Trojan.pidief and Trojan.maljava (I think!)

View previous topic View next topic Go down

Trojan.pidief and Trojan.maljava (I think!)

Post by thecynic69 on Mon 18 Jun 2012, 5:24 am

Hi all,

I have a pretty bad case of malware on my computer(s). It started on my thinkpad, which is now having hardware issues (the fan died); I assume these hardware issues are unrelated, but fixing that computer is now on hold until I get it back from being serviced (it is still under warranty). Unfortunately, before the fan died, I used my girlfriend's computer (this computer) to scan my drive (I put it in an external enclosure, and plugged it in via USB). In the process of scanning my Thinkpad's drive, it seems my girlfriend's computer has become infected. So now I am trying to fix the mess I made on her computer.

The symptoms are what you would expect. The computer(s) are slowed down. They freeze with great frequency, and programs such as internet browsers malfunction (freeze, randomly close, etc.). While booted in normal mode, things do not seem as nightmarish as they are--anti-virus programs appear to be running just fine. When booted in safe mode, I get the error message that the Security Service is turned off. When I try to turn it on, I get the error message saying it cannot be turned on. Symantec also produces an error when I try to start it: 0x8007043c.

When I scan in normal mode, I find the two trojans named in the topic of this post: trojan.pidief and trojan.maljava. AVG also found a rootkit. Microsoft security essentials finds the trojan.pidief. These tools (what I use to protect our computers, with spybot running in the background) cannot clean the computer--the action always fails.

I think that about describes the problem. Relevant text files from the scans I was told to run in the "Before you post" section will appear in attachments (just found out I have to attach things one at a time, I will copy/paste). I would greatly appreciate any help anyone can give. My own sense is that this is going to end in a reformat, but I'd love to avoid that!

Thanks in advance,
Dennis and Beth

P.S.
I read the bit about uninstalling P2P software after I was instructed to scan. I had since uninstalled limewire and azureus.

thecynic69

Newbie Surfer
Newbie Surfer

Posts : 11
Joined : 2012-06-18
Operating System : Vista

View user profile

Back to top Go down

Re: Trojan.pidief and Trojan.maljava (I think!)

Post by thecynic69 on Mon 18 Jun 2012, 5:25 am

OTL logfile created on: 6/17/2012 1:30:33 PM - Run 1
OTL by OldTimer - Version 3.2.49.0 Folder = C:\Users\Beth\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.93 Gb Total Physical Memory | 2.10 Gb Available Physical Memory | 71.75% Memory free
6.06 Gb Paging File | 5.46 Gb Available in Paging File | 90.11% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 286.45 Gb Total Space | 30.23 Gb Free Space | 10.55% Space Free | Partition Type: NTFS
Drive D: | 11.63 Gb Total Space | 1.81 Gb Free Space | 15.55% Space Free | Partition Type: NTFS
Drive E: | 577.26 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: BETH-PC | User Name: Beth | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/06/17 13:29:54 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Beth\Downloads\OTL.com
PRC - [2012/03/26 17:08:12 | 000,931,200 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2011/11/03 13:06:56 | 001,101,960 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\AWSC.exe
PRC - [2009/10/27 18:15:46 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2009/10/27 18:15:38 | 002,477,304 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/01/20 22:24:02 | 000,498,176 | ---- | M] (Microsoft Corporation) -- C:\Windows\HelpPane.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\Spybot -- (SBSDWSCService)
SRV - File not found [Auto | Stopped] -- C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe /s Norton Internet Security /m C:\Program Files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll /prefetch:1 -- (Norton Internet Security)
SRV - [2012/06/16 16:02:01 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/06/14 09:39:32 | 000,257,224 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/05/24 13:22:27 | 002,152,720 | ---- | M] (Lavasoft Limited) [Auto | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2012/03/26 17:03:40 | 000,214,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2011/07/13 10:00:16 | 000,036,352 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\HMA! Pro VPN\bin\openvpnserv.exe -- (OpenVPNService)
SRV - [2010/09/06 10:43:32 | 000,120,152 | ---- | M] (WeFi) [On_Demand | Stopped] -- C:\Program Files\WeFi\WefiEngSvc.exe -- (WefiEngSvc)
SRV - [2010/08/23 21:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2009/10/27 18:15:46 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2009/10/27 18:15:46 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2009/10/27 18:15:42 | 000,341,320 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2009/10/27 18:15:40 | 001,864,888 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2009/10/27 18:15:38 | 002,477,304 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2009/10/23 13:31:44 | 000,401,920 | ---- | M] (Amazon.com) [Auto | Stopped] -- C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe -- (Amazon Download Agent)
SRV - [2009/10/12 12:33:26 | 000,046,824 | ---- | M] (Xobni Corporation) [Disabled | Stopped] -- C:\Program Files\Xobni\XobniService.exe -- (XobniService)
SRV - [2009/07/13 16:06:15 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2009/06/04 00:43:18 | 000,217,170 | ---- | M] (IDT, Inc.) [Disabled | Stopped] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_827e372d\stacsv.exe -- (STacSV)
SRV - [2008/12/17 20:11:40 | 000,365,952 | ---- | M] () [Auto | Stopped] -- C:\Program Files\SMINST\BLService.exe -- (Recovery Service for Windows)
SRV - [2008/11/26 21:13:08 | 000,296,320 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe -- (TVCapSvc) TV Background Capture Service (TVBCS)
SRV - [2008/11/26 21:13:08 | 000,116,096 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe -- (TVSched) TV Task Scheduler (TVTS)
SRV - [2008/01/20 22:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - [2012/05/30 04:00:00 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/05/30 04:00:00 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/05/16 04:00:00 | 001,589,752 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20120616.009\NAVEX15.SYS -- (NAVEX15)
DRV - [2012/05/16 04:00:00 | 000,087,928 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20120616.009\NAVENG.SYS -- (NAVENG)
DRV - [2012/03/20 20:44:12 | 000,074,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2011/11/03 13:06:56 | 000,064,512 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\System32\drivers\Lbd.sys -- (Lbd)
DRV - [2011/11/03 13:06:56 | 000,015,232 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)
DRV - [2010/08/20 16:08:46 | 000,026,112 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tap0901.sys -- (tap0901)
DRV - [2010/01/19 19:59:44 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot | Stopped] -- C:\Windows\System32\drivers\sptd.sys -- (sptd)
DRV - [2009/12/29 19:49:21 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/10/27 18:15:46 | 000,320,560 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2009/10/27 18:15:46 | 000,281,648 | ---- | M] (Symantec Corporation) [File_System | System | Stopped] -- C:\Windows\System32\drivers\srtsp.sys -- (SRTSP)
DRV - [2009/10/27 18:15:46 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2009/10/27 18:15:32 | 000,188,080 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\symtdi.sys -- (SYMTDI)
DRV - [2009/10/27 18:15:32 | 000,026,416 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\symredrv.sys -- (SYMREDRV)
DRV - [2009/10/27 18:15:30 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2009/10/27 18:15:30 | 000,023,888 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\COH_Mon.sys -- (COH_Mon)
DRV - [2009/09/02 07:09:24 | 000,176,128 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2009/06/04 00:43:18 | 000,407,040 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2008/11/28 22:04:24 | 000,087,536 | ---- | M] (CyberLink Corp.) [2009/12/25 20:44:33] [Kernel | Auto | Stopped] -- C:\Program Files\Hewlett-Packard\Media\DVD\000.fcl -- ({55662437-DA8C-40c0-AADA-2C816A897A49})
DRV - [2008/09/22 01:49:36 | 000,112,128 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel(R)
DRV - [2008/09/04 13:47:00 | 000,054,784 | ---- | M] (ENE TECHNOLOGY INC.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\enecir.sys -- (enecir)
DRV - [2008/03/27 16:12:12 | 000,024,424 | ---- | M] (Hewlett-Packard Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hpdskflt.sys -- (hpdskflt)
DRV - [2008/03/27 16:11:34 | 000,034,664 | ---- | M] (Hewlett-Packard Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Accelerometer.sys -- (Accelerometer)
DRV - [2008/01/20 22:23:20 | 002,225,664 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel(R)
DRV - [2007/06/18 20:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKLM\..\SearchScopes,DefaultScope = {E3E1488C-C9A6-41A2-83F7-23BCB5DBAD7D}
IE - HKLM\..\SearchScopes\{6A296A5B-71DF-477C-8863-FFA1FEBD27DA}: "URL" = [You must be registered and logged in to see this link.]
IE - HKLM\..\SearchScopes\{E3E1488C-C9A6-41A2-83F7-23BCB5DBAD7D}: "URL" = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\SearchScopes,DefaultScope = {E3E1488C-C9A6-41A2-83F7-23BCB5DBAD7D}
IE - HKCU\..\SearchScopes\{6A296A5B-71DF-477C-8863-FFA1FEBD27DA}: "URL" = [You must be registered and logged in to see this link.]
IE - HKCU\..\SearchScopes\{E3E1488C-C9A6-41A2-83F7-23BCB5DBAD7D}: "URL" = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.facebook.com/home.php?#!/?ref=home|http://caloriecount.about.com/cc/account/index.php|https://mail.google.com/mail/?shva=1#inbox|http://www.weather.com/weather/today/21117:4:US|[You must be registered and logged in to see this link.]
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.6
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_257.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@canon.com/MycameraPlugin: C:\Program Files\Canon\ZoomBrowser EX\Program\NPCIG.dll (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10516.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.775: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.775: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=1.0.0.0: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.775: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Users\Beth\AppData\Roaming\Move Networks\plugins\npqmp071706000001.dll (Move Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\fbphotozoom@installdaddy.com: C:\Program Files\fbphotozoom\fbphotozoom15.xpi [2012/03/24 13:32:42 | 000,102,423 | ---- | M] ()
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/16 16:02:03 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/05/19 14:30:40 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\moveplayer@movenetworks.com: C:\Users\Beth\AppData\Roaming\Move Networks [2011/07/02 14:04:28 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/16 16:02:03 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/05/19 14:30:40 | 000,000,000 | ---D | M]

