.exe file disappering

Help, First time user here. my issue is this when I want to download a program and click run nothing happens. If I save it to a location it instanlty disappears. My Vipre anti virus did block and delete I think a trojan about a week ago. This all started around then. I have since picked a restore point from about a month ago to no success same goes for safe mode.
I do understand I should download the items in the bulletin for first time users but that happens to be my exact issue. How do get these items onto my computer to do a scan etc.

Hello and welcome to GeekPolice.Net My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*******************************************************
Please use the above method to download and run the scanners.

Please download AdwCleaner by Xplode onto your Desktop.

• Please close all open programs and internet browsers.
  
• Double click on adwcleaner.exe to run the tool.
  
• Click on Delete.
  
• Confirm each time with OK
  
• Your computer will be rebooted automatically. A text file will open after the restart.
  
• Please post the content of that logfile in your reply.
  
• You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
  

********************************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
*************************************************
Please download Junkware Removal Tool to your desktop.

•Warning! Once the scan is complete JRT will shut down your browser with NO warning.

•Shut down your protection software now to avoid potential conflicts.

•Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

•Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator

•The tool will open and start scanning your system.

•Please be patient as this can take a while to complete depending on your system's specifications.

•On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

•Copy and Paste the JRT.txt log into your next message.
*********************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

great I will download those to a USB stick and have them handy. my computer does have access to the internet but as stated in my original post I can not run or save and run any exe file or program.

mahalo123 wrote:

great I will download those to a USB stick and have them handy. my computer does have access to the internet but as stated in my original post I can not run or save and run any exe file or program.

Ok, post the logs when you're ready.

OK here are the logs listed below.


# AdwCleaner v3.000 - Report created14/08/2013at00:25:00
# Updated 13/08/2013 by Xplode
# Operating System : Windows Vista (TM) Home Premium Service Pack 1 (32 bits)
# Username : Homedesk - HOMEDESK-PC
# Running from : F:\adwcleaner.exe

***** [ Services ] *****


***** [ Files / Folders ] *****

File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKCU\Software\pc optimizer pro
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\Software\InstallIQ
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.19088

[OK] No bad entry found.

-\\ Mozilla Firefox v3.5.3 (en-US)

File Deleted : C:\Program Files\Mozilla Firefox\.autoreg
File Deleted : C:\Users\Homedesk\AppData\Roaming\Mozilla\Firefox\Profiles\br3oyj26.default\user.js

[ File : C:\Users\Homedesk\AppData\Roaming\Mozilla\Firefox\Profiles\br3oyj26.default\prefs.js ]

[OK] No bad entry found.

*************************

AdwCleaner[0].txt - [1439 octets] - [14/08/2013 00:25:00]

########## EOF - C:\AdwCleaner\AdwCleaner[0].txt - [1498 octets] ##########

__________________________________________________

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.14.02

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 8.0.6001.19088
Homedesk :: HOMEDESK-PC [administrator]

8/14/2013 12:41:01 AM
mbam-log-2013-08-14 (00-41-01).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 528456
Time elapsed: 3 hour(s), 36 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Program Files\Uniblue\SPEEDUPMYPC (PUP.Optional.SpeedUpMyPC.A) -> No action taken.
C:\Program Files\Uniblue\SPEEDUPMYPC\ErrorLogs (PUP.Optional.SpeedUpMyPC.A) -> No action taken.

Files Detected: 11
C:\Users\Homedesk\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\stub_data\stubinst_pkg_en-us.cab (PUP.Optional.OpenCandy) -> No action taken.
C:\Program Files\Uniblue\SPEEDUPMYPC\cleaner-config.xml (PUP.Optional.SpeedUpMyPC.A) -> No action taken.
C:\Program Files\Uniblue\SPEEDUPMYPC\CommandDispatchers.xml (PUP.Optional.SpeedUpMyPC.A) -> No action taken.
C:\Program Files\Uniblue\SPEEDUPMYPC\ERRORLOGS\error_log.txt (PUP.Optional.SpeedUpMyPC.A) -> No action taken.
C:\Users\Homedesk\AppData\Roaming\Sun\ddee.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Homedesk\AppData\Roaming\Sun\mnj.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Homedesk\AppData\Roaming\Sun\mxd1.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Homedesk\AppData\Roaming\Sun\ppkk.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Homedesk\AppData\Roaming\Sun\uuoo.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\{E9C1E1AC-C9B2-4C85-94DE-9C1518918D02}.TLB (Rootkit.Zeroaccess) -> Quarantined and deleted successfully.
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\{E9C1E1AC-C9B2-4C85-94DE-9C1518918D02}.TLB (Rootkit.Zeroaccess) -> Quarantined and deleted successfully.

