View Full Version : Trojan Detected - Unable to Remove



Lexi321
2013-09-08, 02:46
Hello,

AVG had a popup indicating a threat which it was unable to remove, as the file was locked. The following is the information I obtained when running AVG in Safe Mode:

AVG 2013 AntiVirus command line scanner
Copyright (c) 1992 - 2012 AVG Technologies
Program version 2013.0.3392, engine 2013.0.3222
Virus Database: Version 3222/6645 2013-09-07
C:\Windows\explorer.exe (1428) Trojan horse Generic29.AJGE
c:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$5b4025b60727901705831f37f32c5f55\ Locked file. Not tested.
c:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$R9APP3J\ Locked file. Not tested.

My DDS and aswMBR files follow. Thank you for your assistance.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16660 BrowserJavaVersion: 10.25.2
Run by Rick at 19:00:21 on 2013-09-07
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.6071.3403 [GMT -4:00]
.
AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2013\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe
C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
C:\Program Files\Microsoft LifeCam\MSCamS64.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Winsim\ConnectionManager\SimplyConnectionManager.exe
C:\Program Files (x86)\Sling Media\SlingAgent\SlingAgentService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
C:\OEM\USBDECTION\USBS3S4Detection.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\PrintIsolationHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Users\Rick\AppData\Local\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Samsung\Kies\Kies.exe
C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe
C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
C:\Program Files (x86)\winsim\ConnectionManager\Simply.SystemTrayIcon.exe
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe
C:\Program Files (x86)\AVG\AVG2013\avgui.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Users\Rick\AppData\Roaming\mjusbsp\magicJack.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Nero\Update\NASvc.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Users\Rick\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Rick\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Rick\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Rick\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe
C:\Program Files (x86)\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files (x86)\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Windows\splwow64.exe
C:\Program Files (x86)\Microsoft MapPoint 2010\StreetsOlkShim.exe
C:\Program Files (x86)\AVG\AVG2013\avgcsrvx.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uWindow Title = Szirtes Computer Compan
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&m=dx4831&r=17360310p306p04d5v145k4491r56o
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
mURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
BHO: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Vuze Remote Toolbar: {BA14329E-9550-4989-B3F2-9732E92D17CC} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
TB: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [WeatherEye] C:\Users\Rick\AppData\Local\TheWeatherNetwork\WeatherEye\WeatherEye.exe
uRun: [Simp] C:\Program Files (x86)\Secway\SimpLite-MSN 2.5\SimpLite-MSN.exe
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Google Update] "C:\Users\Rick\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [cdloader] "C:\Users\Rick\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [GarminExpressTrayApp] "C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe"
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe"
uRun: [KiesPreload] C:\Program Files (x86)\Samsung\Kies\Kies.exe /preload
uRun: [KiesAirMessage] C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe -startup
uRun: [] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Spybot-S&D Cleaning] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [NBAgent] "C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart
mRun: [masqform.exe] C:\Program Files (x86)\PureEdge\Viewer 6.5\masqform.exe -RunOnce
mRun: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun: [Google Desktop Search] "C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" /startup
mRun: [Gateway Photo Frame] C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe -A
mRun: [ConnectionManager] C:\Program Files (x86)\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe
mRun: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
LSP: mswsock.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.3.0/GarminAxControl_32.CAB
DPF: {48A5DF03-A77C-4C9F-95C9-CEDC34631004} - hxxps://www.mydlink.com/8D/activeX//DCPP.cab
DPF: {57AF0810-BDA7-47A5-B02D-FDA1073C04B0} - hxxps://www.mydlink.com/8D/activeX//TunnelX.ocx
DPF: {7191F0AC-D686-46A8-BFCC-EA61778C74DD} - hxxps://www.mydlink.com/8D/activeX//aplugLiteDL.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com//activex/ractrl.cab?lmi=1007
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{70441792-5F65-4699-B93D-AF1134F75691} : DHCPNameServer = 192.168.0.1
Handler: intu-qt2009 - {03947252-2355-4e9b-B446-8CCC75C43370} - C:\Program Files (x86)\QuickTax 2009\ic2009pp.dll
Handler: intu-tt2010 - {97A0575E-2309-4e75-8509-B1F9390C4DE7} - C:\Program Files (x86)\TurboTax 2010\ic2010pp.dll
Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - C:\Program Files (x86)\TurboTax 2011\ic2011pp.dll
Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - C:\Program Files (x86)\TurboTax 2012\ic2012pp.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Notify: PCANotify - PCANotify.dll
Notify: SDWinLogon - SDWinLogon.dll
AppInit_DLLs= C:\PROGRA~2\Google\GOOGLE~3\GO36F4~1.DLL
SSODL: WebCheck - <orphaned>
x64-mWindow Title = Szirtes Computer Compan
x64-mSearch Page = hxxp://www.google.com/
x64-mDefault_Search_URL = hxxp://www.google.com/
x64-mSearchAssistant = hxxp://www.google.com/ie
x64-mCustomizeSearch = hxxp://www.google.com/
x64-BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe"
x64-Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
x64-Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe
.
INFO: x64-HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Handler: intu-qt2009 - {03947252-2355-4e9b-B446-8CCC75C43370} - <orphaned>
x64-Handler: intu-tt2010 - {97A0575E-2309-4e75-8509-B1F9390C4DE7} - <orphaned>
x64-Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - <orphaned>
x64-Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - <orphaned>
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\gsuaeeby.default\
FF - component: C:\Program Files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Virtual Earth 3D\npVE3D.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Rick\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: C:\Users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\gsuaeeby.default\extensions\{83a8ce1b-683c-4784-b86d-9eb601b59f38}\plugins\np-mswmp.dll
FF - plugin: C:\Users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\gsuaeeby.default\extensions\{83a8ce1b-683c-4784-b86d-9eb601b59f38}\plugins\npConduitFirefoxPlugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2013-07-13 09:29; {83a8ce1b-683c-4784-b86d-9eb601b59f38}; C:\Users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\gsuaeeby.default\extensions\{83a8ce1b-683c-4784-b86d-9eb601b59f38}
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2013-7-20 71480]
R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2013-7-20 311608]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2013-7-1 116536]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2013-7-10 45880]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2013-7-20 246072]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2013-7-20 206648]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2013-3-21 240952]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2008-8-11 16056]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\Windows\System32\drivers\LMIRfsDriver.sys [2010-4-3 72216]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;C:\Windows\System32\drivers\e1k62x64.sys [2009-12-1 283824]
R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2009-12-1 56344]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\System32\drivers\nx6000.sys [2010-5-20 36720]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-6-12 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
.
=============== Created Last 30 ================
.
2013-09-07 21:21:26 17272 ----a-w- C:\Windows\System32\sdnclean64.exe
2013-09-07 21:21:22 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-09-07 19:22:27 -------- d-----w- C:\Program Files (x86)\ESET
2013-08-21 23:26:35 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-08-21 23:26:35 -------- d-----w- C:\Program Files\iTunes
2013-08-21 23:26:35 -------- d-----w- C:\Program Files\iPod
2013-08-21 23:26:35 -------- d-----w- C:\Program Files (x86)\iTunes
2013-08-21 16:37:08 17737608 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2013-08-14 11:04:21 224256 ----a-w- C:\Windows\System32\wintrust.dll
2013-08-09 07:00:49 -------- d-----w- C:\Windows\System32\MRT
.
==================== Find3M ====================
.
2013-08-21 16:37:14 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-08-21 16:37:14 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-07-26 05:13:37 2241024 ----a-w- C:\Windows\System32\wininet.dll
2013-07-26 05:12:08 3958784 ----a-w- C:\Windows\System32\jscript9.dll
2013-07-26 05:12:04 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2013-07-26 05:12:03 67072 ----a-w- C:\Windows\System32\iesetup.dll
2013-07-26 03:35:08 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2013-07-26 03:13:24 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-07-26 03:12:04 2877440 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-07-26 03:12:00 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2013-07-26 03:12:00 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2013-07-26 02:49:14 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-07-26 02:39:38 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2013-07-26 01:59:38 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-07-25 09:25:54 1888768 ----a-w- C:\Windows\System32\WMVDECOD.DLL
2013-07-25 08:57:27 1620992 ----a-w- C:\Windows\SysWow64\WMVDECOD.DLL
2013-07-20 05:51:00 311608 ----a-w- C:\Windows\System32\drivers\avgloga.sys
2013-07-20 05:50:56 71480 ----a-w- C:\Windows\System32\drivers\avgidsha.sys
2013-07-20 05:50:56 246072 ----a-w- C:\Windows\System32\drivers\avgidsdrivera.sys
2013-07-20 05:50:50 206648 ----a-w- C:\Windows\System32\drivers\avgldx64.sys
2013-07-19 01:58:42 2048 ----a-w- C:\Windows\System32\tzres.dll
2013-07-19 01:41:01 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2013-07-13 14:11:36 0 ----a-w- C:\Windows\System32\sirenacm.dll
2013-07-13 14:11:36 0 ----a-w- C:\Windows\System32\olepro32.dll
2013-07-13 14:11:36 0 ----a-w- C:\Windows\System32\atiumdva.dll
2013-07-13 14:11:36 0 ----a-w- C:\Windows\System32\atiumdag.dll
2013-07-13 14:11:36 0 ----a-w- C:\Windows\System32\atidxx32.dll
2013-07-10 05:32:38 45880 ----a-w- C:\Windows\System32\drivers\avgrkx64.sys
2013-07-09 06:03:30 5550528 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-07-09 05:54:22 1732032 ----a-w- C:\Windows\System32\ntdll.dll
2013-07-09 05:53:12 243712 ----a-w- C:\Windows\System32\wow64.dll
2013-07-09 05:51:16 1217024 ----a-w- C:\Windows\System32\rpcrt4.dll
2013-07-09 05:46:20 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2013-07-09 05:46:20 1472512 ----a-w- C:\Windows\System32\crypt32.dll
2013-07-09 05:46:20 139776 ----a-w- C:\Windows\System32\cryptnet.dll
2013-07-09 05:03:34 3968960 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-07-09 05:03:34 3913664 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-07-09 04:53:47 1292192 ----a-w- C:\Windows\SysWow64\ntdll.dll
2013-07-09 04:52:33 663552 ----a-w- C:\Windows\SysWow64\rpcrt4.dll
2013-07-09 04:52:33 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2013-07-09 04:52:10 175104 ----a-w- C:\Windows\SysWow64\wintrust.dll
2013-07-09 04:46:31 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2013-07-09 04:46:31 1166848 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-07-09 04:46:31 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2013-07-09 04:45:07 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2013-07-09 02:49:42 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2013-07-09 02:49:41 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2013-07-09 02:49:39 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2013-07-09 02:49:38 2048 ----a-w- C:\Windows\SysWow64\user.exe
2013-07-06 06:03:53 1910208 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2013-07-03 07:03:14 9728 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-07-01 05:45:28 116536 ----a-w- C:\Windows\System32\drivers\avgmfx64.sys
2013-06-20 02:47:17 15359912 ----a-w- C:\SAMSUNG_USB_Driver_for_Mobile_Phones(3).exe
2013-06-15 04:32:16 39936 ----a-w- C:\Windows\System32\drivers\tssecsrv.sys
2013-06-13 01:48:23 867240 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-06-13 01:48:17 789416 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-06-13 01:47:57 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
.
============= FINISH: 19:01:55.24 ===============

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-09-07 19:08:45
-----------------------------
19:08:45.143 OS Version: Windows x64 6.1.7601 Service Pack 1
19:08:45.143 Number of processors: 4 586 0x2502
19:08:45.144 ComputerName: RICK-PC UserName: Rick
19:08:46.775 Initialize success
19:11:20.576 AVAST engine defs: 13090701
19:34:37.211 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
19:34:37.215 Disk 0 Vendor: WDC_WD10 01.0 Size: 953869MB BusType: 3
19:34:37.347 Disk 0 MBR read successfully
19:34:37.351 Disk 0 MBR scan
19:34:37.380 Disk 0 Windows 7 default MBR code
19:34:37.385 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 17408 MB offset 2048
19:34:37.405 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 35653632
19:34:37.414 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 936359 MB offset 35858432
19:34:37.447 Disk 0 scanning C:\Windows\system32\drivers
19:34:46.187 Service scanning
19:35:08.379 Modules scanning
19:35:08.391 Disk 0 trace - called modules:
19:35:08.412 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
19:35:08.419 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80065c3060]
19:35:08.427 3 CLASSPNP.SYS[fffff88001b2d43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80062bc050]
19:35:10.367 AVAST engine scan C:\Windows
19:35:13.766 AVAST engine scan C:\Windows\system32
19:36:44.349 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
19:36:46.829 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
19:39:24.963 AVAST engine scan C:\Windows\system32\drivers
19:39:36.452 AVAST engine scan C:\Users\Rick
19:44:33.195 Disk 0 MBR has been saved successfully to "C:\Users\Rick\Desktop\MBR.dat"
19:44:33.202 The log file has been saved successfully to "C:\Users\Rick\Desktop\aswMBR.txt"
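
The three logs in this post use different line formats but raise the same triage questions: what did the scanner actually detect, what did it fail to inspect (locked files are not a clean result), and which startup entries launch from folders a normal installer would not use. As an added example that is not part of the original post and not code from AVG, DDS or aswMBR, the Python below parses sample lines copied from the logs above and groups them by severity. The "user-writable folder" check on autorun entries is a review heuristic of my own, not a rule from any of those tools; a hit there only means the entry deserves a look, as the magicJack loader in this very log shows.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample excerpt assembled from lines in the AVG command-line, DDS "Pseudo HJT"
# and aswMBR logs posted above (raw string so the Windows paths survive).
SAMPLE_LOG = r"""
AVG 2013 AntiVirus command line scanner
C:\Windows\explorer.exe (1428) Trojan horse Generic29.AJGE
c:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$R9APP3J\ Locked file. Not tested.
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [cdloader] "C:\Users\Rick\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
19:36:44.349 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
19:36:46.829 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
19:44:33.195 Disk 0 MBR has been saved successfully to "C:\Users\Rick\Desktop\MBR.dat"
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" = named detection, "medium" = not scanned, "review" = heuristic
    source: str     # which tool's line format matched
    path: str
    detail: str


# AVG CLI: "<path> (<pid>) Trojan horse <name>" for a detection in a running process.
AVG_DETECT = re.compile(r"^(?P<path>.+?) \((?P<pid>\d+)\) Trojan horse (?P<name>\S+)$")
# AVG CLI: a file the scanner could not open, so it was never inspected.
AVG_LOCKED = re.compile(r"^(?P<path>.+?) Locked file\. Not tested\.$")
# aswMBR: "<hh:mm:ss.mmm> File: <path> **INFECTED** <name>"
ASWMBR_INFECTED = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d{3} File: (?P<path>.+?) \*\*INFECTED\*\* (?P<name>.+)$"
)
# DDS autorun entries: uRun (user hive), mRun (machine hive), x64-Run (64-bit machine hive).
DDS_AUTORUN = re.compile(r"^(?P<hive>(?:x64-)?[um]?Run): \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")
# Heuristic (assumption, not a tool rule): startup entries launched from per-user or
# transient folders are where a triager looks first; legitimate software does it too.
USER_WRITABLE = re.compile(r"\\AppData\\|\$Recycle\.Bin|\\Temp\\", re.IGNORECASE)


def triage(log_text: str) -> List[Finding]:
    """Walk the mixed log text line by line and collect anything worth attention."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := ASWMBR_INFECTED.match(line):
            findings.append(Finding("high", "aswMBR", m["path"], m["name"]))
        elif m := AVG_DETECT.match(line):
            findings.append(Finding("high", "AVG", m["path"],
                                    f"{m['name']} in running process pid {m['pid']}"))
        elif m := AVG_LOCKED.match(line):
            findings.append(Finding("medium", "AVG", m["path"], "locked, not scanned"))
        elif m := DDS_AUTORUN.match(line):
            if USER_WRITABLE.search(m["cmd"]):
                findings.append(Finding("review", "DDS", m["cmd"],
                                        f"{m['hive']} [{m['key']}] starts from a user-writable folder"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so the reader sees the shape of the result at once."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "review": 2}
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda x: order[x.severity]):
        print(f"[{f.severity:6}] {f.source:7} {f.path}  --  {f.detail}")
    print(summarize(results))
```

On the sample above the two GAC Desktop.ini detections and the explorer.exe detection come out as "high", the Recycle Bin entry as "medium" (a locked file is an unknown, not a pass), and one startup entry as "review". The point of separating "medium" from "high" is the one the thread turns on: an antivirus log that ends in "Locked file. Not tested." has not cleared that file.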

Dakeyras
2013-09-09, 12:48
Hi,

I have bad news I'm afraid. :sad:

One or more of the identified infections is a variant of the extremely severe Zero Access Rootkit plus undoubtedly other comprising malware!

OK since we are dealing with the aforementioned infection(s) I would be providing your good self with a disservice if I did not make you aware of the ramifications below:

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Although an attempt could be made to clean this machine, it could never be considered to be truly clean, secure, or trustworthy. We could not say definitively that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damage it may possibly have caused to vital system files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat. Therefore, your best and safest course of action is a reformat and reinstallation of the Windows Operating System, and that is the course I strongly recommend.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

Next:

I can attempt to clean this machine (anything I try may not be successful and the machine may lose internet connectivity) but I can't guarantee that it will be at all secure afterwards.

Should you have any questions, please feel free to ask.

Please let myself know what you have decided to do in your next post.

Lexi321
2013-09-09, 19:22
Thank you for your response. That is certainly not the news I was hoping for. I will go with the re-install option as I don't want to worry about any potential residual infection; however, I have a few questions:

1. I will have to archive my files, reformat and re-install and copy my files back. How can I be assured I am not going to recopy the virus on the newly cleaned computer?

2. I believe the factory Windows is located on a Restore partition of the hard drive. Is it possible that this is infected as well?

3. AVG free did not detect the problem. Would another product have stopped it?

Thank you.

Dakeyras
2013-09-09, 22:34
Hi. :)


Thank you for your response.
You're welcome!


That is certainly not the news I was hoping for. I will go with the re-install option as I don't want to worry about any potential residual infection
I certainly understand how you feel with regard to the news, though to be honest if it was one of my own machines ultimately I would not hesitate to follow my own advice that I provide to those I assist.

Next:


1. I will have to archive my files, reformat and re-install and copy my files back. How can I be assured I am not going to recopy the virus on the newly cleaned computer?
I can advise preventive measures to ensure any backup(s) created, once re-applied, are not able to compromise your machine again. I am surmising you will be using a form of removable storage media to do so. Merely inform myself exactly what you are planning to use and I in turn will provide the aforementioned advice.


2. I believe the factory Windows is located on a Restore partition of the hard drive. Is it possible that this is infected as well?
Recovery Partitions are not usually infected per se but can be blocked from working correctly. If it works, all fine, and it is de facto a reformat and reinstallation of the Windows Operating System. So basically once this has been invoked the machine will be back to as it was the first time booted up etc.

Now in the event it does not work, and if you have Recovery Media you may have created, those/that could be used, and/or if not we may be able to rectify that problem if the need arises, so overall not to worry as they say.

Also if you are unsure how to invoke the actual Recovery Partition, merely inform myself the exact make and model of your computer and I in turn will provide the appropriate advice.


3. AVG free did not detect the problem. Would another product have stopped it?
It did detect to an extent but is unable to rectify it effectively, as most Anti-Virus software is to be honest, though saying that a more reliable freeware solution would be say Microsoft Security Essentials (http://www.microsoft.com/Security_Essentials/) which I use on all of my machines. Or Avast! Free Antivirus (http://www.filehippo.com/download_avast_antivirus/) which is another fine application I personally recommend to those I assist. End of the day any one Anti-Virus software is only as good as its detection database/active real time protection and used in conjunction with what is known as layered security and observing online safety protocols...

I can provide my stock advice with regard to the aforementioned online safety if you would care for such, again merely let me know.

Lexi321
2013-09-10, 07:07
Thank you again for your quick response. Upon reflection, as much as I'd like to say the PC is 100% clean, the thought of starting from scratch is terribly unappealing. I'd like to attempt to clean it first, and only re-install everything if that is not successful. I would like to first make a backup of my data in case I end up having to re-install the operating system. As you suspected, I would like to transfer my data onto an external hard drive. Please let me know how to ensure I am not archiving the virus as well as my files. Once I back up my stuff, I'll proceed with any instructions you provide to clean the PC. Your assistance is greatly appreciated. :greeting:

Dakeyras
2013-09-10, 12:04
Hi. :)


Upon reflection, as much as I'd like to say the PC is 100% clean, the thought of starting from scratch is terribly unappealing. I'd like to attempt to clean it first, and only re-install everything if that is not successful.
Fair play and I always respect the wishes of those I assist...

However I do have one proviso if you really want my assistance with an actual malware removal process, being that I would like you to uninstall the following software:

Vuze
Vuze Remote Toolbar

As per the forum guidelines outlined here (http://forums.spybot.info/showthread.php?282-File-Sharing-otherwise-known-as-Peer-To-Peer-(P2P)).

I will further add if you have used either recently, you can be fairly confident this is one of the principal reasons your computer became infected.

It's really important, if you value your computer at all, to stay away from P2P file sharing programs, like utorrent, Bittorrent, Azureus, LimeWire and Vuze. Criminals have "planted" thousands upon thousands of infections in the "free" shared files. Virtually all of these recent infections will compromise your security, and some can turn your machine into a useless "doorstop".

To be honest I have lost count of the number of machines I have dealt with over the years that became infected due to the use of P2P software...so my friendly advice is to steer clear of such software in the future.

Next:


I would like to first make a backup of my data in case I end up having to re-install the operating system. As you suspected, I would like to transfer my data onto an external hard drive.
OK, we will do this in several stages, as in: halt any malicious running processes and secure your external hard drive against infection, and then you can transfer what you want to back up. Then when we have eradicated the vast majority of malware on your machine you can re-attach your external hard drive and scan it with some appropriate security-related software to ensure the integrity of the backups.

Next:

Do you still want to uninstall AVG 2013 at some point during the malware removal process and replace it with one of the freeware alternatives I mentioned in my prior post? If so merely let me know, but do however leave it installed for the time being until I advise otherwise.

Download/run Rkill:

Please download Rkill from one of the following links and save to your desktop:

(If one fails to work delete it and download/try another)

One (http://download.bleepingcomputer.com/grinler/rkill.exe), Two (http://download.bleepingcomputer.com/grinler/rkill.com), Three (http://download.bleepingcomputer.com/grinler/rkill.scr), Four (http://download.bleepingcomputer.com/grinler/iExplore.exe) or Five (http://download.bleepingcomputer.com/grinler/eXplorer.exe)

Note: If your security software warns about Rkill, please ignore and allow the download to continue.


Double click on Rkill.
A command window will open then disappear upon completion; this is normal.
Post the log created, found on the desktop (rkill.txt), in your next reply.

Download/Install & Run Panda USB Vaccine:

Please download the installer for Panda USB Vaccine from here (http://www.majorgeeks.com/Panda_USB_and_AutoRun_Vaccine_d6029.html) to the desktop.


Right-click on USBVaccineSetup.exe and select Run as Administrator >> follow the prompts in the installation wizard.
At the configuration screen (settings)...
Ensure both Run Panda USB Vaccine automatically when computer boots (/resident mode) & Automatically vaccinate any newly inserted USB key are selected >> plus NTFS support
Now click on Next> >> ensure Launch Panda USB Vaccine is selected >> click on Finish.
Connect your External Hard Drive to your machine...it will be automatically vaccinated (as will any USB drives connected in the future).
Now transfer the files and documents etc. that you want to back up to your external hard drive.
Then safely remove the External Hard Drive from your machine via right-clicking on the Safely Remove Hardware and Eject Media system tray icon and then selecting Eject USB Mass Storage Device.
Once done so, do not reconnect it again until I advise otherwise, as I mentioned prior.

Note: You may uninstall Panda USB Vaccine when we have completed the Malware Removal process if you so wish. Though my advice would be to keep it installed.

Next:

Let me know when you have completed the above, provide the answer to my AVG 2013 query and post the Rkill log. We will then proceed with the actual malware removal process, thank you.

Lexi321
2013-09-13, 02:14
Hello again!
No problem about removing Vuze, I don't use it anyhow - so that's done. I've run Panda and copied the files to the external drive. Below is the result of running Rkill. Finally, I would like to replace AVG with one of the other products you recommended, perhaps Avast. I'll await your next instructions. Regards...

Rkill 2.6.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/10/2013 08:25:54 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
C:\Users\Rick\Desktop\rkill\rkill-09-10-2013-08-25-57.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

* ALERT: ZEROACCESS rootkit symptoms found!

* C:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$5b4025b60727901705831f37f32c5f55\ [ZA Dir]
* C:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$5b4025b60727901705831f37f32c5f55\L\ [ZA Dir]
* C:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$5b4025b60727901705831f37f32c5f55\n [ZA File]
* C:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$5b4025b60727901705831f37f32c5f55\U\ [ZA Dir]
* C:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
* C:\Windows\assembly\GAC_64\Desktop.ini [ZA File]

Checking Windows Service Integrity:

* Windows Defender (WinDefend) is not Running.
Startup Type set to: Manual

Searching for Missing Digital Signatures:

* C:\Windows\System32\olepro32.dll : 0 : 07/13/2013 10:11 AM : d41d8cd98f00b204e9800998ecf8427e [NoSig]
+-> C:\Windows\SysWOW64\olepro32.dll : 90,112 : 11/20/2010 08:20 AM : 703ffd301ab900b047337c5d40fd6f96 [Pos Repl]
+-> C:\Windows\winsxs\x86_microsoft-windows-ole-automation-legacy_31bf3856ad364e35_6.1.7600.16385_none_39ea10b66307dbef\olepro32.dll : 90,112 : 07/13/2009 09:16 PM : c10459dbdc2099c5a8428cb7d87db85f [Pos Repl]
+-> C:\Windows\winsxs\x86_microsoft-windows-ole-automation-legacy_31bf3856ad364e35_6.1.7601.17514_none_3c1b247e5ff65f89\olepro32.dll : 90,112 : 11/20/2010 08:20 AM : 703ffd301ab900b047337c5d40fd6f96 [Pos Repl]

Checking HOSTS File:

* Cannot edit the HOSTS file.
* Permissions Fixed. Administrators can now edit the HOSTS file.

* HOSTS file entries found:


20 out of 15466 HOSTS entries shown.
Please review HOSTS file for further entries.

Program finished at: 09/10/2013 08:27:42 AM
Execution time: 0 hours(s), 1 minute(s), and 48 seconds(s)

Dakeyras
2013-09-13, 12:16
Hi. :)


No problem about removing Vuze, I don't use it anyhow - so that's done. I've run Panda and copied the files to the external drive. Below is the result of running Rkill. Finally, I would like to replace AVG with one of the other products you recommended, perhaps Avast. I'll await your next instructions. Regards...
Acknowledged, let's proceed as follows, shall we...

Scan with Farbar Recovery Scan Tool:

Please download and save Farbar Recovery Scan Tool 64-Bit (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/) to your Desktop.


Right-click on FRST.exe and select Run as Administrator to start FRST >> follow the prompt/click on Yes
Under Optional Scan ensure both Drivers MD5 and Addition.txt are selected.
Now click on the Scan button/radio tab >> at the Scan completed prompt click on OK
At the next prompt denoting Addition.txt is saved in the same location the FRST tool is run from >> click on OK
There will now be two logs on your desktop, Addition.txt and FRST.txt. Post the contents of both in your next reply.

Lexi321
2013-09-13, 17:02
Here you go. The files are attached. Thank you.

Dakeyras
2013-09-13, 22:51
Hi. :)


Here you go. The files are attached. Thank you.
Acknowledged and you're welcome!

Custom FRST Script:

Please download the attached fixlist.txt (see below) and save to the desktop.


Now right-click on FRST.exe and select Run as Administrator to start FRST.
Then click on the Fix button/radio tab >> at the Fix completed prompt click on OK
A log will now open named Fixlog and it will also be on the desktop >> close FRST.
Reboot your machine (ensure you do this) and post the contents of the aforementioned Fixlog in your next reply.

Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.

Lexi321
2013-09-14, 00:29
Here it is...

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-09-2013 04
Ran by Rick at 2013-09-13 17:17:46 Run:1
Running from C:\Users\Rick\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$5b4025b60727901705831f37f32c5f55\n. ATTENTION! ====> ZeroAccess?
Reg: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Spybot-S&D Cleaning" /f
MountPoints2: J - J:\autorun.exe
MountPoints2: {ec7f602d-19c6-11e3-88a5-90fba646c2ee} - "M:\WD SmartWare.exe" autoplay=true
URLSearchHook: (No Name) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - No File
earchScopes: HKLM-x32 - DefaultScope {8B2EC7CF-C62C-4234-A001-345DF9A8DD5B} URL =
SearchScopes: HKLM-x32 - {ef80d754-fb77-4a7f-be75-489beebb20c9} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=RGxdm333YYca&ptnrS=RGxdm333YYca&si=1579cidca&ptb=C094FB09-B0F1-4FB5-BE24-A104B4ABFBBA&ind=2012021920&n=77ed04a0&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKCU - DefaultScope {8B2EC7CF-C62C-4234-A001-345DF9A8DD5B} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3308528&CUI=UN16662553912685315&UM=2
SearchScopes: HKCU - {70D46D94-BF1E-45ED-B567-48701376298E} URL = http://127.0.0.1:4664/search&s=iBObms6tyAEbHD7CUS3A4jlOvvA?q={searchTerms}
SearchScopes: HKCU - {8B2EC7CF-C62C-4234-A001-345DF9A8DD5B} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3308528&CUI=UN16662553912685315&UM=2
SearchScopes: HKCU - {ef80d754-fb77-4a7f-be75-489beebb20c9} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=RGxdm333YYca&ptnrS=RGxdm333YYca&si=1579cidca&ptb=C094FB09-B0F1-4FB5-BE24-A104B4ABFBBA&ind=2012021920&n=77ed04a0&psa=&st=sb&searchfor={searchTerms}
BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssiea.dll No File
BHO-x32: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll No File
Toolbar: HKCU - No Name - {BA14329E-9550-4989-B3F2-9732E92D17CC} - No File
DPF: HKLM-x32 {4F29DE54-5EB7-4D76-B610-A86B5CD2A234}
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
cmd: netsh winsock reset
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
FF Extension: No Name - C:\Users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\gsuaeeby.default\Extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}
C:\Users\Rick\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojpijjmpahflnipadmlpgbjmagmjchkk
CHR HKLM-x32\...\Chrome\Extension: [ekkhlakkdjfjbohpngmfpijfgmlpnamd] - C:\Users\Rick\AppData\Local\CRE\ekkhlakkdjfjbohpngmfpijfgmlpnamd.crx
CHR HKLM-x32\...\Chrome\Extension: [ojpijjmpahflnipadmlpgbjmagmjchkk] - C:\Users\Rick\AppData\Local\CRE\ojpijjmpahflnipadmlpgbjmagmjchkk.crx
2013-08-17 11:12 - 2013-08-17 11:12 - 00072008 _____ (Azureus Software, Inc.) C:\Users\Rick\Downloads\VuzeBittorrentClientInstaller.exe
2013-09-10 08:21 - 2010-04-03 13:11 - 00000000 ____D C:\Program Files (x86)\Vuze
2013-09-06 17:36 - 2010-04-03 13:11 - 00000000 ____D C:\Users\Rick\AppData\Roaming\Azureus
2013-08-17 11:12 - 2013-08-17 11:12 - 00072008 _____ (Azureus Software, Inc.) C:\Users\Rick\Downloads\VuzeBittorrentClientInstaller.exe
C:\Users\Rick\AppData\Local\Temp\mpegc.dll
C:\Users\Rick\AppData\Local\Temp\tbVuze.dll
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000
End
*****************

HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} => Key deleted successfully.

========= reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Spybot-S&D Cleaning" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J => Key deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ec7f602d-19c6-11e3-88a5-90fba646c2ee} => Key deleted successfully.
HKCR\CLSID\{ec7f602d-19c6-11e3-88a5-90fba646c2ee} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\\{ba14329e-9550-4989-b3f2-9732e92d17cc} => Value deleted successfully.
HKCR\CLSID\{ba14329e-9550-4989-b3f2-9732e92d17cc} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{ef80d754-fb77-4a7f-be75-489beebb20c9} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{ef80d754-fb77-4a7f-be75-489beebb20c9} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E} => Key deleted successfully.
HKCR\CLSID\{70D46D94-BF1E-45ED-B567-48701376298E} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8B2EC7CF-C62C-4234-A001-345DF9A8DD5B} => Key deleted successfully.
HKCR\CLSID\{8B2EC7CF-C62C-4234-A001-345DF9A8DD5B} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{ef80d754-fb77-4a7f-be75-489beebb20c9} => Key deleted successfully.
HKCR\CLSID\{ef80d754-fb77-4a7f-be75-489beebb20c9} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} => Key deleted successfully.
HKCR\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} => Key deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BA14329E-9550-4989-B3F2-9732E92D17CC} => Value deleted successfully.
HKCR\CLSID\{BA14329E-9550-4989-B3F2-9732E92D17CC} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units\{4F29DE54-5EB7-4D76-B610-A86B5CD2A234} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{4F29DE54-5EB7-4D76-B610-A86B5CD2A234} => Key deleted successfully.
Winsock: Catalog5 entry 000000000001\\LibraryPath was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5 entry 000000000005\\LibraryPath was set successfully to %SystemRoot%\System32\mswsock.dll
Winsock: Catalog5-x64 entry 000000000001\\LibraryPath was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5-x64 entry 000000000005\\LibraryPath was set successfully to %SystemRoot%\System32\mswsock.dll

========= netsh winsock reset =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
C:\Users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\gsuaeeby.default\Extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc} => Moved successfully.
C:\Users\Rick\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojpijjmpahflnipadmlpgbjmagmjchkk => Moved successfully.
C:\Users\Rick\Downloads\VuzeBittorrentClientInstaller.exe => Moved successfully.
C:\Program Files (x86)\Vuze => Moved successfully.
C:\Users\Rick\AppData\Roaming\Azureus => Moved successfully.
"C:\Users\Rick\Downloads\VuzeBittorrentClientInstaller.exe" => File/Directory not found.
C:\Users\Rick\AppData\Local\Temp\mpegc.dll => Moved successfully.
C:\Users\Rick\AppData\Local\Temp\tbVuze.dll => Moved successfully.
"C:\Windows\assembly\GAC_32\Desktop.ini " => File/Directory not found.
"C:\Windows\assembly\GAC_64\Desktop.ini " => File/Directory not found.
C:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000 => Moved successfully.

==== End of Fixlog ====
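
As an added example (not code from this thread, nor from Rkill or FRST), the following Python script turns the indicators visible in the Rkill output and the FRST fixlist above into simple detection rules and runs them over sample log lines; most lines are copied from the logs above, the healthy Winsock and kernel32 lines are constructed, and the expected Winsock LibraryPath values per catalog entry are taken from the FRST lines.

```python
"""Triage helper for ZeroAccess-style symptoms in Rkill / FRST log lines.

Added example for this thread; not part of Rkill, FRST or the original posts.
The rule thresholds are the author's assumptions; the indicator shapes come
from the logs quoted above.
"""
import re

# ZeroAccess hid its payload under the user's Recycle Bin SID directory in a
# folder named "$" followed by 32 hex characters (the "$5b4025b6..." folder above).
ZA_RECYCLE_DIR = re.compile(
    r"\$Recycle\.Bin\\S-1-5-21-\d+-\d+-\d+-\d+\\\$[0-9a-f]{32}(\\|$)", re.IGNORECASE
)
# Desktop.ini dropped into the .NET Global Assembly Cache folders (GAC_32 / GAC_64).
GAC_DESKTOP_INI = re.compile(
    r"\\Windows\\assembly\\GAC_(32|64)\\Desktop\.ini\b", re.IGNORECASE
)
# Expected Winsock Catalog5 LibraryPath per entry index, as stated by FRST above.
EXPECTED_WINSOCK = {
    "01": r"%SystemRoot%\system32\NLAapi.dll",
    "05": r"%SystemRoot%\System32\mswsock.dll",
}
# MD5 of zero bytes: a "system DLL" with this hash is an empty file, never legitimate.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"

# Sample lines: 1-4 and 6 are taken from the thread's logs, 5 and 7 are constructed
# healthy entries in the same layout so the rules have something to pass over.
SAMPLE_LINES = [
    r"* C:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$5b4025b60727901705831f37f32c5f55\n [ZA File]",
    r"* C:\Windows\assembly\GAC_32\Desktop.ini [ZA File]",
    r"HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-1206012796-1689309657-3446792677-1000\$5b4025b60727901705831f37f32c5f55\n.",
    r'Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"',
    r"Winsock: Catalog5 03 winrnr.dll [2013-07-06] (Microsoft Corporation)",
    r"* C:\Windows\System32\olepro32.dll : 0 : 07/13/2013 10:11 AM : d41d8cd98f00b204e9800998ecf8427e [NoSig]",
    r"* C:\Windows\System32\kernel32.dll : 1,162,240 : 07/13/2013 10:11 AM : 0123456789abcdef0123456789abcdef [Sig]",
]


def _path_of(rkill_line):
    """Strip the leading '* ' and trailing ' [ZA File]'-style tag from an Rkill line."""
    return rkill_line.strip("* ").split(" [")[0]


def classify(line):
    """Return (rule, detail) when a log line shows a known symptom, else None."""
    # Rule 1: Winsock catalog entry whose DLL is missing or differs from the expected one.
    m = re.match(r"Winsock: Catalog5(?:-x64)? (\d\d) (\S+)\s+(.*)", line)
    if m:
        idx, dll, rest = m.groups()
        expected = EXPECTED_WINSOCK.get(idx)
        wrong_dll = expected is not None and not expected.lower().endswith("\\" + dll.lower())
        if "File Not found" in rest or wrong_dll:
            return ("winsock-lsp-tamper", f"entry {idx} -> {dll}, expected {expected}")
        return None
    # Rule 2: COM hijack: an InprocServer32 default value pointing into the Recycle Bin.
    m = re.search(r"InprocServer32: \[[^\]]*\] (.+?)\.?$", line)
    if m and ZA_RECYCLE_DIR.search(m.group(1)):
        return ("com-hijack", m.group(1))
    # Rule 3: the payload directory or the GAC Desktop.ini anywhere on the line.
    if ZA_RECYCLE_DIR.search(line):
        return ("za-recycle-dir", _path_of(line))
    if GAC_DESKTOP_INI.search(line):
        return ("za-gac-desktop-ini", _path_of(line))
    # Rule 4: a zero-length System32 DLL (size 0 or the MD5 of empty input).
    m = re.match(
        r"\* (C:\\Windows\\System32\\\S+) : (\d[\d,]*) : .* : ([0-9a-f]{32}) \[(\w+)\]",
        line, re.IGNORECASE,
    )
    if m and (m.group(2) == "0" or m.group(3).lower() == EMPTY_MD5):
        return ("zero-length-system-dll", m.group(1))
    return None


def triage(lines):
    """Run every rule over the given log lines; return the list of (rule, detail) hits."""
    hits = []
    for line in lines:
        hit = classify(line.rstrip())
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LINES):
        print(f"{rule:24} {detail}")
```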

Dakeyras
2013-09-14, 10:38
Hi. :)


Here it is...
Good...quite the favourable outcome so far, let's proceed as follows, shall we...

Download/Run ComboFix:

Please visit this webpage for download links (when saving ComboFix, do so to the desktop) and instructions for running the tool:

How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

How To Temporarily Disable Your Anti-virus, Firewall and Anti-malware Programs (http://www.bleepingcomputer.com/forums/topic114351.html) <-- Click on this link.
Please include the C:\ComboFix.txt in your next reply for further review.

Note: If ComboFix detects Rootkit activity and asks to reboot the system, please allow this to be done.

If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix Should Not be used unless advised to do so by a trained Anti-Malware helper.

Malwarebytes Anti-Malware:

Note: Remember to right click the executable for MBAM and select Run As Administrator.


Launch the application, Check for Updates >> Perform quick scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log into your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Scan with FSS:

Please download Farbar Service Scanner (http://download.bleepingcomputer.com/farbar/FSS.exe) and save to your desktop.


Right-click FSS.exe and select Run as Administrator to start the program.
Select all available options
Then click on the Scan tab.
When the scan is complete, it will produce a log named FSS.txt.
Post the contents in your next reply.

Next:

When you have completed the above, please post back the following in the order asked for:


How is your computer performing now, any further symptoms and/or problems encountered?
ComboFix Log.
Malwarebytes Anti-Malware Log.
Farbar Service Scanner Log.

Lexi321
2013-09-15, 22:45
Hello,
As per your requests:

How is your computer performing now, any further symptoms and/or problems encountered?

The computer seems to be performing well and AVG is not popping up alerts like it used to. The only issue I notice is that the hard drive seems to be constantly operating (I can hear it, and activity light blinking) when the computer is idle and not performing any tasks or scans etc.


ComboFix Log.

ComboFix 13-09-14.01 - Rick 15/09/2013 12:21:58.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.6071.4038 [GMT -4:00]
Running from: c:\users\Rick\Desktop\ComboFix.exe
AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\autorun.inf
c:\users\Rick\WINDOWS
c:\users\Sabrina\WINDOWS
c:\users\Samantha\WINDOWS
c:\windows\tmp
c:\windows\tmp\dd_vcredistMSI46A2.txt
c:\windows\tmp\dd_vcredistUI46A2.txt
c:\windows\tmp\qtsingleapp-koboex-7d5-1-lockfile
.
.
((((((((((((((((((((((((( Files Created from 2013-08-15 to 2013-09-15 )))))))))))))))))))))))))))))))
.
.
2013-09-15 16:29 . 2013-09-15 16:29 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp
2013-09-15 16:29 . 2013-09-15 16:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-15 16:29 . 2013-09-15 16:29 -------- d-----w- c:\users\Samantha\AppData\Local\temp
2013-09-15 16:29 . 2013-09-15 16:29 -------- d-----w- c:\users\Sabrina\AppData\Local\temp
2013-09-13 13:35 . 2013-09-13 13:35 -------- d-----w- C:\FRST
2013-09-11 21:27 . 2013-09-11 21:27 -------- d-----w- c:\programdata\Western Digital
2013-09-11 02:55 . 2013-08-05 02:25 155584 ----a-w- c:\windows\system32\drivers\ataport.sys
2013-09-10 22:28 . 2013-09-10 22:28 -------- d-----w- c:\programdata\Panda Security
2013-09-10 22:28 . 2013-09-10 22:28 -------- d-----w- c:\program files (x86)\Panda USB Vaccine
2013-09-10 01:57 . 2013-09-10 01:57 -------- d-----w- c:\users\Public\OEM
2013-09-07 22:54 . 2013-09-07 22:54 -------- d-----w- c:\program files (x86)\ERUNT
2013-09-07 21:21 . 2009-01-25 17:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
2013-09-07 21:21 . 2013-09-07 21:23 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
2013-09-07 19:22 . 2013-09-07 19:22 -------- d-----w- c:\program files (x86)\ESET
2013-09-05 05:43 . 2013-09-05 05:43 45880 ----a-w- c:\windows\system32\drivers\avgrkx64.sys
2013-08-21 23:26 . 2013-08-21 23:26 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-08-21 23:26 . 2013-08-21 23:26 -------- d-----w- c:\program files\iTunes
2013-08-21 23:26 . 2013-08-21 23:26 -------- d-----w- c:\program files (x86)\iTunes
2013-08-21 23:26 . 2013-08-21 23:26 -------- d-----w- c:\program files\iPod
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-14 04:37 . 2012-04-12 02:45 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-09-14 04:37 . 2011-06-14 20:28 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-11 07:42 . 2010-03-29 03:13 79143768 ----a-w- c:\windows\system32\MRT.exe
2013-08-02 01:48 . 2013-09-11 02:55 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2013-07-25 09:25 . 2013-08-14 11:04 1888768 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-07-25 08:57 . 2013-08-14 11:04 1620992 ----a-w- c:\windows\SysWow64\WMVDECOD.DLL
2013-07-20 05:51 . 2013-07-20 05:51 311608 ----a-w- c:\windows\system32\drivers\avgloga.sys
2013-07-20 05:50 . 2013-07-20 05:50 71480 ----a-w- c:\windows\system32\drivers\avgidsha.sys
2013-07-20 05:50 . 2013-07-20 05:50 246072 ----a-w- c:\windows\system32\drivers\avgidsdrivera.sys
2013-07-20 05:50 . 2013-07-20 05:50 206648 ----a-w- c:\windows\system32\drivers\avgldx64.sys
2013-07-19 01:58 . 2013-08-14 11:04 2048 ----a-w- c:\windows\system32\tzres.dll
2013-07-19 01:41 . 2013-08-14 11:04 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2013-07-13 14:11 . 2013-07-13 14:11 0 ----a-w- c:\windows\system32\sirenacm.dll
2013-07-13 14:11 . 2013-07-13 14:11 0 ----a-w- c:\windows\system32\olepro32.dll
2013-07-13 14:11 . 2013-07-13 14:11 0 ----a-w- c:\windows\system32\atiumdva.dll
2013-07-13 14:11 . 2013-07-13 14:11 0 ----a-w- c:\windows\system32\atiumdag.dll
2013-07-13 14:11 . 2013-07-13 14:11 0 ----a-w- c:\windows\system32\atidxx32.dll
2013-07-09 05:52 . 2013-08-14 11:04 224256 ----a-w- c:\windows\system32\wintrust.dll
2013-07-09 05:51 . 2013-08-14 11:04 1217024 ----a-w- c:\windows\system32\rpcrt4.dll
2013-07-09 05:46 . 2013-08-14 11:04 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2013-07-09 05:46 . 2013-08-14 11:04 1472512 ----a-w- c:\windows\system32\crypt32.dll
2013-07-09 05:46 . 2013-08-14 11:04 139776 ----a-w- c:\windows\system32\cryptnet.dll
2013-07-09 04:52 . 2013-08-14 11:04 663552 ----a-w- c:\windows\SysWow64\rpcrt4.dll
2013-07-09 04:52 . 2013-08-14 11:04 175104 ----a-w- c:\windows\SysWow64\wintrust.dll
2013-07-09 04:46 . 2013-08-14 11:04 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2013-07-09 04:46 . 2013-08-14 11:04 1166848 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-07-09 04:46 . 2013-08-14 11:04 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2013-07-06 06:03 . 2013-08-14 11:04 1910208 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-07-03 07:05 . 2013-07-03 07:05 1054720 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2013-07-03 07:05 . 2013-07-03 07:05 719360 ----a-w- c:\windows\SysWow64\mshtmlmedia.dll
2013-07-03 07:05 . 2013-07-03 07:05 226304 ----a-w- c:\windows\system32\elshyph.dll
2013-07-03 07:05 . 2013-07-03 07:05 185344 ----a-w- c:\windows\SysWow64\elshyph.dll
2013-07-03 07:05 . 2013-07-03 07:05 158720 ----a-w- c:\windows\SysWow64\msls31.dll
2013-07-03 07:05 . 2013-07-03 07:05 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2013-07-03 07:05 . 2013-07-03 07:05 138752 ----a-w- c:\windows\SysWow64\wextract.exe
2013-07-03 07:05 . 2013-07-03 07:05 523264 ----a-w- c:\windows\SysWow64\vbscript.dll
2013-07-03 07:05 . 2013-07-03 07:05 137216 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2013-07-03 07:05 . 2013-07-03 07:05 12800 ----a-w- c:\windows\SysWow64\mshta.exe
2013-07-03 07:05 . 2013-07-03 07:05 73728 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2013-07-03 07:05 . 2013-07-03 07:05 61952 ----a-w- c:\windows\SysWow64\tdc.ocx
2013-07-03 07:05 . 2013-07-03 07:05 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2013-07-03 07:05 . 2013-07-03 07:05 38400 ----a-w- c:\windows\SysWow64\imgutil.dll
2013-07-03 07:05 . 2013-07-03 07:05 361984 ----a-w- c:\windows\SysWow64\html.iec
2013-07-03 07:05 . 2013-07-03 07:05 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2013-07-03 07:05 . 2013-07-03 07:05 23040 ----a-w- c:\windows\SysWow64\licmgr10.dll
2013-07-03 07:05 . 2013-07-03 07:05 216064 ----a-w- c:\windows\system32\msls31.dll
2013-07-03 07:05 . 2013-07-03 07:05 197120 ----a-w- c:\windows\system32\msrating.dll
2013-07-03 07:05 . 2013-07-03 07:05 1441280 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2013-07-03 07:05 . 2013-07-03 07:05 97280 ----a-w- c:\windows\system32\mshtmled.dll
2013-07-03 07:05 . 2013-07-03 07:05 905728 ----a-w- c:\windows\system32\mshtmlmedia.dll
2013-07-03 07:05 . 2013-07-03 07:05 81408 ----a-w- c:\windows\system32\icardie.dll
2013-07-03 07:05 . 2013-07-03 07:05 762368 ----a-w- c:\windows\system32\ieapfltr.dll
2013-07-03 07:05 . 2013-07-03 07:05 599552 ----a-w- c:\windows\system32\vbscript.dll
2013-07-03 07:05 . 2013-07-03 07:05 452096 ----a-w- c:\windows\system32\dxtmsft.dll
2013-07-03 07:05 . 2013-07-03 07:05 441856 ----a-w- c:\windows\system32\html.iec
2013-07-03 07:05 . 2013-07-03 07:05 281600 ----a-w- c:\windows\system32\dxtrans.dll
2013-07-03 07:05 . 2013-07-03 07:05 27648 ----a-w- c:\windows\system32\licmgr10.dll
2013-07-03 07:05 . 2013-07-03 07:05 270848 ----a-w- c:\windows\system32\iedkcs32.dll
2013-07-03 07:05 . 2013-07-03 07:05 247296 ----a-w- c:\windows\system32\webcheck.dll
2013-07-03 07:05 . 2013-07-03 07:05 235008 ----a-w- c:\windows\system32\url.dll
2013-07-03 07:05 . 2013-07-03 07:05 167424 ----a-w- c:\windows\system32\iexpress.exe
2013-07-03 07:05 . 2013-07-03 07:05 1509376 ----a-w- c:\windows\system32\inetcpl.cpl
2013-07-03 07:05 . 2013-07-03 07:05 144896 ----a-w- c:\windows\system32\wextract.exe
2013-07-03 07:05 . 2013-07-03 07:05 1400416 ----a-w- c:\windows\system32\ieapfltr.dat
2013-07-03 07:05 . 2013-07-03 07:05 102912 ----a-w- c:\windows\system32\inseng.dll
2013-07-03 07:05 . 2013-07-03 07:05 92160 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2013-07-03 07:05 . 2013-07-03 07:05 62976 ----a-w- c:\windows\system32\pngfilt.dll
2013-07-03 07:05 . 2013-07-03 07:05 52224 ----a-w- c:\windows\system32\msfeedsbs.dll
2013-07-03 07:05 . 2013-07-03 07:05 51200 ----a-w- c:\windows\system32\imgutil.dll
2013-07-03 07:05 . 2013-07-03 07:05 48640 ----a-w- c:\windows\system32\mshtmler.dll
2013-07-03 07:05 . 2013-07-03 07:05 173568 ----a-w- c:\windows\system32\ieUnatt.exe
2013-07-03 07:05 . 2013-07-03 07:05 149504 ----a-w- c:\windows\system32\occache.dll
2013-07-03 07:05 . 2013-07-03 07:05 13824 ----a-w- c:\windows\system32\mshta.exe
2013-07-03 07:05 . 2013-07-03 07:05 136192 ----a-w- c:\windows\system32\iepeers.dll
2013-07-03 07:05 . 2013-07-03 07:05 135680 ----a-w- c:\windows\system32\IEAdvpack.dll
2013-07-03 07:05 . 2013-07-03 07:05 12800 ----a-w- c:\windows\system32\msfeedssync.exe
2013-07-03 07:05 . 2013-07-03 07:05 77312 ----a-w- c:\windows\system32\tdc.ocx
2013-07-03 07:03 . 2013-07-03 07:03 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-07-03 07:03 . 2013-07-03 07:03 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-07-03 07:03 . 2013-07-03 07:03 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-07-03 07:03 . 2013-07-03 07:03 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-07-03 07:03 . 2013-07-03 07:03 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-07-03 07:03 . 2013-07-03 07:03 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-07-03 07:03 . 2013-07-03 07:03 522752 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2013-07-03 07:03 . 2013-07-03 07:03 465920 ----a-w- c:\windows\system32\WMPhoto.dll
2013-07-03 07:03 . 2013-07-03 07:03 417792 ----a-w- c:\windows\SysWow64\WMPhoto.dll
2013-07-03 07:03 . 2013-07-03 07:03 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
2013-07-03 07:03 . 2013-07-03 07:03 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-07-03 07:03 . 2013-07-03 07:03 364544 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2013-07-03 07:03 . 2013-07-03 07:03 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-07-03 07:03 . 2013-07-03 07:03 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-07-03 07:03 . 2013-07-03 07:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
2013-07-03 07:03 . 2013-07-03 07:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-07-03 07:03 . 2013-07-03 07:03 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2013-07-03 07:03 . 2013-07-03 07:03 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-07-03 07:03 . 2013-07-03 07:03 2776576 ----a-w- c:\windows\system32\msmpeg2vdec.dll
2013-07-03 07:03 . 2013-07-03 07:03 2560 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-07-03 07:03 . 2013-07-03 07:03 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-07-03 07:03 . 2013-07-03 07:03 2284544 ----a-w- c:\windows\SysWow64\msmpeg2vdec.dll
2013-07-03 07:03 . 2013-07-03 07:03 1682432 ----a-w- c:\windows\system32\XpsPrint.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WeatherEye"="c:\users\Rick\AppData\Local\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-10-27 718232]
"Simp"="c:\program files (x86)\Secway\SimpLite-MSN 2.5\SimpLite-MSN.exe" [2010-11-09 2094080]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"cdloader"="c:\users\Rick\AppData\Roaming\mjusbsp\cdloader2.exe" [2012-02-01 50592]
"GarminExpressTrayApp"="c:\program files (x86)\Garmin\Express Tray\ExpressTray.exe" [2013-08-22 1093464]
"KiesPreload"="c:\program files (x86)\Samsung\Kies\Kies.exe" [2013-05-23 1561968]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-01 39408]
"Spybot-S&D Cleaning"="c:\program files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" [2013-05-16 3642312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-18 98304]
"NBAgent"="c:\program files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-03-26 1234216]
"masqform.exe"="c:\program files (x86)\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 643072]
"LifeCam"="c:\program files (x86)\Microsoft LifeCam\LifeExp.exe" [2010-05-20 119152]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"Google Desktop Search"="c:\program files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-14 30192]
"Gateway Photo Frame"="c:\program files (x86)\Gateway Photo Frame\ButtonMonitor.exe" [2009-07-20 124416]
"ConnectionManager"="c:\program files (x86)\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe" [2012-08-14 152424]
"BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" [2009-08-12 244480]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"AVG_UI"="c:\program files (x86)\AVG\AVG2013\avgui.exe" [2013-08-15 4411440]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"RIMBBLaunchAgent.exe"="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2013-01-17 267792]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-05-01 421888]
"KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2013-05-23 311152]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-08-16 152392]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2007-04-27 16:10 18744 ----a-w- c:\windows\System32\PCANotify.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\progra~2\Google\GOOGLE~3\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files (x86)\Google\Google Desktop Search\GoogleDesktop.exe;c:\program files (x86)\Google\Google Desktop Search\GoogleDesktop.exe [x]
R3 Sage 50 Transaction Manager 2013 - CDN;Sage 50 Transaction Manager 2013 - CDN;c:\program files (x86)\Winsim\TransactionManager2013 - CDN\Sage_SA.TransactionManager.exe;c:\program files (x86)\Winsim\TransactionManager2013 - CDN\Sage_SA.TransactionManager.exe [x]
R3 Sage Simply Accounting Transaction Manager 2011 - CDN;Sage Simply Accounting Transaction Manager 2011 - CDN;c:\program files (x86)\Winsim\TransactionManager2011 - CDN\Sage_SA.TransactionManager.exe;c:\program files (x86)\Winsim\TransactionManager2011 - CDN\Sage_SA.TransactionManager.exe [x]
R3 Sage Simply Accounting Transaction Manager 2012 - CDN;Sage Simply Accounting Transaction Manager 2012 - CDN;c:\program files (x86)\Winsim\TransactionManager2012 - CDN\Sage_SA.TransactionManager.exe;c:\program files (x86)\Winsim\TransactionManager2012 - CDN\Sage_SA.TransactionManager.exe [x]
R3 Simply Accounting Transaction Manager 2010 - CDN;Simply Accounting Transaction Manager 2010 - CDN;c:\program files (x86)\Winsim\TransactionManager2010 - CDN\Sage_SA.TransactionManager.exe;c:\program files (x86)\Winsim\TransactionManager2010 - CDN\Sage_SA.TransactionManager.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsha.sys [x]
S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys;c:\windows\SYSNATIVE\DRIVERS\avgloga.sys [x]
S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgmfx64.sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgrkx64.sys [x]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsdrivera.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgldx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys;c:\windows\SYSNATIVE\DRIVERS\avgtdia.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe [x]
S2 Garmin Core Update Service;Garmin Core Update Service;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [x]
S2 Greg_Service;GRegService;c:\program files (x86)\Gateway\Registration\GregHSRW.exe;c:\program files (x86)\Gateway\Registration\GregHSRW.exe [x]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [x]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [x]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe;c:\program files (x86)\Nero\Update\NASvc.exe [x]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [x]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
S2 Simply Accounting Database Connection Manager;Sage 50 Database Connection Manager;c:\program files (x86)\Winsim\ConnectionManager\SimplyConnectionManager.exe;c:\program files (x86)\Winsim\ConnectionManager\SimplyConnectionManager.exe [x]
S2 SlingAgentService;SlingAgentService;c:\program files (x86)\Sling Media\SlingAgent\SlingAgentService.exe;c:\program files (x86)\Sling Media\SlingAgent\SlingAgentService.exe [x]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [x]
S2 USBS3S4Detection;USBS3S4Detection;c:\oem\USBDECTION\USBS3S4Detection.exe;c:\oem\USBDECTION\USBS3S4Detection.exe [x]
S3 BlackBerry Device Manager;BlackBerry Device Manager;c:\program files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe;c:\program files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [x]
S3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys;c:\windows\SYSNATIVE\DRIVERS\e1k62x64.sys [x]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\Drivers\nx6000.sys;c:\windows\SYSNATIVE\Drivers\nx6000.sys [x]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys;c:\windows\SYSNATIVE\Drivers\pcouffin.sys [x]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 04:37]
.
2013-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-03-29 04:00]
.
2013-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-03-29 04:00]
.
2013-09-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1206012796-1689309657-3446792677-1000Core.job
- c:\users\Rick\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-24 04:11]
.
2013-09-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1206012796-1689309657-3446792677-1000UA.job
- c:\users\Rick\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-24 04:11]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-10-28 8312352]
"LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2008-08-11 57928]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-10-13 186904]
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uLocal Page = c:\windows\system32\blank.htm
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: airmilesshops.ca\www
TCP: DhcpNameServer = 192.168.0.1
Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - c:\program files (x86)\TurboTax 2011\ic2011pp.dll
Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - c:\program files (x86)\TurboTax 2012\ic2012pp.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.3.0/GarminAxControl_32.CAB
DPF: {48A5DF03-A77C-4C9F-95C9-CEDC34631004} - hxxps://www.mydlink.com/8D/activeX//DCPP.cab
DPF: {57AF0810-BDA7-47A5-B02D-FDA1073C04B0} - hxxps://www.mydlink.com/8D/activeX//TunnelX.ocx
DPF: {7191F0AC-D686-46A8-BFCC-EA61778C74DD} - hxxps://www.mydlink.com/8D/activeX//aplugLiteDL.cab
FF - ProfilePath - c:\users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\gsuaeeby.default\
FF - prefs.js: browser.startup.homepage - hxxps://westway.taxicharger.com/westway/system
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-KiesAirMessage - c:\program files (x86)\Samsung\Kies\KiesAirMessage.exe
Notify-SDWinLogon - SDWinLogon.dll
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_174_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_174_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_174_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_174_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_174.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_174.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_174.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_174.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DbgagD\1*]
"value"="?\09\06\18\0d0,H"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-09-15 12:37:16
ComboFix-quarantined-files.txt 2013-09-15 16:37
.
Pre-Run: 635,997,057,024 bytes free
Post-Run: 636,055,703,552 bytes free
.
- - End Of File - - CEC20D07933B1D64AE448F3C94EFAA2C
A36C5E4F47E84449FF07ED3517B43A31


Malwarebytes Anti-Malware Log.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.15.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16686
Rick :: RICK-PC [administrator]

15/09/2013 12:43:47 PM
mbam-log-2013-09-15 (12-43-47).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 339488
Time elapsed: 4 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Users\Rick\AppData\Roaming\OpenCandy (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Rick\AppData\Roaming\OpenCandy\076DF2A85A254267BA5BAACE5D08CE0F (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.

Files Detected: 3
C:\Users\Rick\AppData\Roaming\OpenCandy\076DF2A85A254267BA5BAACE5D08CE0F\OtshotInstaller7.exe (PUP.Optional.Otshot.A) -> Quarantined and deleted successfully.
C:\Users\Rick\Downloads\InternationalPrimoPDF.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Rick\Downloads\SetupImgBurn_2.5.8.0.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.

(end)


Farbar Service Scanner Log.

Farbar Service Scanner Version: 13-09-2013
Ran by Rick (administrator) on 15-09-2013 at 15:27:57
Running from "C:\Users\Rick\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

Thank you.

Dakeyras
2013-09-16, 14:03
Hi. :)


The computer seems to be performing well and AVG is not popping up alerts like it used to.
Good.


The only issue I notice is that the hard drive seems to be constantly operating (I can hear it, and activity light blinking) when the computer is idle and not performing any tasks or scans etc.

Acknowledged.

Java Advice:

There has been a recent severe exploitation of this software. Even though this exploit has been reportedly fixed, there is still a vulnerability with the software. The below is currently all that is installed Java related:-

Java 7 Update 25
Java Auto Updater
Java(TM) 6 Update 29
Java(TM) SE Runtime Environment 6 Update 5
JavaFX 2.1.1

So you need to uninstall all (if still present, via Uninstall a program or Programs and Features located in the Control Panel)... Your choice if you wish to go ahead and reinstall, but I advise against it, and for the present I do not even have anything Java related installed on my machines.

Please let me know what you wish to do about this in your next reply, and if you opt to re-install I will provide both the appropriate instructions and safety advice etc.

Scan with JRT:

Please download Junkware Removal Tool (http://www.bleepingcomputer.com/download/junkware-removal-tool/) to your desktop.

Note: Temporarily disable/shut down your protection software now to avoid potential conflicts; how to do so can be read here (http://www.bleepingcomputer.com/forums/topic114351.html).


Right-click on JRT.exe and select Run as Administrator to launch the application >> follow the on-screen prompt.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

Note: Reboot your machine and ensure all disabled security software is now enabled etc.

Scan with TDSSKiller:

Please download TDSSKiller (http://www.bleepingcomputer.com/download/tdsskiller/) to the desktop.

Alternate download is here (http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe).


Right-click on TDSSKiller.exe and select Run as Administrator to launch it.
When the window opens, click on Change Parameters
Under Additional options, select both Verify driver digital signatures & Detect TDLFS File System >> OK
Click on Start Scan, the scan will run.
When the scan has finished, if it finds anything please click on the drop down arrow next to Cure and select Skip.
A Report will have been created by TDSSKiller in your root directory C:\
To find the log go to Start (Windows 7 Orb) > Computer > C:
Post the contents of that log in your next reply please.

Note: Do not have TDSSKiller remove anything if found at this point in time!
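
As an added editorial example (not part of Dakeyras's post or of any tool he names), the Java inventory above can be reproduced from the command line. The script below is original to this edit; it lists every installed product whose DisplayName mentions Java by reading the standard Uninstall keys in the 64-bit hive, the 32-bit (Wow6432Node) hive and the per-user hive, which is what the Programs and Features dialog draws from. The function name Get-InstalledJava is an assumption of this example, not a built-in cmdlet.

```powershell
# Added example, not from the thread: inventory installed Java products on a
# 64-bit Windows 7 machine. The three Uninstall keys below are the standard
# locations Programs and Features reads; the per-product entries are real
# Windows registry conventions, the function name is this example's own.
$uninstallKeys = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall';             Hive = '64-bit'   },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'; Hive = '32-bit'   },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall';             Hive = 'per-user' }
)

function Get-InstalledJava {
    foreach ($key in $uninstallKeys) {
        # A hive may be absent (e.g. no Wow6432Node on a 32-bit OS); skip it quietly.
        if (-not (Test-Path $key.Path)) { continue }

        Get-ChildItem -Path $key.Path | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            # Only entries with a DisplayName appear in Programs and Features;
            # match on "Java" so JRE, JDK, JavaFX and "Java Auto Updater" are all caught.
            if ($p.DisplayName -and $p.DisplayName -match 'Java') {
                [PSCustomObject]@{
                    DisplayName     = $p.DisplayName
                    DisplayVersion  = $p.DisplayVersion
                    Publisher       = $p.Publisher
                    Hive            = $key.Hive
                    # The command Programs and Features would run for "Uninstall".
                    UninstallString = $p.UninstallString
                }
            }
        }
    }
}

# Run from an elevated PowerShell prompt so HKLM is fully readable.
Get-InstalledJava | Sort-Object DisplayName | Format-Table -AutoSize
```

The Hive column is the useful part for a case like this thread: a product that is not visible where you expect it (the 32-bit Java Auto Updater on a 64-bit machine, for instance) is usually registered under Wow6432Node rather than the 64-bit hive, and the UninstallString shows the exact command Programs and Features would run for that entry, so you can confirm the item still exists before concluding it is gone.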

Lexi321
2013-09-17, 06:21
Hi,


Please let me know what you wish to do about this in your next reply, and if you opt to re-install I will provide both the appropriate instructions and safety advice etc.

I have not removed the Java items yet, but will, but would appreciate instructions on how to re-install should I need to in the future.

The logs are attached as they are quite large.

I look forward to your response.

:thanks:

Dakeyras
2013-09-17, 12:15
Hi. :)


I have not removed the Java items yet, but will, but would appreciate instructions on how to re-install should I need to in the future.
Fair play, but I advise you do so as soon as possible, because having out-of-date Java software installed is also deemed a security risk, and I can also clean up any remnants left behind after the aforementioned removal.

How to update in the future as follows...

Go here: Java SE Downloads (http://www.oracle.com/technetwork/java/javase/downloads/index.html) and click on the JRE Download button, then click on Accept License Agreement.

At present (the last time I checked) the latest version is:-

Java SE Runtime Environment 7u40

So this may have changed by the time/if you ever opt to reinstall. Now the version you would need to download would be:

Windows x64 - jre-7u40-windows-x64.exe; merely download the installer to the desktop, then right click on it and select Run as Administrator to install Java.

After the new installation, how to secure the software can be read here (http://www.geekstogo.com/2600/how-to-disable-java-in-your-web-browser/).

Next:

There are two files I would like to check, to err on the side of caution...

Now please go to my file submission channel here (http://www.bleepingcomputer.com/submit-malware.php?channel=87).

Next to the box:- Link to topic where this file was requested: Add in the below:-


http://forums.spybot.info/showthread.php?69296-Trojan-Detected-Unable-to-Remove

Next to the box: Browse to the file you want to submit: click on the Browse... tab and navigate to the below:-

C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe

Then click on the Send File tab. I will be notified when the file has been uploaded and checked.

Next:-

Repeat the above process for the following also:

C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe

Scan with AdwCleaner:

Please download adwcleaner from here (http://www.bleepingcomputer.com/download/adwcleaner/) and save to your desktop.

Alternate downloads are here (http://www.softpedia.com/get/Antivirus/Removal-Tools/AdwCleaner.shtml) or here (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner).


Right-click on adwcleaner.exe and select Run as Administrator to launch the application.
Now click on the Scan tab >> once the scan is complete click on the Clean tab and follow the prompts.
Allow the system to reboot. You will then be presented with the report. Copy & Paste this report on your next reply.

Note: The log can also be located at C: >> AdwCleaner >> AdwCleaner[SN].txt >> N <-- denotes the number of times the application has been run, so in this case it should be 1.

Lexi321
2013-09-18, 04:48
Hello,

I have removed all the Java programs except for Java Auto Updater, as I couldn't find it to uninstall it. I have uploaded the files you requested. Here is the AdwCleaner File:

# AdwCleaner v3.004 - Report created 17/09/2013 at 21:20:56
# Updated 15/09/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Rick - RICK-PC
# Running from : C:\Users\Rick\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Sabrina\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Sabrina\AppData\LocalLow\Vuze_Remote
Folder Deleted : C:\Users\Samantha\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Samantha\AppData\LocalLow\ConduitEngine
Folder Deleted : C:\Users\Samantha\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\Samantha\AppData\LocalLow\Vuze_Remote
File Deleted : C:\Users\Rick\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_search.conduit.com_0.localstorage

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{70809736-9F62-444C-9F72-A198B4E61B86}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A13CC898-9CA9-4578-9629-B328422FF014}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKCU\Software\UpdateStar
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16686


-\\ Mozilla Firefox v23.0.1 (en-US)

[ File : C:\Users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\gsuaeeby.default\prefs.js ]

Line Deleted : user_pref("CT3308528_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\":1378657596328,\"isWithState\":\"\",\"timeFromStart\":0,\"timeFromPrev\":0}]");

-\\ Google Chrome v

[ File : C:\Users\Rick\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [2974 octets] - [17/09/2013 21:18:07]
AdwCleaner[S0].txt - [2907 octets] - [17/09/2013 21:20:56]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2967 octets] ##########

I got the following report from AVG after AdwCleaner ran:
"General behavioral detection, C:\Users\Rick\Desktop\AdwCleaner.exe";"Infected";"17/09/2013, 9:22:11 PM";"File or Directory";""


Dakeyras
2013-09-18, 12:44
Hi. :)


I have removed all the Java programs except for Java Auto Updater, as I couldn't find it to uninstall it
Good, and the latter is not a problem; it was most likely auto-uninstalled along with the rest. The only reason I included it was that sometimes it can be left behind.


I have uploaded the files you requested.
Thank you and the results are favourable so no further action is required with regard to them.


I got the following report from AVG after AdwCleaner ran:
"General behavioral detection, C:\Users\Rick\Desktop\AdwCleaner.exe";"Infected";"17/09/2013, 9:22:11 PM";"File or Directory";""
Not a problem, as many security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe. Anyway, we are about to uninstall AVG and replace it as follows...

Next:

Download the following to your desktop:-

AVG Remover(64bit) 2013 (http://download.avg.com/filedir/util/avgrem/avg_remover_stf_x64_2013_3341.exe)

Then the installer for the Anti-Virus software replacement you wish to use:-

Avast! Free Antivirus (http://www.filehippo.com/download_avast_antivirus/) or Microsoft Security Essentials (http://windows.microsoft.com/en-gb/windows/security-essentials-download)

Uninstall AVG 2013:

Right click on avg_remover_stf_x64_2013_3341.exe and select Run as Administrator >> Yes

Reboot your machine if not advised to.

Note: There will be a Notepad file on the desktop after running the above-named AVG remover. I have no need to review this unless a problem was encountered running the uninstallation tool itself.

Install a new AV:

Right click on the executable/installer for the AV you chose and select Run as Administrator >> follow the prompts to install.

Once installed check for updates if not prompted during the aforementioned installation process and run a full scan >> have the AV fix/remove anything found.

Note: If anything was removed, please inform me in your next reply and, if needed, I will provide instructions so you can post the appropriate log for my review.

Scan with OTL:

Please download OTL (http://oldtimer.geekstogo.com/OTL.exe) and save it to your Desktop.

Alternate downloads are here (http://oldtimer.geekstogo.com/OTL.com) and here (http://oldtimer.geekstogo.com/OTL.scr).


Right-click on OTL.exe and select Run as Administrator to start OTL.
Ensure Include 64bit Scans is selected.
Under Output, ensure that Standard Output is selected.
Under Extra Registry section, select Use SafeList.
Click the Scan All Users checkbox.
Click on Run Scan at the top left hand corner.
When done, two Notepad files will open.
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized
Please post the contents of these two Notepad files in your next reply.

Next:

When you have completed the above, please post back the following in the order asked for:


How is your computer performing now, any further symptoms and or problems encountered?
Both OTL logs. <-- Post them individually please, i.e. one log per post/reply.

Lexi321
2013-09-20, 05:47
Hi,


How is your computer performing now, any further symptoms and or problems encountered?

The computer seems to be running fine. No signs of viral activity.


Both OTL logs. <-- Post them individually please, i.e. one log per post/reply.

Tried to paste OTL.txt but it's too large. Please find it attached.

Lexi321
2013-09-20, 05:48
Here's the Extra file...

OTL Extras logfile created on: 19/09/2013 10:32:11 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Rick\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16686)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

5.93 Gb Total Physical Memory | 3.46 Gb Available Physical Memory | 58.41% Memory free
11.86 Gb Paging File | 9.08 Gb Available in Paging File | 76.58% Paging File free
Paging file location(s): ?:\pagefile.sys

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 914.41 Gb Total Space | 587.84 Gb Free Space | 64.29% Space Free | Partition Type: NTFS
Drive K: | 1.64 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive L: | 17.59 Mb Total Space | 17.32 Mb Free Space | 98.44% Space Free | Partition Type: FAT

Computer Name: RICK-PC | User Name: Rick | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" (VideoLAN)
Directory [Browse with &IrfanView] -- "C:\Program Files (x86)\IrfanView\i_view32.exe" "%1 /thumbs" (Irfan Skiljan)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" (VideoLAN)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" (VideoLAN)
Directory [Browse with &IrfanView] -- "C:\Program Files (x86)\IrfanView\i_view32.exe" "%1 /thumbs" (Irfan Skiljan)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" (VideoLAN)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Value error.

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()
"C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe" = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe:*:Enabled:Spybot-S&D 2 Tray Icon -- (Safer-Networking Ltd.)
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe" = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe:*:Enabled:Spybot-S&D 2 Scanner Service -- (Safer-Networking Ltd.)
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe" = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe:*:Enabled:Spybot-S&D 2 Updater -- (Safer-Networking Ltd.)
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe" = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe:*:Enabled:Spybot-S&D 2 Background update service -- (Safer-Networking Ltd.)
"C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe" = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe:*:Enabled:Spybot-S&D 2 Tray Icon -- (Safer-Networking Ltd.)
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe" = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe:*:Enabled:Spybot-S&D 2 Scanner Service -- (Safer-Networking Ltd.)
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe" = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe:*:Enabled:Spybot-S&D 2 Updater -- (Safer-Networking Ltd.)
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe" = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe:*:Enabled:Spybot-S&D 2 Background update service -- (Safer-Networking Ltd.)


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0251B27E-63FE-44A5-A136-85FDDD0339FA}" = lport=4000 | protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"{043D0921-D8DC-4BAE-BD4F-8C151CEA8494}" = lport=10243 | protocol=6 | dir=in | app=system |
"{130A02B8-BB48-4B8D-A7F9-B977A888AB89}" = lport=137 | protocol=17 | dir=in | app=system |
"{182C9ED4-C950-4150-8FCB-AFA08A1CCD62}" = lport=4000 | protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"{1AEFB042-7BCC-426D-9A3D-61405C76EC2D}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
"{1BFB94A0-311A-4CF2-ABD5-608B07EFCAE0}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{215C6389-2115-43C9-BEDC-9BB7A3060D26}" = lport=4481 | protocol=6 | dir=in | name=blackberry desktop software wireless music sync data transfer |
"{292ABAF5-072E-478F-BEEF-98727B6CF098}" = lport=4482 | protocol=6 | dir=in | name=blackberry desktop software wireless music sync data transfer |
"{35C0296F-2B0F-48A1-8B93-A9DD7B08328A}" = rport=445 | protocol=6 | dir=out | app=system |
"{36B698AF-8B5B-4C39-9159-BD049E4A2B73}" = lport=4482 | protocol=17 | dir=in | name=blackberry desktop software wireless music sync discovery |
"{3BE3D1B2-6CCE-4DA4-ABA3-2BE4AAAAC50C}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{42FA1F3C-2709-4B85-B18D-BA276F947DA0}" = lport=2869 | protocol=6 | dir=in | app=system |
"{52DD0586-2319-4484-8B7C-D5E9C953B665}" = lport=138 | protocol=17 | dir=in | app=system |
"{52DDE362-315A-4350-9722-5D0DDE16F5F4}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{5E96CD5D-745A-4F5B-B226-1BAA72A5AB38}" = lport=139 | protocol=6 | dir=in | app=system |
"{5ED2A10E-AF76-4720-ADF4-9C90329387CF}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{60F09B6D-5A42-4758-879D-096DB652F70C}" = rport=137 | protocol=17 | dir=out | app=system |
"{659E25C1-61CB-40C8-9124-92A36EDA2E78}" = lport=445 | protocol=6 | dir=in | app=system |
"{70E5637B-9E46-48D0-BA75-F87DF5E4A64B}" = lport=4100 | protocol=17 | dir=in | name=upnp router control port |
"{73968998-DAD9-4F2F-B58F-C3CBD957CA64}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{9528748D-5229-4161-9EAD-B43522CD0E9A}" = lport=4000 | protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"{9F9C0C17-B1C2-4324-AE71-D28333E2CB43}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{A91C089D-C134-44D4-AED3-76F1895EC01D}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{A94BDBEA-D2E4-4544-AF6B-BAA98677B21D}" = lport=2869 | protocol=6 | dir=in | app=system |
"{AA9AE678-8A87-428D-96CA-452D884E6C6B}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{ACC6E602-5D72-4497-8FAE-CA148CC9F2C5}" = rport=138 | protocol=17 | dir=out | app=system |
"{B514A767-C274-4E48-9359-F5FF06966030}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{B7900AE7-45A5-41BB-B8E1-56292C815C24}" = lport=4481 | protocol=17 | dir=in | name=blackberry desktop software wireless music sync discovery |
"{BD32023D-A7AF-4F5D-8EA1-27164DE1F8A9}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{CC101A6F-5876-4C66-AE3D-2D8261CB73E1}" = lport=4000 | protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"{CD8C1C50-EEB3-4BA1-8F27-52A5C9DC9848}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{D689F8D2-3E52-4DC3-8505-70D5A901BCCE}" = lport=4000 | protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"{E88C772D-DD61-4243-9339-46289AD23A63}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{ED8B894B-BB1E-4718-8CAE-C1B20404633F}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{EEA2AA39-C2EB-4B4F-A1EF-5012ACAB5E95}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{F2DEC844-3E71-4F9D-8E05-9100380070D0}" = rport=139 | protocol=6 | dir=out | app=system |
"{FD0A6492-74DD-48C8-A830-933F5C56695C}" = lport=4000 | protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"{FEC7E5D0-087F-4F6F-AD14-274E21A87D74}" = lport=4000 | protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"{FEF5C6A8-6A76-4A5D-9607-A1DF3B665AE5}" = rport=10243 | protocol=6 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{004BDF36-679A-4820-BFC0-E33828CE8B51}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{0C1E983E-9696-4B97-91C8-5EA6ECC06141}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{0F5A85EB-DC10-42D3-A919-610C73079DED}" = protocol=17 | dir=in | app=c:\program files (x86)\research in motion\blackberry desktop\rim.desktop.exe |
"{169A2937-B01F-4753-BF6B-508DCDC847FA}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{199A59E3-9283-45C4-B061-8743AC84F4F2}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft lifecam\lifeexp.exe |
"{1C4587A7-48A3-4D9A-B91F-FD0B04FFD3BE}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{2B115F2F-1B81-46F0-A11A-BBD7A8062315}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft lifecam\lifetray.exe |
"{37CDCE0D-D4D1-470A-9C72-287ABA7A061B}" = dir=in | app=c:\program files (x86)\windows live\sync\windowslivesync.exe |
"{47879582-FE90-409C-B945-CE4013E1F5B4}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe |
"{47F3ED98-8B37-4F41-9AE7-39B1D3A00B6B}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft lifecam\lifetray.exe |
"{4B080D26-3514-4E69-A432-7288B3DBBA1B}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{4BBF1986-16F9-450F-9856-A8C10C138D51}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{53083614-CB81-4C81-9AA5-BB0AB2D169EA}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{566A0DBA-C192-47E5-ABB2-2C3C7913ABCB}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{5864FE5B-70CB-4DEB-9AAE-7DCE86D2E77A}" = protocol=17 | dir=in | app=c:\program files (x86)\avg\avg10\avgmfapx.exe |
"{5D050468-CD44-42E1-BAB8-850FDE7F17A4}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{5FCF43DE-52A7-4578-9BFC-64DC288C3682}" = protocol=6 | dir=in | app=c:\program files (x86)\research in motion\blackberry desktop\rim.desktop.exe |
"{62CE290F-FE95-452B-896A-C55AF48AFAB5}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft lifecam\lifeenc2.exe |
"{63F3D053-C1EA-44E5-A3C2-1BE217644342}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft lifecam\lifecam.exe |
"{6D6A3B7A-CC18-4753-BC27-6B0A6D9C88C6}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{746AA295-7A58-4922-883A-B75E45FB5723}" = protocol=6 | dir=out | app=system |
"{75586BF0-AE34-4158-AB0A-B2CE70A682CD}" = dir=in | app=c:\program files (x86)\itunes\itunes.exe |
"{77119170-E5FA-4427-8E22-D4F79FDF9D03}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe |
"{79840BA8-7BF1-4450-8218-02FAFC21B0DE}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft lifecam\lifecam.exe |
"{79999549-9E5B-485C-9425-E245ADA1BD90}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{80D28D6F-1A72-44F0-8D33-C23A94154474}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{848EB71D-870C-416C-81C8-84AC10F4142C}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe |
"{854FEC7C-8D62-4AF0-8D99-D9C2C4759862}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{934B76E2-CC77-4375-A6E8-BFD85510751C}" = protocol=17 | dir=in | app=c:\program files (x86)\vuze\azureus.exe |
"{9EA43D7D-1C7A-4A62-BE0D-2C1E53E8EEF2}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{A311B1E6-7476-4DB9-A071-0293EC313842}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{AEC175AE-B4DC-4198-8DD6-AB1F96C1561A}" = dir=in | app=c:\users\rick\appdata\local\facebook\video\skype\facebookvideocalling.exe |
"{B57B95A0-E2EE-49E4-8087-823E737BBD48}" = dir=in | app=c:\program files (x86)\windows live\contacts\wlcomm.exe |
"{B745F4AD-C74E-4F19-877B-A8996D35A1F8}" = protocol=6 | dir=in | app=c:\program files (x86)\vuze\azureus.exe |
"{B7914991-87C8-462B-858B-8789432BB63B}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft lifecam\lifeenc2.exe |
"{C616B351-EABD-49C0-AC4E-CF68020551A3}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{CD2F73F6-AAC6-49CA-BC49-A47E5E326611}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{CDFC3D66-899F-4972-9A0D-4CDDC574FEF2}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{CEDD1884-8670-4BA0-B1BD-38F165F133C9}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{D930823A-372B-46AD-98C0-F013E7901C7D}" = protocol=6 | dir=in | app=c:\program files (x86)\avg\avg10\avgmfapx.exe |
"{DB2BEC5C-9B0F-4FFB-92E7-166FBC98D232}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{EEE2E806-1B35-486F-A27B-94D0C79168F5}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{F3633C8D-8A3F-4C12-83BE-5035E1599F82}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft lifecam\lifeexp.exe |
"{F507BF5E-C066-4040-9629-6C6C71FCAC52}" = dir=in | app=c:\program files (x86)\common files\apple\apple application support\webkit2webprocess.exe |
"{FFC4B4A9-4525-4847-9217-7697FE15BC50}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{FFE0247A-F05C-4149-B06B-6059A3148C15}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"TCP Query User{16D124EF-C552-4B3D-8CB3-08809D8C5A75}C:\program files (x86)\vuze\azureus.exe" = protocol=6 | dir=in | app=c:\program files (x86)\vuze\azureus.exe |
"TCP Query User{26E68BA3-2C3E-48E8-8F4D-9891F9721825}C:\users\rick\appdata\local\google\chrome\application\chrome.exe" = protocol=6 | dir=in | app=c:\users\rick\appdata\local\google\chrome\application\chrome.exe |
"TCP Query User{2B179C3C-8E51-45C7-B001-1CA50ACC4253}C:\windows\splwow64.exe" = protocol=6 | dir=in | app=c:\windows\splwow64.exe |
"TCP Query User{477A7B03-1476-431B-8F20-DE4B5DC88396}C:\program files (x86)\vuze\azureus64.exe" = protocol=6 | dir=in | app=c:\program files (x86)\vuze\azureus64.exe |
"TCP Query User{525141AB-7156-40B0-9F77-F63DC88C846A}C:\users\rick\appdata\local\temp\rarsfx0\setup_wizard.exe" = protocol=6 | dir=in | app=c:\users\rick\appdata\local\temp\rarsfx0\setup_wizard.exe |
"TCP Query User{6FC268CD-6789-432E-B164-9B65D1854D77}C:\program files (x86)\google\google earth\client\googleearth.exe" = protocol=6 | dir=in | app=c:\program files (x86)\google\google earth\client\googleearth.exe |
"TCP Query User{79239B99-6C11-4E00-9CF3-27356F74F96E}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"TCP Query User{A23ADEDD-F5BF-4DE8-B73E-8C5407B23FC9}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
"TCP Query User{B91D9F9E-726D-4185-94CF-C9A230F5C45C}C:\windows\system32\migwiz\migwiz.exe" = protocol=6 | dir=in | app=c:\windows\system32\migwiz\migwiz.exe |
"TCP Query User{BE970D0E-61E0-4C1D-AC38-ACA80D941148}C:\program files (x86)\gametap web player\bin\release\gametapplayer.exe" = protocol=6 | dir=in | app=c:\program files (x86)\gametap web player\bin\release\gametapplayer.exe |
"TCP Query User{C3D74E73-4D8E-4986-BDFD-5D3D5226F8C6}C:\program files (x86)\limewire\limewire.exe" = protocol=6 | dir=in | app=c:\program files (x86)\limewire\limewire.exe |
"TCP Query User{C631B8B6-5158-4995-B03F-5B835F97F06E}C:\users\rick\appdata\roaming\mjusbsp\magicjack.exe" = protocol=6 | dir=in | app=c:\users\rick\appdata\roaming\mjusbsp\magicjack.exe |
"TCP Query User{C926CE6E-1C66-4497-B8C5-882B6C44ACB7}C:\users\rick\appdata\roaming\mjusbsp\magicjack.exe" = protocol=6 | dir=in | app=c:\users\rick\appdata\roaming\mjusbsp\magicjack.exe |
"TCP Query User{C9E093E5-9D68-47E6-9928-0F6A3859F192}C:\program files (x86)\google\google earth\plugin\geplugin.exe" = protocol=6 | dir=in | app=c:\program files (x86)\google\google earth\plugin\geplugin.exe |
"UDP Query User{384C58F6-5539-4A30-AB01-161C90509E40}C:\program files (x86)\google\google earth\plugin\geplugin.exe" = protocol=17 | dir=in | app=c:\program files (x86)\google\google earth\plugin\geplugin.exe |
"UDP Query User{473366B5-FE9E-4626-9269-1B73A9C63C9F}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
"UDP Query User{4C4E2D6A-622B-440B-ABBF-D180296CB483}C:\windows\splwow64.exe" = protocol=17 | dir=in | app=c:\windows\splwow64.exe |
"UDP Query User{5FB8A199-4FFD-4B90-BD82-C7C2EADD5EE2}C:\users\rick\appdata\roaming\mjusbsp\magicjack.exe" = protocol=17 | dir=in | app=c:\users\rick\appdata\roaming\mjusbsp\magicjack.exe |
"UDP Query User{967F4FDD-9B87-4D0E-93A9-82D69C4BE168}C:\users\rick\appdata\roaming\mjusbsp\magicjack.exe" = protocol=17 | dir=in | app=c:\users\rick\appdata\roaming\mjusbsp\magicjack.exe |
"UDP Query User{C0BFC35C-5CCF-44C1-8DE3-39CBBBC52428}C:\windows\system32\migwiz\migwiz.exe" = protocol=17 | dir=in | app=c:\windows\system32\migwiz\migwiz.exe |
"UDP Query User{C69CD58F-44DC-4485-BEF6-6D2A476FDE89}C:\users\rick\appdata\local\google\chrome\application\chrome.exe" = protocol=17 | dir=in | app=c:\users\rick\appdata\local\google\chrome\application\chrome.exe |
"UDP Query User{C818293D-E426-4748-8EDE-02071D3A61DC}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |
"UDP Query User{CBC84AA6-6449-4D47-9590-AA680BBFC34B}C:\program files (x86)\vuze\azureus64.exe" = protocol=17 | dir=in | app=c:\program files (x86)\vuze\azureus64.exe |
"UDP Query User{EA22C123-F39E-4D30-A34F-356BD85EF515}C:\program files (x86)\vuze\azureus.exe" = protocol=17 | dir=in | app=c:\program files (x86)\vuze\azureus.exe |
"UDP Query User{F04A021F-F92D-4C1C-B0E4-A9D19D859145}C:\program files (x86)\limewire\limewire.exe" = protocol=17 | dir=in | app=c:\program files (x86)\limewire\limewire.exe |
"UDP Query User{F0C8CCFF-19DB-446F-A03C-793C3F6FD1E7}C:\program files (x86)\gametap web player\bin\release\gametapplayer.exe" = protocol=17 | dir=in | app=c:\program files (x86)\gametap web player\bin\release\gametapplayer.exe |
"UDP Query User{F4E2DBA7-D942-4BC8-BAB1-265AF1219AA8}C:\users\rick\appdata\local\temp\rarsfx0\setup_wizard.exe" = protocol=17 | dir=in | app=c:\users\rick\appdata\local\temp\rarsfx0\setup_wizard.exe |
"UDP Query User{FFA50ACB-C318-434A-8221-77E91515EDF2}C:\program files (x86)\google\google earth\client\googleearth.exe" = protocol=17 | dir=in | app=c:\program files (x86)\google\google earth\client\googleearth.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{027E5FAB-1476-4C59-AAB4-32EF28520399}" = Windows Live Language Selector
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{1ACC8FFB-9D84-4C05-A4DE-D28A9BC91698}" = Windows Live ID Sign-in Assistant
"{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
"{21B133D6-5979-47F0-BE1C-F6A6B304693F}" = Visual Studio 2010 x64 Redistributables
"{2F72F540-1F60-4266-9506-952B21D6640D}" = Apple Mobile Device Support
"{34F43E2A-9462-133B-068F-B6D9015616EB}" = ATI AVIVO64 Codecs
"{427174C0-096E-40D9-9684-9C109BEE2CBF}" = iTunes
"{46035FCA-633D-8E15-24EE-B6E5359B0AE2}" = ccc-utility64
"{563F041C-DFDB-437B-A1E8-E141E0906076}" = Microsoft IntelliPoint 8.0
"{6965A8D2-465D-4F98-9FAA-0E9E2348F329}" = Microsoft LifeCam
"{6ACE7F46-FACE-4125-AE86-672F4F2A6A28}" = Bing Maps 3D
"{6B559E62-24D2-D29C-2C02-26B671BDA8A1}" = ATI Catalyst Install Manager
"{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9C5A08BF-BB99-4998-81BD-F6CC32483B34}" = Microsoft Corporation
"{aac9fcc4-dd9e-4add-901c-b5496a07ab2e}" = Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175
"{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{B143BE44-8723-315E-9413-011C55873C0E}" = Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
"{BE930E38-7BB3-45B6-85B2-5251F374F844}" = 64 Bit HP CIO Components Installer
"{D2DB454C-645C-448A-A0B9-B6F6C1D75BA8}" = Garmin Communicator Plugin x64
"{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Visual Studio 2010 Tools for Office Runtime (x64)" = Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
"NVIDIA Drivers" = NVIDIA Drivers
"WinRAR archiver" = WinRAR archiver

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{071FC582-37F8-8726-C70A-0B3EBEE11B57}" = Catalyst Control Center Graphics Previews Vista
"{08C8666B-C502-4AB3-B4CB-D74AC42D14FE}" = Nero BackItUp 10 Help (CHM)
"{08F32589-5E39-42B8-8BC5-6A8126ED2A70}" = Microsoft Visual C++ 2008 Redistributable Package
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{10CE1EA2-12E9-11D3-825E-00C04F6843FE}" = Microsoft Office Sounds
"{12118183-866A-11D3-97DF-0000F8D8F2E9}" = Symantec pcAnywhere
"{129F4B4F-968D-3843-93A0-A0C5DB613584}" = CCC Help German
"{12CAA28E-56CA-4C3D-B3F2-7311540DD410}" = TurboTax 2011
"{16987E99-C95C-4513-9239-7B44A0A71DB5}" = Nero SoundTrax 10 Help (CHM)
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{1F7FB68F-52F6-46A3-B42F-38CE46295AE5}" = Nero MediaHub 10
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{20643D71-C655-C070-47AD-24F291B3E1E8}" = Catalyst Control Center Core Implementation
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{237CCB62-8454-43E3-B158-3ACD0134852E}" = High-Definition Video Playback 10
"{2436F2A8-4B7E-4B6C-AE4E-604C84AA6A4F}" = Nero Core Components 10
"{24AE6B5B-3D5A-488C-9224-1BEE11F75DD9}" = TurboTax 2010
"{277C1559-4CF7-44FF-8D07-98AA9C13AABD}" = Nero Multimedia Suite 10
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{29F6BF0C-3D0E-4480-8B55-85EDECE418FF}" = BlackBerry Device Software Updater
"{2A3FC24C-6EC0-4519-A52B-FDA4EA9B2D24}" = Windows Live Messenger
"{2C73EAA3-3B76-2145-D3F8-0A8AF4DCB5C1}" = CCC Help Turkish
"{2CEDEB33-4931-48B1-8010-20618772B58E}" = Sage Simply Accounting 2012
"{2F6DE91F-47B3-0824-D007-F9EDFA055E7C}" = CCC Help Finnish
"{2FDBBCEA-62DB-45F4-B6E5-0E1FB2A1F29D}" = Visual C++ 8.0 Runtime Setup Package (x64)
"{30075A70-B5D2-440B-AFA3-FB2021740121}" = Backup Manager Advance
"{31a12940-e5c8-4d27-a6ac-005212152f1f}" = Garmin Express
"{329411A0-19F3-4740-874F-17400B126F27}" = Nero Vision 10 Help (CHM)
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{33643918-7957-4839-92C7-EA96CB621A98}" = Nero Express 10 Help (CHM)
"{34490F4E-48D0-492E-8249-B48BECF0537C}" = Nero DiscSpeed 10
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{34F93E31-E1A0-421C-8E86-BCF7C4193A91}" = LogMeIn
"{369FA236-890F-4490-B607-092BC17E10CD}" = Elevated Installer
"{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = JMicron JMB36X Driver
"{3C6920EF-0089-3A24-9F9D-9A346AB2813F}" = Catalyst Control Center Graphics Full Existing
"{3D08333C-C366-425D-8C2D-D05630D68A46}" = SlingPlayer
"{3D3407EE-CD37-BFCD-FD15-14A24C35B41E}" = CCC Help Swedish
"{417F3E7E-C754-4707-BF5B-94750B83D58A}" = Garmin Express Tray
"{42B9D779-CF1F-478D-A393-950CE0E48177}" = Garmin Update Service
"{42DB6E8E-29B1-E677-7D91-517D63F3A5F0}" = Westway Report Generator
"{4713E6B1-9270-5824-CD46-68EAE904F899}" = CCC Help Japanese
"{4D43D635-6FDA-4fa5-AA9B-23CF73D058EA}" = Nero StartSmart OEM
"{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}" = Skype™ 6.3
"{4F61136C-2A4D-4064-71AF-CF0C9DE552C3}" = CCC Help Chinese Standard
"{4FA47485-D671-D6BB-66CD-536598C460E8}" = Catalyst Control Center Localization All
"{523B2B1B-D8DB-4B41-90FF-C4D799E2758A}" = Nero ControlCenter 10 Help (CHM)
"{52D160F1-0E2C-4AC1-9EF9-8ABE1CAF2F8D}" = Sage 50 Accounting 2013
"{52FD2375-841C-0551-0E2C-6DA65F73FB09}" = CCC Help Dutch
"{53AB83B3-9908-44DF-97B5-C107140F26AD}" = Sage Simply Accounting 2011
"{555868C6-49FB-484F-BB43-8980651A1B00}" = Nero BurnRights 10 Help (CHM)
"{55A41219-9B22-4098-BAE7-AE289B3C569A}_is1" = Panda USB Vaccine 1.0.1.4
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{57046DA6-882F-9A3F-CD74-5357AC9694B8}" = CCC Help Czech
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{5BB74B26-8320-4846-951F-84CFFAD671C6}" = Simply Accounting by Sage 2010
"{5C6F884D-680C-448B-B4C9-22296EE1B206}" = Logitech Harmony Remote Software 7
"{5D09C772-ECB3-442B-9CC6-B4341C78FDC2}" = Apple Application Support
"{5D1BCDDC-A969-2474-A777-4C52079C3778}" = CCC Help French
"{5EBD2FC6-FFB9-550B-7EB5-3848E062B4B2}" = CCC Help English
"{63AA3EAB-23BB-48B2-9AD0-44F878075604}" = Nero 10 Menu TemplatePack Basic
"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel(R) Management Engine Components
"{658AB1BF-9A07-4AAD-B6BB-7CADD2307C75}" = Garmin Express
"{65BB0407-4CC8-4DC7-952E-3EEFDF05602A}" = Nero Update
"{66049135-9659-4AAD-9169-9CCA269EBB3E}" = Nero InfoTool 10 Help (CHM)
"{67E03279-F703-408F-B4BF-46B5FC8D70CD}" = Microsoft Works
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{68AB6930-5BFF-4FF6-923B-516A91984FE6}" = Nero BackItUp 10
"{6A85286D-BA0F-4318-8C30-AD74A33AAD36}" = MySQL Connector/ODBC 3.51
"{6DFB899F-17A2-48F0-A533-ED8D6866CF38}" = Nero Control Center 10
"{70550193-1C22-445C-8FA4-564E155DB1A7}" = Nero Express 10
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{726DDC29-79B3-41B4-BDBF-97DF25BF1EA8}" = TurboTax 2012
"{758C8301-2696-4855-AF45-534B1200980A}" = Samsung Kies
"{75EF2300-2DA4-60E8-CFAC-04A8081322BE}" = CCC Help Hungarian
"{77277800-4738-946C-B360-19259007E99F}" = CCC Help Chinese Traditional
"{7A295D8F-484B-4FFB-89AB-C1FD497591FE}" = Nero WaveEditor 10 Help (CHM)
"{7A5D731D-B4B3-490E-B339-75685712BAAB}" = Nero Burning ROM 10
"{7F811A54-5A09-4579-90E1-C93498E230D9}" = Gateway Recovery Management
"{7F938BCD-7CC9-7949-DE47-F06CF95741B1}" = CCC Help Portuguese
"{80F19EAA-44C4-47C2-AE87-1C7628E858D6}" = Logitech Harmony Remote Software 7
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{8471021C-F529-43DE-84DF-3612E10F58C4}" = Remote Control USB Driver
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{87BB78C4-F36D-4D93-A7C7-F80F18219848}" = AMD DnD V1.0.19
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{8ECEC853-5C3D-4B10-B5C7-FF11FF724807}" = Nero Recode 10
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-00D1-0409-0000-0000000FF1CE}" = Microsoft Office Access database engine 2007 (English)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{92E25238-61A3-4ACD-A407-3C480EEF47A7}" = Nero RescueAgent 10 Help (CHM)
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{935B9BF4-8006-BC16-B193-F6C13B83F6B2}" = CCC Help Danish
"{943CFD7D-5336-47AF-9418-E02473A5A517}" = Nero BurnRights 10
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{96AD3B61-EAE2-11E2-9E72-B8AC6F98CCE3}" = Google Earth
"{978B28B9-2ED2-C511-5D4C-D72A7D4AEF3E}" = CCC Help Polish
"{9882AE13-E333-3118-45F8-EEDA43BCF63B}" = CCC Help Norwegian
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A4297F3-2A51-4ED9-92CA-4BCB8380947E}" = Nero Vision 10
"{9B6B24BE-80E7-46C4-9FA5-B167D5E0F345}" = Nero BurningROM 10 Help (CHM)
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{A0087DDE-69D0-11E2-AD57-43CA6188709B}" = Adobe AIR
"{A07D7AF9-BA12-D49D-9771-A102A4D5BD13}" = Catalyst Control Center InstallProxy
"{A6D42D59-7188-3DE9-8572-3F83165FBB6C}" = CCC Help Russian
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.8)
"{ACB583B7-8900-DBA7-CB86-789D1755C77E}" = CCC Help Greek
"{B1ADF008-E898-4FE2-8A1F-690D9A06ACAF}" = DolbyFiles
"{B2EC4A38-B545-4A00-8214-13FE0E915E6D}" = Advertising Center
"{B3BC9DB1-0B0A-48B0-B86B-EA77CAA7F800}" = Microsoft Corporation
"{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1" = Spybot - Search & Destroy
"{B67BAFBA-4C9F-48FA-9496-933E3B255044}" = QuickTime
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{B7060593-A94C-96E2-115A-11EAA79AEAF8}" = CCC Help Spanish
"{B789926B-4CB9-2345-075B-1BEE87C53A71}" = CCC Help Italian
"{B92C5909-1D37-4C51-8397-A28BB28E5DC3}" = Facebook Video Calling 1.2.0.287
"{BD5CA0DA-71AD-43DA-B19E-6EEE0C9ADC9A}" = Nero ControlCenter
"{BE5B0450-DCCB-4FE9-93E2-3B38D88A745B}" = BlackBerry Desktop Software 7.1
"{C18A0418-442A-4186-AF98-D08F5054A2FC}" = Nero DiscSpeed 10 Help (CHM)
"{C3273C55-E1E4-41FF-8D69-0158090DB8D8}" = Nero CoverDesigner 10 Help (CHM)
"{C3580AC4-C827-4332-B935-9A282ED5BB97}" = Nero Dolby Files 10
"{C6579A65-9CAE-4B31-8B6B-3306E0630A66}" = Apple Software Update
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{C82185E8-C27B-4EF4-2010-1111BC2C2B6D}" = Microsoft MapPoint North America 2010
"{CC407F63-7F0A-D8E0-E4F8-4B36E7E1E577}" = CCC Help Thai
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
"{D1BBB9C9-800C-ADD3-F847-FF5582DCF68F}" = CCC Help Korean
"{D23E10BC-2CE3-A967-385C-446922563356}" = Catalyst Control Center Graphics Light
"{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}" = Microsoft Primary Interoperability Assemblies 2005
"{D27018A4-4227-FAF5-8EFD-E214B21FA143}" = Image Desktop
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DB7C1D4A-08BA-4C7E-A8AA-B7F9BB372DCF}" = Nero Recode 10 Help (CHM)
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{E0000650-0650-0650-0650-000000000650}" = PureEdge Viewer 6.5
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E1EE5339-5D32-458F-BAAB-B19F6301BCE2}" = Nero SoundTrax 10
"{E337E787-CF61-4B7B-B84F-509202A54023}" = Nero RescueAgent 10
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger
"{E883466C-77EC-44AC-8EC8-417A4A16AB3F}" = Garmin Communicator Plugin
"{E8A80433-302B-4FF1-815D-FCC8EAC482FF}" = Nero Installer
"{EAF6BE5A-8587-045A-4753-2D273007FDDD}" = Catalyst Control Center Graphics Full New
"{ECB9C58E-C565-4683-9599-B72290BD3B25}" = QuickTax 2009
"{EDCDFAD5-DF80-4600-A493-E9DAD6810230}" = Nero WaveEditor 10
"{EE10D76C-39B7-40A8-A24C-1BEEACBED160}" = Catalyst Control Center - Branding
"{EE171732-BEB4-4576-887D-CB62727F01CA}" = Gateway Updater
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F412B4AF-388C-4FF5-9B2F-33DB1C536953}" = Nero InfoTool 10
"{F467862A-D9CA-47ED-8D81-B4B3C9399272}" = Nero MediaHub 10 Help (CHM)
"{F5CB822F-B365-43D1-BCC0-4FDA1A2017A7}" = Nero 10 Movie ThemePack Basic
"{F6117F9C-ADB5-4590-9BE4-12C7BEC28702}" = Nero StartSmart 10 Help (CHM)
"{F61D489E-6C44-49AC-AD02-7DA8ACA73A65}" = Nero StartSmart 10
"{FCDBEA60-79F0-4FAE-BBA8-55A26C609A49}" = Visual Studio 2008 x64 Redistributables
"{FCF00A6E-FB58-477A-ABE9-232907105521}" = Nero CoverDesigner 10
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"{FFD412C4-7E27-9167-1C5D-E40803B7AEC7}" = ccc-core-static
"Adobe AIR" = Adobe AIR
"Adobe Digital Editions 2.0" = Adobe Digital Editions 2.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"avast" = avast! Free Antivirus
"AviSynth" = AviSynth 2.5
"BlackBerry_Desktop" = BlackBerry Desktop Software 7.1
"DVD Shrink_is1" = DVD Shrink 3.2
"DVDFab 7_is1" = DVDFab 7.0.3.0 (26/03/2010)
"ERUNT_is1" = ERUNT 1.1j
"ESET Online Scanner" = ESET Online Scanner v3
"Gateway InfoCentre" = Gateway InfoCentre
"Gateway Photo Frame" = Gateway Photo Frame 4.2.3.10
"Gateway Registration" = Gateway Registration
"Gateway Screensaver" = Gateway ScreenSaver
"Gateway Welcome Center" = Welcome Center
"Google Desktop" = Google Desktop
"Identity Card" = Identity Card
"ImageDesktop.70A796F90E3A41D1B0A2F1D200C8BD1EF0788CF6.1" = Image Desktop
"ImgBurn" = ImgBurn
"InstallShield_{2CEDEB33-4931-48B1-8010-20618772B58E}" = Sage Simply Accounting 2012
"InstallShield_{30075A70-B5D2-440B-AFA3-FB2021740121}" = Gateway MyBackup
"InstallShield_{3D08333C-C366-425D-8C2D-D05630D68A46}" = SlingPlayer
"InstallShield_{52D160F1-0E2C-4AC1-9EF9-8ABE1CAF2F8D}" = Sage 50 Accounting 2013
"InstallShield_{53AB83B3-9908-44DF-97B5-C107140F26AD}" = Sage Simply Accounting 2011
"InstallShield_{5BB74B26-8320-4846-951F-84CFFAD671C6}" = Simply Accounting by Sage 2010
"InstallShield_{758C8301-2696-4855-AF45-534B1200980A}" = Samsung Kies
"IrfanView" = IrfanView (remove only)
"IsoBuster_is1" = IsoBuster 2.8
"Kingsoft Office" = Kingsoft Office 2013 (9.1.0.4246)
"Kobo" = Kobo
"LiveReg" = LiveReg (Symantec Corporation)
"LiveUpdate" = LiveUpdate 3.2 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Mozilla Firefox 23.0.1 (x86 en-US)" = Mozilla Firefox 23.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"PrimoPDF" = PrimoPDF -- brought to you by Nitro PDF Software
"T4 Internet - T4 par Internet 11.0" = T4 Internet - T4 par Internet 11.0
"Videora iPod classic Converter" = Videora iPod classic Converter 5.04
"VLC media player" = VLC media player 2.0.4
"Westway-Report-Generator" = Westway Report Generator
"WildTangent gateway Master Uninstall" = Gateway Games
"WinLiveSuite" = Windows Live Essentials
"YouTube Downloader App" = YouTube Downloader App 2.03

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1206012796-1689309657-3446792677-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"magicJack" = magicJack
"MyFreeCodec" = MyFreeCodec
"WeatherEye" = WeatherEye

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 18/09/2013 10:39:31 PM | Computer Name = Rick-PC | Source = Application Error | ID = 1000
Description = Faulting application name: IEXPLORE.EXE, version: 10.0.9200.16686,
time stamp: 0x52058cf0 Faulting module name: ntdll.dll, version: 6.1.7601.18229,
time stamp: 0x51fb1072 Exception code: 0xc00000fd Fault offset: 0x0002e04e Faulting
process id: 0xf7c Faulting application start time: 0x01ceb4e176d480ea Faulting application
path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE Faulting module path:
C:\Windows\SysWOW64\ntdll.dll Report Id: b59fd616-20d4-11e3-be08-90fba646c2ee

Error - 18/09/2013 10:39:43 PM | Computer Name = Rick-PC | Source = Application Error | ID = 1000
Description = Faulting application name: IEXPLORE.EXE, version: 10.0.9200.16686,
time stamp: 0x52058cf0 Faulting module name: ntdll.dll, version: 6.1.7601.18229,
time stamp: 0x51fb1072 Exception code: 0xc00000fd Fault offset: 0x0002e26b Faulting
process id: 0x1a78 Faulting application start time: 0x01ceb4e17df8002d Faulting application
path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE Faulting module path:
C:\Windows\SysWOW64\ntdll.dll Report Id: bcbceca1-20d4-11e3-be08-90fba646c2ee

Error - 18/09/2013 10:39:46 PM | Computer Name = Rick-PC | Source = Application Error | ID = 1000
Description = Faulting application name: IEXPLORE.EXE, version: 10.0.9200.16686,
time stamp: 0x52058cf0 Faulting module name: ntdll.dll, version: 6.1.7601.18229,
time stamp: 0x51fb1072 Exception code: 0xc00000fd Fault offset: 0x0002e04e Faulting
process id: 0x720 Faulting application start time: 0x01ceb4e17ff27807 Faulting application
path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE Faulting module path:
C:\Windows\SysWOW64\ntdll.dll Report Id: beb20d37-20d4-11e3-be08-90fba646c2ee

Error - 18/09/2013 10:39:49 PM | Computer Name = Rick-PC | Source = Application Error | ID = 1000
Description = Faulting application name: IEXPLORE.EXE, version: 10.0.9200.16686,
time stamp: 0x52058cf0 Faulting module name: ntdll.dll, version: 6.1.7601.18229,
time stamp: 0x51fb1072 Exception code: 0xc00000fd Fault offset: 0x0002e04e Faulting
process id: 0xa88 Faulting application start time: 0x01ceb4e181cdcead Faulting application
path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE Faulting module path:
C:\Windows\SysWOW64\ntdll.dll Report Id: c0909839-20d4-11e3-be08-90fba646c2ee

Error - 18/09/2013 10:39:56 PM | Computer Name = Rick-PC | Source = Application Error | ID = 1000
Description = Faulting application name: IEXPLORE.EXE, version: 10.0.9200.16686,
time stamp: 0x52058cf0 Faulting module name: ntdll.dll, version: 6.1.7601.18229,
time stamp: 0x51fb1072 Exception code: 0xc00000fd Fault offset: 0x0003a74b Faulting
process id: 0x1838 Faulting application start time: 0x01ceb4e185b6d755 Faulting application
path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE Faulting module path:
C:\Windows\SysWOW64\ntdll.dll Report Id: c47952c0-20d4-11e3-be08-90fba646c2ee

Error - 18/09/2013 10:40:02 PM | Computer Name = Rick-PC | Source = Application Error | ID = 1000
Description = Faulting application name: IEXPLORE.EXE, version: 10.0.9200.16686,
time stamp: 0x52058cf0 Faulting module name: ntdll.dll, version: 6.1.7601.18229,
time stamp: 0x51fb1072 Exception code: 0xc00000fd Fault offset: 0x0003a74b Faulting
process id: 0xa88 Faulting application start time: 0x01ceb4e1893758a6 Faulting application
path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE Faulting module path:
C:\Windows\SysWOW64\ntdll.dll Report Id: c7fc1e09-20d4-11e3-be08-90fba646c2ee

Error - 18/09/2013 10:40:05 PM | Computer Name = Rick-PC | Source = Application Error | ID = 1000
Description = Faulting application name: IEXPLORE.EXE, version: 10.0.9200.16686,
time stamp: 0x52058cf0 Faulting module name: ntdll.dll, version: 6.1.7601.18229,
time stamp: 0x51fb1072 Exception code: 0xc00000fd Fault offset: 0x0003a74b Faulting
process id: 0xec4 Faulting application start time: 0x01ceb4e18b3049da Faulting application
path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE Faulting module path:
C:\Windows\SysWOW64\ntdll.dll Report Id: c9f0f07e-20d4-11e3-be08-90fba646c2ee

Error - 18/09/2013 10:40:21 PM | Computer Name = Rick-PC | Source = Application Error | ID = 1000
Description = Faulting application name: IEXPLORE.EXE, version: 10.0.9200.16686,
time stamp: 0x52058cf0 Faulting module name: ntdll.dll, version: 6.1.7601.18229,
time stamp: 0x51fb1072 Exception code: 0xc00000fd Fault offset: 0x0003a74b Faulting
process id: 0xd60 Faulting application start time: 0x01ceb4e194fa61fc Faulting application
path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE Faulting module path:
C:\Windows\SysWOW64\ntdll.dll Report Id: d3bc1a14-20d4-11e3-be08-90fba646c2ee

Error - 19/09/2013 12:45:35 AM | Computer Name = Rick-PC | Source = SideBySide | ID = 16842827
Description = Activation context generation failed for "C:\Program Files (x86)\Skype\Toolbars\Internet
Explorer\SkypeIEPluginBroker.exe".Error in manifest or policy file "C:\Program
Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPluginBroker.exe" on line 2.
Multiple
requestedPrivileges elements are not allowed in manifest.

Error - 19/09/2013 12:47:23 AM | Computer Name = Rick-PC | Source = SideBySide | ID = 16842832
Description = Activation context generation failed for "c:\program files (x86)\ESET\eset
online scanner\ESETSmartInstaller.exe".Error in manifest or policy file "" on line
. A component version required by the application conflicts with another component
version already active. Conflicting components are:. Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component
2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

[ System Events ]
Error - 16/09/2013 10:31:34 PM | Computer Name = Rick-PC | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D
2 Scanner Service service to connect.

Error - 16/09/2013 10:31:34 PM | Computer Name = Rick-PC | Source = Service Control Manager | ID = 7000
Description = The Spybot-S&D 2 Scanner Service service failed to start due to the
following error: %%1053

Error - 17/09/2013 9:22:19 PM | Computer Name = Rick-PC | Source = Service Control Manager | ID = 7006
Description = The ScRegSetValueExW call failed for FailureActions with the following
error: %%5

Error - 17/09/2013 9:25:19 PM | Computer Name = Rick-PC | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D
2 Scanner Service service to connect.

Error - 17/09/2013 9:25:19 PM | Computer Name = Rick-PC | Source = Service Control Manager | ID = 7000
Description = The Spybot-S&D 2 Scanner Service service failed to start due to the
following error: %%1053

Error - 17/09/2013 9:25:57 PM | Computer Name = Rick-PC | Source = DCOM | ID = 10016
Description =

Error - 17/09/2013 9:26:02 PM | Computer Name = Rick-PC | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D
2 Updating Service service to connect.

Error - 17/09/2013 9:26:02 PM | Computer Name = Rick-PC | Source = Service Control Manager | ID = 7000
Description = The Spybot-S&D 2 Updating Service service failed to start due to the
following error: %%1053

Error - 17/09/2013 9:27:26 PM | Computer Name = Rick-PC | Source = Service Control Manager | ID = 7022
Description = The Internet Connection Sharing (ICS) service hung on starting.

Error - 18/09/2013 10:16:39 PM | Computer Name = Rick-PC | Source = DCOM | ID = 10016
Description =


< End of report >

:thanks:

Dakeyras
2013-09-20, 15:46
Hi. :)


The computer seems to be running fine. No signs of viral activity.
Good.


Tried to paste OTL.txt but it's too large. Please find it attached
Not a problem.

Next:

Uninstall the following as they are leftovers from prior Symantec software...

Now please go to Start (Windows 7 Orb) >> Control Panel >> Uninstall a program or Programs and Features and remove the following (if present):

LiveReg
LiveUpdate

To do so click once on each of the above in turn to highlight, then click on Uninstall/Change and follow the prompts.

Note: If any of the above will not uninstall, merely proceed to the below Custom OTL Script, as I have included them as an extra precaution in case such an event does occur.

Custom OTL Script:


Right-click OTL.exe and select Run as Administrator to start the program.
Copy the lines from the code-box to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


:Commands
[CreateRestorePoint]

:Services
awhost32
LiveUpdate

:OTL
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.25.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O15 - HKU\S-1-5-21-1206012796-1689309657-3446792677-1000\..Trusted Domains: airmilesshops.ca ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-1206012796-1689309657-3446792677-1000\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-1206012796-1689309657-3446792677-1000\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/4.0.3.0/GarminAxControl_32.CAB (Reg Error: Key error.)

:Files
ipconfig /flushdns /c
C:\Program Files (x86)\Java
C:\Program Files (x86)\Symantec
C:\Users\Rick\AppData\Roaming\inst.exe
C:\Windows\SysWOW64\npDeployJava1.dll
netsh advfirewall reset /c
netsh advfirewall set allprofiles state on /c

:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveReg]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveUpdate]
[HKEY_USERS\S-1-5-21-1206012796-1689309657-3446792677-1000\Software\Microsoft\Windows\CurrentVersion\Run\Software\Microsoft\Windows\CurrentVersion\Run]
"Spybot-S&D Cleaning"=-

:Commands
[EmptyTemp]

Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
Then click the red Run Fix button.
Let the program run unhindered.
If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.

Note: The log file can also be located C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.

Malwarebytes Anti-Malware:

I deem it prudent to check for updates and run another scan to err on the side of caution, taking into account the malware we have been dealing with.

Note: Remember to right click the executable for MBAM and select Run As Administrator.


Launch the application, Check for Updates >> Perform quick scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Next:

When you have completed the above, please post back the following in the order asked for:


OTL Log from the Custom Script.
Malwarebytes Anti-Malware Log.

Lexi321
2013-09-21, 18:52
Hello,

I removed LiveUpdate, however when attempting to remove LiveReg, I received the error that it could not be removed because I still had active Symantec products (PCAW). I need to keep PCanywhere installed, as I use it as a last resource to connect to remote PCs, therefore I didn't remove it or LiveReg using your script, hence I didn't run OTL. Please advise if running the script will leave PCAW intact, then I'll proceed. Otherwise, everything looks fine, Avast scans are clean as is the MBAM scan.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.21.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16686
Rick :: RICK-PC [administrator]

21/09/2013 11:43:35 AM
mbam-log-2013-09-21 (11-43-35).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 311926
Time elapsed: 5 minute(s), 33 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

:thanks:

Dakeyras
2013-09-21, 21:59
Hi. :)

Not a problem what you mentioned, merely run this modified custom script below please:


:Commands
[CreateRestorePoint]

:OTL
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.25.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O15 - HKU\S-1-5-21-1206012796-1689309657-3446792677-1000\..Trusted Domains: airmilesshops.ca ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-1206012796-1689309657-3446792677-1000\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-1206012796-1689309657-3446792677-1000\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/...Control_32.CAB (Reg Error: Key error.)

:Files
ipconfig /flushdns /c
C:\Program Files (x86)\Java
C:\Users\Rick\AppData\Roaming\inst.exe
C:\Windows\SysWOW64\npDeployJava1.dll
netsh advfirewall reset /c
netsh advfirewall set allprofiles state on /c

:Reg
[HKEY_USERS\S-1-5-21-1206012796-1689309657-3446792677-1000\Software\Microsoft\Windows\CurrentVersion\Run\Software\Microsoft\Windows\CurrentVersion\Run]
"Spybot-S&D Cleaning"=-

Next:

Let's check/update some software as follows, shall we...


Download and install FileHippo Update Checker from here (http://www.filehippo.com/updatechecker/).
Once installed (during the installation process deselect the option:- Run at Startup) >> Start(Windows 7 Orb) >> All Programs >> right-click on Update Checker and select Run as Administrator >> a browser window will open after the scan is complete.
Download any updates detected (apart from beta updates) to the desktop >> uninstall anything that requires updating via Uninstall a program or Programs and Features in the Control Panel.
Re-install the updated software, delete the installers and then empty the Recycle Bin.

Note: When I give the all clear my advice would be to consider keeping FileHippo Update Checker installed. Then periodically use it to check for any updates as having certain software outdated is a potential for malware to gain a foothold and exploit a system etc.

Next:

Attach your external Hard-Drive >> right-click on the drive's icon (found via Start(Windows 7 Orb) >> Computer) and select Scan with Malwarebytes Anti-Malware

Perform the same again but this time scan with avast! Free Antivirus

Note: Check for updates with both of the above security applications prior to scanning.

Next:

Let myself know when completed the above, post the OTL Log from the Custom Script. Also inform myself if any further issues remaining, thank you.

Lexi321
2013-09-23, 00:46
Hello,

Everything seems to be running well except for a problem I have installing a new printer. I don't think this has anything to do with this computer, as I can't get it to work with any of my computers. Brother support was also unable to help me. At any rate, I believe the virus situation has been resolved (from what I can tell). Here is the OTL log, and once again :thanks:

========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@java.com/DTPlugin,version=10.25.2\ deleted successfully.
C:\Windows\SysWOW64\npDeployJava1.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry key HKEY_USERS\S-1-5-21-1206012796-1689309657-3446792677-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\airmilesshops.ca\www\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-1206012796-1689309657-3446792677-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\localhost\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1206012796-1689309657-3446792677-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\GD\\http deleted successfully.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Starting removal of ActiveX control Garmin Communicator Plug-In
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Garmin Communicator Plug-In\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Rick\Desktop\Virus Utils\cmd.bat deleted successfully.
C:\Users\Rick\Desktop\Virus Utils\cmd.txt deleted successfully.
C:\Program Files (x86)\Java\jre7\lib\ext folder moved successfully.
C:\Program Files (x86)\Java\jre7\lib folder moved successfully.
C:\Program Files (x86)\Java\jre7 folder moved successfully.
C:\Program Files (x86)\Java folder moved successfully.
C:\Users\Rick\AppData\Roaming\inst.exe moved successfully.
File\Folder C:\Windows\SysWOW64\npDeployJava1.dll not found.
< netsh advfirewall reset /c >
Ok.
C:\Users\Rick\Desktop\Virus Utils\cmd.bat deleted successfully.
C:\Users\Rick\Desktop\Virus Utils\cmd.txt deleted successfully.
< netsh advfirewall set allprofiles state on /c >
Ok.
C:\Users\Rick\Desktop\Virus Utils\cmd.bat deleted successfully.
C:\Users\Rick\Desktop\Virus Utils\cmd.txt deleted successfully.
========== REGISTRY ==========
Registry key HKEY_USERS\S-1-5-21-1206012796-1689309657-3446792677-1000\Software\Microsoft\Windows\CurrentVersion\Run\Software\Microsoft\Windows\CurrentVersion\Run not found.

OTL by OldTimer - Version 3.2.69.0 log created on 09222013_172557

Dakeyras
2013-09-23, 12:07
Hi. :)


a problem I have installing a new printer. I don't think this has anything to do with this computer, as I can't get it to work with any of my computers. Brother support was also unable to help me

Hmmm, as a rule Windows 7 is quite good at installing Printers without any third party software, if all you wish to do is print off, say, documents and not use any of the printer's more advanced features like scanning for example. So you could try uninstalling any printer related software, then re-connect the printer and it should be auto-detected, and then check if a Test Page can be printed. If there are still problems my best advice would be to seek further assistance in either of the below forums...

Geeks to Go - Hardware, Components and Peripherals (http://www.geekstogo.com/forum/forum/9-hardware-components-and-peripherals/)

Or:

What the tech - General Hardware (http://forums.whatthetech.com/index.php?showforum=126)

I am a member of both of the above and they have excellent IT Tech Support staff.

Next:

Congratulations your computer appears to be malware free!

Disclaimer: Given the nature of the infections that were present on the machine, I give no guarantees about the security of this computer and have to the best of my abilities tried to both identify and eradicate all malware.

Now I have some tasks for your good self to carry out as part of a clean up process and some advice about online safety.

Importance of Regular System Maintenance:

I advise you read both of the below listed topics as this will go a long way to keeping your Computer performing well.

Help! My computer is slow! (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html)

Also, so is this:

What to do if your Computer is running slowly (http://www.malwareremoval.com/tutorials/runningslowly.php)

AdwCleaner Uninstall:


Right-click on AdwCleaner.exe and select Run as Administrator to start the program
Click on Uninstall >> Yes, this will remove the application and its log(s) etc.

ComboFix Uninstall :


Click on Start(Windows 7 Orb) >> Run...(or depress both the Windows key and R together to launch the run box)
Now type in ComboFix /Uninstall into the run box and click OK.
Note the space between the X and the /Uninstall, it needs to be there.
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/CF-Uninstall.png

Clean up with OTL:


Right-click OTL and select Run as Administrator to start the program.
Close all other programs apart from OTL as this step will require a reboot.
On the OTL main screen, depress the CleanUp button.
Say Yes to the prompt and then allow the program to reboot your computer.

The above process should clean up and remove the vast majority of scanners used and logs created etc.

Any left over merely delete yourself and empty the Recycle Bin.

Reset the System Restore points:

Create a new, clean System Restore point:-


Right click on Computer and select Properties >> System protection >> Create....
Give this restore point a descriptive name and click Create.
When the new restore point is created click on OK >> close the System Properties window.

Note: Do not clear infected/old System Restore points before creating a new System Restore point first!

Flush Old System Restore points:-


Click on Start(Windows 7 Orb) >> All Programs >> Accessories >> System Tools >> right-click on Disk Cleanup and select Run as Administrator.
Select the system drive, C >> OK.
Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
Click on Clean up system files >> Select the system drive, C >> OK.
Now click on the More Options tab.
Under:-
System Restore and Shadow Copies
Click on Clean up... >> Delete >> OK >> Delete Files.

Now some advice for on-line safety:

The below are worth reading/bookmarking for future reference...

So how did I get infected in the first place? (http://forums.spybot.info/showthread.php?279-So-how-did-I-get-infected-in-the-first-place)

Computer Security - a short guide to staying safer online (http://www.malwareremoval.com/forum/viewtopic.php?f=4&t=54766)

Next:

Any questions? Feel free to ask, if not stay safe!

Lexi321
2013-09-24, 07:14
Hello,

An interesting development. I tried printing from another PC and couldn't, only to find that all the settings to allow access through Windows Firewall had been turned off (file and print sharing for one). I didn't do anything to cause this to happen. Any thoughts?

Dakeyras
2013-09-24, 10:55
Hi. :)


An interesting development. I tried printing from another PC and couldn't, only to find that all the settings to allow access through Windows Firewall had been turned off (file and print sharing for one). I didn't do anything to cause this to happen. Any thoughts?
Do you mean the settings for this machine we have been working on?

If so, part of the prior custom OTL fix reset the Windows 7 Firewall back to default to remove the P2P related entries etc. Anyway, to rectify what you mentioned, follow the advice in the below Microsoft article:-

Enable file and printer sharing (http://windows.microsoft.com/en-gb/windows-vista/enable-file-and-printer-sharing)

Any further questions ?

Lexi321
2013-09-24, 15:40
I also do not have any restore points before September 21 even when "show more restore points" is checked. Also, with the resetting of the firewall, won't all my programs that need to go through the firewall now not work?

Dakeyras
2013-09-24, 15:56
I also do not have any restore points before September 21 even when "show more restore points" is checked.
That is because part of the clean up process in post #25 (Reset the System Restore points) will have purged the older (and infected) ones and created a new safe clean one. This is standard procedure upon completion of a malware removal process.


Also, with the resetting of the firewall, won't all my programs that need to go through the firewall now not work?
No they will work/be granted the appropriate access. :)

Lexi321
2013-09-24, 16:18
That is because part of the clean up process in post #25 (Reset the System Restore points) will have purged the older (and infected) ones and created a new safe clean one. This is standard procedure upon completion of a malware removal process.

I realize that, but I hadn't done that step yet. Would something else have gotten rid of them?

Dakeyras
2013-09-24, 16:25
I see, in that case then the most likely explanation would be that malware purged them, as that is not unheard of. Reason being, if there are no prior SR Points after the infection has gained a foothold, then that is another way to enable it staying on a system etc. :)

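An added example, not part of the thread and not OTL's own code: a PowerShell session for the Windows 7 machine discussed above (run as Administrator) that checks what the "netsh advfirewall reset" line in the custom script left behind, re-enables the File and Printer Sharing rule group on the Private profile only, and lists whatever System Restore points survived, so a purge like the one discussed above is visible straight away. The rule group name assumes an English-language Windows.

```powershell
# Added example (not from the thread): post-cleanup checks for Windows 7, run from an
# elevated PowerShell prompt. netsh is used because the NetSecurity cmdlets
# (Get-NetFirewallRule etc.) only exist on Windows 8 / Server 2012 and later.

# 1. After "netsh advfirewall reset" every profile should report State ON.
netsh advfirewall show allprofiles state

# 2. The reset also returns the rule set to its defaults, which disables the
#    "File and Printer Sharing" exceptions and breaks printing from another PC.
#    Count the rules in that group, then enable them for the Private (home LAN)
#    profile only; leaving them off on Public networks is the safer default.
$group = "File and Printer Sharing"   # English group name; localised on other Windows languages
$rules = netsh advfirewall firewall show rule name=all
$count = ($rules | Select-String -Pattern "^Grouping:\s+$group").Count
"$count firewall rules belong to the group '$group'"
netsh advfirewall firewall set rule group="$group" profile=private new enable=yes

# 3. List the System Restore points that still exist. An empty list on a machine
#    that has been in use for months is worth noting: the thread above records
#    that malware can purge them to stop a roll-back.
$points = Get-ComputerRestorePoint
if (-not $points) {
    Write-Warning "No System Restore points found; create a fresh one before Disk Cleanup."
} else {
    $points |
        Select-Object SequenceNumber, Description,
            @{ Name = "Created"; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
        Format-Table -AutoSize
}
```
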
Dakeyras
2013-09-26, 00:36
Any further questions before I close and archive this topic? :)

Lexi321
2013-09-26, 03:24
No further questions regarding this topic. I do have one final request, and that is if you could recommend a routine of programs to run on my non-infected machines to keep them running well, and get rid of unwanted stuff. The thread can be closed, once again, thank you so much for your time and assistance.

Dakeyras
2013-09-26, 23:48
Hi. :)


thank you so much for your time and assistance.

You're most welcome!

Everything mentioned here (http://www.malwareremoval.com/forum/viewtopic.php?p=557962#p557962) should be of assistance...

--------------

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help