[2010/03/24 23:12:27 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Beth\AppData\Roaming\Mozilla\Extensions
[2010/03/24 23:12:27 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Beth\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
[2012/05/10 07:33:23 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Beth\AppData\Roaming\Mozilla\Firefox\Profiles\b26e7yv9.default\extensions
[2010/07/07 12:48:02 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Beth\AppData\Roaming\Mozilla\Firefox\Profiles\b26e7yv9.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/04/01 21:53:22 | 000,001,498 | ---- | M] () -- C:\Users\Beth\AppData\Roaming\Mozilla\Firefox\Profiles\b26e7yv9.default\searchplugins\saveswatts.xml
[2011/11/14 18:15:39 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/13 22:11:25 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2012/01/07 12:23:33 | 000,634,964 | ---- | M] () (No name found) -- C:\USERS\BETH\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\B26E7YV9.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2012/06/16 16:02:03 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/02/02 21:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/10/05 21:07:53 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/14 18:15:29 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2009/12/29 20:18:33 | 000,370,684 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 12779 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No CLSID value found.
O4 - HKLM..\Run: [AmazonGSDownloaderTray] C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe (Amazon.com)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Spotify Web Helper] C:\Users\Beth\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe ()
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Users\Beth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Beth\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_24)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{67DCD674-8702-4186-8971-F03AFD006367}: DhcpNameServer = 75.75.75.75 75.75.76.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{CA2CDE49-B0DC-4575-8438-934026890EAD}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img11.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img11.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2010/09/10 16:47:40 | 000,011,064 | R--- | M] (Her Interactive, Inc.) - E:\autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2010/09/10 16:47:40 | 000,000,189 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{07603192-58c6-11e0-92bf-00269e30be4e}\Shell - "" = AutoRun
O33 - MountPoints2\{07603192-58c6-11e0-92bf-00269e30be4e}\Shell\AutoRun\command - "" = I:\TL-Bootstrap.exe
O33 - MountPoints2\{33bd964d-f1db-11de-9592-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{33bd964d-f1db-11de-9592-806e6f6e6963}\Shell\AutoRun\command - "" = E:\autorun.exe [open][2] "Setup.exe"
O33 - MountPoints2\{a0b3fe04-0557-11df-b453-00269e30be4e}\Shell - "" = AutoRun
O33 - MountPoints2\{a0b3fe04-0557-11df-b453-00269e30be4e}\Shell\AutoRun\command - "" = F:\SETUP.EXE
O33 - MountPoints2\{a0b3fe04-0557-11df-b453-00269e30be4e}\Shell\configure\command - "" = F:\SETUP.EXE
O33 - MountPoints2\{a0b3fe04-0557-11df-b453-00269e30be4e}\Shell\install\command - "" = F:\SETUP.EXE
O33 - MountPoints2\{be045a7c-df6d-11e0-b2c4-00269e30be4e}\Shell - "" = AutoRun
O33 - MountPoints2\{be045a7c-df6d-11e0-b2c4-00269e30be4e}\Shell\AutoRun\command - "" = H:\setup.exe -a
O33 - MountPoints2\{d76ef29d-dc1b-11df-b3f0-000000000030}\Shell - "" = AutoRun
O33 - MountPoints2\{d76ef29d-dc1b-11df-b3f0-000000000030}\Shell\AutoRun\command - "" = I:\TL-Bootstrap.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

MsConfig - StartUpFolder: C:^Users^Beth^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE - (Microsoft Corporation)
MsConfig - StartUpReg: Adobe ARM - hkey= - key= - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: CLMLServer for HP TouchSmart - hkey= - key= - C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe (CyberLink)
MsConfig - StartUpReg: DAEMON Tools Lite - hkey= - key= - C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
MsConfig - StartUpReg: DivXUpdate - hkey= - key= - C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
MsConfig - StartUpReg: DVDAgent - hkey= - key= - C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe (CyberLink Corp.)
MsConfig - StartUpReg: HP Health Check Scheduler - hkey= - key= - c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
MsConfig - StartUpReg: HP Software Update - hkey= - key= - C:\Program Files\HP\HP Software Update\hpwuSchd2.exe (Hewlett-Packard)
MsConfig - StartUpReg: HPAdvisor - hkey= - key= - File not found
MsConfig - StartUpReg: LightScribe Control Panel - hkey= - key= - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe (Hewlett-Packard Company)
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
MsConfig - StartUpReg: Skype - hkey= - key= - C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A.)
MsConfig - StartUpReg: SmartMenu - hkey= - key= - File not found
MsConfig - StartUpReg: SysTrayApp - hkey= - key= - C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
MsConfig - StartUpReg: TkBellExe - hkey= - key= - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
MsConfig - StartUpReg: TSMAgent - hkey= - key= - C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe (CyberLink Corp.)
MsConfig - StartUpReg: TVAgent - hkey= - key= - C:\Program Files\Hewlett-Packard\Media\TV\TVAgent.exe (CyberLink Corp.)
MsConfig - StartUpReg: UCam_Menu - hkey= - key= - C:\Program Files\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
MsConfig - StartUpReg: UpdateLBPShortCut - hkey= - key= - C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
MsConfig - StartUpReg: UpdateP2GoShortCut - hkey= - key= - C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
MsConfig - StartUpReg: UpdatePDIRShortCut - hkey= - key= - C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
MsConfig - StartUpReg: UpdatePSTShortCut - hkey= - key= - C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
MsConfig - StartUpReg: Windows Defender - hkey= - key= - File not found
MsConfig - StartUpReg: WirelessAssistant - hkey= - key= - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe (Hewlett-Packard)
MsConfig - State: "services" - 2
MsConfig - State: "startup" - 2

SafeBootMin: AppMgmt - Service
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: ccEvtMgr - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SafeBootMin: ccSetMgr - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft Limited)
SafeBootMin: MsMpSvc - c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SafeBootMin: NTDS - File not found
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: Symantec Antivirus - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation)
SafeBootMin: Symantec Antvirus - Service
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

SafeBootNet: AppMgmt - Service
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: ccEvtMgr - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SafeBootNet: ccSetMgr - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: HelpSvc - Service
SafeBootNet: Lavasoft Ad-Aware Service - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft Limited)
SafeBootNet: Messenger - Service
SafeBootNet: MsMpSvc - c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: NTDS - File not found
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: rdsessmgr - Service
SafeBootNet: sacsvr - Service
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: SmcService - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (Symantec Corporation)
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: Symantec Antivirus - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation)
SafeBootNet: Symantec Antvirus - Service
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootNet: WudfPf - Driver
SafeBootNet: WudfUsbccidDriver - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers
SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootNet: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootNet: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootNet: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
ActiveX: {166B1BCA-3F9C-11CF-8075-444553540000} - Macromedia Shockwave Director 10.1
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Macromedia Shockwave Director 10.1
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} -
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3codecp - C:\Windows\System32\l3codecp.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\Windows\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.ffds - C:\Program Files\Combined Community Codec Pack\Filters\FFDShow\ff_vfw.dll ()
Drivers32: vidc.yv12 - C:\Windows\System32\DivX.dll (DivX, Inc.)