(end)
__________________________________________


Results of screen317's Security Check version 0.99.72  
Windows Vista Service Pack 1 x86 (UAC is disabled!)  
Out of date service pack!!
Internet Explorer 8 Out of date!
Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Sunbelt VIPRE  
Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
Ad-Aware
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.75.0.1300  
CCleaner    
Java(TM) 6 Update 13  
Java(TM) SE Runtime Environment 6 Update 1
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Reader 8 Adobe Reader out of Date!
Mozilla Firefox (3.5.3) Firefox out of Date!  
````````Process Check: objlist.exe by Laurent````````  
Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe is disabled!
Acronis OnlineBackupStandalone TrueImageMonitor.exe  
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````

Please run MBAM again and Remove the infections.

Go to Microsoft Windows Update and get all critical updates including SP2 and the latest Internet Explorer.

Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.

First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
********************************************
It appears your system is infected with a rootkit. A rootkit is a powerful piece of malware, that allows hackers full control over your computer for means of sending attacks over the Internet, or using your computer to generate revenue.

Malware experts have recommended that we make it clear that with the system under control of a hacker, your computer might become impossible to clean 100%.

Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your antivirus and security tools to prevent detection and removal. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do
It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot
be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
Where to draw the line? When to recommend a format and reinstall?

Guides for format and reinstall:

how-to-reformat-and-reinstall-your-operating-system-the-easy-way

However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.

i understand your comments and have been doing any password stuff on my tablet...I am currently running malwarebytes...
I am looking to buy a new machine as I really do not trust backing up my outlook etc and then hoping the import works. I would prefer to buy a new machine transfer files and the PST file then wipe old computer. IF you think you cleaning my machine first may have a chance I would be willing so I do not have to make a rash purchase...

points of interest... I use an old vista machine and am a power user of outlook 03 so I have some concerns of my PST import and such and would give me peace of mind to be able to dig into the old machine if need be.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.14.02

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 8.0.6001.19088
Homedesk :: HOMEDESK-PC [administrator]

8/14/2013 11:47:21 PM
MBAM-log-2.txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 528289
Time elapsed: 3 hour(s), 35 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Program Files\Uniblue\SPEEDUPMYPC (PUP.Optional.SpeedUpMyPC.A) -> No action taken.
C:\Program Files\Uniblue\SPEEDUPMYPC\ErrorLogs (PUP.Optional.SpeedUpMyPC.A) -> No action taken.

Files Detected: 4
C:\Users\Homedesk\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\stub_data\stubinst_pkg_en-us.cab (PUP.Optional.OpenCandy) -> No action taken.
C:\Program Files\Uniblue\SPEEDUPMYPC\cleaner-config.xml (PUP.Optional.SpeedUpMyPC.A) -> No action taken.
C:\Program Files\Uniblue\SPEEDUPMYPC\CommandDispatchers.xml (PUP.Optional.SpeedUpMyPC.A) -> No action taken.
C:\Program Files\Uniblue\SPEEDUPMYPC\ERRORLOGS\error_log.txt (PUP.Optional.SpeedUpMyPC.A) -> No action taken.

IF you think you cleaning my machine first may have a chance I would be willing so I do not have to make a rash purchase

I can do my best but I can't be 100% certain that it's clean. The only way to do that is to re-format.

I use an old vista machine and am a power user of outlook 03 so I have some concerns of my PST import and such and would give me peace of mind to be able to dig into the old machine if need be..

I'm not sure that I understand but I really doubt that your email is infected if that's what you're worried about.
The MBAM log still shows "no action taken". You have to make sure all the infections are checked and select "Remove All"

Download Combofix from any of the links below, and save it to your DESKTOP.
If your version of Windows defaults to you download folder you will need to copy it to your desktop.

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

• Close any open windows and double click ComboFix.exe to run it.
  
  You will see the following image:
  

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

selected and cleaned with malbytes... will have to download combo onto usb from another computer tonight.

my email is my own paranoia. Not that it is infected but when I buy new machine i will go ahead and get newer office suite. My fear is that my 12 gig PST file has an error when I reimport from outlook 03 to a newr windows and newer 07 or so outlook... For my own sake makes me feel safer to have old machine with old files instead of wipe clean and hope all goes well with reimport..

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.14.02

