () -- C:\Users\barb\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/11 11:03:09 | 000,040,200 | ---- | C] () -- C:\Users\barb\AppData\Roaming\wklnhst.dat

========== ZeroAccess Check ==========

[2006/11/02 08:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 13:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 02:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 02:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2010/05/20 14:19:21 | 000,000,000 | ---D | M] -- C:\Users\barb\AppData\Roaming\BabyPanda.AE596E2C895946753C836133BB20D7D0CC6BAC08.1
[2013/06/12 18:54:04 | 000,000,000 | ---D | M] -- C:\Users\barb\AppData\Roaming\Clip Art Collection
[2011/11/25 09:46:48 | 000,000,000 | ---D | M] -- C:\Users\barb\AppData\Roaming\com.w3i.plyt
[2012/01/03 13:53:33 | 000,000,000 | ---D | M] -- C:\Users\barb\AppData\Roaming\Exent Technologies
[2011/10/09 21:16:07 | 000,000,000 | ---D | M] -- C:\Users\barb\AppData\Roaming\PCPowerSpeed
[2009/02/11 12:24:47 | 000,000,000 | ---D | M] -- C:\Users\barb\AppData\Roaming\Template

========== Purity Check ==========



========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: EXPLORER.EXE >
[2008/10/29 02:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[2008/10/29 02:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2008/10/29 23:59:17 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\erdnt\cache\explorer.exe
[2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\explorer.exe
[2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[2008/10/27 22:15:02 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[2008/01/20 22:24:24 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe

< MD5 for: SERVICES.EXE >
[2008/01/20 22:24:48 | 000,279,040 | ---- | M] (Microsoft Corporation) MD5=2B336AB6286D6C81FA02CBAB914E3C6C -- C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2009/04/11 02:27:59 | 000,279,552 | ---- | M] (Microsoft Corporation) MD5=D4E6D91C1349B7BFB3599A6ADA56851B -- C:\Windows\erdnt\cache\services.exe
[2009/04/11 02:27:59 | 000,279,552 | ---- | M] (Microsoft Corporation) MD5=D4E6D91C1349B7BFB3599A6ADA56851B -- C:\Windows\System32\services.exe
[2009/04/11 02:27:59 | 000,279,552 | ---- | M] (Microsoft Corporation) MD5=D4E6D91C1349B7BFB3599A6ADA56851B -- C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe

< MD5 for: SVCHOST.EXE >
[2008/01/20 22:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\erdnt\cache\svchost.exe
[2008/01/20 22:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\System32\svchost.exe
[2008/01/20 22:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6001.18000_none_b5bb59a1054dbde5\svchost.exe
[2013/04/04 14:50:32 | 000,218,184 | ---- | M] () MD5=B4C6E3889BB310CA7E974A04EC6E46AC -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe

< MD5 for: USERINIT.EXE >
[2008/01/20 22:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\erdnt\cache\userinit.exe
[2008/01/20 22:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe
[2008/01/20 22:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe

< MD5 for: WINLOGON.EXE >
[2009/04/11 02:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\erdnt\cache\winlogon.exe
[2009/04/11 02:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe
[2009/04/11 02:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2013/04/04 14:50:32 | 000,218,184 | ---- | M] () MD5=B4C6E3889BB310CA7E974A04EC6E46AC -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/01/20 22:24:49 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe

< %systemroot%\*. /mp /s >

< dir C:\ /S /A:L /C >
Volume in drive C is OS
Volume Serial Number is 6EDB-0B0A
Directory of C:\Program Files\Windows Defender
11/02/2006 08:42 AM <SYMLINKD> en-US [c:\windows\system32\config]
11/02/2006 08:34 AM <SYMLINK> MpAsDesc.dll [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MpClient.dll [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MpCmdRun.exe [c:\windows\system32\config]
11/02/2006 08:34 AM <SYMLINK> MpEvMsg.dll [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MpOAV.dll [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MpRtMon.dll [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MpRtPlug.dll [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MpSigDwn.dll [c:\windows\system32\config]
04/11/2009 02:27 AM <SYMLINK> MpSoftEx.dll [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MpSvc.dll [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MSASCui.exe [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MsMpCom.dll [c:\windows\system32\config]
11/02/2006 08:34 AM <SYMLINK> MsMpLics.dll [c:\windows\system32\config]
11/02/2006 08:34 AM <SYMLINK> MsMpRes.dll [c:\windows\system32\config]
14 File(s) 4,344,192 bytes
Directory of C:\Program Files\Windows Defender\en-US\systemprofile
07/02/2008 05:09 AM <JUNCTION> Application Data [..]
07/02/2008 05:09 AM <JUNCTION> Cookies [..]
07/02/2008 05:09 AM <JUNCTION> Local Settings [..]
0 File(s) 0 bytes
Directory of C:\Program Files\Windows Defender\en-US\systemprofile\AppData\Local
07/02/2008 05:09 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008 05:09 AM <JUNCTION> History [..]
07/02/2008 05:09 AM <JUNCTION> Temporary Internet Files [..]
0 File(s) 0 bytes
Directory of C:\Program Files\Windows Defender\en-US\systemprofile\AppData\Local\Application Data
07/02/2008 05:09 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008 05:09 AM <JUNCTION> History [..]
07/02/2008 05:09 AM <JUNCTION> Temporary Internet Files [..]
0 File(s) 0 bytes
Directory of C:\Program Files\Windows Defender\en-US\systemprofile\AppData\Local\Application Data\Application Data
07/02/2008 05:09 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008 05:09 AM <JUNCTION> History [..]
07/02/2008 05:09 AM <JUNCTION> Temporary Internet Files [..]
0 File(s) 0 bytes
Directory of C:\Program Files\Windows Defender\en-US\systemprofile\AppData\Local\Application Data\Application Data\Application Data
07/02/2008 05:09 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008 05:09 AM <JUNCTION> History [..]
07/02/2008 05:09 AM <JUNCTION> Temporary Internet Files [..]
0 File(s) 0 bytes
Directory of C:\Program Files\Windows Defender\en-US\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data
07/02/2008 05:09 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008 05:09 AM <JUNCTION> History [..]
07/02/2008 05:09 AM <JUNCTION> Temporary Internet Files [..]
0 File(s) 0 bytes
Directory of C:\Program Files\Windows Defender\en-US\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data
07/02/2008 05:09 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008 05:09 AM <JUNCTION> History [..]
07/02/2008 05:09 AM <JUNCTION> Temporary Internet Files [..]
0 File(s) 0 bytes
Directory of C:\Program Files\Windows Defender\en-US\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data
07/02/2008 05:09 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008 05:09 AM <JUNCTION> History [..]
07/02/2008 05:09 AM <JUNCTION> Temporary Internet Files [..]
0 File(s) 0 bytes
Directory of C:\Program Files\Windows Defender\en-US\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data
07/02/2008 05:09 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008 05:09 AM <JUNCTION> History [..]
07/02/2008 05:09 AM <JUNCTION> Temporary Internet Files [..]
0 File(s) 0 bytes
Directory of C:\Program Files\Windows Defender\en-US\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data
07/02/2008 05:09 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008 05:09 AM <JUNCTION> History [..]
07/02/2008 05:09 AM <JUNCTION> Temporary Internet Files [..]
0 File(s) 0 bytes
Directory of C:\Program Files\Windows Defender\en-US\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data
07/02/2008 05:09 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008 05:09 AM <JUNCTION> History [..]
07/02/2008 05:09 AM <JUNCTION> Temporary Internet Files [..]
0 File(s) 0 bytes
Directory of C:\Program Files\Windows Defender\en-US\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data
07/02/2008 05:09 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008 05:09 AM <JUNCTION> History [..]
07/02/2008 05:09 AM <JUNCTION> Temporary Internet Files [.]
0 File(s) 0 bytes
Directory of C:\Program Files\Windows Defender\en-US\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data
07/02/2008 05:09 AM <JUNCTION> Application Data [.]
07/02/2008 05:09 AM <JUNCTION> History [.]
07/02/2008 05:09 AM <JUNCTION> Temporary Internet Files [.]
0 File(s) 0 bytes
Directory of C:\ProgramData
02/11/2009 09:38 AM <JUNCTION> Application Data [C:\ProgramData]
02/11/2009 09:38 AM <JUNCTION> Desktop [C:\Users\Public\Desktop]
02/11/2009 09:38 AM <JUNCTION> Documents [C:\Users\Public\Documents]
02/11/2009 09:38 AM <JUNCTION> Favorites [C:\Users\Public\Favorites]
02/11/2009 09:38 AM <JUNCTION> Start Menu [C:\ProgramData\Microsoft\Windows\Start Menu]
02/11/2009 09:38 AM <JUNCTION> Templates [C:\ProgramData\Microsoft\Windows\Templates]
0 File(s) 0 bytes
Directory of C:\Users
02/11/2009 09:38 AM <SYMLINKD> All Users [C:\ProgramData]
02/11/2009 09:38 AM <JUNCTION> Default User [C:\Users\Default]
0 File(s) 0 bytes
Directory of C:\Users\All Users
02/11/2009 09:38 AM <JUNCTION> Application Data [C:\ProgramData]
02/11/2009 09:38 AM <JUNCTION> Desktop [C:\Users\Public\Desktop]
02/11/2009 09:38 AM <JUNCTION> Documents [C:\Users\Public\Documents]
02/11/2009 09:38 AM <JUNCTION> Favorites [C:\Users\Public\Favorites]
02/11/2009 09:38 AM <JUNCTION> Start Menu [C:\ProgramData\Microsoft\Windows\Start Menu]
02/11/2009 09:38 AM <JUNCTION> Templates [C:\ProgramData\Microsoft\Windows\Templates]
0 File(s) 0 bytes
Directory of C:\Users\barb
02/11/2009 09:42 AM <JUNCTION> Application Data [C:\Users\barb\AppData\Roaming]
02/11/2009 09:42 AM <JUNCTION> Cookies [C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies]
02/11/2009 09:42 AM <JUNCTION> Local Settings [C:\Users\barb\AppData\Local]
02/11/2009 09:42 AM <JUNCTION> My Documents [C:\Users\barb\Documents]
02/11/2009 09:42 AM <JUNCTION> NetHood [C:\Users\barb\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
02/11/2009 09:42 AM <JUNCTION> PrintHood [C:\Users\barb\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
02/11/2009 09:42 AM <JUNCTION> Recent [C:\Users\barb\AppData\Roaming\Microsoft\Windows\Recent]
02/11/2009 09:42 AM <JUNCTION> SendTo [C:\Users\barb\AppData\Roaming\Microsoft\Windows\SendTo]
02/11/2009 09:42 AM <JUNCTION> Start Menu [C:\Users\barb\AppData\Roaming\Microsoft\Windows\Start Menu]
02/11/2009 09:42 AM <JUNCTION> Templates [C:\Users\barb\AppData\Roaming\Microsoft\Windows\Templates]
0 File(s) 0 bytes
Directory of C:\Users\barb\AppData\Local
02/11/2009 09:42 AM <JUNCTION> Application Data [C:\Users\barb\AppData\Local]
02/11/2009 09:42 AM <JUNCTION> History [C:\Users\barb\AppData\Local\Microsoft\Windows\History]
02/11/2009 09:42 AM <JUNCTION> Temporary Internet Files [C:\Users\barb\AppData\Local\Microsoft\Windows\Temporary Internet Files]
0 File(s) 0 bytes
Directory of C:\Users\barb\Documents
02/11/2009 09:42 AM <JUNCTION> My Music [C:\Users\barb\Music]
02/11/2009 09:42 AM <JUNCTION> My Pictures [C:\Users\barb\Pictures]
02/11/2009 09:42 AM <JUNCTION> My Videos [C:\Users\barb\Videos]
0 File(s) 0 bytes
Directory of C:\Users\Default
02/11/2009 09:38 AM <JUNCTION> Application Data [C:\Users\Default\AppData\Roaming]
02/11/2009 09:38 AM <JUNCTION> Cookies [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies]
02/11/2009 09:38 AM <JUNCTION> Local Settings [C:\Users\Default\AppData\Local]
02/11/2009 09:38 AM <JUNCTION> My Documents [C:\Users\Default\Documents]
02/11/2009 09:38 AM <JUNCTION> NetHood [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
02/11/2009 09:38 AM <JUNCTION> PrintHood [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
02/11/2009 09:38 AM <JUNCTION> Recent [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent]
02/11/2009 09:38 AM <JUNCTION> SendTo [C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo]
02/11/2009 09:38 AM <JUNCTION> Start Menu [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu]
02/11/2009 09:38 AM <JUNCTION> Templates [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates]
0 File(s) 0 bytes
Directory of C:\Users\Default\AppData\Local
02/11/2009 09:38 AM <JUNCTION> Application Data [C:\Users\Default\AppData\Local]
02/11/2009 09:38 AM <JUNCTION> History [C:\Users\Default\AppData\Local\Microsoft\Windows\History]
02/11/2009 09:38 AM <JUNCTION> Temporary Internet Files [C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files]
0 File(s) 0 bytes
Directory of C:\Users\Default\Documents
02/11/2009 09:38 AM <JUNCTION> My Music [C:\Users\Default\Music]
02/11/2009 09:38 AM <JUNCTION> My Pictures [C:\Users\Default\Pictures]
02/11/2009 09:38 AM <JUNCTION> My Videos [C:\Users\Default\Videos]
0 File(s) 0 bytes
Directory of C:\Users\Public\Documents
02/11/2009 09:38 AM <JUNCTION> My Music [C:\Users\Public\Music]
02/11/2009 09:38 AM <JUNCTION> My Pictures [C:\Users\Public\Pictures]
02/11/2009 09:38 AM <JUNCTION> My Videos [C:\Users\Public\Videos]
0 File(s) 0 bytes
Directory of C:\Windows\System32\config\systemprofile
07/02/2008 05:09 AM <JUNCTION> Application Data [..]
07/02/2008 05:09 AM <JUNCTION> Cookies [..]
07/02/2008 05:09 AM <JUNCTION> Local Settings [..]
0 File(s) 0 bytes
Directory of C:\Windows\System32\config\systemprofile\AppData\Local
07/02/2008 05:09 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008 05:09 AM <JUNCTION> History [..]
07/02/2008 05:09 AM <JUNCTION> Temporary Internet Files [..]
0 File(s) 0 bytes
Directory of C:\Windows\System32\config\systemprofile\AppData\Local\Application Data
07/02/2008 05:09 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008 05:09 AM <JUNCTION> History [..]
07/02/2008 05:09 AM <JUNCTION> Temporary Internet Files [..]
0 File(s) 0 bytes
Directory of C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data
07/02/2008 05:09 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008 05:09 AM <JUNCTION> History [..]
07/02/2008 05:09 AM <JUNCTION> Temporary Internet Files [..]
0 File(s) 0 bytes
Directory of C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data
07/02/2008 05:09 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008 05:09 AM <JUNCTION> History [..]
07/02/2008 05:09 AM <JUNCTION> Temporary Internet Files [..]
0 File(s) 0 bytes
Directory of C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data
07/02/2008 05:09 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008 05:09 AM <JUNCTION> History [..]
07/02/2008 05:09 AM <JUNCTION> Temporary Internet Files [..]
0 File(s) 0 bytes
Directory of C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data
07/02/2008 05:09 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008 05:09 AM <JUNCTION> History [..]
07/02/2008 05:09 AM <JUNCTION> Temporary Internet Files [..]
0 File(s) 0 bytes
Directory of C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data
07/02/2008 05:09 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008 05:09 AM <JUNCTION> History [..]
07/02/2008 05:09 AM <JUNCTION> Temporary Internet Files [..]
0 File(s) 0 bytes
Directory of C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data
07/02/2008 05:09 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008 05:09 AM <JUNCTION> History [..]
07/02/2008 05:09 AM <JUNCTION> Temporary Internet Files [..]
0 File(s) 0 bytes
Directory of C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data
07/02/2008 05:09 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008 05:09 AM <JUNCTION> History [..]
07/02/2008 05:09 AM <JUNCTION> Temporary Internet Files [..]
0 File(s) 0 bytes
Directory of C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data
07/02/2008 05:09 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008 05:09 AM <JUNCTION> History [..]
07/02/2008 05:09 AM <JUNCTION> Temporary Internet Files [..]
0 File(s) 0 bytes
Directory of C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data
07/02/2008 05:09 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008 05:09 AM <JUNCTION> History [..]
07/02/2008 05:09 AM <JUNCTION> Temporary Internet Files [..]
0 File(s) 0 bytes
Directory of C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data
07/02/2008 05:09 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008 05:09 AM <JUNCTION> History [..]
07/02/2008 05:09 AM <JUNCTION> Temporary Internet Files [.]
0 File(s) 0 bytes
Directory of C:\Windows\winsxs\x86_security-malware-windows-defender-events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f
11/02/2006 08:34 AM <SYMLINK> MpEvMsg.dll [c:\windows\system32\config]
1 File(s) 65,640 bytes
Directory of C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5
11/02/2006 08:34 AM <SYMLINK> MpAsDesc.dll [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MpClient.dll [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MpCmdRun.exe [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MpOAV.dll [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MpRtMon.dll [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MpRtPlug.dll [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MpSigDwn.dll [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MpSvc.dll [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MSASCui.exe [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MsMpCom.dll [c:\windows\system32\config]
11/02/2006 08:34 AM <SYMLINK> MsMpLics.dll [c:\windows\system32\config]
11/02/2006 08:34 AM <SYMLINK> MsMpRes.dll [c:\windows\system32\config]
12 File(s) 3,765,552 bytes
Directory of C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411
11/02/2006 08:34 AM <SYMLINK> MpAsDesc.dll [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MpClient.dll [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MpCmdRun.exe [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MpOAV.dll [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MpRtMon.dll [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MpRtPlug.dll [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MpSigDwn.dll [c:\windows\system32\config]
04/11/2009 02:27 AM <SYMLINK> MpSoftEx.dll [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MpSvc.dll [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MSASCui.exe [c:\windows\system32\config]
01/20/2008 10:23 PM <SYMLINK> MsMpCom.dll [c:\windows\system32\config]
11/02/2006 08:34 AM <SYMLINK> MsMpLics.dll [c:\windows\system32\config]
11/02/2006 08:34 AM <SYMLINK> MsMpRes.dll [c:\windows\system32\config]
13 File(s) 4,278,552 bytes
Total Files Listed:
40 File(s) 12,453,936 bytes
128 Dir(s) 91,479,199,744 bytes free

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\History] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\History] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\History] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Temporary Internet Files] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\History] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Temporary Internet Files] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\History] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Temporary Internet Files] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\AppData\Local\History] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\AppData\Local\Temporary Internet Files] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\Application Data] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\Cookies] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\Local Settings] -> Error: Cannot create file handle -> Unknown point type

< End of report >

Edited by maliprog, 16 June 2013 - 11:17 PM.


#4
smithm55 (Member, Topic Starter, 37 posts)

maliprog,

GMER is still chugging away, so that log will be forthcoming. I'm headed out of town, so I will give you an update Sunday evening. Thank you.

Matt

Edited by smithm55, 14 June 2013 - 12:01 PM.


#5
maliprog (Trusted Helper, Malware Removal, 6,172 posts)

Hi smithm55,

Thank you for your donation. I really appreciate it!

Please post the GMER log when the scan is done and I'll prepare the next steps for you in the meantime.

#6
smithm55 (Member, Topic Starter, 37 posts)

maliprog,

Following is the GMER scan.

Thank you,

Matt


GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-06-17 06:21:42
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST916082 rev.3.AD 149.05GB
Running: 6mgdk5yh.exe; Driver: C:\Users\barb\AppData\Local\Temp\pwliypog.sys


---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                   Wdf01000.sys
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1                   Wdf01000.sys
AttachedDevice  \FileSystem\fastfat \Fat                                  fltmgr.sys

---- Files - GMER 2.1 ----

File            C:\Program Files\Windows Defender\en-US\MpAsDesc.dll.mui  40960 bytes executable
File            C:\Program Files\Windows Defender\en-US\MpEvMsg.dll.mui   18944 bytes executable
File            C:\Program Files\Windows Defender\en-US\MsMpRes.dll.mui   61440 bytes executable

---- EOF - GMER 2.1 ----



#7
maliprog (Trusted Helper, Malware Removal, 6,172 posts)

Hi smithm55,

Step 1

NOTE: This fix is custom made for this system only and for the current system state! Don't try to run it on another system!

  • Click on the Start button and in the search box, type Notepad and click on it
  • Copy (Ctrl+C) all of the text in the following box and paste (Ctrl+V) it into Notepad
    REM Each fsutil line strips the reparse data (the symlink) off a Windows
    REM Defender file or folder that the infection turned into a link; what is
    REM left behind is an ordinary, empty entry that a later repair can replace.
    REM The first path carries no trailing backslash: a backslash right before
    REM the closing quote is read as an escaped quote and breaks the argument.
    fsutil reparsepoint delete "C:\Program Files\Windows Defender"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\en-US"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpAsDesc.dll"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpClient.dll"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpCmdRun.exe"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpCommu.dll"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpEvMsg.dll"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpOAV.dll"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpRTP.dll"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpSvc.dll"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MSASCui.exe"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MsMpCom.dll"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MsMpLics.dll"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MsMpRes.dll"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpRtMon.dll"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpRtPlug.dll"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpSigDwn.dll"
    fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpSoftEx.dll"
    REM The same files in the two component-store (winsxs) copies of the
    REM Windows Defender assembly, which the OTL log listed as <SYMLINK>.
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpAsDesc.dll"
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpClient.dll"
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpCmdRun.exe"
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpOAV.dll"
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpRtMon.dll"
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpRtPlug.dll"
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpSigDwn.dll"
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpSvc.dll"
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MSASCui.exe"
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MsMpCom.dll"
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MsMpLics.dll"
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MsMpRes.dll"
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpAsDesc.dll"
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpClient.dll"
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpCmdRun.exe"
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpOAV.dll"
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpRtMon.dll"
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpRtPlug.dll"
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpSigDwn.dll"
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpSoftEx.dll"
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpSvc.dll"
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MSASCui.exe"
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MsMpCom.dll"
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MsMpLics.dll"
    fsutil reparsepoint delete "C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MsMpRes.dll"
    REM List every reparse point left on the drive (/A:L = reparse points only)
    REM into a log on the Desktop, then open it. START needs the full path:
    REM the current directory is now C:\ while the log sits on the Desktop, and
    REM the empty "" is the window title START expects before a quoted path.
    CD \
    DIR /S /A:L > "%USERPROFILE%\Desktop\JunctionPoints.txt"
    START "" "%USERPROFILE%\Desktop\JunctionPoints.txt"
    EXIT
    
    
  • Go to File > Save As... and save it to your Desktop as fix.bat. Make sure you change the Save as type to All Files (*.*)
  • Locate fix.bat on your Desktop, right-click it and select Run as administrator

Post JunctionPoints.txt when finished.

Step 2

Download the ESET services repair tool and extract the file to your desktop.
  • Double-click ServicesRepair.exe.
  • If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
  • Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.
  • A log will be saved in the CCSupport folder the tool created on your desktop, please post the content in your next reply.

Step 3

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion just reboot your system once, that will cure it.


Please make sure you include the ComboFix log in your next reply

Step 4

Please don't forget to include these items in your reply:

  • JunctionPoints.txt log
  • ServicesRepair log
  • Combofix log
It would be helpful if you could post each log in a separate post using the "Add Reply" button

#8
smithm55 (Member, Topic Starter, 37 posts)

JunctionPoints.txt



 Volume in drive C is OS
 Volume Serial Number is 6EDB-0B0A

 Directory of C:\ProgramData

02/11/2009  09:38 AM    <JUNCTION>     Application Data [C:\ProgramData]
02/11/2009  09:38 AM    <JUNCTION>     Desktop [C:\Users\Public\Desktop]
02/11/2009  09:38 AM    <JUNCTION>     Documents [C:\Users\Public\Documents]
02/11/2009  09:38 AM    <JUNCTION>     Favorites [C:\Users\Public\Favorites]
02/11/2009  09:38 AM    <JUNCTION>     Start Menu [C:\ProgramData\Microsoft\Windows\Start Menu]
02/11/2009  09:38 AM    <JUNCTION>     Templates [C:\ProgramData\Microsoft\Windows\Templates]
               0 File(s)              0 bytes

 Directory of C:\Users

02/11/2009  09:38 AM    <SYMLINKD>     All Users [C:\ProgramData]
02/11/2009  09:38 AM    <JUNCTION>     Default User [C:\Users\Default]
               0 File(s)              0 bytes

 Directory of C:\Users\All Users

02/11/2009  09:38 AM    <JUNCTION>     Application Data [C:\ProgramData]
02/11/2009  09:38 AM    <JUNCTION>     Desktop [C:\Users\Public\Desktop]
02/11/2009  09:38 AM    <JUNCTION>     Documents [C:\Users\Public\Documents]
02/11/2009  09:38 AM    <JUNCTION>     Favorites [C:\Users\Public\Favorites]
02/11/2009  09:38 AM    <JUNCTION>     Start Menu [C:\ProgramData\Microsoft\Windows\Start Menu]
02/11/2009  09:38 AM    <JUNCTION>     Templates [C:\ProgramData\Microsoft\Windows\Templates]
               0 File(s)              0 bytes

 Directory of C:\Users\barb

02/11/2009  09:42 AM    <JUNCTION>     Application Data [C:\Users\barb\AppData\Roaming]
02/11/2009  09:42 AM    <JUNCTION>     Cookies [C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies]
02/11/2009  09:42 AM    <JUNCTION>     Local Settings [C:\Users\barb\AppData\Local]
02/11/2009  09:42 AM    <JUNCTION>     My Documents [C:\Users\barb\Documents]
02/11/2009  09:42 AM    <JUNCTION>     NetHood [C:\Users\barb\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
02/11/2009  09:42 AM    <JUNCTION>     PrintHood [C:\Users\barb\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
02/11/2009  09:42 AM    <JUNCTION>     Recent [C:\Users\barb\AppData\Roaming\Microsoft\Windows\Recent]
02/11/2009  09:42 AM    <JUNCTION>     SendTo [C:\Users\barb\AppData\Roaming\Microsoft\Windows\SendTo]
02/11/2009  09:42 AM    <JUNCTION>     Start Menu [C:\Users\barb\AppData\Roaming\Microsoft\Windows\Start Menu]
02/11/2009  09:42 AM    <JUNCTION>     Templates [C:\Users\barb\AppData\Roaming\Microsoft\Windows\Templates]
               0 File(s)              0 bytes

 Directory of C:\Users\barb\AppData\Local

02/11/2009  09:42 AM    <JUNCTION>     Application Data [C:\Users\barb\AppData\Local]
02/11/2009  09:42 AM    <JUNCTION>     History [C:\Users\barb\AppData\Local\Microsoft\Windows\History]
02/11/2009  09:42 AM    <JUNCTION>     Temporary Internet Files [C:\Users\barb\AppData\Local\Microsoft\Windows\Temporary Internet Files]
               0 File(s)              0 bytes

 Directory of C:\Users\barb\Documents

02/11/2009  09:42 AM    <JUNCTION>     My Music [C:\Users\barb\Music]
02/11/2009  09:42 AM    <JUNCTION>     My Pictures [C:\Users\barb\Pictures]
02/11/2009  09:42 AM    <JUNCTION>     My Videos [C:\Users\barb\Videos]
               0 File(s)              0 bytes

 Directory of C:\Users\Default

02/11/2009  09:38 AM    <JUNCTION>     Application Data [C:\Users\Default\AppData\Roaming]
02/11/2009  09:38 AM    <JUNCTION>     Cookies [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies]
02/11/2009  09:38 AM    <JUNCTION>     Local Settings [C:\Users\Default\AppData\Local]
02/11/2009  09:38 AM    <JUNCTION>     My Documents [C:\Users\Default\Documents]
02/11/2009  09:38 AM    <JUNCTION>     NetHood [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
02/11/2009  09:38 AM    <JUNCTION>     PrintHood [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
02/11/2009  09:38 AM    <JUNCTION>     Recent [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent]
02/11/2009  09:38 AM    <JUNCTION>     SendTo [C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo]
02/11/2009  09:38 AM    <JUNCTION>     Start Menu [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu]
02/11/2009  09:38 AM    <JUNCTION>     Templates [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates]
               0 File(s)              0 bytes

 Directory of C:\Users\Default\AppData\Local

02/11/2009  09:38 AM    <JUNCTION>     Application Data [C:\Users\Default\AppData\Local]
02/11/2009  09:38 AM    <JUNCTION>     History [C:\Users\Default\AppData\Local\Microsoft\Windows\History]
02/11/2009  09:38 AM    <JUNCTION>     Temporary Internet Files [C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files]
               0 File(s)              0 bytes

 Directory of C:\Users\Default\Documents

02/11/2009  09:38 AM    <JUNCTION>     My Music [C:\Users\Default\Music]
02/11/2009  09:38 AM    <JUNCTION>     My Pictures [C:\Users\Default\Pictures]
02/11/2009  09:38 AM    <JUNCTION>     My Videos [C:\Users\Default\Videos]
               0 File(s)              0 bytes

 Directory of C:\Users\Public\Documents

02/11/2009  09:38 AM    <JUNCTION>     My Music [C:\Users\Public\Music]
02/11/2009  09:38 AM    <JUNCTION>     My Pictures [C:\Users\Public\Pictures]
02/11/2009  09:38 AM    <JUNCTION>     My Videos [C:\Users\Public\Videos]
               0 File(s)              0 bytes

 Directory of C:\Windows\System32\config\systemprofile

07/02/2008  05:09 AM    <JUNCTION>     Application Data [..]
07/02/2008  05:09 AM    <JUNCTION>     Cookies [..]
07/02/2008  05:09 AM    <JUNCTION>     Local Settings [..]
               0 File(s)              0 bytes

 Directory of C:\Windows\System32\config\systemprofile\AppData\Local

07/02/2008  05:09 AM    <JUNCTION>     Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008  05:09 AM    <JUNCTION>     History [..]
07/02/2008  05:09 AM    <JUNCTION>     Temporary Internet Files [..]
               0 File(s)              0 bytes

 Directory of C:\Windows\System32\config\systemprofile\AppData\Local\Application Data

07/02/2008  05:09 AM    <JUNCTION>     Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008  05:09 AM    <JUNCTION>     History [..]
07/02/2008  05:09 AM    <JUNCTION>     Temporary Internet Files [..]
               0 File(s)              0 bytes

 Directory of C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data

07/02/2008  05:09 AM    <JUNCTION>     Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008  05:09 AM    <JUNCTION>     History [..]
07/02/2008  05:09 AM    <JUNCTION>     Temporary Internet Files [..]
               0 File(s)              0 bytes

 Directory of C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data

07/02/2008  05:09 AM    <JUNCTION>     Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008  05:09 AM    <JUNCTION>     History [..]
07/02/2008  05:09 AM    <JUNCTION>     Temporary Internet Files [..]
               0 File(s)              0 bytes

 Directory of C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data

07/02/2008  05:09 AM    <JUNCTION>     Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008  05:09 AM    <JUNCTION>     History [..]
07/02/2008  05:09 AM    <JUNCTION>     Temporary Internet Files [..]
               0 File(s)              0 bytes

 Directory of C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data

07/02/2008  05:09 AM    <JUNCTION>     Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008  05:09 AM    <JUNCTION>     History [..]
07/02/2008  05:09 AM    <JUNCTION>     Temporary Internet Files [..]
               0 File(s)              0 bytes

 Directory of C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data

07/02/2008  05:09 AM    <JUNCTION>     Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008  05:09 AM    <JUNCTION>     History [..]
07/02/2008  05:09 AM    <JUNCTION>     Temporary Internet Files [..]
               0 File(s)              0 bytes

 Directory of C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data

07/02/2008  05:09 AM    <JUNCTION>     Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008  05:09 AM    <JUNCTION>     History [..]
07/02/2008  05:09 AM    <JUNCTION>     Temporary Internet Files [..]
               0 File(s)              0 bytes

 Directory of C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data

07/02/2008  05:09 AM    <JUNCTION>     Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008  05:09 AM    <JUNCTION>     History [..]
07/02/2008  05:09 AM    <JUNCTION>     Temporary Internet Files [..]
               0 File(s)              0 bytes

 Directory of C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data

07/02/2008  05:09 AM    <JUNCTION>     Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008  05:09 AM    <JUNCTION>     History [..]
07/02/2008  05:09 AM    <JUNCTION>     Temporary Internet Files [..]
               0 File(s)              0 bytes

 Directory of C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data

07/02/2008  05:09 AM    <JUNCTION>     Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008  05:09 AM    <JUNCTION>     History [..]
07/02/2008  05:09 AM    <JUNCTION>     Temporary Internet Files [..]
               0 File(s)              0 bytes

 Directory of C:\Windows\System32\config\systemprofile\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data

07/02/2008  05:09 AM    <JUNCTION>     Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
07/02/2008  05:09 AM    <JUNCTION>     History [..]
07/02/2008  05:09 AM    <JUNCTION>     Temporary Internet Files [.]
               0 File(s)              0 bytes

 Directory of C:\Windows\winsxs\x86_security-malware-windows-defender-events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f

11/02/2006  08:34 AM    <SYMLINK>      MpEvMsg.dll [...]
               1 File(s)         65,640 bytes

     Total Files Listed:
               1 File(s)         65,640 bytes
              88 Dir(s)  93,375,950,848 bytes free


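The JunctionPoints.txt listing in post #8 is what the DIR /S /A:L step in maliprog's fix produces, and reading it by eye means separating Vista's own per-profile compatibility junctions (the 02/11/2009 entries such as Application Data, Cookies, Local Settings) from the entries the infection left behind (the winsxs MpEvMsg.dll that is still a <SYMLINK>, and the systemprofile links whose target prints as [..]). The script below is an added example, not code from the thread, from the helpers or from any of the tools named in it. It parses the cmd.exe DIR format shown above and flags entries that do not look like stock Vista junctions. The sample listing inside it is constructed from the formats in the thread, and the three heuristics (a file symlink where an .exe/.dll/.sys should be, a target that is not an absolute drive path such as [..] or [...], and a directory link whose name is outside the set Vista creates) are assumptions of this example, not rules stated in the thread.

```python
"""Triage a `DIR /S /A:L` listing (JunctionPoints.txt) for reparse points
that do not look like Vista's own compatibility junctions.

Added example for the forum thread above; the sample listing is constructed
from the DIR formats seen in the thread and the heuristics are assumptions.
"""
import re

# " Directory of C:\Users\barb"
DIR_RE = re.compile(r'^\s*Directory of (?P<path>.+?)\s*$')
# "02/11/2009  09:42 AM    <JUNCTION>     Application Data [C:\Users\barb\AppData\Roaming]"
ENTRY_RE = re.compile(
    r'^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M\s+'
    r'<(?P<kind>JUNCTION|SYMLINKD|SYMLINK)>\s+'
    r'(?P<name>.+?)\s+\[(?P<target>[^\]]*)\]\s*$'
)

EXECUTABLE_EXT = ('.exe', '.dll', '.sys')

# Names of the compatibility junctions Vista creates in every profile and in
# ProgramData; every one of them appears in the thread's listing.
VISTA_COMPAT_NAMES = {
    'application data', 'cookies', 'local settings', 'my documents', 'nethood',
    'printhood', 'recent', 'sendto', 'start menu', 'templates', 'history',
    'temporary internet files', 'my music', 'my pictures', 'my videos',
    'desktop', 'documents', 'favorites', 'all users', 'default user',
}


def parse_listing(text):
    """Yield (directory, kind, name, target) for each reparse point in the listing."""
    current = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group('path')
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            yield current, m.group('kind'), m.group('name'), m.group('target')


def suspicious_reasons(directory, kind, name, target):
    """Heuristics (assumptions of this example) for an entry that is not one of Vista's own."""
    reasons = []
    if kind == 'SYMLINK' and name.lower().endswith(EXECUTABLE_EXT):
        # Stock Vista installs DLLs/EXEs as real files (hard-linked into winsxs),
        # not as file symlinks; a link here is what kept Windows Defender from loading.
        reasons.append('executable replaced by file symlink')
    if not re.match(r'^[A-Za-z]:\\', target):
        # '.', '..', '...' or an empty target is not a usable destination;
        # the legitimate junctions in the listing all carry a full path.
        reasons.append(f'non-absolute target {target!r}')
    if kind in ('JUNCTION', 'SYMLINKD') and name.lower() not in VISTA_COMPAT_NAMES:
        reasons.append('directory link with an unexpected name')
    return reasons


def triage(text):
    """Return [(full_path, kind, target, reasons)] for entries that trip any heuristic."""
    findings = []
    for directory, kind, name, target in parse_listing(text):
        reasons = suspicious_reasons(directory, kind, name, target)
        if reasons:
            findings.append((directory.rstrip('\\') + '\\' + name, kind, target, reasons))
    return findings


# Constructed sample, modelled on the listings posted in the thread.
SAMPLE_LISTING = r"""
 Volume in drive C is OS

 Directory of C:\Users\barb

02/11/2009  09:42 AM    <JUNCTION>     Application Data [C:\Users\barb\AppData\Roaming]
02/11/2009  09:42 AM    <JUNCTION>     Cookies [C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies]
               0 File(s)              0 bytes

 Directory of C:\Users\barb\AppData\Local

02/11/2009  09:42 AM    <JUNCTION>     Application Data [C:\Users\barb\AppData\Local]
               0 File(s)              0 bytes

 Directory of C:\Windows\System32\config\systemprofile

07/02/2008  05:09 AM    <JUNCTION>     Application Data [..]
07/02/2008  05:09 AM    <JUNCTION>     Cookies [..]
               0 File(s)              0 bytes

 Directory of C:\Program Files\Windows Defender

11/02/2006  08:34 AM    <SYMLINK>      MsMpLics.dll [c:\windows\system32\config]
01/20/2008  10:23 PM    <SYMLINK>      MpSvc.dll [c:\windows\system32\config]
               2 File(s)              0 bytes

 Directory of C:\Windows\winsxs\x86_security-malware-windows-defender-events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f

11/02/2006  08:34 AM    <SYMLINK>      MpEvMsg.dll [...]
               1 File(s)         65,640 bytes
"""

if __name__ == '__main__':
    import sys
    # DIR redirected to a file is written in the console (OEM) code page, so
    # read leniently when given a real JunctionPoints.txt on the command line.
    text = open(sys.argv[1], errors='replace').read() if len(sys.argv) > 1 else SAMPLE_LISTING
    for path, kind, target, reasons in triage(text):
        print(f'{kind:9} {path} -> [{target}]: {"; ".join(reasons)}')
```

Run without arguments it reports the two systemprofile [..] junctions and the three executable symlinks, while the barb profile junctions pass, including the AppData\Local\Application Data one that points back at its own parent, which is how Vista ships it. Against the real listing it would single out the MpEvMsg.dll in the windows-defender-events assembly, a path the fix list in Step 1 does not cover. The checks are purely textual, so confirm any hit on the live machine with `fsutil reparsepoint query <path>` before deleting its reparse data.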

#9
smithm55 (Member, Topic Starter, 37 posts)

ESET Log:
Log Opened: 2013-06-17 @ 18:09:30
18:09:30 - -----------------
18:09:30 - | Begin Logging |
18:09:30 - -----------------
18:09:30 - Fix started on a WIN_VISTA X86 computer
18:09:30 - Prep in progress.  Please Wait.
18:09:33 - Prep complete
18:09:33 - Repairing Services Now.  Please wait...
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Vista\BFE.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent\SubLayer>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent\Provider>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent\Filter>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\BootTime\Filter>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\BootTime>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Vista\BITS.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Performance>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Vista\iphlpsvc.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Teredo>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Interfaces>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\config>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Vista\MpsSvc.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\Teredo>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Vista\SharedAccess.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Epoch>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\StandardProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\StandardProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\PublicProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\PublicProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\DomainProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\DomainProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Vista\WinDefend.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Vista\wscsvc.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Vista\wuauserv.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv>

SetACL finished successfully.
18:09:36 - Services Repair Complete.
18:09:39 - Reboot Initiated

#10 smithm55 (Member, Topic Starter, 37 posts)
Combofix:
ComboFix 13-06-17.01 - barb 06/17/2013  18:20:09.2.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2038.1154 [GMT -4:00]
Running from: c:\users\barb\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_MyWebSearchService
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-17 to 2013-06-17  )))))))))))))))))))))))))))))))
.
.
2013-06-17 22:31 . 2013-06-17 22:31	--------	d-----w-	c:\users\barb\AppData\Local\temp
2013-06-17 22:31 . 2013-06-17 22:31	--------	d-----w-	c:\users\Default\AppData\Local\temp
2013-06-17 22:10 . 2013-06-17 22:10	23327	----a-w-	c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2013-06-17 22:10 . 2013-06-17 22:10	8782	----a-w-	c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2013-06-17 22:10 . 2013-06-17 22:10	7271	----a-w-	c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2013-06-14 13:14 . 2013-05-17 14:19	724464	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7670D4D6-9002-4435-A42D-DCD7B0BCF211}\gapaengine.dll
2013-06-14 13:13 . 2013-06-11 04:59	7016152	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F3EF526C-61E6-4214-97C9-33D386F4E6BD}\mpengine.dll
2013-06-13 09:44 . 2013-06-11 04:59	7016152	----a-w-	c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-06-13 01:44 . 2013-06-13 01:45	--------	d-----w-	c:\program files\Microsoft Security Client
2013-06-13 01:43 . 2010-04-05 20:00	221568	----a-w-	c:\windows\system32\drivers\netio.sys
2013-06-12 22:57 . 2013-06-12 22:57	94112	----a-w-	c:\windows\system32\WindowsAccessBridge.dll
2013-06-12 22:07 . 2013-06-12 22:07	--------	d-----w-	c:\users\barb\AppData\Roaming\Malwarebytes
2013-06-12 22:06 . 2013-06-12 22:06	--------	d-----w-	c:\programdata\Malwarebytes
2013-06-12 22:06 . 2013-06-12 22:06	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2013-06-12 22:06 . 2013-04-04 18:50	22856	----a-w-	c:\windows\system32\drivers\mbam.sys
2013-05-23 15:05 . 2013-05-23 15:28	--------	d-----w-	c:\users\barb\2013-05-23 Steven Phillip Harris, Jr
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-12 22:56 . 2012-09-21 21:11	866720	----a-w-	c:\windows\system32\npdeployJava1.dll
2013-06-12 22:56 . 2010-06-25 12:52	788896	----a-w-	c:\windows\system32\deployJava1.dll
2013-06-12 21:54 . 2012-10-10 15:19	692104	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2013-06-12 21:54 . 2012-01-09 18:59	71048	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-24 01:20 . 2012-09-04 18:26	37664	----a-w-	c:\windows\system32\drivers\avgtpx86.sys
2013-05-07 13:01 . 2013-05-07 13:01	60872	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{05E8F96D-53D9-47ED-847F-4BDE2CEEFB61}\offreg.dll
2013-05-05 19:12 . 2013-05-15 07:14	2382848	----a-w-	c:\windows\system32\mshtml.tlb
2013-05-02 15:28 . 2011-09-17 03:10	238872	------w-	c:\windows\system32\MpSigStub.exe
2013-04-15 14:20 . 2013-05-15 03:36	638328	----a-w-	c:\windows\system32\drivers\dxgkrnl.sys
2013-04-13 10:56 . 2013-05-15 03:36	37376	----a-w-	c:\windows\system32\cdd.dll
2013-04-10 03:08 . 2013-05-07 12:52	6906960	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{05E8F96D-53D9-47ED-847F-4BDE2CEEFB61}\mpengine.dll
2013-04-09 01:36 . 2013-05-15 03:36	2049024	----a-w-	c:\windows\system32\win32k.sys
2013-04-04 22:11 . 2013-05-15 07:01	1800704	----a-w-	c:\windows\system32\jscript9.dll
2013-04-04 22:02 . 2013-05-15 07:01	1427968	----a-w-	c:\windows\system32\inetcpl.cpl
2013-04-04 22:02 . 2013-05-15 07:01	1129472	----a-w-	c:\windows\system32\wininet.dll
2013-04-04 21:58 . 2013-05-15 07:01	142848	----a-w-	c:\windows\system32\ieUnatt.exe
2013-04-04 21:57 . 2013-05-15 07:01	420864	----a-w-	c:\windows\system32\vbscript.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-05-04 1519272]
"{3d68e927-6002-6bb4-7940-c297f1177192}"= "c:\program files\Shopping4Causes Shopping Plugin\Helper.dll" [BU]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_CLASSES_ROOT\clsid\{3d68e927-6002-6bb4-7940-c297f1177192}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{81CFA2ED-1F83-3174-2D87-120C59E1FF90}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{6F6A5334-78E9-4D9B-8182-8B41EA8C39EF}]
c:\progra~1\APPGRA~1\APPGRA~1.DLL [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{7C4155B9-EFE5-2364-45E9-6679A6060ED5}]
c:\program files\Shopping4Causes Shopping Plugin\Toolbar.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2013-05-24 01:20	1991344	----a-w-	c:\program files\AVG Secure Search\15.2.0.5\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\15.2.0.5\AVG Secure Search_toolbar.dll" [2013-05-24 1991344]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"RebateInformer"="c:\progra~1\REBATE~1\REBATE~1.EXE" [BU]
"Exetender"="c:\program files\Free Ride Games\GPlayer.exe" [BU]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [BU]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-02 68856]
"InstallIQUpdater"="c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe" [2011-10-11 1179648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-24 1029416]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-08 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-08 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-08 133656]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-05-19 3444736]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2008-09-23 17664]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"PCPowerSpeed"="c:\program files\PCPowerSpeed\PCPowerTray.exe" [BU]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-05-08 442433]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-09 36864]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2013-05-24 1226928]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-05-04 1561768]
"Know the Bible Search Scope Monitor"="c:\progra~1\BIBLET~2\bar\1.bin\4lsrchmn.exe" [2012-11-25 42536]
"BibleTriviaTime_4l Browser Plugin Loader"="c:\progra~1\BIBLET~2\bar\1.bin\4lbrmon.exe" [2012-11-25 30096]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Exetender"="c:\program files\Free Ride Games\GPlayer.exe" [BU]
.
c:\users\barb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\pmw\PMREMIND.EXE \Q [1998-2-27 255408]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-3-13 1207376]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-07-02 09:11	10536	----a-w-	c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_1a0d9ac6\aestsrv.exe [2008-05-08 73728]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation	REG_MULTI_SZ   	FontCache
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-06-05 18:05	1165776	----a-w-	c:\program files\Google\Chrome\Application\27.0.1453.110\Installer\chrmstp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2011-09-07 17:59	114176	----a-w-	c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-10 21:54]
.
2013-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 15:43]
.
2013-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 15:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - {A69A551A-1AAE-4B67-8C2E-52F8B8A19504} - c:\program files\Superfish\Window Shopper\SuperfishIEAddon.dll
TCP: DhcpNameServer = 71.3.0.116 76.2.127.122
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\15.2.0\ViProtocol.dll
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{46a21652-3f93-437d-aac0-caa1f6713da0} - (no file)
URLSearchHooks-{9427041a-a8dc-4d06-9a68-93873486e957} - (no file)
WebBrowser-{9427041A-A8DC-4D06-9A68-93873486E957} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-17 18:31
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{07B18EA9-A523-4961-B6BB-170DE4475CCA}"=hex:51,66,7a,6c,4c,1d,38,12,c7,8d,a2,
   03,11,eb,0f,0c,c9,ad,54,4d,e1,19,18,de
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=hex:51,66,7a,6c,4c,1d,38,12,5c,be,8a,
   eb,c9,8f,bc,54,f6,39,43,d0,22,43,0b,9c
"{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}"=hex:51,66,7a,6c,4c,1d,38,12,56,9f,34,
   9c,79,90,a1,0e,ec,df,cd,82,65,37,92,e0
"{95B7759C-8C7F-4BF1-B163-73684A933233}"=hex:51,66,7a,6c,4c,1d,38,12,f2,76,a4,
   91,4d,c2,9f,0e,ce,75,30,28,4f,cd,76,27
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,
   27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b
"{00A6FAF1-072E-44CF-8957-5838F569A31D}"=hex:51,66,7a,6c,4c,1d,38,12,9f,f9,b5,
   04,1c,49,a1,01,f6,41,1b,78,f0,37,e7,09
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"=hex:51,66,7a,6c,4c,1d,38,12,56,8e,54,
   06,cb,8d,95,0b,e4,47,35,d5,e9,fe,12,64
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"=hex:51,66,7a,6c,4c,1d,38,12,f1,9d,97,
   02,e5,86,37,08,c7,6b,3b,0b,78,35,a4,a7
"{07B18EA1-A523-4961-B6BB-170DE4475CCA}"=hex:51,66,7a,6c,4c,1d,38,12,cf,8d,a2,
   03,11,eb,0f,0c,c9,ad,54,4d,e1,19,18,de
"{1631550F-191D-4826-B069-D9439253D926}"=hex:51,66,7a,6c,4c,1d,38,12,61,56,22,
   12,2f,57,48,0d,cf,7f,9a,03,97,0d,9d,32
"{6F6A5334-78E9-4D9B-8182-8B41EA8C39EF}"=hex:51,66,7a,6c,4c,1d,38,12,5a,50,79,
   6b,db,36,f5,08,fe,94,c8,01,ef,d2,7d,fb
"{74F475FA-6C75-43BD-AAB9-ECDA6184F600}"=hex:51,66,7a,6c,4c,1d,38,12,94,76,e7,
   70,47,22,d3,06,d5,af,af,9a,64,da,b2,14
"{7C4155B9-EFE5-2364-45E9-6679A6060ED5}"=hex:51,66,7a,6c,4c,1d,38,12,d7,56,52,
   78,d7,a1,0a,66,3a,ff,25,39,a3,58,4a,c1
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
   94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,
   ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3
"{CA6319C0-31B7-401E-A518-A07C3DB8F777}"=hex:51,66,7a,6c,4c,1d,38,12,ae,1a,70,
   ce,85,7f,70,05,da,0e,e3,3c,38,e6,b3,63
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
   df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{E8DAAA30-6CAA-4B58-9603-8E54238219E2}"=hex:51,66,7a,6c,4c,1d,38,12,5e,a9,c9,
   ec,98,22,36,0e,e9,15,cd,14,26,dc,5d,f6
"{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}"=hex:51,66,7a,6c,4c,1d,38,12,cf,4e,be,
   f9,90,2f,b6,0a,e3,01,c5,b7,a9,7a,14,95
"{1E0DE227-5CE4-4EA3-AB0C-8B03E1AA76BC}"=hex:51,66,7a,6c,4c,1d,38,12,49,e1,1e,
   1a,d6,12,cd,0b,d4,1a,c8,43,e4,f4,32,a8
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
   fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
   b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:c0,25,f1,d1,27,1f,cd,01
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3440)
c:\program files\BibleTriviaTime_4l\bar\1.bin\4lbrstub.dll
.
Completion time: 2013-06-17  18:34:32
ComboFix-quarantined-files.txt  2013-06-17 22:34
ComboFix2.txt  2013-06-13 02:36
.
Pre-Run: 93,170,737,152 bytes free
Post-Run: 93,333,303,296 bytes free
.
- - End Of File - - 91C8EC6107B923106B4EEC97DD3AA15F
CDB4DE4BBD714F152979DA2DCBEF57EB

#11 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hi smithm55,

How is your system now? What are your current problems?

#12 smithm55 (Member, Topic Starter, 37 posts)
maliprog,


Things are better. One of the things that wouldn't work before was downloading in either IE or Chrome. Every time you tried to download a file, the browser would report it had a virus and reject it. That is now working properly, and I can download in either browser.


At this time, the main issue I still have is updates. If I try to update Microsoft Security Essentials, I get "Virus and spyware definitions update failed."


If I try to run Windows Updates, I get "Windows could not search for new updates" with a code 80096001.


Thanks,


Matt
#13 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hi smithm55,

Step 1

Please run the ESET Service repair tool one more time. After this, test your updates again. Sometimes we need to run it twice.

  • Double-click ServicesRepair.exe.
  • If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
  • Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.
  • A log will be saved in the CCSupport folder the tool created on your desktop, please post the content in your next reply.


Step 2

If the first step fails, then click on the link below and follow the steps on the Microsoft site to repair your updates.

Microsoft Updates Repair

Let me know the results.

#14 smithm55 (Member, Topic Starter, 37 posts)
maliprog,

Still no luck with updates. I've also tried a couple additional things on my own:
Log Opened: 2013-06-20 @ 19:12:06
19:12:06 - -----------------
19:12:06 - | Begin Logging |
19:12:06 - -----------------
19:12:06 - Fix started on a WIN_VISTA X86 computer
19:12:06 - Prep in progress.  Please Wait.
19:12:10 - Prep complete
19:12:10 - Repairing Services Now.  Please wait...
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Vista\BFE.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent\SubLayer>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent\Provider>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent\Filter>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\Persistent>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\BootTime\Filter>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy\BootTime>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters\Policy>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BFE>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Vista\BITS.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Performance>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\BITS>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Vista\iphlpsvc.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Teredo>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\Interfaces>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc\config>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\iphlpsvc>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Vista\MpsSvc.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\Teredo>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters\PortKeywords>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\MpsSvc>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Vista\SharedAccess.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Epoch>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\StandardProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\StandardProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\PublicProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\PublicProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\DomainProfile\Logging>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy\DomainProfile>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults\FirewallPolicy>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess\Defaults>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\SharedAccess>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Vista\WinDefend.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\WinDefend>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Vista\wscsvc.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wscsvc>

SetACL finished successfully.
INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that require the object name may be combined with -restore.
INFORMATION: Input file for restore operation opened: '.\Vista\wuauserv.sddl'
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Security>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv\Parameters>
INFORMATION: Restoring SD of: <machine\System\CurrentControlset\Services\wuauserv>

SetACL finished successfully.
19:12:11 - Services Repair Complete.
19:12:16 - Reboot Initiated


#15
smithm55

    Member

  • Topic Starter
  • Member
  • 37 posts
maliprog,

Thanks for your help. This machine was a Dell Inspiron with a recovery partition, so I've backed up the user's files and am attempting to rebuild the machine. Let me scan once more after I restore the user's documents and post the results. If all goes well, we can close the case on this one. I had tried a number of solutions, but neither Windows nor Security Essentials would update.

Thanks,

Matt