CREATERESTOREPOINT
Unable to start System Restore Service. Error code 1084

========== Files/Folders - Created Within 30 Days ==========

[2012/06/14 09:43:00 | 000,000,000 | ---D | C] -- C:\Users\Beth\AppData\Local\Macromedia
[2012/06/14 03:09:20 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2012/06/14 03:09:13 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2012/06/14 03:09:12 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2012/06/14 03:09:09 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2012/06/14 03:09:04 | 001,800,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2012/06/14 03:09:04 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2012/06/14 03:08:59 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2012/06/13 05:09:08 | 002,045,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2012/06/08 20:55:44 | 000,045,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wups2.dll
[2012/06/08 20:55:43 | 002,422,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wucltux.dll
[2012/06/08 20:55:08 | 000,035,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wups.dll
[2012/06/08 20:55:07 | 000,577,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuapi.dll
[2012/06/08 20:55:07 | 000,088,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wudriver.dll
[2012/06/08 20:54:43 | 000,171,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuwebv.dll
[2012/06/08 20:54:43 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuapp.exe
[2012/05/19 14:30:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2012/05/19 14:29:29 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2012/05/19 14:29:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer
[7 C:\Users\Beth\Documents\*.tmp files -> C:\Users\Beth\Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/06/17 13:11:16 | 000,605,838 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/06/17 13:11:15 | 000,104,808 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/06/17 13:06:30 | 000,000,064 | ---- | M] () -- C:\Windows\System32\rp_stats.dat
[2012/06/17 13:06:30 | 000,000,044 | ---- | M] () -- C:\Windows\System32\rp_rules.dat
[2012/06/17 13:06:18 | 000,000,384 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2012/06/17 13:05:45 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/06/17 12:33:50 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/06/17 11:46:55 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/06/17 11:46:55 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/06/17 09:52:13 | 000,000,290 | ---- | M] () -- C:\Windows\tasks\WefiStartup.job
[2012/06/16 16:05:25 | 000,000,987 | ---- | M] () -- C:\Users\Beth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2012/06/16 16:04:58 | 000,000,953 | ---- | M] () -- C:\Users\Beth\Desktop\Dropbox.lnk
[2012/06/14 09:39:32 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2012/06/14 09:39:31 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012/06/14 05:38:39 | 000,399,704 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/06/12 17:19:02 | 004,293,778 | ---- | M] () -- C:\Users\Beth\Documents\Cultural intelligence.pdf
[2012/06/12 17:16:27 | 000,309,874 | ---- | M] () -- C:\Users\Beth\Documents\Leading by Leveraging Culture.pdf
[2012/06/12 17:12:08 | 005,762,419 | ---- | M] () -- C:\Users\Beth\Documents\Leadership that gets Results article.pdf
[2012/06/06 07:12:50 | 000,006,080 | ---- | M] () -- C:\Users\Beth\AppData\Local\d3d9caps.dat
[2012/06/02 18:19:33 | 000,045,080 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wups2.dll
[2012/06/02 18:19:32 | 000,035,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wups.dll
[2012/06/02 18:19:23 | 000,577,048 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wuapi.dll
[2012/06/02 18:12:32 | 002,422,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wucltux.dll
[2012/06/02 18:12:13 | 000,088,576 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wudriver.dll
[2012/06/02 15:19:42 | 000,171,904 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wuwebv.dll
[2012/06/02 15:12:20 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wuapp.exe
[2012/06/01 22:47:10 | 000,001,743 | ---- | M] () -- C:\Users\Beth\Desktop\Spotify.lnk
[2012/05/19 14:30:22 | 000,001,726 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[7 C:\Users\Beth\Documents\*.tmp files -> C:\Users\Beth\Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/06/17 13:06:17 | 000,000,384 | ---- | C] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2012/06/12 17:18:43 | 004,293,778 | ---- | C] () -- C:\Users\Beth\Documents\Cultural intelligence.pdf
[2012/06/12 17:16:27 | 000,309,874 | ---- | C] () -- C:\Users\Beth\Documents\Leading by Leveraging Culture.pdf
[2012/06/12 17:12:04 | 005,762,419 | ---- | C] () -- C:\Users\Beth\Documents\Leadership that gets Results article.pdf
[2012/06/01 22:47:10 | 000,001,743 | ---- | C] () -- C:\Users\Beth\Desktop\Spotify.lnk
[2012/06/01 22:47:10 | 000,001,729 | ---- | C] () -- C:\Users\Beth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Spotify.lnk
[2012/05/19 14:30:22 | 000,001,726 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2012/02/05 14:03:43 | 000,000,064 | ---- | C] () -- C:\Windows\System32\rp_stats.dat
[2012/02/05 14:03:43 | 000,000,044 | ---- | C] () -- C:\Windows\System32\rp_rules.dat
[2012/01/05 21:05:00 | 000,000,000 | ---- | C] () -- C:\Windows\Game.INI
[2012/01/03 20:06:41 | 000,000,000 | ---- | C] () -- C:\Windows\Waverly.INI
[2011/02/03 23:51:56 | 000,000,000 | ---- | C] () -- C:\Windows\Shadow.INI
[2010/12/04 00:24:57 | 000,000,000 | ---- | C] () -- C:\Windows\Twister.INI

========== Custom Scans ==========

< %APPDATA%\Microsoft\*.* >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %USERPROFILE%\Desktop\*.exe >

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\winn32\*.* >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.exe >
[2012/06/16 16:02:02 | 000,117,728 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\crashreporter.exe
[2012/06/16 16:02:02 | 000,913,888 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2012/06/16 16:02:01 | 000,113,120 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\maintenanceservice.exe
[2012/06/16 16:02:01 | 000,157,608 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
[2012/06/16 16:01:57 | 000,016,864 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
[2012/06/16 16:01:57 | 000,265,184 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\updater.exe

< %ProgramFiles%\TinyProxy. >

< %systemroot%\system32\*.* /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.* /lockedfiles >

< %PROGRAMFILES%\*. >
[2012/03/24 13:32:40 | 000,000,000 | ---D | M] -- C:\Program Files\1ClickDownload
[2010/11/06 06:18:43 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2012/01/03 18:46:02 | 000,000,000 | ---D | M] -- C:\Program Files\Amazon
[2011/08/04 17:51:16 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2009/01/16 06:08:35 | 000,000,000 | ---D | M] -- C:\Program Files\AWS
[2012/03/20 01:21:50 | 000,000,000 | ---D | M] -- C:\Program Files\Barnes & Noble
[2009/12/26 00:38:38 | 000,000,000 | ---D | M] -- C:\Program Files\Broadcom
[2011/02/28 20:32:19 | 000,000,000 | ---D | M] -- C:\Program Files\Canon
[2010/01/05 00:31:17 | 000,000,000 | ---D | M] -- C:\Program Files\Combined Community Codec Pack
[2011/12/27 21:14:10 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2009/01/16 06:04:34 | 000,000,000 | ---D | M] -- C:\Program Files\CyberLink
[2010/03/01 21:20:42 | 000,000,000 | ---D | M] -- C:\Program Files\DAEMON Tools Lite
[2009/12/26 00:36:15 | 000,000,000 | ---D | M] -- C:\Program Files\DIFX
[2010/05/24 02:48:30 | 000,000,000 | ---D | M] -- C:\Program Files\DivX
[2012/03/24 13:32:41 | 000,000,000 | ---D | M] -- C:\Program Files\fbphotozoom
[2012/03/16 20:59:51 | 000,000,000 | ---D | M] -- C:\Program Files\Her Interactive
[2009/12/26 00:49:54 | 000,000,000 | ---D | M] -- C:\Program Files\Hewlett-Packard
[2011/10/12 16:29:00 | 000,000,000 | ---D | M] -- C:\Program Files\HMA! Pro VPN
[2009/01/16 06:16:08 | 000,000,000 | ---D | M] -- C:\Program Files\HP
[2009/12/29 19:53:52 | 000,000,000 | ---D | M] -- C:\Program Files\HP Games
[2009/12/26 00:37:41 | 000,000,000 | ---D | M] -- C:\Program Files\IDT
[2012/03/16 20:59:46 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2009/12/26 00:39:30 | 000,000,000 | ---D | M] -- C:\Program Files\Intel
[2012/06/14 05:27:41 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2011/05/23 21:50:48 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2009/01/16 06:07:41 | 000,000,000 | ---D | M] -- C:\Program Files\JunoPreloader
[2012/02/02 13:59:27 | 000,000,000 | ---D | M] -- C:\Program Files\Lavasoft
[2010/03/31 03:17:19 | 000,000,000 | ---D | M] -- C:\Program Files\LimeWire
[2010/01/05 00:57:00 | 000,000,000 | ---D | M] -- C:\Program Files\Media Player Classic
[2010/08/23 21:43:20 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft
[2006/11/02 08:37:34 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Games
[2010/03/22 14:35:00 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2010/05/18 13:12:37 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office Labs
[2012/04/25 03:02:53 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Security Client
[2012/06/06 18:24:27 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight
[2010/03/22 14:34:49 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio
[2010/03/22 14:31:17 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio 8
[2011/10/22 03:50:55 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Works
[2010/06/26 03:02:11 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft.NET
[2010/08/12 01:43:10 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2012/06/16 16:02:03 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2012/06/17 09:46:09 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Maintenance Service
[2010/03/22 14:35:13 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2009/12/29 21:12:30 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2009/12/26 00:52:53 | 000,000,000 | ---D | M] -- C:\Program Files\muvee Technologies
[2011/12/27 21:14:05 | 000,000,000 | ---D | M] -- C:\Program Files\Nancy Drew
[2012/02/12 11:23:11 | 000,000,000 | ---D | M] -- C:\Program Files\Nancy Drew Curse of Blackmoor Manor
[2012/02/02 13:28:23 | 000,000,000 | ---D | M] -- C:\Program Files\Nancy Drew Danger By Design
[2012/01/09 18:10:25 | 000,000,000 | ---D | M] -- C:\Program Files\Nancy Drew Danger on Deception Island
[2012/01/25 17:50:49 | 000,000,000 | ---D | M] -- C:\Program Files\Nancy Drew Last Train to Blue Moon Canyon
[2012/01/24 19:12:44 | 000,000,000 | ---D | M] -- C:\Program Files\Nancy Drew Legend of the Crystal Skull
[2012/01/19 11:53:59 | 000,000,000 | ---D | M] -- C:\Program Files\Nancy Drew The Creature of Kapu Cave
[2012/01/26 13:43:13 | 000,000,000 | ---D | M] -- C:\Program Files\Nancy Drew The Haunted Carousel
[2012/01/16 18:58:04 | 000,000,000 | ---D | M] -- C:\Program Files\Nancy Drew The Haunting of Castle Malloy
[2012/01/05 20:47:38 | 000,000,000 | ---D | M] -- C:\Program Files\Nancy Drew Warnings at Waverly Academy
[2009/01/16 06:08:19 | 000,000,000 | ---D | M] -- C:\Program Files\NetZeroPreloader
[2009/12/26 02:30:28 | 000,000,000 | R--D | M] -- C:\Program Files\Online Services
[2009/12/30 05:33:26 | 000,000,000 | ---D | M] -- C:\Program Files\Pidgin
[2010/02/11 11:30:15 | 000,000,000 | ---D | M] -- C:\Program Files\pidgin-otr
[2012/05/19 14:30:37 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2010/08/04 23:21:12 | 000,000,000 | ---D | M] -- C:\Program Files\Real
[2009/12/26 00:37:44 | 000,000,000 | ---D | M] -- C:\Program Files\Realtek
[2006/11/02 08:37:34 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2010/06/19 10:36:07 | 000,000,000 | ---D | M] -- C:\Program Files\Siber Systems
[2010/04/13 22:11:25 | 000,000,000 | R--D | M] -- C:\Program Files\Skype
[2009/12/27 22:55:03 | 000,000,000 | ---D | M] -- C:\Program Files\SMINST
[2009/12/29 20:16:43 | 000,000,000 | ---D | M] -- C:\Program Files\Spybot - Search & Destroy
[2009/12/29 19:49:22 | 000,000,000 | ---D | M] -- C:\Program Files\Symantec
[2009/12/29 19:46:26 | 000,000,000 | ---D | M] -- C:\Program Files\Symantec Endpoint Protection
[2009/12/26 00:35:31 | 000,000,000 | ---D | M] -- C:\Program Files\Synaptics
[2009/12/29 20:46:36 | 000,000,000 | ---D | M] -- C:\Program Files\Trend Micro
[2011/03/10 14:34:26 | 000,000,000 | ---D | M] -- C:\Program Files\TurboTax
[2006/11/02 09:01:55 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2012/01/04 16:43:22 | 000,000,000 | ---D | M] -- C:\Program Files\Vuze
[2011/04/03 18:32:09 | 000,000,000 | ---D | M] -- C:\Program Files\WeFi
[2011/09/22 11:20:26 | 000,000,000 | ---D | M] -- C:\Program Files\WinDirStat
[2009/12/30 22:45:55 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Calendar
[2009/12/30 22:45:53 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Collaboration
[2009/12/30 22:45:48 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Defender
[2012/05/10 03:53:31 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Journal
[2011/11/07 22:10:47 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live
[2012/04/11 03:37:16 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Mail
[2010/10/20 03:28:42 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2006/11/02 08:37:34 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2009/12/30 22:45:51 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Photo Gallery
[2009/12/30 23:04:29 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Portable Devices
[2009/12/30 22:45:54 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Sidebar
[2010/03/30 13:34:38 | 000,000,000 | ---D | M] -- C:\Program Files\WinRAR
[2011/05/27 13:20:15 | 000,000,000 | ---D | M] -- C:\Program Files\Word Metadata Changer
[2010/04/17 00:23:57 | 000,000,000 | ---D | M] -- C:\Program Files\Xobni
[2012/06/14 09:42:35 | 000,000,000 | ---D | M] -- C:\Program Files\Yahoo!