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 8.0.6001.19088
Homedesk :: HOMEDESK-PC [administrator]

8/14/2013 11:47:21 PM
mbam-log-2013-08-14 (23-47-21).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 528289
Time elapsed: 3 hour(s), 35 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Program Files\Uniblue\SPEEDUPMYPC (PUP.Optional.SpeedUpMyPC.A) -> Quarantined and deleted successfully.
C:\Program Files\Uniblue\SPEEDUPMYPC\ErrorLogs (PUP.Optional.SpeedUpMyPC.A) -> Quarantined and deleted successfully.

Files Detected: 4
C:\Users\Homedesk\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\stub_data\stubinst_pkg_en-us.cab (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Program Files\Uniblue\SPEEDUPMYPC\cleaner-config.xml (PUP.Optional.SpeedUpMyPC.A) -> Quarantined and deleted successfully.
C:\Program Files\Uniblue\SPEEDUPMYPC\CommandDispatchers.xml (PUP.Optional.SpeedUpMyPC.A) -> Quarantined and deleted successfully.
C:\Program Files\Uniblue\SPEEDUPMYPC\ERRORLOGS\error_log.txt (PUP.Optional.SpeedUpMyPC.A) -> Quarantined and deleted successfully.

(end)

For my own sake makes me feel safer to have old machine with old files instead of wipe clean and hope all goes well with reimport...

Are you saying you want to re-format your harddrive?

not yet, I am trying to get to a good computer tonight to download combo fix to a USB stick... run that... so steps I would like to take if you are in agreement
1 run combo
2 try to fix my machine
3 if unfixable buy new computer, transfer all data to new machine
4 reformat old machine

Ok, post the log when you're ready.

combofix found rootkit.zeroaccess apparanly found commonly in fake adobe update.. anyhow log below
ComboFix 13-08-19.02 - Homedesk 08/20/2013 0:39.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2942.2371 [GMT -4:00]
Running from: F:\ComboFix.exe
AV: Sunbelt VIPRE *Enabled/Updated* {BE5DD172-7F42-7948-1A60-E6A720288F81}
SP: Sunbelt VIPRE *Enabled/Updated* {053C3096-5978-76C6-20D0-DDD55BAFC53C}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\79ejh.pad
c:\programdata\cstsm.pad
c:\programdata\erolpxei.pad
c:\programdata\reyalphsalf.pad
c:\programdata\tsohnoc.pad
c:\users\Homedesk\g2mdlhlpx.exe
c:\windows\$NtUninstallKB29937$
c:\windows\$NtUninstallKB29937$\321621314
c:\windows\$NtUninstallKB35598$
c:\windows\$NtUninstallKB35598$\54922370
c:\windows\iun6002.exe
c:\windows\ServiceProfiles\LocalService\NTUSER.DAT.tmp
c:\windows\system32\eaaaaafab2_z.dll
c:\windows\system32\jucheck.exe
c:\windows\system32\jusched.exe
c:\windows\system32\regobj.dll
.
.
((((((((((((((((((((((((( Files Created from 2013-07-20 to 2013-08-20 )))))))))))))))))))))))))))))))
.
.
2013-08-20 04:58 . 2013-08-20 05:04 -------- d-----w- c:\users\Homedesk\AppData\Local\temp
2013-08-20 04:58 . 2013-08-20 04:58 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp
2013-08-20 04:58 . 2013-08-20 04:58 -------- d-----w- c:\users\LogMeInRemoteUser.Homedesk-PC\AppData\Local\temp
2013-08-20 04:12 . 2013-08-20 04:12 477616 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-08-20 04:12 . 2013-08-20 04:12 473520 ----a-w- c:\windows\system32\deployJava1.dll
2013-08-14 05:49 . 2013-08-14 05:49 -------- d-----w- c:\program files\AnyMeeting Plug-in
2013-08-14 04:24 . 2013-08-14 04:30 -------- d-----w- C:\AdwCleaner
2013-08-13 19:42 . 2013-08-13 19:42 -------- d-----w- c:\windows\CSSync
2013-08-13 19:15 . 2013-08-13 19:15 -------- d-----w- c:\users\Homedesk\AppData\Roaming\QuickScan
2013-08-13 17:09 . 2013-08-13 17:09 -------- d-----w- c:\users\Guest\AppData\Local\Hewlett-Packard
2013-08-13 17:08 . 2013-08-13 17:08 -------- d-----w- c:\users\Guest\AppData\Roaming\RealNetworks
2013-08-12 05:10 . 2013-08-12 05:12 -------- d-----w- c:\users\Homedesk\AppData\Roaming\HpUpdate
2013-08-08 17:43 . 2013-08-08 17:43 -------- d--h--w- c:\windows\PIF
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-13 17:53 . 2008-08-17 01:33 92 ----a-w- c:\users\Homedesk\AppData\Roaming\netstat.bat
2013-06-25 14:09 . 2013-06-25 14:09 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-25 14:09 . 2011-05-31 03:00 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-16 04:50 . 2003-02-21 08:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2013-06-08 17:41 . 2008-10-31 01:57 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2013-06-08 17:41 . 2008-10-31 01:57 53064 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2013-06-08 17:41 . 2008-10-31 01:57 31560 ----a-w- c:\windows\system32\LMIport.dll
2013-06-08 17:41 . 2008-10-31 01:57 92488 ----a-w- c:\windows\system32\LMIinit.dll
2013-05-28 04:56 . 2008-10-31 01:57 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Homedesk\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Homedesk\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Homedesk\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Homedesk\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-06-27 20:11 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-06-27 20:11 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-06-27 20:11 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2013-06-27 20:11 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-06-27 20:11 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-06-27 20:11 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"PlaxoUpdate"="c:\program files\Plaxo\3.14.0.44\PlaxoHelper_en.exe" [2008-07-24 363591]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]
