a hijacker keeps reappearing with each S&D scan



outpouring
2013-04-07, 03:32
I have been trying to keep my computer clean using different software like Advanced SystemCare, Spybot S&D, Disk Cleanup, CCleaner. I however have a recurring hijacker, so to speak, that continues to reappear after the clean. It always shows up when I do the Spybot scan. I did a scan this morning, fixed it and did it again not too long ago and there it was again. This is what it says:

Search result list ---
IncrediBar: [SBI $43928D57] Program directory
C:\Documents and Settings\Authorized User\Local Settings\Temp\ImInstaller\

I saved a full .txt file of the S&D scan. I also have the DDS and the aswMBR.txt saved, which I am attaching for you to review. I did not see anything like what I got from the S&D scan in the DDS or aswMBR logs, but maybe I don't know what to be looking for.

I have downloaded ERUNT. I have Windows XP Professional 32-bit SP3, Firefox version 19.02 and IE8.

I don't know how to keep the IncrediBar ImInstaller from coming back. I have done much of what was suggested on this site but shy away from the registry. I did not find the word MyStart connected to the IncrediBar directory that S&D picked up.

Thanks for your kind consideration.

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-04-06 16:11:47
-----------------------------
16:11:47.796 OS Version: Windows 5.1.2600 Service Pack 3
16:11:47.796 Number of processors: 2 586 0xF06
16:11:47.796 ComputerName: AUTHORIZ-28629F UserName: Authorized User
16:11:48.468 Initialize success
16:12:21.234 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-12
16:12:21.234 Disk 0 Vendor: WDC_WD2500JS-00MHB0 02.01C03 Size: 238475MB BusType: 3
16:12:21.390 Disk 0 MBR read successfully
16:12:21.390 Disk 0 MBR scan
16:12:21.390 Disk 0 Windows XP default MBR code
16:12:21.406 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238464 MB offset 63
16:12:21.406 Disk 0 scanning sectors +488376000
16:12:21.484 Disk 0 scanning C:\WINDOWS\system32\drivers
16:12:30.968 Service scanning
16:12:33.718 Service GMSIPCI D:\INSTALL\GMSIPCI.SYS **LOCKED** 21
16:12:35.750 Service MpKsle761535a c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8EBE9935-4D22-4EDB-958C-DEF884A4DA44}\MpKsle761535a.sys **LOCKED** 32
16:12:35.921 Service MSICPL D:\install4\MSICPL.sys **LOCKED** 21
16:12:36.859 Service NTACCESS D:\NTACCESS.sys **LOCKED** 21
16:12:39.031 Service SetupNTGLM7X D:\NTGLM7X.sys **LOCKED** 21
16:12:42.296 Modules scanning
16:12:47.984 Disk 0 trace - called modules:
16:12:48.000 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
16:12:48.015 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f38ab8]
16:12:48.031 3 CLASSPNP.SYS[f75cefd7] -> nt!IofCallDriver -> \Device\0000006b[0x86f0d9e8]
16:12:48.031 5 ACPI.sys[f7445620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-12[0x86f3cb00]
16:12:48.046 Scan finished successfully
16:14:46.562 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Authorized User\Desktop\MBR.dat"
16:14:46.562 The log file has been saved successfully to "C:\Documents and Settings\Authorized User\Desktop\aswMBR.txt"

ken545
2013-04-11, 00:46


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

Running programs with Vista or Windows 7, right click and select RUN AS ADMINISTRATOR

Go here (http://www.bleepingcomputer.com/download/adwcleaner/dl/125/) and download AdwCleaner to your desktop


Double click on AdwCleaner.exe to run the tool.
Click on Delete
A logfile will automatically open after the scan has finished.
Please post the content of that logfile in your reply.
You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.


http://i24.photobucket.com/albums/c30/ken545/AdwareCleaner.jpg

Download Junkware Removal Tool (http://thisisudax.org/downloads/JRT.exe) to your desktop


Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient, as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

outpouring
2013-04-11, 06:07
I hope I attached the DDS and the aswMBR zip files correctly this time.

thanks,

Linda

outpouring
2013-04-11, 07:52
# AdwCleaner v2.200 - Logfile created 04/10/2013 at 21:15:06
# Updated 02/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Authorized User - AUTHORIZ-28629F
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Authorized User\My Documents\Downloads\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\InstallMate

***** [Registry] *****

Key Deleted : HKCU\Software\FCTB000060093
Key Deleted : HKCU\Software\Headlight
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8769ADCE-DBA5-48E9-AFB5-67B12CDF2E61}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8769ADCE-DBA5-48E9-AFB5-67B12CDF2E61}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Classes\FCTB000060093.FCTB000060093Pos
Key Deleted : HKLM\SOFTWARE\Classes\FCTB000060093.FCTB000060093Pos.1
Key Deleted : HKLM\SOFTWARE\Classes\FCTB000060093.IEToolbar.1
Key Deleted : HKLM\SOFTWARE\Classes\FCTB000060093.JSOptionsImpl
Key Deleted : HKLM\SOFTWARE\Classes\FCTB000060093.JSOptionsImpl.1
Key Deleted : HKLM\SOFTWARE\Classes\FreeCauseURLSearchHook.FCToolbarURLSearchHook
Key Deleted : HKLM\SOFTWARE\Classes\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1
Key Deleted : HKLM\SOFTWARE\FCTB000060093
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
Key Deleted : HKLM\Software\ImInstaller
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\Software\Tarma Installer
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{4B3803EA-5230-4DC3-A7FC-33638F3D3542}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0 (en-US)

File : C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\6ptvbrzt.default\prefs.js

Deleted : user_pref("browser.search.defaultenginename", "Blekko");
Deleted : user_pref("browser.search.selectedEngine", "Blekko");
Deleted : user_pref("browser.search.order.1", "Blekko");
Deleted : user_pref("keyword.URL", "hxxp://blekko.com/ws/?source=c3348dd4&tbp=rbox&toolbarid=blekkotb_031&u=20[...]

File : C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\prefs.js

C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\user.js ... Deleted !

Deleted : user_pref("extentions.y2layers.defaultEnableAppsList", "Buzzdock,Buzzdock,");
Deleted : user_pref("extentions.y2layers.installId", "bcf3c70a-2e0a-4b22-b03c-63cf99312cb5");

-\\ Opera v [Unable to get version]

File : C:\Documents and Settings\Authorized User\Application Data\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [4165 octets] - [10/04/2013 21:12:18]
AdwCleaner[S1].txt - [4296 octets] - [10/04/2013 21:15:06]

########## EOF - C:\AdwCleaner[S1].txt - [4356 octets] ##########

outpouring
2013-04-11, 07:54
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.8.3 (04.05.2013:1)
OS: Microsoft Windows XP x86
Ran by Authorized User on Wed 04/10/2013 at 21:40:40.42
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\.default\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\s-1-5-18\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\s-1-5-19\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\s-1-5-20\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\S-1-5-21-57989841-1897051121-725345543-1003\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\DisplayName
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\URL



~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_classes_root\clsid\{0055c089-8582-441b-a0bf-17b458c2a3a8}



~~~ Files

Successfully deleted: [File] "C:\WINDOWS\tasks\driverscanner.job"



~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\blekkotb_031"
Successfully deleted: [Folder] "C:\Documents and Settings\Authorized User\Application Data\drivercure"
Successfully deleted: [Folder] "C:\Documents and Settings\Authorized User\Application Data\oovootb"
Successfully deleted: [Folder] "C:\Documents and Settings\Authorized User\Local Settings\Application Data\blekkotb_031"
Successfully deleted: [Folder] "C:\Program Files\bigfix"
Successfully deleted: [Folder] "C:\Program Files\driver-soft"
Successfully deleted: [Folder] "C:\Program Files\oovootb"



~~~ FireFox

Successfully deleted the following from C:\Documents and Settings\Authorized User\Application Data\mozilla\firefox\profiles\mxj2tocu.default\prefs.js

user_pref("browser.startup.homepage", "hxxps://ixquick.com/eng/");
Emptied folder: C:\Documents and Settings\Authorized User\Application Data\mozilla\firefox\profiles\mxj2tocu.default\minidumps [15 files]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 04/10/2013 at 22:05:44.96
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
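The question this thread opens with is which items keep coming back between scans. The AdwCleaner and JRT logs above follow a regular line format, so an analyst can parse successive logs and intersect them instead of eyeballing them. The script below is an added example written for this page, not code from AdwCleaner, JRT, Spybot or the forum; the log fragments in it are constructed samples in those two tools' formats (the ImInstaller key is made to recur on purpose), and the function names are this example's own.

```python
import re
from typing import List, NamedTuple, Tuple


class Finding(NamedTuple):
    tool: str     # which tool reported it: "adwcleaner" or "jrt"
    kind: str     # Key, Value, Folder, File or Pref
    target: str   # normalized registry path, file path or pref name


# AdwCleaner lines look like:  Key Deleted : HKCU\Software\ImInstaller
ADW_RE = re.compile(r"^(Key|Value|Folder|File) Deleted : (.+)$")
# AdwCleaner browser section:   Deleted : user_pref("browser.search.defaultenginename", "Blekko");
ADW_PREF_RE = re.compile(r'^Deleted : user_pref\("([^"]+)"')
# JRT lines look like:          Successfully deleted: [Registry Key] hkey_classes_root\clsid\{...}
JRT_RE = re.compile(r"^Successfully (?:deleted|repaired): \[([^\]]+)\] (.+)$")


def normalize(target: str) -> str:
    """Registry and NTFS paths are case-insensitive; JRT quotes file paths."""
    return target.strip().strip('"').lower()


def parse_log(text: str) -> List[Finding]:
    """Turn an AdwCleaner or JRT log into a list of Finding records; other lines are ignored."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ADW_RE.match(line)
        if m:
            findings.append(Finding("adwcleaner", m.group(1), normalize(m.group(2))))
            continue
        m = ADW_PREF_RE.match(line)
        if m:
            findings.append(Finding("adwcleaner", "Pref", m.group(1).lower()))
            continue
        m = JRT_RE.match(line)
        if m:
            kind = m.group(1).replace("Registry ", "")   # "Registry Key" -> "Key", matches AdwCleaner naming
            findings.append(Finding("jrt", kind, normalize(m.group(2))))
    return findings


def recurring(first: List[Finding], second: List[Finding]) -> List[Tuple[str, str]]:
    """Items removed in an earlier scan that a later scan reports again.

    The tool name is deliberately dropped from the key so that an item AdwCleaner removed
    and JRT later found again still counts as recurring.
    """
    def key(f: Finding) -> Tuple[str, str]:
        return (f.kind.lower(), f.target)
    return sorted({key(f) for f in second} & {key(f) for f in first})


# Constructed sample logs (not the logs posted in the thread) in the two tools' formats.
LOG_SCAN_1 = r"""
# AdwCleaner v2.200 - Logfile created 04/10/2013 at 21:15:06 (constructed sample)
***** [Files / Folders] *****
Folder Deleted : C:\Documents and Settings\All Users\Application Data\InstallMate
***** [Registry] *****
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKLM\Software\ImInstaller
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{4B3803EA-5230-4DC3-A7FC-33638F3D3542}]
Deleted : user_pref("browser.search.defaultenginename", "Blekko");
"""

LOG_SCAN_2 = r"""
# AdwCleaner v2.200 - Logfile created 04/11/2013 at 07:00:00 (constructed sample)
***** [Registry] *****
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\Headlight
"""

LOG_JRT = r"""
Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\main\\Start Page
Successfully deleted: [Registry Key] hkey_classes_root\clsid\{0055c089-8582-441b-a0bf-17b458c2a3a8}
Successfully deleted: [Folder] "C:\Program Files\oovootb"
"""


def report() -> List[Tuple[str, str]]:
    """Compare the two constructed AdwCleaner runs and return what survived the first clean."""
    return recurring(parse_log(LOG_SCAN_1), parse_log(LOG_SCAN_2))


if __name__ == "__main__":
    for kind, target in report():
        print(f"recurring {kind}: {target}")
```

An item that is deleted in one run and present again in the next points at something that recreates it (a scheduled task, a startup entry, a still-installed program), which is why the helper's next step is an OTL listing of run keys and tasks rather than a further delete pass.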

outpouring
2013-04-11, 07:57
OTL logfile created on: 4/10/2013 10:25:30 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Authorized User\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.75 Mb Total Physical Memory | 414.64 Mb Available Physical Memory | 40.90% Memory free
3.82 Gb Paging File | 3.32 Gb Available in Paging File | 86.90% Paging File free
Paging file location(s): C:\pagefile.sys 3000 3000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 189.80 Gb Free Space | 81.50% Space Free | Partition Type: NTFS

Computer Name: AUTHORIZ-28629F | User Name: Authorized User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Authorized User\My Documents\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
PRC - c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe (IObit)
PRC - C:\Program Files\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files\program\soffice.bin (OpenOffice.org)
PRC - C:\Program Files\Common Files\Java\Java Update\jucheck.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)
PRC - c:\Program Files\IDT\IntelXPV_v83\WDM\stacsv.exe (IDT, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Mozilla Firefox\mozjs.dll ()
MOD - C:\Program Files\Mozilla Firefox\extensions\{99a0337c-6303-4879-b72e-500fd9aaca8c}\components\TextAloud3Adapter.dll ()
MOD - C:\Program Files\program\libxml2.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\WINDOWS\system32\cpwmon2k.dll ()
MOD - C:\WINDOWS\system32\msdmo.dll ()
MOD - C:\WINDOWS\system32\Primomonnt.dll ()


========== Services (SafeList) ==========

SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (AdvancedSystemCareService6) -- C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe (IObit)
SRV - (SkypeUpdate) -- C:\Program Files\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (nvUpdatusService) -- C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)
SRV - (spupdsvc) -- C:\WINDOWS\system32\spupdsvc.exe (Microsoft Corporation)
SRV - (STacSV) -- c:\Program Files\IDT\IntelXPV_v83\WDM\stacsv.exe (IDT, Inc.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (SetupNTGLM7X) -- D:\NTGLM7X.sys File not found
DRV - (NTACCESS) -- D:\NTACCESS.sys File not found
DRV - (MSICPL) -- D:\install4\MSICPL.sys File not found
DRV - (Lbd) -- system32\DRIVERS\Lbd.sys File not found
DRV - (GMSIPCI) -- D:\INSTALL\GMSIPCI.SYS File not found
DRV - (bezmrzjs) -- System32\Drivers\bezmrzjs.sys File not found
DRV - (SmartDefragDriver) -- C:\WINDOWS\system32\drivers\SmartDefragDriver.sys ()
DRV - (PsSdkLBF) -- C:\WINDOWS\system32\drivers\pssdklbf.drv (microOLAP Technologies LTD)
DRV - (PsSdk31) -- C:\WINDOWS\system32\drivers\pssdk31.drv (microOLAP Technologies LTD)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (IDT, Inc.)
DRV - (sfng32) -- C:\WINDOWS\system32\drivers\sfng32.sys (Sonic Focus, Inc)
DRV - (HECI) -- C:\WINDOWS\system32\drivers\HECI.sys (Intel Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\..\SearchScopes\{86204eb2-384c-4dae-9595-38f95b9a8bd4}: "URL" = http://search.freecause.com/search?ourmark=4&fr=freecause&ei=utf-8&type=60093&p={searchTerms}


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-57989841-1897051121-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.bing.com/?pc=AVBR
IE - HKU\S-1-5-21-57989841-1897051121-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-21-57989841-1897051121-725345543-1003\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-21-57989841-1897051121-725345543-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-57989841-1897051121-725345543-1003\..\SearchScopes\{65119877-70E2-4C07-8FE7-D67BEAA5A0FD}: "URL" = https://ixquick.com/do/search?query={searchTerms}&cat=web&pl=ie&language=english
IE - HKU\S-1-5-21-57989841-1897051121-725345543-1003\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-57989841-1897051121-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-57989841-1897051121-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local

IE - HKU\S-1-5-21-57989841-1897051121-725345543-1006\..\SearchScopes,DefaultScope =

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&ilc=12&type=902615"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledAddons: %7B9D7B21FA-0991-472C-8F8E-2CD6CC1CB7BC%7D:2.01
FF - prefs.js..extensions.enabledAddons: %7B99a0337c-6303-4879-b72e-500fd9aaca8c%7D:3.0.37
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:20.0
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=902615&p="
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.13.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.13.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2897: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.2955: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1675: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: File not found
FF - HKCU\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine: File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/04/06 18:05:18 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/04/06 18:04:45 | 000,000,000 | ---D | M]

[2008/08/27 02:55:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Extensions
[2013/03/19 20:12:24 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions
[2010/08/27 15:15:33 | 000,000,000 | ---D | M] (Bible Fox Blue) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{0c2508e6-de4c-11db-8314-0800200c9a66}
[2010/12/17 21:56:03 | 000,000,000 | ---D | M] (Bible Fox) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{646f1212-bb24-11db-8314-0800200c9a66}
[2007/08/10 12:08:00 | 000,000,000 | ---D | M] (Bible Fox) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{646f1212-bb24-11db-8314-0800200c9a66}(2)
[2008/01/12 04:18:03 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}(2)
[2008/06/24 11:08:02 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}(3)
[2008/07/06 23:22:43 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}(4)
[2010/08/27 15:15:34 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{0c2508e6-de4c-11db-8314-0800200c9a66}\chrome\mac\mozapps\extensions
[2010/08/27 15:15:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{0c2508e6-de4c-11db-8314-0800200c9a66}\chrome\win\mozapps\extensions
[2010/12/17 21:56:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{646f1212-bb24-11db-8314-0800200c9a66}\chrome\win\mozapps\extensions
[2011/05/10 18:15:15 | 000,056,087 | ---- | M] () (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{9D7B21FA-0991-472C-8F8E-2CD6CC1CB7BC}.xpi
[2010/06/25 23:08:40 | 000,001,182 | ---- | M] () (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{0c2508e6-de4c-11db-8314-0800200c9a66}\chrome\mac\mozapps\xpinstall\xpinstallConfirm.css
[2010/06/25 23:08:40 | 000,001,937 | ---- | M] () (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{0c2508e6-de4c-11db-8314-0800200c9a66}\chrome\mac\mozapps\xpinstall\xpinstallItemGeneric.png
[2010/04/01 08:10:00 | 000,001,502 | ---- | M] () (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{0c2508e6-de4c-11db-8314-0800200c9a66}\chrome\win\mozapps\xpinstall\xpinstallConfirm.css
[2010/04/01 07:51:04 | 000,001,362 | ---- | M] () (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{0c2508e6-de4c-11db-8314-0800200c9a66}\chrome\win\mozapps\xpinstall\xpinstallItemGeneric.png
[2010/04/01 09:10:00 | 000,001,502 | ---- | M] () (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{646f1212-bb24-11db-8314-0800200c9a66}\chrome\win\mozapps\xpinstall\xpinstallConfirm.css
[2010/04/01 08:51:04 | 000,001,362 | ---- | M] () (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{646f1212-bb24-11db-8314-0800200c9a66}\chrome\win\mozapps\xpinstall\xpinstallItemGeneric.png
[2013/04/07 22:58:41 | 000,001,635 | ---- | M] () -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\searchplugins\ixquick.xml
[2013/04/06 18:04:44 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/04/06 18:04:44 | 000,000,000 | ---D | M] (TextAloud 3 Toolbar) -- C:\Program Files\Mozilla Firefox\extensions\{99a0337c-6303-4879-b72e-500fd9aaca8c}
[2013/04/06 18:04:44 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}(2)
[2013/04/06 18:04:43 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\browserhighlighter@ebay.com
[2013/04/06 18:05:19 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2013/03/19 22:10:37 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2013/03/19 22:10:37 | 000,002,086 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2013/03/16 00:19:48 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (TextAloud Toolbar) - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\Program Files\TextAloud\TAForIE.dll (NextUp.com)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-57989841-1897051121-725345543-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-57989841-1897051121-725345543-1003\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKU\S-1-5-21-57989841-1897051121-725345543-1003..\Run: [Advanced SystemCare 6] C:\Program Files\IObit\Advanced SystemCare 6\ASCTray.exe (IObit)
O4 - HKU\S-1-5-21-57989841-1897051121-725345543-1006..\Run: [ooVoo] C\ooVoo.exe /minimized File not found
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Authorized User\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk = C:\Program Files\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 55924053
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 55924053
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 55924053
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-57989841-1897051121-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-57989841-1897051121-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 55924053
O7 - HKU\S-1-5-21-57989841-1897051121-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-57989841-1897051121-725345543-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm ()
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html File not found
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - Reg Error: Key error. File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-57989841-1897051121-725345543-1003\..Trusted Domains: google.com ([b.mail] https in Trusted sites)
O15 - HKU\S-1-5-21-57989841-1897051121-725345543-1003\..Trusted Domains: google.com ([mail] https in Trusted sites)
O15 - HKU\S-1-5-21-57989841-1897051121-725345543-1003\..Trusted Domains: google.com ([www] https in Trusted sites)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.123.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{839C5D34-0789-4D47-A5F4-D14E41364C1F}: DhcpNameServer = 192.168.123.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop Components:0 () -
O24 - Desktop WallPaper: C:\Documents and Settings\Authorized User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Authorized User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/07/31 09:29:05 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/04/10 21:40:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2013/04/10 21:40:22 | 000,000,000 | ---D | C] -- C:\JRT
[2013/04/06 18:12:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2013/04/06 18:12:43 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2013/04/06 18:04:42 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013/03/31 22:37:43 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Authorized User\Recent
[2013/03/30 22:30:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\My Documents\Q-Sciences
[2013/03/22 19:32:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Earth
[2013/03/19 20:24:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Desktop\Registration_sheets_for_November
[2013/03/19 20:23:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Local Settings\Application Data\PC_Drivers_Headquarters
[2013/03/19 20:12:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\IncrediMail
[2013/03/19 20:12:23 | 000,000,000 | ---D | C] -- C:\Program Files\Photo Notifier and Animation Creator
[2013/03/19 17:56:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Application Data\Reason
[2013/03/19 17:56:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Boost
[2013/03/19 14:48:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PCPitstop
[2013/03/19 14:48:02 | 000,000,000 | ---D | C] -- C:\Program Files\PCPitstop
[2013/03/16 00:04:25 | 000,000,000 | ---D | C] -- C:\ReimageUndo
[2013/03/15 23:53:01 | 000,000,000 | ---D | C] -- C:\rei
[2013/03/15 23:52:53 | 000,000,000 | ---D | C] -- C:\Program Files\Reimage
[2013/03/15 23:05:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Local Settings\Application Data\join.me
[2007/09/01 10:49:23 | 000,411,248 | ---- | C] (Applian Technologies Inc.) -- C:\Program Files\FLV PlayerRCSetup.exe
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[43 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/04/10 22:27:00 | 000,000,412 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{CF3510EA-7E82-4CDD-95EE-2B0EFB946C87}.job
[2013/04/10 22:21:55 | 000,000,442 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{AD28DB5B-3C98-4A5B-BDEB-170A25E647C8}.job
[2013/04/10 22:16:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/04/10 21:31:18 | 000,000,300 | ---- | M] () -- C:\WINDOWS\tasks\SmartDefrag_Startup.job
[2013/04/10 21:30:25 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/04/10 21:20:33 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/04/10 21:20:25 | 000,000,298 | ---- | M] () -- C:\WINDOWS\tasks\SmartDefragUpdate.job
[2013/04/10 21:20:19 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/04/10 21:20:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/04/10 21:03:34 | 000,001,116 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\aswMBR.zip
[2013/04/10 20:50:59 | 000,004,702 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\DDS 04-6-2013 attach.zip
[2013/04/10 20:40:32 | 000,004,674 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\attach.zip
[2013/04/10 18:00:07 | 000,000,464 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration3.job
[2013/04/10 06:23:30 | 000,263,024 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/04/10 06:06:21 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/04/08 23:53:00 | 000,000,436 | ---- | M] () -- C:\WINDOWS\tasks\Reimage ScanAgent.job
[2013/04/06 18:12:45 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\NTREGOPT.lnk
[2013/04/06 18:12:45 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\ERUNT.lnk
[2013/04/06 16:14:46 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\MBR.dat
[2013/04/02 03:33:22 | 000,237,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2013/03/31 00:25:52 | 000,312,572 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/03/31 00:25:52 | 000,040,516 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/03/29 15:50:19 | 000,208,997 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\Doreen PGE.pdf
[2013/03/22 19:32:19 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2013/03/22 09:29:33 | 000,142,199 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\IMG_9573.jpg
[2013/03/20 14:27:30 | 000,001,177 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\join.me.lnk
[2013/03/19 22:16:25 | 000,693,976 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/03/19 22:16:25 | 000,073,432 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/03/18 23:53:29 | 000,000,836 | ---- | M] () -- C:\WINDOWS\System32\ScanResults.xml
[2013/03/18 23:53:03 | 000,000,976 | ---- | M] () -- C:\WINDOWS\System32\SettingsFile
[2013/03/17 13:54:54 | 030,508,911 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Support_Info.zip
[2013/03/16 00:25:35 | 000,002,470 | ---- | M] () -- C:\WINDOWS\System32\reimage.nat
[2013/03/16 00:19:56 | 000,726,528 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\jscript(2).dll
[2013/03/16 00:19:56 | 000,232,448 | ---- | M] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\WINDOWS\System32\l3codecp.acm
[2013/03/16 00:19:50 | 000,021,640 | ---- | M] () -- C:\WINDOWS\System32\emptyregdb.dat
[2013/03/16 00:19:48 | 000,000,734 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[43 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\etc\*.tmp files -> C:\WINDOWS\System32\drivers\etc\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/04/10 21:02:40 | 000,001,116 | ---- | C] () -- C:\Documents and Settings\Authorized User\Desktop\aswMBR.zip
[2013/04/10 20:42:54 | 000,004,702 | ---- | C] () -- C:\Documents and Settings\Authorized User\Desktop\DDS 04-6-2013 attach.zip
[2013/04/10 20:40:32 | 000,004,674 | ---- | C] () -- C:\Documents and Settings\Authorized User\Desktop\attach.zip
[2013/04/10 06:01:51 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2013/04/06 18:12:45 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Authorized User\Desktop\NTREGOPT.lnk
[2013/04/06 18:12:45 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Authorized User\Desktop\ERUNT.lnk
[2013/04/06 16:14:46 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Authorized User\Desktop\MBR.dat
[2013/03/30 20:58:22 | 000,263,024 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/03/29 15:50:19 | 000,208,997 | ---- | C] () -- C:\Documents and Settings\Authorized User\Desktop\Doreen PGE.pdf
[2013/03/22 19:32:19 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2013/03/22 09:29:30 | 000,142,199 | ---- | C] () -- C:\Documents and Settings\Authorized User\Desktop\IMG_9573.jpg
[2013/03/20 14:27:30 | 000,001,177 | ---- | C] () -- C:\Documents and Settings\Authorized User\Start Menu\Programs\join.me.lnk
[2013/03/20 14:27:29 | 000,001,177 | ---- | C] () -- C:\Documents and Settings\Authorized User\Desktop\join.me.lnk
[2013/03/18 23:53:29 | 000,000,836 | ---- | C] () -- C:\WINDOWS\System32\ScanResults.xml
[2013/03/18 23:53:03 | 000,000,976 | ---- | C] () -- C:\WINDOWS\System32\SettingsFile
[2013/03/17 13:54:52 | 030,508,911 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Support_Info.zip
[2013/03/16 01:26:35 | 000,000,412 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{CF3510EA-7E82-4CDD-95EE-2B0EFB946C87}.job
[2013/03/16 00:21:30 | 000,002,470 | ---- | C] () -- C:\WINDOWS\System32\reimage.nat
[2013/03/16 00:18:08 | 000,017,062 | ---- | C] () -- C:\WINDOWS\Coffee Bean.bmp
[2013/03/16 00:18:08 | 000,001,272 | ---- | C] () -- C:\WINDOWS\Blue Lace 16.bmp
[2013/03/16 00:18:06 | 000,026,582 | ---- | C] () -- C:\WINDOWS\Greenstone.bmp
[2013/03/16 00:18:06 | 000,017,336 | ---- | C] () -- C:\WINDOWS\Gone Fishing.bmp
[2013/03/16 00:18:06 | 000,016,730 | ---- | C] () -- C:\WINDOWS\FeatherTexture.bmp
[2013/03/16 00:17:30 | 000,065,978 | ---- | C] () -- C:\WINDOWS\Soap Bubbles.bmp
[2013/03/16 00:17:30 | 000,065,954 | ---- | C] () -- C:\WINDOWS\Prairie Wind.bmp
[2013/03/16 00:17:30 | 000,065,832 | ---- | C] () -- C:\WINDOWS\Santa Fe Stucco.bmp
[2013/03/16 00:17:30 | 000,026,680 | ---- | C] () -- C:\WINDOWS\River Sumida.bmp
[2013/03/16 00:17:30 | 000,017,362 | ---- | C] () -- C:\WINDOWS\Rhododendron.bmp
[2013/03/16 00:17:29 | 000,009,522 | ---- | C] () -- C:\WINDOWS\Zapotec.bmp
[2013/03/15 23:53:09 | 000,000,436 | ---- | C] () -- C:\WINDOWS\tasks\Reimage ScanAgent.job
[2012/12/18 17:32:36 | 000,014,776 | ---- | C] () -- C:\WINDOWS\System32\drivers\SmartDefragDriver.sys
[2012/08/13 11:57:00 | 000,012,927 | ---- | C] () -- C:\Program Files\readme.html
[2012/05/08 15:15:36 | 000,000,005 | ---- | C] () -- C:\Program Files\basis-link
[2012/03/31 23:10:36 | 002,784,050 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data
[2012/03/15 20:57:42 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2012/02/14 15:17:27 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/11/03 13:52:46 | 000,127,589 | ---- | C] () -- C:\Documents and Settings\Authorized User\Local Settings\Application Data\census.cache
[2011/11/03 13:52:22 | 000,207,176 | ---- | C] () -- C:\Documents and Settings\Authorized User\Local Settings\Application Data\ars.cache
[2011/11/03 12:14:13 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Authorized User\Local Settings\Application Data\housecall.guid.cache
[2011/05/10 17:19:36 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\redmonnt.dll
[2010/08/23 16:01:31 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Authorized User\Local Settings\Application Data\prvlcl.dat
[2009/12/09 01:33:52 | 000,000,408 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2009/11/30 16:52:42 | 000,072,080 | ---- | C] () -- C:\Documents and Settings\Authorized User\g2mdlhlpx.exe
[2008/05/08 14:28:55 | 000,095,744 | ---- | C] () -- C:\Documents and Settings\Authorized User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/03/21 04:07:41 | 000,005,663 | ---- | C] () -- C:\Documents and Settings\Authorized User\Application Data\PrimoPDFSet.xml
[2008/03/21 04:06:46 | 000,000,399 | ---- | C] () -- C:\Documents and Settings\Authorized User\Application Data\APUSet.xml
[2007/12/12 13:20:00 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2007/09/01 11:05:24 | 002,293,712 | ---- | C] () -- C:\Program Files\FLV PlayerFCSetup.exe
[2007/09/01 11:01:00 | 003,655,488 | ---- | C] () -- C:\Program Files\FLV PlayerRCATSetup.exe

========== ZeroAccess Check ==========

[2007/08/03 13:50:19 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

outpouring
2013-04-11, 08:12
OTL Extras logfile created on: 4/10/2013 10:25:30 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Authorized User\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.75 Mb Total Physical Memory | 414.64 Mb Available Physical Memory | 40.90% Memory free
3.82 Gb Paging File | 3.32 Gb Available in Paging File | 86.90% Paging File free
Paging file location(s): C:\pagefile.sys 3000 3000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 189.80 Gb Free Space | 81.50% Space Free | Partition Type: NTFS

Computer Name: AUTHORIZ-28629F | User Name: Authorized User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = Opera.HTML] -- "C:\Program Files\Opera\Opera.exe" "%1"

[HKEY_USERS\S-1-5-21-57989841-1897051121-725345543-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
http [open] -- Reg Error: Key error.
https [open] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- C:\Program Files\ParetoLogic\PCHA\noapp.exe %1 (ParetoLogic)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management
"80:TCP" = 80:TCP:*:Disabled:Windows Remote Management - Compatibility Mode (HTTP-In)

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\IncrediMail\bin\IncMail.exe" = C:\Program Files\IncrediMail\bin\IncMail.exe:*:Enabled:IncrediMail -- (IncrediMail, Ltd.)
"C:\Program Files\IncrediMail\bin\ImApp.exe" = C:\Program Files\IncrediMail\bin\ImApp.exe:*:Enabled:IncrediMail -- (IncrediMail, Ltd.)
"C:\Program Files\IncrediMail\bin\ImpCnt.exe" = C:\Program Files\IncrediMail\bin\ImpCnt.exe:*:Enabled:IncrediMail -- (IncrediMail, Ltd.)
"C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe" = C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe:*:Enabled:Daemonu.exe -- (NVIDIA Corporation)
"C:\Documents and Settings\Authorized User\Local Settings\Application Data\IM\Runtime\IncrediMail_Install.exe" = C:\Documents and Settings\Authorized User\Local Settings\Application Data\IM\Runtime\IncrediMail_Install.exe:*:Enabled:IncrediMail Installer -- ()
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour Service -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{04AAEE65-C463-44B4-BF7E-FE099C2B44B3}" = Bible Explorer 4 Download Edition
"{118071AB-6572-4FAD-A1FD-67264C994350}" = e-Sword
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{18DB3375-0649-4EA3-959A-44F1ACD278BA}" = IncrediMail
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2222B364-0854-4265-B32E-A142DB9DC7BB}" = Intel(R) PRO Network Connections 11.2.0.69
"{26A24AE4-039D-4CA4-87B4-2F83217013FF}" = Java 7 Update 13
"{27D0C7AB-59F1-4D4D-A0BB-05A31AC919EA}" = Windows XP Winter Fun Pack Screensavers
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{390DD8BB-BB57-4942-A029-2D913E4E9D74}" = Microsoft Security Client
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{3CBF3EBB-235D-4c29-A68B-2BB1F428586E}" = ParetoLogic PC Health Advisor
"{3F702F22-A623-4B6A-41BD-420700558223}_is1" = What's my computer doing 1.xx
"{459699C3-9430-4381-964B-4248D87B49F9}" = Apple Mobile Device Support
"{468D22C0-8080-11E2-B86E-B8AC6F98CCE3}" = Google Earth
"{48963B63-7A10-49D6-8B08-61E6132453D0}" = ViewSonic Monitor Drivers
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}" = Skype™ 6.1
"{55CE417E-BCB2-47B6-86B5-B40860D81033}" = Nero 7 Essentials
"{621C02EA-AAFF-4026-A903-165D59529A16}" = Driver Detective
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{788A0222-5690-4212-AA9C-C48FD0E1C9AE}" = Photo Notifier and Animation Creator
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7B189FD2-B936-4D8A-B329-48A5ECC89FD0}" = WebEx Recording Editor
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{87791AF4-4D4C-43DC-97BF-05EEEE5187F2}" = e-Sword
"{877CDE57-EB63-4787-AFBA-722191439C09}" = URsearch 0.6.0
"{8EB39AA7-4019-4550-AF6C-BE51BB27B446}" = TC Web Conferencing
"{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9F1F2AEA-C72A-4DD6-991E-C5506A5625E4}" = OpenOffice.org 3.4.1
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A0BCB4D2-73E5-4405-A48B-B805CCDD79DE}" = NextUp-Acapela Elan Ryan22 US English Voice
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AB0000000001}" = Adobe Reader XI (11.0.02)
"{B0261E53-B6F1-474A-864B-E7C3CBF468E0}" = iTunes
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B2FE1952-0186-46c3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 296.10
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 296.10
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NView" = NVIDIA nView 136.18
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 9.12.0213
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.7.11
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{B36B2813-018F-41EA-9704-8F403EDD7BE9}" = NextUp-Acapela Elan Heather22 US English Voice
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B76D4A7F-FF11-4420-947C-C3AD624B9DBA}" = Jasc Paint Shop Photo Album
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2F8CA82-2BD9-4513-B2D1-08A47914C1DA}_is1" = Uniblue DriverScanner
"{C8F753CF-C578-4138-A870-33149B689FFD}" = ISA 2 basic
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCE825DB-347A-4004-A186-5F4A6FDD8547}" = Apple Application Support
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B6}" = WinZip 11.2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D7F1A6E9-5A60-4573-AFBD-4A047A57635E}_is1" = Emphatic Diaglott New Testament (unorthodox - older jw) (edw or diaglott) (1942).bblx version 0
"{DA909E62-3B45-4BA1-8B58-FCAEBA4BCEC9}" = NVIDIA PhysX
"{DE332C83-2BCE-4C36-B527-4BD409A8751E}_is1" = NET Bible First Edition 2009
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = AusLogics Disk Defrag
"{E23E9487-2B6B-42CA-AE8D-E2369563AB02}" = TRW conferencing
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{F9AA6D78-CCE3-435F-9AB2-962A45EF41C8}" = TOA
"{FC47C7A5-BE63-11D5-B7C9-005004566E4D}" = ViewSonic Windows XP Signed Files
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Advanced SystemCare 6_is1" = Advanced SystemCare 6
"AnarkClient" = Anark Client 1.0
"AT&T Natural Voice Crystal_is1" = AT&T Natural Voices Crystal v. 1.4
"AT&T Natural Voice Mike_is1" = AT&T Natural Voices Mike v. 1.4
"Bible Explorer 4 Download Edition" = Bible Explorer 4 Download Edition
"CBrowser with C.C. A.E. Knoch" = CBrowser with C.C. A.E. Knoch 1.2.0
"CCleaner" = CCleaner
"Christian Research Library PDF_is1" = Early Christian Research Library in Adobe PDF
"CleanUp!" = CleanUp!
"ClickBook_is1" = ClickBook MMX
"Crazy Browser 3.1.0_is1" = Crazy Browser version 3.1.0
"CutePDF Writer Installation" = CutePDF Writer 2.8
"Duplicate File Finder_is1" = Duplicate File Finder 1.1.0.0
"EPSON NX420 Series" = EPSON NX420 Series Printer Uninstall
"EPSON Scanner" = EPSON Scan
"ERUNT_is1" = ERUNT 1.1j
"FoxTab PDF Converter" = FoxTab PDF Converter
"Hardware Helper_is1" = Hardware Helper
"HECI" = Intel(R) Management Engine Interface
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"IncrediMail" = IncrediMail 2.0
"InstallShield_{621C02EA-AAFF-4026-A903-165D59529A16}" = Driver Detective
"ISA 2 basic" = ISA 2 basic
"ISA 2.0 - YLT module" = ISA 2.0 - YLT module 1.2.1
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox 18.0 (x86 en-US)" = Mozilla Firefox 18.0 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"NewSaver" = NewSaver
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"PrimoPDF4.0" = PrimoPDF
"PROSet" = Intel(R) PRO Network Connections Drivers
"ReaJPEG_is1" = ReaJPEG 3.9
"Recuva" = Recuva
"RegCure" = RegCure
"Replay Media Catcher2.10" = Replay Media Catcher
"Replay_Converter_1" = Replay Converter 2.8
"Revo Uninstaller" = Revo Uninstaller 1.94
"Simpo PDF Password Remover_is1" = Simpo PDF Password Remover 1.1.0.0
"Smart Defrag 2_is1" = Smart Defrag 2
"Speccy" = Speccy
"TextAloud3_is1" = TextAloud 3.0
"TU2F" = TU2F
"Will God Be All-In-All" = Will God Be All-In-All
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XnView_is1" = XnView 1.92
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-57989841-1897051121-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"JoinMe" = join.me
"uTorrent" = µTorrent

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 3/12/2013 4:06:01 PM | Computer Name = AUTHORIZ-28629F | Source = Application Error | ID = 1000
Description = Faulting application skype.exe, version 6.1.0.129, faulting module
kernel32.dll, version 5.1.2600.6293, fault address 0x0000984e.

Error - 3/14/2013 7:57:08 PM | Computer Name = AUTHORIZ-28629F | Source = Application Error | ID = 1000
Description = Faulting application skype.exe, version 6.1.0.129, faulting module
kernel32.dll, version 5.1.2600.6293, fault address 0x0000984e.

Error - 3/16/2013 4:50:06 PM | Computer Name = AUTHORIZ-28629F | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 3/16/2013 4:50:06 PM | Computer Name = AUTHORIZ-28629F | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 3/19/2013 2:53:28 AM | Computer Name = AUTHORIZ-28629F | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 3/19/2013 10:13:22 PM | Computer Name = AUTHORIZ-28629F | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module msmapi32.dll, version 11.0.5601.0, fault address 0x00003bba.

Error - 3/19/2013 10:47:35 PM | Computer Name = AUTHORIZ-28629F | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module msmapi32.dll, version 11.0.5601.0, fault address 0x00003bba.

Error - 4/6/2013 12:25:29 PM | Computer Name = AUTHORIZ-28629F | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module msmapi32.dll, version 11.0.5601.0, fault address 0x00003bba.

Error - 4/6/2013 2:15:30 PM | Computer Name = AUTHORIZ-28629F | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module msmapi32.dll, version 11.0.5601.0, fault address 0x00003bba.

Error - 4/11/2013 12:38:48 AM | Computer Name = AUTHORIZ-28629F | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 unspecified, P2 hardeningtelemetry, P3 hardeningtelemetrydisablertp,
P4 4.2.223.0, P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10
NIL.


< End of report >

ken545
2013-04-11, 10:16
Good Morning,

Open OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

:processes
killallprocesses

:OTL
IE - HKLM\..\SearchScopes\{86204eb2-384c-4dae-9595-38f95b9a8bd4}: "URL" = http://search.freecause.com/search?ourmark=4&fr=freecause&ei=utf-8&type=60093&p={searchTerms}
IE - HKU\S-1-5-21-57989841-1897051121-725345543-1003\..\SearchScopes\{65119877-70E2-4C07-8FE7-D67BEAA5A0FD}: "URL" = https://ixquick.com/do/search?query={searchTerms}&cat=web&pl=ie&language=english
[2013/04/07 22:58:41 | 000,001,635 | ---- | M] () -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\searchplugins\ixquick.xml


:Services

:Reg

:Files
ipconfig /flushdns /c


:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces

Then run a new scan with OTL and post a new log please, also let me know how things are running now?
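As an added example (not from the thread and not part of OTL), the following Python helper does mechanically what ken545 did by eye above: it pulls the IE SearchScopes and Firefox keyword.URL lines out of an OTL log and reports any search host that is not on an expected list. The expected-host set is an assumption to be tuned per machine, and the sample lines are taken from the OTL logs posted in this thread.

```python
import re
from urllib.parse import urlparse

# Search hosts treated as expected on this machine (an assumption for this
# example; adjust per case). Anything else is reported for a human to review.
KNOWN_SEARCH_HOSTS = {"www.bing.com", "www.google.com", "search.yahoo.com"}

# IE search scope entries as OTL prints them, e.g.
#   IE - HKLM\..\SearchScopes\{GUID}: "URL" = http://...
IE_SCOPE_RE = re.compile(
    r'^IE - (?P<hive>HKLM|HKU\\S-[\d-]+)\\\.\.\\SearchScopes\\'
    r'(?P<guid>\{[^}]+\}): "URL" = (?P<url>\S+)$'
)
# Firefox keyword.URL pref as OTL prints it (address-bar search target).
FF_KEYWORD_RE = re.compile(r'^FF - prefs\.js\.\.keyword\.URL: "(?P<url>[^"]+)"$')


def parse_search_entries(lines):
    """Return one dict per IE SearchScopes URL or Firefox keyword.URL line."""
    entries = []
    for raw in lines:
        line = raw.strip()
        m = IE_SCOPE_RE.match(line)
        if m:
            entries.append({"kind": "ie_scope",
                            "where": f"{m['hive']} {m['guid']}",
                            "url": m["url"],
                            "host": urlparse(m["url"]).hostname,
                            "line": line})
            continue
        m = FF_KEYWORD_RE.match(line)
        if m:
            entries.append({"kind": "ff_keyword",
                            "where": "prefs.js keyword.URL",
                            "url": m["url"],
                            "host": urlparse(m["url"]).hostname,
                            "line": line})
    return entries


def flag_unexpected(entries, known_hosts=KNOWN_SEARCH_HOSTS):
    """Entries whose search host is not on the expected list (review candidates)."""
    return [e for e in entries if e["host"] not in known_hosts]


# Sample input: lines taken from the OTL logs posted in this thread.
SAMPLE_LOG = r"""
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search
IE - HKLM\..\SearchScopes\{86204eb2-384c-4dae-9595-38f95b9a8bd4}: "URL" = http://search.freecause.com/search?ourmark=4&fr=freecause&ei=utf-8&type=60093&p={searchTerms}
IE - HKU\S-1-5-21-57989841-1897051121-725345543-1003\..\SearchScopes\{65119877-70E2-4C07-8FE7-D67BEAA5A0FD}: "URL" = https://ixquick.com/do/search?query={searchTerms}&cat=web&pl=ie&language=english
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=902615&p="
FF - prefs.js..browser.search.defaultenginename: "Yahoo"
""".strip().splitlines()

if __name__ == "__main__":
    # Prints the two non-default scopes (freecause and ixquick) for review.
    for e in flag_unexpected(parse_search_entries(SAMPLE_LOG)):
        print(f"{e['kind']:10} {e['host']:22} {e['where']}")
```

The flagged lines can be pasted verbatim under `:OTL` in the fix box, which is exactly how the fix above was built; the Bing and Google scopes are left alone.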

outpouring
2013-04-11, 11:46
All processes killed
========== PROCESSES ==========
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{86204eb2-384c-4dae-9595-38f95b9a8bd4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86204eb2-384c-4dae-9595-38f95b9a8bd4}\ not found.
Registry key HKEY_USERS\S-1-5-21-57989841-1897051121-725345543-1003\Software\Microsoft\Internet Explorer\SearchScopes\{65119877-70E2-4C07-8FE7-D67BEAA5A0FD}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{65119877-70E2-4C07-8FE7-D67BEAA5A0FD}\ not found.
C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\searchplugins\ixquick.xml moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Authorized User\My Documents\Downloads\cmd.bat deleted successfully.
C:\Documents and Settings\Authorized User\My Documents\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes

User: All Users

User: Authorized User
->Temp folder emptied: 1588032 bytes
->Temporary Internet Files folder emptied: 8121935 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 144876932 bytes
->Apple Safari cache emptied: 0 bytes
->Opera cache emptied: 7039 bytes
->Flash cache emptied: 9352 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33237 bytes
->Flash cache emptied: 41 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 79666 bytes
->FireFox cache emptied: 2014709 bytes

User: NetworkService
->Temp folder emptied: 451226 bytes
->Temporary Internet Files folder emptied: 194146 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes
->Flash cache emptied: 41 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 16552738 bytes
%systemroot%\System32 .tmp files removed: 92311363 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 847727 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 585458054 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 5384952 bytes
RecycleBin emptied: 14976 bytes

Total Files Cleaned = 818.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 04112013_023653

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

outpouring
2013-04-11, 12:12
OTL logfile created on: 4/11/2013 2:48:51 AM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Authorized User\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.75 Mb Total Physical Memory | 390.17 Mb Available Physical Memory | 38.49% Memory free
3.82 Gb Paging File | 3.34 Gb Available in Paging File | 87.39% Paging File free
Paging file location(s): C:\pagefile.sys 3000 3000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 190.33 Gb Free Space | 81.73% Space Free | Partition Type: NTFS

Computer Name: AUTHORIZ-28629F | User Name: Authorized User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Authorized User\My Documents\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
PRC - c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - C:\Program Files\IObit\Advanced SystemCare 6\ASCTray.exe (IObit)
PRC - C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe (IObit)
PRC - C:\Program Files\IObit\Smart Defrag 2\SmartDefrag.exe (IObit)
PRC - C:\Program Files\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files\program\soffice.bin (OpenOffice.org)
PRC - C:\Program Files\Common Files\Java\Java Update\jucheck.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)
PRC - c:\Program Files\IDT\IntelXPV_v83\WDM\stacsv.exe (IDT, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Mozilla Firefox\mozjs.dll ()
MOD - C:\Program Files\Mozilla Firefox\extensions\{99a0337c-6303-4879-b72e-500fd9aaca8c}\components\TextAloud3Adapter.dll ()
MOD - C:\Program Files\program\libxml2.dll ()
MOD - C:\Program Files\IObit\Advanced SystemCare 6\madexcept_.bpl ()
MOD - C:\Program Files\IObit\Advanced SystemCare 6\maddisAsm_.bpl ()
MOD - C:\Program Files\IObit\Advanced SystemCare 6\madbasic_.bpl ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files\IObit\Smart Defrag 2\NtfsData.dll ()
MOD - C:\WINDOWS\system32\cpwmon2k.dll ()
MOD - C:\WINDOWS\system32\msdmo.dll ()
MOD - C:\WINDOWS\system32\Primomonnt.dll ()


========== Services (SafeList) ==========

SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (AdvancedSystemCareService6) -- C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe (IObit)
SRV - (SkypeUpdate) -- C:\Program Files\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (nvUpdatusService) -- C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)
SRV - (spupdsvc) -- C:\WINDOWS\system32\spupdsvc.exe (Microsoft Corporation)
SRV - (STacSV) -- c:\Program Files\IDT\IntelXPV_v83\WDM\stacsv.exe (IDT, Inc.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (SetupNTGLM7X) -- D:\NTGLM7X.sys File not found
DRV - (NTACCESS) -- D:\NTACCESS.sys File not found
DRV - (MSICPL) -- D:\install4\MSICPL.sys File not found
DRV - (Lbd) -- system32\DRIVERS\Lbd.sys File not found
DRV - (GMSIPCI) -- D:\INSTALL\GMSIPCI.SYS File not found
DRV - (bezmrzjs) -- System32\Drivers\bezmrzjs.sys File not found
DRV - (MpKsl8e2a9956) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C52A8FCB-5ACD-4DA8-93D6-C35AB52FAE38}\MpKsl8e2a9956.sys (Microsoft Corporation)
DRV - (SmartDefragDriver) -- C:\WINDOWS\system32\drivers\SmartDefragDriver.sys ()
DRV - (PsSdkLBF) -- C:\WINDOWS\system32\drivers\pssdklbf.drv (microOLAP Technologies LTD)
DRV - (PsSdk31) -- C:\WINDOWS\system32\drivers\pssdk31.drv (microOLAP Technologies LTD)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (IDT, Inc.)
DRV - (sfng32) -- C:\WINDOWS\system32\drivers\sfng32.sys (Sonic Focus, Inc)
DRV - (HECI) -- C:\WINDOWS\system32\drivers\HECI.sys (Intel Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-57989841-1897051121-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.bing.com/?pc=AVBR
IE - HKU\S-1-5-21-57989841-1897051121-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-21-57989841-1897051121-725345543-1003\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-21-57989841-1897051121-725345543-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-57989841-1897051121-725345543-1003\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-57989841-1897051121-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-57989841-1897051121-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local

IE - HKU\S-1-5-21-57989841-1897051121-725345543-1006\..\SearchScopes,DefaultScope =

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&ilc=12&type=902615"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledAddons: %7B9D7B21FA-0991-472C-8F8E-2CD6CC1CB7BC%7D:2.01
FF - prefs.js..extensions.enabledAddons: %7B99a0337c-6303-4879-b72e-500fd9aaca8c%7D:3.0.37
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:20.0
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=902615&p="
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.13.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.13.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2897: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.2955: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1675: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: File not found
FF - HKCU\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine: File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/04/06 18:05:18 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/04/06 18:04:45 | 000,000,000 | ---D | M]

[2008/08/27 02:55:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Extensions
[2013/03/19 20:12:24 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions
[2010/08/27 15:15:33 | 000,000,000 | ---D | M] (Bible Fox Blue) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{0c2508e6-de4c-11db-8314-0800200c9a66}
[2010/12/17 21:56:03 | 000,000,000 | ---D | M] (Bible Fox) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{646f1212-bb24-11db-8314-0800200c9a66}
[2007/08/10 12:08:00 | 000,000,000 | ---D | M] (Bible Fox) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{646f1212-bb24-11db-8314-0800200c9a66}(2)
[2008/01/12 04:18:03 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}(2)
[2008/06/24 11:08:02 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}(3)
[2008/07/06 23:22:43 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}(4)
[2010/08/27 15:15:34 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{0c2508e6-de4c-11db-8314-0800200c9a66}\chrome\mac\mozapps\extensions
[2010/08/27 15:15:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{0c2508e6-de4c-11db-8314-0800200c9a66}\chrome\win\mozapps\extensions
[2010/12/17 21:56:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{646f1212-bb24-11db-8314-0800200c9a66}\chrome\win\mozapps\extensions
[2011/05/10 18:15:15 | 000,056,087 | ---- | M] () (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{9D7B21FA-0991-472C-8F8E-2CD6CC1CB7BC}.xpi
[2010/06/25 23:08:40 | 000,001,182 | ---- | M] () (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{0c2508e6-de4c-11db-8314-0800200c9a66}\chrome\mac\mozapps\xpinstall\xpinstallConfirm.css
[2010/06/25 23:08:40 | 000,001,937 | ---- | M] () (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{0c2508e6-de4c-11db-8314-0800200c9a66}\chrome\mac\mozapps\xpinstall\xpinstallItemGeneric.png
[2010/04/01 08:10:00 | 000,001,502 | ---- | M] () (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{0c2508e6-de4c-11db-8314-0800200c9a66}\chrome\win\mozapps\xpinstall\xpinstallConfirm.css
[2010/04/01 07:51:04 | 000,001,362 | ---- | M] () (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{0c2508e6-de4c-11db-8314-0800200c9a66}\chrome\win\mozapps\xpinstall\xpinstallItemGeneric.png
[2010/04/01 09:10:00 | 000,001,502 | ---- | M] () (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{646f1212-bb24-11db-8314-0800200c9a66}\chrome\win\mozapps\xpinstall\xpinstallConfirm.css
[2010/04/01 08:51:04 | 000,001,362 | ---- | M] () (No name found) -- C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\mxj2tocu.default\extensions\{646f1212-bb24-11db-8314-0800200c9a66}\chrome\win\mozapps\xpinstall\xpinstallItemGeneric.png
[2013/04/06 18:04:44 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/04/06 18:04:44 | 000,000,000 | ---D | M] (TextAloud 3 Toolbar) -- C:\Program Files\Mozilla Firefox\extensions\{99a0337c-6303-4879-b72e-500fd9aaca8c}
[2013/04/06 18:04:44 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}(2)
[2013/04/06 18:04:43 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\browserhighlighter@ebay.com
[2013/04/06 18:05:19 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2013/03/19 22:10:37 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2013/03/19 22:10:37 | 000,002,086 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2013/04/11 02:36:56 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (TextAloud Toolbar) - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\Program Files\TextAloud\TAForIE.dll (NextUp.com)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-57989841-1897051121-725345543-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-57989841-1897051121-725345543-1003\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKU\S-1-5-21-57989841-1897051121-725345543-1003..\Run: [Advanced SystemCare 6] C:\Program Files\IObit\Advanced SystemCare 6\ASCTray.exe (IObit)
O4 - HKU\S-1-5-21-57989841-1897051121-725345543-1006..\Run: [ooVoo] C\ooVoo.exe /minimized File not found
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Authorized User\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk = C:\Program Files\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 55924053
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 55924053
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 55924053
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-57989841-1897051121-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-57989841-1897051121-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 55924053
O7 - HKU\S-1-5-21-57989841-1897051121-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-57989841-1897051121-725345543-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm ()
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html File not found
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - Reg Error: Key error. File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-57989841-1897051121-725345543-1003\..Trusted Domains: google.com ([b.mail] https in Trusted sites)
O15 - HKU\S-1-5-21-57989841-1897051121-725345543-1003\..Trusted Domains: google.com ([mail] https in Trusted sites)
O15 - HKU\S-1-5-21-57989841-1897051121-725345543-1003\..Trusted Domains: google.com ([www] https in Trusted sites)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.123.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{839C5D34-0789-4D47-A5F4-D14E41364C1F}: DhcpNameServer = 192.168.123.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop Components:0 () -
O24 - Desktop WallPaper: C:\Documents and Settings\Authorized User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Authorized User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/07/31 09:29:05 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/04/11 02:36:53 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/04/10 21:40:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2013/04/10 21:40:22 | 000,000,000 | ---D | C] -- C:\JRT
[2013/04/06 18:12:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2013/04/06 18:12:43 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2013/04/06 18:04:42 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013/03/31 22:37:43 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Authorized User\Recent
[2013/03/30 22:30:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\My Documents\Q-Sciences
[2013/03/22 19:32:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Earth
[2013/03/19 20:24:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Desktop\Registration_sheets_for_November
[2013/03/19 20:23:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Local Settings\Application Data\PC_Drivers_Headquarters
[2013/03/19 20:12:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\IncrediMail
[2013/03/19 20:12:23 | 000,000,000 | ---D | C] -- C:\Program Files\Photo Notifier and Animation Creator
[2013/03/19 17:56:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Application Data\Reason
[2013/03/19 17:56:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Start Menu\Programs\Boost
[2013/03/19 14:48:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PCPitstop
[2013/03/19 14:48:02 | 000,000,000 | ---D | C] -- C:\Program Files\PCPitstop
[2013/03/16 00:04:25 | 000,000,000 | ---D | C] -- C:\ReimageUndo
[2013/03/15 23:53:01 | 000,000,000 | ---D | C] -- C:\rei
[2013/03/15 23:52:53 | 000,000,000 | ---D | C] -- C:\Program Files\Reimage
[2013/03/15 23:05:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Authorized User\Local Settings\Application Data\join.me
[2007/09/01 10:49:23 | 000,411,248 | ---- | C] (Applian Technologies Inc.) -- C:\Program Files\FLV PlayerRCSetup.exe
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/04/11 02:52:00 | 000,000,412 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{CF3510EA-7E82-4CDD-95EE-2B0EFB946C87}.job
[2013/04/11 02:51:44 | 000,000,442 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{AD28DB5B-3C98-4A5B-BDEB-170A25E647C8}.job
[2013/04/11 02:48:55 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/04/11 02:39:05 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/04/11 02:38:54 | 000,000,298 | ---- | M] () -- C:\WINDOWS\tasks\SmartDefragUpdate.job
[2013/04/11 02:38:52 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/04/11 02:38:52 | 000,000,300 | ---- | M] () -- C:\WINDOWS\tasks\SmartDefrag_Startup.job
[2013/04/11 02:38:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/04/11 02:36:56 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2013/04/11 02:34:13 | 000,000,773 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\Shortcut to OTL.exe.lnk
[2013/04/11 02:16:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/04/10 21:03:34 | 000,001,116 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\aswMBR.zip
[2013/04/10 20:50:59 | 000,004,702 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\DDS 04-6-2013 attach.zip
[2013/04/10 20:40:32 | 000,004,674 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\attach.zip
[2013/04/10 18:00:07 | 000,000,464 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration3.job
[2013/04/10 06:23:30 | 000,263,024 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/04/10 06:06:21 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/04/08 23:53:00 | 000,000,436 | ---- | M] () -- C:\WINDOWS\tasks\Reimage ScanAgent.job
[2013/04/06 18:12:45 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\NTREGOPT.lnk
[2013/04/06 18:12:45 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\ERUNT.lnk
[2013/04/06 16:14:46 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\MBR.dat
[2013/04/02 03:33:22 | 000,237,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2013/03/31 00:25:52 | 000,312,572 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/03/31 00:25:52 | 000,040,516 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/03/29 15:50:19 | 000,208,997 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\Doreen PGE.pdf
[2013/03/22 19:32:19 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2013/03/22 09:29:33 | 000,142,199 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\IMG_9573.jpg
[2013/03/20 14:27:30 | 000,001,177 | ---- | M] () -- C:\Documents and Settings\Authorized User\Desktop\join.me.lnk
[2013/03/19 22:16:25 | 000,693,976 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/03/19 22:16:25 | 000,073,432 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/03/18 23:53:29 | 000,000,836 | ---- | M] () -- C:\WINDOWS\System32\ScanResults.xml
[2013/03/18 23:53:03 | 000,000,976 | ---- | M] () -- C:\WINDOWS\System32\SettingsFile
[2013/03/17 13:54:54 | 030,508,911 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Support_Info.zip
[2013/03/16 00:25:35 | 000,002,470 | ---- | M] () -- C:\WINDOWS\System32\reimage.nat
[2013/03/16 00:19:56 | 000,726,528 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\jscript(2).dll
[2013/03/16 00:19:56 | 000,232,448 | ---- | M] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\WINDOWS\System32\l3codecp.acm
[2013/03/16 00:19:50 | 000,021,640 | ---- | M] () -- C:\WINDOWS\System32\emptyregdb.dat
[1 C:\WINDOWS\System32\drivers\etc\*.tmp files -> C:\WINDOWS\System32\drivers\etc\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/04/11 02:34:13 | 000,000,773 | ---- | C] () -- C:\Documents and Settings\Authorized User\Desktop\Shortcut to OTL.exe.lnk
[2013/04/10 21:02:40 | 000,001,116 | ---- | C] () -- C:\Documents and Settings\Authorized User\Desktop\aswMBR.zip
[2013/04/10 20:42:54 | 000,004,702 | ---- | C] () -- C:\Documents and Settings\Authorized User\Desktop\DDS 04-6-2013 attach.zip
[2013/04/10 20:40:32 | 000,004,674 | ---- | C] () -- C:\Documents and Settings\Authorized User\Desktop\attach.zip
[2013/04/10 06:01:51 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2013/04/06 18:12:45 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Authorized User\Desktop\NTREGOPT.lnk
[2013/04/06 18:12:45 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Authorized User\Desktop\ERUNT.lnk
[2013/04/06 16:14:46 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Authorized User\Desktop\MBR.dat
[2013/03/30 20:58:22 | 000,263,024 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/03/29 15:50:19 | 000,208,997 | ---- | C] () -- C:\Documents and Settings\Authorized User\Desktop\Doreen PGE.pdf
[2013/03/22 19:32:19 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2013/03/22 09:29:30 | 000,142,199 | ---- | C] () -- C:\Documents and Settings\Authorized User\Desktop\IMG_9573.jpg
[2013/03/20 14:27:30 | 000,001,177 | ---- | C] () -- C:\Documents and Settings\Authorized User\Start Menu\Programs\join.me.lnk
[2013/03/20 14:27:29 | 000,001,177 | ---- | C] () -- C:\Documents and Settings\Authorized User\Desktop\join.me.lnk
[2013/03/18 23:53:29 | 000,000,836 | ---- | C] () -- C:\WINDOWS\System32\ScanResults.xml
[2013/03/18 23:53:03 | 000,000,976 | ---- | C] () -- C:\WINDOWS\System32\SettingsFile
[2013/03/17 13:54:52 | 030,508,911 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Support_Info.zip
[2013/03/16 01:26:35 | 000,000,412 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{CF3510EA-7E82-4CDD-95EE-2B0EFB946C87}.job
[2013/03/16 00:21:30 | 000,002,470 | ---- | C] () -- C:\WINDOWS\System32\reimage.nat
[2013/03/16 00:18:08 | 000,017,062 | ---- | C] () -- C:\WINDOWS\Coffee Bean.bmp
[2013/03/16 00:18:08 | 000,001,272 | ---- | C] () -- C:\WINDOWS\Blue Lace 16.bmp
[2013/03/16 00:18:06 | 000,026,582 | ---- | C] () -- C:\WINDOWS\Greenstone.bmp
[2013/03/16 00:18:06 | 000,017,336 | ---- | C] () -- C:\WINDOWS\Gone Fishing.bmp
[2013/03/16 00:18:06 | 000,016,730 | ---- | C] () -- C:\WINDOWS\FeatherTexture.bmp
[2013/03/16 00:17:30 | 000,065,978 | ---- | C] () -- C:\WINDOWS\Soap Bubbles.bmp
[2013/03/16 00:17:30 | 000,065,954 | ---- | C] () -- C:\WINDOWS\Prairie Wind.bmp
[2013/03/16 00:17:30 | 000,065,832 | ---- | C] () -- C:\WINDOWS\Santa Fe Stucco.bmp
[2013/03/16 00:17:30 | 000,026,680 | ---- | C] () -- C:\WINDOWS\River Sumida.bmp
[2013/03/16 00:17:30 | 000,017,362 | ---- | C] () -- C:\WINDOWS\Rhododendron.bmp
[2013/03/16 00:17:29 | 000,009,522 | ---- | C] () -- C:\WINDOWS\Zapotec.bmp
[2013/03/15 23:53:09 | 000,000,436 | ---- | C] () -- C:\WINDOWS\tasks\Reimage ScanAgent.job
[2012/12/18 17:32:36 | 000,014,776 | ---- | C] () -- C:\WINDOWS\System32\drivers\SmartDefragDriver.sys
[2012/08/13 11:57:00 | 000,012,927 | ---- | C] () -- C:\Program Files\readme.html
[2012/05/08 15:15:36 | 000,000,005 | ---- | C] () -- C:\Program Files\basis-link
[2012/03/31 23:10:36 | 002,784,050 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data
[2012/03/15 20:57:42 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2012/02/14 15:17:27 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/11/03 13:52:46 | 000,127,589 | ---- | C] () -- C:\Documents and Settings\Authorized User\Local Settings\Application Data\census.cache
[2011/11/03 13:52:22 | 000,207,176 | ---- | C] () -- C:\Documents and Settings\Authorized User\Local Settings\Application Data\ars.cache
[2011/11/03 12:14:13 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Authorized User\Local Settings\Application Data\housecall.guid.cache
[2011/05/10 17:19:36 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\redmonnt.dll
[2010/08/23 16:01:31 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Authorized User\Local Settings\Application Data\prvlcl.dat
[2009/12/09 01:33:52 | 000,000,408 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2009/11/30 16:52:42 | 000,072,080 | ---- | C] () -- C:\Documents and Settings\Authorized User\g2mdlhlpx.exe
[2008/05/08 14:28:55 | 000,095,744 | ---- | C] () -- C:\Documents and Settings\Authorized User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/03/21 04:07:41 | 000,005,663 | ---- | C] () -- C:\Documents and Settings\Authorized User\Application Data\PrimoPDFSet.xml
[2008/03/21 04:06:46 | 000,000,399 | ---- | C] () -- C:\Documents and Settings\Authorized User\Application Data\APUSet.xml
[2007/12/12 13:20:00 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2007/09/01 11:05:24 | 002,293,712 | ---- | C] () -- C:\Program Files\FLV PlayerFCSetup.exe
[2007/09/01 11:01:00 | 003,655,488 | ---- | C] () -- C:\Program Files\FLV PlayerRCATSetup.exe

========== ZeroAccess Check ==========

[2007/08/03 13:50:19 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 17:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 05:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/13 17:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2013/01/03 08:54:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
[2012/08/25 11:50:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/10/02 00:36:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2010/10/25 10:08:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/01/10 12:28:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\clp
[2010/10/25 10:25:42 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2010/07/03 08:56:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EmailNotifier
[2012/03/31 12:43:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2012/08/25 10:16:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HardwareHelper
[2012/12/22 00:30:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2008/05/19 13:25:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IM
[2008/05/19 10:19:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IncrediMail
[2013/03/07 19:02:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IObit
[2011/10/02 00:39:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/03/12 09:57:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2008/11/07 10:05:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2013/03/19 15:48:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCPitstop
[2011/02/27 19:35:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Photo Notifier and Animation Creator
[2009/11/21 10:02:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RegCure
[2007/08/10 12:13:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2009/01/12 04:14:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/07/30 00:44:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2008/07/26 02:24:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WORDsearch
[2008/07/26 02:13:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\wsc
[2011/04/18 20:27:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/10/27 20:43:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2008/07/26 02:13:22 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{CDF61231-6AD7-4969-B4DD-9E6C0F51DD5E}
[2012/04/03 14:24:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\Acapela Group
[2008/11/05 11:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\Audacity
[2010/01/07 14:14:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\AVG9
[2012/06/16 10:17:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\blekkotb_019
[2007/11/28 10:15:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\Canon
[2008/10/29 01:17:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\Crossword Compiler 8
[2008/06/21 17:56:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\DMCache
[2009/02/04 17:02:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\eBookPro6
[2008/06/17 15:23:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\EBookSys
[2007/09/27 11:30:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\eFax Messenger
[2012/03/06 18:57:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\EPSON
[2012/12/09 22:46:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\EurekaLog
[2013/01/23 01:46:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\GlarySoft
[2007/08/05 10:42:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\InterVideo
[2007/12/05 13:59:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\INVISUS
[2012/11/25 12:01:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\IObit
[2010/04/10 12:42:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\MsgCnf
[2012/03/24 17:46:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\MSNInstaller
[2010/05/21 00:29:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\MxBoost
[2010/04/13 20:48:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\MyShoppingGenie
[2010/06/30 19:37:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\ooVoo Details
[2009/12/11 17:45:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\OpenOffice.org
[2008/06/28 23:49:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\Opera
[2011/03/12 09:58:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\ParetoLogic
[2009/11/23 01:47:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\ReaSoft
[2013/03/19 17:56:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\Reason
[2010/02/26 10:34:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\TeamViewer
[2007/12/05 13:16:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\TuneUp Software
[2012/08/25 12:25:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\Uniblue
[2012/01/26 01:37:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\uTorrent
[2011/09/23 15:06:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\Windows Desktop Search
[2011/09/23 15:12:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Authorized User\Application Data\Windows Search
[2012/10/24 08:39:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\IObit

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1

< End of report >

ken545
2013-04-11, 12:39
:bigthumb:

I need to look over your new log very carefully to make sure nothing was missed. I won't be back online until noon; in the meantime run this program.


Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please


If nothing was found then there's no need for the log, but post it if it did find threats. Also let me know how your system is behaving now?

outpouring
2013-04-14, 12:36
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.04.13.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Authorized User :: AUTHORIZ-28629F [administrator]

4/13/2013 5:12:11 PM
mbam-log-2013-04-13 (17-12-11).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 258323
Time elapsed: 9 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (PUP.IBryte) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Authorized User\My Documents\Downloads\Setup.exe (PUP.IBryte) -> Quarantined and deleted successfully.

(end)

Seems like everything is running fine. Just curious why a PUP.IBryte just showed up after downloading Malwarebytes.

ken545
2013-04-14, 13:44
Hi,

Looks like some of the other scanners like DDS and OTL did not pick it up. Malwarebytes is a reputable program, so not to worry.


ESET Scanner Graphics

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans so there are no conflicts, and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.


Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked.
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png

Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

ken545
2013-04-18, 10:08
Still with me ?

outpouring
2013-04-20, 10:50
Sorry it took me so long. I hope you're still there.

ken545
2013-04-20, 11:35
Good Morning,

All ESET found was that bad file, but it was in the Recovery folder in Spybot. Open Spybot and go to the Recovery tab, open it and delete everything inside but not the folder itself. Let me know if you were able to do this.

ken545
2013-04-24, 10:01
Still with me? How are things running now?

outpouring
2013-04-28, 00:54
Hi Ken
Sorry it took so long to get back to you, but my motherboard died. Luckily my tech guy had a spare one that worked great for my computer. Just had to update some drivers. Don't know what happened. I guess it was just too old. Anyway, I went into Spybot and clicked on Recovery, then selected everything in there and deleted all the selected items. I will run Spybot later to see how everything is. I have an appointment soon and it takes quite a while to do the scan. I'll let you know how it turns out soon, ok. :)

outpouring
2013-04-28, 09:06
Ok, I ran the Spybot scan and again it showed the IncrediMail hijackers: C: IncrediBar: [SBI $43928D57] Program directory (Directory, nothing done)
C:\Documents and Settings\Authorized User\Local Settings\Temp\ImInstaller\

I even tried to delete the file from the ImInstaller folder, but it still comes back.

ken545
2013-04-28, 09:58
Sorry you had problems; just like cars, computers start getting old and things start failing, you never know.

Is IncrediBar showing up for you to use? You're just showing a file in a temp folder.


Boot to Safemode and open the temp folder and delete everything inside but not the folder itself.
C:\Documents and Settings\Authorized User\Local Settings\Temp

Still in safemode run this cleaner

Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop

Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

outpouring
2013-04-28, 19:00
Hi Ken,

When I went into Safe Mode to delete whatever was in the Temp folder, I only saw two empty folders that have nothing to do with ImInstaller, and it was not even there. I did not fix it with Spybot since you wanted me to go into Safe Mode and delete it there. What I found in the Temp folder was a bunch of languages like french.bin and the like. Do you still want me to delete everything in that Temp folder? I am confused as to where the ImInstaller is since Spybot did detect it. :confused: Let me know what you think, K :thanks:

ken545
2013-04-28, 22:28
Go ahead and run TFC (Temp File Cleaner) and then run Spybot and see if it still picks it up.

outpouring
2013-04-29, 00:14
Hi Ken

Ran the TFC in Safe Mode and then Spybot, and nothing showed up. I have to run my computer and surf a bit and will run Spybot again to see if it shows up again, because I did get rid of it before and then the next day I ran Spybot again and it came back. So if it does not come back then I am good to go, and I want to thank you for all your help. :bigthumb:

Linda

ken545
2013-04-29, 00:57
Hi Linda,

Let's take another look.


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)



Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:folderfind
Incredimail
:filefind
Incredimail
:regfind
Incredimail

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

outpouring
2013-04-29, 01:48
When I click on Mirror #1 and #2 it won't let me save to the desktop, only to C:\Documents and Settings\Authorized User\My Documents\Downloads. Then I clicked on Run, a box comes up and nothing happens. I click on Look, then a SystemLook error "Script required" shows up. What do I do now?

ken545
2013-04-29, 02:09
Right click on it and select CUT, then paste it on your desktop

C:\Documents and Settings\Authorized User\My Documents\Downloads\SystemLook

If it still won't run, try it in Safe Mode, but still keep it on your desktop.

To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard

outpouring
2013-04-29, 03:43
I did as you asked but it still does not work. You know, there really is no icon. It is as if the download did not complete. I have tried several times; the icon that shows is like a little box with a blue bar with 3 dots on the right side, but no SystemLook icon, if there is supposed to be one. Anyway, it did the same thing as I stated above.

ken545
2013-04-29, 03:55
Hi Linda,

There may be something wrong with the download; I moved my copy to the trash and tried downloading from both links and got the same thing you did. :oops:


So let's hang off on that for the moment; I am going to check and see what's going on with it. In the meantime just do like you said and surf a few days, then run Spybot and let's see if it comes back.

ken545
2013-04-29, 11:52
Good Morning Linda,

Six of the helpers on the forums downloaded it; no icon, but the program ran just fine. Drag your copy to the trash and let's use Internet Explorer to download it again to your desktop. When the box opens that asks you if you want to run it or save it, save it to your desktop.

Try this link
http://downloads.malwareremoval.com/SystemLook/SystemLook.exe

Let's cut back on the search and see what happens this time.

Input this script

:filefind
Incredimail

When you open SystemLook, are you copying the script and pasting it in the box?
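The SystemLook run ken545 asks for (the three-section :folderfind / :filefind / :regfind script earlier in the thread, and the cut-down :filefind version just above) searches the machine for any file, folder or registry name containing the given text. The Python below is an added example written for this page, not SystemLook's own code and not anything posted in the thread: it parses a script in that same format and runs the :folderfind and :filefind searches over a constructed directory tree, so you can see what a plain-name search matches (case-insensitive substring on the file or folder name). The sample tree layout and file names are constructed placeholders, and :regfind is recognised but skipped because no registry is available offline; both are assumptions, not details from the thread.

```python
"""Minimal SystemLook-style search (added example, not SystemLook's code).

Parses a script of ':section' headers followed by search terms and runs the
folder/file searches over a directory tree.  Matching is a case-insensitive
substring test on the entry name, the same behaviour a plain name gets in a
SystemLook :filefind / :folderfind.  ':regfind' is parsed but skipped here
because the Windows registry is not available in an offline, portable run."""
import os
import tempfile

SUPPORTED = {"folderfind", "filefind"}


def parse_script(text):
    """Return {section: [terms]} in script order; lines starting with ':'
    open a section, following non-empty lines are that section's terms."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def find_matches(root, term, want_dirs):
    """Walk root; return sorted paths (relative to root) whose basename
    contains term, case-insensitively.  want_dirs selects folders vs files."""
    needle = term.lower()
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in (dirnames if want_dirs else filenames):
            if needle in name.lower():
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def run_script(root, text):
    """Execute every section of the script against root.
    Returns {section: {term: [paths]}}; unsupported sections map to None."""
    results = {}
    for section, terms in parse_script(text).items():
        if section not in SUPPORTED:
            results[section] = None  # e.g. :regfind, skipped offline
            continue
        results[section] = {
            term: find_matches(root, term, section == "folderfind") for term in terms
        }
    return results


def format_report(results):
    """Render results in a SystemLook-like plain-text layout."""
    lines = []
    for section, per_term in results.items():
        lines.append("========== %s ==========" % section)
        if per_term is None:
            lines.append("(section skipped: not supported in this offline example)")
            continue
        for term, paths in per_term.items():
            lines.append('Searching for "%s"' % term)
            lines.extend(paths if paths else ["No matches found."])
        lines.append("")
    return "\n".join(lines)


def build_sample_tree():
    """Constructed sample tree (assumption, not the real machine's contents)
    mirroring the layout discussed in the thread: a Temp\\ImInstaller folder
    and an IncrediMail Start Menu folder next to an unrelated one."""
    root = tempfile.mkdtemp(prefix="systemlook_demo_")
    layout = {
        "Local Settings/Temp/ImInstaller": ["incredimail_setup.tmp", "french.bin"],
        "Start Menu/Programs/IncrediMail": ["IncrediMail.lnk"],
        "Start Menu/Programs/Boost": ["Boost.lnk"],
    }
    for rel, files in layout.items():
        folder = os.path.join(root, *rel.split("/"))
        os.makedirs(folder)
        for name in files:
            with open(os.path.join(folder, name), "w"):
                pass  # empty placeholder file
    return root


# The script ken545 posted, verbatim in format.
SCRIPT = """:folderfind
Incredimail
:filefind
Incredimail
:regfind
Incredimail
"""

if __name__ == "__main__":
    demo_root = build_sample_tree()
    print(format_report(run_script(demo_root, SCRIPT)))
```

Running it on the constructed tree reports one folder hit (Start Menu\Programs\IncrediMail) and two file hits (the .lnk and the file under Temp\ImInstaller); nothing under the Boost folder or french.bin matches. On a real machine the same substring rule is why a single name can turn up entries in Program Files, the Start Menu and Temp at once, which is what makes the full-disk search useful for locating a folder Spybot reports but the user cannot find by hand.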

ken545
2013-05-04, 15:00
How are you coming along ?

ken545
2013-05-10, 19:33
Hi,

I reopened this thread for you. So glad you're back up and running and everything is good. :cool:


We need to update your Java to keep you more secure

Go to your Control Panel and click on the Java Icon ( looks like a little coffee cup ) click on About and you should have Version 7 Update 21, if not proceed with the instructions.

Go to the Update tab and update it.
Important, during the upgrade UNCHECK ASK TOOL BAR. ( you do not need or want this )

Then go to your Add Remove Programs (WIN XP) or Programs and Features (Vista / Win 7) in the Control Panel and uninstall all previous versions.


You can verify the installation Here (http://www.java.com/en/download/help/testvm.xml)






Open OTL and click on Clean Up and it will remove the programs we used to clean your system along with their backups; any programs that were not removed you can just drag to the trash.


Malwarebytes is the free version and yours to keep and will not be removed



How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/index.php?showtopic=57817)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Safe Surfn
Ken