< MD5 for: AGP440.SYS >
[2008/01/20 22:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\drivers\AGP440.sys
[2008/01/20 22:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys
[2008/01/20 22:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/20 22:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/20 22:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2006/11/02 05:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/20 22:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/20 22:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 05:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2009/01/16 06:13:45 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=9C0E70031905ADBF94EDB9EA14AF943B -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7f3e4ed9\atapi.sys
[2009/01/16 06:13:45 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=9C0E70031905ADBF94EDB9EA14AF943B -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.22193_none_dd6376773aedb5e4\atapi.sys
[2009/01/16 06:13:45 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=E26DDFE464B464DAF1C739122978D1D6 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b7393fc6\atapi.sys
[2009/01/16 06:13:45 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=E26DDFE464B464DAF1C739122978D1D6 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20847_none_dbb74a7b3d9afbc1\atapi.sys

< MD5 for: DISK.SYS >
[2009/04/11 02:32:31 | 000,053,736 | ---- | M] (Microsoft Corporation) MD5=5D4AEFC3386920236A548271F8F1AF6A -- C:\Windows\System32\drivers\disk.sys
[2009/04/11 02:32:31 | 000,053,736 | ---- | M] (Microsoft Corporation) MD5=5D4AEFC3386920236A548271F8F1AF6A -- C:\Windows\System32\DriverStore\FileRepository\disk.inf_5c850fad\disk.sys
[2009/04/11 02:32:31 | 000,053,736 | ---- | M] (Microsoft Corporation) MD5=5D4AEFC3386920236A548271F8F1AF6A -- C:\Windows\winsxs\x86_disk.inf_31bf3856ad364e35_6.0.6002.18005_none_fbb1faf0714e4ea6\disk.sys
[2008/01/20 22:23:20 | 000,055,352 | ---- | M] (Microsoft Corporation) MD5=64109E623ABD6955C8FB110B592E68B7 -- C:\Windows\System32\DriverStore\FileRepository\disk.inf_90722180\disk.sys
[2008/01/20 22:23:20 | 000,055,352 | ---- | M] (Microsoft Corporation) MD5=64109E623ABD6955C8FB110B592E68B7 -- C:\Windows\winsxs\x86_disk.inf_31bf3856ad364e35_6.0.6001.18000_none_f9c681e4742c835a\disk.sys
[2006/11/02 05:49:51 | 000,052,840 | ---- | M] (Microsoft Corporation) MD5=841AF4C4D41D3E3B2F244E976B0F7963 -- C:\Windows\System32\DriverStore\FileRepository\disk.inf_e0b0b355\disk.sys

< MD5 for: NETLOGON.DLL >
[2009/04/11 02:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll
[2009/04/11 02:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2008/01/20 22:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 05:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/20 22:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\drivers\nvstor.sys
[2008/01/20 22:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/20 22:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2012-06-14 09:08:32

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012/06/16 16:01:57 | 000,867,072 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012/06/16 16:01:57 | 000,867,072 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/06/16 16:01:57 | 000,867,072 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2012/06/16 16:02:02 | 000,913,888 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2012/06/16 16:02:02 | 000,913,888 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2012/06/16 16:02:02 | 000,913,888 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\system32\ie4uinit.exe" -hide [2012/02/21 04:04:24 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\system32\ie4uinit.exe" -show [2012/02/21 04:04:24 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\system32\ie4uinit.exe" -reinstall [2012/02/21 04:04:24 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2012/05/17 19:21:54 | 000,748,664 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2012/05/17 19:21:54 | 000,748,664 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012/06/16 16:01:57 | 000,867,072 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012/06/16 16:01:57 | 000,867,072 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/06/16 16:01:57 | 000,867,072 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2012/06/16 16:02:02 | 000,913,888 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2012/06/16 16:02:02 | 000,913,888 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2012/06/16 16:02:02 | 000,913,888 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\system32\ie4uinit.exe" -hide [2012/02/21 04:04:24 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\system32\ie4uinit.exe" -show [2012/02/21 04:04:24 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\system32\ie4uinit.exe" -reinstall [2012/02/21 04:04:24 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2012/05/17 19:21:54 | 000,748,664 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2012/05/17 19:21:54 | 000,748,664 | ---- | M] (Microsoft Corporation)

< End of report >

thecynic69

Newbie Surfer
Newbie Surfer

Posts : 11
Joined : 2012-06-18
Operating System : Vista

View user profile

Back to top Go down

Re: Trojan.pidief and Trojan.maljava (I think!)