"CardScan AutoSync"="c:\program files\Corex\CardScan\System\CSyncCfg.exe" [2002-11-14 122955]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2013-06-27 20097696]
"Eye-Fi"="c:\program files\Eye-Fi\Helper\EyeFiHelper.exe" [2011-12-22 3961464]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-29 278528]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"WireLessMouse"="c:\program files\Multimedia Mouse Driver\StartAutorun.exe" [2005-11-30 94208]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-04-04 38840]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2012-12-21 2768248]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2010-08-02 5417752]
"SAOB Monitor"="c:\program files\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe" [2010-08-02 2536376]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2010-08-02 390736]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2011-05-11 1353040]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-15 152392]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-06-16 295512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
.
c:\users\Homedesk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Homedesk\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
eFax 4.3.lnk - c:\program files\eFax Messenger 4.3\J2GTray.exe [2008-5-23 629248]
Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe /Startup [2012-10-15 6153080]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2012-10-24 1157008]
QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks 2008\QBW32.EXE -silent [2012-10-24 1179024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^REALTEK USB Wireless LAN Utility.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\REALTEK USB Wireless LAN Utility.lnk
backup=c:\windows\pss\REALTEK USB Wireless LAN Utility.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
backup=c:\windows\pss\Snapfish Media Detector.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Homedesk^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Oneeko.lnk]
path=c:\users\Homedesk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Oneeko.lnk
backup=c:\windows\pss\Oneeko.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 10:06 40048 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 20:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-04-04 01:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CardScan AutoSync]
2002-11-14 04:59 122955 ----a-w- c:\program files\Corex\CardScan\System\CSyncCfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-02-26 22:37 135664 ----atw- c:\users\Homedesk\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2009-08-05 15:27 1644088 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 16:02 79400 ----a-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoSysTray]
2008-07-24 21:07 20480 ----a-w- c:\program files\Plaxo\3.14.0.44\plaxosystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 07:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2008-07-30 18:45 1829712 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 13:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 09:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2008-01-21 02:23 2153472 ----a-w- c:\windows\System32\oobefldr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yugma]
2008-12-09 09:54 207080 ----a-w- c:\users\Homedesk\Yugma\4.1\LaunchExtractor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [2011-05-28 3987376]
S3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys [2011-05-28 163232]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-01 00:08]
.
2013-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-01 00:08]
.
2013-08-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3198697312-3725550950-1262520190-1000Core.job
- c:\users\Homedesk\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-03 22:37]
.
2013-08-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3198697312-3725550950-1262520190-1000UA.job
- c:\users\Homedesk\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-03 22:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: ebay.com
Trusted Zone: ebay.com\signin
Trusted Zone: intuit.com
Trusted Zone: paypal.com\www
TCP: DhcpNameServer = 192.168.15.1
FF - ProfilePath - c:\users\Homedesk\AppData\Roaming\Mozilla\Firefox\Profiles\br3oyj26.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: GeckoNET InkEdit: geckonet_inkedit_4_5@thecatalis.com - %profile%\extensions\geckonet_inkedit_4_5@thecatalis.com
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Acrobat Assistant 7 - c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
MSConfigStartUp-DfrgapiServ - c:\users\Homedesk\AppData\Local\SystemGLInterval\DfrgapiServ.dll
MSConfigStartUp-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-08-20 01:05
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Enum\DISPLAY\Default_Monitor\4&1fbdd9f8&0&UID256\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Enum\DISPLAY\Default_Monitor\4&1fbdd9f8&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Enum\DISPLAY\HWP26A6\4&1fbdd9f8&0&UID256\Device Parameters\MODES]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Enum\DISPLAY\HWP26A6\4&1fbdd9f8&0&UID256\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Enum\DISPLAY\HWP26A6\4&1fbdd9f8&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4404)
c:\users\Homedesk\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Acronis\TrueImageHome\tishell.dll
