Cyber Tech Help Support Forums > Software > Malware Removal Forum

#31
August 20th, 2012, 04:36 AM
Han Solo
Member
Join Date: Jun 2005
Posts: 75
Gmer advised it hadn't found any system modification.


aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-19 22:02:19
-----------------------------
22:02:19.110 OS Version: Windows x64 6.1.7601 Service Pack 1
22:02:19.110 Number of processors: 4 586 0x2A07
22:02:19.111 ComputerName: HANS-PC UserName: Hans
22:02:19.946 Initialize success
22:11:52.202 AVAST engine defs: 12081900
22:13:07.061 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
22:13:07.064 Disk 0 Vendor: ST3500413AS JC47 Size: 476940MB BusType: 3
22:13:07.074 Disk 0 MBR read successfully
22:13:07.077 Disk 0 MBR scan
22:13:07.081 Disk 0 Windows VISTA default MBR code
22:13:07.084 Disk 0 Partition 1 00 DE Dell Utility DELL 4.1 39 MB offset 63
22:13:07.095 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 15166 MB offset 81920
22:13:07.112 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 461733 MB offset 31141888
22:13:07.133 Disk 0 scanning C:\Windows\system32\drivers
22:13:14.068 Service scanning
22:13:28.345 Modules scanning
22:13:28.353 Disk 0 trace - called modules:
22:13:28.376 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS intelide.sys PCIIDEX.SYS hal.dll atapi.sys
22:13:28.382 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004d1e060]
22:13:28.388 3 CLASSPNP.SYS[fffff8800195143f] -> nt!IofCallDriver -> [0xfffffa8003c87040]
22:13:28.393 5 ACPI.sys[fffff88000ef87a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800471b680]
22:13:32.045 AVAST engine scan C:\Windows
22:13:34.717 AVAST engine scan C:\Windows\system32
22:15:20.631 AVAST engine scan C:\Windows\system32\drivers
22:15:29.130 AVAST engine scan C:\Users\Hans
22:16:57.528 AVAST engine scan C:\ProgramData
22:17:24.604 Scan finished successfully
22:18:53.889 Disk 0 MBR has been saved successfully to "C:\Users\Hans\Desktop\MBR.dat"
22:18:53.892 The log file has been saved successfully to "C:\Users\Hans\Desktop\aswMBR 1.txt"


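As an added example (not code from the thread, from aswMBR or from OTL), here is a small Python parser for the 512-byte MBR that aswMBR saves as MBR.dat, run against a constructed sample that mirrors the three partitions in the log above; the partition lengths and the zeroed CHS fields are assumptions, since the log reports only LBA offsets and whole-MB sizes.

```python
"""
Parse a classic 512-byte MBR and list its four primary partition entries
(boot flag, type, LBA offset, size), the same fields aswMBR prints in its
'Disk 0 Partition N' lines.  The sample MBR built below is constructed to
match the thread's log; it is not the real MBR.dat from the machine.
"""
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512
MBR_SIGNATURE = 0xAA55        # stored little-endian as 55 AA at offset 510
PART_TABLE_OFFSET = 446       # 446 bytes of boot code, then 4 x 16-byte entries
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, length

# Type codes worth recognising when reading a boot-sector log.
PARTITION_TYPES = {
    0x00: "Empty",
    0x07: "HPFS/NTFS",
    0x0C: "FAT32 (LBA)",
    0xDE: "Dell Utility",
    0xEE: "GPT protective",
}


@dataclass
class PartitionEntry:
    index: int          # 1-based slot in the table
    bootable: bool      # status byte 0x80 marks the active partition
    type_code: int
    lba_start: int      # first sector, 32-bit LBA
    sectors: int        # length in sectors

    @property
    def type_name(self) -> str:
        return PARTITION_TYPES.get(self.type_code, "Unknown")

    @property
    def size_mb(self) -> int:
        # aswMBR prints whole MiB, truncated, so do the same here.
        return (self.sectors * SECTOR) // (1024 * 1024)


def parse_mbr(mbr: bytes) -> List[PartitionEntry]:
    """Return the non-empty partition entries of a 512-byte MBR image."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    sig = struct.unpack_from("<H", mbr, 510)[0]
    if sig != MBR_SIGNATURE:
        raise ValueError(f"bad MBR signature 0x{sig:04X}")
    entries = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, length = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0x00 and length == 0:
            continue                       # unused slot
        entries.append(PartitionEntry(i + 1, status == 0x80, ptype, lba, length))
    return entries


def build_entry(bootable: bool, ptype: int, lba: int, length: int) -> bytes:
    """Encode one 16-byte partition entry; CHS fields are left zeroed (assumption)."""
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\0\0\0",
                       ptype, b"\0\0\0", lba, length)


def sample_mbr() -> bytes:
    """Constructed MBR matching the three partitions in the aswMBR log."""
    table = (
        build_entry(False, 0xDE, 63, 81920 - 63)             # Dell Utility, 39 MB
        + build_entry(True, 0x07, 81920, 31141888 - 81920)    # active NTFS, 15166 MB
        + build_entry(False, 0x07, 31141888, 461733 * 2048)   # NTFS data, 461733 MB
        + bytes(16)                                            # empty fourth slot
    )
    return bytes(PART_TABLE_OFFSET) + table + struct.pack("<H", MBR_SIGNATURE)


def describe(entries: List[PartitionEntry]) -> List[str]:
    """One line per entry, in the order aswMBR lists them."""
    return [
        f"Partition {e.index} {'80 (A)' if e.bootable else '00'} "
        f"{e.type_code:02X} {e.type_name} {e.size_mb} MB offset {e.lba_start}"
        for e in entries
    ]


if __name__ == "__main__":
    # For a real dump: parse_mbr(open("MBR.dat", "rb").read())
    for line in describe(parse_mbr(sample_mbr())):
        print(line)
```

Comparing a parsed MBR.dat against the partition table the tool printed (and against the layout expected for the machine) is a quick way to confirm nothing has rewritten the table or the active flag between scans.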
#32
August 21st, 2012, 01:46 AM
Jintan
Cyber Tech Help Moderator
Join Date: Dec 2004
Posts: 49,162
Blog Entries: 1
Quote:
I actually had to reboot a couple of times because the desktop was disabled and then there were no desktop icons
Suggests after booting userinit didn't load, or didn't pass the ball to Explorer, which would have then shown the desktop icons. And not sure why that occurred at this point.


The logs indicate Norton has been removed, which is a plus. Luckily some admin didn't password protect it.

In your next reply, please post back on what issues are still a problem there.


Let's check (again) for those .tmp files.


Run and post a new OTL scan log - let's check that userinit/explorer issue in it.


Click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file to run the scanner.

If you accept the Terms of Use, check the box and click Start. It will take a couple minutes for the scanner to get ready. When the Computer scan settings display shows, check the following boxes:

Remove found threats
Scan unwanted applications


Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).

Then click the Advanced option, then place a check next to the following (if it is not already checked):

Enable Anti-Stealth technology

Click Start. This scan may take a while, so please be patient.

If infection is found, at the end of the scan click "List of found threats".

In that display, at the bottom, select the option to save the results as a text file, and save that to your desktop. Post that back here please.

Post that log please.

#33
August 21st, 2012, 06:14 AM
Han Solo
Member
Join Date: Jun 2005
Posts: 75
Quote:
Originally Posted by Jintan
In your next reply, please post back on what issues are still a problem there.
I'm not sure what you are referring to here. I think it is the Symantec... As far as I can tell I think it uninstalled OK. It seems to have uninstalled all of its program components but left behind some remnant folders and files:

C:\Program Files (x86)\Common Files\Symantec Shared\HWID -> sephwid.xml

C:\Users\Hans\AppData\Local\Symantec\Symantec Endpoint Protection\Logs -> looks like log files from scans

C:\ProgramData\Symantec\Common Client -> empty
C:\ProgramData\Symantec\Definitions\VirusDefs -> Cat.DB and umcat_01.db
C:\ProgramData\Symantec\LiveUpdate -> Settings.Liveupdate
C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine -> a bunch of locked and unlocked .VBN files


Should I delete all of the Symantec folders or try to get a copy of the Cleanwipe Utility?


The Eset scanner found no threats.


OTL logfile created on: 8/20/2012 9:13:24 PM - Run 3
OTL by OldTimer - Version 3.2.57.0 Folder = C:\Users\Hans\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.91 Gb Total Physical Memory | 3.04 Gb Available Physical Memory | 77.58% Memory free
7.83 Gb Paging File | 6.24 Gb Available in Paging File | 79.72% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 450.91 Gb Total Space | 394.42 Gb Free Space | 87.47% Space Free | Partition Type: NTFS

Computer Name: HANS-PC | User Name: Hans | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/08/13 22:18:28 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Users\Hans\Desktop\OTL.exe
PRC - [2012/07/27 13:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/12/14 07:59:20 | 002,984,832 | ---- | M] (TeamViewer GmbH) -- C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
PRC - [2011/10/01 09:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
PRC - [2011/10/01 09:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
PRC - [2011/09/06 14:29:20 | 004,259,648 | ---- | M] (SoftThinks - Dell) -- C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
PRC - [2011/08/18 12:05:54 | 002,751,808 | ---- | M] () -- C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
PRC - [2011/08/18 12:05:46 | 001,692,480 | ---- | M] (SoftThinks SAS) -- C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe
PRC - [2011/08/01 14:56:48 | 000,460,096 | ---- | M] (SoftThinks - Dell) -- C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
PRC - [2011/04/29 19:18:16 | 000,885,760 | ---- | M] () -- C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe
PRC - [2011/02/23 17:11:22 | 000,323,584 | ---- | M] (Eastman Kodak Company) -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe
PRC - [2010/10/27 19:17:52 | 000,207,424 | ---- | M] (ArcSoft Inc.) -- C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
PRC - [2010/09/14 19:09:52 | 001,213,848 | ---- | M] (CANON INC.) -- C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE
PRC - [2010/05/04 13:07:22 | 000,503,080 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Nero\Update\NASvc.exe
PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe


========== Modules (No Company Name) ==========

MOD - [2012/06/16 20:29:17 | 014,340,608 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e717a230496832656b05b515eb9f3bc5\PresentationFramework.ni.dll
MOD - [2012/06/16 20:29:03 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\7b7fbe651c6e72f12099a298654c9594\System.Windows.Forms.ni.dll
MOD - [2012/06/16 20:28:57 | 001,591,808 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6bb439b3f87736d3248ae27d43e2c0d6\System.Drawing.ni.dll
MOD - [2012/06/16 20:28:47 | 012,237,824 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\14a87218ea49639f38097e278b98a3da\PresentationCore.ni.dll
MOD - [2012/06/07 11:29:30 | 002,297,856 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\dfd33f59a5803a3c73cf408362e6e0b7\System.Core.ni.dll
MOD - [2012/05/13 19:04:19 | 000,368,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\8e56489276063ededde74e597a121df3\PresentationFramework.Aero.ni.dll
MOD - [2012/05/13 19:03:37 | 003,347,968 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\46fce56db7685a586d3eeb7c373e3c1c\WindowsBase.ni.dll
MOD - [2012/05/13 19:03:34 | 005,452,800 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\ba3d70b651454c7d49b407b93663bfed\System.Xml.ni.dll
MOD - [2012/05/13 19:03:31 | 007,967,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll
MOD - [2012/05/13 19:03:31 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cfa9c506bfb9254c89dace7b83bc9f9d\System.Configuration.ni.dll
MOD - [2012/05/13 19:03:27 | 011,492,864 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll
MOD - [2012/04/01 10:02:49 | 000,143,360 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\VPrintOnlineHelper40.dll
MOD - [2012/04/01 10:02:48 | 000,688,128 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\VPrintOnline.dll
MOD - [2012/04/01 10:02:46 | 000,237,568 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\SpiffyExt.dll
MOD - [2012/04/01 10:02:45 | 000,847,872 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\SkinuxXML2V.dll
MOD - [2012/04/01 10:02:45 | 000,155,648 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\SkinuxZipV.dll
MOD - [2012/04/01 10:02:44 | 000,528,384 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\SkinuxProcV.dll
MOD - [2012/04/01 10:02:43 | 000,782,336 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\SkinuxImV.dll
MOD - [2012/04/01 10:02:43 | 000,462,848 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\SkinuxFFV.dll
MOD - [2012/04/01 10:02:42 | 002,236,416 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\SkinuxCmpV.dll
MOD - [2012/04/01 10:02:42 | 001,396,736 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\SkinuxCommonV.dll
MOD - [2012/04/01 10:02:41 | 000,868,352 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\SkinuxBaseV.dll
MOD - [2012/04/01 10:02:36 | 000,010,240 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\LocUpdateCheck.dll
MOD - [2012/04/01 10:02:35 | 000,090,112 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\LocAcqMod.dll
MOD - [2012/04/01 10:02:35 | 000,044,544 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\LocCamBack.dll
MOD - [2012/04/01 10:02:32 | 000,129,536 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\kpries40.dll
MOD - [2012/04/01 10:02:31 | 000,406,016 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\KFx.dll
MOD - [2012/04/01 10:02:31 | 000,084,480 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\keml40.dll
MOD - [2012/04/01 10:02:31 | 000,052,224 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\KPCDInterface.dll
MOD - [2012/04/01 10:02:29 | 000,471,040 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\ESCom.dll
MOD - [2012/04/01 10:02:27 | 000,356,352 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\Atlas.dll
MOD - [2012/04/01 10:02:27 | 000,062,464 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\DibLibIP.dll
MOD - [2012/04/01 10:02:26 | 001,564,672 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\areaifdll.dll
MOD - [2012/04/01 10:02:25 | 000,264,192 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\AppCore.dll
MOD - [2012/04/01 10:02:24 | 000,315,392 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\VistaPrintOnline.esx
MOD - [2012/04/01 10:02:23 | 000,234,496 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\VistaControls.esx
MOD - [2012/04/01 10:02:23 | 000,098,304 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\VistaCDBackup.esx
MOD - [2012/04/01 10:02:21 | 000,339,968 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\VistaAdapter.esx
MOD - [2012/04/01 10:02:21 | 000,084,480 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\UpdateChecker.esx
MOD - [2012/04/01 10:02:20 | 000,171,520 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\Pcd.esx
MOD - [2012/04/01 10:02:19 | 000,152,576 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\IStorageMediaStore.esx
MOD - [2012/04/01 10:02:17 | 011,503,616 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\ESSkin.esx
MOD - [2012/04/01 10:02:15 | 000,684,032 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\ESEmail.esx
MOD - [2012/04/01 10:02:14 | 000,761,856 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\ESCliWicMDRW.esx
MOD - [2012/04/01 10:02:12 | 000,078,848 | ---- | M] () -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\DXRawFormatHandler.esx
MOD - [2011/09/27 08:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 08:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/08/18 12:05:54 | 002,751,808 | ---- | M] () -- C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
MOD - [2011/04/29 19:18:16 | 000,885,760 | ---- | M] () -- C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe
MOD - [2011/04/29 19:13:50 | 002,225,664 | ---- | M] () -- C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\QtCore4.dll
MOD - [2011/04/29 19:13:48 | 007,938,048 | ---- | M] () -- C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\QtGui4.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010/09/22 19:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2012/08/14 13:58:38 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/07/27 13:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/02/14 18:55:04 | 000,276,248 | ---- | M] (Intel Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\IntelCpHeciSvc.exe -- (cphs)
SRV - [2011/12/14 07:59:20 | 002,984,832 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe -- (TeamViewer7)
SRV - [2011/10/01 09:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
SRV - [2011/10/01 09:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
SRV - [2011/08/18 12:05:46 | 001,692,480 | ---- | M] (SoftThinks SAS) [Auto | Running] -- C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe -- (SftService)
SRV - [2011/08/17 21:02:23 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2010/11/25 06:34:18 | 000,219,632 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe -- (RoxWatch12)
SRV - [2010/11/25 06:33:18 | 001,116,656 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe -- (RoxMediaDB12OEM)
SRV - [2010/10/12 13:59:12 | 000,206,072 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe -- (GamesAppService)
SRV - [2010/08/25 21:28:54 | 002,823,000 | ---- | M] (Dell, Inc.) [Auto | Running] -- C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe -- (NOBU)
SRV - [2010/05/04 13:07:22 | 000,503,080 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files (x86)\Nero\Update\NASvc.exe -- (NAUpdate)
SRV - [2010/03/18 17:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/03/01 02:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2012/02/14 18:47:38 | 014,692,224 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2011/10/01 09:30:22 | 000,022,376 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftvollh.sys -- (Sftvol)
DRV:64bit: - [2011/10/01 09:30:18 | 000,268,648 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftplaylh.sys -- (Sftplay)
DRV:64bit: - [2011/10/01 09:30:18 | 000,025,960 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftredirlh.sys -- (Sftredir)
DRV:64bit: - [2011/10/01 09:30:10 | 000,764,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Sftfslh.sys -- (Sftfs)
DRV:64bit: - [2011/08/17 22:46:34 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/08/17 22:46:34 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011/06/10 07:34:52 | 000,539,240 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011/03/10 19:27:32 | 001,576,576 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CHDRT64.sys -- (CnxtHdAudService)
DRV:64bit: - [2010/11/20 23:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 23:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 23:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/10/19 20:34:26 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64)
DRV:64bit: - [2010/10/15 04:28:16 | 000,317,440 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcDAud.sys -- (IntcDAud)
DRV:64bit: - [2010/03/19 04:00:00 | 000,055,856 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2006/11/01 13:51:00 | 000,151,656 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WimFltr.sys -- (WimFltr)
DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {49606DC7-976D-4030-A74E-9FB5C842FA68}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE:64bit: - HKLM\..\SearchScopes\{49606DC7-976D-4030-A74E-9FB5C842FA68}: "URL" = http://www.bing.com/search?q={search...c=IE-SearchBox
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {49606DC7-976D-4030-A74E-9FB5C842FA68}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{49606DC7-976D-4030-A74E-9FB5C842FA68}: "URL" = http://www.bing.com/search?q={search...c=IE-SearchBox


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-4200521874-2590480824-2585516950-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.centurylink.net/
IE - HKU\S-1-5-21-4200521874-2590480824-2585516950-1000\..\SearchScopes,DefaultScope = {0559E992-C39D-4AA3-AC8B-A3A71E0D11CD}
IE - HKU\S-1-5-21-4200521874-2590480824-2585516950-1000\..\SearchScopes\{0559E992-C39D-4AA3-AC8B-A3A71E0D11CD}: "URL" = http://www.google.com/search?q={sear...outputEncoding?}
IE - HKU\S-1-5-21-4200521874-2590480824-2585516950-1000\..\SearchScopes\{BB28D4CF-CE79-4B99-832C-108D899ECA34}: "URL" = http://search.yahoo.com/search?fr=mcafee&p={SearchTerms}
IE - HKU\S-1-5-21-4200521874-2590480824-2585516950-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-4200521874-2590480824-2585516950-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_33: C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@WildTangent.com/GamesAppPresenceDetector,Version=1.0: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 12.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2012/07/27 02:31:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 12.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins

[2011/12/29 20:21:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Hans\AppData\Roaming\Mozilla\Extensions
[2012/05/13 10:36:48 | 000,574,660 | ---- | M] () (No name found) -- C:\USERS\HANS\APPDATA\ROAMING\THUNDERBIRD\PROFILES\XA2UMSRB.DEFAULT\EXTENSIONS\TBTESTPILOT@LABS.MOZILLA.COM.XPI

O1 HOSTS File: ([2012/08/19 21:29:51 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-4200521874-2590480824-2585516950-1000\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O4:64bit: - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4:64bit: - HKLM..\Run: [DellStage] C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe ()
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [AccuWeatherWidget] C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE (CANON INC.)
O4 - HKLM..\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe (Dell, Inc.)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe (Sonic Solutions)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4200521874-2590480824-2585516950-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4200521874-2590480824-2585516950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8:64bit: - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200 File not found
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\SysWow64\GPhotos.scr (Google Inc.)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O16:64bit: - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/pub...irector/sw.cab (Reg Error: Key error.)
O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_24)
O16:64bit: - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_24)
O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_24)
O16:64bit: - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://active.macromedia.com/flash2/cabs/swflash.cab (Shockwave Flash Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/pub...irector/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20614.www2.hp.com/ediags/gmd...pdetect118.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_33)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{66647859-4A98-410D-A6EA-64B8B46ABB45}: DhcpNameServer = 192.168.2.1
O18:64bit: - Protocol\Handler\cozi - No CLSID value found
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\cozi {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll (Cozi Group, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll) - File not found
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/08/19 22:06:50 | 000,000,000 | ---D | C] -- C:\Users\Hans\Desktop\Scans
[2012/08/19 21:34:53 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/08/19 21:32:37 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/08/17 21:18:12 | 002,208,856 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Hans\Desktop\larry.com
[2012/08/17 14:36:56 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2012/08/15 20:29:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2012/08/15 20:27:31 | 002,322,184 | ---- | C] (ESET) -- C:\Users\Hans\Desktop\esetsmartinstaller_enu.exe
[2012/08/15 03:02:44 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2012/08/15 03:02:44 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2012/08/15 03:02:42 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2012/08/15 03:02:41 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2012/08/15 03:02:39 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2012/08/15 03:02:39 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2012/08/15 03:02:38 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2012/08/15 03:02:38 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2012/08/15 03:02:37 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2012/08/15 03:02:36 | 002,312,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2012/08/15 03:02:36 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2012/08/15 03:02:34 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2012/08/15 03:02:33 | 000,816,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2012/08/14 21:23:04 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/08/14 21:23:04 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/08/14 21:23:04 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/08/14 21:20:49 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/08/14 21:20:37 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012/08/14 21:11:05 | 004,731,615 | R--- | C] (Swearware) -- C:\Users\Hans\Desktop\ComboFix.exe
[2012/08/14 20:43:30 | 000,503,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\srcore.dll
[2012/08/14 20:43:23 | 000,751,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\win32spl.dll
[2012/08/14 20:43:22 | 000,492,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\win32spl.dll
[2012/08/14 20:43:22 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\splwow64.exe
[2012/08/14 20:30:08 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\netapi32.dll
[2012/08/14 20:30:08 | 000,059,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\browcli.dll
[2012/08/14 20:30:08 | 000,041,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\browcli.dll
[2012/08/14 20:30:05 | 000,956,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\localspl.dll
[2012/08/13 22:21:24 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\Hans\Desktop\aswMBR.exe
[2012/08/13 22:18:27 | 000,596,992 | ---- | C] (OldTimer Tools) -- C:\Users\Hans\Desktop\OTL.exe
[2012/08/11 17:47:08 | 000,476,976 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\npdeployJava1.dll
[2012/08/11 17:47:07 | 000,157,488 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2012/08/11 17:47:07 | 000,149,296 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2012/08/11 17:47:07 | 000,149,296 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2012/08/05 11:11:12 | 000,000,000 | ---D | C] -- C:\Users\Hans\AppData\Roaming\Malwarebytes
[2012/08/05 11:10:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/07/27 02:50:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2012/07/27 02:50:06 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/07/27 02:50:05 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2012/07/27 02:50:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iTunes
[2012/07/27 02:31:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime

========== Files - Modified Within 30 Days ==========

[2012/08/20 20:57:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/08/20 19:47:25 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/08/19 22:18:53 | 000,000,512 | ---- | M] () -- C:\Users\Hans\Desktop\MBR 1.dat
[2012/08/19 21:42:14 | 000,021,296 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/08/19 21:42:14 | 000,021,296 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/08/19 21:34:43 | 3152,510,976 | -HS- | M] () -- C:\hiberfil.sys
[2012/08/19 21:29:51 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012/08/18 20:27:57 | 000,165,376 | ---- | M] () -- C:\Users\Hans\Desktop\SystemLook_x64.exe
[2012/08/17 22:50:19 | 000,779,724 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/08/17 22:50:19 | 000,660,520 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/08/17 22:50:19 | 000,121,190 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/08/17 21:32:16 | 000,849,920 | R--- | M] () -- C:\Users\Public\Documents\ESBK.mbb
[2012/08/17 21:32:16 | 000,409,600 | R--- | M] () -- C:\Users\Public\Documents\ESBK.mb
[2012/08/17 21:18:12 | 002,208,856 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Hans\Desktop\larry.com
[2012/08/17 14:41:03 | 000,002,021 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2012/08/15 20:27:43 | 002,322,184 | ---- | M] (ESET) -- C:\Users\Hans\Desktop\esetsmartinstaller_enu.exe
[2012/08/15 03:21:22 | 000,319,000 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/08/14 21:11:40 | 004,731,615 | R--- | M] (Swearware) -- C:\Users\Hans\Desktop\ComboFix.exe
[2012/08/14 13:58:37 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2012/08/14 13:58:37 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2012/08/13 22:22:01 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\Hans\Desktop\aswMBR.exe
[2012/08/13 22:19:37 | 000,302,592 | ---- | M] () -- C:\Users\Hans\Desktop\m94e50qq.exe
[2012/08/13 22:18:28 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Users\Hans\Desktop\OTL.exe
[2012/08/13 20:14:05 | 000,000,004 | -H-- | M] () -- C:\aaw7boot.cmd
[2012/08/13 00:39:40 | 000,000,064 | ---- | M] () -- C:\Windows\SysWow64\rp_stats.dat
[2012/08/13 00:39:40 | 000,000,044 | ---- | M] () -- C:\Windows\SysWow64\rp_rules.dat
[2012/08/11 17:47:03 | 000,476,976 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\npdeployJava1.dll
[2012/08/11 17:47:03 | 000,472,880 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\deployJava1.dll
[2012/08/11 17:47:03 | 000,157,488 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2012/08/11 17:47:03 | 000,149,296 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2012/08/11 17:47:03 | 000,149,296 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2012/07/27 02:50:47 | 000,001,785 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/07/27 02:31:34 | 000,001,847 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk

========== Files Created - No Company Name ==========

[2012/08/19 22:18:53 | 000,000,512 | ---- | C] () -- C:\Users\Hans\Desktop\MBR 1.dat
[2012/08/18 20:27:57 | 000,165,376 | ---- | C] () -- C:\Users\Hans\Desktop\SystemLook_x64.exe
[2012/08/14 21:23:04 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/08/14 21:23:04 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/08/14 21:23:04 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/08/14 21:23:04 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/08/14 21:23:04 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/08/13 22:19:36 | 000,302,592 | ---- | C] () -- C:\Users\Hans\Desktop\m94e50qq.exe
[2012/08/11 19:16:03 | 000,000,004 | -H-- | C] () -- C:\aaw7boot.cmd
[2012/07/27 02:50:47 | 000,001,785 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/07/27 02:31:34 | 000,001,847 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2012/04/01 20:23:05 | 000,000,022 | ---- | C] () -- C:\Users\Hans\AppData\Local\kodakpcd.ini
[2012/02/14 18:47:06 | 000,963,912 | ---- | C] () -- C:\Windows\SysWow64\igkrng600.bin
[2012/02/14 18:47:06 | 000,261,208 | ---- | C] () -- C:\Windows\SysWow64\igfcg600m.bin
[2012/02/14 18:44:24 | 000,058,880 | ---- | C] () -- C:\Windows\SysWow64\igdde32.dll
[2012/02/14 17:59:56 | 013,209,600 | ---- | C] () -- C:\Windows\SysWow64\ig4icd32.dll
[2012/01/20 19:15:57 | 000,000,064 | ---- | C] () -- C:\Windows\SysWow64\rp_stats.dat
[2012/01/20 19:15:57 | 000,000,044 | ---- | C] () -- C:\Windows\SysWow64\rp_rules.dat
[2012/01/09 12:17:13 | 000,007,602 | ---- | C] () -- C:\Users\Hans\AppData\Local\Resmon.ResmonCfg
[2011/08/17 22:30:40 | 000,145,804 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng600.bin
[2011/02/10 12:10:51 | 000,773,448 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 889 bytes -> C:\Users\Hans\Documents\Fw_ Why our country is going bankrupt.eml:OECustomProperty
@Alternate Data Stream - 105 bytes -> C:\ProgramData\Temp:5C321E34
< End of report >


The Eset scanner found no threats.
#34
August 22nd, 2012, 01:01 AM
Jintan
Cyber Tech Help Moderator
The log shows no Norton services or functions, and uninstalls don't always remove all files/folders. Wait a day or so to be sure, then sure, you can delete those Norton folders/files.

Things running okay there now? If you would, do this step again, so we can check for those temp files Norton kept finding.
#35
August 22nd, 2012, 05:44 AM
Han Solo
Member
Quote: Originally Posted by Jintan
Things running okay there now?
Yeah, as far as I can tell. The Google redirects only lasted a couple of days and then stopped. At first I thought Symantec "fixed" that problem but those risk warnings kept coming so I figured maybe a separate problem. Since we got rid of Symantec there are no more warnings. Google has been working fine - no redirects since they stopped. PC performance wasn't affected... at least not noticeably.


SystemLook 30.07.11 by jpshortstuff
Log created at 21:32 on 21/08/2012 by Hans
Administrator - Elevation successful
========== filefind ==========
Searching for "*.tmp"
C:\Program Files (x86)\ArcSoft\Print Creations\Help\br\Template\index.tmp --a---- 2273 bytes [14:01 01/04/2012] [19:18 17/09/2008] 3F93C257BA6F369E7DDD298332091825
C:\Program Files (x86)\ArcSoft\Print Creations\Help\br\Template\Print.tmp --a---- 2388 bytes [14:01 01/04/2012] [18:55 10/09/2008] CDC688BE29C55F8599A150C162879AD4
C:\Program Files (x86)\ArcSoft\Print Creations\Help\br\Template\Print_and_Share.tmp --a---- 1985 bytes [14:01 01/04/2012] [18:58 10/09/2008] BC7144315DD0852DF09D0B1CAC07FDD9
C:\Program Files (x86)\ArcSoft\Print Creations\Help\br\Template\Project_Types.tmp --a---- 2629 bytes [14:01 01/04/2012] [19:21 17/09/2008] D8F7DFAC567D25B9135FFFE81236F6E9
C:\Program Files (x86)\ArcSoft\Print Creations\Help\cs\Template\index.tmp --a---- 1829 bytes [14:01 01/04/2012] [19:26 10/09/2008] FB491241AAA47EEF9D251959E701D7DE
C:\Program Files (x86)\ArcSoft\Print Creations\Help\cs\Template\Print.tmp --a---- 1742 bytes [14:01 01/04/2012] [13:31 08/09/2008] 38EF775AB2F2ACB1B7EB9B9B568D1A57
C:\Program Files (x86)\ArcSoft\Print Creations\Help\cs\Template\Print_and_Share.tmp --a---- 1677 bytes [14:01 01/04/2012] [19:29 10/09/2008] 3F728D914227CE4F63A3BBEF8215BF1C
C:\Program Files (x86)\ArcSoft\Print Creations\Help\cs\Template\Project_Types.tmp --a---- 2003 bytes [14:01 01/04/2012] [19:27 10/09/2008] 4AFBAAFA4FF6FC225BDC80E9A063DF54
C:\Program Files (x86)\ArcSoft\Print Creations\Help\ct\Template\Index.tmp --a---- 2019 bytes [14:01 01/04/2012] [21:02 23/04/2008] 1C4935BD5AF26392C3ADB75AA1B7FD86
C:\Program Files (x86)\ArcSoft\Print Creations\Help\ct\Template\Print.tmp --a---- 1641 bytes [14:01 01/04/2012] [20:44 18/09/2008] 854B8A535EFD22B377FAF3AE7D65234B
C:\Program Files (x86)\ArcSoft\Print Creations\Help\ct\Template\Print_and_Share.tmp --a---- 1875 bytes [14:01 01/04/2012] [21:02 23/04/2008] A4068044386C78387F845AE1D5CA1D98
C:\Program Files (x86)\ArcSoft\Print Creations\Help\ct\Template\Project_Types.tmp --a---- 2218 bytes [14:01 01/04/2012] [20:44 18/09/2008] 97A0B9E070F516E91D87FE5169C9DF79
C:\Program Files (x86)\ArcSoft\Print Creations\Help\de\Template\Index.tmp --a---- 2209 bytes [14:01 01/04/2012] [19:36 10/09/2008] 95E2790F43B5FAA7D9B1AA65AAC942AF
C:\Program Files (x86)\ArcSoft\Print Creations\Help\de\Template\Print.tmp --a---- 1964 bytes [14:01 01/04/2012] [19:35 10/09/2008] D32BFC049F310CB9C121A2F7ADA6399D
C:\Program Files (x86)\ArcSoft\Print Creations\Help\de\Template\Print_and_Share.tmp --a---- 1965 bytes [14:01 01/04/2012] [19:36 10/09/2008] F463969A5C4C92B9625318228026ACC6
C:\Program Files (x86)\ArcSoft\Print Creations\Help\de\Template\Project_Types.tmp --a---- 2580 bytes [14:01 01/04/2012] [19:37 10/09/2008] 5A4A8BC595D73F17BE6BFFEF2BBFAC4E
C:\Program Files (x86)\ArcSoft\Print Creations\Help\en\Template\index.tmp --a---- 2113 bytes [14:01 01/04/2012] [23:01 16/05/2008] 3551F869492E9F018D2FF0DC24ED0EA1
C:\Program Files (x86)\ArcSoft\Print Creations\Help\en\Template\Print.tmp --a---- 1888 bytes [14:01 01/04/2012] [23:01 16/05/2008] 756DFD30AE872E6E5478A9EA4BDEE333
C:\Program Files (x86)\ArcSoft\Print Creations\Help\en\Template\Print_and_Share.tmp --a---- 2210 bytes [14:01 01/04/2012] [23:01 16/05/2008] 8C5C3AB35A9747861E9146DED2117976
C:\Program Files (x86)\ArcSoft\Print Creations\Help\en\Template\Project_Types.tmp --a---- 2398 bytes [14:01 01/04/2012] [23:01 16/05/2008] A39CCB3B8E80DDFC636F0FFFD49637F6
C:\Program Files (x86)\ArcSoft\Print Creations\Help\es\Template\index.tmp --a---- 2311 bytes [14:01 01/04/2012] [19:39 06/05/2008] 8FFB45B9EBC033735DCE4F67F9A8B71B
C:\Program Files (x86)\ArcSoft\Print Creations\Help\es\Template\Print.tmp --a---- 1969 bytes [14:01 01/04/2012] [19:40 10/09/2008] 7E0541ED7AB3DBDB71CA5644E7917E4B
C:\Program Files (x86)\ArcSoft\Print Creations\Help\es\Template\Print_and_Share.tmp --a---- 1960 bytes [14:01 01/04/2012] [19:23 06/05/2008] 242F2B1E61E6FED78022E25F78D64698
C:\Program Files (x86)\ArcSoft\Print Creations\Help\es\Template\Project_Types.tmp --a---- 2479 bytes [14:01 01/04/2012] [19:22 06/05/2008] B59BED0CF6C1B92A603967346F767158
C:\Program Files (x86)\ArcSoft\Print Creations\Help\fr\Template\Index.tmp --a---- 2299 bytes [14:01 01/04/2012] [19:58 10/09/2008] 78A4AA42668C47F5D2AC116FE775169F
C:\Program Files (x86)\ArcSoft\Print Creations\Help\fr\Template\Print.tmp --a---- 1994 bytes [14:01 01/04/2012] [19:57 10/09/2008] 9549A3FF24D13E36F03502B050356508
C:\Program Files (x86)\ArcSoft\Print Creations\Help\fr\Template\Print_and_Share.tmp --a---- 1843 bytes [14:01 01/04/2012] [21:00 23/04/2008] 6C16CD2CDEC2395AE31D6E6EFC5CE6D6
C:\Program Files (x86)\ArcSoft\Print Creations\Help\fr\Template\Project_Types.tmp --a---- 2636 bytes [14:01 01/04/2012] [21:00 23/04/2008] B812174F95D9B971EC4DD7844C392B9A
C:\Program Files (x86)\ArcSoft\Print Creations\Help\it\Template\index.tmp --a---- 2335 bytes [14:01 01/04/2012] [20:22 10/09/2008] FACDE8DB20D76896F7332AD3C98E7735
C:\Program Files (x86)\ArcSoft\Print Creations\Help\it\Template\Print.tmp --a---- 1930 bytes [14:01 01/04/2012] [14:31 11/09/2008] 7F30ABE9AF02B4C07A3201A2265D2A4C
C:\Program Files (x86)\ArcSoft\Print Creations\Help\it\Template\Print_and_Share.tmp --a---- 2290 bytes [14:01 01/04/2012] [20:24 10/09/2008] 95620D07E4309318658F4FC6D434CEDE
C:\Program Files (x86)\ArcSoft\Print Creations\Help\it\Template\Project_Types.tmp --a---- 2584 bytes [14:01 01/04/2012] [20:24 10/09/2008] BF0F82D90952A6C540737ADFAAD9FD2F
C:\Program Files (x86)\ArcSoft\Print Creations\Help\ja\Template\Index.tmp --a---- 2104 bytes [14:01 01/04/2012] [20:53 10/09/2008] 8132EA40012FFCCE593F24B9E6CAD362
C:\Program Files (x86)\ArcSoft\Print Creations\Help\ja\Template\Print.tmp --a---- 1929 bytes [14:01 01/04/2012] [20:52 10/09/2008] D8A1604CE40F67547E365EB3F35F013D
C:\Program Files (x86)\ArcSoft\Print Creations\Help\ja\Template\Print_and_Share.tmp --a---- 1729 bytes [14:01 01/04/2012] [20:53 10/09/2008] 8425F7069191103020BC837465EFE7FD
C:\Program Files (x86)\ArcSoft\Print Creations\Help\ja\Template\Project_Types.tmp --a---- 2368 bytes [14:01 01/04/2012] [20:53 10/09/2008] B6F9ABEFEB8D2A4E1041BAE5E9F8B02F
C:\Program Files (x86)\ArcSoft\Print Creations\Help\ko\Template\index.tmp --a---- 2079 bytes [14:01 01/04/2012] [20:57 10/09/2008] 29B42257465153F41D23EA785E73D70C
C:\Program Files (x86)\ArcSoft\Print Creations\Help\ko\Template\Print.tmp --a---- 1854 bytes [14:01 01/04/2012] [20:57 10/09/2008] 85DA322C7DE97D0619B5FC472C91A44A
C:\Program Files (x86)\ArcSoft\Print Creations\Help\ko\Template\Print_and_Share.tmp --a---- 1872 bytes [14:01 01/04/2012] [20:58 10/09/2008] D4CB42C7F78FDAD94F6E25B00E8451FD
C:\Program Files (x86)\ArcSoft\Print Creations\Help\ko\Template\Project_Types.tmp --a---- 2318 bytes [14:01 01/04/2012] [20:58 10/09/2008] CE5DE00010B468F78D730E34F836EEBC
C:\Program Files (x86)\ArcSoft\Print Creations\Help\nl\Template\Index.tmp --a---- 2218 bytes [14:01 01/04/2012] [20:59 10/09/2008] 468076E824FCF136684D48C2FC85377A
C:\Program Files (x86)\ArcSoft\Print Creations\Help\nl\Template\Print.tmp --a---- 1921 bytes [14:01 01/04/2012] [20:59 10/09/2008] E8F94AA2A58C2597C2E840BBB1D2F093
C:\Program Files (x86)\ArcSoft\Print Creations\Help\nl\Template\Print_and_Share.tmp --a---- 1808 bytes [14:01 01/04/2012] [20:59 10/09/2008] D1F7D76B6C8328C86D902BF62A4E4294
C:\Program Files (x86)\ArcSoft\Print Creations\Help\nl\Template\Project_Types.tmp --a---- 2420 bytes [14:01 01/04/2012] [20:59 10/09/2008] 498EA93212145CF7FE48BB1A0DD4F0A2
C:\Program Files (x86)\ArcSoft\Print Creations\Help\ru\Template\index.tmp --a---- 2233 bytes [14:01 01/04/2012] [20:50 19/09/2008] 173F27468C59DD781AA7F601E572A5F2
C:\Program Files (x86)\ArcSoft\Print Creations\Help\ru\Template\Print.tmp --a---- 1869 bytes [14:01 01/04/2012] [21:00 10/09/2008] 413D5D9F43208B0116A755264B5E499A
C:\Program Files (x86)\ArcSoft\Print Creations\Help\ru\Template\Print_and_Share.tmp --a---- 2063 bytes [14:01 01/04/2012] [21:21 19/09/2008] 3E7FE0E72C3ACB230D83DA2AB4BD63F9
C:\Program Files (x86)\ArcSoft\Print Creations\Help\ru\Template\Project_Types.tmp --a---- 2487 bytes [14:01 01/04/2012] [20:12 19/09/2008] 8299953F404BAE00A5CDD50410835981
C:\Program Files (x86)\ArcSoft\Print Creations\Help\sv\Template\index.tmp --a---- 2303 bytes [14:01 01/04/2012] [20:42 19/09/2008] 8AE9489D6CD40564A61E223D23F1CE52
C:\Program Files (x86)\ArcSoft\Print Creations\Help\sv\Template\Print.tmp --a---- 1969 bytes [14:01 01/04/2012] [21:02 10/09/2008] 7C3933A245BF831A983E2A6482A4D7EB
C:\Program Files (x86)\ArcSoft\Print Creations\Help\sv\Template\Print_and_Share.tmp --a---- 1947 bytes [14:01 01/04/2012] [21:03 10/09/2008] ADB980158BAA640669C700A23CB2638E
C:\Program Files (x86)\ArcSoft\Print Creations\Help\sv\Template\Project_Types.tmp --a---- 2465 bytes [14:01 01/04/2012] [21:03 10/09/2008] 44D4851C193B555FFDC3F72C215FD4E8
C:\Program Files (x86)\Canon\IJ Manual\CANON MX880 SERIES\Uninstall.tmp --a---- 4068 bytes [17:08 10/01/2012] [17:08 10/01/2012] EC3B8E28B5D5EAAB164B0F767A0C75A2
C:\Program Files (x86)\Common Files\Windows Live\.cache\wlc9379.tmp --a---- 213986 bytes [01:14 18/08/2011] [01:14 18/08/2011] AEF9BCE2A9FE59DB6D932559D2B9D341
C:\ProgramData\Microsoft\Application Virtualization Client\SoftGrid Client\AppFS Storage\140066.ENU-90140011-66-409\GlblVol_sftfs_v1_S-1-5-18.tmp --a---- 675840 bytes [20:18 26/12/2011] [00:19 23/07/2012] 74C9F532BDC291AFA9FD84810345B5D1
C:\ProgramData\Microsoft\Application Virtualization Client\SoftGrid Client\AppFS Storage\140066.ENU-90140011-66-409\GlblVol_sftfs_v1_S-1-5-20.tmp --a---- 679936 bytes [20:18 26/12/2011] [03:37 18/08/2012] A77B29D168301AD0C707A119A21878AD
C:\ProgramData\Microsoft\Application Virtualization Client\SoftGrid Client\AppFS Storage\140066.ENU-90140011-66-409\GlblVol_sftfs_v1_S-1-5-21-4200521874-2590480824-2585516950-1000.tmp --a---- 749568 bytes [21:00 10/08/2012] [03:37 18/08/2012] B05FE496A90DFF2CA0A0144624077029
C:\ProgramData\Microsoft\Application Virtualization Client\SoftGrid Client\AppFS Storage\140066.ENU-90140011-66-409\UsrVol_sftfs_v1.tmp --a---- 53248 bytes [20:18 26/12/2011] [03:37 18/08/2012] 924DC07384A0A680ECA5B1E2F6601169
C:\ProgramData\Microsoft\PlayReady\Cache\indiv01.tmp --ahs-- 0 bytes [19:15 30/03/2012] [19:15 30/03/2012] D41D8CD98F00B204E9800998ECF8427E
C:\Users\All Users\Microsoft\Application Virtualization Client\SoftGrid Client\AppFS Storage\140066.ENU-90140011-66-409\GlblVol_sftfs_v1_S-1-5-18.tmp --a---- 675840 bytes [20:18 26/12/2011] [00:19 23/07/2012] 74C9F532BDC291AFA9FD84810345B5D1
C:\Users\All Users\Microsoft\Application Virtualization Client\SoftGrid Client\AppFS Storage\140066.ENU-90140011-66-409\GlblVol_sftfs_v1_S-1-5-20.tmp --a---- 679936 bytes [20:18 26/12/2011] [03:37 18/08/2012] A77B29D168301AD0C707A119A21878AD
C:\Users\All Users\Microsoft\Application Virtualization Client\SoftGrid Client\AppFS Storage\140066.ENU-90140011-66-409\GlblVol_sftfs_v1_S-1-5-21-4200521874-2590480824-2585516950-1000.tmp --a---- 749568 bytes [21:00 10/08/2012] [03:37 18/08/2012] B05FE496A90DFF2CA0A0144624077029
C:\Users\All Users\Microsoft\Application Virtualization Client\SoftGrid Client\AppFS Storage\140066.ENU-90140011-66-409\UsrVol_sftfs_v1.tmp --a---- 53248 bytes [20:18 26/12/2011] [03:37 18/08/2012] 924DC07384A0A680ECA5B1E2F6601169
C:\Users\All Users\Microsoft\PlayReady\Cache\indiv01.tmp --ahs-- 0 bytes [19:15 30/03/2012] [19:15 30/03/2012] D41D8CD98F00B204E9800998ECF8427E
C:\Users\Hans\AppData\Local\SoftGrid Client\140066.ENU-90140011-66-409\UsrVol_sftfs_v1.tmp --a---- 4653056 bytes [20:18 26/12/2011] [03:37 18/08/2012] C0AE4F687C8FFE3B5B441B8DDF4B9432
C:\Users\Hans\AppData\LocalLow\PlayReady\Cache\indiv01.tmp --ahs-- 0 bytes [19:15 30/03/2012] [19:15 30/03/2012] D41D8CD98F00B204E9800998ECF8427E
C:\Users\Hans\AppData\Roaming\Arcsoft\PrintCreations\WebContents\AlbumPage\All Free\Beach Bums\Beach Bums 01_392.tmp --a---- 58300 bytes [05:58 16/08/2012] [05:58 16/08/2012] F9A545D1FD98C4A1637E7C4395B17773
C:\Users\Hans\AppData\Roaming\Arcsoft\PrintCreations\WebContents\AlbumPage\Artistic\Harmony\Harmony 04_378.tmp --a---- 44102 bytes [05:58 16/08/2012] [05:58 16/08/2012] 31771A33DA2AFA3B4BCDA364C46BAD3A
C:\Windows\SoftwareDistribution\Download\c2738da3de14337126005c07b43199e5\BIT48D4.tmp --ah--- 0 bytes [14:36 13/05/2012] [14:36 13/05/2012] D41D8CD98F00B204E9800998ECF8427E
C:\Windows\System32\config\systemprofile\AppData\Local\SoftGrid Client\140066.ENU-90140011-66-409\UsrVol_sftfs_v1.tmp --a---- 57344 bytes [20:18 26/12/2011] [00:19 23/07/2012] 34DCFAC1476AC55C69BDC2B52F2851BD
-= EOF =-

Last edited by Han Solo; August 23rd, 2012 at 12:58 AM.
#36
August 23rd, 2012, 12:56 AM
Jintan
Cyber Tech Help Moderator
I don't see the mystery temp file any more - do you? Strange - kinda looks like Norton's enterprise edition was creating a file, then finding it and ID'ing it as malware. Looks good now - we are ready to start wrapping things up here?
#37
August 23rd, 2012, 12:56 AM
Jintan
Cyber Tech Help Moderator
FYI - Same as the other thread. Norton gone, mystery file gone as well.
#38
August 23rd, 2012, 01:17 AM
Han Solo
Member
Darn it. I was about to delete the Symantec files/folders and poked around the .VBN files and opened one with Notepad to take a look and must have forgotten to uncheck the "always use the selected program to open this file" box, and now Notepad is associated with .VBN. While it was open briefly it did have DWHXXXX.tmp mentioned in it. Well, now that it's done, would it be worthwhile zipping up some of these and sending them to you? Do I need to unassociate Notepad from the .VBN files? If so I can't figure out how to do it; Windows 7 appears to only have a way of changing the association, not getting rid of it...


Otherwise yes, we are ready to wrap things up. I've never been able to track down the tmp file.
#39
August 24th, 2012, 01:12 AM
Jintan
Cyber Tech Help Moderator
C:\Users\Hans\AppData\Local\Temp\datBEC6.tmp --a---- 16552 bytes [06:48 15/08/2012] [06:48 15/08/2012] 50E1FD65EA71D299D034BB78D04420BC
C:\Users\Hans\AppData\Local\Temp\datBEC7.tmp --a---- 16728 bytes [06:48 15/08/2012] [06:48 15/08/2012] FE60E16CF3812E703541B8001203D9DB

Quote:
it did have DWHXXXX.tmp mentioned in it
Some files, when run, temporarily create temp files to run from. So be sure to not suspect all temp files you see.

I assume those .vbn files are just files removed by Norton, and renamed, so no real file association to connect with them. I also assume Norton encrypts files it stores as .vbn, so no need to look through any, or if not, still no need to look through old files Norton removed. We okay to start cleanup now?
#40
August 24th, 2012, 01:42 AM
Han Solo
Member
Yes, we can start the cleanup.
#41
August 24th, 2012, 01:53 AM
Jintan
Cyber Tech Help Moderator
Just know we can always revisit things here should anything we missed arise.


The logs show you have an outdated version of Java installed there, which is more vulnerable than the current version. Just go here and update that:

http://java.com/en/download/manual.jsp
(For Java 7 Update 5 - trying to slip Ask adware/spyware to systems lately, so watch and uncheck it)

Once you have done that, be sure to go to Programs and Features and uninstall any older, more vulnerable Java versions.
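As an added illustration (not part of this thread, nor OTL's own code), a small Python parser over the OTL "O16 - DPF" lines posted above that pulls out every registered Java plug-in version, on both the 64-bit and the 32-bit (WOW64) side, and flags any older than a baseline release; the baseline is an assumption, set here to the Java 7 Update 5 that the download link above pointed to at the time. It also reports dangling DPF entries (OTL's "Reg Error"/"File not found" notes), which is what the later "uninstall older versions" step is meant to leave clean.

```python
"""Added example: parse OTL 'O16 - DPF' lines and flag outdated Java plug-ins.

Not part of the thread or of OTL; the baseline release is an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample lines copied from the OTL log posted in this thread (URLs are
# shortened exactly as OTL prints them).
SAMPLE_OTL_LINES = """\
O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_24)
O16:64bit: - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_24)
O16:64bit: - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://active.macromedia.com/flash2/cabs/swflash.cab (Shockwave Flash Object)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20614.www2.hp.com/ediags/gmd...pdetect118.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_33)
O16 - DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_33)
"""

# O16 lines: optional ":64bit:" tag, CLSID in braces, the .cab URL, then a
# parenthesised description (plug-in name/version or an OTL error note).
O16_RE = re.compile(
    r"^O16(?P<arch>:64bit:)? - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) "
    r"(?P<url>\S+) \((?P<desc>.*)\)$"
)
# Sun's 1.x numbering: 1.6.0_33 is "Java 6 Update 33", 1.7.0_05 is "Java 7 Update 5".
JAVA_RE = re.compile(r"Java Plug-in (\d+)\.(\d+)\.(\d+)_(\d+)")

# Assumed baseline: the release linked in this thread (Java 7 Update 5).
CURRENT_JAVA: Tuple[int, int] = (7, 5)


@dataclass(frozen=True)
class DpfEntry:
    arch: str   # "64bit" or "32bit" (plain O16 lines are the WOW64 view)
    clsid: str
    url: str
    desc: str

    @property
    def release(self) -> Optional[Tuple[int, int]]:
        return java_release(self.desc)

    @property
    def broken(self) -> bool:
        # OTL writes these when the registry key or file behind the entry is gone.
        return self.desc.startswith("Reg Error") or "File not found" in self.desc


def java_release(desc: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for a 'Java Plug-in 1.M.0_U' description, else None."""
    m = JAVA_RE.search(desc)
    if not m:
        return None
    return int(m.group(2)), int(m.group(4))


def parse_o16(text: str) -> List[DpfEntry]:
    """Collect the O16 entries from an OTL log; every other line is ignored."""
    entries = []
    for line in text.splitlines():
        m = O16_RE.match(line.strip())
        if not m:
            continue
        arch = "64bit" if m.group("arch") else "32bit"
        entries.append(DpfEntry(arch, m.group("clsid"), m.group("url"), m.group("desc")))
    return entries


def outdated_java(entries: List[DpfEntry],
                  current: Tuple[int, int] = CURRENT_JAVA) -> List[DpfEntry]:
    """Java plug-in registrations older than `current`, 64-bit and 32-bit alike."""
    return [e for e in entries if e.release is not None and e.release < current]


def report(text: str, current: Tuple[int, int] = CURRENT_JAVA) -> List[str]:
    """One human-readable finding per entry worth acting on."""
    entries = parse_o16(text)
    findings = []
    for e in outdated_java(entries, current):
        major, update = e.release
        findings.append(f"{e.arch}: {e.clsid} registers Java {major} Update {update} "
                        f"(older than Java {current[0]} Update {current[1]})")
    for e in entries:
        if e.broken:
            findings.append(f"{e.arch}: {e.clsid} is a dangling DPF entry ({e.desc})")
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_OTL_LINES):
        print(finding)
```

Both the 1.6.0_24 (64-bit) and 1.6.0_33 (32-bit) registrations show up as stale, which is why the uninstall step has to cover every listed Java version, not just one.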

-------------

Eset, if you don't plan to use it again, uninstalls through the Control Panel - Programs and Features.

-------

Go to Start Search, type cmd.exe in the Start Search box. Cmd.exe will appear at the top of the Menu. Right-click on it and choose "Run as administrator". At the prompt copy/paste the following, pressing Enter after each:

cd "%userprofile%\desktop"

combofix /uninstall


ComboFix should uninstall itself at this time.

-----

You can also at this time delete the files/folders of the tools we used. To assist with some of that run OTL again. This will help by automatically removing some of the tools we used.

Just click CleanUp, and select Yes. When it finishes removing some of the tools and files we used there just agree to the reboot.


In addition, I like to recommend reviewing the information Here to make sure you stay malware free.
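An added check that is not part of the thread: before going to Programs and Features, this PowerShell script (assumed to be run as administrator, names and output format my own) lists every Java runtime registered in the standard registry Uninstall keys and marks all but the newest one for removal.

```powershell
# Added example, not from the thread or from Oracle's own tooling.
# Inventories Java runtimes from the two standard Uninstall registry keys
# (64-bit and 32-bit views) so older, more vulnerable versions are easy to spot.
$uninstallKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Entries look like "Java 7 Update 5" or "Java(TM) 6 Update 33"; the regex is an assumption
# about the display names Oracle/Sun installers write, not a documented contract.
$java = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -match '^Java(\(TM\))? \d+( Update \d+)?' -and $_.DisplayVersion } |
  Select-Object DisplayName, DisplayVersion, Publisher, PSChildName |
  Sort-Object -Property { [version]$_.DisplayVersion } -Descending

if (-not $java) {
  Write-Host 'No Java runtimes found in the Uninstall keys.'
  return
}

# Everything older than the newest installed version is flagged; the newest should
# still be compared against java.com to confirm it is actually current.
$newest = $java[0].DisplayVersion
foreach ($j in $java) {
  $flag = if ($j.DisplayVersion -eq $newest) { 'keep  ' } else { 'REMOVE' }
  '{0} {1,-30} {2,-12} {3}' -f $flag, $j.DisplayName, $j.DisplayVersion, $j.PSChildName
}
```

The last column is the product code (the key name under Uninstall), which is the same entry Programs and Features removes.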
  #42  
Old August 24th, 2012, 11:58 PM
Han Solo Han Solo is offline
Member
 
Join Date: Jun 2005
Posts: 75
I am following the steps... almost done. I recently got an alert for a Java update but have put that off during the troubleshooting to lessen the variables.

Your assumptions in the previous post were correct. So will deleting the .vbn files get rid of the association between .vbn and Notepad then?

As for the anti-virus/spyware/malware programs I was running, from what you advised and the re-infection webpage, the only one not discussed was Spybot... useless/worthwhile? I was planning on trying the MS Security Essentials in conjunction with Windows Defender and the Malwarebytes... are three programs enough? In the past it seemed a whole bunch were needed.
  #43  
Old August 25th, 2012, 01:53 AM
Jintan's Avatar
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 49,162
Blog Entries: 1
.vbn files are just one program's quarantine files, so really no issue what opens them. Notepad is as good a choice as any. Prefer to avoid cross-linking threads, but here I made the same point we have been discussing.

SpyBot is all user's choice, though parts of it can interfere with other functions, and it has no recent track record of doing anything of merit. Defender, on the other hand, also has a zero track record, but does interfere with other functions, and should be disabled. Security Essentials should be fine, as long as it is supplemented by an anti-malware program, like Malwarebytes, so good to go there.
  #44  
Old August 25th, 2012, 01:54 AM
Jintan's Avatar
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 49,162
Blog Entries: 1
Quote:
in the past it seemed a whole bunch were needed.
And they didn't protect things then, or now.
  #45  
Old August 28th, 2012, 01:02 AM
Han Solo Han Solo is offline
Member
 
Join Date: Jun 2005
Posts: 75
Hey Tom, thanks for all of your help, I really appreciate all the effort you put into my issue. I am having another problem but it is not directly related to what we were working on. This one has to do with the mouse and strange clicking behavior. Here are some of the symptoms (most are from IE, but other programs are also affected, haven't really tested it much yet):

- clicking on a second tab in IE that was opened from another tab closes both tabs
- sometimes clicking on one of the categories on the menu bar in IE such as "Tools" flashes the dropdown for only a split second, have to click repeatedly to get it to stay
- the IE window will maximize and restore down when clicking on the title bar when changing windows
- clicking on any window to bring it to the forefront sometimes closes it and opens a window underneath it, sometimes opening something in that window
- dropdown boxes don't work like they should, have to repeatedly click on the little arrow to make them work
- having to repeatedly click the little magnifying glass in the IE address bar to switch the search from Bing to Google... had to do it 3 times today... it doesn't seem to want to stay on Google
- went to Mouse Properties and under the "Buttons" tab in the "Double-click Speed" section, double-clicking on the little folder doesn't produce the desired results... the folder doesn't open and close like it's supposed to.

Is this some kind of malware/virus issue or is it a problem with the mouse? I don't have another mouse to test with.

Thanks,
Hans

Last edited by Han Solo; August 28th, 2012 at 01:04 AM.