Post by thecynic69 on Mon 18 Jun 2012, 5:26 am

OTL Extras logfile created on: 6/17/2012 1:30:33 PM - Run 1
OTL by OldTimer - Version 3.2.49.0 Folder = C:\Users\Beth\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.93 Gb Total Physical Memory | 2.10 Gb Available Physical Memory | 71.75% Memory free
6.06 Gb Paging File | 5.46 Gb Available in Paging File | 90.11% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 286.45 Gb Total Space | 30.23 Gb Free Space | 10.55% Space Free | Partition Type: NTFS
Drive D: | 11.63 Gb Total Space | 1.81 Gb Free Space | 15.55% Space Free | Partition Type: NTFS
Drive E: | 577.26 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: BETH-PC | User Name: Beth | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00686844-F12A-452F-BDB7-030C0FBB1B27}" = lport=139 | protocol=6 | dir=in | app=system |
"{05D94445-479F-4713-93C6-C9EBEE078D9B}" = lport=10243 | protocol=6 | dir=in | app=system |
"{0886C2DF-ACA0-4B02-8156-EDC94A0141A3}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{1AA1CFDA-00A1-4EC7-A620-017C69000BF7}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{1D4AFBAF-5145-43F5-9827-641EFFFE21E2}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{1E508077-A4A1-4090-9128-CE0F8B731126}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{1F4BA0C2-A855-411C-B4CB-9C5EF5930CB3}" = rport=10243 | protocol=6 | dir=out | app=system |
"{27A8881A-D977-4F33-8D67-BA4A48E0E6C7}" = rport=445 | protocol=6 | dir=out | app=system |
"{3856C87A-8DF7-45F0-9785-F853966CA39E}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{3A680A82-DC8D-4FD5-B2CD-76C9512F2782}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{3D619AD7-875C-40EA-9077-08907EE4D2BB}" = lport=445 | protocol=6 | dir=in | app=system |
"{415BB8C9-0F27-4EAE-B1D0-C1220E8429E6}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
"{49A23ACD-D7BB-4464-8734-A18006EF7F4C}" = rport=80 | protocol=6 | dir=out | app=c:\program files\common files\intuit\update service\intuitupdateservice.exe |
"{57C2D381-E05C-4F8D-A975-DE993F1C430D}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{5C6C71B0-02D0-43BC-9DCC-2E08C82C36ED}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{67020803-CCC1-4AD9-B635-CBF19EFE0D98}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{6F26A46C-0F61-41D6-9676-7A051A94B4A0}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{6FA8A9FD-5393-4165-9E49-D9FF5A0986A0}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{745A8377-A0C7-4F28-85D3-1A2E8D484AEC}" = lport=137 | protocol=17 | dir=in | app=system |
"{75F965BB-0C9A-47CA-A4B4-1405A21DEE27}" = rport=139 | protocol=6 | dir=out | app=system |
"{7AFE3421-9E85-45A3-AEEF-692A286CB7E7}" = rport=137 | protocol=17 | dir=out | app=system |
"{7D465406-F45D-4965-B191-24BFBED41D88}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{8C6FE88C-B22B-4DD3-B5AD-5356507881DD}" = lport=138 | protocol=17 | dir=in | app=system |
"{967DE430-5B32-4E1C-8502-C83A45F557A6}" = lport=2869 | protocol=6 | dir=in | app=system |
"{9CF975AA-B3AB-4605-B9B3-063485BF6001}" = rport=138 | protocol=17 | dir=out | app=system |
"{9E4CD7CA-0986-48E9-B7A0-4D302AA570CA}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{9F542F73-26B8-4D2D-9330-FD10D99925A0}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{AC4C9705-2D06-4B95-85A7-859CDCF10623}" = rport=80 | protocol=6 | dir=out | app=c:\program files\common files\intuit\update service\intuitupdater.exe |
"{AD3CEDC3-A15A-4657-8F13-D63AE2B36CB6}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{BE93C562-561E-47B6-B254-B826FBCA1FE0}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{D687B20D-BA50-45B9-AFA5-E128AEC311BA}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{D6CBB580-BA51-4C35-8F6E-60E0C4577E3A}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0009E5F3-DC4E-48E4-B0F4-A01C8C5FF30E}" = protocol=6 | dir=in | app=c:\program files\symantec\symantec endpoint protection\snac.exe |
"{07D8410E-4058-473C-BAF0-1E3F4932539F}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{0ADBF4D9-80BE-4126-86B4-74BC41F4F6A3}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{0C8838B0-9B63-47AD-B5B4-94029D7AAA74}" = protocol=6 | dir=in | app=c:\program files\vuze\azureus.exe |
"{0FE27372-6A39-4842-AFFE-1677BF842F6C}" = dir=in | app=c:\program files\hewlett-packard\media\tv\qpservice.exe |
"{13D5F403-0DE2-4703-934B-95D3F8B36B42}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{142F16FC-006C-43BC-95ED-0B7282BA9563}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{1CA8D7F7-7ABF-4010-B6B9-6B0122AFA328}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{24DF210B-F6DB-4734-B588-65386969E27C}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{26B74B93-4807-4EA9-95EC-3AC38A1AF5DA}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{272BB689-DBCA-4C78-AE8C-4D8362719854}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hptouchsmartvideo.exe |
"{2E54E9E7-6F70-4DFF-9B7E-5A609F50271A}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hptouchsmartphoto.exe |
"{314B2CEE-5A26-410E-9245-54CD364935FC}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{35A51F89-E8E7-4B3F-BD72-63306213CFBC}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\tsmagent.exe |
"{3BC1E9CA-31F8-47F0-B77B-1C0F39E0D360}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{45D03282-EBEB-4203-B8C5-CA768C3BC311}" = protocol=17 | dir=in | app=c:\users\beth\appdata\roaming\dropbox\bin\dropbox.exe |
"{48C07177-6584-4A3E-9BD0-34835809F5FC}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\hptouchsmartphoto.exe |
"{4ABC591F-B882-4191-B8C1-C1E9AC994A40}" = protocol=6 | dir=in | app=c:\program files\aim\aim.exe |
"{536EA4EB-8387-46CD-A944-527FF7E09D6C}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{54068006-E366-4214-9710-1FAC9B722370}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\hptouchsmartvideo.exe |
"{5822B436-B944-41C2-9F32-75CFA52E1AAD}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{58FA5E29-3BBD-4450-9E81-7BD2255CC794}" = protocol=17 | dir=in | app=c:\program files\vuze\azureus.exe |
"{669B8660-7E77-417E-8FB9-5DA91CE64B91}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{674AD567-B3A5-4FB6-816F-6D6401603376}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hpdvdsmart.exe |
"{67D5102A-67E9-47BD-92C6-D67914FFB0B6}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{70ABE288-CFAB-4199-8C06-8EF7BEB0CB8B}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{72E19F76-5339-476B-AFD9-1B34343AD1C1}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{758538BF-89D4-463A-9106-6E9B6C20B108}" = protocol=17 | dir=in | app=c:\program files\vuze\azureus.exe |
"{804AFBC1-3B45-47BE-AA29-AFC135890163}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{83FB5DE5-4FAD-406A-8044-F4A7020A3DB1}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{88C6A119-1343-43FC-98D1-F45251757DEC}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{8A6680EB-4BA5-415A-B2AB-DE9ECFE32F91}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{8BA2E468-D2D4-4F8E-876A-25CCFA52DCF6}" = dir=in | app=c:\program files\windows live\contacts\wlcomm.exe |
"{8E07C5F1-0CD2-4224-8178-1545CD5AC27A}" = protocol=17 | dir=in | app=c:\program files\common files\symantec shared\ccapp.exe |
"{8F5FD2EC-32B0-4AD4-8E5B-1E8E91E5CCF5}" = protocol=6 | dir=out | app=system |
"{90DF5F4D-18C8-4870-9709-00DDBD589C43}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\hptouchsmartmusic.exe |
"{92859101-38F4-4F12-8689-618B2D54D134}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\tsmagent.exe |
"{92B5CB4E-2BFB-47C6-98F8-4E47FE469DA0}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{92B98A28-F8BA-41B9-BFD5-4BE78C93F3E0}" = protocol=6 | dir=in | app=c:\program files\symantec\symantec endpoint protection\smc.exe |
"{93B7839D-ED0C-4BAD-9156-63E1EC1AF7FB}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"{977FFD3D-2258-45A8-92CF-91D9A9D5EBCA}" = protocol=6 | dir=in | app=c:\program files\common files\symantec shared\ccapp.exe |
"{999F7A70-B1CA-4B22-BD16-82DF48B22F2E}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"{99F60A6A-F2C3-431C-8438-2A288A6521FD}" = protocol=6 | dir=in | app=c:\program files\vuze\azureus.exe |
"{A1272904-48BE-490D-9120-FB622AAFD0B2}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{B36E7301-7F6B-4136-9042-BCA30DE1EABD}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{B6822023-4432-4599-8ED0-0DD910ED7217}" = protocol=6 | dir=in | app=c:\users\beth\appdata\roaming\dropbox\bin\dropbox.exe |
"{B8C56595-06F1-4D22-8B80-9B547CF07F93}" = protocol=17 | dir=in | app=c:\program files\symantec\symantec endpoint protection\smc.exe |
"{BAE5AD11-FCC9-4C24-B6FF-8FD9788E3E0E}" = dir=in | app=c:\program files\hewlett-packard\media\dvd\kernel\clml\clmlsvc.exe |
"{CB2DF0DD-D118-43CC-92D1-E7F59A3DE658}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{D81514C1-B26A-4D6F-81A9-C197746B7DCB}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{DB9D3EEB-F8BF-43FF-89F2-0F5D5E13EB6C}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\hptouchsmartmusic.exe |
"{DCCF1D63-B1A1-42E8-AA66-FBBB664EC504}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{DCECFE1A-4D5C-41EE-AEFE-404C1DEDD02D}" = dir=in | app=c:\program files\hewlett-packard\media\tv\qp.exe |
"{DD407257-953B-4951-B340-C184252D4BB4}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe |
"{E46B8A83-859B-48BB-99B3-94BB7CA63704}" = dir=in | app=c:\program files\hewlett-packard\touchsmart\media\kernel\clml\clmlsvc.exe |
"{E61E8ECD-1921-4688-A576-FD10C151FEFD}" = protocol=17 | dir=in | app=c:\program files\aim\aim.exe |
"{EEC5F06B-E718-405F-8A32-C9DB36762235}" = protocol=17 | dir=in | app=c:\program files\symantec\symantec endpoint protection\snac.exe |