c:\program files\Acronis\TrueImageHome\timounter.dll
c:\program files\Acronis\TrueImageHome\versions_page.dll
c:\windows\system32\erasext.dll
c:\windows\system32\Eraser.dll
c:\program files\Adobe\Acrobat 9.0\Acrobat Elements\ContextMenu.dll
c:\program files\Sunbelt Software\VIPRE\SBAMScanShellExt.dll
c:\program files\Sunbelt Software\VIPRE\SBAMSvcPS.dll
c:\program files\Sunbelt Software\VIPRE\SBFE.DLL
c:\program files\7-Zip\7-zip.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\RtHDVCpl.exe
c:\windows\System32\rundll32.exe
c:\program files\Multimedia Mouse Driver\MouseDrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Intuit\QuickBooks 2008\QBW32.EXE
c:\users\Homedesk\AppData\Roaming\Dropbox\bin\Dropbox.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Portrait Displays\Shared\dtsrvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\LogMeIn\x86\LMIGuardianSvc.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe
c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe
c:\windows\system32\locator.exe
c:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe
c:\windows\ehome\ehmsas.exe
c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Spybot - Search & Destroy\SDWinSec.exe
c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\hp\kbd\kbd.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2013-08-20 01:14:35 - machine was rebooted
ComboFix-quarantined-files.txt 2013-08-20 05:14
.
Pre-Run: 142,855,933,952 bytes free
Post-Run: 142,659,862,528 bytes free
.
- - End Of File - - 4DCEE97992FC6E423EFE561BA0721357
03BA8F890B47C0BE359A4D5A636D214D

second run posted.

ComboFix 13-08-19.02 - Homedesk 08/20/2013 2:04.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2942.1699 [GMT -4:00]
Running from: F:\ComboFix.exe
AV: Sunbelt VIPRE *Disabled/Updated* {BE5DD172-7F42-7948-1A60-E6A720288F81}
SP: Sunbelt VIPRE *Disabled/Updated* {053C3096-5978-76C6-20D0-DDD55BAFC53C}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2013-07-20 to 2013-08-20 )))))))))))))))))))))))))))))))
.
.
2013-08-20 06:18 . 2013-08-20 06:18 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp
2013-08-20 06:18 . 2013-08-20 06:18 -------- d-----w- c:\users\LogMeInRemoteUser.Homedesk-PC\AppData\Local\temp
2013-08-20 06:18 . 2013-08-20 06:18 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-08-20 06:18 . 2013-08-20 06:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-08-20 05:34 . 2013-08-20 05:40 -------- d-----w- c:\windows\system32\MRT
2013-08-20 04:58 . 2013-08-20 06:18 -------- d-----w- c:\users\Homedesk\AppData\Local\temp
2013-08-20 04:12 . 2013-08-20 04:12 477616 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-08-20 04:12 . 2013-08-20 04:12 473520 ----a-w- c:\windows\system32\deployJava1.dll
2013-08-14 05:49 . 2013-08-14 05:49 -------- d-----w- c:\program files\AnyMeeting Plug-in
2013-08-14 04:24 . 2013-08-14 04:30 -------- d-----w- C:\AdwCleaner
2013-08-13 19:42 . 2013-08-13 19:42 -------- d-----w- c:\windows\CSSync
2013-08-13 19:15 . 2013-08-13 19:15 -------- d-----w- c:\users\Homedesk\AppData\Roaming\QuickScan
2013-08-13 17:09 . 2013-08-13 17:09 -------- d-----w- c:\users\Guest\AppData\Local\Hewlett-Packard
2013-08-13 17:08 . 2013-08-13 17:08 -------- d-----w- c:\users\Guest\AppData\Roaming\RealNetworks
2013-08-12 05:10 . 2013-08-12 05:12 -------- d-----w- c:\users\Homedesk\AppData\Roaming\HpUpdate
2013-08-08 17:43 . 2013-08-08 17:43 -------- d--h--w- c:\windows\PIF
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-13 17:53 . 2008-08-17 01:33 92 ----a-w- c:\users\Homedesk\AppData\Roaming\netstat.bat
2013-06-25 14:09 . 2013-06-25 14:09 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-25 14:09 . 2011-05-31 03:00 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-16 04:50 . 2003-02-21 08:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2013-06-08 17:41 . 2008-10-31 01:57 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2013-06-08 17:41 . 2008-10-31 01:57 53064 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2013-06-08 17:41 . 2008-10-31 01:57 31560 ----a-w- c:\windows\system32\LMIport.dll
2013-06-08 17:41 . 2008-10-31 01:57 92488 ----a-w- c:\windows\system32\LMIinit.dll
2013-05-28 04:56 . 2008-10-31 01:57 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Homedesk\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Homedesk\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Homedesk\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Homedesk\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-06-27 20:11 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-06-27 20:11 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-06-27 20:11 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2013-06-27 20:11 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-06-27 20:11 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-06-27 20:11 579024 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"PlaxoUpdate"="c:\program files\Plaxo\3.14.0.44\PlaxoHelper_en.exe" [2008-07-24 363591]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]
"CardScan AutoSync"="c:\program files\Corex\CardScan\System\CSyncCfg.exe" [2002-11-14 122955]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2013-06-27 20097696]
