
Thread: Redirect issues & DDS can't be downloaded

  1. #11
    Junior Member | Join Date: Apr 2011 | Posts: 25

    Good morning Jack&Jill,

    I tried to download OTL.exe and I got a security warning from my SmartScreen filter which said something to the effect: the program is not commonly downloaded, it isn't signed by the author and it could harm my computer.

    Are you sure you want me to download OTL.exe?

    On the Firefox issue, I uninstalled it yesterday, I rebooted my system then reinstalled it and the redirect issue seems to be gone.

    FYI: After the above reboot ERDNT didn't show any errors.

    Jpatrick

  2. #12
    Jack&Jill, Security Expert | Join Date: Aug 2008 | Location: South East Asia | Posts: 725

    Hello jpatrick,

    Yes, please download OTL and complete the steps.
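Jack&Jill asks for an OTL log, and the next post contains one. As an added example, not code from this thread, from OldTimer or from the forum, here is a small Python triage script for lines in that OTL format: it applies the checks an analyst makes by eye on a browser-redirect case (hosts entries that send a name somewhere other than a sinkhole, DNS servers that are not the ones expected, a Winlogon Shell/UserInit value with an extra executable appended, and autorun/BHO/process entries whose company name or target is missing). The expected DNS servers and Winlogon values are analyst-supplied assumptions for this example; the sample lines are constructed, the first group mirroring the format of the posted log and the second group invented (with RFC 5737 documentation addresses) purely to show what a hit looks like, so they say nothing about the poster's machine.

```python
"""Triage for OTL-style log lines (added example; not OldTimer's code).
Covers O1 hosts, O17 DNS, O20 Winlogon, and the PRC/MOD/O2/O3/O4/O18/O21
entries whose company name or target is missing."""
import ipaddress
import re

# Analyst-supplied expectations for THIS machine (assumptions for the example):
# the DHCP-assigned resolvers seen in the log and the stock Winlogon values.
EXPECTED_DNS = {"192.168.1.1", "75.75.75.75", "75.75.76.76"}
EXPECTED_WINLOGON = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
DNS_RE = re.compile(r"^O17 .*DhcpNameServer = (.+)$")
WINLOGON_RE = re.compile(r"^O20(?::64bit:)? - HKLM Winlogon: (\w+) - \((.*?)\) - (.*)$")
ENTRY_RE = re.compile(r"^(?:O2|O3|O4|O18|O21|PRC|MOD)(?::64bit:)? - (.*)$")


def is_sinkhole(ip_text):
    """True when a hosts entry merely blocks a name (loopback or 0.0.0.0)."""
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on non-addresses
    return ip.is_loopback or ip.is_unspecified


def triage_line(line):
    """Return (severity, reason, line) for a suspicious line, else None."""
    line = line.strip()

    m = HOSTS_RE.match(line)
    if m:
        ip_text, host = m.groups()
        try:
            blocked = is_sinkhole(ip_text)
        except ValueError:          # e.g. OTL's "15233 more lines..." marker
            return None
        if not blocked:             # a real redirect: name sent to a foreign IP
            return ("high", f"hosts maps {host} to {ip_text}, not a sinkhole", line)
        return None

    m = DNS_RE.match(line)
    if m:
        unexpected = set(m.group(1).split()) - EXPECTED_DNS
        if unexpected:
            return ("high", f"unexpected DNS server(s): {sorted(unexpected)}", line)
        return None

    m = WINLOGON_RE.match(line)
    if m:
        key, value, _resolved = m.groups()
        expected = EXPECTED_WINLOGON.get(key)
        if expected is None:
            return None             # VMApplet etc.: not a persistence point
        # Shell/UserInit hijacks usually append a second executable after a
        # comma, so compare the list of basenames, not substring presence.
        names = [p.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()
                 for p in value.split(",") if p.strip()]
        if names != [expected]:
            return ("high", f"Winlogon {key} is {value!r}, expected {expected}", line)
        return None

    m = ENTRY_RE.match(line)
    if m:
        body = m.group(1)
        if body.endswith("File not found") or body.endswith("No CLSID value found"):
            return ("low", "orphaned entry: target or CLSID missing", line)
        if body.endswith("()") or "] () -- " in body:
            return ("medium", "executable with no company name (unsigned/unknown)", line)
    return None


def triage(lines):
    """Keep only hits, highest severity first (stable within a severity)."""
    order = {"high": 0, "medium": 1, "low": 2}
    hits = [h for h in (triage_line(l) for l in lines) if h]
    return sorted(hits, key=lambda h: order[h[0]])


# Constructed sample: the first group mirrors the format of the log posted in
# this thread; the second group is INVENTED to show what hits look like and
# does not describe the poster's machine.
SAMPLE_LINES = [
    r"PRC - [2012/07/04 17:25:54 | 005,160,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe",
    r"PRC - [2010/04/28 18:17:04 | 000,512,000 | ---- | M] () -- C:\Program Files\TRENDnet\TEW-421PC_TEW-423PI\WlanCU.exe",
    r"O1 - Hosts: 127.0.0.1 www.007guard.com",
    r"O1 - Hosts: 15233 more lines...",
    r"O4 - HKLM..\Run: [DMXLauncher] C:\Program Files (x86)\Roxio\CinePlayer\DMXLauncher.exe ()",
    r"O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1",
    r"O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found",
    r"O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)",
    # invented hits (RFC 5737 documentation addresses):
    r"O1 - Hosts: 203.0.113.5 www.google.com",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000000}: DhcpNameServer = 198.51.100.7 198.51.100.8",
    r"O20 - HKLM Winlogon: Shell - (explorer.exe, C:\Users\Admin\AppData\Roaming\svchost.exe) - File not found",
]

if __name__ == "__main__":
    for sev, why, src in triage(SAMPLE_LINES):
        print(f"[{sev:6}] {why}\n         {src}")
```

A "medium" hit only means OTL could not read a company name from the file's version resource, which is common for small OEM utilities; it is a prompt to check the file's signature and hash, not a verdict. The hosts check deliberately treats the 127.0.0.1 block list in the posted log as benign, because a block list sends names nowhere, whereas a redirect hijack sends them to an address the attacker controls.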

  3. #13
    Junior Member | Join Date: Apr 2011 | Posts: 25

    OTL Log

    Jack&Jill,

    OTL LOG:

    OTL logfile created on: 7/15/2012 1:32:27 PM - Run 1
    OTL by OldTimer - Version 3.2.54.0 Folder = C:\Users\Admin\Desktop
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.75 Gb Total Physical Memory | 2.45 Gb Available Physical Memory | 65.41% Memory free
    7.50 Gb Paging File | 5.53 Gb Available in Paging File | 73.76% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 465.66 Gb Total Space | 351.32 Gb Free Space | 75.45% Space Free | Partition Type: NTFS
    Drive D: | 634.80 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: ADMIN-PC | User Name: Admin | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/07/15 05:23:19 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Admin\Desktop\OTL.exe
    PRC - [2012/07/04 17:25:54 | 005,160,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe
    PRC - [2012/04/05 05:12:34 | 002,587,008 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
    PRC - [2012/02/14 04:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
    PRC - [2012/01/16 21:39:13 | 000,247,968 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_ActiveX.exe
    PRC - [2012/01/03 09:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    PRC - [2010/04/28 18:17:04 | 000,512,000 | ---- | M] () -- C:\Program Files\TRENDnet\TEW-421PC_TEW-423PI\WlanCU.exe
    PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
    PRC - [2008/09/08 12:03:58 | 000,113,136 | ---- | M] () -- C:\Program Files (x86)\Roxio\CinePlayer\DMXLauncher.exe


    ========== Modules (No Company Name) ==========

    MOD - [2010/04/28 18:17:04 | 000,512,000 | ---- | M] () -- C:\Program Files\TRENDnet\TEW-421PC_TEW-423PI\WlanCU.exe
    MOD - [2009/10/07 17:58:10 | 000,376,832 | ---- | M] () -- C:\Program Files\TRENDnet\TEW-421PC_TEW-423PI\WlanDll.dll
    MOD - [2009/03/10 20:03:52 | 000,184,320 | ---- | M] () -- C:\Program Files\TRENDnet\TEW-421PC_TEW-423PI\WPSCtrl.dll
    MOD - [2008/09/08 12:03:58 | 000,113,136 | ---- | M] () -- C:\Program Files (x86)\Roxio\CinePlayer\DMXLauncher.exe


    ========== Win32 Services (SafeList) ==========

    SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2012/07/04 17:25:54 | 005,160,568 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe -- (AVGIDSAgent)
    SRV - [2012/02/14 04:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
    SRV - [2012/01/03 09:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2010/03/18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
    SRV - [2008/09/09 10:07:54 | 000,309,744 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe -- (RoxLiveShare10)
    SRV - [2008/09/09 10:07:14 | 001,120,752 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -- (RoxMediaDB10)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - [2012/04/19 04:50:26 | 000,028,480 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\avgidsha.sys -- (AVGIDSHA)
    DRV:64bit: - [2012/03/19 05:17:26 | 000,383,808 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgtdia.sys -- (Avgtdia)
    DRV:64bit: - [2012/03/01 02:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
    DRV:64bit: - [2012/02/22 05:25:32 | 000,289,872 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgldx64.sys -- (Avgldx64)
    DRV:64bit: - [2012/01/31 04:46:48 | 000,036,944 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\avgrkx64.sys -- (Avgrkx64)
    DRV:64bit: - [2011/12/23 13:32:14 | 000,047,696 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\avgmfx64.sys -- (Avgmfx64)
    DRV:64bit: - [2011/12/23 13:32:04 | 000,029,776 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\avgidsfiltera.sys -- (AVGIDSFilter)
    DRV:64bit: - [2011/12/23 13:31:58 | 000,124,496 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\avgidsdrivera.sys -- (AVGIDSDriver)
    DRV:64bit: - [2011/03/11 02:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
    DRV:64bit: - [2011/03/11 02:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
    DRV:64bit: - [2010/11/20 23:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV:64bit: - [2010/11/20 23:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
    DRV:64bit: - [2010/11/20 23:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
    DRV:64bit: - [2010/08/12 13:07:50 | 000,350,952 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvmf6264.sys -- (NVNET)
    DRV:64bit: - [2010/07/02 10:08:52 | 002,061,928 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RTL85n64.sys -- (RTL85n64)
    DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
    DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
    DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
    DRV:64bit: - [2009/06/10 16:35:35 | 000,408,960 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nvm62x64.sys -- (NVENETFD)
    DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
    DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
    DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
    DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
    DRV:64bit: - [2008/06/16 04:00:00 | 000,055,024 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
    DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
    DRV - [2008/09/09 11:12:54 | 000,065,520 | ---- | M] (Sonic Solutions) [File_System | System | Stopped] -- C:\Windows\SysWOW64\drivers\RxFilter.sys -- (RxFilter)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
    IE - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
    IE - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/tenda...ngton+VT+05201
    IE - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
    IE - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
    IE - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = B8 60 BF 6A 0E D6 CC 01 [binary data]
    IE - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000\..\SearchScopes,DefaultScope = {7C0FB11C-C21D-472D-BEB2-B7CEBE00D336}
    IE - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000\..\SearchScopes\{7C0FB11C-C21D-472D-BEB2-B7CEBE00D336}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
    IE - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..network.proxy.type: 0
    FF - user.js - File not found

    FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_1_102.dll File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.0.61118.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.0.61118.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files (x86)\AVG\AVG2012\Firefox4\ [2012/07/06 09:17:48 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\flashcatch@flashcatch.com: C:\Program Files (x86)\FlashCatch\firefox [2012/03/19 01:34:08 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF}: C:\Program Files (x86)\AVG\AVG2012\Firefox\DoNotTrack\ [2012/07/02 09:19:39 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/07/14 11:22:51 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

    [2012/07/14 11:23:23 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Admin\AppData\Roaming\Mozilla\Extensions
    [2012/07/14 11:22:51 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
    [2012/01/19 23:58:41 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
    [2012/06/14 18:20:49 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
    [2012/01/13 11:14:47 | 000,003,739 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\avg-secure-search.xml
    [2012/06/14 18:19:40 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
    [2012/06/14 18:19:40 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

    O1 HOSTS File: ([2012/07/16 15:19:25 | 000,443,522 | R--- | M]) - C:\Windows\SysNative\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 www.007guard.com
    O1 - Hosts: 127.0.0.1 007guard.com
    O1 - Hosts: 127.0.0.1 008i.com
    O1 - Hosts: 127.0.0.1 www.008k.com
    O1 - Hosts: 127.0.0.1 008k.com
    O1 - Hosts: 127.0.0.1 www.00hq.com
    O1 - Hosts: 127.0.0.1 00hq.com
    O1 - Hosts: 127.0.0.1 010402.com
    O1 - Hosts: 127.0.0.1 www.032439.com
    O1 - Hosts: 127.0.0.1 032439.com
    O1 - Hosts: 127.0.0.1 www.0scan.com
    O1 - Hosts: 127.0.0.1 0scan.com
    O1 - Hosts: 127.0.0.1 1000gratisproben.com
    O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
    O1 - Hosts: 127.0.0.1 1001namen.com
    O1 - Hosts: 127.0.0.1 www.1001namen.com
    O1 - Hosts: 127.0.0.1 www.100888290cs.com
    O1 - Hosts: 127.0.0.1 100888290cs.com
    O1 - Hosts: 127.0.0.1 100sexlinks.com
    O1 - Hosts: 127.0.0.1 www.100sexlinks.com
    O1 - Hosts: 127.0.0.1 www.10sek.com
    O1 - Hosts: 127.0.0.1 10sek.com
    O1 - Hosts: 127.0.0.1 1-2005-search.com
    O1 - Hosts: 127.0.0.1 www.1-2005-search.com
    O1 - Hosts: 127.0.0.1 www.123fporn.info
    O1 - Hosts: 15233 more lines...
    O2:64bit: - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll (AVG Technologies CZ, s.r.o.)
    O2:64bit: - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssiea.dll (AVG Technologies CZ, s.r.o.)
    O2 - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (FlashCatchBHO Class) - {88618A96-6D8A-42E7-B932-9073D5B2080F} - C:\Program Files (x86)\FlashCatch\flashcatch.dll (Level 9 Technology, Inc.)
    O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O3 - HKLM\..\Toolbar: (FlashCatch) - {10CECF4F-A96E-4803-8AC2-F565FB29FF47} - C:\Program Files (x86)\FlashCatch\flashcatch.dll (Level 9 Technology, Inc.)
    O3 - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000\..\Toolbar\WebBrowser: (FlashCatch) - {10CECF4F-A96E-4803-8AC2-F565FB29FF47} - C:\Program Files (x86)\FlashCatch\flashcatch.dll (Level 9 Technology, Inc.)
    O4:64bit: - HKLM..\Run: [KONICA MINOLTA magicolor 2400W STD] C:\Windows\SysNative\MSTMON_S.EXE (KONICA MINOLTA BUSINESS TECHNOLOGIES, INC.)
    O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
    O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
    O4 - HKLM..\Run: [DMXLauncher] C:\Program Files (x86)\Roxio\CinePlayer\DMXLauncher.exe ()
    O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files (x86)\CyberLink\PowerDVD\Language\Language.exe ()
    O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
    O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
    O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
    O4 - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_Plugin.exe (Adobe Systems, Inc.)
    O4 - Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files (x86)\ERUNT\AUTOBACK.EXE ()
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O9:64bit: - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll (AVG Technologies CZ, s.r.o.)
    O9 - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)
    O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O1364bit: - gopher Prefix: missing
    O13 - gopher Prefix: missing
    O15 - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000\..Trusted Domains: microsoft.com ([oas.support] http in Trusted sites)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/ge...sh/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{27A76691-41C0-4E44-995C-D5AC9A99A256}: DhcpNameServer = 192.168.1.1 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{96B9080E-81CC-4304-A255-8ED57B92B0A3}: DhcpNameServer = 75.75.75.75 75.75.76.76
    O18:64bit: - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll (AVG Technologies CZ, s.r.o.)
    O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
    O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
    O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [1999/09/23 11:38:49 | 000,000,045 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
    O33 - MountPoints2\{609edac7-3df9-11e1-b644-806e6f6e6963}\Shell - "" = AutoRun
    O33 - MountPoints2\{609edac7-3df9-11e1-b644-806e6f6e6963}\Shell\AutoRun\command - "" = D:\SETUP.EXE -- [1999/09/23 11:58:15 | 000,025,600 | R--- | M] ()
    O34 - HKLM BootExecute: (autocheck autochk *)
    O34 - HKLM BootExecute: (C:\PROGRA~2\AVG\AVG2012\avgrsa.exe /sync /restart)
    O35:64bit: - HKLM\..comfile [open] -- "%1" %*
    O35:64bit: - HKLM\..exefile [open] -- "%1" %*
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/07/15 05:23:19 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\Admin\Desktop\OTL.exe
    [2012/07/14 11:22:58 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\Mozilla
    [2012/07/14 03:49:49 | 000,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\Malwarebytes
    [2012/07/14 03:49:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/07/14 03:49:30 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
    [2012/07/14 03:49:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    [2012/07/14 03:49:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/07/13 07:18:39 | 010,652,120 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Admin\Desktop\mbam-setup-1.62.0.1300.exe
    [2012/07/13 04:03:21 | 000,000,000 | ---D | C] -- C:\Users\Admin\Desktop\RK_Quarantine
    [2012/07/09 20:48:23 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\Admin\Desktop\aswMBR.exe
    [2012/07/08 14:33:16 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2012/07/08 14:32:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
    [2012/07/08 14:32:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ERUNT
    [2012/07/08 14:29:31 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Users\Admin\Desktop\erunt-setup.exe
    [2012/07/06 09:17:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
    [2012/01/20 22:52:21 | 000,258,560 | ---- | C] (Quad-Lock) -- C:\Program Files\UnitConverter.exe
    [2001/06/20 17:34:39 | 000,127,488 | ---- | C] (Apple Computer, Inc.) -- C:\Program Files\QuickTimeUpdater.exe
    [2001/06/20 17:34:38 | 001,043,968 | ---- | C] (Apple Computer, Inc.) -- C:\Program Files\QuickTimePlayer.exe
    [2001/06/20 17:34:38 | 000,303,616 | ---- | C] (Apple Computer, Inc.) -- C:\Program Files\PictureViewer.exe
    [2001/06/20 17:34:38 | 000,225,792 | ---- | C] (Apple Computer, Inc.) -- C:\Program Files\QTInfo.exe
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/07/15 13:26:04 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012/07/15 13:25:45 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/07/15 05:23:19 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\Admin\Desktop\OTL.exe
    [2012/07/15 05:19:00 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012/07/14 18:01:49 | 101,528,768 | ---- | M] () -- C:\Windows\SysNative\drivers\AVG\incavi.avm
    [2012/07/14 11:27:10 | 000,022,064 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/07/14 11:27:10 | 000,022,064 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/07/14 11:24:13 | 000,792,118 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
    [2012/07/14 11:24:13 | 000,668,836 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
    [2012/07/14 11:24:13 | 000,125,022 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
    [2012/07/14 11:22:53 | 000,001,134 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
    [2012/07/14 11:19:51 | 3018,690,560 | -HS- | M] () -- C:\hiberfil.sys
    [2012/07/14 04:37:43 | 000,032,894 | ---- | M] () -- C:\Users\Admin\Desktop\Reboot notice ERDNT 4.jpg
    [2012/07/14 04:37:11 | 000,035,537 | ---- | M] () -- C:\Users\Admin\Desktop\Reboot notice ERDNT 3.jpg
    [2012/07/14 04:36:31 | 000,033,751 | ---- | M] () -- C:\Users\Admin\Desktop\Reboot notice ERDNT 2.jpg
    [2012/07/14 04:35:44 | 000,052,417 | ---- | M] () -- C:\Users\Admin\Desktop\Reboot notice ERDNT.jpg
    [2012/07/14 04:27:48 | 000,047,009 | ---- | M] () -- C:\Users\Admin\Desktop\Malwarebytes results 07142012.jpg
    [2012/07/14 03:49:31 | 000,001,113 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/07/13 09:40:18 | 000,013,312 | -H-- | M] () -- C:\Users\Admin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/07/13 07:19:36 | 010,652,120 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Admin\Desktop\mbam-setup-1.62.0.1300.exe
    [2012/07/13 04:01:29 | 001,558,016 | ---- | M] () -- C:\Users\Admin\Desktop\RogueKiller.exe
    [2012/07/13 03:58:57 | 000,000,512 | ---- | M] () -- C:\Users\Admin\Desktop\MBR.dat
    [2012/07/12 09:01:41 | 000,076,515 | ---- | M] () -- C:\Users\Admin\Desktop\VPT malware issue 07122012.jpg
    [2012/07/12 09:00:01 | 000,387,979 | ---- | M] () -- C:\Users\Admin\Desktop\2012-07-World-Detailed.pdf
    [2012/07/12 08:58:01 | 000,088,275 | ---- | M] () -- C:\Users\Admin\Desktop\2012-07-World-Grid.pdf
    [2012/07/12 08:57:05 | 000,108,656 | ---- | M] () -- C:\Users\Admin\Desktop\2012-07-Create-Grid.pdf
    [2012/07/12 08:56:06 | 000,388,956 | ---- | M] () -- C:\Users\Admin\Desktop\2012-07-VPT-Detailed.pdf
    [2012/07/11 22:19:57 | 000,443,522 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
    [2012/07/11 22:14:54 | 000,000,938 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20120711-221957.backup
    [2012/07/11 22:13:58 | 000,443,522 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20120711-221454.backup
    [2012/07/11 12:32:41 | 000,007,611 | -H-- | M] () -- C:\Users\Admin\AppData\Local\resmon.resmoncfg
    [2012/07/10 10:41:51 | 017,855,727 | ---- | M] () -- C:\Users\Admin\Documents\Styx The Grand Illusion with lyrics.wmv
    [2012/07/10 10:40:02 | 023,780,647 | ---- | M] () -- C:\Users\Admin\Documents\Styx The Grand Illusion with lyrics.flv
    [2012/07/10 10:24:02 | 015,478,199 | ---- | M] () -- C:\Users\Admin\Documents\Why America is NOT the greatest country in the world, anymore..wmv
    [2012/07/10 10:21:24 | 015,722,051 | ---- | M] () -- C:\Users\Admin\Documents\Why America is NOT the greatest country in the world, anymore..flv
    [2012/07/09 20:48:23 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\Admin\Desktop\aswMBR.exe
    [2012/07/08 22:09:52 | 000,277,807 | ---- | M] () -- C:\Windows\SysNative\drivers\AVG\iavichjg.avm
    [2012/07/08 14:32:23 | 000,001,108 | ---- | M] () -- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
    [2012/07/08 14:32:00 | 000,000,928 | ---- | M] () -- C:\Users\Admin\Desktop\NTREGOPT.lnk
    [2012/07/08 14:32:00 | 000,000,909 | ---- | M] () -- C:\Users\Admin\Desktop\ERUNT.lnk
    [2012/07/07 15:27:22 | 000,017,884 | ---- | M] () -- C:\Users\Admin\Documents\cc_20120707_152716.reg
    [2012/07/06 20:38:29 | 000,443,048 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20120711-221358.backup
    [2012/07/06 09:17:48 | 000,000,965 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2012.lnk
    [2012/07/03 13:46:44 | 000,024,904 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
    [2012/07/02 17:00:16 | 000,001,369 | ---- | M] () -- C:\Windows\wininit.ini
    [2012/07/02 11:43:12 | 000,442,922 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20120706-203829.backup
    [2012/07/02 11:39:37 | 000,046,270 | ---- | M] () -- C:\Users\Admin\Documents\cc_20120702_113920.reg
    [2012/06/26 10:32:43 | 000,442,922 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20120702-114312.backup
    [2012/06/16 02:37:20 | 000,442,922 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20120626-103243.backup
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/07/14 11:22:52 | 000,001,134 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
    [2012/07/14 04:37:43 | 000,032,894 | ---- | C] () -- C:\Users\Admin\Desktop\Reboot notice ERDNT 4.jpg
    [2012/07/14 04:37:11 | 000,035,537 | ---- | C] () -- C:\Users\Admin\Desktop\Reboot notice ERDNT 3.jpg
    [2012/07/14 04:36:31 | 000,033,751 | ---- | C] () -- C:\Users\Admin\Desktop\Reboot notice ERDNT 2.jpg
    [2012/07/14 04:35:44 | 000,052,417 | ---- | C] () -- C:\Users\Admin\Desktop\Reboot notice ERDNT.jpg
    [2012/07/14 04:27:48 | 000,047,009 | ---- | C] () -- C:\Users\Admin\Desktop\Malwarebytes results 07142012.jpg
    [2012/07/14 03:49:31 | 000,001,113 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/07/13 04:01:28 | 001,558,016 | ---- | C] () -- C:\Users\Admin\Desktop\RogueKiller.exe
    [2012/07/12 09:01:41 | 000,076,515 | ---- | C] () -- C:\Users\Admin\Desktop\VPT malware issue 07122012.jpg
    [2012/07/12 09:00:01 | 000,387,979 | ---- | C] () -- C:\Users\Admin\Desktop\2012-07-World-Detailed.pdf
    [2012/07/12 08:58:01 | 000,088,275 | ---- | C] () -- C:\Users\Admin\Desktop\2012-07-World-Grid.pdf
    [2012/07/12 08:57:05 | 000,108,656 | ---- | C] () -- C:\Users\Admin\Desktop\2012-07-Create-Grid.pdf
    [2012/07/12 08:56:06 | 000,388,956 | ---- | C] () -- C:\Users\Admin\Desktop\2012-07-VPT-Detailed.pdf
    [2012/07/10 10:40:26 | 017,855,727 | ---- | C] () -- C:\Users\Admin\Documents\Styx The Grand Illusion with lyrics.wmv
    [2012/07/10 10:35:42 | 023,780,647 | ---- | C] () -- C:\Users\Admin\Documents\Styx The Grand Illusion with lyrics.flv
    [2012/07/10 10:22:49 | 015,478,199 | ---- | C] () -- C:\Users\Admin\Documents\Why America is NOT the greatest country in the world, anymore..wmv
    [2012/07/10 10:17:46 | 015,722,051 | ---- | C] () -- C:\Users\Admin\Documents\Why America is NOT the greatest country in the world, anymore..flv
    [2012/07/09 20:50:33 | 000,000,512 | ---- | C] () -- C:\Users\Admin\Desktop\MBR.dat
    [2012/07/08 14:32:23 | 000,001,108 | ---- | C] () -- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
    [2012/07/08 14:32:00 | 000,000,928 | ---- | C] () -- C:\Users\Admin\Desktop\NTREGOPT.lnk
    [2012/07/08 14:32:00 | 000,000,909 | ---- | C] () -- C:\Users\Admin\Desktop\ERUNT.lnk
    [2012/07/07 15:27:20 | 000,017,884 | ---- | C] () -- C:\Users\Admin\Documents\cc_20120707_152716.reg
    [2012/07/02 17:00:11 | 000,001,369 | ---- | C] () -- C:\Windows\wininit.ini
    [2012/07/02 11:39:31 | 000,046,270 | ---- | C] () -- C:\Users\Admin\Documents\cc_20120702_113920.reg
    [2012/02/16 23:43:03 | 000,000,000 | -H-- | C] () -- C:\Users\Admin\AppData\Local\rx_image32.Cache
    [2012/02/05 15:56:35 | 000,013,312 | -H-- | C] () -- C:\Users\Admin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/02/02 20:43:30 | 000,007,611 | -H-- | C] () -- C:\Users\Admin\AppData\Local\resmon.resmoncfg
    [2012/01/30 02:14:08 | 000,000,061 | ---- | C] () -- C:\Windows\avinstalled.ini
    [2012/01/14 17:19:30 | 000,020,436 | ---- | C] () -- C:\Windows\W2BNEUnin.dat
    [2012/01/13 19:14:43 | 000,019,632 | ---- | C] () -- C:\Windows\MSTMON_S.INI
    [2012/01/13 19:14:43 | 000,019,472 | ---- | C] () -- C:\Windows\MSUMLT_S.INI
    [2012/01/13 19:04:01 | 000,000,000 | ---- | C] () -- C:\Windows\OpPrintServer.INI
    [2012/01/13 10:01:49 | 000,785,842 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
    [2012/01/13 09:48:10 | 000,000,010 | ---- | C] () -- C:\Windows\GSetup.ini
    [2001/06/20 17:34:32 | 000,082,395 | ---- | C] () -- C:\Program Files\Sample.mov
    [2001/06/20 17:34:32 | 000,029,363 | ---- | C] () -- C:\Program Files\Sample.qtif
    [2001/06/20 17:34:32 | 000,004,653 | ---- | C] () -- C:\Program Files\readme.wri

    ========== LOP Check ==========

    [2012/03/13 00:16:44 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\Audacity
    [2012/01/13 11:26:36 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\AVG2012
    [2012/01/13 23:19:05 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\IrfanView
    [2012/01/13 11:36:51 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\OpenOffice.org
    [2012/01/20 22:52:27 | 000,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\UnitConverter
    [2009/07/14 01:08:49 | 000,011,634 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    < End of report >
    Last edited by Jack&Jill; 2012-07-18 at 01:36. Reason: Disable live links

  4. #14
    Junior Member
    Join Date
    Apr 2011
    Posts
    25

    Post Otl extras log

    Jack&Jill,

    The OTL EXTRAS log:

    OTL Extras logfile created on: 7/15/2012 1:32:27 PM - Run 1
    OTL by OldTimer - Version 3.2.54.0 Folder = C:\Users\Admin\Desktop
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.75 Gb Total Physical Memory | 2.45 Gb Available Physical Memory | 65.41% Memory free
    7.50 Gb Paging File | 5.53 Gb Available in Paging File | 73.76% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 465.66 Gb Total Space | 351.32 Gb Free Space | 75.45% Space Free | Partition Type: NTFS
    Drive D: | 634.80 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: ADMIN-PC | User Name: Admin | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

    ========== Shell Spawning ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [edit] -- Reg Error: Key error.
    htmlfile [print] -- "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
    inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
    InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
    InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [edit] -- Reg Error: Key error.
    inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

    ========== System Restore Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{0313D945-F3CA-4A16-BD78-89DF7D2F0F68}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{050DABD9-4A75-4E2D-B1C8-CFD58A1BCA20}" = rport=445 | protocol=6 | dir=out | app=system |
    "{21E3C675-D447-47CC-9B8F-886C6F1C61BD}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
    "{2E014DC4-D5D4-479D-A653-B1243CAC1708}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{2E68E02A-77DE-4B71-8FAE-9577E33E9E46}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{40E0EC41-9C56-4DD7-AF30-B29B4EEB3DE2}" = rport=10243 | protocol=6 | dir=out | app=system |
    "{546F77E4-5094-4585-A81E-B6453F3FC62C}" = rport=138 | protocol=17 | dir=out | app=system |
    "{5C4A16DF-1703-4B1E-BA03-8F3AA19E3A40}" = rport=137 | protocol=17 | dir=out | app=system |
    "{880992ED-1D4A-4977-B00A-5E38AC14C024}" = lport=10243 | protocol=6 | dir=in | app=system |
    "{95FAAE37-E3E2-4DE8-8A70-A428A373578E}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{AC786BA4-6710-4AFF-ACE0-931D1B7B00F7}" = rport=139 | protocol=6 | dir=out | app=system |
    "{AD8C752E-CB35-49FF-A727-7525B5BC8C29}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{B37C10B1-D8E5-4947-B3D4-FCD0156A897D}" = lport=138 | protocol=17 | dir=in | app=system |
    "{B8CB82F6-4191-4F56-AC33-517F830DC390}" = lport=137 | protocol=17 | dir=in | app=system |
    "{BA649EEA-4A4A-4BB6-9140-9D103140CD0F}" = lport=445 | protocol=6 | dir=in | app=system |
    "{BB01630B-62FA-4407-8E43-A1889F28A3B3}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
    "{C305C4F3-6B45-405F-BE6B-970FE95EDC0A}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{D2231BD0-CF34-46EF-B243-E2E6316BDAF9}" = lport=2869 | protocol=6 | dir=in | app=system |
    "{D39A4952-41BF-430D-A129-E6298FFB2CF9}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
    "{D96CC3DB-2F9B-4C62-91D9-A4840F653BAE}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{E390A330-17A6-4F41-B478-F541301832C9}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
    "{F264C598-DEBB-4814-BB14-73966FF719E8}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
    "{FDC38785-F232-4A8B-8AEF-9F1B6474C637}" = lport=139 | protocol=6 | dir=in | app=system |

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{06C8BDA1-8C18-499A-92D8-F8EFFEEC28D9}" = protocol=6 | dir=in | app=c:\program files (x86)\avg\avg2012\avgdiagex.exe |
    "{07426982-116A-4E74-A7B6-5C49B6EB9F07}" = protocol=6 | dir=in | app=c:\program files (x86)\avg\avg2012\avgemca.exe |
    "{0AF34461-C86A-4A00-8495-1FAC66BD8325}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
    "{11854DCA-E797-428F-8941-0B8966D463DE}" = protocol=6 | dir=in | app=c:\program files (x86)\avg\avg2012\avgnsa.exe |
    "{20451FE7-1A62-4450-A362-636931BF15C9}" = protocol=6 | dir=in | app=c:\program files (x86)\avg\avg2012\avgnsa.exe |
    "{25ADB5D1-5A66-4C6F-AF62-D8D736C258A4}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{28EA1FE0-5DE3-4AE7-8512-04B4CCD0CC3E}" = protocol=17 | dir=in | app=c:\program files (x86)\avg\avg2012\avgdiagex.exe |
    "{2C7AAD98-C5BE-4831-9BF1-F6E459F804AE}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{2F624ED8-FEA0-40B3-85E9-E5D4895D845B}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{2FD21A30-E388-478B-9BC2-05219A8C024F}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
    "{3351907B-64BE-40B0-9456-9AFD61E5E9E4}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{40242CD5-69F3-4CB8-A473-1C8122EB64A5}" = protocol=17 | dir=in | app=c:\program files (x86)\avg\avg2012\avgemca.exe |
    "{474BDA8B-22C2-47B4-98D8-6ABF81964276}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{491962E1-44D2-4015-82F6-34413D18FD9C}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{4EE3A50E-F34D-4594-8EE6-1FD91AC2E030}" = protocol=17 | dir=in | app=c:\program files (x86)\avg\avg2012\avgnsa.exe |
    "{61F4C2B7-D9B1-4B62-91C5-BBA7BA527E84}" = protocol=6 | dir=out | app=system |
    "{6C862B35-73D7-40B5-BDF4-66B5AC2DF649}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{6FCF89EF-1D22-44AD-811A-4AA29D4C16EF}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
    "{79A25403-6BCE-448F-91D6-D45BC3C1290A}" = protocol=6 | dir=in | app=c:\program files (x86)\avg\avg2012\avgmfapx.exe |
    "{7C8422A9-2A8F-42D0-BF0D-0C0272BADBD5}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
    "{7FDB253E-FD6D-4BE5-A7D2-7F2D36CBDE9F}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{8D9A7334-8751-4E72-8E6F-747E0EEF9EE1}" = protocol=17 | dir=in | app=c:\program files (x86)\avg\avg2012\avgemca.exe |
    "{A16378D3-7E9D-4A9D-A039-BE1A8D28C83F}" = protocol=6 | dir=in | app=c:\program files (x86)\avg\avg2012\avgdiagex.exe |
    "{AB565E20-D988-474F-9933-1D393374B8AB}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
    "{AE31AF2C-BC48-4580-85A6-C3FE7E8AB566}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{C6690302-D785-491E-8473-C67B468866A9}" = protocol=6 | dir=in | app=c:\program files (x86)\avg\avg2012\avgemca.exe |
    "{CE3562A2-C2B6-4B32-824C-C8E9CC45DD6F}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
    "{E4010475-DDBA-420F-B548-DC4941205A8A}" = protocol=17 | dir=in | app=c:\program files (x86)\avg\avg2012\avgmfapx.exe |
    "{E55D9CB9-F7FF-4D00-A42B-9104497BD890}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
    "{E63B6197-4630-4DD1-93C0-3461DF0F738A}" = protocol=17 | dir=in | app=c:\program files (x86)\avg\avg2012\avgnsa.exe |
    "{E6FD7598-4A42-4489-924B-E0CBC1BE01E9}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
    "{E7E75174-4AE2-4E08-BE8E-20537A27AD1A}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
    "{E947FC74-0A10-4984-94A2-44FC93F20116}" = protocol=17 | dir=in | app=c:\program files (x86)\avg\avg2012\avgmfapx.exe |
    "{EDD3CFF4-8E2C-42E0-9AB0-194D6B5D6C18}" = protocol=17 | dir=in | app=c:\program files (x86)\avg\avg2012\avgdiagex.exe |
    "{F8B53D5C-E4DB-4A24-8A95-0B26B2A7D004}" = protocol=6 | dir=in | app=c:\program files (x86)\avg\avg2012\avgmfapx.exe |
    "{FBC1E7CB-C3D5-4531-9AB2-605147C9648A}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{3C8159DD-1890-4625-A5B2-E3D8D78D4486}" = AVG 2012
    "{6B9CE44B-52D0-4B2F-BDFA-56FF4977A790}" = AVG 2012
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
    "{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb" = Internet Explorer (Enable DEP)
    "{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
    "1196D442E5ECB5E86948906FE5B87E4D58C27BA4" = Windows Driver Package - Realtek Semiconductor Corp (RTL85n64) Net (06/15/2010 6.1125.0615.2010)
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX 64-bit
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin 64-bit
    "AVG" = AVG 2012
    "CCleaner" = CCleaner
    "KONICA MINOLTA magicolor 2400W" = KONICA MINOLTA magicolor 2400W
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
    "NVIDIA Display Control Panel" = NVIDIA Display Control Panel
    "NVIDIA Drivers" = NVIDIA Drivers
    "VueScan" = VueScan

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{03F1CC67-5BD8-4C36-8394-76311B2AE69A}" = ArcSoft PhotoStudio 5
    "{0878E100-C0BB-41E8-B4C6-C486B61FDA7B}" = Canon PhotoRecord
    "{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Central Data
    "{098122AB-C605-4853-B441-C0A4EB359B75}" = DirectXInstallService
    "{1B683082-8791-4D00-8ADE-6C8986FCCC68}" = Roxio CinePlayer
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Central Tools
    "{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Suite
    "{218BBBE3-FE63-4BB2-81A8-7435575A84FA}" = PhotoStitch
    "{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java(TM) 6 Update 30
    "{26E80502-72BB-4095-877F-44925A5D6B91}" = FrenchNow!
    "{28291BD5-92D2-4685-82DC-CCA925C53CCA}" = RemoteCapture Task 1.1
    "{2934DCB0-F8EE-11E0-A4A5-B8AC6F97B88E}" = Google Earth Plug-in
    "{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
    "{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
    "{45EF4EE3-F591-4B74-A477-0CAE12934CE7}" = RAW Image Task 1.2
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4C96958A-6562-4143-B820-FF4890D3B734}" = Camera Window DVC
    "{537BF16E-7412-448C-95D8-846E85A1D817}" = Roxio Creator 10 CE
    "{5A06423A-210C-49FB-950E-CB0EB8C5CEC7}" = Roxio BackOnTrack
    "{60B2315F-680F-4EB3-B8DD-CCDC86A7CCAB}" = Roxio File Backup
    "{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
    "{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
    "{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
    "{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Central Audio
    "{7CFD02D2-44CF-4033-97E8-768A82C4C007}" = Roxio Plextor Driver Documentation
    "{7F10292C-A190-4176-A665-A1ED3478DF86}" = LightScribe System Software
    "{8AF1E098-1A5C-4336-BBE2-D047ABB401ED}" = MovieEdit Task
    "{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Roxio CinePlayer Decoder Pack
    "{91203BD3-6C3E-472F-ADBD-F60FDC7C4010}" = Camera Window DS
    "{91F1A0D6-23AD-49FE-8D4E-379485652214}" = Camera Support Core Library
    "{99024F9F-40ED-4CBF-9744-2015334006E0}" = GrammarPro!
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{A0AB2980-1FDD-4b6c-940C-FC87C84F05B7}_is1" = FlashCatch
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
    "{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
    "{AF9E97C1-7431-426D-A8D5-ABE40995C0B1}" = DirectX 9 Runtime
    "{B1BDEA80-95CE-4DFB-B9D3-DC800E7F87B4}" = TRENDnet 802.11g Wireless CardBus/PCI Adapter
    "{B2DC3F08-2EB2-49A5-AA24-15DFC8B1CB83}" = @BIOS
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Central Copy
    "{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
    "{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
    "{C1D14C0D-FDAA-4DF2-8441-A902805CCE8C}" = ArcSoft PhotoBase 3
    "{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}" = Canon ZoomBrowser EX
    "{C7281207-4AA4-425E-B57A-0E9EF8445635}" = Camera Window MC
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CB3C10B1-C8C2-4197-A687-0901064F68AB}" = Roxio Creator 10 CE
    "{D533DC05-E776-4ABC-82E1-D8D733D2E6B3}" = AncestryView 2.6
    "{EC877639-07AB-495C-BFD1-D63AF9140810}" = Roxio Activation Module
    "{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Central Core
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{FCDBEA60-79F0-4FAE-BBA8-55A26C609A49}" = Visual Studio 2008 x64 Redistributables
    "{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
    "Adobe AIR" = Adobe AIR
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.6
    "Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.14 (Unicode)
    "Digital Editions" = Adobe Digital Editions
    "ERUNT_is1" = ERUNT 1.1j
    "InstallShield_{218BBBE3-FE63-4BB2-81A8-7435575A84FA}" = Canon Utilities PhotoStitch 3.1
    "InstallShield_{28291BD5-92D2-4685-82DC-CCA925C53CCA}" = Canon RemoteCapture Task for ZoomBrowser EX
    "InstallShield_{45EF4EE3-F591-4B74-A477-0CAE12934CE7}" = Canon RAW Image Task for ZoomBrowser EX
    "InstallShield_{4C96958A-6562-4143-B820-FF4890D3B734}" = Canon Camera Window DVC for ZoomBrowser EX
    "InstallShield_{8AF1E098-1A5C-4336-BBE2-D047ABB401ED}" = Canon MovieEdit Task for ZoomBrowser EX
    "InstallShield_{91203BD3-6C3E-472F-ADBD-F60FDC7C4010}" = Canon Camera Window DS for ZoomBrowser EX
    "InstallShield_{91F1A0D6-23AD-49FE-8D4E-379485652214}" = Canon Camera Support Core Library
    "InstallShield_{C7281207-4AA4-425E-B57A-0E9EF8445635}" = Canon Camera Window for ZoomBrowser EX
    "InstallShield_{D533DC05-E776-4ABC-82E1-D8D733D2E6B3}" = AncestryView 2.6
    "IrfanView" = IrfanView (remove only)
    "LAME_is1" = LAME v3.99.3 (for Windows)
    "Legacy 6.0" = Legacy 6.0
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
    "Mozilla Firefox 13.0.1 (x86 en-US)" = Mozilla Firefox 13.0.1 (x86 en-US)
    "QuickTime" = QuickTime
    "Universal Extractor_is1" = Universal Extractor 1.6.1
    "Warcraft II BNE" = Warcraft II BNE

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-4245015985-2778896149-1756623667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "BandiZip" = BandiZip

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 7/10/2012 12:31:28 AM | Computer Name = Admin-PC | Source = SideBySide | ID = 16842815
    Description = Activation context generation failed for "c:\program files (x86)\spybot
    - search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program
    files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of
    attribute "language" in element "assemblyIdentity" is invalid.

    Error - 7/12/2012 4:33:02 AM | Computer Name = Admin-PC | Source = SideBySide | ID = 16842815
    Description = Activation context generation failed for "c:\program files (x86)\spybot
    - search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program
    files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of
    attribute "language" in element "assemblyIdentity" is invalid.

    Error - 7/12/2012 8:56:39 AM | Computer Name = Admin-PC | Source = Application Hang | ID = 1002
    Description = The program iexplore.exe version 9.0.8112.16421 stopped interacting
    with Windows and was closed. To see if more information about the problem is available,
    check the problem history in the Action Center control panel. Process ID: 13a0 Start
    Time: 01cd6029b0c545b4 Termination Time: 47 Application Path: C:\Program Files (x86)\Internet
    Explorer\iexplore.exe Report Id:

    Error - 7/12/2012 8:58:22 AM | Computer Name = Admin-PC | Source = Application Error | ID = 1000
    Description = Faulting application name: iexplore.exe, version: 9.0.8112.16421,
    time stamp: 0x4d76255d Faulting module name: unknown, version: 0.0.0.0, time stamp:
    0x00000000 Exception code: 0xc0000005 Fault offset: 0x73b0c9f1 Faulting process id:
    0xc98 Faulting application start time: 0x01cd602de556ed24 Faulting application path:
    C:\Program Files (x86)\Internet Explorer\iexplore.exe Faulting module path: unknown
    Report
    Id: 423d3674-cc21-11e1-9de3-50e5499d7e93

    Error - 7/12/2012 9:00:07 AM | Computer Name = Admin-PC | Source = Application Error | ID = 1000
    Description = Faulting application name: iexplore.exe, version: 9.0.8112.16421,
    time stamp: 0x4d76255d Faulting module name: unknown, version: 0.0.0.0, time stamp:
    0x00000000 Exception code: 0xc0000005 Fault offset: 0x00e05ab0 Faulting process id:
    0x10c0 Faulting application start time: 0x01cd602e0fefa684 Faulting application path:
    C:\Program Files (x86)\Internet Explorer\iexplore.exe Faulting module path: unknown
    Report
    Id: 80cbb94c-cc21-11e1-9de3-50e5499d7e93

    Error - 7/12/2012 1:57:28 PM | Computer Name = Admin-PC | Source = Application Hang | ID = 1002
    Description = The program iexplore.exe version 9.0.8112.16421 stopped interacting
    with Windows and was closed. To see if more information about the problem is available,
    check the problem history in the Action Center control panel. Process ID: 1dc Start
    Time: 01cd60527d3d2b70 Termination Time: 30 Application Path: C:\Program Files (x86)\Internet
    Explorer\iexplore.exe Report Id:

    Error - 7/13/2012 7:45:56 AM | Computer Name = Admin-PC | Source = SideBySide | ID = 16842815
    Description = Activation context generation failed for "c:\program files (x86)\spybot
    - search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program
    files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of
    attribute "language" in element "assemblyIdentity" is invalid.

    Error - 7/14/2012 4:33:53 AM | Computer Name = Admin-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 7/14/2012 11:20:00 AM | Computer Name = Admin-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 7/15/2012 6:27:29 AM | Computer Name = Admin-PC | Source = SideBySide | ID = 16842815
    Description = Activation context generation failed for "c:\program files (x86)\spybot
    - search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program
    files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of
    attribute "language" in element "assemblyIdentity" is invalid.

    [ System Events ]
    Error - 7/9/2012 8:28:30 PM | Computer Name = Admin-PC | Source = DCOM | ID = 10016
    Description =

    Error - 7/13/2012 4:06:40 AM | Computer Name = Admin-PC | Source = DCOM | ID = 10016
    Description =

    Error - 7/13/2012 7:18:11 PM | Computer Name = Admin-PC | Source = DCOM | ID = 10016
    Description =

    Error - 7/14/2012 4:33:52 AM | Computer Name = Admin-PC | Source = Service Control Manager | ID = 7000
    Description = The SessionLauncher service failed to start due to the following error:
    %%2

    Error - 7/14/2012 4:34:02 AM | Computer Name = Admin-PC | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    RxFilter

    Error - 7/14/2012 7:40:55 AM | Computer Name = Admin-PC | Source = Microsoft-Windows-HAL | ID = 12
    Description = The platform firmware has corrupted memory across the previous system
    power transition. Please check for updated firmware for your system.

    Error - 7/14/2012 11:19:59 AM | Computer Name = Admin-PC | Source = Service Control Manager | ID = 7000
    Description = The SessionLauncher service failed to start due to the following error:
    %%2

    Error - 7/14/2012 11:20:06 AM | Computer Name = Admin-PC | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    RxFilter

    Error - 7/14/2012 11:21:23 AM | Computer Name = Admin-PC | Source = Service Control Manager | ID = 7034
    Description = The Cyberlink RichVideo Service(CRVS) service terminated unexpectedly.
    It has done this 1 time(s).

    Error - 7/14/2012 11:03:54 PM | Computer Name = Admin-PC | Source = Microsoft-Windows-HAL | ID = 12
    Description = The platform firmware has corrupted memory across the previous system
    power transition. Please check for updated firmware for your system.


    < End of report >

  5. #15
    Junior Member
    Join Date
    Apr 2011
    Posts
    25

ESET log

    Jack&Jill,

    ESET LOG:


    C:\Users\Admin\AppData\Local\VirtualStore\Temp\ggqkf.dll a variant of Win32/Kryptik.AIGG trojan
    C:\Users\Admin\Desktop\RK_Quarantine\ggqkf.dll.vir a variant of Win32/Kryptik.AIGG trojan
    C:\Users\Admin\Desktop\Various\Applications\IE7ProSetup_2.5.1.exe Win32/OpenCandy application
    C:\Users\Admin\Desktop\Various\Applications\media.player.codec.pack.v3.9.1.setup.exe Win32/Toolbar.Widgi application
    C:\Users\Admin\Desktop\Various\Applications\media.player.codec.pack.v3.9.9.setup.exe a variant of Win32/Toolbar.Widgi application
    C:\Users\Admin\Desktop\Various\Applications\YouTubeDownloaderSetup272.exe a variant of Win32/Toolbar.Widgi application
    C:\Users\Admin\Desktop\Various\Applications\YouTubeDownloaderSetup35.exe Win32/Toolbar.Widgi application
    C:\Users\Admin\Desktop\Various\Applications\YouTubeDownloaderSetup35.exe.yc1ptij.partial Win32/Toolbar.Widgi application
    C:\Utilities\produkey\produkey.zip a variant of Win32/PSWTool.ProductKey application

  6. #16
    Security Expert Jack&Jill's Avatar
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725


    Hello jpatrick ,

    Fix with OTL
    • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
    • If you need help to disable your protection programs see here and here.
    • Double click on OTL.exe to run it.
    • Copy and paste the following text into the white box below Custom Scans/Fixes:
      Code:
      :otl
      O15 - HKU\S-1-5-21-4245015985-2778896149-1756623667-1000\..Trusted Domains: microsoft.com ([oas.support] http in Trusted sites)
      
      :files
      C:\Users\Admin\AppData\Local\VirtualStore\Temp\ggqkf.dll
      C:\Users\Admin\Desktop\Various\Applications\IE7ProSetup_2.5.1.exe
      C:\Users\Admin\Desktop\Various\Applications\media.player.codec.pack.v3.9.1.setup.exe
      C:\Users\Admin\Desktop\Various\Applications\media.player.codec.pack.v3.9.9.setup.exe
      C:\Users\Admin\Desktop\Various\Applications\YouTubeDownloaderSetup272.exe
      C:\Users\Admin\Desktop\Various\Applications\YouTubeDownloaderSetup35.exe
      C:\Users\Admin\Desktop\Various\Applications\YouTubeDownloaderSetup35.exe.yc1ptij.partial
      ipconfig /flushdns /c
      
      :commands
      [CREATERESTOREPOINT]
      [EMPTYTEMP]
• Click Run Fix. Everything on the desktop may disappear; this is normal. Please wait until the tool completes its routine.
• Please post the contents of the fix log file back here if you are prompted to open the file. It can also be found at C:\_OTL\Moved Files as MMDDYYYY_HHMMSS.log, where MMDDYYYY is the date and HHMMSS is the time.
• If requested to reboot, please do so. The log file will open after restart.
• Re-enable your security software as soon as you have completed the OTL fix steps.

    --------------------

    Please post back:
    1. the OTL fix log
    2. any more problems?
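As an added check, not part of this post or of OTL, the PowerShell function below lists every domain the current user has mapped into Internet Explorer's Trusted sites zone (zone number 2 in the standard ZoneMap layout), which is the registry setting behind the O15 line in the fix above; running it before and after the fix shows whether an unexpected entry such as oas.support.microsoft.com is present. The function name is my own; the key path is the one OTL reports.

```powershell
# Added example (not from the thread or from OTL): report domains the current user
# has placed in Internet Explorer's Trusted sites zone, the setting behind an O15 line.
# Zone numbers follow the standard ZoneMap layout:
#   1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
function Get-TrustedSiteEntries {
    param(
        [string]$ZoneMapPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
        [int]$Zone = 2
    )
    if (-not (Test-Path $ZoneMapPath)) { return @() }

    # Length of the base key name, used to cut "domain\subdomain" out of each full key name.
    $baseName = (Get-Item -Path $ZoneMapPath).Name

    # Each domain is a key, an optional subdomain is a nested key, and the values are
    # protocol names ("http", "https", "*") holding the zone number as a DWORD.
    Get-ChildItem -Path $ZoneMapPath -Recurse | ForEach-Object {
        $key = $_
        $rel = $key.Name.Substring($baseName.Length + 1)   # e.g. microsoft.com\oas.support
        $parts = $rel -split '\\'
        [array]::Reverse($parts)                            # subdomain first, then domain
        $hostName = $parts -join '.'                        # e.g. oas.support.microsoft.com
        foreach ($valueName in $key.GetValueNames()) {
            if ($key.GetValue($valueName) -eq $Zone) {
                [pscustomobject]@{
                    Host     = $hostName
                    Protocol = $valueName
                    Zone     = $Zone
                    Key      = $key.Name
                }
            }
        }
    }
}

# List the current user's Trusted sites entries; review anything you did not add yourself.
Get-TrustedSiteEntries | Format-Table -AutoSize
```

The thread's finding would appear as Host = oas.support.microsoft.com with Protocol = http; after the OTL fix that row should be gone.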

  7. #17
    Junior Member
    Join Date
    Apr 2011
    Posts
    25

OTL fix log

    Hello Jack&Jill,

    The OTL fix log:

    All processes killed
    ========== OTL ==========
    Registry key HKEY_USERS\S-1-5-21-4245015985-2778896149-1756623667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com\oas.support\ deleted successfully.
    ========== FILES ==========
    C:\Users\Admin\AppData\Local\VirtualStore\Temp\ggqkf.dll moved successfully.
    C:\Users\Admin\Desktop\Various\Applications\IE7ProSetup_2.5.1.exe moved successfully.
    C:\Users\Admin\Desktop\Various\Applications\media.player.codec.pack.v3.9.1.setup.exe moved successfully.
    C:\Users\Admin\Desktop\Various\Applications\media.player.codec.pack.v3.9.9.setup.exe moved successfully.
    C:\Users\Admin\Desktop\Various\Applications\YouTubeDownloaderSetup272.exe moved successfully.
    C:\Users\Admin\Desktop\Various\Applications\YouTubeDownloaderSetup35.exe moved successfully.
    C:\Users\Admin\Desktop\Various\Applications\YouTubeDownloaderSetup35.exe.yc1ptij.partial moved successfully.
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Users\Admin\Desktop\cmd.bat deleted successfully.
    C:\Users\Admin\Desktop\cmd.txt deleted successfully.
    ========== COMMANDS ==========
    Restore point Set: OTL Restore Point

    [EMPTYTEMP]

    User: Admin
    ->Temp folder emptied: 66048856 bytes
    ->Temporary Internet Files folder emptied: 33544541 bytes
    ->Java cache emptied: 5004506 bytes
    ->FireFox cache emptied: 65404611 bytes
    ->Flash cache emptied: 120955 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 56475 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 747776 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67630 bytes
    RecycleBin emptied: 9533158 bytes

    Total Files Cleaned = 172.00 mb


    OTL by OldTimer - Version 3.2.54.0 log created on 07162012_150319

    Files\Folders moved on Reboot...
    C:\Users\Admin\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    PendingFileRenameOperations files...
    File C:\Users\Admin\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!

    Registry entries deleted on Reboot...



    Jack&Jill,


FYI: After the fix/reboot, I noticed that an issue I had been having for a few months had been resolved. In Windows 7, on the desktop, the toolbar at the bottom of the page allows you to "pin" application icon shortcuts. Two of those icons had "lost" their image and in their place was the unrecognized-file icon. Strange how this was connected to the redirect infection.

    I will post questions & concerns in the next post.

    Thanks,

    Jpatrick

  8. #18
    Junior Member
    Join Date
    Apr 2011
    Posts
    25

Questions/Concerns

    Hello Jack&Jill,

    Below are some questions/concerns that I have:


    - What should I do with the programs: OTL, aswMBR, RogueKiller, mbam & ESET(this one I didn't delete after the online scan)?

    - I use Spybot & AVG, but neither of these detected any problems. Should I keep mbam & bag one of the others?

    - I noted that these program setup files were "infected":

    C:\Users\Admin\Desktop\Various\Applications\IE7ProSetup_2.5.1.exe
    C:\Users\Admin\Desktop\Various\Applications\media.player.codec.pack.v3.9.1.setup.exe
    C:\Users\Admin\Desktop\Various\Applications\media.player.codec.pack.v3.9.9.setup.exe
    C:\Users\Admin\Desktop\Various\Applications\YouTubeDownloaderSetup272.exe
    C:\Users\Admin\Desktop\Various\Applications\YouTubeDownloaderSetup35.exe
    C:\Users\Admin\Desktop\Various\Applications\YouTubeDownloaderSetup35.exe.yc1ptij.partial

Two issues: 1. Were these infected when I downloaded them from CNET, or were they infected by malware after I downloaded them, or were they not "infected", but just a vehicle for infections, PUP-type programs? 2. I have backed up those files on an EXTERNAL hard drive. Can I go into that external HD and delete those files without reinfecting my system? Is it possible to scan the external drive with the programs you had me download?

    - I have also used USB Flash drives to backup some files... none of those files. Is there a threat with those?

    - The RogueKiller, -RK_Quarantine folder-, with contents, is still on my desktop. Should I delete the folder and/or the contents?

    - Could this malware issue have made me vulnerable to identity theft? Do I need to change passwords or call my bank?

    This is all I can think of right now.

    Thank you for taking the time to answer the above.

    Jpatrick

  9. #19
    Security Expert Jack&Jill's Avatar
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725


    Hello jpatrick ,

Two issues: 1. Were these infected when I downloaded them from CNET, or were they infected by malware after I downloaded them, or were they not "infected", but just a vehicle for infections, PUP-type programs? 2. I have backed up those files on an EXTERNAL hard drive. Can I go into that external HD and delete those files without reinfecting my system? Is it possible to scan the external drive with the programs you had me download?

    - I have also used USB Flash drives to backup some files... none of those files. Is there a threat with those?
They are PUP or borderline type, basically from the source. Yes, you can go into the external drive and delete them. To be sure, you can try MBAM or ESET on any drives or USB devices you have.

    - Could this malware issue have made me vulnerable to identity theft? Do I need to change passwords or call my bank?
    As far as I can tell, the threat is not that severe, but with malware, you will never know. Due to this, better safe than sorry.

    For the rest of your questions, the answers are below.

    --------------------

Congratulations, you are All Clear to go. Glad to hear everything is good and running. If you have any more problems, please let me know.

    Now we need to clear out the programs we have been using to clean up your computer. They are not suitable for general malware removal and could cause damage if used inappropriately.
    • Run OTL by double clicking on OTL.exe. Click on CleanUp, proceed to reboot if prompted.
    • Delete the aswMBR and RogueKiller files on your desktop.
    • Delete any logs on the desktop.


    Some tips to help you stay clean and safe:

1. Keep your Windows up to date. Enable Automatic Updates for Windows 7 to always get the latest security patches from Microsoft, or you can download them from the Microsoft website. Otherwise, your computer will be vulnerable to new exploits or malware.

2. Purge System Restore, for this one time only. A recovery feature will only be useful if it is clean of malware. See the Windows 7 System Restore Guide for a detailed explanation.

3. Update your antivirus program regularly; it is a must for constant protection against viruses. If you do not have one, Microsoft Security Essentials and Avast are some great and free antivirus programs that you can try. For paid versions, Avast, ESET NOD32 and Kaspersky are some good options. Please keep only one AV installed.

4. Install Malwarebytes' Anti-Malware if you haven't and use it occasionally. It is a new and powerful anti-malware tool, totally free, but for real-time protection you will have to pay a small one-time fee.

    5. Install WinPatrol, a great protection program that helps you monitor for unwanted files or applications. You need to choose between Spybot or Winpatrol.

    6. Use a hosts file to block the access of bad sites from your computer. Get yourself a MVPS Hosts for this purpose. You don't need this if you have Spybot's immunization.

7. Install Web of Trust (WOT). WOT keeps you away from dangerous websites with warnings and blocking.

    8. Protect your computer from removable or USB drive infections with MCShield, an effective method to prevent malware from spreading.

9. Keep all your software updated. Visit Secunia Software Inspector to find out if any updates are required.

    10. Make full use of Windows 7 firewall to step up the defense against internet dangers.

    11. Also look up:
    Computer Security - a short guide to staying safer online
    PC Safety and Security - What Do I Need? By Glaswegian
    How to prevent malware: By miekiemoes
    So how did I get infected in the first place? By Tony Klein
    Microsoft Online Safety

    Stay safe.


  10. #20
    Junior Member
    Join Date
    Apr 2011
    Posts
    25

Issue returned!! MBAM scan: Trojan.BHO

    Hello Jack&Jill,

This is getting ridiculous! I was using Firefox (I usually use IE9... I've heard/read that Firefox is more secure so I thought I'd use that more regularly) and again, when I right-click on a link to open it in a new tab I've been redirected!!

    I ran MBAM and it found this:

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.07.14.02

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Admin :: ADMIN-PC [administrator]

    7/17/2012 1:01:05 AM
    mbam-log-2012-07-17 (01-47-51).txt

    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 320813
    Time elapsed: 30 minute(s), 34 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Users\Admin\AppData\Local\Temp\0.8223045982200018 (Trojan.BHO)
    -> No action taken.

    (end)


    WTF!!

    I didn't delete it... I wanted you to see it first.

I had an XP machine for 9 years.... that's right, 9 years! I was infected once, in April 2011. I thought an 'upgrade' might be in order.... 1/2 a gigabyte of RAM memory was ridiculously slow, but the cost of this new operating system & newer IE is making me long for XP Home & IE7!!

    What could be causing this reinfection? I have NOT connected my external HD to deal with the PUP programs we deleted early yesterday nor have I used the flash drives. I just surfed in Firefox!

I checked the Add-on Manager in Firefox & the Java plug-in has issues, but Firefox has blocked its use. Spybot TeaTimer is running.

FYI: I haven't deleted any of the programs we used to diagnose these problems, in case we need to use them again.

    Now what?

    Jpatrick