"{F1B7BE60-ED3C-4CD8-A9AE-FBCB6C542645}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{F9AAE9CB-7E37-42C3-BCBF-C8E7A903E743}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"TCP Query User{17C10074-DC1E-4CCF-B1C3-51489C2FAF36}C:\users\beth\appdata\roaming\spotify\spotify.exe" = protocol=6 | dir=in | app=c:\users\beth\appdata\roaming\spotify\spotify.exe |
"TCP Query User{4D0D6050-82E5-4C0D-A0DC-6BA239CFD8FD}C:\users\beth\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=6 | dir=in | app=c:\users\beth\appdata\roaming\dropbox\bin\dropbox.exe |
"TCP Query User{78840E6A-0261-4CF7-886C-38651CC80FA7}C:\program files\pidgin\pidgin.exe" = protocol=6 | dir=in | app=c:\program files\pidgin\pidgin.exe |
"TCP Query User{DBE65C39-2559-4CB0-9EA9-5DE4172630F0}C:\program files\limewire\limewire.exe" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"TCP Query User{EF22F546-8BC2-4C9A-B099-9B204E80CB79}C:\program files\pidgin\pidgin.exe" = protocol=6 | dir=in | app=c:\program files\pidgin\pidgin.exe |
"UDP Query User{13FDB498-7F99-4879-94CD-A01BD97F74D7}C:\users\beth\appdata\roaming\dropbox\bin\dropbox.exe" = protocol=17 | dir=in | app=c:\users\beth\appdata\roaming\dropbox\bin\dropbox.exe |
"UDP Query User{5A8D1F5A-5A47-4861-8028-39942D9AE24F}C:\program files\limewire\limewire.exe" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"UDP Query User{67DBB363-B9AE-4B30-A95E-D18FF18BE381}C:\program files\pidgin\pidgin.exe" = protocol=17 | dir=in | app=c:\program files\pidgin\pidgin.exe |
"UDP Query User{AE5B5372-5FE3-4902-A5E2-FC6E7D7936EF}C:\program files\pidgin\pidgin.exe" = protocol=17 | dir=in | app=c:\program files\pidgin\pidgin.exe |
"UDP Query User{E22BC7E8-80E0-414D-8769-CB0171A2D424}C:\users\beth\appdata\roaming\spotify\spotify.exe" = protocol=17 | dir=in | app=c:\users\beth\appdata\roaming\spotify\spotify.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0054A0F6-00C9-4498-B821-B5C9578F433E}" = HP Help and Support
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = HP MediaSmart Webcam
"{0240CDAE-20F6-4381-A56E-BD2AE3B4B5D0}" = Nancy Drew: Trail of the Twister
"{03DF638A-D61C-4893-B8B9-845900C03163}" = TurboTax 2010 wnyiper
"{05BDC796-3451-4F81-B91D-E98F7ADA76C2}" = TurboTax 2010 WinPerTaxSupport
"{08FBA49B-702A-471E-A512-8D21A0D936C4}" = Nancy Drew: Alibi in Ashes
"{0A0A59B1-043F-42EF-A885-344262AAD4A2}_is1" = Word Metadata Changer 2.0
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime
"{0E7DBD52-B097-4F2B-A7C7-F105B0D20FDB}" = LightScribe System Software 1.14.17.1
"{0F842B77-56EA-4AAF-8295-81A022350B5E}" = Microsoft Security Client
"{1088F929-91D9-4FD5-8AE8-E9593CD47CD7}" = Nancy Drew: Ransom of the Seven Ships
"{10A10C6C-FF5E-40B2-A343-8D69E24167DF}" = Nancy Drew: Shadow at the Water's Edge
"{113AC946-0CEB-49C7-828A-230FF9EB1DBB}" = TurboTax 2010 wmdiper
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{228C6B46-64E2-404E-898A-EF0830603EF4}" = HPNetworkAssistant
"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 24
"{2A3FC24C-6EC0-4519-A52B-FDA4EA9B2D24}" = Windows Live Messenger
"{2EFCC193-D915-4CCB-9201-31773A27BC06}" = Symantec Endpoint Protection
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 L1
"{352310C3-E46B-42D3-8F32-54721FDD72D9}" = NetZero Preloader
"{36E90C09-EB23-4EAC-8B47-12C0CA5DBD3A}" = HP User Guides 0126
"{3782EC09-4000-475E-8A59-9CABD6F03B4C}" = TurboTax 2010 WinPerFedFormset
"{3877C901-7B90-4727-A639-B6ED2DD59D43}" = ESU for Microsoft Vista
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"{47F36D92-E58E-456D-B73C-3382737E4C42}" = HP Update
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4F2FCCCF-29F3-44B9-886F-6D16F8417522}" = TurboTax 2010 wrapper
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{57A5AEC1-97FC-474D-92C4-908FCC2253D4}" = HP Customer Experience Enhancements
"{5DD4FCBD-A3C1-4155-9E17-4161C70AAABA}" = Segoe UI
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6423EF83-6E1D-4D22-A36F-689CD19FD4D2}" = Juno Preloader
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library
"{67626E09-5366-4480-8F1E-93FADF50CA15}" = HP MediaSmart TV
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{732A3F80-008B-4350-BD58-EC5AE98707B8}" = HP Common Access Service Library
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7B15D70E-9449-4CFB-B9BC-798465B2BD5C}" = Norton Internet Security
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8DC069E7-893C-41E1-9442-DE89FEC33371}" = Xobni Core
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{8FB53850-246A-3507-8ADE-0060093FFEA6}" = Visual Studio Tools for the Office system 3.0 Runtime
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{932D0FC7-6DF1-4136-A2EC-166E8DEFD6A4}" = Ad-Aware
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{958287E0-A34F-40C7-B06A-0FD18E0BBA49}" = Nancy Drew: Treasure in the Royal Tower
"{97F81AF1-0E47-DC99-FF1F-C8B3B9A1E18E}" = Visual C++ 8.0 ATL (x86) WinSXS MSM
"{98CB24AD-52FB-DB5F-FF1F-C8B3B9A1E18E}" = Visual C++ 8.0 CRT (x86) WinSXS MSM
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A525E00B-6609-442E-9DCD-64453C233E8D}" = TurboTax 2010 WinPerReleaseEngine
"{A5D73F1B-C475-4158-BD83-35A8B94F1018}" = Nancy Drew: The Captive Curse
"{A7AC8E69-01FF-494E-9A2C-423B82CEA604}" = HP MediaSmart SmartMenu
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAD72731-807A-4B79-AE05-9190B7002B7B}" = ProtectSmart Hard Drive Protection
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.3
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AD72CFB4-C2BF-424E-9DF0-C7BAD1F30A11}" = Adobe Shockwave Player
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B2EE25B9-5B00-4ACF-94F0-92433C28C39E}" = HP MediaSmart Music/Photo/Video
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"{C6150D8A-86ED-41D3-87BB-F3BB51B0B77F}" = Windows Live ID Sign-in Assistant
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE7E3BE0-2DD3-4416-A690-F9E4A99A8CFF}" = HP Active Support Library
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{DCCAD079-F92C-44DA-B258-624FC6517A5A}" = HP MediaSmart DVD
"{DDC4F97A-5487-4D7A-907A-CB1AD98F665F}" = Microsoft Office Labs Ribbon Hero
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger
"{E5E29403-3D25-40C6-892B-F9FEE2A95585}" = HP Wireless Assistant
"{E8020EC7-5DD8-80C9-7237-7B2E9BDA8CC6}" = muvee Reveal
"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support
"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"1ClickDownload" = 1ClickDownload
"7DE39862CC26DCE2446838AAF7CD5C163F835A57" = Windows Driver Package - ENE (enecir) HIDClass (09/04/2008 2.6.0.0)
"8461-7759-5462-8226" = Vuze
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Amazon Games & Software Downloader_is1" = Amazon Games & Software Downloader
"BN_DesktopReader" = NOOK for PC
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
"CameraUserGuide-PSSD1400IS_IXUS130" = Canon PowerShot SD1400 IS_IXUS 130 Camera User Guide
"CameraWindowDC8" = Canon Utilities CameraWindow DC 8
"CameraWindowLauncher" = Canon Utilities CameraWindow
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"Canon MOV Decoder" = Canon MOV Decoder
"Canon MOV Encoder" = Canon MOV Encoder
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2009-09-09
"DivX Setup.divx.com" = DivX Setup
"ENTERPRISE" = Microsoft Office Enterprise 2007
"GTK 2.0" = GTK+ Runtime 2.14.7 rev a (remove only)
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"HMA! Pro VPN" = HMA! Pro VPN 2.6.9
"HP.MediaSmartSlingPlayer_is1" = HP MediaSmart SlingPlayer
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = HP MediaSmart Webcam
"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"InstallShield_{67626E09-5366-4480-8F1E-93FADF50CA15}" = HP MediaSmart TV
"InstallShield_{B2EE25B9-5B00-4ACF-94F0-92433C28C39E}" = HP MediaSmart Music/Photo/Video
"InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"InstallShield_{DCCAD079-F92C-44DA-B258-624FC6517A5A}" = HP MediaSmart DVD
"LimeWire" = LimeWire 5.5.8
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Media Player Classic" = Media Player Classic
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"MovieUploaderForYouTube" = Canon Utilities Movie Uploader for YouTube
"Mozilla Firefox 13.0.1 (x86 en-US)" = Mozilla Firefox 13.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MyCamera" = Canon Utilities MyCamera
"Nancy Drew Curse of Blackmoor Manor_is1" = Nancy Drew Curse of Blackmoor Manor
"Nancy Drew Danger By Design_is1" = Nancy Drew Danger By Design
"Nancy Drew Danger on Deception Island_is1" = Nancy Drew Danger on Deception Island
"Nancy Drew Last Train to Blue Moon Canyon_is1" = Nancy Drew Last Train to Blue Moon Canyon
"Nancy Drew Legend of the Crystal Skull_is1" = Nancy Drew Legend of the Crystal Skull
"Nancy Drew The Creature of Kapu Cave_is1" = Nancy Drew The Creature of Kapu Cave
"Nancy Drew The Haunted Carousel_is1" = Nancy Drew The Haunted Carousel
"Nancy Drew The Haunting of Castle Malloy_is1" = Nancy Drew The Haunting of Castle Malloy
"Nancy Drew Warnings at Waverly Academy_is1" = Nancy Drew Warnings at Waverly Academy
"Personal Printing Guide" = Canon Personal Printing Guide
"PhotoStitch" = Canon Utilities PhotoStitch
"Pidgin" = Pidgin
"pidgin-otr" = pidgin-otr 3.2.0-1
"RealPlayer 12.0" = RealPlayer
"Software Guide" = Canon DIGITAL CAMERA Solution Disk Software Guide
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TurboTax 2010" = TurboTax 2010
"Visual Studio Tools for the Office system 3.0 Runtime" = Visual Studio Tools for the Office system 3.0 Runtime
"WeFi" = WeFi 4.0.0.16
"WildTangent hp Master Uninstall" = My HP Games
"WinLiveSuite" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"XobniMain" = Xobni
"YTdetect" = Yahoo! Detect
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"Move Media Player" = Move Media Player
"Spotify" = Spotify
"WinDirStat" = WinDirStat 1.1.2

