
Likely virus - redirect, and more?

This is a discussion on Likely virus - redirect, and more? within the Resolved HJT Threads forums, part of the Tech Support Forum category.

Old 11-17-2013, 02:26 PM   #1
Registered Member
 
Join Date: Nov 2013
Posts: 15
OS: Windows Vista



Okay, I've run through all the pre-posting instructions. Here's what I'm experiencing...

Symptoms:

There are four things going on. I am not sure they are related but they do seem to have surfaced around the same time.

First, sometimes when I run a search in Google and then click on one of the search results, I get redirected. There is no pattern and it happens on a very infrequent basis - maybe once every five or ten searches. The location to which I get redirected has no consistency. For example, the most recent occurrence sent me to an Ask.com-related ad. Before that I ended up on some health information website. Neither had any apparent relationship to the searches I had run or the link I had clicked.

Second, in investigating the first issue I activated the Windows Task Manager, and under “Processes” saw there were at least five or six entries for iexplorer.exe. I am used to seeing only two. A couple were using up a lot of CPU, like in the 70,000 to 120,000 range. Not sure if this just started recently, but it has seemed like my computer was slow online lately.

Third, I am experiencing a lot of difficulty downloading things with IE9. I first noticed this with Outlook (the forced replacement for Hotmail) attachments. Kept trying to download the attachments and getting a message that they couldn’t be downloaded. Note: I only download and open attachments from people I know.

Fourth, my computer has frozen up a few times lately while online. This is not a problem I am used to experiencing.


Basic system info:

I have a Dell Inspiron 1526 with Windows Vista. I typically use IE9 as a browser. I always have AVG Free and Spybot SD running. Occasionally I activate Windows Defender, update it, run a scan, and then disable it.

Right now I have both AVG Free and Spybot disabled, but I have not uninstalled them. I also have Hijack This on my computer.

I installed all the important updates for Windows (per the automatic update detection utility) about three days ago, so I’m pretty sure I’m on the most recent Service Pack and updates.

I do have a boot disk.

Here comes the dds log...

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16514 BrowserJavaVersion: 10.5.1
Run by Garth at 14:33:32 on 2013-11-17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.764 [GMT -5:00]
.
AV: AVG AntiVirus Free Edition 2013 *Disabled/Outdated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ================
.
C:\PROGRA~1\AVG\AVG2013\avgrsx.exe
C:\Program Files\AVG\AVG2013\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2013\avgidsagent.exe
C:\Program Files\AVG\AVG2013\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Windows\system32\STacSV.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\AVG\AVG2013\avgnsx.exe
C:\Program Files\AVG\AVG2013\avgemcx.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG2013\avgui.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\regsvr32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\PIXELA\ImageMixer 3 SE for SD\CameraMonitor.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_9_900_117_ActiveX.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_117.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_117.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k HPService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1346031182&rver=6.1.6206.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-us&cbcxt=mai&snsc=1
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080118
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: &Google: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
TB: &Google: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [EPSON Stylus CX7400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticda.exe /fu "c:\windows\temp\E_S7B18.tmp" /EF "HKCU"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ROC_ROC_APR2013_AV] c:\users\garth\appdata\roaming\avg april 2013 campaign\AVG-Secure-Search-Update.exe /PROMPT --mid ee92bbab54345b40f688af3d61cbfaca-ad4892debb712105dd469fded4099fca902fef7a --CMPID ROC_APR2013_AV --CMPIDEXTRA 2013
uRun: [TimeServer] "c:\users\garth\appdata\roaming\agelong tree\WINCFFB.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [AVG-Secure-Search-Update_0913a] c:\users\garth\appdata\roaming\avg 0913a campaign\AVG-Secure-Search-Update-0913a.exe /PROMPT --mid ee92bbab54345b40f688af3d61cbfaca-ad4892debb712105dd469fded4099fca902fef7a --CMPID 0913a
uRun: [VGworks Update] regsvr32.exe c:\users\garth\appdata\local\vgworks\TeamViewerMeetingAddIn.dll
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10x_Plugin.exe -update plugin
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [Windows Mobile Device Center] c:\windows\windowsmobile\wmdc.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [WinampAgent] "c:\program files\winamp\Winampa.exe"
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se for sd\CameraMonitor.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Save video on Savevid.com - <no file>
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2iexp.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://join-test.webex.com/client/T27L/webex/ieatgpc1.cab
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{AAB211BE-F8C8-4C48-8009-B2705BFF0AE8} : DHCPNameServer = 209.18.47.61 209.18.47.62
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
AppInit_DLLs= c:\progra~1\google\google~2\GOEC62~1.DLL
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\garth\appdata\roaming\mozilla\firefox\profiles\vowa3u05.default\
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\users\garth\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\garth\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\garth\appdata\roaming\mozilla\plugins\npicaN.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_117.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: 2013-10-16 22:24; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; c:\program files\mozilla firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - ExtSQL: !HIDDEN! 2010-12-25 13:44; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2013-7-20 60216]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2013-7-20 246072]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2013-7-1 96568]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2013-9-5 39224]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2013-7-20 208184]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2013-9-10 22328]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2013-7-20 171320]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2013-3-21 182072]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-1-18 73728]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2013\avgidsagent.exe [2013-7-4 4939312]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2013\avgwdsvc.exe [2013-7-23 283136]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2011-8-13 21504]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-10-31 1153368]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2013-10-9 3275136]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-6-21 162408]
.
=============== Created Last 30 ================
.
2013-11-16 13:02:30 34304 ----a-w- c:\windows\system32\atmlib.dll
2013-11-16 13:01:55 35328 ----a-w- c:\windows\system32\drivers\usbscan.sys
2013-11-16 13:01:54 25472 ----a-w- c:\windows\system32\drivers\hidparse.sys
2013-11-12 03:38:11 7796464 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{5fd4355b-b058-40d1-a5be-3ce056ad9f37}\mpengine.dll
2013-11-07 02:14:29 -------- d-----w- c:\users\garth\appdata\local\VGworks
2013-10-27 22:36:38 -------- d-----w- c:\users\garth\appdata\local\Macromedia
.
==================== Find3M ====================
.
2013-10-27 19:59:14 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-27 19:59:13 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-22 10:22:59 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-09-22 10:14:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-09-22 10:13:22 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-09-22 10:08:41 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-09-22 1058 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-09-22 10:03:18 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-09-10 05:34:48 22328 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
2013-09-05 05:43:42 39224 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2013-09-03 18:35:12 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-08-29 07:36:04 2050048 ----a-w- c:\windows\system32\win32k.sys
2013-08-27 02:47:50 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2013-08-27 02:47:50 189952 ----a-w- c:\windows\system32\d3d10core.dll
2013-08-27 02:47:50 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2013-08-27 02:47:50 1029120 ----a-w- c:\windows\system32\d3d10.dll
2013-08-27 01:52:08 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2013-08-27 01:50:40 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2013-08-27 01:32:20 683008 ----a-w- c:\windows\system32\d2d1.dll
2013-08-27 01:28:36 1069056 ----a-w- c:\windows\system32\DWrite.dll
2013-08-27 01:28:35 798208 ----a-w- c:\windows\system32\FntCache.dll
1997-01-13 05:00:00 5317904 ----a-w- c:\program files\WINWORD.EXE
.
============= FINISH: 14:34:07.17 ===============
Attached Files
File Type: zip attach (2).zip (7.2 KB, 19 views)

__________________
Wolf321 is offline  
Old 11-17-2013, 05:56 PM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 25,643
OS: XP SP3; Win7 32/64-bit



Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Clean
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner[S#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------

__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Old 11-17-2013, 07:19 PM   #3
Registered Member
 
Join Date: Nov 2013
Posts: 15
OS: Windows Vista



Thanks for the help. Here's the AdwCleaner log - looks like it turned up some things...

# AdwCleaner v3.012 - Report created 17/11/2013 at 22:13:59
# Updated 11/11/2013 by Xplode
# Operating System : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
# Username : Garth - GARTH-PC
# Running from : C:\Users\Garth\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files\orbitdownloader
Folder Deleted : C:\Users\Garth\AppData\Local\PackageAware

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3F1D494B-0CEF-4468-96C9-386E2E4DEC90}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7854F00C-DC77-477E-A10E-603F48442D3B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A0880527-DC28-4EBB-BA27-D22102F22A9F}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{BCDDE143-FAE3-4C57-B22B-C4E8678CFDC0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7854F00C-DC77-477E-A10E-603F48442D3B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4250488A-CB24-0893-C066-B1AEA57BCFF2}
Key Deleted : HKCU\Software\Orbit
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\Orbit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Orbit_is1
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Orbit_is1

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16514


-\\ Mozilla Firefox v25.0.1 (en-US)

[ File : C:\Users\Garth\AppData\Roaming\Mozilla\Firefox\Profiles\vowa3u05.default\prefs.js ]


-\\ Google Chrome v

[ File : C:\Users\Garth\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [2875 octets] - [17/11/2013 22:12:30]
AdwCleaner[S0].txt - [2848 octets] - [17/11/2013 22:13:59]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2908 octets] ##########
__________________
Wolf321 is offline  
Old 11-18-2013, 05:01 AM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 25,643
OS: XP SP3; Win7 32/64-bit



Hello Wolf321.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Double-click ComboFix.exe and follow the prompts to run it.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

If you get an 'Illegal operation attempted on a Registry key which has been marked for deletion' error message, please reboot your machine.

------------------------------------------------------

chemist is offline  
Old 11-18-2013, 03:59 PM   #5
Registered Member
 
Join Date: Nov 2013
Posts: 15
OS: Windows Vista



chemist,

No worries, I'm here until this is good and cleaned up. Thanks again for the help. Here's the ComboFix log...

ComboFix 13-11-18.01 - Garth 11/18/2013 18:32:55.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.923 [GMT -5:00]
Running from: c:\users\Garth\Desktop\ComboFix.exe
AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\$recycle.bin\S-1-5-21-3713671271-1291590987-1051936167-1000\$7faaaafacf142f743593878a94dc601b\@
c:\$recycle.bin\S-1-5-21-3713671271-1291590987-1051936167-1000\$7faaaafacf142f743593878a94dc601b\U\00000001.@
c:\$recycle.bin\S-1-5-21-3713671271-1291590987-1051936167-1000\$7faaaafacf142f743593878a94dc601b\U\80000000.@
c:\$recycle.bin\S-1-5-21-3713671271-1291590987-1051936167-1000\$7faaaafacf142f743593878a94dc601b\U\800000cb.@
c:\programdata\Microsoft\Windows\DRM\5724.tmp
c:\programdata\Microsoft\Windows\DRM\7BE3.tmp
c:\programdata\Microsoft\Windows\DRM\9BB2.tmp
c:\windows\security\Database\tmp.edb
.
.
((((((((((((((((((((((((( Files Created from 2013-10-18 to 2013-11-18 )))))))))))))))))))))))))))))))
.
.
2013-11-18 23:42 . 2013-11-18 23:42 -------- d-----w- c:\users\Garth\AppData\Local\temp
2013-11-18 23:42 . 2013-11-18 23:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-11-18 03:11 . 2013-11-18 03:14 -------- d-----w- C:\AdwCleaner
2013-11-16 13:02 . 2013-06-04 04:16 34304 ----a-w- c:\windows\system32\atmlib.dll
2013-11-16 13:01 . 2013-07-03 02:33 35328 ----a-w- c:\windows\system32\drivers\usbscan.sys
2013-11-16 13:01 . 2013-07-03 02:10 25472 ----a-w- c:\windows\system32\drivers\hidparse.sys
2013-11-12 03:38 . 2013-10-16 05:20 7796464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5FD4355B-B058-40D1-A5BE-3CE056AD9F37}\mpengine.dll
2013-11-07 02:14 . 2013-11-08 11:32 -------- d-----w- c:\users\Garth\AppData\Local\VGworks
2013-10-27 22:52 . 2013-11-18 03:03 -------- d-----w- c:\program files\Mozilla Maintenance Service
2013-10-27 22:36 . 2013-10-27 22:36 -------- d-----w- c:\users\Garth\AppData\Local\Macromedia
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-27 19:59 . 2013-07-09 00:07 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-27 19:59 . 2011-11-08 16:58 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-10 05:34 . 2013-09-10 05:34 22328 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
2013-09-05 05:43 . 2013-09-05 05:43 39224 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2013-09-03 18:35 . 2010-02-20 16:14 238872 ------w- c:\windows\system32\MpSigStub.exe
1997-01-13 05:00 . 2008-07-24 01:37 5317904 ----a-w- c:\program files\WINWORD.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-18 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"VGworks Update"="c:\users\Garth\AppData\Local\VGworks\TeamViewerMeetingAddIn.dll" [2013-11-07 804352]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-07 159744]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-09-23 4411952]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-18 50688]
ImageMixer 3 SE Camera Monitor for SD.lnk - c:\program files\PIXELA\ImageMixer 3 SE for SD\CameraMonitor.exe [2009-7-18 253952]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE -b -l [1999-2-17 65588]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-9-7 1180952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 15:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-11-12 73728]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-23 c:\windows\Tasks\ROC_REG_JAN_DELETE.job
- c:\programdata\AVG January 2013 Campaign\ROC.exe [2013-01-23 21:16]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.live.com/login.srf?wa=...cxt=mai&snsc=1
uInternet Settings,ProxyOverride = *.local
IE: Save video on Savevid.com
Trusted Zone: netzero.com
Trusted Zone: netzero.net
Trusted Zone: westlaw.com
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\Garth\AppData\Roaming\Mozilla\Firefox\Profiles\vowa3u05.default\
FF - ExtSQL: 2013-10-16 22:24; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; c:\program files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - ExtSQL: !HIDDEN! 2010-12-25 13:44; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-ROC_ROC_APR2013_AV - c:\users\Garth\AppData\Roaming\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe
HKCU-Run-TimeServer - c:\users\Garth\AppData\Roaming\Agelong Tree\WINCFFB.exe
HKCU-Run-AVG-Secure-Search-Update_0913a - c:\users\Garth\AppData\Roaming\AVG 0913a Campaign\AVG-Secure-Search-Update-0913a.exe
HKLM-Run-WinampAgent - c:\program files\Winamp\Winampa.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2013-11-18 18:42
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-11-18 18:49:14
ComboFix-quarantined-files.txt 2013-11-18 23:49
.
Pre-Run: 169,153,101,824 bytes free
Post-Run: 169,282,617,344 bytes free
.
- - End Of File - - 21B6122522E1595AB1DEFC171065FD5F
CDB4DE4BBD714F152979DA2DCBEF57EB
__________________
Wolf321 is offline  
Old 11-18-2013, 07:09 PM   #6
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 25,643
OS: XP SP3; Win7 32/64-bit



Hello again, Wolf321. How is the machine behaving?

One or more of the identified infections was a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

------------------------------------------------------

Please download Malwarebytes' Anti-Malware and Save it to your Desktop.
  • Right-click mbam-setup.exe and choose 'Run as administrator' to install it.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Under the Scanner tab, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and you may be prompted to Restart your computer. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy/Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


------------------------------------------------------

Uninstall the following via the Programs and Features Panel (Start->(Settings)->Control Panel->Programs->Programs and Features):

Java(TM) SE Runtime Environment 6

These are all outdated and are security risks if left installed. Reboot your computer once all those Java components are removed.

Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

In fact, you should be able to update your current Java, Java(TM) 7 Update 5, by going to Control Panel > Programs > Java (looks like a coffee cup). Click on the Update tab. On the lower right, click on Update Now. An update should begin. Allow the install of the new Java.

Make sure you untick the box next to whatever free program they prompt you to install, unless you want it.
  • After the install is complete, go back to your Control Panel > Programs and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options checked in the window to clear the cache - Leave BOTH Checked
      • Cached Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Cached Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

In Microsoft Windows Vista/Win7, you must open the Web browser via a right-click using the Run as Administrator command.

Go here and click 'ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change.. button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish.
  • When the scan is done, if it shows a screen that says "Threats found!", click "List of found threats", and then click "Export to text file..."
  • Save that text file to your desktop, and then copy/paste the contents in your next reply.
------------------------------------------------------

Please post the following in your next reply:

MBAM log
ESET report
report on system behavior
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Old 11-19-2013, 04:58 PM   #7
Registered Member
 
Join Date: Nov 2013
Posts: 15
OS: Windows Vista



Okay, the multiple iexplorer.exe processes no longer show up in Task Manager (they were showing up even when I was using Firefox), which is a good sign. Computer seems to be running more smoothly. However, after doing Malwarebytes, deleting the old Java SE Runtime Environment, and updating Java, I ran into a snag. Java no longer shows up in my Control Panel (although the updated version does appear in the list of programs to uninstall). So I can't clear the cached applications and applets.

Also, I'm now getting a RegSvr32 box when I boot up, saying a module ("C:\Users\Garth\App...TeamViewerMeetingAddIn.dll") failed to load.

I also briefly got a blank box saying "Form1 (not responding)" but that soon disappeared after boot.

Here's the Malwarebytes log:

Malwarebytes Anti-Malware 1.75.0.1300
Malwarebytes : Free anti-malware download

Database version: v2013.11.19.12

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Garth :: GARTH-PC [administrator]

11/19/2013 6:48:25 PM
mbam-log-2013-11-19 (18-48-25).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 209189
Time elapsed: 25 minute(s), 9 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Users\Garth\AppData\Local\VGworks\TeamViewerMeetingAddIn.dll (VirTool.Vbcrypt) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Garth\AppData\Local\VGworks\TeamViewerMeetingAddIn.dll (VirTool.Vbcrypt) -> Delete on reboot.

(end)


I didn't continue with the ESET stuff as the Java bit didn't go properly.
__________________
Wolf321 is offline  
Old 11-19-2013, 06:39 PM   #8
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 25,643
OS: XP SP3; Win7 32/64-bit



Hello again, Wolf321. Open MBAM, go to Quarantine, highlight C:\Users\Garth\AppData\Local\VGworks\TeamViewerMeetingAddIn.dll

Click 'Restore' > 'Exit'. Reboot. Is the RegSvr32 message gone now?

------------------------------------------------------

Quote:
However, after doing Malwarebytes, deleting the old Java SE Runtime Environment, and updating Java, I ran into a snag. Java no longer shows up in my Control Panel (although the updated version does appear in the list of programs to uninstall). So I can't clear the cached applications and applets.
This happened on my computer, and I had to do this:

Uninstall Java 7 Update 45 via Programs and Features. Reboot your computer.

Navigate to, right-click and delete this Folder:

C:\Program Files\Java

Go here and follow the prompts to install the latest Java > java.com: Java + You

Make sure you untick the box next to whatever free program they prompt you to install, unless you want it.
  • After the install is complete, go back to your Control Panel > Programs and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options checked in the window to clear the cache - Leave BOTH Checked
      • Cached Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Cached Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
------------------------------------------------------

If successful, go ahead with the ESET scan. Let me know.

------------------------------------------------------
__________________
chemist is offline  
Old 11-20-2013, 03:06 AM   #9
Registered Member
 
Join Date: Nov 2013
Posts: 15
OS: Windows Vista



Okay, we're getting closer, but still a few hiccups.

The RegSvr32 box no longer appears on boot, so that issue seems to be resolved.

I installed Java. After a while the box to allow a program to make changes to the computer appeared. When I clicked "Allow," I briefly got the message that the Java wizard was interrupted before it could finish installing. However, that disappeared; the installation screen seemed to show installation was done; and Java now appears in my Control Panel. I note, however, that the Java Update 45 does not appear in the list of programs to uninstall. Maybe it will after a boot.

I then tried to delete cached applications and logs in Java, and it cranked away for about a half hour and wouldn't let me click out of the Java windows. Eventually I used the Task Manager to end Java. The delete process either was still going on or it was stuck.

Is it supposed to take that kind of time?

As a result of all this, I again held off on the ESET scan.
__________________
Wolf321 is offline  
Old 11-20-2013, 04:16 AM   #10
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 25,643
OS: XP SP3; Win7 32/64-bit



Hello again, Wolf321. No, it's not supposed to take that long. Is Spybot a must have?

Uninstall Spybot for now. You can always re-install it once we are done.

Reboot and see if Java 7 Update 45 is listed in Programs and Features. If not, try installing Java again. Regardless if it works, go ahead and do the online scan with ESET. Let me know how it goes.

------------------------------------------------------
__________________
chemist is offline  
Old 11-21-2013, 03:26 AM   #11
Registered Member
 
Join Date: Nov 2013
Posts: 15
OS: Windows Vista



Sigh...when it looked like we were close to finishing...

Okay. First of all, every time I try to install Java, it tells me the installation was interrupted. I tried several ways, including with Spybot completely uninstalled and AVG Free disabled. Java continues to show up in my Control Panel, but the Java Update 45 or whatever still is absent from the “uninstall” list under Programs and Features. Curiously, Java FX 2.1.1, which had disappeared from that list for a while, is now back in the list. It’s the only Java entry that appears there.

So I tried to use the Java control panel to clear the cached applications and logs, and again it churned away for a while and basically went nowhere. I had to end it using the Task Manager.

...Where I noticed the multiple iexplore.exe processes are back in action again, and using up a lot of CPU (150,000 kb plus), even though I wasn’t using Internet Explorer at the time. It takes a hell of a lot of “end process” directions to get them to stop, too - multiple per process. Pretty soon they reappear. (Sometimes, oddly, they just disappear, too.) There are also now two “javaw.exe” and two “javaws.exe” processes listed.

Then, when I tried to get ESET with Internet Explorer, it told me that I was trying to run the online scan with a browser other than Internet Explorer, so I’d need to download the ESET installer. And as it turns out, I still can’t download things using Internet Explorer; the download fails.

So I downloaded the ESET installer using Firefox. It seems to have found some pretty nasty-looking things, some of which may exploit Java. Here’s the log:

C:\Program Files\Freecorder\freecorder.exe a variant of Win32/Toolbar.Conduit.B application
C:\Qoobox\Quarantine\C\$Recycle.Bin\S-1-5-21-3713671271-1291590987-1051936167-1000\$7faaaafacf142f743593878a94dc601b\U\80000000.@.vir Win32/Sirefef.FA trojan
C:\Qoobox\Quarantine\C\$Recycle.Bin\S-1-5-21-3713671271-1291590987-1051936167-1000\$7faaaafacf142f743593878a94dc601b\U\800000cb.@.vir Win32/Sirefef.FL trojan
C:\Users\Garth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\4b4d6381-6297eab2 multiple threats
C:\Users\Garth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\5519f102-18784bed multiple threats
C:\Users\Garth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\40a0d418-1dc534aa multiple threats
C:\Users\Garth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\23e50bde-6c456c4e a variant of Java/Exploit.Agent.NDH trojan
C:\Users\Garth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\7c1d3fe4-216c0fc0 a variant of Java/Exploit.CVE-2010-0840.NAO trojan
C:\Users\Garth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\11e970f8-20c1c54b multiple threats
C:\Users\Garth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\50523bbb-5bbe96ea a variant of Java/TrojanDownloader.OpenStream.NBF trojan
C:\Users\Garth\Downloads\cnet_FCTBSetup_exe.exe a variant of Win32/InstallCore.D application
C:\Users\Garth\Downloads\FCTBSetup.exe multiple threats
__________________
Wolf321 is offline  
Old 11-21-2013, 05:14 AM   #12
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 25,643
OS: XP SP3; Win7 32/64-bit



Hello again, Wolf321. Qoobox is ComboFix's quarantine folder. It will get deleted when we uninstall ComboFix.

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\Program Files\Freecorder\freecorder.exe"
"C:\Users\Garth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\4b4d6381-6297eab2"
"C:\Users\Garth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\5519f102-18784bed"
"C:\Users\Garth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\40a0d418-1dc534aa"
"C:\Users\Garth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\23e50bde-6c456c4e"
"C:\Users\Garth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\7c1d3fe4-216c0fc0"
"C:\Users\Garth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\11e970f8-20c1c54b"
"C:\Users\Garth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\50523bbb-5bbe96ea"
"C:\Users\Garth\Downloads\cnet_FCTBSetup_exe.exe"
"C:\Users\Garth\Downloads\FCTBSetup.exe"


) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)


if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
del %0
Save this Notepad file as fix.bat and choose to Save as type: - All Files to your desktop then close the Notepad file.
It should look like this:

Right-click on fix.bat and choose 'Run as administrator' to allow it to run.

Tell me what it says in your next reply. Press any key to continue.

------------------------------------------------------

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it. (Vista/Win7 users, right-click > Run as Administrator)
  • Copy/paste the contents of the following codebox into the main textfield:
    Code:
    :folderfind
    java
    
    :regfind
    java
  • Click the Look button to start the scan.
  • Please be patient, as it may take a while.
  • When finished, a Notepad file will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

------------------------------------------------------
__________________
chemist is offline  
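Editor's note on the post above: the fix.bat lists every ESET detection except the two under C:\Qoobox, because that folder is ComboFix's own quarantine and goes away when ComboFix is uninstalled. The script below is an added example from the editor, not code from the thread, from ESET or from ComboFix. It parses the ESET report lines exactly as they were pasted above (the real export is tab separated, but the forum collapsed the tab to a space, so the parser anchors on the detection name at the end of each line), sorts each finding into quarantine, Java deployment cache or live file, and produces the list of paths that went into the batch file. All function and constant names are the editor's own.

```python
import re
from typing import List, NamedTuple

# Lines copied from the ESET Online Scanner report posted earlier in the thread.
ESET_REPORT = r"""
C:\Program Files\Freecorder\freecorder.exe a variant of Win32/Toolbar.Conduit.B application
C:\Qoobox\Quarantine\C\$Recycle.Bin\S-1-5-21-3713671271-1291590987-1051936167-1000\$7faaaafacf142f743593878a94dc601b\U\80000000.@.vir Win32/Sirefef.FA trojan
C:\Qoobox\Quarantine\C\$Recycle.Bin\S-1-5-21-3713671271-1291590987-1051936167-1000\$7faaaafacf142f743593878a94dc601b\U\800000cb.@.vir Win32/Sirefef.FL trojan
C:\Users\Garth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\4b4d6381-6297eab2 multiple threats
C:\Users\Garth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\5519f102-18784bed multiple threats
C:\Users\Garth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\40a0d418-1dc534aa multiple threats
C:\Users\Garth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\23e50bde-6c456c4e a variant of Java/Exploit.Agent.NDH trojan
C:\Users\Garth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\7c1d3fe4-216c0fc0 a variant of Java/Exploit.CVE-2010-0840.NAO trojan
C:\Users\Garth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\11e970f8-20c1c54b multiple threats
C:\Users\Garth\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\50523bbb-5bbe96ea a variant of Java/TrojanDownloader.OpenStream.NBF trojan
C:\Users\Garth\Downloads\cnet_FCTBSetup_exe.exe a variant of Win32/InstallCore.D application
C:\Users\Garth\Downloads\FCTBSetup.exe multiple threats
"""

# A pasted line is "<path> <detection>". Paths may contain spaces ("Program Files"),
# so the path is taken non-greedily and the detection is matched against the end of
# the line: either "multiple threats" or "[a variant of ]Family/Name <type>".
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S.*?)\s+"
    r"(?P<detection>(?:a variant of\s+)?[A-Za-z0-9]+/\S+\s+"
    r"(?:application|trojan|worm|virus|adware)|multiple threats)$"
)


class Finding(NamedTuple):
    path: str
    detection: str
    category: str  # "quarantine", "java-cache" or "live"


def categorize(path: str) -> str:
    p = path.lower()
    if p.startswith("c:\\qoobox\\"):
        return "quarantine"   # ComboFix quarantine; removed when ComboFix is uninstalled
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java-cache"   # applets cached by the Java browser plug-in
    return "live"


def parse_eset_report(text: str) -> List[Finding]:
    """Parse every non-empty line; an unparseable line is an error, not silently skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ESET line: {line!r}")
        findings.append(Finding(m["path"], m["detection"], categorize(m["path"])))
    return findings


def paths_to_remove(findings: List[Finding]) -> List[str]:
    """Everything except ComboFix's own quarantine, which its uninstaller handles."""
    return [f.path for f in findings if f.category != "quarantine"]


def batch_file_list(findings: List[Finding]) -> str:
    """Render the quoted path list in the form the fix.bat for-loop above expects."""
    return "\n".join(f'"{p}"' for p in paths_to_remove(findings))


if __name__ == "__main__":
    for f in parse_eset_report(ESET_REPORT):
        print(f"{f.category:10} {f.detection:55} {f.path}")
    print(batch_file_list(parse_eset_report(ESET_REPORT)))
```

Run as-is it prints one categorised row per detection and then the ten quoted paths that appear in the batch file above. The parser refuses lines it does not understand rather than guessing at a path, which matters when the output is about to be fed to a deletion loop.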
Old 11-21-2013, 05:39 PM   #13
Registered Member
 
Join Date: Nov 2013
Posts: 15
OS: Windows Vista



Okay. When I did the file.bat, it just said the deletion was successful.

Still getting the rogue iexplore.exe processes. Are we close to killing those for good?

Apparently the SystemLook log is too long to include in the reply, so I'm attaching it as a file.
Attached Files
File Type: txt SystemLook.txt (446.0 KB, 2 views)
__________________
Wolf321 is offline  
Old 11-21-2013, 06:18 PM   #14
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 25,643
OS: XP SP3; Win7 32/64-bit



Hello again, Wolf321.
  • Download and extract Malwarebytes Anti-Rootkit from here mbar-1.07.0.1007.zip and save it to your desktop.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.
  • Double-click mbar.exe inside the mbar folder then click 'Next'.
  • Note: Malwarebytes Anti-Rootkit requires administrative privileges to function properly.
  • Click 'Update'.
  • When finished updating, click 'Next' then 'Scan'.
  • If you are told you have the 'AppInit_Dlls rootkit', choose not to fix it and proceed with the scan.
  • With some infections, you may see two messages boxes:
    • 'Could not load protection driver'. Click 'OK'.
    • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart, then continue with the rest of these instructions.
  • If malware is found, do NOT press the 'Cleanup' button yet. Click 'Exit'.
  • Please zip and attach the two log files created by the tool within the folder from which it was run.
The logs will be named mbar-log-YYYY-MM-DD (##-##-##).txt and system-log.txt

------------------------------------------------------
__________________
chemist is offline  
Old 11-22-2013, 09:08 PM   #15
Registered Member
 
Join Date: Nov 2013
Posts: 15
OS: Windows Vista



Here we go...
Attached Files
File Type: zip system-log.zip (4.2 KB, 2 views)
__________________
Wolf321 is offline  
Old 11-23-2013, 12:45 PM   #16
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 25,643
OS: XP SP3; Win7 32/64-bit



Hello again, Wolf321. Still not seeing what is causing the problem.

After running ComboFix, don't do anything else, especially installing Java. We'll proceed from there.

------------------------------------------------------

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
Folder::
C:\Program Files\Java
C:\ProgramData\Sun\Java
C:\Users\All Users\Sun\Java
C:\Users\Garth\AppData\LocalLow\Oracle\Java
C:\Users\Garth\AppData\LocalLow\Sun\Java
c:\program files\Common Files\Java
C:\Windows\java

ClearJavaCache::

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
[-HKEY_CURRENT_USER\Software\AppDataLow\Software\JavaSoft]
[-HKEY_CURRENT_USER\Software\JavaSoft]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3713671271-1291590987-1051936167-1000\Software\JavaSoft]
[-HKEY_CURRENT_USER\Software\Microsoft\Java VM]
[-HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\JavaSoft]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.java]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.jnlp]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\java.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\javaw.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\F6071111A6667304777712318267D401]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaPlugin]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaScript]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JavaWebStart.isInstalled]
[-HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\javaws.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\JavaFX]
[-HKEY_USERS\.DEFAULT\Software\Classes\JavaPlugin.1050]
[-HKEY_USERS\.DEFAULT\Software\Classes\JavaPlugin.160]
[-HKEY_USERS\.DEFAULT\Software\JavaSoft]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Java VM]
[-HKEY_USERS\S-1-5-21-3713671271-1291590987-1051936167-1000\Software\AppDataLow\Software\JavaSoft]
[-HKEY_USERS\S-1-5-21-3713671271-1291590987-1051936167-1000\Software\JavaSoft]
[-HKEY_USERS\S-1-5-21-3713671271-1291590987-1051936167-1000\Software\Classes\JavaPlugin.10452]
[-HKEY_USERS\S-1-5-21-3713671271-1291590987-1051936167-1000\Software\Classes\JavaPlugin.1051]
[-HKEY_USERS\S-1-5-21-3713671271-1291590987-1051936167-1000\Software\Classes\VirtualStore\MACHINE\SOFTWARE\JavaSoft]
[-HKEY_USERS\S-1-5-21-3713671271-1291590987-1051936167-1000_Classes\JavaPlugin.10452]
[-HKEY_USERS\S-1-5-21-3713671271-1291590987-1051936167-1000_Classes\JavaPlugin.1051]
[-HKEY_USERS\S-1-5-21-3713671271-1291590987-1051936167-1000_Classes\VirtualStore\MACHINE\SOFTWARE\JavaSoft]
[-HKEY_USERS\S-1-5-18\Software\Classes\JavaPlugin.1050]
[-HKEY_USERS\S-1-5-18\Software\Classes\JavaPlugin.160]
[-HKEY_USERS\S-1-5-18\Software\Microsoft\Java VM]
[-HKEY_USERS\S-1-5-18\Software\JavaSoft]
Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix.

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
__________________
chemist is offline  
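Editor's note on the CFScript above: its Registry:: section sets "DisableMonitoring" back to 0 under HKLM\software\microsoft\security center\Monitoring and removes the same value from the SymantecAntiVirus and SymantecFirewall subkeys. Those entries, together with "AntiVirusOverride" and "AntiSpywareOverride" under security center\Svc, appeared set to 1 in the ComboFix log earlier in the thread; values like these suppress Windows Security Center's antivirus and firewall status reporting, which is why a cleaner wants them reset. The script below is an added example from the editor, not code from the thread or from ComboFix. It parses a ComboFix-style registry dump, flags those entries, and emits a Registry:: block in the style of the CFScript above; it goes one step further than that script by also listing the Svc override values for removal. Function and constant names are the editor's own.

```python
import re
from typing import Dict, List, NamedTuple

# Registry lines copied from the ComboFix log earlier in the thread (the "." lines
# are ComboFix's section separators and are ignored by the parser).
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 15:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_registry_dump(text: str) -> Dict[str, Dict[str, int]]:
    """Return {key: {value_name: dword}} for every dword value in the dump.
    Keys are recorded even if they carry no dword values; other line shapes are ignored."""
    keys: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m["key"]
            keys.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m["name"]] = int(m["hex"], 16)
    return keys


class Tamper(NamedTuple):
    key: str
    name: str
    value: int


def find_security_center_tampering(keys: Dict[str, Dict[str, int]]) -> List[Tamper]:
    """Flag non-zero DisableMonitoring values under security center\\Monitoring (and its
    vendor subkeys) and any non-zero *Override value under security center\\Svc."""
    found: List[Tamper] = []
    for key, values in keys.items():
        k = key.lower()
        if "\\security center\\monitoring" in k:
            v = values.get("DisableMonitoring", 0)
            if v:
                found.append(Tamper(key, "DisableMonitoring", v))
        elif k.endswith("\\security center\\svc"):
            for name, v in values.items():
                if name.endswith("Override") and v:
                    found.append(Tamper(key, name, v))
    return found


def reset_script(findings: List[Tamper]) -> str:
    """Emit a ComboFix Registry:: block in the style of the CFScript above: the base
    Monitoring key is set back to 0, vendor subkey values and Svc overrides are deleted."""
    lines = ["Registry::"]
    for t in findings:
        lines.append(f"[{t.key}]")
        if t.key.lower().endswith("\\security center\\monitoring"):
            lines.append(f'"{t.name}"=dword:00000000')
        else:
            lines.append(f'"{t.name}"=-')
    return "\n".join(lines)


if __name__ == "__main__":
    tampering = find_security_center_tampering(parse_registry_dump(SAMPLE_DUMP))
    for t in tampering:
        print(f"{t.key}  {t.name} = {t.value}")
    print(reset_script(tampering))
```

Run as-is it reports the five flagged values and prints the reset block. The parser only understands the "name"=dword:xxxxxxxx shape ComboFix uses for these entries; a value ComboFix prints in another form (such as the "= 0 (0x0)" line in the sample) is left out rather than guessed at.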
Old 11-23-2013, 07:11 PM   #17
Registered Member
 
Join Date: Nov 2013
Posts: 15
OS: Windows Vista



Here's the log. Had a little trouble with AVG - I temporarily disabled it "until the next restart," not thinking about the fact that ComboFix would restart the computer before it was finished. I don't think it affected anything in the end, though.

ComboFix 13-11-23.02 - Garth 11/23/2013 18:54:55.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.918 [GMT -5:00]
Running from: c:\users\Garth\Desktop\ComboFix.exe
Command switches used :: c:\users\Garth\Desktop\CFScript.txt
AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Java
c:\program files\Java\jre7\bin\awt.dll
c:\program files\Java\jre7\bin\axbridge.dll
c:\program files\Java\jre7\bin\client\classes.jsa
c:\program files\Java\jre7\bin\client\jvm.dll
c:\program files\Java\jre7\bin\client\Xusage.txt
c:\program files\Java\jre7\bin\dcpr.dll
c:\program files\Java\jre7\bin\decora-sse.dll
c:\program files\Java\jre7\bin\deploy.dll
c:\program files\Java\jre7\bin\dt_shmem.dll
c:\program files\Java\jre7\bin\dt_socket.dll
c:\program files\Java\jre7\bin\dtplugin\deployJava1.dll
c:\program files\Java\jre7\bin\dtplugin\npdeployJava1.dll
c:\program files\Java\jre7\bin\fontmanager.dll
c:\program files\Java\jre7\bin\fxplugins.dll
c:\program files\Java\jre7\bin\glass.dll
c:\program files\Java\jre7\bin\glib-lite.dll
c:\program files\Java\jre7\bin\gstreamer-lite.dll
c:\program files\Java\jre7\bin\hprof.dll
c:\program files\Java\jre7\bin\installer.dll
c:\program files\Java\jre7\bin\instrument.dll
c:\program files\Java\jre7\bin\j2pcsc.dll
c:\program files\Java\jre7\bin\j2pkcs11.dll
c:\program files\Java\jre7\bin\jaas_nt.dll
c:\program files\Java\jre7\bin\jabswitch.exe
c:\program files\Java\jre7\bin\java-rmi.exe
c:\program files\Java\jre7\bin\java.dll
c:\program files\WINWORD.EXE
c:\programdata\Sun\Java
c:\programdata\Sun\Java\Java Update\jaureglist.xml
c:\users\All Users\Sun\Java\Java Update\jaureglist.xml
c:\users\Garth\AppData\LocalLow\Oracle\Java
c:\users\Garth\AppData\LocalLow\Sun\Java
c:\users\Garth\AppData\LocalLow\Sun\Java\AU\au.cab
c:\users\Garth\AppData\LocalLow\Sun\Java\AU\au.msi
c:\users\Garth\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
c:\users\Garth\AppData\LocalLow\Sun\Java\Deployment\security\auth.dat
c:\users\Garth\AppData\LocalLow\Sun\Java\Deployment\security\baseline.timestamp
c:\users\Garth\AppData\LocalLow\Sun\Java\Deployment\security\baseline.versions
c:\users\Garth\AppData\LocalLow\Sun\Java\Deployment\security\blacklist.dynamic
c:\users\Garth\AppData\LocalLow\Sun\Java\Deployment\security\blacklisted.certs
c:\users\Garth\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
c:\users\Garth\AppData\LocalLow\Sun\Java\Deployment\security\update.timestamp
c:\users\Garth\AppData\LocalLow\Sun\Java\Deployment\tmp\si\JavaControlPanel-x86_49724
c:\users\Garth\AppData\LocalLow\Sun\Java\jre1.7.0_05\lzma.dll
c:\users\Garth\AppData\LocalLow\Sun\Java\jre1.7.0_45\lzma.dll
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\FlashPlayerApp.exe
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\erdnt\cache\userinit.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-10-24 to 2013-11-24 )))))))))))))))))))))))))))))))
.
.
2013-11-24 00:04 . 2013-11-24 00:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-11-22 23:55 . 2013-11-23 05:06 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-11-22 23:55 . 2013-11-22 23:55 105176 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-11-22 23:54 . 2013-11-22 23:54 75992 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-11-21 00:31 . 2013-11-21 00:31 -------- d-----w- c:\program files\ESET
2013-11-20 10:28 . 2013-11-21 00:15 -------- d-----w- c:\programdata\Oracle
2013-11-20 10:26 . 2013-11-21 00:12 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-11-20 00:37 . 2013-11-20 00:37 -------- d-----w- c:\programdata\McAfee
2013-11-19 23:47 . 2013-11-19 23:47 -------- d-----w- c:\users\Garth\AppData\Roaming\Malwarebytes
2013-11-19 23:46 . 2013-11-19 23:46 -------- d-----w- c:\programdata\Malwarebytes
2013-11-19 23:46 . 2013-11-19 23:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-11-19 23:46 . 2013-04-04 19:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-11-18 23:42 . 2013-11-24 02:55 -------- d-----w- c:\users\Garth\AppData\Local\temp
2013-11-18 03:11 . 2013-11-18 03:14 -------- d-----w- C:\AdwCleaner
2013-11-16 13:02 . 2013-06-04 04:16 34304 ----a-w- c:\windows\system32\atmlib.dll
2013-11-16 13:01 . 2013-07-03 02:33 35328 ----a-w- c:\windows\system32\drivers\usbscan.sys
2013-11-16 13:01 . 2013-07-03 02:10 25472 ----a-w- c:\windows\system32\drivers\hidparse.sys
2013-11-12 03:38 . 2013-10-16 05:20 7796464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5FD4355B-B058-40D1-A5BE-3CE056AD9F37}\mpengine.dll
2013-11-07 02:14 . 2013-11-20 10:14 -------- d-----w- c:\users\Garth\AppData\Local\VGworks
2013-10-27 22:52 . 2013-11-18 03:03 -------- d-----w- c:\program files\Mozilla Maintenance Service
2013-10-27 22:36 . 2013-10-27 22:36 -------- d-----w- c:\users\Garth\AppData\Local\Macromedia
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-27 19:59 . 2011-11-08 16:58 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-10 05:34 . 2013-09-10 05:34 22328 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
2013-09-05 05:43 . 2013-09-05 05:43 39224 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2013-09-03 18:35 . 2010-02-20 16:14 238872 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-18 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"VGworks Update"="c:\users\Garth\AppData\Local\VGworks\TeamViewerMeetingAddIn.dll" [2013-11-20 804352]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-07 159744]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-09-23 4411952]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-18 50688]
ImageMixer 3 SE Camera Monitor for SD.lnk - c:\program files\PIXELA\ImageMixer 3 SE for SD\CameraMonitor.exe [2009-7-18 253952]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE -b -l [1999-2-17 65588]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-9-7 1180952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-11-12 73728]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-23 c:\windows\Tasks\ROC_REG_JAN_DELETE.job
- c:\programdata\AVG January 2013 Campaign\ROC.exe [2013-01-23 21:16]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.live.com/login.srf?wa=...cxt=mai&snsc=1
uInternet Settings,ProxyOverride = *.local
IE: Save video on Savevid.com
Trusted Zone: netzero.com
Trusted Zone: netzero.net
Trusted Zone: westlaw.com
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\Garth\AppData\Roaming\Mozilla\Firefox\Profiles\vowa3u05.default\
FF - ExtSQL: 2013-10-16 22:24; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; c:\program files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - ExtSQL: !HIDDEN! 2010-12-25 13:44; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2013-11-23 21:55
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(6552)
c:\users\Garth\AppData\Local\VGworks\TeamViewerMeetingAddIn.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2013\avgrsx.exe
c:\program files\AVG\AVG2013\avgcsrvx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\AVG\AVG2013\avgidsagent.exe
c:\program files\AVG\AVG2013\avgwdsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\programdata\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe
c:\windows\system32\STacSV.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\AVG\AVG2013\avgnsx.exe
c:\program files\AVG\AVG2013\avgemcx.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\System32\regsvr32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\AVG\AVG2013\avgcfgex.exe
.
**************************************************************************
.
Completion time: 2013-11-23 22:00:13 - machine was rebooted
ComboFix-quarantined-files.txt 2013-11-24 03:00
ComboFix2.txt 2013-11-18 23:49
.
Pre-Run: 172,771,348,480 bytes free
Post-Run: 171,371,286,528 bytes free
.
- - End Of File - - AC7DB1736F4F6B1AFC21DC95F9278282
CDB4DE4BBD714F152979DA2DCBEF57EB
__________________
Wolf321 is offline  
Old 11-23-2013, 08:26 PM   #18
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 25,643
OS: XP SP3; Win7 32/64-bit



Hello again, Wolf321. Are you still getting multiple iexplore.exe processes?

------------------------------------------------------

Go here and follow the prompts to install the latest Java > java.com: Java + You

Make sure you untick the box next to whatever free program they prompt you to install, unless you want it.
  • After the install is complete, go back to your Control Panel and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options checked in the window to clear the cache - Leave BOTH Checked
      • Cached Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Cached Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Old 11-24-2013, 06:38 AM   #19
Registered Member
 
Join Date: Nov 2013
Posts: 15
OS: Windows Vista



chemist - Yes, the rogue iexplore.exe processes are gone, as well as the javaw.exe and javaws.exe processes. Things seem to be moving much cleaner and quicker now.

The Java installation still ended with the message that the installation was interrupted before completing. However, Java does seem to be installed (although it's still not showing up in the uninstall list).

This time the deletion of the cached applications etc. finished almost immediately.

Looking good right now - any cleanup steps we need to take?

Also, should I disable Java from my browser, like the sticky note says? I don't game online much and I don't use this computer for any heavy business applications.

Thanks for all your help throughout this!
__________________
Wolf321 is offline  
Old 11-24-2013, 09:49 AM   #20
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 25,643
OS: XP SP3; Win7 32/64-bit



Hello again, Wolf321. You're very welcome. Yes, you can disable Java. I'll give you some instructions on that later.

Weird Java doesn't show as installed. If you wish to pursue it further...

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
rem Dump every subkey of the Uninstall key (the source of the Programs and Features list) to a text file
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s > uninstall.txt
notepad uninstall.txt
rem Remove this batch file once it has run
del %0
Save this as peek.bat and choose to Save as type: - All Files to your desktop then close the Notepad file.
It should look like this:

Right-click on peek.bat and choose 'Run as administrator' to allow it to run. A Notepad file will open. Post or attach that file to your next reply.

------------------------------------------------------

If you don't wish to pursue it, let me know and I will give you some final instructions.

------------------------------------------------------

__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
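An added PowerShell example, not chemist's code and not from the thread, that covers the same ground as peek.bat (what is registered under the Uninstall keys) and additionally cross-checks the JavaSoft key the Java installer writes on its own, so a Java install that is missing from the uninstall list can be told apart from one that never registered at all. The registry paths are the standard ones; the Wow6432Node path is included as an assumption for 64-bit systems and is skipped where it does not exist.

```powershell
# Added example, not code from the thread. Lists every program registered under the
# Uninstall keys (what Programs and Features shows) and cross-checks the JavaSoft key
# that the Java installer writes separately, to tell whether a Java install that is
# missing from the uninstall list is registered at all.
# The Wow6432Node path only exists on 64-bit Windows and is skipped when absent.

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

$entries = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem $root) {
        $p = Get-ItemProperty $key.PSPath
        if (-not $p.DisplayName) { continue }   # keys without a name are not listed by the GUI either
        New-Object PSObject -Property @{
            Hive        = $root
            Key         = $key.PSChildName
            DisplayName = $p.DisplayName
            Version     = $p.DisplayVersion
            Location    = $p.InstallLocation
        }
    }
}

# Anything registered under a Java-like name
$entries | Where-Object { $_.DisplayName -match 'Java' } |
    Format-Table DisplayName, Version, Location, Key -AutoSize

# The runtime's own key: present means the JRE installed even if its uninstall entry did not
$jreKey = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
if (Test-Path $jreKey) {
    $cur      = (Get-ItemProperty $jreKey).CurrentVersion
    $javaHome = (Get-ItemProperty (Join-Path $jreKey $cur)).JavaHome
    $onDisk   = if ($javaHome) { Test-Path $javaHome } else { $false }
    "JavaSoft key reports JRE $cur, JavaHome=$javaHome, directory exists: $onDisk"
} else {
    'No JavaSoft key: the runtime itself is not registered, not just its uninstall entry'
}

# Full listing on the desktop for posting, the same data peek.bat dumps with reg query
$entries | Sort-Object DisplayName |
    Format-Table DisplayName, Version, Hive -AutoSize |
    Out-File (Join-Path $env:USERPROFILE 'Desktop\uninstall.txt') -Width 200
```

Run it from an elevated PowerShell prompt; HKLM reads work unprivileged, but an elevated session avoids access errors on individual subkeys.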
Copyright 2001 - 2014, Tech Support Forum