Cyber Tech Help Support Forums > Software > Malware Removal Forum
  #1  
Old March 5th, 2013, 02:16 PM
birdiexris
New Member
 
Join Date: Mar 2013
Posts: 7
Weird Background process - IP 46.165.221.199 - Moved by MURF

I have a computer running Vista and there's a weird background process. The IP address is 46.165.221.199 and there's a bunch of IE pages running in the background. I can't quit them in the task manager either, and I can't quit the IE processes. I'm not sure what's going on in there, but Malwarebytes, Windows Defender, and Norton all don't find anything wrong with the computer and no spyware, so whatever it is, it's in there good. Can anyone help?


  #2  
Old March 5th, 2013, 04:22 PM
Murf
Moderator
 
Join Date: Oct 2001
O/S: Windows 7 64-bit
Location: Newport News VA
Posts: 15,623
Welcome to CTH

That IP is from Germany, you are infected. I am moving this over to our malware forum for some help.
  #3  
Old March 5th, 2013, 04:37 PM
birdiexris
New Member
 
Join Date: Mar 2013
Posts: 7
Awesome. Thanks. I figured it was some kind of adware. Most of the internet has that same consensus.
  #4  
Old March 6th, 2013, 12:37 AM
Jintan
Malware Removal Team Advisor
 
Join Date: Dec 2004
Posts: 50,140
Welcome to CTH birdiexris,

Let's take a look.


The system is Vista, so when running any of the scan files we use, be sure to right click the file, then select "Run as administrator" to start the scan/tool.

And to make sure you have an accurate view of files there, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".



To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed.

-------

Click here and download OldTimer's OTL to your desktop, then click that to open the scan display. At the top click "Scan All Users", then click "Run Scan". Make no other changes at this time.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are also saved in the same location as OTL.exe. Post the contents of those back here please.

-----------

Click here and download the installer for Gmer to your desktop, then click that file to run Gmer.


Once the opening scan finishes, click on Scan (again, before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

-----------

Download RogueKiller from here to your desktop.

Close all open programs
Remember to right click -> run as administrator, and click the downloaded file.
When RogueKiller finishes its opening scan, press the Scan button.
A RKreport.txt will be created in the same location as the RogueKiller file.
If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe, and try again.

Please post the contents of the RKreport.txt.


A lot, but comprehensive, and will make sure we get a good view of everything.
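Helpers read the OTL log requested above by eye, looking for a handful of patterns. As an added example (not part of this thread and not an OTL feature), the Python script below automates three of those checks: drivers marked "File not found" whose service name looks pseudo-random, IE search hooks and search scopes that point at bundled third-party search providers, and orphaned BHO/Run entries. The sample input is copied (URLs shortened) from the OTL log posted later in the thread; the watch-list of hosts and vendors is an assumption built from that log, and a hit is something to review, not proof of infection.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

VOWELS = set("aeiou")

# Assumption: watch-list assembled from the search providers and toolbar
# vendor that appear in this thread's OTL log. A match flags the entry for
# review; it does not by itself prove the machine is infected.
WATCHED_SEARCH_HOSTS = ("babylon.com", "conduit.com", "ask.com")
WATCHED_VENDORS = ("Conduit Ltd.",)


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    reason: str
    line: str


# OTL line shapes, taken from the log format seen in this thread.
DRV_MISSING = re.compile(r"^DRV - File not found .* -- \((?P<svc>[^)]+)\)\s*$")
IE_HOOK = re.compile(r"^IE - .*URLSearchHook: .* \((?P<vendor>[^)]+)\)\s*$")
IE_URL = re.compile(r'^IE - .*"URL" = (?P<url>\S+)')
ORPHAN = re.compile(r"^O[23] - .*No CLSID value found\.?$")
RUN_EMPTY = re.compile(r"^O4 - .*\\Run: \[\] File not found$")


def looks_random(name: str) -> bool:
    """Heuristic for generated service names such as tqezvlqb: all lowercase
    ASCII letters, at least 8 long, and a low share of vowels. Legitimate
    leftovers like IpInIp or NwlnkFwd are mixed case and fall through."""
    if len(name) < 8 or not name.isascii() or not name.isalpha() or not name.islower():
        return False
    return sum(c in VOWELS for c in name) / len(name) <= 0.25


def check_line(line: str) -> Optional[Finding]:
    """Classify one OTL log line, or return None when nothing stands out."""
    m = DRV_MISSING.match(line)
    if m:
        svc = m.group("svc")
        if looks_random(svc):
            return Finding("high", f"missing driver with random-looking name {svc}", line)
        return None  # stale-but-known service entries are common and benign
    m = IE_HOOK.match(line)
    if m and m.group("vendor") in WATCHED_VENDORS:
        return Finding("medium", f"URLSearchHook installed by {m.group('vendor')}", line)
    m = IE_URL.match(line)
    if m:
        host = urlparse(m.group("url")).hostname or ""
        for watched in WATCHED_SEARCH_HOSTS:
            if host == watched or host.endswith("." + watched):
                return Finding("medium", f"search scope points at {host}", line)
        return None
    if ORPHAN.match(line):
        return Finding("low", "orphaned BHO/toolbar entry (no CLSID)", line)
    if RUN_EMPTY.match(line):
        return Finding("low", "empty Run value pointing at a missing file", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over a whole OTL log and keep only the findings."""
    return [f for f in (check_line(l.rstrip()) for l in log_text.splitlines()) if f]


# Sample input: lines copied from the OTL log posted later in this thread
# (long URLs and a vendor string shortened), plus benign lines for contrast.
SAMPLE_LOG = r"""
DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\tqezvlqb.sys -- (tqezvlqb)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\apnewtkg.sys -- (apnewtkg)
DRV - [2013/01/20 16:59:04 | 000,100,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
IE - HKLM\..\URLSearchHook: {76a747b4-edc6-46ff-8a5d-9ae61a889d5b} - C:\Program Files\Produtools_Forms\prxtbProd.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=110802
IE - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Evernote extension) - {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.severity:6}] {finding.reason}\n         {finding.line}")
```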
  #5  
Old March 11th, 2013, 09:20 PM
birdiexris
New Member
 
Join Date: Mar 2013
Posts: 7
OTL report 1

Here is the OTL. I'll run the other scan overnight.

OTL logfile created on: 3/11/2013 4:05:03 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Brenda\Downloads
Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.97 Gb Total Physical Memory | 1.37 Gb Available Physical Memory | 46.09% Memory free
6.13 Gb Paging File | 3.97 Gb Available in Paging File | 64.81% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 134.32 Gb Total Space | 67.76 Gb Free Space | 50.45% Space Free | Partition Type: NTFS
Drive D: | 14.65 Gb Total Space | 9.21 Gb Free Space | 62.85% Space Free | Partition Type: NTFS

Computer Name: BRENDA-PC | User Name: ADMIN | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/03/11 16:04:37 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Brenda\Downloads\OTL (1).exe
PRC - [2013/02/28 19:08:21 | 001,274,832 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Chrome\Application\chrome.exe
PRC - [2013/01/29 23:32:58 | 001,078,624 | ---- | M] (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063) -- C:\Program Files\Evernote\Evernote\EvernoteClipper.exe
PRC - [2013/01/29 23:23:06 | 011,802,464 | ---- | M] (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063) -- C:\Program Files\Evernote\Evernote\Evernote.exe
PRC - [2013/01/29 23:23:06 | 000,395,616 | ---- | M] (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063) -- C:\Program Files\Evernote\Evernote\EvernoteTray.exe
PRC - [2013/01/27 12:11:46 | 000,020,456 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2013/01/27 12:11:06 | 000,947,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2012/12/18 10:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/12/06 20:00:12 | 001,176,464 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2012/12/06 19:59:24 | 001,181,584 | ---- | M] (Intuit Inc.) -- C:\Program Files\Intuit\QuickBooks 2012\QBW32.EXE
PRC - [2012/12/06 19:17:04 | 000,045,056 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2012/09/06 08:41:42 | 000,192,512 | ---- | M] (Two Pilots) -- C:\Windows\VPDAgent.exe
PRC - [2012/06/11 16:22:16 | 000,240,208 | ---- | M] (Microsoft Corporation.) -- C:\Program Files\Microsoft\BingBar\7.1.391.0\SeaPort.EXE
PRC - [2011/09/21 20:40:11 | 000,117,648 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\3.8.3.6\ccSvcHst.exe
PRC - [2011/08/19 22:31:14 | 001,248,256 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
PRC - [2011/08/19 22:30:04 | 000,667,648 | ---- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\Intuit\QuickBooks 2012\QBDBMgr9.exe
PRC - [2011/04/19 09:01:39 | 001,505,784 | ---- | M] (American Express) -- C:\Program Files\American Express inSite\inSite.exe
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/02/20 09:46:52 | 000,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PRC - [2009/02/11 18:38:40 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2009/02/11 18:38:38 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2006/12/19 18:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe


========== Modules (No Company Name) ==========

MOD - [2013/02/28 19:08:19 | 000,459,728 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\25.0.1364.152\ppgooglenaclpluginchrome.dll
MOD - [2013/02/28 19:08:18 | 012,637,136 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\25.0.1364.152\PepperFlash\pepflashplayer.dll
MOD - [2013/02/28 19:08:16 | 004,050,896 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\25.0.1364.152\pdf.dll
MOD - [2013/02/28 19:07:25 | 000,596,944 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\25.0.1364.152\libglesv2.dll
MOD - [2013/02/28 19:07:24 | 000,124,368 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\25.0.1364.152\libegl.dll
MOD - [2013/02/28 19:07:21 | 001,552,848 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\25.0.1364.152\ffmpegsumo.dll
MOD - [2013/01/10 04:35:01 | 013,345,792 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity\52588e18078ea592ce9cc2399b624a15\System.Data.Entity.ni.dll
MOD - [2013/01/10 04:33:32 | 000,096,768 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationProvider\a1b65a602c75409c0c1ce7fa1f2a0983\UIAutomationProvider.ni.dll
MOD - [2013/01/10 04:33:29 | 001,189,376 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data.OracleC#\aad0fd94c3d1be97f53ce20c138490de\System.Data.OracleClient.ni.dll
MOD - [2013/01/10 04:33:07 | 000,787,456 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.EnterpriseSe#\1d254fbc811d0de6c54a9d9c428c4497\System.EnterpriseServices.ni.dll
MOD - [2013/01/10 04:33:07 | 000,236,032 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.EnterpriseSe#\1d254fbc811d0de6c54a9d9c428c4497\System.EnterpriseServices.Wrapper.dll
MOD - [2013/01/10 04:33:06 | 000,649,728 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\dcb0e7d56ffca14d7c483103235b11ad\System.Transactions.ni.dll
MOD - [2013/01/10 04:33:03 | 002,647,040 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runtime.Seri#\910fe53ec2122cf3a2ad11c2b2f5cbfd\System.Runtime.Serialization.ni.dll
MOD - [2013/01/10 04:33:00 | 000,393,216 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq\d01a925ecd339eae8ea1da8488eb2283\System.Xml.Linq.ni.dll
MOD - [2013/01/10 04:31:54 | 001,801,728 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\866894ebe5258bf9f45d6b063229e990\System.Xaml.ni.dll
MOD - [2013/01/10 04:10:44 | 018,002,944 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationFramewo#\14f511c47523f19ca591eb207e9e2084\PresentationFramework.ni.dll
MOD - [2013/01/10 04:10:30 | 011,451,904 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\e10fd15441d278c04a03302880a3e231\PresentationCore.ni.dll
MOD - [2013/01/10 04:10:27 | 006,815,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\9071f089ab65d518d1bd7e8fa857a95f\System.Data.ni.dll
MOD - [2013/01/10 04:10:20 | 003,858,944 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\7a9ff5ce3a909d075179a2ac70d8f388\WindowsBase.ni.dll
MOD - [2013/01/10 04:10:18 | 005,617,664 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\43cd41484df96d15df949eb17dd88152\System.Xml.ni.dll
MOD - [2013/01/10 04:10:15 | 000,982,528 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\5de5d8c1c02e33789e3cf7e3f54c0ec9\System.Configuration.ni.dll
MOD - [2013/01/10 04:10:12 | 007,069,696 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\27dcf04ed7a3506045597c02a5a1fc31\System.Core.ni.dll
MOD - [2013/01/10 04:10:05 | 000,595,968 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationFramewo#\dfeff31ab1e7cd3480c8942290c92f5d\PresentationFramework.Aero.ni.dll
MOD - [2013/01/10 04:10:04 | 009,094,656 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System\15872842e3e63ddf0f720f406706198e\System.ni.dll
MOD - [2013/01/10 04:09:59 | 000,145,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\c300c8ca0910bbffb16a244b56be6d05\System.Numerics.ni.dll
MOD - [2013/01/10 04:09:58 | 014,412,800 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\3f95a6d480ed1ebe45cf27b770ba94ed\mscorlib.ni.dll
MOD - [2012/12/06 20:00:06 | 000,110,480 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2012\Webification.DLL
MOD - [2012/12/06 20:00:00 | 000,121,232 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2012\ReportBridge.DLL
MOD - [2012/12/06 19:59:54 | 000,138,128 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2012\QBMAPILibrary.dll
MOD - [2012/12/06 19:59:50 | 000,020,880 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2012\QBCompressor.DLL
MOD - [2012/12/06 19:59:48 | 000,070,032 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2012\QB2WPFBridge.dll
MOD - [2012/12/06 19:59:44 | 000,042,384 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2012\mbpopup.dll
MOD - [2012/12/06 19:59:42 | 000,093,072 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2012\IPDWidgetInterop.dll
MOD - [2012/12/06 19:59:42 | 000,082,832 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2012\IPDWidgetBridge.DLL
MOD - [2012/12/06 19:59:40 | 000,057,744 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2012\htmlhelper.dll
MOD - [2012/12/06 19:59:38 | 000,400,272 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2012\FeaturesBridge.DLL
MOD - [2012/12/06 19:59:30 | 000,268,688 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2012\boost_regex-vc90-mt-p-1_33.dll
MOD - [2012/12/06 19:59:30 | 000,176,528 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2012\boost_serialization-vc90-mt-p-1_33.dll
MOD - [2012/12/06 19:59:28 | 000,380,304 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2012\BackupLib.dll
MOD - [2012/09/08 13:16:30 | 000,433,664 | ---- | M] () -- C:\Program Files\Evernote\Evernote\libxml2.dll
MOD - [2012/09/08 13:16:20 | 000,315,392 | ---- | M] () -- C:\Program Files\Evernote\Evernote\libtidy.dll
MOD - [2012/08/29 07:50:42 | 021,009,920 | ---- | M] () -- C:\Program Files\Evernote\Evernote\libcef.dll
MOD - [2012/08/29 07:50:28 | 000,133,134 | ---- | M] () -- C:\Program Files\Evernote\Evernote\avutil-51.dll
MOD - [2012/08/29 07:50:26 | 000,189,454 | ---- | M] () -- C:\Program Files\Evernote\Evernote\avformat-54.dll
MOD - [2012/08/29 07:50:24 | 000,983,054 | ---- | M] () -- C:\Program Files\Evernote\Evernote\avcodec-54.dll
MOD - [2011/08/19 22:30:50 | 000,059,904 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks 2012\zlib1.dll


========== Services (SafeList) ==========

SRV - [2013/02/27 11:32:21 | 000,251,248 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/01/27 12:11:46 | 000,295,232 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2013/01/27 12:11:46 | 000,020,456 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012/12/18 10:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/12/06 19:17:04 | 000,045,056 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2012/09/06 08:41:42 | 000,192,512 | ---- | M] (Two Pilots) [Auto | Running] -- C:\Windows\VPDAgent.exe -- (Agent)
SRV - [2012/06/11 16:22:16 | 000,240,208 | ---- | M] (Microsoft Corporation.) [On_Demand | Running] -- C:\Program Files\Microsoft\BingBar\7.1.391.0\SeaPort.EXE -- (BBUpdate)
SRV - [2012/06/11 16:22:16 | 000,193,616 | ---- | M] (Microsoft Corporation.) [Auto | Stopped] -- C:\Program Files\Microsoft\BingBar\7.1.391.0\BBSvc.EXE -- (BBSvc)
SRV - [2011/09/21 20:40:11 | 000,117,648 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton 360\Engine\3.8.3.6\ccSvcHst.exe -- (N360)
SRV - [2011/08/19 22:31:14 | 001,248,256 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe -- (QBVSS)
SRV - [2011/08/19 22:30:58 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2009/02/20 09:46:52 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2009/02/11 18:38:40 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON)
SRV - [2008/01/20 22:23:59 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2006/12/19 18:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe -- (EpsonBidirectionalService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\tqezvlqb.sys -- (tqezvlqb)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\RTKVHDA.sys -- (IntcAzAudAddService)
DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\apnewtkg.sys -- (apnewtkg)
DRV - [2013/02/07 19:54:46 | 001,603,824 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20130311.004\NAVEX15.SYS -- (NAVEX15)
DRV - [2013/02/07 19:54:46 | 000,093,296 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20130311.004\NAVENG.SYS -- (NAVENG)
DRV - [2013/01/20 16:59:04 | 000,100,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2012/09/06 04:54:30 | 000,386,720 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20130308.001\IDSvix86.sys -- (IDSVix86)
DRV - [2012/07/31 20:34:46 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/07/31 20:34:45 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/09/21 20:40:13 | 000,467,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\N360\0308030.006\cchpx86.sys -- (ccHP)
DRV - [2011/09/21 20:40:13 | 000,217,464 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\N360\0308030.006\symtdi.sys -- (SYMTDI)
DRV - [2011/09/21 20:40:13 | 000,089,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\N360\0308030.006\symfw.sys -- (SYMFW)
DRV - [2011/09/21 20:40:13 | 000,048,760 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\N360\0308030.006\symndisv.sys -- (SYMNDISV)
DRV - [2010/06/23 10:21:32 | 000,259,176 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2010/01/13 16:27:28 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/01/13 16:27:01 | 000,310,320 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\System32\drivers\N360\0308030.006\SymEFA.sys -- (SymEFA)
DRV - [2010/01/13 16:27:01 | 000,308,272 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\N360\0308030.006\srtsp.sys -- (SRTSP)
DRV - [2010/01/13 16:27:01 | 000,259,632 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\N360\0308030.006\BHDrvx86.sys -- (BHDrvx86)
DRV - [2010/01/13 16:27:01 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\N360\0308030.006\srtspx.sys -- (SRTSPX)
DRV - [2010/01/13 16:27:01 | 000,025,648 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\SymIMV.sys -- (SymIM)
DRV - [2009/04/06 12:13:30 | 000,043,008 | ---- | M] (Realtek Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RtTeam60.sys -- (TEAM)
DRV - [2009/04/06 12:13:30 | 000,043,008 | ---- | M] (Realtek Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RtTeam60.sys -- (RTTEAMPT)
DRV - [2008/12/04 09:17:15 | 000,645,120 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WUSB54GCv3.sys -- (WUSB54GCv3)
DRV - [2008/08/26 10:55:14 | 000,112,128 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService)
DRV - [2008/08/19 00:03:28 | 000,079,960 | ---- | M] (JMicron Technology Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\jraid.sys -- (JRAID)
DRV - [2008/01/20 22:23:50 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express)
DRV - [2007/12/11 11:50:20 | 000,027,648 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\RtNdPt60.sys -- (RtNdPt60)
DRV - [2007/12/03 11:19:42 | 000,019,968 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RtVlan60.sys -- (RTVLANPT)
DRV - [2006/11/02 03:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\URLSearchHook: {76a747b4-edc6-46ff-8a5d-9ae61a889d5b} - C:\Program Files\Produtools_Forms\prxtbProd.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\..\SearchScopes\{858D067E-783D-4D35-8F65-899C39CC6A56}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&Form=DLSDF7&pc=MDDS&src={referrer:source?}
IE - HKLM\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}


IE - HKU\.DEFAULT\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}

IE - HKU\S-1-5-20\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}

IE - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USSMB/1
IE - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\..\URLSearchHook: {76a747b4-edc6-46ff-8a5d-9ae61a889d5b} - C:\Program Files\Produtools_Forms\prxtbProd.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=110802&tt=0313_7&babsrc=SP_ss&mntrId=5c6f9eb5000000000000002564cf5026
IE - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=BCPA&o=16145&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=QK&apn_dtid=YYYYYYM2US&apn_uid=82C37017-793A-437C-8323-21AFB1020CD4&apn_sauid=9CADE408-3D29-4F58-9F4E-8A8C0080FBFA
IE - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\..\SearchScopes\{1C798044-605B-4860-90E7-B2819204AEE2}: "URL" = http://search.yahoo.com/search?p={searchterms}&ei=UTF-8&fr=w3i&type=W3i_DS,136,0_0,Search,20120727,17118,0,18,0
IE - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rlz=1I7PCTC_enUS353&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\..\SearchScopes\{858D067E-783D-4D35-8F65-899C39CC6A56}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=DLSDF7&pc=MDDS&src=IE-SearchBox
IE - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
IE - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\..\SearchScopes\{E304C0AA-AB4A-4321-8899-4BD7541DFBE3}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3209602
IE - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\3.0.50106.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\ [2011/10/12 08:02:00 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/12/16 12:53:44 | 000,000,000 | ---D | M]

[2013/01/17 15:51:04 | 000,002,349 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\25.0.1364.152\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\25.0.1364.152\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\25.0.1364.152\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java(TM) Platform SE 6 U13 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll
CHR - plugin: Java(TM) Platform SE 6 U13 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\3.0.50106.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.8.3.6\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.8.3.6\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (inSite) - {74F6C5A9-0EAD-4a71-891E-376A838DF1F0} - c:\Program Files\American Express inSite\inSiteIE.dll (American Express)
O2 - BHO: (Produtools Forms Toolbar) - {76a747b4-edc6-46ff-8a5d-9ae61a889d5b} - C:\Program Files\Produtools_Forms\prxtbProd.dll (Conduit Ltd.)
O2 - BHO: (Evernote extension) - {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (Produtools Forms Toolbar) - {76a747b4-edc6-46ff-8a5d-9ae61a889d5b} - C:\Program Files\Produtools_Forms\prxtbProd.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.3.6\CoIEPlg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (inSite) - {E8558D71-5E4E-4217-B608-D2F5D3623AE3} - c:\Program Files\American Express inSite\inSiteIE.dll (American Express)
O3 - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\..\Toolbar\WebBrowser: (Produtools Forms Toolbar) - {76A747B4-EDC6-46FF-8A5D-9AE61A889D5B} - C:\Program Files\Produtools_Forms\prxtbProd.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.3.6\CoIEPlg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\..\Toolbar\WebBrowser: (inSite) - {E8558D71-5E4E-4217-B608-D2F5D3623AE3} - c:\Program Files\American Express inSite\inSiteIE.dll (American Express)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background File not found
O4 - HKU\S-1-5-18..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background File not found
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - Startup: C:\Users\ADMIN\AppData [2006/11/02 07:18:34 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Users\ADMIN\Application Data [2013/02/28 17:16:00 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\ADMIN\Cookies [2013/02/28 17:16:00 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\ADMIN\Desktop [2006/11/02 06:23:35 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\ADMIN\Documents [2013/02/28 17:16:00 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\ADMIN\Downloads [2006/11/02 06:23:35 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\ADMIN\Favorites [2006/11/02 06:23:35 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\ADMIN\Links [2006/11/02 06:23:35 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\ADMIN\Local Settings [2013/02/28 17:16:00 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\ADMIN\Music [2006/11/02 06:23:35 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\ADMIN\My Documents [2013/02/28 17:16:00 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\ADMIN\NetHood [2013/02/28 17:16:00 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\ADMIN\NTUSER.DAT ()
O4 - Startup: C:\Users\ADMIN\ntuser.dat.LOG1 ()
O4 - Startup: C:\Users\ADMIN\ntuser.dat.LOG2 ()
O4 - Startup: C:\Users\ADMIN\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TM.blf ()
O4 - Startup: C:\Users\ADMIN\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TMContainer00000000000000000001.regtrans-ms ()
O4 - Startup: C:\Users\ADMIN\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TMContainer00000000000000000002.regtrans-ms ()
O4 - Startup: C:\Users\ADMIN\ntuser.ini ()
O4 - Startup: C:\Users\ADMIN\Pictures [2006/11/02 06:23:35 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\ADMIN\PrintHood [2013/02/28 17:16:00 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\ADMIN\Recent [2013/02/28 17:16:00 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\ADMIN\Saved Games [2006/11/02 06:23:35 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\ADMIN\SendTo [2013/02/28 17:16:00 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\ADMIN\Start Menu [2013/02/28 17:16:00 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\ADMIN\Templates [2013/02/28 17:16:00 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\ADMIN\Videos [2006/11/02 06:23:35 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\All Users\5C760B949F8D9EB500005C75AF24A469 [2013/02/27 18:42:48 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Adaptive Server Anywhere 9 [2010/02/18 10:15:03 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Adobe [2012/11/12 09:16:06 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Application Data [2009/10/13 10:27:19 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\All Users\Babylon [2013/01/17 15:50:33 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\COMMON FILES [2009/10/21 15:56:54 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Dell [2009/10/06 13:50:44 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Desktop [2009/10/13 10:27:19 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\All Users\Documents [2009/10/13 10:27:19 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\All Users\EPSON [2012/02/21 14:35:10 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Favorites [2009/10/13 10:27:19 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\All Users\Google [2009/11/10 16:58:08 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\HP [2012/08/23 09:07:24 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\HP Product Assistant [2010/12/16 12:50:54 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\hpzinstall.log ()
O4 - Startup: C:\Users\All Users\InstallShield [2009/10/06 13:43:41 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Intuit [2012/01/12 10:34:50 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Malwarebytes [2013/02/27 18:20:02 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\McAfee [2010/11/29 13:20:30 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Microsoft [2013/02/28 13:05:51 | 000,000,000 | --SD | M]
O4 - Startup: C:\Users\All Users\Microsoft Help [2010/01/14 09:11:28 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Norton [2012/09/24 10:08:14 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\NortonInstaller [2010/01/13 16:26:11 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\ntuser.pol ()
O4 - Startup: C:\Users\All Users\Nuance [2012/06/01 11:19:30 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\PC Tools [2011/01/19 10:42:38 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\PCSettings [2010/01/13 16:21:20 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Sonic [2009/10/06 13:44:46 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\SQL Anywhere 10 [2011/01/19 11:12:01 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\SQL Anywhere 11 [2012/01/13 10:01:08 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Start Menu [2009/10/13 10:27:19 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\All Users\SupportSoft [2009/10/06 13:42:35 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Symantec [2009/10/19 08:32:55 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Symantec Temporary Files [2010/01/13 16:16:01 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Tarma Installer [2013/01/17 15:56:16 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\TEMP [2011/01/19 11:01:51 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Templates [2009/10/13 10:27:19 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\All Users\The Neat Company [2012/02/14 11:17:06 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Uninstall [2009/10/06 13:45:53 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\WEBREG [2009/10/13 17:20:16 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\WindowsSearch [2010/03/19 11:07:11 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\All Users\Yahoo! [2013/01/28 10:32:10 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\Brenda\A000000831R72160-20100417.pdf ()
O4 - Startup: C:\Users\Brenda\AppData [2011/09/16 09:47:34 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Users\Brenda\Application Data [2009/10/13 10:32:40 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Brenda\Contacts [2009/10/13 10:33:04 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Brenda\Cookies [2009/10/13 10:32:40 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Brenda\Desktop [2013/03/11 16:00:11 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Brenda\Documents [2013/03/11 12:34:58 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Brenda\Downloads [2013/03/11 16:04:37 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Brenda\Favorites [2010/04/30 13:58:55 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Brenda\Integer Invoice 3-17-11 Pella 7.pdf ()
O4 - Startup: C:\Users\Brenda\Links [2011/02/23 10:25:31 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Brenda\Local Settings [2009/10/13 10:32:40 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Brenda\Music [2009/10/13 10:33:12 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Brenda\My Documents [2009/10/13 10:32:40 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Brenda\NetHood [2009/10/13 10:32:40 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Brenda\ntuser.dat ()
O4 - Startup: C:\Users\Brenda\ntuser.dat.LOG1 ()
O4 - Startup: C:\Users\Brenda\ntuser.dat.LOG2 ()
O4 - Startup: C:\Users\Brenda\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TM.blf ()
O4 - Startup: C:\Users\Brenda\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TMContainer00000000000000000001.regtrans-ms ()
O4 - Startup: C:\Users\Brenda\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TMContainer00000000000000000002.regtrans-ms ()
O4 - Startup: C:\Users\Brenda\ntuser.ini ()
O4 - Startup: C:\Users\Brenda\Pictures [2012/06/11 09:14:08 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Brenda\PrintHood [2009/10/13 10:32:40 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Brenda\QuickBooksAutoDataRecovery [2012/03/22 13:06:32 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\Brenda\Recent [2009/10/13 10:32:40 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Brenda\Restored_TC STUDIOS LLC_Files [2010/02/16 10:54:59 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\Brenda\Saved Games [2009/10/13 10:33:12 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Brenda\Searches [2009/10/13 10:33:12 | 000,000,000 | R--D | M]
  #6  
Old March 11th, 2013, 09:21 PM
birdiexris birdiexris is offline
New Member
 
Join Date: Mar 2013
Posts: 7
OTL report 2 (remainder)

O4 - Startup: C:\Users\Brenda\SendTo [2009/10/13 10:32:40 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Brenda\Start Menu [2009/10/13 10:32:40 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Brenda\TC Real Estate LLC.lgb ()
O4 - Startup: C:\Users\Brenda\TC Real Estate LLC.qbw ()
O4 - Startup: C:\Users\Brenda\TC Real Estate LLC.qbw.DSN ()
O4 - Startup: C:\Users\Brenda\TC Real Estate LLC.qbw.ND ()
O4 - Startup: C:\Users\Brenda\TC Real Estate LLC.qbw.TLG ()
O4 - Startup: C:\Users\Brenda\TC STUDIOS LLC.ND ()
O4 - Startup: C:\Users\Brenda\TC STUDIOS LLC.QBW.TLG ()
O4 - Startup: C:\Users\Brenda\Templates [2009/10/13 10:32:40 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Brenda\Tracing [2012/02/09 09:25:18 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\Brenda\Videos [2009/10/13 10:33:12 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Brenda\{e19c1276-53fc-4b34-8fa4-f9e486abd5d9} [2009/10/28 11:31:11 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\Default\AppData [2006/11/02 07:18:34 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Users\Default\Application Data [2009/10/13 10:27:19 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Cookies [2009/10/13 10:27:19 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Desktop [2006/11/02 06:23:35 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default\Documents [2009/10/13 10:27:19 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default\Downloads [2006/11/02 06:23:35 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default\Favorites [2006/11/02 06:23:35 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default\Links [2006/11/02 06:23:35 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default\Local Settings [2009/10/13 10:27:19 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Music [2006/11/02 06:23:35 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default\My Documents [2009/10/13 10:27:19 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\NetHood [2009/10/13 10:27:19 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\NTUSER.DAT ()
O4 - Startup: C:\Users\Default\NTUSER.DAT.LOG ()
O4 - Startup: C:\Users\Default\ntuser.dat.LOG1 ()
O4 - Startup: C:\Users\Default\ntuser.dat.LOG2 ()
O4 - Startup: C:\Users\Default\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TM.blf ()
O4 - Startup: C:\Users\Default\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TMContainer00000000000000000001.regtrans-ms ()
O4 - Startup: C:\Users\Default\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TMContainer00000000000000000002.regtrans-ms ()
O4 - Startup: C:\Users\Default\Pictures [2006/11/02 06:23:35 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Default\PrintHood [2009/10/13 10:27:19 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Recent [2009/10/13 10:27:19 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Saved Games [2006/11/02 06:23:35 | 000,000,000 | ---D | M]
O4 - Startup: C:\Users\Default\SendTo [2009/10/13 10:27:19 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Start Menu [2009/10/13 10:27:19 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Templates [2009/10/13 10:27:19 | 000,000,000 | -HSD | M]
O4 - Startup: C:\Users\Default\Videos [2006/11/02 06:23:35 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Public\Desktop [2013/02/28 12:30:16 | 000,000,000 | RH-D | M]
O4 - Startup: C:\Users\Public\Documents [2012/02/14 11:24:30 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Public\Downloads [2006/11/02 08:50:56 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Public\Favorites [2006/11/02 06:23:35 | 000,000,000 | RH-D | M]
O4 - Startup: C:\Users\Public\Music [2006/11/02 08:50:56 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Public\Pictures [2006/11/02 08:50:56 | 000,000,000 | R--D | M]
O4 - Startup: C:\Users\Public\Videos [2006/11/02 08:50:56 | 000,000,000 | R--D | M]
O9 - Extra Button: @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\Evernote\Evernote\\EvernoteIERes\AddNote.html ()
O9 - Extra 'Tools' menuitem : @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\Evernote\Evernote\\EvernoteIERes\AddNote.html ()
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-3619115116-1404167161-2404751703-1003\..Trusted Domains: webcashmgmt.com ([ffcw] https in Trusted sites)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{34BB8124-BC78-47F5-90AD-AB78B82AFB64}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B2F1400E-9BCF-4D4E-AADA-B6EBB02DF8C6}: NameServer = 75.75.75.75,75.75.75.76
O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O18 - Protocol\Handler\intu-help-qb5 {867FCB77-9823-4cd6-8210-D85F968D466F} - C:\Program Files\Intuit\QuickBooks 2012\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.8.3.6\CoIEPlg.dll (Symantec Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/02/28 17:16:00 | 000,000,000 | -HSD | C] -- C:\Users\ADMIN\Templates
[2013/02/28 17:16:00 | 000,000,000 | -HSD | C] -- C:\Users\ADMIN\Start Menu
[2013/02/28 17:16:00 | 000,000,000 | -HSD | C] -- C:\Users\ADMIN\SendTo
[2013/02/28 17:16:00 | 000,000,000 | -HSD | C] -- C:\Users\ADMIN\Recent
[2013/02/28 17:16:00 | 000,000,000 | -HSD | C] -- C:\Users\ADMIN\PrintHood
[2013/02/28 17:16:00 | 000,000,000 | -HSD | C] -- C:\Users\ADMIN\NetHood
[2013/02/28 17:16:00 | 000,000,000 | -HSD | C] -- C:\Users\ADMIN\My Documents
[2013/02/28 17:16:00 | 000,000,000 | -HSD | C] -- C:\Users\ADMIN\Local Settings
[2013/02/28 17:16:00 | 000,000,000 | -HSD | C] -- C:\Users\ADMIN\Cookies
[2013/02/28 17:16:00 | 000,000,000 | -HSD | C] -- C:\Users\ADMIN\Application Data
[2013/02/28 17:15:59 | 000,000,000 | R--D | C] -- C:\Users\ADMIN\Videos
[2013/02/28 17:15:59 | 000,000,000 | R--D | C] -- C:\Users\ADMIN\Pictures
[2013/02/28 17:15:59 | 000,000,000 | R--D | C] -- C:\Users\ADMIN\Music
[2013/02/28 17:15:59 | 000,000,000 | R--D | C] -- C:\Users\ADMIN\Links
[2013/02/28 17:15:59 | 000,000,000 | R--D | C] -- C:\Users\ADMIN\Favorites
[2013/02/28 17:15:59 | 000,000,000 | R--D | C] -- C:\Users\ADMIN\Downloads
[2013/02/28 17:15:59 | 000,000,000 | R--D | C] -- C:\Users\ADMIN\Documents
[2013/02/28 17:15:59 | 000,000,000 | R--D | C] -- C:\Users\ADMIN\Desktop
[2013/02/28 17:15:59 | 000,000,000 | -H-D | C] -- C:\Users\ADMIN\AppData
[2013/02/28 17:15:59 | 000,000,000 | ---D | C] -- C:\Users\ADMIN\Saved Games
[2013/02/28 13:05:39 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2013/02/28 13:04:21 | 000,221,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\netio.sys
[2013/02/27 18:20:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/02/27 18:20:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013/02/27 18:20:00 | 000,021,104 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2013/02/27 18:20:00 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013/02/27 17:31:52 | 000,000,000 | ---D | C] -- C:\ProgramData\5C760B949F8D9EB500005C75AF24A469
[2013/02/13 04:07:08 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2013/02/13 04:07:07 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2013/02/13 04:07:06 | 000,607,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2013/02/13 04:07:06 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2013/02/13 04:07:06 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2013/02/13 04:07:04 | 001,800,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2013/02/13 04:07:04 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2013/02/13 04:07:02 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2013/02/13 00:26:21 | 002,048,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2013/02/13 00:26:19 | 001,314,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\quartz.dll
[2013/02/13 00:26:12 | 003,602,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2013/02/13 00:26:12 | 003,550,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe

========== Files - Modified Within 30 Days ==========

[2013/03/11 16:01:57 | 000,000,468 | -H-- | M] () -- C:\Windows\tasks\TC STUDIOS LLCrev 1342101860.job
[2013/03/11 16:00:08 | 000,000,468 | -H-- | M] () -- C:\Windows\tasks\TC STUDIOS LLCrev 1327006931.job
[2013/03/11 16:00:07 | 000,000,468 | -H-- | M] () -- C:\Windows\tasks\TC STUDIOS LLCrev 1295450279.job
[2013/03/11 15:45:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013/03/11 15:32:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/03/11 14:49:31 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013/03/11 14:49:31 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013/03/11 08:02:55 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013/03/08 08:49:06 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/03/04 20:47:55 | 000,001,973 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2013/02/28 13:07:17 | 000,002,154 | ---- | M] () -- C:\Windows\epplauncher.mif
[2013/02/27 18:20:04 | 000,000,649 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/02/27 11:32:18 | 000,691,568 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2013/02/27 11:32:17 | 000,071,024 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2013/02/13 04:19:00 | 000,389,328 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013/02/13 04:03:43 | 000,690,232 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/02/13 04:03:43 | 000,137,238 | ---- | M] () -- C:\Windows\System32\perfc009.dat

========== Files Created - No Company Name ==========

[2013/02/28 17:15:59 | 000,000,258 | ---- | C] () -- C:\Users\ADMIN\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2013/02/28 17:15:59 | 000,000,240 | ---- | C] () -- C:\Users\ADMIN\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
[2013/02/28 13:07:17 | 000,002,154 | ---- | C] () -- C:\Windows\epplauncher.mif
[2013/02/28 13:06:36 | 000,001,828 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2013/02/27 18:20:04 | 000,000,649 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/09/21 11:49:26 | 000,048,640 | ---- | C] () -- C:\Windows\System32\sdtnpm.dll
[2012/02/14 11:27:16 | 000,155,648 | ---- | C] () -- C:\Windows\agent.exe
[2012/01/24 12:05:09 | 000,000,418 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2012/01/19 12:55:03 | 000,000,096 | ---- | C] () -- \pwd_vault.dat
[2012/01/13 14:54:16 | 000,000,000 | ---- | C] () -- C:\Windows\EEventManager.INI
[2011/08/19 22:26:28 | 000,667,280 | ---- | C] () -- C:\Windows\System32\tx12.dll
[2011/08/19 22:26:28 | 000,000,530 | ---- | C] () -- C:\Windows\System32\tx12_ic.ini
[2011/08/19 22:26:28 | 000,000,186 | ---- | C] () -- C:\Windows\System32\Gsw32.exe.config
[2011/05/24 16:04:33 | 000,000,079 | ---- | C] () -- C:\Windows\EWF840.ini
[2009/10/06 16:17:16 | 000,003,988 | RH-- | C] () -- \dell.sdr
[2009/04/11 11:44:03 | 000,333,257 | RHS- | C] () -- \bootmgr
[2006/11/02 06:23:09 | 000,000,024 | ---- | C] () -- \autoexec.bat
[2006/11/02 02:25:08 | 000,000,010 | ---- | C] () -- \config.sys

========== ZeroAccess Check ==========

[2006/11/02 08:54:18 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 13:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 02:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 02:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Alternate Data Streams ==========

@Alternate Data Stream - 161 bytes -> C:\ProgramData\TEMPFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:A8ADE5D8
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:430C6D84

< End of report >
  #7  
Old March 11th, 2013, 11:25 PM
Jintan Jintan is offline
Malware Removal Team Advisor
 
Join Date: Dec 2004
Posts: 50,140
We're surely going to have to do something with all those odd user account startups, but yes, I would like to see the other scan logs first.
  #8  
Old March 12th, 2013, 12:58 PM
birdiexris birdiexris is offline
New Member
 
Join Date: Mar 2013
Posts: 7
GMER 2.1.19155 - http://www.gmer.net
Rootkit quick scan 2013-03-12 07:49:05
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST316031 rev.CC44 149.01GB
Running: cfq4b5zs.exe; Driver: C:\Users\ADMIN\AppData\Local\Temp\awdiipog.sys


---- Devices - GMER 2.1 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys
AttachedDevice \Driver\tdx \Device\Ip SYMTDI.SYS
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS
AttachedDevice \Driver\tdx \Device\RawIp SYMTDI.SYS

---- EOF - GMER 2.1 ----
  #9  
Old March 12th, 2013, 01:21 PM
birdiexris birdiexris is offline
New Member
 
Join Date: Mar 2013
Posts: 7
RogueKiller report

Told me I have ZeroAccess... I'm going to do the video on how to remove it now. In the meantime, here is the report from RK.

RogueKiller V8.5.2 [Mar 9 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files...3-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : ADMIN [Admin rights]
Mode : Scan -- Date : 03/12/2013 08:14:46
| ARK || FAK || MBR |

Bad processes : 1
[SUSP PATH] VPDAgent.exe -- C:\Windows\VPDAgent.exe [-] -> KILLED [TermProc]

Registry Entries : 4
[TASK][ROGUE ST] 0 : c:\program files\internet explorer\iexplore.exe -> FOUND
[TASK][ROGUE ST] 4769 : wscript.exe C:\Users\Brenda\AppData\Local\Temp\launchie.vbs //B -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-3619115116-1404167161-2404751703-1003\$09378bd110d8a6b768f167158928f0b4\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-3619115116-1404167161-2404751703-1003\$09378bd110d8a6b768f167158928f0b4\L --> FOUND

Driver : [LOADED]
SSDT[13] : NtAlertResumeThread @ 0x84CE5591 -> HOOKED (Unknown @ 0x8AD57DA8)
SSDT[14] : NtAlertThread @ 0x84C5E1F5 -> HOOKED (Unknown @ 0x8A788120)
SSDT[18] : NtAllocateVirtualMemory @ 0x84C9A47D -> HOOKED (Unknown @ 0x8AF1DB98)
SSDT[21] : NtAlpcConnectPort @ 0x84C3C824 -> HOOKED (Unknown @ 0x8A1E75C0)
SSDT[42] : NtAssignProcessToJobObject @ 0x84C0FB08 -> HOOKED (Unknown @ 0x8AF1B3A8)
SSDT[67] : NtCreateMutant @ 0x84C727A2 -> HOOKED (Unknown @ 0x8A789120)
SSDT[77] : NtCreateSymbolicLinkObject @ 0x84C1231F -> HOOKED (Unknown @ 0x8A843C20)
SSDT[78] : NtCreateThread @ 0x84CE3BA4 -> HOOKED (Unknown @ 0x8A75E888)
SSDT[116] : NtDebugActiveProcess @ 0x84CB6CA0 -> HOOKED (Unknown @ 0x8AEF8538)
SSDT[129] : NtDuplicateObject @ 0x84C4A4E1 -> HOOKED (Unknown @ 0x8955BF20)
SSDT[147] : NtFreeVirtualMemory @ 0x84AD6F1D -> HOOKED (Unknown @ 0x8AF204C0)
SSDT[156] : NtImpersonateAnonymousToken @ 0x84C0CF15 -> HOOKED (Unknown @ 0x8A853110)
SSDT[158] : NtImpersonateThread @ 0x84C2250F -> HOOKED (Unknown @ 0x8A75C110)
SSDT[165] : NtLoadDriver @ 0x84BBDDEE -> HOOKED (Unknown @ 0x89785BA0)
SSDT[177] : NtMapViewOfSection @ 0x84C6283A -> HOOKED (Unknown @ 0x8A78C110)
SSDT[184] : NtOpenEvent @ 0x84C4BD5F -> HOOKED (Unknown @ 0x8AEEFAD0)
SSDT[194] : NtOpenProcess @ 0x84C72F3E -> HOOKED (Unknown @ 0x8AF1BBD0)
SSDT[195] : NtOpenProcessToken @ 0x84C539C0 -> HOOKED (Unknown @ 0x8A5D3650)
SSDT[197] : NtOpenSection @ 0x84C6360D -> HOOKED (Unknown @ 0x8AEF9110)
SSDT[201] : NtOpenThread @ 0x84C6E48F -> HOOKED (Unknown @ 0x8AF1FA20)
SSDT[210] : NtProtectVirtualMemory @ 0x84C6C272 -> HOOKED (Unknown @ 0x8AF496F0)
SSDT[282] : NtResumeThread @ 0x84C6DADA -> HOOKED (Unknown @ 0x8AC14288)
SSDT[289] : NtSetContextThread @ 0x84CE503F -> HOOKED (Unknown @ 0x8A77A4C0)
SSDT[305] : NtSetInformationProcess @ 0x84C66868 -> HOOKED (Unknown @ 0x8AF353B8)
SSDT[317] : NtSetSystemInformation @ 0x84C38E9B -> HOOKED (Unknown @ 0x8AEF60B0)
SSDT[330] : NtSuspendProcess @ 0x84CE54CB -> HOOKED (Unknown @ 0x8AEF4108)
SSDT[331] : NtSuspendThread @ 0x84BEC921 -> HOOKED (Unknown @ 0x8A7A11E0)
SSDT[334] : NtTerminateProcess @ 0x84C430D3 -> HOOKED (Unknown @ 0x8AD30020)
SSDT[335] : NtTerminateThread @ 0x84C6E4C4 -> HOOKED (Unknown @ 0x8A786EB0)
SSDT[348] : NtUnmapViewOfSection @ 0x84C62AFD -> HOOKED (Unknown @ 0x8A760BA8)
SSDT[358] : NtWriteVirtualMemory @ 0x84C5F8CD -> HOOKED (Unknown @ 0x8AF20F00)
SSDT[382] : NtCreateThreadEx @ 0x84C6DF79 -> HOOKED (Unknown @ 0x8AF49130)
S_SSDT[317] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8B5CA0E0)
S_SSDT[397] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8A112318)
S_SSDT[428] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8A112258)
S_SSDT[430] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8A1123D8)
S_SSDT[442] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8A112510)
S_SSDT[479] : NtUserMessageCall -> HOOKED (Unknown @ 0x89642F80)
S_SSDT[497] : NtUserPostMessage -> HOOKED (Unknown @ 0x8A112188)
S_SSDT[498] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8A1120B8)
S_SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8A112668)
S_SSDT[576] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8B5CA118)

Extern Hives:
-> D:\windows\system32\config\SOFTWARE
-> D:\windows\system32\config\SYSTEM
-> D:\Users\Default\NTUSER.DAT

Infection : ZeroAccess

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost


MBR Check:

+++++ PhysicalDrive0: ST3160318AS +++++
--- User ---
[MBR] d2363058415e7514b06a54311d4a82d0
[BSP] 281534eaf8264ff920a11d7180914027 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 137546 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: HP Officejet 6500 E USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_03122013_02d0814.txt >>
RKreport[1]_S_03122013_02d0814.txt
  #10  
Old March 12th, 2013, 11:07 PM
Jintan Jintan is offline
Malware Removal Team Advisor
 
Join Date: Dec 2004
Posts: 50,140
Quote:
I'm going to do the video on how to remove it now
Sure wish you wouldn't do your own repairs. Removing infection is what we are doing here. I assume you are "doing the video", so everything is on hold here until you post back.
  #11  
Old March 13th, 2013, 01:10 PM
birdiexris birdiexris is offline
New Member
 
Join Date: Mar 2013
Posts: 7
Well, RK took me to a video instantly on how to remove it. I did realize then that it was in French and since I can't understand French, I didn't do it. It appears RK did find and eliminate the threat though. There are no more background processes and we've gone from using 65% RAM back down to using only 28%.
  #12  
Old March 13th, 2013, 10:13 PM
Jintan Jintan is offline
Malware Removal Team Advisor
 
Join Date: Dec 2004
Posts: 50,140
RogueKiller did locate the malware. But did you go ahead and run the Delete portion as well? Just need to know where we stand still.
  #13  
Old March 14th, 2013, 12:13 AM
Jintan Jintan is offline
Malware Removal Team Advisor
 
Join Date: Dec 2004
Posts: 50,140
I don't want to delay these repairs, so I am going to assume you did run the delete step.


Be sure to continue to temporarily disable any protective software when running the scan tools we use here.


Download ComboFix.exe from here to your desktop, then click that to run that scan. Agree to any warnings you might receive.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.