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 1/2/2012 12:02:38 AM | Computer Name = Beth-PC | Source = Perflib | ID = 1008
Description =

Error - 1/2/2012 12:02:39 AM | Computer Name = Beth-PC | Source = Perflib | ID = 1008
Description =

Error - 1/4/2012 3:15:23 AM | Computer Name = Beth-PC | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Tracking Cookies in File: Unavailable by: Manual
scan. Action: Quarantine failed : Leave Alone failed. Action Description: The
file was deleted successfully.

Error - 1/4/2012 5:24:55 PM | Computer Name = Beth-PC | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Tracking Cookies in File: Unavailable by: Scheduled
scan. Action: Quarantine failed : Leave Alone failed. Action Description: The
file was deleted successfully.

Error - 1/4/2012 6:37:50 PM | Computer Name = Beth-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 1/7/2012 12:11:42 PM | Computer Name = Beth-PC | Source = Application Hang | ID = 1002
Description = The program HMA! Pro VPN.exe version 2.0.0.0 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: eec Start Time: 01cccc04fc399770 Termination Time: 109

Error - 1/7/2012 12:16:02 PM | Computer Name = Beth-PC | Source = WinMgmt | ID = 10
Description =

Error - 1/9/2012 9:50:02 PM | Computer Name = Beth-PC | Source = Application Hang | ID = 1002
Description = The program firefox.exe version 9.0.1.4371 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 14c8 Start Time: 01cccd58b11d0d54 Termination Time: 94

Error - 1/10/2012 12:43:44 AM | Computer Name = Beth-PC | Source = Application Hang | ID = 1002
Description = The program Game.RWG version 4.9.7.0 stopped interacting with Windows
and was closed. To see if more information about the problem is available, check
the problem history in the Problem Reports and Solutions control panel. Process
ID: 13c8 Start Time: 01cccf187f052114 Termination Time: 12

Error - 1/11/2012 1:09:37 PM | Computer Name = Beth-PC | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Tracking Cookies in File: Unavailable by: Scheduled
scan. Action: Quarantine failed : Leave Alone failed. Action Description: The
file was deleted successfully.

[ OSession Events ]
Error - 6/26/2010 2:28:09 PM | Computer Name = Beth-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6425.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 277801
seconds with 840 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 6/17/2012 1:06:15 PM | Computer Name = Beth-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 6/17/2012 1:06:15 PM | Computer Name = Beth-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 6/17/2012 1:06:16 PM | Computer Name = Beth-PC | Source = Microsoft-Windows-WLAN-AutoConfig | ID = 10000
Description =

Error - 6/17/2012 1:06:21 PM | Computer Name = Beth-PC | Source = DCOM | ID = 10005
Description =

Error - 6/17/2012 1:06:38 PM | Computer Name = Beth-PC | Source = DCOM | ID = 10005
Description =

Error - 6/17/2012 1:06:41 PM | Computer Name = Beth-PC | Source = DCOM | ID = 10005
Description =

Error - 6/17/2012 1:07:13 PM | Computer Name = Beth-PC | Source = DCOM | ID = 10005
Description =

Error - 6/17/2012 1:16:31 PM | Computer Name = Beth-PC | Source = DCOM | ID = 10005
Description =

Error - 6/17/2012 1:16:31 PM | Computer Name = Beth-PC | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.127.2148.0 Update Source: %%859 Update Stage:
%%852 Source Path: Default URL Signature Type: %%800 Update Type: %%803 User: NT AUTHORITY\SYSTEM

Current
Engine Version: Previous Engine Version: 1.1.8403.0 Error code: 0x8007043c Error
description: This service cannot be started in Safe Mode

Error - 6/17/2012 1:17:59 PM | Computer Name = Beth-PC | Source = DCOM | ID = 10005
Description =


< End of report >

thecynic69

Newbie Surfer
Newbie Surfer

Posts : 11
Joined : 2012-06-18
Operating System : Vista

View user profile

Back to top Go down

Re: Trojan.pidief and Trojan.maljava (I think!)

Post by thecynic69 on Mon 18 Jun 2012, 5:27 am

Results of screen317's Security Check version 0.99.41
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Lavasoft Ad-Watch Live! Anti-Virus
Symantec Endpoint Protection
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Ad-Aware
Out of date HijackThis installed!
Spybot - Search & Destroy
HijackThis 2.0.2
Java(TM) 6 Update 24
Java(TM) 6 Update 7
Java version out of date!
Adobe Flash Player 11.3.300.257
Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (13.0.1)
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````

thecynic69

Newbie Surfer
Newbie Surfer

Posts : 11
Joined : 2012-06-18
Operating System : Vista

View user profile

Back to top Go down

Re: Trojan.pidief and Trojan.maljava (I think!)

Post by thecynic69 on Mon 18 Jun 2012, 5:28 am

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-17 13:31:27
-----------------------------
13:31:27.329 OS Version: Windows 6.0.6002 Service Pack 2
13:31:27.329 Number of processors: 2 586 0x170A
13:31:27.345 ComputerName: BETH-PC UserName: Beth
13:31:49.965 Initialize success
13:32:43.645 AVAST engine defs: 12061700
13:32:53.457 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
13:32:53.457 Disk 0 Vendor: ST9320325AS P003HPM1 Size: 305245MB BusType: 3
13:32:53.488 Disk 0 MBR read successfully
13:32:53.504 Disk 0 MBR scan
13:32:53.504 Disk 0 unknown MBR code
13:32:53.675 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 293327 MB offset 2048
13:32:53.753 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 11914 MB offset 600735744
13:32:53.753 Disk 0 scanning sectors +625135616
13:32:53.894 Disk 0 scanning C:\Windows\system32\drivers
13:33:32.161 Service scanning
13:34:11.410 Service SymEvent C:\Windows\system32\Drivers\SYMEVENT.SYS **LOCKED** 32
13:34:21.067 Modules scanning
13:34:42.064 Disk 0 trace - called modules:
13:34:42.610 ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll acpi.sys ataport.SYS PCIIDEX.SYS msahci.sys
13:34:42.626 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x860b8030]
13:34:42.626 3 CLASSPNP.SYS[8ab0a8b3] -> nt!IofCallDriver -> [0x86032900]
13:34:42.626 5 hpdskflt.sys[8b9a6f05] -> nt!IofCallDriver -> [0x85f31b18]
13:34:42.641 7 acpi.sys[827b76bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85efdb98]
13:34:56.993 AVAST engine scan C:\Windows
13:35:22.421 AVAST engine scan C:\Windows\system32
13:45:17.468 AVAST engine scan C:\Windows\system32\drivers
13:46:15.188 AVAST engine scan C:\Users\Beth
14:03:06.723 AVAST engine scan C:\ProgramData
14:07:19.817 Scan finished successfully
14:09:09.782 Disk 0 MBR has been saved successfully to "C:\Users\Beth\Documents\Spyware Removal\MBR.dat"
14:09:09.797 The log file has been saved successfully to "C:\Users\Beth\Documents\Spyware Removal\aswMBR.txt"



thecynic69

Newbie Surfer
Newbie Surfer

Posts : 11
Joined : 2012-06-18
Operating System : Vista

View user profile

Back to top Go down

Re: Trojan.pidief and Trojan.maljava (I think!)

Post by thecynic69 on Mon 18 Jun 2012, 6:13 am

Also, for what it's worth, this is my hijackthis log (apparently my client is outdated, but I can't update it as I cannot run my computer in normal mode, and installing the new hijack this does not work in safe mode):
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:11:07 PM, on 6/17/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16446)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Beth\Downloads\OTL.com
C:\Users\Beth\Downloads\aswMBR.exe
C:\Users\Beth\Downloads\SecurityCheck.exe
C:\Windows\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\notepad.exe
C:\Windows\notepad.exe
C:\Windows\notepad.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [AmazonGSDownloaderTray] C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Spotify Web Helper] "C:\Users\Beth\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [AutoLaunch] C:\Program Files\Lavasoft\Ad-Aware\AutoLaunch.exe monthly (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [AutoLaunch] C:\Program Files\Lavasoft\Ad-Aware\AutoLaunch.exe monthly (User 'Default user')
O4 - Startup: Dropbox.lnk = Beth\AppData\Roaming\Dropbox\bin\Dropbox.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\HMA! Pro VPN\bin\openvpnserv.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: WeFi Engine Service (WefiEngSvc) - WeFi - C:\Program Files\WeFi\WefiEngSvc.exe

--
End of file - 8019 bytes



thecynic69

Newbie Surfer
Newbie Surfer

Posts : 11
Joined : 2012-06-18
Operating System : Vista

View user profile

Back to top Go down

Re: Trojan.pidief and Trojan.maljava (I think!)

Post by Pancake on Mon 18 Jun 2012, 10:34 am


Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.]
Alternate link: [You must be registered and logged in to see this link.]

(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this, will cause the infection to still be active on the computer.
Please save the log to a location you will remember.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
Copy and paste the entire report in your next reply.
If Malwarebytes fails to download please use the following link:

[You must be registered and logged in to see this link.]



=============================================


Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

When saving ComboFix rename it to PCHelpForum.exe to prevent it from being blocked by malware.


Refer to this image:

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.


  • Close any open windows and double click PCHelpForum.exe to run it.

    You will see the following image:




Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:





As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.





Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.







Last edited by Pancake on Mon 18 Jun 2012, 2:56 pm; edited 1 time in total






Home Town Web Page

Pancake

Tech Staff
Tech Staff

Posts : 222
Joined : 2010-03-06
Operating System : Windows 7

View user profile

Back to top Go down

Re: Trojan.pidief and Trojan.maljava (I think!)

