My Wife's PC has malware

Unread postby tnesler » November 6th, 2013, 9:21 am

Hello

I did not think I would need help again so soon. My computer was infected in October and now my Wife's PC is infected. She is not getting any symptoms except her security center service won't start up. I ran MalwareBytes free program and it detected 40+ bad files, keys, etc. She has Vista as her OS.

Here are the files you requested:

DDS.Txt

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16514 BrowserJavaVersion: 1.6.0_30
Run by Kathy at 7:02:51 on 2013-11-06
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1978.947 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\LEXBCES.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
C:\PROGRA~1\FROMDO~2\bar\1.bin\65barsvc.exe
c:\program files\soluto\soluto.exe
C:\Windows\Explorer.EXE
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files\Acer\Acer VCM\RS_Service.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\Selective Suspend Driver\AmIcoSinglun.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Soluto\SolutoLauncherService.exe
C:\Program Files\Soluto\SolutoService.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
C:\Windows\PLFSetI.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrchMn.exe
C:\Program Files\FromDocToPDF_65\bar\1.bin\65brmon.exe
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\Windows\system32\WebUpdateSvc4.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
C:\Program Files\WordWeb\wweb32.exe
C:\program files\palmone\hotsync.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\igfxtray.exe
C:\Windows\system32\hkcmd.exe
C:\Program Files\real\realplayer\update\realsched.exe
C:\Users\Kathy\appdata\roaming\dropbox\bin\dropbox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77DE8857&p2=^Y6^xdm003^YY^us&ptb=87F9B5A7-1A6A-4179-A4B1-5C9585FE55A5&si=CNrN44-Q_rcCFc1cMgodX1oAuA
uWindow Title = Internet Explorer, optimized for Bing and MSN
uSearch Page = hxxp://www.google.com
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACA ... 5w47j1r735
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACA ... 5w47j1r735
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
uURLSearchHooks: <No Name>: {4c60e5ab-5c68-4c59-abaa-885010b24b32} - c:\program files\fromdoctopdf_65\bar\1.bin\65SrcAs.dll
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
mWinlogon: Userinit = c:\windows\system32\userinit.exe,c:\program files\soluto\soluto.exe /userinit,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Toolbar BHO: {a235e1e3-6296-4710-af39-104a7faa6c7c} - c:\program files\fromdoctopdf_65\bar\1.bin\65bar.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Search Assistant BHO: {f236ca79-3123-4afb-9f74-e98117ad5625} - c:\program files\fromdoctopdf_65\bar\1.bin\65SrcAs.dll
TB: FromDocToPDF: {c66a678d-5e6c-4af9-8f57-c6192f42cf74} - c:\program files\fromdoctopdf_65\bar\1.bin\65bar.dll
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [AmIcoSinglun] c:\program files\selective suspend driver\AmIcoSinglun.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [Acer ePower Management] c:\program files\acer\acer epower management\ePowerTray.exe
mRun: [Acer Assist Launcher] c:\program files\acer\acer assist\launcher.exe
mRun: [PLFSetI] c:\windows\PLFSetI.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [FromDocToPDF Search Scope Monitor] "c:\progra~1\fromdo~2\bar\1.bin\65srchmn.exe" /m=2 /w /h
mRun: [FromDocToPDF_65 Browser Plugin Loader] c:\progra~1\fromdo~2\bar\1.bin\65brmon.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
TCP: NameServer = 192.168.10.1
TCP: Interfaces\{1A48B34A-7608-4D4D-AFC9-BC7194A9B2B1} : DHCPNameServer = 192.168.10.1
TCP: Interfaces\{B5DF368C-F419-4932-BD75-7A02B9585635} : DHCPNameServer = 192.168.10.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} -
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\kathy\appdata\roaming\mozilla\firefox\profiles\ojyrvpn2.default\
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff5.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff6.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff7.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff8.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\amazon\mp3 downloader\npAmazonMP3DownloaderPlugin.dll
FF - plugin: c:\program files\canon\mycamera download plugin\NPCIG.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nprpplugin.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\kathy\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_278.dll
FF - ExtSQL: 2013-09-12 18:43; {DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}; c:\programdata\realnetworks\realdownloader\browserplugins\firefox\Ext
FF - ExtSQL: !HIDDEN! 2010-03-26 14:45; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - ExtSQL: !HIDDEN! 2013-06-24 21:13; 65ffxtbr@FromDocToPDF_65.com; c:\program files\fromdoctopdf_65\bar\1.bin
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(extensions.BabylonToolbar_i.babTrack, affID=114066&tt=2912_7
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 285fc8d00000000000000022fb66b6b8
FF - user.js: extensions.BabylonToolbar_i.hardId - 285fc8d00000000000000022fb66b6b8
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15539
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1710:23:16
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-6-18 211560]
R0 Soluto;Soluto;c:\windows\system32\drivers\Soluto.sys [2013-2-3 51144]
R1 DPMemGridVista;Physical Memory I/O for GridVista;c:\program files\gridvista\DPMemGridVista.sys [2009-6-27 10504]
R1 MpKsla3230ca5;MpKsla3230ca5;c:\programdata\microsoft\microsoft antimalware\definition updates\{1fd712a7-a4b8-4bf3-8ac7-850baed02ae2}\MpKsla3230ca5.sys [2013-11-5 40392]
R2 ePowerSvc;Acer ePower Service;c:\program files\acer\acer epower management\ePowerSvc.exe [2009-6-27 723488]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 FromDocToPDF_65Service;FromDocToPDFService;c:\progra~1\fromdo~2\bar\1.bin\65barsvc.exe [2013-6-24 42504]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 107392]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\realnetworks\realdownloader\rndlresolversvc.exe [2013-8-14 39056]
R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-6-27 237568]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2013-10-9 3275136]
R2 SolutoLauncherService;Soluto Launcher Service;c:\program files\soluto\SolutoLauncherService.exe [2013-1-27 166880]
R2 SolutoService;Soluto PCGenome Core Service;c:\program files\soluto\SolutoService.exe [2013-1-27 553440]
R2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [2008-9-15 262360]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-6-27 112640]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C60x86.sys [2009-6-27 50176]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2009-6-27 4232704]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-8-12 295376]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 SolutoRemoteService;Soluto Remote Service;c:\program files\soluto\SolutoRemoteService.exe [2013-1-27 1239552]
S3 SSDISK;SSDISK Filter;c:\windows\system32\drivers\SSDISK.sys [2009-3-30 10752]
S3 SSUSB;SSUSB Filter;c:\windows\system32\drivers\SSUSB.sys [2009-4-7 14848]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
SUnknown MpKsle768448c;MpKsle768448c; [x]
.
=============== Created Last 30 ================
.
2013-11-05 21:01:34 62576 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{1fd712a7-a4b8-4bf3-8ac7-850baed02ae2}\offreg.dll
2013-11-05 12:25:02 40392 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{1fd712a7-a4b8-4bf3-8ac7-850baed02ae2}\MpKsla3230ca5.sys
2013-11-05 02:29:29 7796464 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{1fd712a7-a4b8-4bf3-8ac7-850baed02ae2}\mpengine.dll
2013-11-05 00:40:24 7796464 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-10-18 03:05:44 719224 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{0aeb5bac-b82f-492f-a6ff-52d7a2174565}\gapaengine.dll
2013-10-13 08:14:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-10-13 08:14:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-10-13 08:14:00 149656 ----a-w- c:\program files\internet explorer\sqmapi.dll
2013-10-10 18:21:15 798208 ----a-w- c:\windows\system32\FntCache.dll
2013-10-10 18:21:15 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2013-10-10 18:21:15 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2013-10-10 18:21:15 1069056 ----a-w- c:\windows\system32\DWrite.dll
2013-10-10 18:21:14 683008 ----a-w- c:\windows\system32\d2d1.dll
2013-10-10 18:21:14 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2013-10-10 18:21:14 189952 ----a-w- c:\windows\system32\d3d10core.dll
2013-10-10 18:21:14 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2013-10-10 18:21:14 1029120 ----a-w- c:\windows\system32\d3d10.dll
2013-10-10 18:21:11 638400 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-10-10 18:21:10 37376 ----a-w- c:\windows\system32\cdd.dll
2013-10-10 18:21:07 102608 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2013-10-10 18:21:05 2050048 ----a-w- c:\windows\system32\win32k.sys
2013-10-10 18:20:58 197632 ----a-w- c:\windows\system32\drivers\usbhub.sys
2013-10-10 18:20:57 73216 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2013-10-10 18:20:57 6016 ----a-w- c:\windows\system32\drivers\usbd.sys
2013-10-10 18:20:57 39936 ----a-w- c:\windows\system32\drivers\usbehci.sys
2013-10-10 18:20:57 23552 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2013-10-10 18:20:57 226304 ----a-w- c:\windows\system32\drivers\usbport.sys
2013-10-10 18:17:56 134272 ----a-w- c:\windows\system32\drivers\usbvideo.sys
2013-10-10 18:17:54 527064 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2013-10-10 18:17:53 293376 ----a-w- c:\windows\system32\atmfd.dll
2013-10-10 18:17:52 34304 ----a-w- c:\windows\system32\atmlib.dll
2013-10-10 18:17:49 532480 ----a-w- c:\windows\system32\comctl32.dll
2013-10-10 18:17:47 25472 ----a-w- c:\windows\system32\drivers\hidparse.sys
2013-10-09 15:58:02 4879744 ----a-w- c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
2013-10-09 15:58:02 4879744 ----a-w- c:\program files\mozilla firefox\browser\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
.
==================== Find3M ====================
.
2013-10-08 19:07:50 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-08 19:07:50 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-22 10:22:59 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-09-22 10:14:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-09-22 10:13:22 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-09-22 10:08:41 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-09-16 18:16:09 0 ----a-w- C:\DFRE253.tmp
2013-09-12 23:39:45 499712 ----a-w- c:\windows\system32\msvcp71.dll
2013-09-12 23:39:45 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-06-10 17:44:38 3080864 ----a-w- c:\program files\install_flash_player.exe
2001-05-11 16:39:16 53248 ----a-w- c:\program files\ACMonitor_X73.exe
2001-05-08 21:36:42 114688 ----a-w- c:\program files\lxarscan.dll
.
============= FINISH: 7:04:00.74 ===============

Attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 7/31/2009 11:42:34 AM
System Uptime: 11/5/2013 10:54:51 PM (9 hours ago)
.
Motherboard: Acer | | Base Board Product Name
Processor: Intel(R) Core(TM)2 Solo CPU U3500 @ 1.40GHz | CPU | 1400/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 221 GiB total, 132.92 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Acer Assist
Acer Crystal Eye webcam Ver:1.1.87.603
Acer ePower Management
Acer eRecovery Management
Acer Registration
Acer ScreenSaver
Acer VCM
Acrobat.com
Adobe AIR
Adobe Digital Editions 2.0
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.5.2
Alcor Micro Card Rader Driver and Utility
Amazon Kindle For PC
Amazon MP3 Downloader 1.0.17
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
C:\Program Files\Acer GameZone\GameConsole
Canon DIGITAL CAMERA Solution Disk Software Guide
Canon IJ Network Scan Utility
Canon IJ Network Tool
CANON iMAGE GATEWAY MyCamera Download Plugin
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon MG5200 series MP Drivers
Canon MG5200 series User Registration
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon MP Navigator EX 4.0
Canon My Printer
Canon PowerShot ELPH 300 HS_IXUS 220 HS Camera User Guide
Canon Utilities CameraWindow DC 8
Canon Utilities CameraWindow Launcher
Canon Utilities Movie Uploader for YouTube
Canon Utilities MyCamera
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Choice Guard
Compatibility Pack for the 2007 Office system
Coupon Printer for Windows
Cradle of Rome
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dropbox
Emicsoft DVD Ripper
eSobi v2
Facebook Video Calling 1.2.0.287
Free Mp3 Wma Converter V 1.91
FromDocToPDF Toolbar
Galapago
GridVista
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Graphics Media Accelerator Driver
Intel(R) TV Wizard
Intel® Matrix Storage Manager
Java Auto Updater
Java(TM) 6 Update 30
Junk Mail filter update
Launch Manager
LG CyberLink PowerBackup
LG CyberLink PowerProducer
LG CyberLink YouCam
LG Power Tools
Mahjong Escape Ancient China
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Home and Student 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (English) 2010
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Mozilla Firefox 14.0.1 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
neroxml
Orion
palmOne
PowerDVD
Premier Predictor Pro
Print Artist Silver 22
Puzzle Express
Rainbow Web
RealDownloader
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealNetworks - Microsoft Visual C++ 2010 Runtime
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.1
Search Toolbar
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2861697)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2832407)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2861188)
Security Update for Microsoft Excel 2010 (KB2826033) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2760406) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687276) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687423) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2826023) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2826035) 32-Bit Edition
Security Update for Microsoft Outlook 2010 (KB2794707) 32-Bit Edition
Security Update for Microsoft Publisher 2010 (KB2553147) 32-Bit Edition
Security Update for Microsoft Visio 2010 (KB2810068) 32-Bit Edition
Skype Click to Call
Skype™ 5.10
Software Update Wizard (Redistributable) 4.5
Soluto
SplashShopper
SplashShopper Desktop 3.1.0
Synaptics Pointing Device Driver
Ticket To Ride 1.0
Tri-Peaks Solitaire To Go
Tumble Bees To Go
UMPlayer 0.98 [P3]
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3)
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
Update for Microsoft Office 2010 (KB2826026) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2810072) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition
Update for Microsoft Word 2010 (KB2827323) 32-Bit Edition
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Word Jong To Go
WordWeb
Zuma Deluxe
.
==== End Of File ===========================

Thanks in advance for your help!

Tom Nesler
tnesler
Regular Member
 
Posts: 33
Joined: September 12th, 2013, 11:42 am
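As an added example (not from the thread, the DDS tool or any helper here), a small Python parser that pulls the "Pseudo HJT Report" and "SERVICES / DRIVERS" sections out of a DDS log into records and lists the lines a volunteer would look at first: a policy that switches UAC off, orphaned CLSID entries, services whose file is missing, and autoruns under a reviewer-chosen set of directory names. The sample lines are copied from the log above, and the review terms are an assumption: strings to surface for review (including the 8.3 short name the log uses for the same folder), not a verdict on those programs.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a handful of lines copied from the DDS.txt posted in the thread.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77DE8857
BHO: Toolbar BHO: {a235e1e3-6296-4710-af39-104a7faa6c7c} - c:\program files\fromdoctopdf_65\bar\1.bin\65bar.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [FromDocToPDF_65 Browser Plugin Loader] c:\progra~1\fromdo~2\bar\1.bin\65brmon.exe
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
============= SERVICES / DRIVERS ===============
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-6-18 211560]
R2 FromDocToPDF_65Service;FromDocToPDFService;c:\progra~1\fromdo~2\bar\1.bin\65barsvc.exe [2013-6-24 42504]
SUnknown MpKsle768448c;MpKsle768448c; [x]
"""

# Assumption: directory names the reviewer wants surfaced. The second entry is the
# 8.3 short name DDS prints for the same folder, which a naive match would miss.
REVIEW_TERMS = ("fromdoctopdf", "fromdo~2")

SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
SERVICE_RE = re.compile(r"^(?P<state>R\d|S\d|SUnknown)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
SERVICE_FILE_RE = re.compile(r"^(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$")
POLICY_RE = re.compile(r"^(?P<hive>[mu]Policies-\w+):\s+(?P<key>\w+)\s+=\s+dword:(?P<value>\d+)$")
PATH_RE = re.compile(r"[a-z]:\\[^\"\[\]]+?\.(?:exe|dll|sys|lnk)\b", re.IGNORECASE)
AUTORUN_PREFIXES = ("BHO:", "TB:", "mRun:", "uRun:", "StartupFolder:", "uURLSearchHooks:")


@dataclass
class Service:
    state: str                 # R0/R1/R2/R3 running, S2/S3 stopped, SUnknown
    name: str
    display: str
    path: Optional[str]        # None when DDS printed "[x]" (binary not found on disk)
    date: Optional[str] = None
    size: Optional[int] = None


@dataclass
class Finding:
    kind: str
    line: str


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group the non-empty lines of a DDS log under the '==== NAME ====' header above them."""
    sections: Dict[str, List[str]] = {}
    current = "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # DDS pads sections with lone dots
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def parse_service(line: str) -> Optional[Service]:
    """Turn one 'R2 name;display;path [date size]' line into a Service record."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    state, name, display = m.group("state"), m.group("name"), m.group("display")
    rest = m.group("rest").strip()
    if rest == "[x]":                         # DDS marks a service whose binary is missing
        return Service(state, name, display, None)
    f = SERVICE_FILE_RE.match(rest)
    if not f:
        return Service(state, name, display, rest)
    return Service(state, name, display, f.group("path"), f.group("date"), int(f.group("size")))


def triage(text: str, review_terms: tuple) -> List[Finding]:
    """Return the report lines a volunteer would want to look at first."""
    sections = split_sections(text)
    findings: List[Finding] = []
    for line in sections.get("Pseudo HJT Report", []):
        p = POLICY_RE.match(line)
        if p and p.group("key") == "EnableLUA" and p.group("value") == "0":
            findings.append(Finding("uac_disabled", line))       # UAC switched off by policy
        if line.startswith(AUTORUN_PREFIXES):
            if "<orphaned>" in line:
                findings.append(Finding("orphaned_entry", line))  # CLSID registered, file gone
            path = PATH_RE.search(line)
            if path and any(t in path.group(0).lower() for t in review_terms):
                findings.append(Finding("review_path", line))
    for line in sections.get("SERVICES / DRIVERS", []):
        svc = parse_service(line)
        if svc is None:
            continue
        if svc.path is None:
            findings.append(Finding("service_file_missing", line))
        elif any(t in svc.path.lower() for t in review_terms):
            findings.append(Finding("review_path", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, REVIEW_TERMS):
        print(f"{f.kind:22} {f.line}")
```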

Re: My Wife's PC has malware

Unread postby nunped » November 7th, 2013, 3:04 pm

Hello tnesler, and welcome to the forum.

My name is nunped and I'll be helping you with any malware problems.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Here are some guidelines for the cleaning process to run as easily as possible.

  1. Please read this topic: ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.
  2. The instructions being given are for YOUR computer and system only! Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  3. You must have Administrator rights permissions for this computer.
  4. DO NOT run any other fix or removal tools unless instructed to do so!
  5. DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
  6. Only post your problem at one help site. Applying fixes from multiple help sites can cause problems.
  7. Only reply to this thread. Do not start another thread.
  8. The absence of symptoms does not imply the absence of malware. Please continue responding until I give you the "All Clean".
  9. No Reply Within 3 Days will result in your topic being closed!


Read through these instructions with your full attention.
Please ask first if you have any doubts.

I am currently reviewing your logs and will return, as soon as possible, with additional instructions.
nunped
MRU Honors Grad Emeritus
 
Posts: 1210
Joined: August 17th, 2011, 5:03 pm
Location: Portugal

Re: My Wife's PC has malware

Unread postby nunped » November 7th, 2013, 3:38 pm

Hi tnesler,

There are definitely some bad things to clean, but first I'd like a couple of other scans:
Step 1 - TDSSKiller - Rootkit Removal Tool
Please download the TDSSKiller.exe by Kaspersky... save it to your Desktop. <-Important!!!
  • Right-click on TDSSKiller.exe and select "run as administrator" to run the tool for known TDSS variants.
    If TDSSKiller does not run... rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. ektfhtw.com). If you don't see file extensions, please see: How to change the file extension.
  • Click the Start Scan button. Do not use the computer during the scan!
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the "Scan results - Select action for found objects" and offer 3 options.
    • Ensure SKIP is selected... DO NOT attempt to FIX anything yet!
    • Now click on Report to open the log file created by TDSSKiller in your root directory C:\
  • A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the root directory. (usually Local Disk C: ).
  • Copy and paste the contents of that file in your next reply.

Step 2 - OTL
Please download OTL by Old Timer. Save it to your Desktop.
If you can't download the exe file, try these links:
http://oldtimer.geekstogo.com/OTL.com
http://oldtimer.geekstogo.com/OTL.scr
  • Right-click OTL.exe (or OTL.com or OTL.scr) and select "Run as Administrator" to launch the program.
  • Click the Scan All Users checkbox.
    Leave the remaining selections to the default settings.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened, maximized
    • Extras.txt <-- Will be minimized on task bar.
  • Please post the contents of both OTL.txt and Extras.txt files in your next reply.
nunped
MRU Honors Grad Emeritus
 
Posts: 1210
Joined: August 17th, 2011, 5:03 pm
Location: Portugal
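nunped asks for the OTL.txt output because its one-line PRC/SRV/DRV/MOD entries are what a helper reads first. As an added example (not OTL's code and not something posted in this thread), the following Python script parses that entry format and flags the entries a helper would look at before anything else: services or drivers whose file is gone from disk, binaries with an empty or template-placeholder company string, and anything loaded from a Temp folder. The seven sample lines are copied from the OTL.txt tnesler posts in this thread; the regex, the flag rules and the function names (parse_entry, triage, triage_log) are this example's own assumptions about the format, not OTL documentation.

```python
"""Triage helper for OTL 'SafeList' entries (PRC / SRV / DRV / MOD).

Added example; it is not OTL's code and was not posted in this thread.
The entry format, regex and flag rules below are assumptions drawn from
the log lines in the thread, not from OTL documentation.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One entry:  KIND - [stamp | size | attrs | M] (Company) [state] -- path -- (name)
# When the file is gone, OTL prints "File not found" instead of stamp and company.
ENTRY_RE = re.compile(
    r"^(?P<kind>PRC|SRV|DRV|MOD) - "
    r"(?:\[(?P<stamp>[^\]]*)\] \((?P<company>.*?)\)(?= \[| -- )|(?P<missing>File not found))"
    r"(?: \[(?P<state>[^\]]*)\])?"
    r" -- (?P<path>.*?)"
    r"(?: -- \((?P<name>[^)]*)\))?$"
)
# Company strings that look like unfilled version-resource templates (all caps,
# underscores, containing COMPANY or VER), e.g. COMPANYVERS_NAME in the log.
PLACEHOLDER_RE = re.compile(r"^[A-Z_]*(COMPANY|VER)[A-Z_]*$")
# A "Temp" path component anywhere in the path (case-insensitive).
TEMP_RE = re.compile(r"(^|\\)temp(\\|$)", re.IGNORECASE)


@dataclass
class Entry:
    kind: str
    path: str
    company: Optional[str]   # None when OTL printed "File not found"
    state: Optional[str]     # e.g. "Kernel | On_Demand | Running"; None for PRC/MOD
    name: Optional[str]      # service/driver name; None for PRC/MOD
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one OTL entry line; return None for lines in another format."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    company = None if m.group("missing") else m.group("company").strip()
    return Entry(m.group("kind"), m.group("path"), company,
                 m.group("state"), m.group("name"))


def triage(entry: Entry) -> Entry:
    """Attach the reasons a helper would want a second look at this entry."""
    running = bool(entry.state) and entry.state.split("|")[-1].strip() == "Running"
    if entry.company is None:
        entry.flags.append("orphaned: registered but file not found on disk")
        if running:
            entry.flags.append("still loaded although the backing file is gone")
    elif entry.company == "":
        entry.flags.append("no company name in version info")
    elif PLACEHOLDER_RE.match(entry.company):
        entry.flags.append(f"placeholder company string {entry.company!r}")
    if TEMP_RE.search(entry.path):
        entry.flags.append("runs from a Temp directory")
    return entry


def triage_log(text: str) -> List[Entry]:
    """Return only the entries that earned at least one flag, in log order."""
    flagged = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None and triage(entry).flags:
            flagged.append(entry)
    return flagged


# Sample input: seven lines copied from the OTL.txt posted in this thread.
SAMPLE_OTL = r"""
PRC - [2013/11/07 18:13:02 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Kathy\Desktop\OTL.exe
PRC - [2013/08/14 14:19:24 | 000,039,056 | ---- | M] () -- C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
SRV - [2013/06/24 20:12:18 | 000,042,504 | ---- | M] (COMPANYVERS_NAME) [Auto | Running] -- C:\Program Files\FromDocToPDF_65\bar\1.bin\65barsvc.exe -- (FromDocToPDF_65Service)
SRV - [2013/08/12 09:12:38 | 000,022,208 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\LV302V32.SYS -- (PID_PEPI)
DRV - File not found [Kernel | On_Demand | Running] -- C:\Windows\TEMP\cpuz136\cpuz136_x32.sys -- (cpuz136)
DRV - [2008/12/04 12:25:38 | 000,112,640 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService)
"""


if __name__ == "__main__":
    for e in triage_log(SAMPLE_OTL):
        print(f"{e.kind} {e.name or e.path}: {'; '.join(e.flags)}")
```

A flag is a reason to look, not a verdict: an orphaned driver entry is often just an uninstaller's leftover, and a missing company string is common in legitimate small tools. The script's value is that it pulls those handful of entries out of several hundred lines so the helper can check each one by hand.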

Re: My Wife's PC has malware

Unread postby tnesler » November 8th, 2013, 9:35 am

Here are the results of the scans:

TDSSKiller did not find any rootkit items.

*---------------OTL.Txt --------------------------------------*
OTL logfile created on: 11/7/2013 6:14:26 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Kathy\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.93 Gb Total Physical Memory | 0.82 Gb Available Physical Memory | 42.57% Memory free
4.10 Gb Paging File | 2.58 Gb Available in Paging File | 62.80% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 220.88 Gb Total Space | 132.94 Gb Free Space | 60.18% Space Free | Partition Type: NTFS

Computer Name: KATHYS-PC | User Name: Kathy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/11/07 18:13:02 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Kathy\Desktop\OTL.exe
PRC - [2013/10/09 09:58:16 | 003,275,136 | ---- | M] (Skype Technologies S.A.) -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
PRC - [2013/09/12 17:39:59 | 000,295,512 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\real\realplayer\Update\realsched.exe
PRC - [2013/09/06 19:53:20 | 001,423,008 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
PRC - [2013/08/14 14:19:24 | 000,039,056 | ---- | M] () -- C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
PRC - [2013/08/12 09:12:38 | 000,295,376 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\NisSrv.exe
PRC - [2013/08/12 09:12:38 | 000,022,208 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2013/06/24 20:12:32 | 000,044,784 | ---- | M] (MindSpark) -- C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrchMn.exe
PRC - [2013/06/24 20:12:18 | 000,042,504 | ---- | M] (COMPANYVERS_NAME) -- C:\Program Files\FromDocToPDF_65\bar\1.bin\65barsvc.exe
PRC - [2013/06/24 20:12:18 | 000,030,096 | ---- | M] (VER_COMPANY_NAME) -- C:\Program Files\FromDocToPDF_65\bar\1.bin\65brmon.exe
PRC - [2013/05/24 18:47:30 | 027,776,968 | ---- | M] (Dropbox, Inc.) -- C:\Users\Kathy\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2013/01/27 09:04:34 | 000,166,880 | ---- | M] (Soluto) -- C:\Program Files\Soluto\SolutoLauncherService.exe
PRC - [2013/01/27 09:04:32 | 000,553,440 | ---- | M] (Soluto) -- C:\Program Files\Soluto\SolutoService.exe
PRC - [2013/01/27 09:04:30 | 001,229,280 | ---- | M] (Soluto) -- c:\Program Files\Soluto\Soluto.exe
PRC - [2010/03/24 20:50:00 | 002,516,296 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2010/03/02 19:52:00 | 000,140,640 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
PRC - [2009/11/08 22:18:00 | 000,065,216 | ---- | M] (WordWeb Software) -- C:\Program Files\WordWeb\wweb32.exe
PRC - [2009/07/31 10:49:54 | 000,200,704 | ---- | M] () -- C:\Windows\PLFSetI.exe
PRC - [2009/06/18 19:00:24 | 000,723,488 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
PRC - [2009/06/18 19:00:24 | 000,703,008 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
PRC - [2009/06/18 19:00:22 | 000,453,152 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
PRC - [2009/04/29 16:09:14 | 000,237,568 | ---- | M] (AlcorMicro Co., Ltd.) -- C:\Program Files\Selective Suspend Driver\AmIcoSinglun.exe
PRC - [2009/04/11 00:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/03/16 17:14:00 | 000,565,248 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer VCM\AcerVCM.exe
PRC - [2009/02/11 18:38:40 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2009/02/11 18:38:38 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2009/02/05 09:14:56 | 000,237,568 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer VCM\RS_Service.exe
PRC - [2008/09/15 03:57:04 | 000,262,360 | ---- | M] (Data Perceptions / PowerProgrammer) -- C:\Windows\System32\WebUpdateSvc4.exe
PRC - [2004/06/09 13:27:34 | 000,471,040 | ---- | M] (PalmSource, Inc) -- C:\Program Files\palmOne\Hotsync.exe


========== Modules (No Company Name) ==========

MOD - [2013/10/13 03:22:41 | 000,039,936 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGRSPProbe\4de87dcff56b1cc480bc9489122b35e0\PCGRSPProbe.ni.dll
MOD - [2013/10/13 03:22:39 | 000,055,296 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGUsersCenter\f5bad3277e4eb7b75277bb33f6d8e325\PCGUsersCenter.ni.dll
MOD - [2013/10/13 03:22:37 | 000,156,160 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGAppControlPlugin#\4e76c0ef0b27898e1287e1992c35cf6b\PCGAppControlPluginLoader.ni.dll
MOD - [2013/10/13 03:22:34 | 003,510,272 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGClientCommon\1a0c08e04a85290bfc9711006f51bbf1\PCGClientCommon.ni.dll
MOD - [2013/10/13 03:22:22 | 000,157,696 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGBootVisualizingC#\5fe86020912d2e6925231ba54be932f3\PCGBootVisualizingCommon.ni.dll
MOD - [2013/10/13 03:22:19 | 000,221,696 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGDriverProbe\730d462a7e3a215f3ed446a536604690\PCGDriverProbe.ni.dll
MOD - [2013/10/13 03:21:09 | 000,068,096 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGConfiguration\f3880f6048502089cfad0cb7bb86e67c\PCGConfiguration.ni.dll
MOD - [2013/10/13 03:21:06 | 002,617,856 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGDatabase\92e575065f18cf53803222d76c14fa4a\PCGDatabase.ni.dll
MOD - [2013/10/13 03:20:57 | 001,550,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGAzureShared\1f8ab68728e907a1baad5cda57dda0a9\PCGAzureShared.ni.dll
MOD - [2013/10/13 03:20:52 | 001,197,056 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGCommunication\3f02b42d4f0ea21dd631f3433d6b9b91\PCGCommunication.ni.dll
MOD - [2013/10/13 03:18:46 | 000,188,416 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGPrestoSerializer\2e1807f7639b94cb03fc048c33c7d8ba\PCGPrestoSerializer.ni.dll
MOD - [2013/10/13 03:18:42 | 002,128,384 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Newtonsoft.Json.Net#\c7d17aafbcdcc3aa47f35d53f325bda8\Newtonsoft.Json.Net35.ni.dll
MOD - [2013/10/13 03:18:19 | 002,731,520 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGFramework\d1c2b9f1041e0151787073a4b1888746\PCGFramework.ni.dll
MOD - [2013/10/13 03:17:49 | 001,620,992 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Soluto\ddd7b435f33a355a1d6d5977fe3ab7b3\Soluto.ni.exe
MOD - [2013/10/13 03:13:11 | 000,978,944 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\f453ecc6bb7fc8d52d61247676944623\System.Configuration.ni.dll
MOD - [2013/10/13 03:08:16 | 012,434,432 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\73d9bc894522543b561a0342dac87c06\System.Windows.Forms.ni.dll
MOD - [2013/10/13 03:07:54 | 002,518,016 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data.Linq\3815d0ee28da0b5a6e6c1f083ef437f6\System.Data.Linq.ni.dll
MOD - [2013/10/13 03:07:47 | 002,295,808 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\ab40b51ac49fbee9a48b5b74ff78d5d6\System.Core.ni.dll
MOD - [2013/08/16 19:14:17 | 000,212,992 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\5974034f0f53755b11bde4c9698261cb\System.ServiceProcess.ni.dll
MOD - [2013/08/16 19:13:48 | 011,820,032 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\59eba2680c01c33b2b3f5385979e32c6\System.Web.ni.dll
MOD - [2013/08/16 16:54:30 | 002,327,552 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Community.CsharpSql#\6c07f76ab73ce7b4dc02ccfec040ddc3\Community.CsharpSqlite.ni.dll
MOD - [2013/08/16 16:40:00 | 000,656,896 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGPostBootResources\05f479f87e6ac55f0fd3cd6ae1c10739\PCGPostBootResources.ni.dll
MOD - [2013/08/16 16:39:59 | 000,051,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGHIDProbe\c3d6831db800db604e16702ac6a0d091\PCGHIDProbe.ni.dll
MOD - [2013/08/16 16:32:52 | 000,048,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGAzureEntityFrame#\6260744bbbdeb48359e51f5d24f8cf3d\PCGAzureEntityFramework.ni.dll
MOD - [2013/08/16 16:32:42 | 001,707,008 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGPreCompiled\074b1bcfde67d61ff1989f4818b0f419\PCGPreCompiled.ni.dll
MOD - [2013/08/16 15:17:43 | 000,596,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Ionic.Zip.Reduced\36bdd5973166173b1547256acbedb674\Ionic.Zip.Reduced.ni.dll
MOD - [2013/08/16 11:48:46 | 005,462,016 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\09f5b3f7a363b742a73937e818595597\System.Xml.ni.dll
MOD - [2013/08/16 11:46:37 | 001,593,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\c0df7e124d8d5e2821fd7d3921d404f7\System.Drawing.ni.dll
MOD - [2013/08/16 11:39:26 | 007,977,984 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\d7153acb7b6ccb5a6a886d6f0ab732b1\System.ni.dll
MOD - [2013/07/23 18:40:08 | 000,202,240 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGWuInfo\fe73c0ce3b7f9f61db4b2f8453521a2d\PCGWuInfo.ni.dll
MOD - [2013/07/23 18:40:07 | 000,100,864 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Interop.IWshRuntime#\449c932b29b1df04449197f0693226a0\Interop.IWshRuntimeLibrary.ni.dll
MOD - [2013/07/21 16:58:41 | 002,052,096 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll
MOD - [2013/07/21 16:58:40 | 000,425,984 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
MOD - [2013/07/11 12:12:33 | 011,497,984 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\6a938df70a8b7996a3890b4f34c83906\mscorlib.ni.dll
MOD - [2013/03/13 14:48:52 | 024,978,944 | ---- | M] () -- C:\Users\Kathy\AppData\Roaming\Dropbox\bin\libcef.dll
MOD - [2013/01/27 09:00:18 | 000,077,880 | ---- | M] () -- c:\Program Files\Soluto\PCGDllExportInspector.dll
MOD - [2012/11/13 17:32:50 | 003,558,400 | ---- | M] () -- C:\Users\Kathy\AppData\Roaming\Dropbox\bin\wxmsw28uh_vc.dll
MOD - [2012/10/05 04:59:03 | 003,194,880 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
MOD - [2011/03/16 23:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2011/02/18 09:04:04 | 000,196,448 | ---- | M] () -- C:\Program Files\Microsoft Office\Office14\IEAWSDC.DLL
MOD - [2010/03/25 06:57:51 | 000,667,648 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\System.Core.dll
MOD - [2009/08/19 19:59:06 | 000,022,736 | ---- | M] () -- C:\Program Files\WordWeb\WUCNT.dll
MOD - [2009/07/31 10:49:54 | 000,200,704 | ---- | M] () -- C:\Windows\PLFSetI.exe


========== Services (SafeList) ==========

SRV - [2013/10/09 09:58:16 | 003,275,136 | ---- | M] (Skype Technologies S.A.) [Auto | Running] -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -- (Skype C2C Service)
SRV - [2013/10/08 13:07:50 | 000,257,416 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/08/14 14:19:24 | 000,039,056 | ---- | M] () [Auto | Running] -- C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe -- (RealNetworks Downloader Resolver Service)
SRV - [2013/08/12 09:12:38 | 000,295,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2013/08/12 09:12:38 | 000,022,208 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2013/06/24 20:12:18 | 000,042,504 | ---- | M] (COMPANYVERS_NAME) [Auto | Running] -- C:\Program Files\FromDocToPDF_65\bar\1.bin\65barsvc.exe -- (FromDocToPDF_65Service)
SRV - [2013/01/27 09:04:34 | 000,166,880 | ---- | M] (Soluto) [Auto | Running] -- C:\Program Files\Soluto\SolutoLauncherService.exe -- (SolutoLauncherService)
SRV - [2013/01/27 09:04:32 | 000,553,440 | ---- | M] (Soluto) [Auto | Running] -- C:\Program Files\Soluto\SolutoService.exe -- (SolutoService)
SRV - [2013/01/27 09:00:18 | 001,239,552 | ---- | M] (Soluto) [On_Demand | Stopped] -- C:\Program Files\Soluto\SolutoRemoteService.exe -- (SolutoRemoteService)
SRV - [2012/07/13 18:17:12 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice_tmp.exe -- (MozillaMaintenance)
SRV - [2012/07/13 12:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2009/06/18 19:00:24 | 000,723,488 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe -- (ePowerSvc)
SRV - [2009/02/11 18:38:40 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON)
SRV - [2009/02/05 09:14:56 | 000,237,568 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files\Acer\Acer VCM\RS_Service.exe -- (RS_Service)
SRV - [2008/09/15 03:57:04 | 000,262,360 | ---- | M] (Data Perceptions / PowerProgrammer) [Auto | Running] -- C:\Windows\System32\WebUpdateSvc4.exe -- (WebUpdate4)
SRV - [2008/01/20 20:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\LV302V32.SYS -- (PID_PEPI)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lv302af.sys -- (pepifilter)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\npbgsgld.sys -- (npbgsgld)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\Users\Kathy\AppData\Local\Temp\mbr.sys -- (mbr)
DRV - File not found [Kernel | Auto | Stopped] -- System32\Drivers\Lxarscan.sys -- (LXARScan)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lvrs.sys -- (LVRS)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Running] -- C:\Windows\TEMP\cpuz136\cpuz136_x32.sys -- (cpuz136)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\TEMP\cpuz135\cpuz135_x32.sys -- (cpuz135)
DRV - [2013/11/07 18:11:01 | 000,040,392 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A4AC8977-8438-4010-B824-9307E3751523}\MpKsl35a872e1.sys -- (MpKsl35a872e1)
DRV - [2013/06/18 20:50:08 | 000,107,392 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2013/01/27 08:59:58 | 000,051,144 | ---- | M] (Soluto LTD.) [File_System | Boot | Running] -- C:\Windows\System32\drivers\Soluto.sys -- (Soluto)
DRV - [2010/03/28 18:24:37 | 000,016,694 | ---- | M] (PalmSource, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - [2009/04/27 02:16:04 | 000,050,176 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\L1C60x86.sys -- (L1C)
DRV - [2009/04/07 21:14:40 | 000,014,848 | ---- | M] (Alcor Micro, Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\SSUSB.sys -- (SSUSB)
DRV - [2009/03/30 15:35:12 | 000,010,752 | ---- | M] (Alcor Micro, Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\SSDISK.sys -- (SSDISK)
DRV - [2009/03/03 20:49:22 | 004,232,704 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32)
DRV - [2008/12/04 12:25:38 | 000,112,640 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService)
DRV - [2008/09/30 21:50:50 | 000,010,504 | ---- | M] (Dritek System Inc.) [Kernel | System | Running] -- C:\Program Files\GridVista\DPMemGridVista.sys -- (DPMemGridVista)
DRV - [2003/10/01 08:29:50 | 000,069,632 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\OEM\factory\int15.sys -- (int15.sys)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACA ... 5w47j1r735
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACA ... 5w47j1r735
IE - HKLM\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/?ocid=EIE9HP&PC=UP50
IE - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsearch.com/index.jhtml?n=77DE8857&p2=^Y6^xdm003^YY^us&ptb=87F9B5A7-1A6A-4179-A4B1-5C9585FE55A5&si=CNrN44-Q_rcCFc1cMgodX1oAuA
IE - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://mail.google.com/a/dishmail.net/? ... .net#inbox
IE - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\..\URLSearchHook: {4c60e5ab-5c68-4c59-abaa-885010b24b32} - No CLSID value found
IE - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=114066&tt=2912_7&babsrc=SP_ss&mntrId=285fc8d00000000000000022fb66b6b8
IE - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\..\SearchScopes\{2487D5C1-0C30-4457-8532-2431C3BCB8EE}: "URL" = http://isearch.avg.com/search?cid={DECFAAD5-80B9-48B6-B814-2D9C0F3A1129}&mid=812065f8a3e237250d9030fa7aa40137-b60c989b9a805664a229481db4ea5b647d6c2de4&lang=en&ds=AVG&pr=fr&d=2011-10-15 14:24:37&v=9.0.0.18&sap=dsp&q={searchTerms}
IE - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW_en
IE - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rlz=1I7ACAW_en&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://www.bing.com/search?FORM=UP50DF&PC=UP50&q={searchTerms}&src=IE-SearchBox
IE - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\..\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}: "URL" = http://www2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=82079&iwk=273&lng=en
IE - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.4.8.20120412011105
FF - prefs.js..extensions.enabledAddons: amznUWL2@amazon.com:1.10
FF - prefs.js..extensions.enabledAddons: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}:6.11.0.13348


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_9_900_117.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/MycameraPlugin: C:\Program Files\Canon\MyCamera Download Plugin\NPCIG.dll (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@FromDocToPDF_65.com/Plugin: C:\Program Files\FromDocToPDF_65\bar\1.bin\NP65Stub.dll (MindSpark)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=16.0.3.51: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlchromebrowserrecordext;version=1.3.3: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlhtml5videoshim;version=1.3.3: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlpepperflashvideoshim;version=1.3.3: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=16.0.3.51: c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF - HKLM\Software\MozillaPlugins\@realnetworks.com/npdlplugin;version=1: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Users\Kathy\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF - HKCU\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin: C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101752.dll (Amazon.com, Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\65ffxtbr@FromDocToPDF_65.com: C:\Program Files\FromDocToPDF_65\bar\1.bin [2013/11/05 05:21:50 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013/09/12 17:42:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\ [2013/09/12 17:42:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/07/17 18:17:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/09/12 17:40:57 | 000,000,000 | ---D | M]

[2010/03/24 18:34:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Extensions
[2013/06/24 20:13:08 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\extensions
[2010/06/07 17:36:07 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/05/19 18:38:27 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2013/06/24 20:13:09 | 000,000,000 | ---D | M] (FromDocToPDF) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\extensions\65ffxtbr@FromDocToPDF_65.com
[2011/02/03 20:24:36 | 000,000,000 | ---D | M] (Search Toolbar) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\extensions\searchtoolbar@zugo.com
[2012/10/06 21:11:02 | 000,243,287 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\extensions\amznUWL2@amazon.com.xpi
[2011/02/03 20:24:38 | 000,001,919 | ---- | M] () -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\searchplugins\bing-zugo.xml
[2012/07/17 18:17:21 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/10/20 14:09:47 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2013/04/24 11:44:23 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013/10/20 14:09:46 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012/07/13 18:17:47 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/03/18 12:32:12 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2011/11/10 05:54:13 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/03/18 12:32:14 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
[2013/09/12 17:40:31 | 000,124,504 | ---- | M] (RealPlayer) -- C:\Program Files\mozilla firefox\plugins\nprpplugin.dll
[2012/07/09 16:16:47 | 000,003,767 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml
[2012/07/18 09:23:08 | 000,002,349 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
[2012/07/13 18:16:36 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/07/13 18:16:36 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2006/09/18 15:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (RealNetworks Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Toolbar BHO) - {a235e1e3-6296-4710-af39-104a7faa6c7c} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65bar.dll (MindSpark)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Search Assistant BHO) - {f236ca79-3123-4afb-9f74-e98117ad5625} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrcAs.dll (MindSpark)
O3 - HKLM\..\Toolbar: (FromDocToPDF) - {c66a678d-5e6c-4af9-8f57-c6192f42cf74} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65bar.dll (MindSpark)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O4 - HKLM..\Run: [Acer Assist Launcher] C:\Program Files\Acer\Acer Assist\launcher.exe ()
O4 - HKLM..\Run: [Acer ePower Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe (Acer Incorporated)
O4 - HKLM..\Run: [AmIcoSinglun] C:\Program Files\Selective Suspend Driver\AmIcoSinglun.exe (AlcorMicro Co., Ltd.)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [FromDocToPDF Search Scope Monitor] C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrchMn.exe (MindSpark)
O4 - HKLM..\Run: [FromDocToPDF_65 Browser Plugin Loader] C:\Program Files\FromDocToPDF_65\bar\1.bin\65brmon.exe (VER_COMPANY_NAME)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe (CANON INC.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [PLFSetI] C:\Windows\PLFSetI.exe ()
O4 - HKLM..\Run: [ROC_roc_dec12] "C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12 File not found
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000..\Run: [Google Update] Reg Error: Value error. File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html File not found
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_30)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.10.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1A48B34A-7608-4D4D-AFC9-BC7194A9B2B1}: DhcpNameServer = 192.168.10.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B5DF368C-F419-4932-BD75-7A02B9585635}: DhcpNameServer = 192.168.10.1
O18 - Protocol\Handler\inbox {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~1\INBOXT~1\Inbox.dll File not found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (c:\windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (c:\program files\soluto\soluto.exe /userinit) - c:\program files\soluto\soluto.exe (Soluto)
O24 - Desktop WallPaper: C:\Users\Kathy\Pictures\Lighthouse.jpg
O24 - Desktop BackupWallPaper: C:\Users\Kathy\Pictures\Lighthouse.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 15:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{7e71ba7c-376f-11df-9e5f-00269e0b901e}\Shell - "" = AutoRun
O33 - MountPoints2\{7e71ba7c-376f-11df-9e5f-00269e0b901e}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -a
O33 - MountPoints2\{de46b73d-1093-11e0-ab74-00269e0b901e}\Shell\AutoRun\command - "" = E:\Windows\bin\eblSetup.exe
O33 - MountPoints2\{ef6316fd-2fea-11e0-abad-00269e0b901e}\Shell - "" = AutoRun
O33 - MountPoints2\{ef6316fd-2fea-11e0-abad-00269e0b901e}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/11/07 18:13:01 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Kathy\Desktop\OTL.exe
[2013/11/07 18:10:00 | 004,121,952 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Kathy\Desktop\tdsskiller.exe
[2013/11/05 12:26:05 | 000,000,000 | ---D | C] -- C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink PowerDVD
[2013/10/13 02:14:01 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2013/10/13 02:13:59 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2013/10/13 02:13:58 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2013/10/13 02:13:58 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2013/10/13 02:13:57 | 000,607,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2013/10/13 02:13:55 | 001,800,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2013/10/13 02:13:54 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2013/10/13 02:13:51 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2013/10/10 12:21:15 | 001,172,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10warp.dll
[2013/10/10 12:21:15 | 001,069,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\DWrite.dll
[2013/10/10 12:21:15 | 000,486,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10level9.dll
[2013/10/10 12:21:14 | 001,029,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10.dll
[2013/10/10 12:21:14 | 000,683,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d2d1.dll
[2013/10/10 12:21:14 | 000,219,648 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1core.dll
[2013/10/10 12:21:14 | 000,189,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10core.dll
[2013/10/10 12:21:14 | 000,160,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1.dll
[2013/10/10 12:21:10 | 000,037,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\cdd.dll
[2013/10/10 12:21:07 | 000,102,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
[2013/10/10 12:21:05 | 002,050,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2013/10/10 12:20:57 | 000,226,304 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\usbport.sys
[2013/10/10 12:20:57 | 000,006,016 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\usbd.sys
[2013/10/10 12:17:53 | 000,293,376 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2013/10/10 12:17:52 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll
[2013/10/10 12:17:47 | 000,025,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\hidparse.sys
[2011/06/10 11:44:36 | 003,080,864 | ---- | C] (Adobe Systems, Inc.) -- C:\Program Files\install_flash_player.exe
[1964/01/03 08:35:38 | 000,053,248 | ---- | C] (Silitek Corp.) -- C:\Program Files\ACMonitor_X73.exe
[4 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/11/07 18:13:02 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Kathy\Desktop\OTL.exe
[2013/11/07 18:10:04 | 004,121,952 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Kathy\Desktop\tdsskiller.exe
[2013/11/07 18:09:26 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/11/07 18:08:48 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/11/06 21:42:09 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013/11/06 21:42:09 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013/11/06 21:22:02 | 000,000,928 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1403424136-2531779536-1460617787-1000UA.job
[2013/11/06 21:21:00 | 000,000,906 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1403424136-2531779536-1460617787-1000Core.job
[2013/11/05 12:27:46 | 000,618,148 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/11/05 12:27:46 | 000,109,218 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/11/05 06:21:50 | 2075,045,888 | -HS- | M] () -- C:\hiberfil.sys
[2013/11/04 21:28:52 | 000,000,910 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/11/04 18:39:22 | 264,443,960 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2013/10/25 13:15:45 | 001,822,775 | ---- | M] () -- C:\Users\Kathy\Desktop\ColoringPages.pdf
[2013/10/25 11:53:07 | 000,002,637 | ---- | M] () -- C:\Users\Kathy\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Word 2010.lnk
[2013/10/16 02:03:05 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2013/10/13 03:03:24 | 000,403,736 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[4 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/11/04 21:28:52 | 000,000,910 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/10/25 13:15:45 | 001,822,775 | ---- | C] () -- C:\Users\Kathy\Desktop\ColoringPages.pdf
[2012/09/19 13:54:47 | 000,047,633 | ---- | C] () -- C:\Windows\System32\wuwuninst.exe
[2012/07/17 18:27:14 | 000,000,193 | ---- | C] () -- C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc
[2012/07/14 22:03:55 | 000,027,520 | ---- | C] () -- C:\Users\Kathy\AppData\Local\dt.dat
[2011/04/06 14:54:18 | 000,000,680 | ---- | C] () -- C:\Users\Kathy\AppData\Local\d3d9caps.dat
[2011/03/29 21:33:28 | 000,000,000 | ---- | C] () -- C:\Users\Kathy\AppData\Roaming\124tre.ini
[2010/06/14 17:14:02 | 000,000,000 | ---- | C] () -- C:\Users\Kathy\AppData\Local\prvlcl.dat
[2010/03/24 18:44:53 | 000,020,480 | ---- | C] () -- C:\Users\Kathy\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/23 20:25:09 | 000,000,210 | ---- | C] () -- C:\Users\Kathy\AppData\Roaming\wklnhst.dat
[2001/07/20 09:48:06 | 000,008,116 | ---- | C] () -- C:\Program Files\OSLO3071b2.USB
[2000/12/05 14:56:34 | 000,114,688 | ---- | C] () -- C:\Program Files\lxarscan.dll
[2000/01/11 11:50:48 | 000,000,047 | ---- | C] () -- C:\Program Files\ACMonitor_X73.ini
[1964/01/18 07:07:18 | 000,000,768 | ---- | C] () -- C:\Program Files\x73_lut.dat
[1964/01/03 08:25:18 | 000,001,437 | ---- | C] () -- C:\Program Files\gtx73.ini

========== ZeroAccess Check ==========

[2011/04/02 11:52:34 | 001,150,396 | ---- | M] () -- C:\$Recycle.bin\S-1-5-21-1403424136-2531779536-1460617787-1000\$RFTDUQK\L.JPG
[2006/11/02 06:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 11:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 00:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 00:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Alternate Data Streams ==========

@Alternate Data Stream - 177 bytes -> C:\ProgramData\TEMP:DCAF903C
@Alternate Data Stream - 173 bytes -> C:\ProgramData\TEMP:F94CB4DD
@Alternate Data Stream - 169 bytes -> C:\ProgramData\TEMP:B623B5B8
@Alternate Data Stream - 163 bytes -> C:\ProgramData\TEMP:F7862839
@Alternate Data Stream - 160 bytes -> C:\ProgramData\TEMP:8750DCE4
@Alternate Data Stream - 157 bytes -> C:\ProgramData\TEMP:798A3728
@Alternate Data Stream - 142 bytes -> C:\ProgramData\TEMP:51574724
@Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:94188BC6
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:BB24555F
@Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:B203B914
@Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:3064D21D
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:9E22BBE8
@Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:131C0EE9
@Alternate Data Stream - 113 bytes -> C:\ProgramData\TEMP:ABE89FFE
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:CE0A077E
@Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:35759C73

< End of report >

*------------------------ OTL Extras -----------------------------*
OTL Extras logfile created on: 11/7/2013 6:14:26 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Kathy\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.93 Gb Total Physical Memory | 0.82 Gb Available Physical Memory | 42.57% Memory free
4.10 Gb Paging File | 2.58 Gb Available in Paging File | 62.80% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 220.88 Gb Total Space | 132.94 Gb Free Space | 60.18% Space Free | Partition Type: NTFS

Computer Name: KATHYS-PC | User Name: Kathy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1403424136-2531779536-1460617787-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistUMP] -- "C:\Program Files\UMPlayer\umplayer.exe" -add-to-playlist "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithUMP] -- "C:\Program Files\UMPlayer\umplayer.exe" -play-dir "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = LG CyberLink YouCam
"{020D8396-D6D9-4B53-A9A1-83C47E2E27AA}" = Windows Live Call
"{047F790A-7A2A-4B6A-AD02-38092BA63DAC}" = Acer VCM
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG5200_series" = Canon MG5200 series MP Drivers
"{15D967B5-A4BE-42AE-9E84-64CD062B25AA}" = eSobi v2
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = LG Power Tools
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 30
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3DB0448D-AD82-4923-B305-D001E521A964}" = Acer ePower Management
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update
"{4D24F198-A2CB-46B5-BB16-41B69C644B6C}" = Microsoft Security Client
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{59716973-C123-4B46-B44B-36FCD9CEB8A3}" = Print Artist Silver 22
"{5B63A470-9334-44D1-AF61-6CE2DB565AE9}" = Orion
"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
"{6471B123-F60F-4DC8-8FB4-DE0879A01BB3}" = Alcor Micro Card Rader Driver and Utility
"{67E03279-F703-408F-B4BF-46B5FC8D70CD}" = Microsoft Works
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{71C2828F-2678-4675-BDEC-895424861262}_is1" = C:\Program Files\Acer GameZone\GameConsole
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7F811A54-5A09-4579-90E1-C93498E230D9}" = Acer eRecovery Management
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110111700}" = Zuma Deluxe
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110184263}" = Puzzle Express
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111125700}" = Rainbow Web
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111202970}" = Word Jong To Go
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11120457}" = Tumble Bees To Go
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111205743}" = Tri-Peaks Solitaire To Go
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111252743}" = Mahjong Escape Ancient China
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111307457}" = Galapago
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11219217}" = Cradle of Rome
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0015-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.SingleImage_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.SingleImage_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.SingleImage_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-002C-0409-0000-0000000FF1CE}_Office14.SingleImage_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-003D-0000-0000-0000000FF1CE}" = Microsoft Office Single Image 2010
"{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}_Office14.SingleImage_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}_Office14.SingleImage_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}_Office14.SingleImage_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A048005D-3B95-4830-BC02-5CA5C4C55257}" = Soluto
"{AAECF7BA-E83B-4A10-87EA-DE0B333F8734}" = RealNetworks - Microsoft Visual C++ 2010 Runtime
"{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.2
"{ADD5DB49-72CF-11D8-9D75-000129760D75}" = LG CyberLink PowerBackup
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = LG CyberLink PowerProducer
"{B92C5909-1D37-4C51-8397-A28BB28E5DC3}" = Facebook Video Calling 1.2.0.287
"{C8E8D2E3-EF6A-4B1D-A09E-7B27EBE2F3CE}" = RealDownloader
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0ACE89D-EC7F-470F-80BE-4C98ED366B32}" = Acer Crystal Eye webcam Ver:1.1.87.603
"{D9D754A1-EAC5-406C-A28B-C49B1E846711}" = Windows Live Essentials
"{DF592394-16C4-4C44-9A31-C8241A55164A}" = Premier Predictor Pro
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
"{F0681859-D086-4384-B204-386FA7D80A5B}" = SplashShopper
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform
"{F73A5B18-EB75-4B2C-B32D-9457576E2417}" = Windows Live Photo Gallery
"{FDD810CA-D5E3-40E9-AB7B-36440B0D41EF}" = Windows Live Sync
"{FF24F097-D090-41D2-8E9C-BAFEBBFD938C}" = palmOne
"Acer Assist" = Acer Assist
"Acer Registration" = Acer Registration
"Acer Screensaver" = Acer ScreenSaver
"Adobe AIR" = Adobe AIR
"Adobe Digital Editions 2.0" = Adobe Digital Editions 2.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.17
"CameraUserGuide-PSELPH300HS_IXUS220HS" = Canon PowerShot ELPH 300 HS_IXUS 220 HS Camera User Guide
"CameraWindowDC8" = Canon Utilities CameraWindow DC 8
"CameraWindowLauncher" = Canon Utilities CameraWindow Launcher
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon MG5200 series User Registration" = Canon MG5200 series User Registration
"Canon MOV Decoder" = Canon MOV Decoder
"Canon MOV Encoder" = Canon MOV Encoder
"Canon_IJ_Network_Scan_UTILITY" = Canon IJ Network Scan Utility
"Canon_IJ_Network_UTILITY" = Canon IJ Network Tool
"CanonMyPrinter" = Canon My Printer
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Coupon Printer for Windows5.0.0.1" = Coupon Printer for Windows
"Emicsoft DVD Ripper_is1" = Emicsoft DVD Ripper
"Free Mp3 Wma Converter_is1" = Free Mp3 Wma Converter V 1.91
"FromDocToPDF_65bar Uninstall" = FromDocToPDF Toolbar
"GridVista" = GridVista
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = LG CyberLink YouCam
"InstallShield_{15D967B5-A4BE-42AE-9E84-64CD062B25AA}" = eSobi v2
"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = LG Power Tools
"InstallShield_{6471B123-F60F-4DC8-8FB4-DE0879A01BB3}" = Alcor Micro Card Rader Driver and Utility
"LManager" = Launch Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"MovieUploaderForYouTube" = Canon Utilities Movie Uploader for YouTube
"Mozilla Firefox 14.0.1 (x86 en-US)" = Mozilla Firefox 14.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MP Navigator EX 4.0" = Canon MP Navigator EX 4.0
"MyCamera" = Canon Utilities MyCamera
"MyCamera Download Plugin" = CANON iMAGE GATEWAY MyCamera Download Plugin
"Office14.SingleImage" = Microsoft Office Home and Student 2010
"PhotoStitch" = Canon Utilities PhotoStitch
"Premier Predictor Pro" = Premier Predictor Pro
"RealPlayer 16.0" = RealPlayer
"Search Toolbar" = Search Toolbar
"Software Guide" = Canon DIGITAL CAMERA Solution Disk Software Guide
"Software Update Wizard (Redistributable)" = Software Update Wizard (Redistributable) 4.5
"SplashShopper Desktop" = SplashShopper Desktop 3.1.0
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Ticket To Ride 1.0" = Ticket To Ride 1.0
"TVWiz" = Intel(R) TV Wizard
"UMPlayer" = UMPlayer 0.98 [P3]
"WinLiveSuite_Wave3" = Windows Live Essentials
"WordWeb" = WordWeb
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1403424136-2531779536-1460617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Amazon Kindle For PC" = Amazon Kindle For PC
"Dropbox" = Dropbox

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 11/5/2013 4:56:25 PM | Computer Name = Kathys-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 11/5/2013 4:56:25 PM | Computer Name = Kathys-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 11/5/2013 4:56:29 PM | Computer Name = Kathys-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 11/5/2013 4:56:29 PM | Computer Name = Kathys-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 11/5/2013 4:56:30 PM | Computer Name = Kathys-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 11/5/2013 4:56:30 PM | Computer Name = Kathys-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 11/5/2013 4:56:31 PM | Computer Name = Kathys-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 11/5/2013 4:56:31 PM | Computer Name = Kathys-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 11/5/2013 4:56:33 PM | Computer Name = Kathys-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 11/5/2013 4:56:33 PM | Computer Name = Kathys-PC | Source = Windows Search Service | ID = 3013
Description =

[ Media Center Events ]
Error - 5/11/2011 12:32:29 PM | Computer Name = Kathys-PC | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 5/25/2011 2:41:16 PM | Computer Name = Kathys-PC | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 7/31/2011 6:34:59 PM | Computer Name = Kathys-PC | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 8/27/2011 8:28:16 PM | Computer Name = Kathys-PC | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 10/7/2011 1:31:31 PM | Computer Name = Kathys-PC | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 4/21/2012 3:10:47 PM | Computer Name = Kathys-PC | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 5/20/2012 9:35:39 PM | Computer Name = Kathys-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 5/21/2012 2:26:21 PM | Computer Name = Kathys-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 5/22/2012 5:56:57 PM | Computer Name = Kathys-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 5/18/2013 1:12:55 PM | Computer Name = Kathys-PC | Source = MCUpdate | ID = 0
Description = Failed to wait on MCUpdate mutex with exception: 'The wait completed
due to an abandoned mutex.'.

[ System Events ]
Error - 11/4/2013 8:41:04 PM | Computer Name = Kathys-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 11/4/2013 8:41:04 PM | Computer Name = Kathys-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 11/4/2013 8:41:05 PM | Computer Name = Kathys-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 11/4/2013 8:47:54 PM | Computer Name = Kathys-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 11/4/2013 8:47:54 PM | Computer Name = Kathys-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 11/5/2013 7:25:09 AM | Computer Name = Kathys-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 11/5/2013 7:25:09 AM | Computer Name = Kathys-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 11/5/2013 8:23:41 AM | Computer Name = Kathys-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 11/5/2013 8:23:41 AM | Computer Name = Kathys-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 11/6/2013 2:12:30 PM | Computer Name = Kathys-PC | Source = Service Control Manager | ID = 7011
Description =


< End of report >
tnesler
Regular Member
 
Posts: 33
Joined: September 12th, 2013, 11:42 am

Re: My Wife's PC has malware

Unread postby nunped » November 8th, 2013, 12:27 pm

Hi tnesler,

I'm afraid I have some bad news:

Your logs show signs of a Remote Access Infection on your computer.

[2011/04/02 11:52:34 | 001,150,396 | ---- | M] () -- C:\$Recycle.bin\S-1-5-21-1403424136-2531779536-1460617787-1000\$RFTDUQK\L.JPG
[2006/11/02 06:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini


These indicate you are infected with ....

ZeroAccess

http://www.microsoft.com/security/porta ... Sirefef.AC

Please take time to carefully read THIS topic, then let me know how you want to proceed.
nunped
MRU Honors Grad Emeritus
 
Posts: 1210
Joined: August 17th, 2011, 5:03 pm
Location: Portugal
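As an added example (not part of the original post, and not code from OTL, FRST or MalwareRemoval.com), the following Python script parses OTL file-listing lines and FRST entries like the ones quoted above and flags the two ZeroAccess indicator patterns the helper points to: a $R<random> folder under a per-user $Recycle.bin, and a hidden/system Desktop.ini in C:\Windows\assembly. It also collects any line FRST has already tagged with "<===== ATTENTION". Matching the GAC_32/GAC_64 Desktop.ini variants is an assumption taken from published ZeroAccess descriptions and goes beyond what this thread shows; the sample log is constructed from lines on this page plus three benign lines for contrast. Matches are triage prompts, not verdicts: a legitimately recycled folder also lives under $R<random>, so confirm against a known-good machine before deleting anything.

```python
"""Triage of OTL / FRST log lines for the ZeroAccess indicators cited above.

Added example for this thread; it is not part of OTL, FRST or the original post.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# OTL file-listing line:
#   [2011/04/02 11:52:34 | 001,150,396 | ---- | M] () -- C:\path\file.ext
OTL_FILE_LINE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[RHSD-]{4}) \| (?P<kind>[MC])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

# Marker FRST appends to entries it already considers suspicious.
FRST_ATTENTION = re.compile(r"<=+ ATTENTION \((?P<note>[^)]*)\)")

# Indicator 1: a $R<random> folder under a per-user recycle bin (SID path).
RECYCLE_DROP = re.compile(
    r"^[A-Z]:\\\$Recycle\.bin\\S-1-5-21-[\d-]+\\\$R[^\\]+\\", re.IGNORECASE
)

# Indicator 2: Desktop.ini in C:\Windows\assembly. The GAC_32/GAC_64
# subfolders are an assumption taken from published ZeroAccess descriptions.
ASSEMBLY_DESKTOP_INI = re.compile(
    r"^[A-Z]:\\Windows\\assembly\\(?:GAC(?:_32|_64)?\\)?Desktop\.ini$",
    re.IGNORECASE,
)


@dataclass
class OtlEntry:
    stamp: str
    size: int          # bytes, with OTL's thousands separators removed
    attrs: str         # R/H/S/D flags as printed by OTL, '-' when unset
    kind: str          # M = modified, C = created
    company: str
    path: str

    @property
    def hidden_system(self) -> bool:
        return "H" in self.attrs and "S" in self.attrs


def parse_otl_file_line(line: str) -> Optional[OtlEntry]:
    """Parse one OTL file-listing line; return None for any other line."""
    m = OTL_FILE_LINE.match(line.strip())
    if not m:
        return None
    return OtlEntry(
        stamp=m["stamp"],
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=m["company"],
        path=m["path"].strip(),
    )


def reasons_for(line: str) -> List[str]:
    """Names of the indicators matching one log line (empty when clean)."""
    hits: List[str] = []
    att = FRST_ATTENTION.search(line)
    if att:
        hits.append("frst-attention: " + att["note"])
    entry = parse_otl_file_line(line)
    if entry is None:
        return hits
    if RECYCLE_DROP.match(entry.path):
        hits.append("recycle-bin drop folder")
    # Only the hidden+system copy is interesting; a plain Desktop.ini is ordinary.
    if ASSEMBLY_DESKTOP_INI.match(entry.path) and entry.hidden_system:
        hits.append("hidden+system Desktop.ini in Windows\\assembly")
    return hits


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every line that trips at least one indicator."""
    findings: List[Tuple[str, List[str]]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            hits = reasons_for(line)
            if hits:
                findings.append((line, hits))
    return findings


# Constructed sample: the two OTL lines and the FRST Run entry quoted in this
# thread, plus three benign lines written in the same formats for contrast.
SAMPLE_LOG = r"""
[2011/04/02 11:52:34 | 001,150,396 | ---- | M] () -- C:\$Recycle.bin\S-1-5-21-1403424136-2531779536-1460617787-1000\$RFTDUQK\L.JPG
[2006/11/02 06:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
[2013/11/06 07:04:00 | 000,020,152 | ---- | M] () -- C:\Users\Kathy\Desktop\dds.txt
[2013/11/08 17:31:00 | 005,145,633 | R--- | M] (Swearware) -- C:\Users\Kathy\Desktop\ComboFix.exe
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [995176 2013-08-12] (Microsoft Corporation)
"""

if __name__ == "__main__":
    for line, hits in triage(SAMPLE_LOG):
        print("; ".join(hits))
        print("    " + line)
```

Run it against a saved OTL.txt or FRST.txt by reading the file into `triage()`; the three benign sample lines show that an ordinary user file, ComboFix's read-only binary and a normal Run entry all pass without a hit.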

Re: My Wife's PC has malware

Unread postby tnesler » November 8th, 2013, 1:14 pm

Hello!

This is very scary information. I am not ready to reset my wife's hard drive as yet, although I understand this is only a temporary fix.

Please go ahead and give me instructions on how to remove this Virus. I will contact my banks and put a watch on my credit card accounts.

Thanks!

Tom Nesler

Re: My Wife's PC has malware

Unread postby nunped » November 8th, 2013, 1:22 pm

Hi tnesler,

OK! Let's continue.
If you haven't backed up your personal files and documents, please do so before proceeding.

Download and Run ComboFix
  • Please download ComboFix. (Alternate site: here)
    **IMPORTANT !!! Save ComboFix.exe to your Desktop**
  • Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  • Right click on ComboFix.exe and select "Run as Administrator" & follow the prompts
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash!
    When finished, Notepad will open a log file called "ComboFix.txt".
  • Please copy/paste the contents of ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Re: My Wife's PC has malware

Unread postby tnesler » November 8th, 2013, 9:00 pm

I tried to run ComboFix but after it unpacked it said that Microsoft Security Essentials was active (Spyware and Antivirus). My problem is, I don't know how to disable this program. When MSE starts up, I get an error: "An error has occurred during initialization. If this problem continues, please contact your system administrator. Error code 0x80073b01"

I don't see any obvious processes running that I can kill. Should I continue? Or should I try to run this in Safe Mode?

What do you recommend?

Re: My Wife's PC has malware

Unread postby nunped » November 10th, 2013, 10:11 am

Hi tnesler,

Are you able to follow these steps to disable MSE?
1. Find the Security Essentials icon in your System Tray (usually it's represented by a little green house with a flag on top). Right-click it and choose Open.
2. Click the Settings tab.
3. Click Real-time protection.
4. Uncheck the box next to Turn on real-time protection (recommended).
5. Click the Save changes button.

Re: My Wife's PC has malware

Unread postby tnesler » November 10th, 2013, 3:56 pm

I was not able to do any of those steps because my MSE is not in the system tray. When I turn on the computer, I get the error message described earlier and then MSE seems to fail to start. If I try to manually start it, I get the same results. That's why I am confused that ComboFix is saying my MSE is still running.

I hope this makes sense to you. Please refer to my last message for the error that occurs when MSE starts.

Thanks!

Tom Nesler

Re: My Wife's PC has malware

Unread postby nunped » November 10th, 2013, 5:36 pm

That error may be related to the infection.

So, please try to run Combofix under safe mode, following my guidelines posted before.

Re: My Wife's PC has malware

Unread postby tnesler » November 11th, 2013, 12:02 am

I started the PC in safe mode. Ran ComboFix as Admin. Got the same warning message that MSE was still active...<arrgghh> I am still playing it safe. What do you recommend now? I was unaware that Antivirus software was even active when you were in safe mode without networking...;-/

Re: My Wife's PC has malware

Unread postby nunped » November 11th, 2013, 4:51 am

Hi tnesler,

Let's try another one:
FRST - Farbar Recovery Scanner Tool for Vista-W7

Please download FRST.exe ... by Farbar. Save it to your desktop.
  1. Double-click to run it. When the tool opens click Yes to disclaimer.
  2. Press Scan button.
  3. ... A log will be created FRST.txt in the same directory the tool is run.
  4. Please copy/paste FRST.txt it to your reply.
  5. The first time the tool is run, it makes also another log... Addition.txt.
  6. Please copy/paste Addition.txt in your reply.

Re: My Wife's PC has malware

Unread postby tnesler » November 11th, 2013, 4:20 pm

I ran the FRST scan. I copied the program file to the computer from a USB drive since I am trying to keep this computer off the internet. I noticed that I could not remove the USB drive for several minutes due to the fact that the computer was doing something with the drive. I saw the light on the hard drive and the USB drive flickering while this was taking place. Is it possible that my USB drive is now infected too? Is there a tool to scan a USB drive for malware?

Anyway,

Here are the files from FRST.

FRST.Txt ****************
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 10-11-2013 01
Ran by Kathy (administrator) on KATHYS-PC on 11-11-2013 07:34:29
Running from C:\Users\Kathy\Desktop
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(Soluto) c:\program files\soluto\soluto.exe
(Lexmark International, Inc.) C:\Windows\System32\LEXBCES.EXE
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
(COMPANYVERS_NAME) C:\PROGRA~1\FROMDO~2\bar\1.bin\65barsvc.exe
() C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
(Acer Incorporated) C:\Program Files\Acer\Acer VCM\RS_Service.exe
(Skype Technologies S.A.) C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
(Soluto) C:\Program Files\Soluto\SolutoLauncherService.exe
(Soluto) C:\Program Files\Soluto\SolutoService.exe
(Data Perceptions / PowerProgrammer) C:\Windows\system32\WebUpdateSvc4.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(AlcorMicro Co., Ltd.) C:\Program Files\Selective Suspend Driver\AmIcoSinglun.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
() C:\Windows\PLFSetI.exe
(CANON INC.) C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
(CANON INC.) C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(MindSpark) C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrchMn.exe
(VER_COMPANY_NAME) C:\Program Files\FromDocToPDF_65\bar\1.bin\65brmon.exe
(Acer Incorporated) C:\Program Files\Acer\Acer VCM\AcerVCM.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\NisSrv.exe
(Intel Corporation) C:\Windows\system32\igfxext.exe
(Microsoft Corporation) C:\Windows\system32\wbem\unsecapp.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(WordWeb Software) C:\Program Files\WordWeb\wweb32.exe
(PalmSource, Inc) C:\program files\palmone\hotsync.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Intel Corporation) C:\Windows\system32\igfxtray.exe
(Intel Corporation) C:\Windows\system32\hkcmd.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MpCmdRun.exe
(Intel Corporation) C:\Windows\System32\GfxUI.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [IAAnotif] - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe [186904 2009-02-11] (Intel Corporation)
HKLM\...\Run: [AmIcoSinglun] - C:\Program Files\Selective Suspend Driver\AmIcoSinglun.exe [237568 2009-04-29] (AlcorMicro Co., Ltd.)
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7539232 2009-06-09] (Realtek Semiconductor)
HKLM\...\Run: [Acer ePower Management] - C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [703008 2009-06-18] (Acer Incorporated)
HKLM\...\Run: [Acer Assist Launcher] - C:\Program Files\Acer\Acer Assist\launcher.exe [1261568 2007-11-19] ()
HKLM\...\Run: [PLFSetI] - C:\Windows\PLFSetI.exe [200704 2009-07-31] ()
HKLM\...\Run: [CanonMyPrinter] - C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE [2516296 2010-03-24] (CANON INC.)
HKLM\...\Run: [IJNetworkScanUtility] - C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [140640 2010-03-02] (CANON INC.)
HKLM\...\Run: [ROC_roc_dec12] - "C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [995176 2013-08-12] (Microsoft Corporation)
HKLM\...\Run: [FromDocToPDF Search Scope Monitor] - C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrchMn.exe [44784 2013-06-24] (MindSpark)
HKLM\...\Run: [FromDocToPDF_65 Browser Plugin Loader] - C:\Program Files\FromDocToPDF_65\bar\1.bin\65brmon.exe [30096 2013-06-24] (VER_COMPANY_NAME)
HKLM\...\Winlogon: [Userinit] c:\windows\system32\userinit.exe,c:\program files\soluto\soluto.exe /userinit,
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
MountPoints2: {7e71ba7c-376f-11df-9e5f-00269e0b901e} - D:\LaunchU3.exe -a
MountPoints2: {de46b73d-1093-11e0-ab74-00269e0b901e} - E:\Windows\bin\eblSetup.exe
MountPoints2: {ef6316fd-2fea-11e0-abad-00269e0b901e} - D:\LaunchU3.exe -a
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default\...\RunOnce: [ScrSav] - C:\Program Files\Acer\Screensaver\run_Acer.exe [ 2009-06-16] ()
HKU\Default User\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default User\...\RunOnce: [ScrSav] - C:\Program Files\Acer\Screensaver\run_Acer.exe [ 2009-06-16] ()
HKU\Guest\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsearch.com/index.jhtml?n=77DE8857&p2=^Y6^xdm003^YY^us&ptb=87F9B5A7-1A6A-4179-A4B1-5C9585FE55A5&si=CNrN44-Q_rcCFc1cMgodX1oAuA
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/?ocid=EIE9HP&PC=UP50
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Restore = http://mail.google.com/a/dishmail.net/? ... .net#inbox
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACA ... 5w47j1r735
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACA ... 5w47j1r735
URLSearchHook: HKCU - (No Name) - {4c60e5ab-5c68-4c59-abaa-885010b24b32} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrcAs.dll (MindSpark)
SearchScopes: HKCU - DefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q={searchTerms}&affID=114066&tt=2912_7&babsrc=SP_ss&mntrId=285fc8d00000000000000022fb66b6b8
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q={searchTerms}&affID=114066&tt=2912_7&babsrc=SP_ss&mntrId=285fc8d00000000000000022fb66b6b8
SearchScopes: HKCU - {2487D5C1-0C30-4457-8532-2431C3BCB8EE} URL = http://isearch.avg.com/search?cid={DECFAAD5-80B9-48B6-B814-2D9C0F3A1129}&mid=812065f8a3e237250d9030fa7aa40137-b60c989b9a805664a229481db4ea5b647d6c2de4&lang=en&ds=AVG&pr=fr&d=2011-10-15 14:24:37&v=9.0.0.18&sap=dsp&q={searchTerms}
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://www.bing.com/search?FORM=UP50DF&PC=UP50&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKCU - {C04B7D22-5AEC-4561-8F49-27F6269208F6} URL = http://www2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=82079&iwk=273&lng=en
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
BHO: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Toolbar BHO - {a235e1e3-6296-4710-af39-104a7faa6c7c} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65bar.dll (MindSpark)
BHO: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: Search Assistant BHO - {f236ca79-3123-4afb-9f74-e98117ad5625} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrcAs.dll (MindSpark)
Toolbar: HKLM - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKLM - FromDocToPDF - {c66a678d-5e6c-4af9-8f57-c6192f42cf74} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65bar.dll (MindSpark)
Toolbar: HKCU - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~1\INBOXT~1\Inbox.dll No File
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.10.1

FireFox:
========
FF ProfilePath: C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default
FF user.js: detected! => C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\user.js
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_11_9_900_117.dll ()
FF Plugin: @canon.com/MycameraPlugin - C:\Program Files\Canon\MyCamera Download Plugin\NPCIG.dll (CANON INC.)
FF Plugin: @FromDocToPDF_65.com/Plugin - C:\Program Files\FromDocToPDF_65\bar\1.bin\NP65Stub.dll (MindSpark)
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=14.0.8051.1204 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=16.0.3.51 - c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlchromebrowserrecordext;version=1.3.3 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlhtml5videoshim;version=1.3.3 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlpepperflashvideoshim;version=1.3.3 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpplugin;version=16.0.3.51 - c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF Plugin: @realnetworks.com/npdlplugin;version=1 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @Skype Limited.com/Facebook Video Calling Plugin - C:\Users\Kathy\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF Plugin HKCU: amazon.com/AmazonMP3DownloaderPlugin - C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101752.dll (Amazon.com, Inc.)
FF SearchPlugin: C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\searchplugins\bing-zugo.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\babylon.xml
FF Extension: FromDocToPDF - C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\Extensions\65ffxtbr@FromDocToPDF_65.com
FF Extension: Search Toolbar - C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\Extensions\searchtoolbar@zugo.com
FF Extension: Microsoft .NET Framework Assistant - C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF Extension: Yahoo! Toolbar - C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF Extension: amznUWL2 - C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\Extensions\amznUWL2@amazon.com.xpi
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM\...\Firefox\Extensions: [65ffxtbr@FromDocToPDF_65.com] - C:\Program Files\FromDocToPDF_65\bar\1.bin
FF Extension: FromDocToPDF - C:\Program Files\FromDocToPDF_65\bar\1.bin
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF HKLM\...\Firefox\Extensions: [{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\

========================== Services (Whitelisted) =================

R2 ePowerSvc; C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [723488 2009-06-18] (Acer Incorporated)
R2 FromDocToPDF_65Service; C:\PROGRA~1\FROMDO~2\bar\1.bin\65barsvc.exe [42504 2013-06-24] (COMPANYVERS_NAME)
R2 LexBceS; C:\Windows\System32\LEXBCES.EXE [311296 2001-10-05] (Lexmark International, Inc.)
S3 MozillaMaintenance; C:\Program Files\Mozilla Maintenance Service\maintenanceservice_tmp.exe [113120 2012-07-13] (Mozilla Foundation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-08-12] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295376 2013-08-12] (Microsoft Corporation)
R2 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
R2 RS_Service; C:\Program Files\Acer\Acer VCM\RS_Service.exe [237568 2009-02-05] (Acer Incorporated)
R2 Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3275136 2013-10-09] (Skype Technologies S.A.)
R2 SolutoLauncherService; C:\Program Files\Soluto\SolutoLauncherService.exe [166880 2013-01-27] (Soluto)
S3 SolutoRemoteService; C:\Program Files\Soluto\SolutoRemoteService.exe [1239552 2013-01-27] (Soluto)
R2 SolutoService; C:\Program Files\Soluto\SolutoService.exe [553440 2013-01-27] (Soluto)
R2 WebUpdate4; C:\Windows\system32\WebUpdateSvc4.exe [262360 2008-09-15] (Data Perceptions / PowerProgrammer)

==================== Drivers (Whitelisted) ====================

R1 DPMemGridVista; C:\Program Files\GridVista\DPMemGridVista.sys [10504 2008-09-30] (Dritek System Inc.)
S3 int15.sys; C:\Windows\System32\OEM\Factory\int15.sys [69632 2003-10-01] ()
R3 L1C; C:\Windows\System32\DRIVERS\L1C60x86.sys [50176 2009-04-27] (Atheros Communications, Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [211560 2013-06-18] (Microsoft Corporation)
R1 MpKsl2f659b20; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F41BC052-ACF4-4846-AC14-26F032E4EA31}\MpKsl2f659b20.sys [40392 2013-11-11] (Microsoft Corporation)
S3 PalmUSBD; C:\Windows\System32\drivers\PalmUSBD.sys [16694 2010-03-28] (PalmSource, Inc.)
R0 Soluto; C:\Windows\System32\DRIVERS\Soluto.sys [51144 2013-01-27] (Soluto LTD.)
R3 SSDISK; C:\Windows\System32\DRIVERS\SSDISK.sys [10752 2009-03-30] (Alcor Micro, Corp.)
R3 SSUSB; C:\Windows\System32\DRIVERS\SSUSB.sys [14848 2009-04-07] (Alcor Micro, Corp.)
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-20] (Microsoft Corporation)
S3 cpuz135; \??\C:\Windows\TEMP\cpuz135\cpuz135_x32.sys [x]
R3 cpuz136; \??\C:\Windows\TEMP\cpuz136\cpuz136_x32.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 LVRS; system32\DRIVERS\lvrs.sys [x]
S3 LVUSBSta; system32\drivers\LVUSBSta.sys [x]
S2 LXARScan; System32\Drivers\Lxarscan.sys [x]
S1 npbgsgld; \??\C:\Windows\system32\drivers\npbgsgld.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S3 pepifilter; system32\DRIVERS\lv302af.sys [x]
S3 PID_PEPI; system32\DRIVERS\LV302V32.SYS [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-11-11 07:34 - 2013-11-11 07:34 - 00000000 ____D C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink PowerDVD
2013-11-11 07:33 - 2013-11-11 07:33 - 00000000 ____D C:\FRST
2013-11-11 07:31 - 2009-08-04 02:02 - 00754688 _____ (Microsoft Corporation) C:\Windows\system32\webservices.dll
2013-11-11 07:28 - 2013-11-11 07:21 - 01090275 _____ (Farbar) C:\Users\Kathy\Desktop\FRST.exe
2013-11-10 21:58 - 2013-11-10 21:58 - 00000000 ___SD C:\ComboFix
2013-11-08 18:51 - 2011-06-26 00:45 - 00256000 _____ C:\Windows\PEV.exe
2013-11-08 18:51 - 2010-11-07 11:20 - 00208896 _____ C:\Windows\MBR.exe
2013-11-08 18:51 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2013-11-08 18:51 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2013-11-08 18:51 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2013-11-08 18:51 - 2000-08-30 18:00 - 00098816 _____ C:\Windows\sed.exe
2013-11-08 18:51 - 2000-08-30 18:00 - 00080412 _____ C:\Windows\grep.exe
2013-11-08 18:51 - 2000-08-30 18:00 - 00068096 _____ C:\Windows\zip.exe
2013-11-08 18:48 - 2013-11-08 18:48 - 00000000 ____D C:\Windows\erdnt
2013-11-08 18:48 - 2013-11-08 18:48 - 00000000 ____D C:\Qoobox
2013-11-08 18:47 - 2013-11-08 17:31 - 05145633 ____R (Swearware) C:\Users\Kathy\Desktop\ComboFix.exe
2013-11-07 18:42 - 2013-11-07 18:42 - 00041982 _____ C:\Users\Kathy\Desktop\Extras.Txt
2013-11-07 18:36 - 2013-11-07 18:36 - 00092490 _____ C:\Users\Kathy\Desktop\OTL.Txt
2013-11-07 18:13 - 2013-11-07 18:13 - 00602112 _____ (OldTimer Tools) C:\Users\Kathy\Desktop\OTL.exe
2013-11-07 18:10 - 2013-11-07 18:10 - 04121952 _____ (Kaspersky Lab ZAO) C:\Users\Kathy\Desktop\tdsskiller.exe
2013-11-06 07:05 - 2013-11-06 07:05 - 00009670 _____ C:\Users\Kathy\Desktop\attach.txt
2013-11-06 07:05 - 2013-11-06 07:04 - 00020152 _____ C:\Users\Kathy\Desktop\dds.txt
2013-11-04 21:28 - 2013-11-04 21:28 - 00000910 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-11-04 18:40 - 2013-11-04 18:40 - 00151752 _____ C:\Windows\Minidump\Mini110413-01.dmp
2013-10-13 02:14 - 2013-09-22 04:06 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2013-10-13 02:14 - 2013-09-22 04:03 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-10-13 02:14 - 2013-09-22 04:03 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2013-10-13 02:13 - 2013-09-22 04:29 - 12336128 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-10-13 02:13 - 2013-09-22 04:22 - 09739264 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-10-13 02:13 - 2013-09-22 04:22 - 01800704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-10-13 02:13 - 2013-09-22 04:14 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2013-10-13 02:13 - 2013-09-22 04:13 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-10-13 02:13 - 2013-09-22 04:13 - 01104896 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-10-13 02:13 - 2013-09-22 04:12 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2013-10-13 02:13 - 2013-09-22 04:09 - 00065024 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-10-13 02:13 - 2013-09-22 04:08 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2013-10-13 02:13 - 2013-09-22 04:07 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-10-13 02:13 - 2013-09-22 04:05 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-10-13 02:13 - 2013-09-22 04:03 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-10-13 02:13 - 2013-09-22 03:59 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll

==================== One Month Modified Files and Folders =======

2013-11-11 07:36 - 2011-11-09 16:37 - 00000000 ____D C:\Users\Kathy\AppData\Roaming\Dropbox
2013-11-11 07:35 - 2011-11-09 16:42 - 00000000 ___RD C:\Users\Kathy\Dropbox
2013-11-11 07:34 - 2013-11-11 07:34 - 00000000 ____D C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink PowerDVD
2013-11-11 07:34 - 2009-07-31 10:38 - 01250949 _____ C:\Windows\WindowsUpdate.log
2013-11-11 07:33 - 2013-11-11 07:33 - 00000000 ____D C:\FRST
2013-11-11 07:32 - 2006-11-02 04:33 - 00722102 _____ C:\Windows\system32\PerfStringBackup.INI
2013-11-11 07:27 - 2006-11-02 06:47 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-11 07:27 - 2006-11-02 06:47 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-11 07:26 - 2006-11-02 07:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-11-11 07:21 - 2013-11-11 07:28 - 01090275 _____ (Farbar) C:\Users\Kathy\Desktop\FRST.exe
2013-11-10 21:58 - 2013-11-10 21:58 - 00000000 ___SD C:\ComboFix
2013-11-10 21:52 - 2006-11-02 07:01 - 00032626 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-11-10 13:06 - 2012-04-28 15:04 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-11-09 21:22 - 2012-01-24 14:46 - 00000928 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1403424136-2531779536-1460617787-1000UA.job
2013-11-09 21:21 - 2012-01-24 14:46 - 00000906 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1403424136-2531779536-1460617787-1000Core.job
2013-11-08 18:48 - 2013-11-08 18:48 - 00000000 ____D C:\Windows\erdnt
2013-11-08 18:48 - 2013-11-08 18:48 - 00000000 ____D C:\Qoobox
2013-11-08 17:31 - 2013-11-08 18:47 - 05145633 ____R (Swearware) C:\Users\Kathy\Desktop\ComboFix.exe
2013-11-07 18:42 - 2013-11-07 18:42 - 00041982 _____ C:\Users\Kathy\Desktop\Extras.Txt
2013-11-07 18:36 - 2013-11-07 18:36 - 00092490 _____ C:\Users\Kathy\Desktop\OTL.Txt
2013-11-07 18:13 - 2013-11-07 18:13 - 00602112 _____ (OldTimer Tools) C:\Users\Kathy\Desktop\OTL.exe
2013-11-07 18:10 - 2013-11-07 18:10 - 04121952 _____ (Kaspersky Lab ZAO) C:\Users\Kathy\Desktop\tdsskiller.exe
2013-11-06 07:05 - 2013-11-06 07:05 - 00009670 _____ C:\Users\Kathy\Desktop\attach.txt
2013-11-06 07:04 - 2013-11-06 07:05 - 00020152 _____ C:\Users\Kathy\Desktop\dds.txt
2013-11-05 06:21 - 2008-01-20 20:47 - 00877642 _____ C:\Windows\PFRO.log
2013-11-05 06:21 - 2006-11-02 06:37 - 00000000 ____D C:\Windows\twain_32
2013-11-05 05:21 - 2011-02-03 20:24 - 00000000 ____D C:\Program Files\Search Toolbar
2013-11-04 21:28 - 2013-11-04 21:28 - 00000910 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-11-04 21:28 - 2011-04-06 14:48 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-11-04 18:40 - 2013-11-04 18:40 - 00151752 _____ C:\Windows\Minidump\Mini110413-01.dmp
2013-11-04 18:40 - 2010-11-08 17:39 - 00000000 ____D C:\Windows\Minidump
2013-11-04 18:40 - 2010-03-23 17:02 - 00000000 ____D C:\Users\Kathy
2013-11-04 18:39 - 2010-11-08 17:39 - 264443960 _____ C:\Windows\MEMORY.DMP
2013-11-02 12:49 - 2012-09-14 10:55 - 00000000 ____D C:\Users\Kathy\Desktop\OCC coloring pages
2013-10-20 14:09 - 2011-08-08 18:58 - 00000000 ___RD C:\Program Files\Skype
2013-10-20 14:09 - 2011-08-08 18:58 - 00000000 ____D C:\ProgramData\Skype
2013-10-16 02:03 - 2012-08-13 19:30 - 00001945 _____ C:\Windows\epplauncher.mif
2013-10-16 02:02 - 2012-08-13 19:24 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-10-15 20:30 - 2006-11-02 05:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-10-13 03:03 - 2006-11-02 06:47 - 00403736 _____ C:\Windows\system32\FNTCACHE.DAT
2013-10-13 03:02 - 2011-12-16 13:57 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-10-13 02:38 - 2009-06-27 19:53 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-10-13 02:28 - 2013-08-15 12:54 - 00000000 ____D C:\Windows\system32\MRT
2013-10-13 02:21 - 2006-11-02 04:24 - 78106760 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe

Files to move or delete:
====================
C:\Users\Kathy\AppData\Roaming\124tre.ini
ZeroAccess:
C:\Users\Kathy\AppData\Local\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install


Some content of TEMP:
====================
C:\Users\Kathy\AppData\Local\Temp\CommonInstaller.exe
C:\Users\Kathy\AppData\Local\Temp\iGearedHelper.dll
C:\Users\Kathy\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Users\Kathy\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe
C:\Users\Kathy\AppData\Local\Temp\jre-6u30-windows-i586-iftw-rv.exe
C:\Users\Kathy\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe
C:\Users\Kathy\AppData\Local\Temp\lowproc.exe
C:\Users\Kathy\AppData\Local\Temp\mpam-f01db222.exe
C:\Users\Kathy\AppData\Local\Temp\ose00000.exe
C:\Users\Kathy\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Kathy\AppData\Local\Temp\stubhelper.dll
C:\Users\Kathy\AppData\Local\Temp\ToolbarInstaller.exe
C:\Users\Kathy\AppData\Local\Temp\UNINSTALL.EXE


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-11-11 07:38

==================== End Of Log ============================

Here is the Addition.Txt file **********


Additional scan result of Farbar Recovery Scan Tool (x86) Version: 10-11-2013 01
Ran by Kathy at 2013-11-11 07:41:54
Running from C:\Users\Kathy\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: Microsoft Security Essentials (Enabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Microsoft Security Essentials (Enabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}

==================== Installed Programs ======================

Acer Assist
Acer Crystal Eye webcam Ver:1.1.87.603 (Version: 1.1.87.603)
Acer ePower Management (Version: 4.00.3008)
Acer eRecovery Management (Version: 4.00.3008)
Acer Registration
Acer ScreenSaver (Version: 1.1.0623)
Acer VCM (Version: 4.00.3008)
Acrobat.com (Version: 0.0.0)
Acrobat.com (Version: 1.1.377)
Adobe AIR (Version: 1.0.4990)
Adobe AIR (Version: 1.0.8.4990)
Adobe Digital Editions 2.0 (Version: 2.0)
Adobe Flash Player 11 ActiveX (Version: 11.9.900.117)
Adobe Flash Player 11 Plugin (Version: 11.9.900.117)
Adobe Reader 9.5.2 (Version: 9.5.2)
Alcor Micro Card Rader Driver and Utility (Version: 1.1.1017.1)
Amazon Kindle For PC
Amazon MP3 Downloader 1.0.17 (Version: 1.0.17)
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver (Version: 1.0.0.19)
C:\Program Files\Acer GameZone\GameConsole (Version: 2.0.1.6)
Canon DIGITAL CAMERA Solution Disk Software Guide (Version: 1.4.0.1)
Canon IJ Network Scan Utility
Canon IJ Network Tool
CANON iMAGE GATEWAY MyCamera Download Plugin (Version: 3.1.1.2)
CANON iMAGE GATEWAY Task for ZoomBrowser EX (Version: 1.9.0.9)
Canon MG5200 series MP Drivers
Canon MG5200 series User Registration
Canon MOV Decoder (Version: 1.8.0.7)
Canon MOV Encoder (Version: 1.6.0.1)
Canon MovieEdit Task for ZoomBrowser EX (Version: 3.7.0.4)
Canon MP Navigator EX 4.0
Canon My Printer
Canon PowerShot ELPH 300 HS_IXUS 220 HS Camera User Guide (Version: 1.0.0.1)
Canon Utilities CameraWindow DC 8 (Version: 8.4.0.3)
Canon Utilities CameraWindow Launcher (Version: 7.5.0.2)
Canon Utilities Movie Uploader for YouTube (Version: 1.2.0.7)
Canon Utilities MyCamera (Version: 7.4.0.2)
Canon Utilities PhotoStitch (Version: 3.1.22.46)
Canon Utilities ZoomBrowser EX (Version: 6.7.0.24)
Canon ZoomBrowser EX Memory Card Utility (Version: 1.5.0.9)
Choice Guard (Version: 1.2.87.0)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Coupon Printer for Windows (Version: 5.0.0.1)
Cradle of Rome
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dropbox (HKCU Version: 2.0.22)
Emicsoft DVD Ripper
eSobi v2 (Version: 2.0.3.000223)
Facebook Video Calling 1.2.0.287 (Version: 1.2.287)
Free Mp3 Wma Converter V 1.91 (Version: 1.91.0.0)
FromDocToPDF Toolbar
Galapago
GridVista (Version: 2.77.0507)
Intel(R) Graphics Media Accelerator Driver
Intel(R) TV Wizard
Intel® Matrix Storage Manager
Java Auto Updater (Version: 2.0.6.1)
Java(TM) 6 Update 30 (Version: 6.0.300)
Junk Mail filter update (Version: 14.0.8050.1202)
Launch Manager (Version: 2.0.00)
LG CyberLink PowerBackup (Version: 2.5.4511)
LG CyberLink PowerProducer (Version: 085312a(3.7)_Vista_LG)
LG CyberLink YouCam (Version: 1.0.2609)
LG Power Tools (Version: 6.0.2806)
Mahjong Escape Ancient China
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Home and Student 2010 (Version: 14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Single Image 2010 (Version: 14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Security Client (Version: 4.3.0219.0)
Microsoft Security Essentials (Version: 4.3.219.0)
Microsoft Silverlight (Version: 5.1.20913.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Works (Version: 9.7.0621)
Mozilla Firefox 14.0.1 (x86 en-US) (Version: 14.0.1)
Mozilla Maintenance Service (Version: 14.0.1)
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
neroxml (Version: 1.0.0)
Orion (Version: 2.5.0)
palmOne (Version: 4.1.0420)
PowerDVD (Version: 7.0.4030.0)
Premier Predictor Pro
Premier Predictor Pro (Version: 3.0)
Print Artist Silver 22 (Version: 22.0.0.38)
Puzzle Express
Rainbow Web
RealDownloader (Version: 1.3.3)
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0)
RealNetworks - Microsoft Visual C++ 2010 Runtime (Version: 10.0)
RealPlayer (Version: 16.0.3)
Realtek High Definition Audio Driver (Version: 6.0.1.5869)
RealUpgrade 1.1 (Version: 1.1.0)
Search Toolbar (Version: 1.2)
Skype Click to Call (Version: 6.13.13771)
Skype™ 5.10 (Version: 5.10.116)
Software Update Wizard (Redistributable) 4.5 (Version: 4.5)
Soluto (Version: 1.3.1140.0)
SplashShopper (Version: 1.00.000)
SplashShopper Desktop 3.1.0 (Version: 3.1.0)
Synaptics Pointing Device Driver (Version: 12.2.4.1)
Ticket To Ride 1.0
Tri-Peaks Solitaire To Go
Tumble Bees To Go
UMPlayer 0.98 [P3] (Version: 0.98)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3) (Version: 3)
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
Update for Microsoft Office 2010 (KB2826026) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2810072) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition
Update for Microsoft Word 2010 (KB2827323) 32-Bit Edition
Windows Live Call (Version: 14.0.8050.1202)
Windows Live Communications Platform (Version: 14.0.8050.1202)
Windows Live Essentials (Version: 14.0.8050.1202)
Windows Live Mail (Version: 14.0.8050.1202)
Windows Live Messenger (Version: 14.0.8050.1202)
Windows Live Photo Gallery (Version: 14.0.8051.1204)
Windows Live Sign-in Assistant (Version: 5.000.818.6)
Windows Live Sync (Version: 14.0.8050.1202)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Live Writer (Version: 14.0.8050.1202)
Word Jong To Go
WordWeb (Version: 6)
Zuma Deluxe

==================== Restore Points =========================

28-09-2013 04:12:19 Windows Update
01-10-2013 21:29:28 Windows Update
05-10-2013 18:18:12 Windows Update
09-10-2013 18:54:37 Windows Update
13-10-2013 01:52:58 Windows Update
13-10-2013 08:00:38 Windows Update
16-10-2013 08:00:27 Windows Update
19-10-2013 19:10:44 Windows Update
23-10-2013 01:04:20 Windows Update
26-10-2013 19:54:48 Windows Update
30-10-2013 04:28:39 Windows Update
03-11-2013 03:42:44 Windows Update
05-11-2013 02:27:13 Windows Update
09-11-2013 00:57:20 Windows Update
11-11-2013 13:31:00 Windows Update

==================== Hosts content: ==========================

2006-11-02 04:23 - 2006-09-18 15:41 - 00000761 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 localhost
::1 localhost

==================== Scheduled Tasks (whitelisted) =============

Task: {1CC81347-6204-4B83-900C-01E02F50F067} - System32\Tasks\Microsoft\Windows\MobilePC\TMM
Task: {320124A7-D70F-41DE-A9D1-D5E8E19D5D91} - System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
Task: {37C97736-A809-46AB-8AD7-3EA913E9F98F} - System32\Tasks\RealUpgradeScheduledTaskS-1-5-21-1403424136-2531779536-1460617787-1000 => C:\Program Files\real\RealUpgrade\realupgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: {3BCDF251-CA5C-4045-A1FC-8FCEF9FBDC93} - System32\Tasks\Microsoft\Windows\Shell\CrawlStartPages
Task: {44980BEE-7809-44A9-AC24-D6E578A3B7DF} - System32\Tasks\Microsoft\Windows\RAC\RACAgent => C:\Windows\System32\RacAgent.exe [2008-01-20] (Microsoft Corporation)
Task: {56AA86B6-4C55-42FE-8E5D-06CD6F0A0104} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-1403424136-2531779536-1460617787-1000Core => C:\Users\Kathy\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-07-11] (Facebook Inc.)
Task: {5D697BB5-CE17-42AB-977A-8E538520A785} - System32\Tasks\Acer\Acer Assist\New Message Check - Kathy2 => C:\Program Files\Acer\Acer Assist\AcerAssist.exe [2007-11-19] (Acer Incorporated)
Task: {699189F8-685E-4BDE-9326-E232303B9996} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-1403424136-2531779536-1460617787-1000UA => C:\Users\Kathy\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-07-11] (Facebook Inc.)
Task: {764502C0-50CD-4780-BC3C-A6B9C231329C} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {97777C7E-93B2-4004-AC6C-4797A92A4E11} - \NCH Swift Sound\fastfoxSevenDays No Task File
Task: {AF505F2B-D8BF-4DEE-BAF2-F4AFCB80E198} - System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1403424136-2531779536-1460617787-1000 => C:\Program Files\real\RealUpgrade\realupgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: {BE09BED8-083F-43DC-B831-6C3E36F02D43} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-10-08] (Adobe Systems Incorporated)
Task: {C6648F1F-F7E2-4024-BD30-15EFCED048F5} - System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-1403424136-2531779536-1460617787-1000 => C:\Program Files\real\RealUpgrade\realupgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: {E5150B95-F9B4-4D5D-95A2-7EC1ACBA95F8} - System32\Tasks\Microsoft\Windows\Wireless\GatherWirelessInfo => C:\Windows\System32\gatherWirelessInfo.vbs [2008-01-20] ()
Task: {F06DCF0A-BC7F-4873-816D-53CCC53449CF} - System32\Tasks\RealUpgradeLogonTaskS-1-5-21-1403424136-2531779536-1460617787-1000 => C:\Program Files\real\RealUpgrade\realupgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1403424136-2531779536-1460617787-1000Core.job => C:\Users\Kathy\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1403424136-2531779536-1460617787-1000UA.job => C:\Users\Kathy\AppData\Local\Facebook\Update\FacebookUpdate.exe

==================== Loaded Modules (whitelisted) =============

2013-10-13 03:22 - 2013-10-13 03:22 - 00156160 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGAppControlPlugin#\4e76c0ef0b27898e1287e1992c35cf6b\PCGAppControlPluginLoader.ni.dll
2013-08-16 16:32 - 2013-08-16 16:32 - 01707008 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGPreCompiled\074b1bcfde67d61ff1989f4818b0f419\PCGPreCompiled.ni.dll
2013-01-27 09:00 - 2013-01-27 09:00 - 00077880 _____ () c:\program files\soluto\PCGDllExportInspector.dll
2010-08-17 18:27 - 2009-08-19 19:59 - 00022736 ____N () C:\Program Files\WordWeb\WUCNT.dll

==================== Alternate Data Streams (whitelisted) =========

AlternateDataStreams: C:\ProgramData\TEMP:131C0EE9
AlternateDataStreams: C:\ProgramData\TEMP:3064D21D
AlternateDataStreams: C:\ProgramData\TEMP:35759C73
AlternateDataStreams: C:\ProgramData\TEMP:51574724
AlternateDataStreams: C:\ProgramData\TEMP:798A3728
AlternateDataStreams: C:\ProgramData\TEMP:8750DCE4
AlternateDataStreams: C:\ProgramData\TEMP:94188BC6
AlternateDataStreams: C:\ProgramData\TEMP:9E22BBE8
AlternateDataStreams: C:\ProgramData\TEMP:ABE89FFE
AlternateDataStreams: C:\ProgramData\TEMP:B203B914
AlternateDataStreams: C:\ProgramData\TEMP:B623B5B8
AlternateDataStreams: C:\ProgramData\TEMP:BB24555F
AlternateDataStreams: C:\ProgramData\TEMP:CE0A077E
AlternateDataStreams: C:\ProgramData\TEMP:DCAF903C
AlternateDataStreams: C:\ProgramData\TEMP:F7862839
AlternateDataStreams: C:\ProgramData\TEMP:F94CB4DD

==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (11/11/2013 07:27:29 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (11/11/2013 07:27:29 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (11/11/2013 07:27:26 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"1".
Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (11/11/2013 07:27:26 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"1".
Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (11/11/2013 07:27:26 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"1".
Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (11/11/2013 07:27:26 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"1".
Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (11/11/2013 07:27:25 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"1".
Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (11/11/2013 07:27:25 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"1".
Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (11/11/2013 07:27:25 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"1".
Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (11/11/2013 07:27:03 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (11/11/2013 07:27:05 AM) (Source: Service Control Manager) (User: )
Description: cdrom

Error: (11/11/2013 07:27:05 AM) (Source: Service Control Manager) (User: )
Description: Lexmark X73 MFP Scanner%%2

Error: (11/10/2013 09:58:41 PM) (Source: Service Control Manager) (User: )
Description: Windows Management Instrumentation3

Error: (11/10/2013 09:58:41 PM) (Source: Service Control Manager) (User: )
Description: User Profile Service23000001Restart the service

Error: (11/10/2013 09:57:01 PM) (Source: Service Control Manager) (User: )
Description: 1Restart the serviceWindows Management Instrumentation%%1056

Error: (11/10/2013 09:56:50 PM) (Source: Service Control Manager) (User: )
Description: Windows Management Instrumentation23000001Restart the service

Error: (11/10/2013 09:56:50 PM) (Source: Service Control Manager) (User: )
Description: PEVSystemStart

Error: (11/10/2013 09:56:50 PM) (Source: Service Control Manager) (User: )
Description: Windows Management Instrumentation11200001Restart the service

Error: (11/10/2013 09:56:50 PM) (Source: Service Control Manager) (User: )
Description: User Profile Service11200001Restart the service

Error: (11/10/2013 09:56:50 PM) (Source: Service Control Manager) (User: )
Description: Network List ServiceNetwork Location Awareness%%1068


Microsoft Office Sessions:
=========================
Error: (11/11/2013 07:27:29 AM) (Source: SideBySide)(User: )
Description: rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"C:\Windows\Installer\{C8E8D2E3-EF6A-4B1D-A09E-7B27EBE2F3CE}\recordingmanager.exe

Error: (11/11/2013 07:27:29 AM) (Source: SideBySide)(User: )
Description: rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"C:\Windows\Installer\{C8E8D2E3-EF6A-4B1D-A09E-7B27EBE2F3CE}\recordingmanager.exe

Error: (11/11/2013 07:27:26 AM) (Source: SideBySide)(User: )
Description: msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\WksWP.exe

Error: (11/11/2013 07:27:26 AM) (Source: SideBySide)(User: )
Description: msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\WksWP.exe

Error: (11/11/2013 07:27:26 AM) (Source: SideBySide)(User: )
Description: msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\wksss.exe

Error: (11/11/2013 07:27:26 AM) (Source: SideBySide)(User: )
Description: msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\wksss.exe

Error: (11/11/2013 07:27:25 AM) (Source: SideBySide)(User: )
Description: msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\wksdb.exe

Error: (11/11/2013 07:27:25 AM) (Source: SideBySide)(User: )
Description: msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\wksdb.exe

Error: (11/11/2013 07:27:25 AM) (Source: SideBySide)(User: )
Description: msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\WksCal.exe

Error: (11/11/2013 07:27:03 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


CodeIntegrity Errors:
===================================
Date: 2013-11-11 07:36:06.417
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\Soluto.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-11-11 07:36:06.059
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\Soluto.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-11-11 07:36:05.684
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\Soluto.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-11-11 07:36:05.294
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\Soluto.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-11-07 18:20:35.727
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\Soluto.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-11-07 18:20:35.383
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\Soluto.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-11-07 18:20:35.040
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\Soluto.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-11-07 18:20:34.679
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\Soluto.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-11-07 18:20:34.329
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\Soluto.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-11-07 18:20:33.989
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\Soluto.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Percentage of memory in use: 69%
Total physical RAM: 1978.18 MB
Available physical RAM: 610.46 MB
Total Pagefile: 4197.4 MB
Available Pagefile: 2685.93 MB
Total Virtual: 2047.88 MB
Available Virtual: 1911.26 MB

==================== Drives ================================

Drive c: (ACER) (Fixed) (Total:220.88 GB) (Free:138.85 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 233 GB) (Disk ID: 1F8ECF12)
Partition 1: (Not Active) - (Size=12 GB) - (Type=27)
Partition 2: (Active) - (Size=221 GB) - (Type=07 NTFS)

==================== End Of Log ============================

Thanks for your patience!
tnesler
Regular Member
 
Posts: 33
Joined: September 12th, 2013, 11:42 am

Re: My Wife's PC has malware

Unread postby nunped » November 11th, 2013, 6:04 pm

Hi tnesler,

Yes, it's possible that the pen drive is infected. I suggest that you scan it with an updated antivirus on a clean computer.

Now it is time to start cleaning. It looks a bit complicated, but please bear with me:
  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad (do not include the words "Code: Select all"; click "Select all" to select all the content of the box).

Code: Select all
(COMPANYVERS_NAME) C:\PROGRA~1\FROMDO~2\bar\1.bin\65barsvc.exe
(MindSpark) C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrchMn.exe
(VER_COMPANY_NAME) C:\Program Files\FromDocToPDF_65\bar\1.bin\65brmon.exe
HKLM\...\Run: [FromDocToPDF Search Scope Monitor] - C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrchMn.exe [44784 2013-06-24] (MindSpark)
HKLM\...\Run: [FromDocToPDF_65 Browser Plugin Loader] - C:\Program Files\FromDocToPDF_65\bar\1.bin\65brmon.exe [30096 2013-06-24] (VER_COMPANY_NAME)
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
MountPoints2: {7e71ba7c-376f-11df-9e5f-00269e0b901e} - D:\LaunchU3.exe -a
MountPoints2: {de46b73d-1093-11e0-ab74-00269e0b901e} - E:\Windows\bin\eblSetup.exe
MountPoints2: {ef6316fd-2fea-11e0-abad-00269e0b901e} - D:\LaunchU3.exe -a
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsearch.com/index.jhtml ... 57&p2= ^Y6^xdm003^YY^us&ptb=87F9B5A7-1A6A-4179-A4B1-5C9585FE55A5&si=CNrN44-Q_rcCFc1cMgodX1oAuA
URLSearchHook: HKCU - (No Name) - {4c60e5ab-5c68-4c59-abaa-885010b24b32} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrcAs.dll (MindSpark)
SearchScopes: HKCU - DefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q= {searchTerms}&affID=114066&tt=2912_7&babsrc=SP_ss&mntrId=285fc8d00000000000000022fb66b6b8
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q= {searchTerms}&affID=114066&tt=2912_7&babsrc=SP_ss&mntrId=285fc8d00000000000000022fb66b6b8
SearchScopes: HKCU - {2487D5C1-0C30-4457-8532-2431C3BCB8EE} URL = http://isearch.avg.com/search?cid= {DECFAAD5-80B9-48B6-B814-2D9C0F3A1129}&mid=812065f8a3e237250d9030fa7aa40137-b60c989b9a805664a229481db4ea5b647d6c2de4&lang=en&ds=AVG&pr=fr&d=2011-10-15 14:24:37&v=9.0.0.18&sap=dsp&q={searchTerms}
BHO: Toolbar BHO - {a235e1e3-6296-4710-af39-104a7faa6c7c} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65bar.dll (MindSpark)
BHO: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Assistant BHO - {f236ca79-3123-4afb-9f74-e98117ad5625} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrcAs.dll (MindSpark)
Toolbar: HKLM - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKLM - FromDocToPDF - {c66a678d-5e6c-4af9-8f57-c6192f42cf74} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65bar.dll (MindSpark)
Toolbar: HKCU - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
FF Plugin: @FromDocToPDF_65.com/Plugin - C:\Program Files\FromDocToPDF_65\bar\1.bin\NP65Stub.dll (MindSpark)
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\babylon.xml
FF Extension: FromDocToPDF - C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\Extensions\65ffxtbr@FromDocToPDF_65.com
FF Extension: Search Toolbar - C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\Extensions\searchtoolbar@zugo.com
FF HKLM\...\Firefox\Extensions: [65ffxtbr@FromDocToPDF_65.com] - C:\Program Files\FromDocToPDF_65\bar\1.bin
FF Extension: FromDocToPDF - C:\Program Files\FromDocToPDF_65\bar\1.bin
R2 FromDocToPDF_65Service; C:\PROGRA~1\FROMDO~2\bar\1.bin\65barsvc.exe [42504 2013-06-24] (COMPANYVERS_NAME)
2013-11-05 05:21 - 2011-02-03 20:24 - 00000000 ____D C:\Program Files\Search Toolbar
C:\Users\Kathy\AppData\Roaming\124tre.ini
C:\Users\Kathy\AppData\Local\Google\Desktop\Install
C:\Program Files\Google\Desktop\Install

  • Save it to your USB flashdrive as fixlist.txt

  1. Plug the flashdrive into the infected PC.
  2. Enter System Recovery Options.
    1. To enter System Recovery Options from the Boot Menu ....
      • Restart the computer.
      • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
      • Use the arrow keys to select Repair your computer.
      • Select the operating system you want to repair, and then click Next.
      • Select your user account and click Next.
    2. To enter System Recovery Options by using Windows installation disk ....
      • Insert the installation disk.
      • Restart your computer.
      • If prompted, press any key to start Windows from the installation disc.
      • If your computer is not configured to start from a CD or DVD, check your BIOS settings.
      • Choose your language settings, and then click Next.
      • Click Repair your computer.
      • Select the operating system you want to repair, and then click Next.
      • Select your user account and click Next.
  3. In the System Recovery Options Menu you will see the following options:
      Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Scan your computer's memory for errors.
      Command Prompt
    1. Select Command Prompt
      • In the command window type in notepad and press Enter.
      • Notepad will open.
        Under the File menu, select Open.
      • Select "Computer" and find your flash drive letter.
      • Close Notepad.
    2. In the command window type E:\frst.exe and press Enter. (Note: Replace letter E with the drive letter of your flash drive.)
  4. The tool will start to run.
  5. When the tool opens click Yes to disclaimer.
  6. Press the Fix button once and wait.
  7. FRST will process fixlist.txt
  8. When finished, it will produce a log fixlog.txt on your USB flashdrive.
  9. Exit out of Recovery Environment and post the log.
nunped
MRU Honors Grad Emeritus
 
Posts: 1210
Joined: August 17th, 2011, 5:03 pm
Location: Portugal
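Before a fixlist like the one above is applied from the Recovery Environment, it is worth seeing what each line will touch. The following is an added example, not from the thread or from the FRST tool: it classifies fixlist lines by the prefixes visible in the post (assumed rules, not FRST's own parser), pulls out the file paths and CLSIDs each one references, and flags entries FRST marked ATTENTION or whose target file is already gone.

```python
# Triage an FRST fixlist before it is applied: classify each line and show what it
# will touch. Added example, not from the thread or FRST; prefix patterns are
# assumptions based on the fixlist lines posted above.
import re

# Constructed sample modelled on a few lines of the posted fixlist.
SAMPLE_FIXLIST = r"""
(MindSpark) C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrchMn.exe
HKLM\...\Run: [FromDocToPDF Search Scope Monitor] - C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrchMn.exe [44784 2013-06-24] (MindSpark)
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
MountPoints2: {7e71ba7c-376f-11df-9e5f-00269e0b901e} - D:\LaunchU3.exe -a
BHO: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
R2 FromDocToPDF_65Service; C:\PROGRA~1\FROMDO~2\bar\1.bin\65barsvc.exe [42504 2013-06-24] (COMPANYVERS_NAME)
C:\Users\Kathy\AppData\Roaming\124tre.ini
"""

# Ordered (regex, category) rules, first match wins; assumed from FRST's line prefixes.
RULES = [
    (r"^HK(?:LM|CU)\\\.\.\.\\Run:", "registry autorun"),
    (r"^MountPoints2:", "mountpoints2 autorun"),
    (r"^(?:BHO|Toolbar|URLSearchHook|SearchScopes|DPF):", "ie browser hook"),
    (r"^FF ", "firefox entry"),
    (r"^[RS]\d ", "service or driver"),
    (r"^\(.+?\) [A-Za-z]:\\", "running process"),
    (r"^\d{4}-\d{2}-\d{2} ", "dated filesystem entry"),
    (r"^[A-Za-z]:\\", "file or folder"),
]
# A drive path runs until whitespace followed by '[', '(', '<' or '-' (FRST's
# size/date, publisher, marker and separator tokens) or to end of line.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?(?=\s+[\[\(<-]|$)")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def classify(line):
    return next((cat for pat, cat in RULES if re.match(pat, line)), "unclassified")

def triage_line(line):
    flags = []
    if "ATTENTION" in line:
        flags.append("ATTENTION")        # FRST itself marked this line
    if "No File" in line or " - [x]" in line:
        flags.append("target missing")   # orphaned entry: file already gone
    cat = classify(line)
    if cat == "unclassified":
        flags.append("review manually")
    return {"line": line, "category": cat, "paths": PATH_RE.findall(line),
            "clsids": CLSID_RE.findall(line), "flags": flags}

def triage_fixlist(text):
    return [triage_line(l) for l in text.splitlines() if l.strip()]
```

Run `triage_fixlist` over the saved fixlist.txt and review any entry flagged "review manually" before booting into the Recovery Environment.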