"Eye-Fi"="c:\program files\Eye-Fi\Helper\EyeFiHelper.exe" [2011-12-22 3961464]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-29 278528]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"WireLessMouse"="c:\program files\Multimedia Mouse Driver\StartAutorun.exe" [2005-11-30 94208]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-04-04 38840]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2012-12-21 2768248]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2010-08-02 5417752]
"SAOB Monitor"="c:\program files\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe" [2010-08-02 2536376]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2010-08-02 390736]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2011-05-11 1353040]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-15 152392]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-06-16 295512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
.
c:\users\Homedesk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Homedesk\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
eFax 4.3.lnk - c:\program files\eFax Messenger 4.3\J2GTray.exe [2008-5-23 629248]
Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe /Startup [2012-10-15 6153080]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2012-10-24 1157008]
QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks 2008\QBW32.EXE -silent [2012-10-24 1179024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^REALTEK USB Wireless LAN Utility.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\REALTEK USB Wireless LAN Utility.lnk
backup=c:\windows\pss\REALTEK USB Wireless LAN Utility.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk
backup=c:\windows\pss\Snapfish Media Detector.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Homedesk^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Oneeko.lnk]
path=c:\users\Homedesk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Oneeko.lnk
backup=c:\windows\pss\Oneeko.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 10:06 40048 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 20:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-04-04 01:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CardScan AutoSync]
2002-11-14 04:59 122955 ----a-w- c:\program files\Corex\CardScan\System\CSyncCfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-02-26 22:37 135664 ----atw- c:\users\Homedesk\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2009-08-05 15:27 1644088 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 16:02 79400 ----a-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoSysTray]
2008-07-24 21:07 20480 ----a-w- c:\program files\Plaxo\3.14.0.44\plaxosystray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 07:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2008-07-30 18:45 1829712 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 13:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 09:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2008-01-21 02:23 2153472 ----a-w- c:\windows\System32\oobefldr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yugma]
2008-12-09 09:54 207080 ----a-w- c:\users\Homedesk\Yugma\4.1\LaunchExtractor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [2011-05-28 3987376]
S3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys [2011-05-28 163232]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-01 00:08]
.
2013-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-01 00:08]
.
2013-08-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3198697312-3725550950-1262520190-1000Core.job
- c:\users\Homedesk\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-03 22:37]
.
2013-08-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3198697312-3725550950-1262520190-1000UA.job
- c:\users\Homedesk\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-03 22:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: ebay.com
Trusted Zone: ebay.com\signin
Trusted Zone: intuit.com
Trusted Zone: paypal.com\www
TCP: DhcpNameServer = 192.168.15.1
FF - ProfilePath - c:\users\Homedesk\AppData\Roaming\Mozilla\Firefox\Profiles\br3oyj26.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: GeckoNET InkEdit: geckonet_inkedit_4_5@thecatalis.com - %profile%\extensions\geckonet_inkedit_4_5@thecatalis.com
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-08-20 02:18
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Enum\DISPLAY\Default_Monitor\4&1fbdd9f8&0&UID256\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Enum\DISPLAY\Default_Monitor\4&1fbdd9f8&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Enum\DISPLAY\HWP26A6\4&1fbdd9f8&0&UID256\Device Parameters\MODES]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Enum\DISPLAY\HWP26A6\4&1fbdd9f8&0&UID256\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Enum\DISPLAY\HWP26A6\4&1fbdd9f8&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5216)
c:\users\Homedesk\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
Completion time: 2013-08-20 02:20:54
ComboFix-quarantined-files.txt 2013-08-20 06:20
ComboFix2.txt 2013-08-20 05:14
.
Pre-Run: 141,768,196,096 bytes free
Post-Run: 141,706,829,824 bytes free
.
- - End Of File - - CC9F679BD55F6402FE8F2AE3DD599D0A
03BA8F890B47C0BE359A4D5A636D214D

RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRKgmailcom
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6001 Service Pack 1) 32 bits version
Started in : Normal mode
User : Homedesk [Admin rights]
Mode : Scan -- Date : 08/20/2013 15:49:03
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 4 ¤¤¤
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3198697312-3725550950-1262520190-1000UA.job : C:\Users\Homedesk\AppData\Local\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [7][x] -> FOUND
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3198697312-3725550950-1262520190-1000Core.job : C:\Users\Homedesk\AppData\Local\Google\Update\GoogleUpdate.exe - /c [7] -> FOUND
[V2][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3198697312-3725550950-1262520190-1000Core : C:\Users\Homedesk\AppData\Local\Google\Update\GoogleUpdate.exe - /c [7] -> FOUND
[V2][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3198697312-3725550950-1262520190-1000UA : C:\Users\Homedesk\AppData\Local\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [7][x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST336032 0AS SCSI Disk Device +++++
--- User ---
[MBR] 1b6b35e7d06033949b0dcd235292fdee
[BSP] 309fdfd200901d3359dd1e035123a213 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 333835 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 683694270 | Size: 9562 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_08202013_154903.txt >>

Please run RogueKiller again and delete those items.

Please download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it



Click the "Scan" button to start scan

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives



On completion of the scan click save log, save it to your desktop and post in your next reply

rogue delete log

RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRKgmailcom
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6001 Service Pack 1) 32 bits version
Started in : Normal mode
User : Homedesk [Admin rights]
Mode : Remove -- Date : 08/20/2013 23:13:44
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ POL] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 4 ¤¤¤
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3198697312-3725550950-1262520190-1000UA.job : C:\Users\Homedesk\AppData\Local\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [7][x] -> DELETED
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3198697312-3725550950-1262520190-1000Core.job : C:\Users\Homedesk\AppData\Local\Google\Update\GoogleUpdate.exe - /c [7] -> DELETED
[V2][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3198697312-3725550950-1262520190-1000Core : C:\Users\Homedesk\AppData\Local\Google\Update\GoogleUpdate.exe - /c [7] -> DELETED
[V2][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-3198697312-3725550950-1262520190-1000UA : C:\Users\Homedesk\AppData\Local\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [7][x] -> ERROR DELETING TASK

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1 localhost

version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-08-21 00:39:43
-----------------------------
00:39:43.584 OS Version: Windows 6.0.6001 Service Pack 1
00:39:43.584 Number of processors: 2 586 0x6B02
00:39:43.584 ComputerName: HOMEDESK-PC UserName: Homedesk
00:39:48.795 Initialize success
00:40:32.616 AVAST engine defs: 13082001
00:41:28.540 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000059
00:41:28.540 Disk 0 Vendor: ST336032 3.CH Size: 343399MB BusType: 6
00:41:28.665 Disk 0 MBR read successfully
00:41:28.665 Disk 0 MBR scan
00:41:28.665 Disk 0 unknown MBR code
00:41:28.680 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 333835 MB offset 63
00:41:28.758 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 9562 MB offset 683694270
00:41:28.790 Disk 0 scanning sectors +703277505
00:41:29.039 Disk 0 scanning C:\Windows\system32\drivers
00:41:54.640 Service scanning
00:42:32.124 Modules scanning
00:42:49.267 Disk 0 trace - called modules:
00:42:49.298 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
00:42:49.314 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x865d0030]
00:42:49.314 3 CLASSPNP.SYS[80736745] -> nt!IofCallDriver -> [0x8608d700]
00:42:49.329 5 acpi.sys[806136a0] -> nt!IofCallDriver -> \Device\00000059[0x85c54890]
00:42:51.825 AVAST engine scan C:\Windows
00:43:00.292 AVAST engine scan C:\Windows\system32
00:50:26.216 AVAST engine scan C:\Windows\system32\drivers
00:51:18.866 AVAST engine scan C:\Users\Homedesk
01:13:53.657 Disk 0 MBR has been saved successfully to "C:\Users\Homedesk\Desktop\MBR.dat"
01:13:53.657 The log file has been saved successfully to "C:\Users\Homedesk\Desktop\aswMBR1.txt"

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-08-21 00:39:43
-----------------------------
00:39:43.584 OS Version: Windows 6.0.6001 Service Pack 1
00:39:43.584 Number of processors: 2 586 0x6B02
00:39:43.584 ComputerName: HOMEDESK-PC UserName: Homedesk
00:39:48.795 Initialize success
00:40:32.616 AVAST engine defs: 13082001
00:41:28.540 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000059
00:41:28.540 Disk 0 Vendor: ST336032 3.CH Size: 343399MB BusType: 6
00:41:28.665 Disk 0 MBR read successfully
00:41:28.665 Disk 0 MBR scan
00:41:28.665 Disk 0 unknown MBR code
00:41:28.680 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 333835 MB offset 63
00:41:28.758 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 9562 MB offset 683694270
00:41:28.790 Disk 0 scanning sectors +703277505
00:41:29.039 Disk 0 scanning C:\Windows\system32\drivers
00:41:54.640 Service scanning
00:42:32.124 Modules scanning
00:42:49.267 Disk 0 trace - called modules:
00:42:49.298 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
00:42:49.314 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x865d0030]
00:42:49.314 3 CLASSPNP.SYS[80736745] -> nt!IofCallDriver -> [0x8608d700]
00:42:49.329 5 acpi.sys[806136a0] -> nt!IofCallDriver -> \Device\00000059[0x85c54890]
00:42:51.825 AVAST engine scan C:\Windows
00:43:00.292 AVAST engine scan C:\Windows\system32
00:50:26.216 AVAST engine scan C:\Windows\system32\drivers
00:51:18.866 AVAST engine scan C:\Users\Homedesk
01:13:53.657 Disk 0 MBR has been saved successfully to "C:\Users\Homedesk\Desktop\MBR.dat"
01:13:53.657 The log file has been saved successfully to "C:\Users\Homedesk\Desktop\aswMBR1.txt"
01:16:52.379 AVAST engine scan C:\ProgramData
01:24:28.811 Scan finished successfully
01:25:21.040 Disk 0 MBR has been saved successfully to "C:\Users\Homedesk\Desktop\MBR.dat"
01:25:21.040 The log file has been saved successfully to "C:\Users\Homedesk\Desktop\aswMBR2.txt"

We need to fix the Master Boot Record using aswMBR now.

• Double click aswMBR.exe to run it like before
  
• Once the scan finishes click FixMBR to remove the infection as illustrated below
  

• Once the scan finishes click Save log to save the log to your Desktop
  
  
  
  
• Copy and paste the contents of aswMBR.txt back here for review
  

.

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-08-21 23:48:25
-----------------------------
23:48:25.477 OS Version: Windows 6.0.6002 Service Pack 2
23:48:25.477 Number of processors: 2 586 0x6B02
23:48:25.477 ComputerName: HOMEDESK-PC UserName: Homedesk
23:48:26.537 Initialize success
23:58:46.394 AVAST engine defs: 13082100
23:59:40.667 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000059
23:59:40.682 Disk 0 Vendor: ST336032 3.CH Size: 343399MB BusType: 6
23:59:40.838 Disk 0 MBR read successfully
23:59:40.838 Disk 0 MBR scan
23:59:40.869 Disk 0 unknown MBR code
23:59:40.869 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 333835 MB offset 63
23:59:40.916 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 9562 MB offset 683694270
23:59:40.947 Disk 0 scanning sectors +703277505
23:59:41.150 Disk 0 scanning C:\Windows\system32\drivers
00:00:05.097 Service scanning
00:00:38.575 Modules scanning
00:00:49.167 Disk 0 trace - called modules:
00:00:49.198 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
00:00:49.214 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x865cda40]
00:00:49.230 3 CLASSPNP.SYS[8072f8b3] -> nt!IofCallDriver -> [0x8608d698]
00:00:49.245 5 acpi.sys[8060c6a0] -> nt!IofCallDriver -> \Device\00000059[0x85c2c8f8]
00:00:50.696 AVAST engine scan C:\Windows
00:00:58.402 AVAST engine scan C:\Windows\system32
00:10:01.777 AVAST engine scan C:\Windows\system32\drivers
00:10:38.820 AVAST engine scan C:\Users\Homedesk
00:29:32.607 AVAST engine scan C:\ProgramData
00:37:11.821 Scan finished successfully
00:39:05.312 Verifying
00:39:15.359 Disk 0 Windows 600 MBR fixed successfully
00:39:43.454 Disk 0 MBR has been saved successfully to "C:\Users\Homedesk\Desktop\MBR.dat"
00:39:43.486 The log file has been saved successfully to "C:\Users\Homedesk\Desktop\aswMBR3.txt"

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan

•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

• Click on to download the ESET Smart Installer. Save it to your desktop.
  
• Double click on the icon on your desktop.
  

•Check
•Click the button.
•Accept any security warnings from your browser.

• Leave the check mark next to Remove found threats.
  

•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

C:\Users\Homedesk\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-2b018eca a variant of Java/Exploit.CVE-2010-4452.B trojan
C:\Users\Homedesk\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-36e3c119 a variant of Java/Exploit.CVE-2010-4452.B trojan
C:\Users\Homedesk\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-3cf24ee2 a variant of Java/Exploit.CVE-2010-4452.B trojan
C:\Users\Homedesk\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-40e8c702 a variant of Java/Exploit.CVE-2010-4452.B trojan
C:\Users\Homedesk\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-56cbe3af a variant of Java/Exploit.CVE-2010-4452.B trojan
C:\Users\Homedesk\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\21b718cc-6e7fd420 a variant of Java/TrojanDownloader.OpenStream.NCE trojan cleaned by deleting - quarantined
C:\Users\Homedesk\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\78a7dab-58b93a7a a variant of Java/Exploit.CVE-2010-4452.B trojan cleaned by deleting - quarantined

How's your computer running now? Any other issues before we clean up?

all seems to be running well..

Download this program and run it Uninstall ComboFix .It will remove ComboFix for you.

*************************************
Click Start> Computer> right click the C Drive and choose Properties> enter
Click Disk Cleanup from there.



Click OK on the Disk Cleanup Screen.
Click Yes on the Confirmation screen.



This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
*************************************
Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

greath thank you... you have been a lifesaver. where do I click to donate

mahalo123 wrote:

greath thank you... you have been a lifesaver.  where do I click to donate

I looked everywhere on the site and I can't find a place to donate so I would like to suggest that you do something similiar for someone else.