Post by thecynic69 on Mon 18 Jun 2012, 1:26 pm

Neither of the links for MBAM worked, so I downloaded it from CNET, which I understand to be a trustworthy source. Please let me know if this was the wrong thing to do. Otherwise, the scans will be running ASAP.

thecynic69

Newbie Surfer
Newbie Surfer

Posts : 11
Joined : 2012-06-18
Operating System : Vista

View user profile

Back to top Go down

Re: Trojan.pidief and Trojan.maljava (I think!)

Post by thecynic69 on Mon 18 Jun 2012, 3:47 pm

MBAM:
Malwarebytes Anti-Malware 1.61.0.1400
[You must be registered and logged in to see this link.]

Database version: v2012.06.17.07

Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Beth :: BETH-PC [administrator]

6/17/2012 10:28:55 PM
mbam-log-2012-06-17 (22-28-55).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 446784
Time elapsed: 1 hour(s), 22 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

thecynic69

Newbie Surfer
Newbie Surfer

Posts : 11
Joined : 2012-06-18
Operating System : Vista

View user profile

Back to top Go down

Re: Trojan.pidief and Trojan.maljava (I think!)

Post by thecynic69 on Mon 18 Jun 2012, 3:48 pm

combo:
ComboFix 12-06-16.02 - Beth 06/18/2012 0:25.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3002.2023 [GMT -4:00]
Running from: c:\users\Beth\Downloads\PCHelpForum.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Beth\AppData\Local\assembly\tmp
c:\users\Beth\Documents\~WRD0740.tmp
c:\users\Beth\Documents\~WRL0062.tmp
c:\users\Beth\Documents\~WRL0153.tmp
c:\users\Beth\Documents\~WRL0201.tmp
c:\users\Beth\Documents\~WRL1911.tmp
c:\users\Beth\Documents\~WRL2071.tmp
c:\users\Beth\Documents\~WRL2392.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-05-18 to 2012-06-18 )))))))))))))))))))))))))))))))
.
.
2012-06-18 04:31 . 2012-06-18 04:35 -------- d-----w- c:\users\Beth\AppData\Local\temp
2012-06-18 02:27 . 2012-06-18 02:27 -------- d-----w- c:\users\Beth\AppData\Roaming\Malwarebytes
2012-06-18 02:27 . 2012-06-18 02:27 -------- d-----w- c:\programdata\Malwarebytes
2012-06-18 02:27 . 2012-06-18 02:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-18 02:27 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-16 15:04 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{64A31253-4515-47E2-9745-C4C65F4467CA}\mpengine.dll
2012-06-15 09:51 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-14 13:43 . 2012-06-14 13:43 -------- d-----w- c:\users\Beth\AppData\Local\Macromedia
2012-06-14 07:08 . 2012-05-17 22:35 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-13 09:18 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-06-13 09:18 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-13 09:18 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-13 09:14 . 2012-05-01 14:03 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-13 09:09 . 2012-05-15 19:51 2045440 ----a-w- c:\windows\system32\win32k.sys
2012-06-12 22:44 . 2012-02-10 08:29 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BFA42323-8E28-4A1B-8D12-84E274FF5853}\gapaengine.dll
2012-06-09 00:55 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-09 00:55 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-09 00:55 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-09 00:55 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-09 00:55 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-09 00:55 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-09 00:55 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-09 00:54 . 2012-06-02 19:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-09 00:54 . 2012-06-02 19:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-06 14:34 . 2012-06-06 14:34 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-06 14:34 . 2012-06-06 14:34 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-05-19 18:29 . 2012-05-19 18:29 -------- d-----w- c:\programdata\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-14 13:39 . 2012-04-11 15:57 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-14 13:39 . 2011-11-10 13:42 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-19 00:56 . 2012-04-19 00:56 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-04-19 00:56 . 2012-04-19 00:56 69632 ----a-w- c:\windows\system32\QuickTime.qts
2012-04-03 08:16 . 2012-05-09 07:44 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-03 08:16 . 2012-05-09 07:44 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-30 12:39 . 2012-05-09 07:44 914304 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-03-29 13:39 . 2012-05-09 07:44 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2012-03-21 00:44 . 2012-03-21 00:44 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-21 00:44 . 2012-03-21 00:44 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-03-20 23:28 . 2012-05-09 07:44 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-06-16 20:02 . 2011-05-08 05:42 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Beth\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Beth\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Beth\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Spotify Web Helper"="c:\users\Beth\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-06-02 932528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-11 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-11 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-11 154136]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-24 1348904]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-10-27 115560]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-10-10 206128]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"AutoLaunch"="c:\program files\Lavasoft\Ad-Aware\AutoLaunch.exe" [2012-05-24 663360]
.
c:\users\Beth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Beth\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Users^Beth^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Beth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer for HP TouchSmart]
2008-12-25 21:41 189736 ------w- c:\program files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-04-12 22:46 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDAgent]
2008-11-29 02:04 1148200 ------w- c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2008-10-09 15:58 75008 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 23:34 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-06-09 18:16 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 00:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-03-09 14:02 26100520 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartMenu]
2008-11-19 03:35 914224 ----a-w- c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
2009-06-04 04:43 450652 ----a-w- c:\program files\IDT\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-08-05 03:20 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TSMAgent]
2008-12-25 21:41 1316136 ------w- c:\program files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVAgent]
2009-05-09 01:32 206120 ------w- c:\program files\Hewlett-Packard\Media\TV\TVAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2008-11-15 06:02 218408 ------w- c:\program files\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateLBPShortCut]
2008-06-14 02:11 210216 ------w- c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateP2GoShortCut]
2008-10-30 19:51 210216 ------w- c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePDIRShortCut]
2008-06-14 02:11 210216 ------w- c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePSTShortCut]
2008-11-26 19:34 210216 ------w- c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WirelessAssistant]
2008-12-08 19:25 432432 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-14 257224]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 18:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 13:39]
.
2012-06-18 c:\windows\Tasks\WefiStartup.job
- c:\program files\WeFi\WefiStartup.exe [2010-09-06 14:43]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Beth\AppData\Roaming\Mozilla\Firefox\Profiles\b26e7yv9.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.] target="_blank" rel="nofollow">hxxp://www.facebook.com/home.php?#!/?ref=home|http://caloriecount.about.com/cc/account/index.php|https://mail.google.com/mail/?shva=1#inbox|http://www.weather.com/weather/today/21117:4:US|www.saveswatts.com|www.npr.org
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
SafeBoot-Symantec Antvirus
MSConfigStartUp-HPAdvisor - c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2692)
c:\users\Beth\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\WLANExt.exe
c:\program files\Lavasoft\Ad-Aware\AAWService.exe
c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
c:\program files\SMINST\BLService.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Spybot - Search & Destroy\SDWinSec.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\WeFi\WefiEngSvc.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\WeFi\WeFi.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2012-06-18 00:43:23 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-18 04:42
.
Pre-Run: 32,686,645,248 bytes free
Post-Run: 29,897,859,072 bytes free
.
- - End Of File - - 00C23BB383A8EFC1F158076FE8BAA07B

thecynic69

Newbie Surfer
Newbie Surfer

Posts : 11
Joined : 2012-06-18
Operating System : Vista

View user profile

Back to top Go down

Re: Trojan.pidief and Trojan.maljava (I think!)

Post by thecynic69 on Mon 18 Jun 2012, 3:49 pm

Thanks, by the way, for your help so far!!

thecynic69

Newbie Surfer
Newbie Surfer

Posts : 11
Joined : 2012-06-18
Operating System : Vista

View user profile

Back to top Go down

Re: Trojan.pidief and Trojan.maljava (I think!)

Post by Pancake on Mon 18 Jun 2012, 4:03 pm

Ok.All done.I see no more malware.Log looks good! All that was detected is now either in quarantine or system restore, both of which we'll be cleaning out in just a minute. Congratulations, well done.


You can now uninstall ComboFix



  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall





(Note: Make sure there's a space between the word ComboFix and the forward-slash.)



  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.



Over the course of the fix you've used a variety of special tools to help with the cleaning process - none of these are of any use to you now that you're clean, and it's best not to have them hanging around on your computer. OTC is a small program that removes all the leftover tools and logs from cleanup of malware.


Please download OTC to your desktop.


Double-click OTC to run it. (Vista users, please right click on OTC and select "Run as an Administrator")

Click on the CleanUp! button and follow the prompts.

You will be asked to reboot the machine to finish the Cleanup process, choose Yes.

After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.


Here are some tips to reduce the potential for malware infection in the future; I strongly suggest that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.

Afterwork

Malware Prevention

How Did I Get Infected

More Tips on Prevention

=============================








Home Town Web Page

Pancake

Tech Staff
Tech Staff

Posts : 222
Joined : 2010-03-06
Operating System : Windows 7

View user profile

Back to top Go down

Re: Trojan.pidief and Trojan.maljava (I think!)

Post by thecynic69 on Tue 19 Jun 2012, 1:53 am

The Combofix /Uninstall command produces an error (Windows cannot find 'combofix'). Is there another way to uninstall it?

thecynic69

Newbie Surfer
Newbie Surfer

Posts : 11
Joined : 2012-06-18
Operating System : Vista

View user profile

Back to top Go down

Re: Trojan.pidief and Trojan.maljava (I think!)

Post by Pancake on Tue 19 Jun 2012, 9:34 am

Ok.Leave Combofix uninstall for the time being as the is a problem with it that the programer is fixing.I will get back to you when its fixed.






Home Town Web Page

Pancake

Tech Staff
Tech Staff

Posts : 222
Joined : 2010-03-06
Operating System : Windows 7

View user profile

Back to top Go down

Re: Trojan.pidief and Trojan.maljava (I think!)

Post by Sponsored content Today at 7:49 pm


Sponsored content


Back to top Go down

View previous topic View next topic Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum