
Thread: Search Babylon redirect plus slow PC

  1. #1
    Member
    Join Date
    Oct 2010
    Posts
    34

    Search Babylon redirect plus slow PC

    I haven't used this PC for a while but need to do so over the next few weeks. Whenever I open up an internet browser I am redirected to a search babylon page. Not sure if this is related but I also have some strange flashing blue/yellow lines that resemble barcodes going down my screen making things a little hard to see although I guess that's more of a hardware issue.

    Here is my DDS log:

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 8.0.6001.19088 BrowserJavaVersion: 1.6.0_22
    Run by Marcus at 12:58:44 on 2012-12-04
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2047.598 [GMT 0:00]
    .
    AV: Norton AntiVirus *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
    SP: Norton AntiVirus *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\SLsvc.exe
    C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Microsoft\BingBar\BBSvc.EXE
    C:\Program Files\Microsoft\BingBar\SeaPort.EXE
    C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\hp\support\hpsysdrv.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
    C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Ask.com\Updater\Updater.exe
    C:\Program Files\HP\HP Software Update\hpwuschd2.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
    C:\Program Files\ByteGems.com\I Hate This Key\IHateThisKey.exe
    C:\Program Files\Registry Mechanic\RMTray.exe
    C:\Program Files\ManyCam 2.4\ManyCam.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Users\Marcus\Program Files\DNA\btdna.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\mobsync.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\hp\kbd\kbd.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe
    C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\msiexec.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\MsiExec.exe
    C:\Program Files\Ask.com\SaUpdate.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\System32\svchost.exe -k swprv
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://search.babylon.com/?affID=111576&tt=050412_30b~171011_prot&babsrc=HP_ss&mntrId=d6db8b98000000000000001bfcdfb611
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\ask.com\GenericAskToolbar.dll
    uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - <orphaned>
    mWinlogon: Userinit = c:\windows\system32\userinit.exe
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: PC Tools Browser Guard BHO: {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    BHO: Yahoo! IE Services Button: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
    BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton antivirus\engine\17.0.0.136\IPSBHO.dll
    BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Help the General-Search Project: {CA4520F3-AE13-4FB1-A513-58E23991C86D} - c:\users\marcus\appdata\roaming\media finder\extensions\gencrawler_gc.dll
    BHO: Complitly: {D27FC31C-6E3D-4305-8D53-ACDAEFA5F862} - c:\users\marcus\appdata\roaming\complitly\Complitly.dll
    BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
    BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: PC Tools Browser Guard: {472734EA-242A-422B-ADF8-83D1E48CC825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: PC Tools Browser Guard: {472734EA-242A-422B-ADF8-83D1E48CC825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
    uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe"
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe"
    uRun: [IHateThisKey] c:\program files\bytegems.com\i hate this key\IHateThisKey.exe
    uRun: [RegistryMechanic] c:\program files\registry mechanic\RMTray.exe /H
    uRun: [ManyCam] "c:\program files\manycam 2.4\ManyCam.exe"
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [BitTorrent DNA] "c:\users\marcus\program files\dna\btdna.exe"
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [NltYsmms] c:\users\marcus\appdata\local\ficmijdg\nltysmms.exe
    uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_4_402_287_ActiveX.exe -update activex
    mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
    mRun: [KBD] c:\hp\kbd\KbdStub.EXE
    mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [CCUTRAYICON] FactoryMode
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [RegKillElbyCheck] "c:\program files\elaborate bytes\dvd region killer\ElbyCheck.exe" /L RegKill
    mRun: [RegKillTray] "c:\program files\elaborate bytes\dvd region killer\RegKillTray.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    StartupFolder: c:\users\marcus\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    uPolicies-Explorer: NoDrives = dword:0
    mPolicies-Explorer: NoDriveAutoRun = dword:67108863
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
    mPolicies-Explorer: NoDrives = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: Download with &Media Finder - c:\program files\media finder\hook.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
    DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: NameServer = 192.168.1.254 192.168.1.254
    TCP: Interfaces\{19AB887A-494A-4D58-A9B3-3D97A38222AC} : DHCPNameServer = 192.168.1.254 192.168.1.254
    TCP: Interfaces\{47C31F12-7350-4B4A-B5B0-533A22C18501} : DHCPNameServer = 192.168.1.254
    TCP: Interfaces\{C292A6E2-AFFA-4AF4-9307-D9D5C99AAF8E} : DHCPNameServer = 208.67.220.220,208.67.222.222
    LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\marcus\appdata\roaming\mozilla\firefox\profiles\i5auhz8l.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2801948&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine -
    FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?affID=111576&tt=050412_30b~171011_prot&babsrc=HP_ss&mntrId=d6db8b98000000000000001bfcdfb611
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&q=
    FF - component: c:\users\marcus\appdata\roaming\mozilla\firefox\profiles\i5auhz8l.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
    FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\users\marcus\program files\dna\plugins\npbtdna.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_271.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: SearchInOneStep: {8771569D-6C8B-45B5-8D74-5A80DDDF668D} - c:\program files\mozilla firefox\extensions\{8771569D-6C8B-45B5-8D74-5A80DDDF668D}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    FF - user.js: extensions.BabylonToolbar_i.id - d6db8b98000000000000001bfcdfb611
    FF - user.js: extensions.BabylonToolbar_i.hardId - d6db8b98000000000000001bfcdfb611
    FF - user.js: extensions.BabylonToolbar_i.instlDay - 15439
    FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1714:32:18
    FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
    FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
    FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
    FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
    FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
    FF - user.js: extensions.BabylonToolbar_i.newTab - false
    FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=111576&tt=050412_30b~171011_prot
    FF - user.js: extensions.BabylonToolbar_i.babExt -
    FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
    FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-10-18 28552]
    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-5-31 207280]
    R2 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-10-21 196176]
    R2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-10-13 249648]
    R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-5-31 112592]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2011-4-7 378472]
    R3 athur;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athur.sys [2012-5-27 1439744]
    R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
    R3 RegKill;RegKill;c:\windows\system32\drivers\RegKill.sys [2002-11-27 6400]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]
    S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\drivers\ceusbaud.sys [2003-11-1 17920]
    S3 DfuUsb;DfuUsb;c:\windows\system32\drivers\DFUUsb.sys [2001-11-27 10880]
    S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-11-20 54632]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-6-7 38224]
    S3 MCLServiceATL;Intel(R) Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-9-11 167936]
    S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-12-27 27192]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-5-31 358600]
    S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-5-31 1141200]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
    .
    =============== Created Last 30 ================
    .
    .
    ==================== Find3M ====================
    .
    2012-12-04 12:52:10 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-12-04 12:52:10 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    .
    ============= FINISH: 13:07:08.03 ===============

    Followed by aswMBR log:

    aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
    Run date: 2012-12-04 13:11:06
    -----------------------------
    13:11:06.172 OS Version: Windows 6.0.6001 Service Pack 1
    13:11:06.172 Number of processors: 2 586 0xF0B
    13:11:06.172 ComputerName: MARCUS-PC UserName: Marcus
    13:11:08.293 Initialize success
    13:12:00.339 AVAST engine defs: 12120301
    13:15:54.732 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    13:15:54.735 Disk 0 Vendor: ST3320820AS 3.AHG Size: 305245MB BusType: 3
    13:15:54.746 Disk 0 MBR read successfully
    13:15:54.749 Disk 0 MBR scan
    13:15:54.754 Disk 0 unknown MBR code
    13:15:54.757 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 297163 MB offset 63
    13:15:54.785 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 8079 MB offset 608590395
    13:15:54.806 Disk 0 scanning sectors +625137345
    13:15:54.875 Disk 0 scanning C:\Windows\system32\drivers
    13:16:11.873 Service scanning
    13:16:42.741 Modules scanning
    13:16:52.557 Disk 0 trace - called modules:
    13:16:52.600 ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll ataport.SYS pciide.sys
    13:16:52.627 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89b1d820]
    13:16:52.628 3 CLASSPNP.SYS[8cf9d745] -> nt!IofCallDriver -> [0x89b06050]
    13:16:52.628 5 PCTCore.sys[807c388f] -> nt!IofCallDriver -> [0x89a0a918]
    13:16:52.629 7 acpi.sys[8c8c56a0] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x899f8ba0]
    13:16:57.623 AVAST engine scan C:\Windows
    13:17:05.026 AVAST engine scan C:\Windows\system32
    13:21:34.420 AVAST engine scan C:\Windows\system32\drivers
    13:21:53.478 AVAST engine scan C:\Users\Marcus
    13:32:01.289 File: C:\Users\Marcus\AppData\Local\Temp\ftotuoodnwwgkpja.exe **INFECTED** Win32:Katusha-FK [Trj]
    14:10:25.405 File: C:\Users\Marcus\Downloads\Bobafett\BOBAFETT.EXE **INFECTED** Win32:CIH-C
    14:12:16.524 File: C:\Users\Marcus\Downloads\XvidSetup(2).exe **INFECTED** Win32:HotBar-BL [Adw]
    14:12:16.665 File: C:\Users\Marcus\Downloads\XvidSetup(3).exe **INFECTED** Win32:HotBar-BL [Adw]
    14:12:16.774 File: C:\Users\Marcus\Downloads\XvidSetup(4).exe **INFECTED** Win32:HotBar-BL [Adw]
    14:12:16.852 File: C:\Users\Marcus\Downloads\XvidSetup.exe **INFECTED** Win32:HotBar-BL [Adw]
    14:26:56.493 AVAST engine scan C:\ProgramData
    14:30:21.477 Scan finished successfully
    14:34:17.099 Disk 0 MBR has been saved successfully to "C:\Users\Marcus\Desktop\MBR.dat"
    14:34:17.131 The log file has been saved successfully to "C:\Users\Marcus\Desktop\aswMBR.txt"

  2. #2
    Malware Team-Emeritus
    Join Date
    Sep 2012
    Location
    Florida, USA
    Posts
    1,161


    Hello marcus89,

    My name is OCD. I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

    Please be advised that, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice; this will be a team effort. This may cause a delay, but I will do my best to keep it as short as possible. Please bear with me; I will post back to you as soon as I can.
    • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
    • The fixes are specific to your problem and should only be used for the issues on this machine.
    • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
    • It's often worth reading through these instructions and printing them for ease of reference.
    • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
    • Please reply to this thread. Do not start a new topic.

    IMPORTANT NOTE: Please do not delete, download or install anything unless instructed to do so.

    DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.

    Important Note for Vista and Windows 7 users:

    These tools MUST be run from the executable (.exe) every time you run them, with Admin Rights (Right click, choose "Run as Administrator").

    Please stay with this topic until I let you know that your system appears to be "All Clear"
    OCD
    ----------
    Graduate of WTT Classroom
    Member of UNITE

    Threads will be closed if no response after 5 days

  3. #3
    Malware Team-Emeritus
    Join Date
    Sep 2012
    Location
    Florida, USA
    Posts
    1,161


    Hi marcus89,

    IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

    This allows hackers to remotely control your computer, steal critical system information and download and execute files.
    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

    Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

    How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
    When Should I Format, How Should I Reinstall

    Next

    Please download DeFogger to your desktop.
    Right click DeFogger and select "Run as Administrator" to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • If it needs to, DeFogger may ask to reboot the machine - click OK

    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
    Do not re-enable these drivers until otherwise instructed.

    Next

    Refer to the ComboFix User's Guide

    1. Download ComboFix from the following location:

      Link

      * IMPORTANT !!! Place ComboFix.exe on your Desktop
    2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
      You can get help on disabling your protection programs here
    3. Double click on ComboFix.exe & follow the prompts.
    4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
    5. When finished, it shall produce a log for you. Post that log in your next reply.

      Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

      ---------------------------------------------------------------------------------------------
    6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

      ---------------------------------------------------------------------------------------------

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

    In your next post please provide the following:
    • ComboFix log
    OCD

  4. #4
    Member
    Join Date
    Oct 2010
    Posts
    34


    Hi, apologies for the late reply. I've followed your instructions and will copy and paste the combofix log:

    ComboFix 12-12-07.01 - Marcus 08/12/2012 11:01:59.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2047.503 [GMT 0:00]
    Running from: c:\users\Marcus\Downloads\ComboFix.exe
    AV: Norton AntiVirus *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    SP: Norton AntiVirus *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    SP: Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\Complitly
    c:\program files\Complitly\chrome\ComplitlyChrome.crx
    c:\program files\Complitly\FireFoxExtension.exe
    c:\program files\Complitly\InstTracker.exe
    c:\program files\Complitly\support@Complitly.com\chrome.manifest
    c:\program files\Complitly\support@Complitly.com\chrome\content\appIcon.png
    c:\program files\Complitly\support@Complitly.com\chrome\content\browserOverlay.xul
    c:\program files\Complitly\support@Complitly.com\chrome\content\options.js
    c:\program files\Complitly\support@Complitly.com\chrome\content\options.xul
    c:\program files\Complitly\support@Complitly.com\chrome\content\utils.js
    c:\program files\Complitly\support@Complitly.com\defaults\preferences\predictad.js
    c:\program files\Complitly\support@Complitly.com\install.rdf
    c:\program files\Complitly\unins000.dat
    c:\program files\Complitly\unins000.exe
    c:\users\Marcus\AppData\Local\ficmijdg\nltysmms.exe
    c:\users\Marcus\AppData\Roaming\Rewire.dll
    c:\users\Marcus\AppData\Roaming\REX Shared Library.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_MICORSOFT_WINDOWS_SERVICE
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-11-08 to 2012-12-08 )))))))))))))))))))))))))))))))
    .
    .
    2012-12-08 11:20 . 2012-12-08 11:20 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
    2012-12-08 11:20 . 2012-12-08 11:20 -------- d-----w- c:\users\Public\AppData\Local\temp
    2012-12-08 11:20 . 2012-12-08 11:20 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
    2012-12-08 11:20 . 2012-12-08 11:20 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-12-08 10:55 . 2012-12-08 10:55 -------- d-----w- c:\program files\Common Files\Skype
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-12-04 13:47 . 2012-04-09 13:22 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-12-04 13:47 . 2011-06-17 12:46 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
    .
    [HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2012-01-03 16:31 1514152 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
    "OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2006-12-01 95800]
    "IHateThisKey"="c:\program files\ByteGems.com\I Hate This Key\IHateThisKey.exe" [2008-11-08 716800]
    "RegistryMechanic"="c:\program files\Registry Mechanic\RMTray.exe" [2008-07-03 812952]
    "ManyCam"="c:\program files\ManyCam 2.4\ManyCam.exe" [2010-03-03 1824040]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]
    "BitTorrent DNA"="c:\users\Marcus\Program Files\DNA\btdna.exe" [2011-12-27 342848]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CCUTRAYICON"="FactoryMode" [X]
    "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
    "KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
    "OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-03-01 4390912]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-06-27 185896]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-10-10 36352]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
    "RegKillElbyCheck"="c:\program files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2002-11-02 45056]
    "RegKillTray"="c:\program files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe" [2002-11-27 49152]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-04-04 981680]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-01-03 1391272]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
    .
    c:\users\Marcus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-17 113664]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-12-08 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 13:47]
    .
    2012-10-09 c:\windows\Tasks\ReclaimerResumeInstall_Marcus.job
    - c:\users\Marcus\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.20\agent\rnupgagent.exe [2012-10-01 18:24]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.babylon.com/?affID=111576&tt=050412_30b~171011_prot&babsrc=HP_ss&mntrId=d6db8b98000000000000001bfcdfb611
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    IE: Download with &Media Finder - c:\program files\Media Finder\hook.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
    TCP: Interfaces\{C292A6E2-AFFA-4AF4-9307-D9D5C99AAF8E}: DhcpNameServer = 208.67.220.220,208.67.222.222
    FF - ProfilePath - c:\users\Marcus\AppData\Roaming\Mozilla\Firefox\Profiles\i5auhz8l.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2801948&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine -
    FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?affID=111576&tt=050412_30b~171011_prot&babsrc=HP_ss&mntrId=d6db8b98000000000000001bfcdfb611
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: SearchInOneStep: {8771569D-6C8B-45B5-8D74-5A80DDDF668D} - c:\program files\Mozilla Firefox\extensions\{8771569D-6C8B-45B5-8D74-5A80DDDF668D}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    FF - user.js: extensions.BabylonToolbar_i.id - d6db8b98000000000000001bfcdfb611
    FF - user.js: extensions.BabylonToolbar_i.hardId - d6db8b98000000000000001bfcdfb611
    FF - user.js: extensions.BabylonToolbar_i.instlDay - 15439
    FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1714:32
    FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
    FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
    FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
    FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
    FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
    FF - user.js: extensions.BabylonToolbar_i.newTab - false
    FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=111576&tt=050412_30b~171011_prot
    FF - user.js: extensions.BabylonToolbar_i.babExt -
    FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
    FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-NltYsmms - c:\users\Marcus\AppData\Local\ficmijdg\nltysmms.exe
    AddRemove-Complitly_is1 - c:\program files\Complitly\unins000.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-12-08 11:30
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1589503311-819724082-689753091-1001\¬ î**]
    @Allowed: (Read) (RestrictedCode)
    "MachineID"=hex:98,8b,c0,2a,df,b6,11,00
    DUMPHIVE0.003 (REGF)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(3072)
    c:\program files\ByteGems.com\I Hate This Key\ihtkh.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\program files\NVIDIA Corporation\Display\NvXDSync.exe
    c:\program files\Microsoft\BingBar\BBSvc.EXE
    c:\program files\Microsoft\BingBar\SeaPort.EXE
    c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
    c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\RtHDVCpl.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
    c:\hp\kbd\kbd.exe
    c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
    .
    **************************************************************************
    .
    Completion time: 2012-12-08 11:41:40 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-12-08 11:41
    ComboFix2.txt 2011-12-15 23:05
    .
    Pre-Run: 63,909,015,552 bytes free
    Post-Run: 63,172,444,160 bytes free
    .
    - - End Of File - - 6114F177685C2C9F732AC04018C0AC5B

  5. #5
    Malware Team-Emeritus
    Join Date
    Sep 2012
    Location
    Florida, USA
    Posts
    1,161

    Hi marcus89,

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.
    Next
    • Download OTL to your desktop.
    • To run OTL, right-click it and select "Run as Administrator". Make sure all other windows are closed and let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.

    In your next post please provide the following:
    • JRT.txt
    • OTL.txt
    • Extras.txt
    • How is your computer running at the moment?
    OCD
    ----------
    Graduate of WTT Classroom
    Member of UNITE

    Threads will be closed if no response after 5 days

  6. #6
    Malware Team-Emeritus
    Join Date
    Sep 2012
    Location
    Florida, USA
    Posts
    1,161

    Hi marcus89,

    Just checking in to see if you still need help?
    OCD
    ----------
    Graduate of WTT Classroom
    Member of UNITE

    Threads will be closed if no response after 5 days

  7. #7
    Member
    Join Date
    Oct 2010
    Posts
    34

    Hi, sorry again for my late reply, here is the JRT log:

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 4.1.0 (12.12.2012:3)
    OS: Windows Vista (TM) Home Premium x86
    Ran by Marcus on 13/12/2012 at 13:25:16.63
    Blog: http://thisisudax.blogspot.com
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services



    ~~~ Registry Values

    Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\windows\currentversion\run\\apnupdater
    Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\urlsearchhooks\\{ef99bd32-c1fb-11d2-892f-0090271d4f88}
    Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\main\\Start Page
    Successfully repaired: [Registry Value] hkey_users\.default\software\microsoft\internet explorer\main\\Start Page
    Successfully repaired: [Registry Value] hkey_users\s-1-5-18\software\microsoft\internet explorer\main\\Start Page
    Successfully repaired: [Registry Value] hkey_users\s-1-5-19\software\microsoft\internet explorer\main\\Start Page
    Successfully repaired: [Registry Value] hkey_users\s-1-5-20\software\microsoft\internet explorer\main\\Start Page
    Successfully repaired: [Registry Value] hkey_users\S-1-5-21-1589503311-819724082-689753091-1001\software\microsoft\internet explorer\main\\Start Page
    Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_users\.default\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_users\s-1-5-18\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_users\s-1-5-19\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_users\s-1-5-20\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_users\S-1-5-21-1589503311-819724082-689753091-1001\software\microsoft\internet explorer\searchscopes\\DefaultScope
    Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\abouturls\\Tabs
    Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\urlsearchhooks\\{00000000-6e41-4fd3-8538-502f5495e5fc}
    Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{d4027c7f-154a-4066-a1ad-4243d8127440}
    Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{d4027c7f-154a-4066-a1ad-4243d8127440}



    ~~~ Registry Keys

    Successfully deleted: [Registry Key] "hkey_current_user\software\complitly"
    Successfully deleted: [Registry Key] "hkey_current_user\software\conduit"
    Successfully deleted: [Registry Key] "hkey_current_user\software\mediafinder"
    Successfully deleted: [Registry Key] "hkey_current_user\software\microsoft\internet explorer\menuext\download with &media finder"
    Successfully deleted: [Registry Key] "hkey_current_user\software\softonic"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\babylon"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\complitly.dll"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\dnu.exe"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\escort.dll"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\conduit.engine"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\dnupdate"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\dnupdater.downloaduibrowser"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\dnupdater.downloaduibrowser.1"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\dnupdater.downloadupdcontroller"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\dnupdater.downloadupdcontroller.1"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\gencrawler_gc.gencrawler"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\installer\features\a28b4d68debaa244eb686953b7074fef"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\installer\products\a28b4d68debaa244eb686953b7074fef"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\installer\upgradecodes\f928123a039649549966d4c29d35b1c9"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\mf"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\prod.cap"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\conduit"
    Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{0ecdf796-c2dc-4d79-a620-cce0c0a66cc9}
    Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{171debeb-c3d4-40b7-ac73-056a5eba4a7e}
    Successfully deleted: [Registry Key] hkey_classes_root\clsid\{2eecd738-5844-4a99-b4b6-146bf802613b}
    Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{443789b7-f39c-4b5c-9287-da72d38f4fe6}
    Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{443789b7-f39c-4b5c-9287-da72d38f4fe6}
    Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
    Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
    Successfully deleted: [Registry Key] hkey_classes_root\clsid\{e46c8196-b634-44a1-af6e-957c64278ab1}
    Successfully deleted: [Registry Key] hkey_classes_root\clsid\{ef99bd32-c1fb-11d2-892f-0090271d4f88}
    Successfully deleted: [Registry Key] hkey_classes_root\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}
    Successfully deleted: [Registry Key] hkey_classes_root\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}
    Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{d4027c7f-154a-4066-a1ad-4243d8127440}
    Successfully deleted: [Registry Key] "hkey_classes_root\genericasktoolbar.toolbarwnd"
    Successfully deleted: [Registry Key] "hkey_classes_root\genericasktoolbar.toolbarwnd.1"
    Successfully deleted: [Registry Key] "hkey_current_user\software\apn"
    Successfully deleted: [Registry Key] "hkey_current_user\software\appdatalow\software\asktoolbar"
    Successfully deleted: [Registry Key] "hkey_current_user\software\ask.com"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\apn"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\asktoolbar"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\classes\appid\genericasktoolbar.dll"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\0e12f736682067fde4d1158d5940a82e"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\1a24b5bb8521b03e0c8d908f5abc0ae6"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\261f213d1f55267499b1f87d0cc3bcf7"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\2b0d56c4f4c46d844a57ffed6f0d2852"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\49d4375fe41653242aea4c969e4e65e0"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\6aa0923513360135b272e8289c5f13fa"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\6f7467af8f29c134cbbab394eccfde96"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\741b4adf27276464790022c965ab6da8"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\7de196b10195f5647a2b21b761f3de01"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\922525dcc5199162f8935747ca3d8e59"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\9d4f5849367142e4685ed8c25e44c5ed"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\a5875b04372c19545beb90d4d606c472"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\a876d9e80b896ec44a8620248cc79296"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\b66ffab725b92594c986de826a867888"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\bcda179d619b91648538e3394cac94cc"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\d677b1a9671d4d4004f6f2a4469e86ea"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\dd1402a9dd4215a43abde169a41afa0e"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\e36e114a0ead2ad46b381d23ad69cddf"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\components\ef8e618db3aedfbb384561b5c548f65e"
    Successfully deleted: [Registry Key] "hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\s-1-5-18\products\a28b4d68debaa244eb686953b7074fef"



    ~~~ Files

    Successfully deleted: [File] "C:\Program Files\mozilla firefox\plugins\npdnu.dll"
    Successfully deleted: [File] "C:\Program Files\mozilla firefox\plugins\npdnu.xpt"
    Successfully deleted: [File] "C:\Program Files\mozilla firefox\plugins\npdnupdater2.dll"
    Successfully deleted: [File] "C:\Program Files\mozilla firefox\plugins\npdnupdater2.xpt"



    ~~~ Folders

    Successfully deleted: [Folder] "C:\ProgramData\babylon"
    Successfully deleted: [Folder] "C:\ProgramData\installmate"
    Successfully deleted: [Folder] "C:\ProgramData\premium"
    Successfully deleted: [Folder] "C:\ProgramData\viewpoint"
    Successfully deleted: [Folder] "C:\Users\Marcus\AppData\Roaming\babylon"
    Successfully deleted: [Folder] "C:\Users\Marcus\AppData\Roaming\complitly"
    Successfully deleted: [Folder] "C:\Users\Marcus\AppData\Roaming\media finder"
    Successfully deleted: [Folder] "C:\Users\Marcus\appdata\local\babylon"
    Successfully deleted: [Folder] "C:\Users\Marcus\appdata\local\speedapps"
    Successfully deleted: [Folder] "C:\Users\Marcus\appdata\locallow\babylontoolbar"
    Successfully deleted: [Folder] "C:\Users\Marcus\appdata\locallow\speedapps"
    Successfully deleted: [Folder] "C:\Program Files\Common Files\software update utility"
    Successfully deleted: [Folder] "C:\Users\Marcus\appdata\locallow\asktoolbar"
    Successfully deleted: [Folder] "C:\Program Files\ask.com"
    Successfully deleted: [Folder] "C:\Windows\installer\{86d4b82a-abed-442a-be86-96357b70f4fe}"



    ~~~ FireFox

    Successfully deleted: [File] C:\user.js
    Successfully deleted: [File] "C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml"
    Successfully deleted: [File] C:\Users\Marcus\AppData\Roaming\mozilla\firefox\profiles\i5auhz8l.default\user.js
    Successfully deleted: [File] C:\Users\Marcus\AppData\Roaming\mozilla\firefox\profiles\i5auhz8l.default\searchplugins\askcom.xml
    Successfully deleted: [File] C:\Users\Marcus\AppData\Roaming\mozilla\firefox\profiles\i5auhz8l.default\searchplugins\conduit.xml
    Successfully deleted: [Folder] C:\Users\Marcus\AppData\Roaming\mozilla\firefox\profiles\i5auhz8l.default\extensions\engine@conduit.com
    Successfully deleted the following from C:\Users\Marcus\AppData\Roaming\mozilla\firefox\profiles\i5auhz8l.default\prefs.js

    user_pref("CommunityToolbar.CantToolbarBeEngineOwner", "");
    user_pref("CommunityToolbar.ETag.http://Settings.toolbar.search.conduit.com/root/CT2790392/CT2790392", "\"02992a2cf51639933e67422a185fcf4c1\"");
    user_pref("CommunityToolbar.ETag.http://Settings.toolbar.search.conduit.com/root/CT2801948/CT2801948", "\"4b06e7159f6e9dd4b6a070ffb76b2f931\"");
    user_pref("CommunityToolbar.ETag.http://Translation.engine.conduit-se...&lut=5/12/2011 4:15:34 PM&locale=en-GB", "\"2554-3c64e4c0\"");
    user_pref("CommunityToolbar.ETag.http://alerts.conduit-services.com/root/1182482/1178159/UK", "\"0\"");
    user_pref("CommunityToolbar.ETag.http://alerts.conduit-services.com/root/1194029/1189706/UK", "\"0\"");
    user_pref("CommunityToolbar.ETag.http://alerts.conduit-services.com/root/909619/905414/UK", "\"0\"");
    user_pref("CommunityToolbar.ETag.http://appsmetadata.toolbar.conduit-services.com/?ctid=CT2790392", "\"1318881119\"");
    user_pref("CommunityToolbar.ETag.http://appsmetadata.toolbar.conduit-services.com/?ctid=CT2801948", "\"0\"");
    user_pref("CommunityToolbar.ETag.http://contextmenu.toolbar.conduit-services.com/?name=GottenApps&locale=en", "MUj9hNyEiPxkVQ8Q8IYZ6A==");
    user_pref("CommunityToolbar.ETag.http://contextmenu.toolbar.conduit-services.com/?name=GottenApps&locale=en-us", "L+tncv4eqt6Qm5T3dzChdA==");
    user_pref("CommunityToolbar.ETag.http://contextmenu.toolbar.conduit-services.com/?name=OtherApps&locale=en", "ZF/VZo7UyQBp8ghNNzhnSQ==");
    user_pref("CommunityToolbar.ETag.http://contextmenu.toolbar.conduit-services.com/?name=OtherApps&locale=en-us", "poKjTfHs0NrVUIalKI8jyg==");
    user_pref("CommunityToolbar.ETag.http://contextmenu.toolbar.conduit-services.com/?name=SharedApps&locale=en", "+RsYuZ9IN1smka6Zuggr5w==");
    user_pref("CommunityToolbar.ETag.http://contextmenu.toolbar.conduit-services.com/?name=SharedApps&locale=en-us", "QmycQXJXVyFVAzIiNllWhQ==");
    user_pref("CommunityToolbar.ETag.http://contextmenu.toolbar.conduit-services.com/?name=Toolbar&locale=en", "t6SQZ7j9WsBHhE8zC0kAEQ==");
    user_pref("CommunityToolbar.ETag.http://contextmenu.toolbar.conduit-services.com/?name=Toolbar&locale=en-us", "SuMy8xgBA7+FodOxmk9aiQ==");
    user_pref("CommunityToolbar.ETag.http://newtab.conduit-hosting.com/newtab/?ctid=CT2790392", "\"2554-3c64e4c0\"");
    user_pref("CommunityToolbar.ETag.http://newtab.conduit-hosting.com/newtab/?ctid=CT2801948", "\"2554-3c64e4c0\"");
    user_pref("CommunityToolbar.ETag.http://servicemap.conduit-services.com/toolbar/", "\"75babe825203d7a8eecb898dcf55bf17\"");
    user_pref("CommunityToolbar.ETag.http://settings.engine.conduit-services.com/?browser=FF&lut=0", "634285417620000000");
    user_pref("CommunityToolbar.ETag.http://settings.engine.conduit-servi...&lut=1/11/2011 5:25:10 PM", "634303635100000000");
    user_pref("CommunityToolbar.ETag.http://settings.engine.conduit-servi...lut=12/27/2010 12:43:05 PM", "634293235860000000");
    user_pref("CommunityToolbar.ETag.http://settings.engine.conduit-servi...lut=12/30/2010 4:33:06 PM", "634303635100000000");
    user_pref("CommunityToolbar.ETag.http://settings.engine.conduit-servi...&lut=2/17/2011 12:59:49 PM", "634339976460000000");
    user_pref("CommunityToolbar.ETag.http://settings.engine.conduit-servi...&lut=2/22/2011 6:54:06 PM", "634356118310000000");
    user_pref("CommunityToolbar.ETag.http://settings.engine.conduit-servi...&lut=3/13/2011 11:17:11 AM", "634356118310000000");
    user_pref("CommunityToolbar.ETag.http://settings.toolbar.conduit-services.com/?ctid=CT2790392&octid=CT2790392", "\"1321973041\"");
    user_pref("CommunityToolbar.ETag.http://settings.toolbar.conduit-services.com/?ctid=CT2801948&octid=CT2801948", "\"1321973107\"");
    user_pref("CommunityToolbar.ETag.http://settings.toolbar.search.conduit.com/root/CT2790392/CT2790392", "\"1311168866\"");
    user_pref("CommunityToolbar.ETag.http://settings.toolbar.search.conduit.com/root/CT2801948/CT2801948", "\"1311168850\"");
    user_pref("CommunityToolbar.ETag.http://storage.conduit.com/BankImages/RadioSkins/Tapuz/idel.gif", "\"802b1fef4e19c81:0\"");
    user_pref("CommunityToolbar.ETag.http://storage.conduit.com/BankImages/RadioSkins/Tapuz/minimize.gif", "\"802b1fef4e19c81:0\"");
    user_pref("CommunityToolbar.ETag.http://storage.conduit.com/BankImages/RadioSkins/Tapuz/play.gif", "\"802b1fef4e19c81:0\"");
    user_pref("CommunityToolbar.ETag.http://storage.conduit.com/BankImages/RadioSkins/Tapuz/stop.gif", "\"802b1fef4e19c81:0\"");
    user_pref("CommunityToolbar.ETag.http://storage.conduit.com/BankImages/RadioSkins/Tapuz/vol.gif", "\"802b1fef4e19c81:0\"");
    user_pref("CommunityToolbar.ETag.http://translation.toolbar.conduit-services.com/?locale=EB_LOCALE", "\"634351849102130000\"");
    user_pref("CommunityToolbar.ETag.http://translation.toolbar.conduit-services.com/?locale=en", "\"ced64c3c2c583b79e12b73d4f9b02d35\"");
    user_pref("CommunityToolbar.ETag.http://translation.toolbar.conduit-services.com/?locale=en-us", "\"7332ceccda78fecf0735910f5095f094\"");
    user_pref("CommunityToolbar.EngineOwner", "ConduitEngine");
    user_pref("CommunityToolbar.EngineOwnerGuid", "engine@conduit.com");
    user_pref("CommunityToolbar.EngineOwnerToolbarId", "conduitengine");
    user_pref("CommunityToolbar.IsMyStuffImportedToEngine", true);
    user_pref("CommunityToolbar.OriginalEngineOwner", "CT2790392");
    user_pref("CommunityToolbar.OriginalEngineOwnerGuid", "{88c7f2aa-f93f-432c-8f0e-b7d85967a527}");
    user_pref("CommunityToolbar.OriginalEngineOwnerToolbarId", "bittorrentbar");
    user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "chrome://browser-region/locale/region.properties");
    user_pref("CommunityToolbar.ToolbarsList", "ConduitEngine");
    user_pref("CommunityToolbar.ToolbarsList2", "ConduitEngine");
    user_pref("CommunityToolbar.alert.alertInfoInterval", 1440);
    user_pref("CommunityToolbar.alert.alertInfoLastCheckTime", "Sat Dec 08 2012 11:46:43 GMT+0000 (GMT Standard Time)");
    user_pref("CommunityToolbar.alert.clientsServerUrl", "http://alert.client.conduit.com");
    user_pref("CommunityToolbar.alert.locale", "en");
    user_pref("CommunityToolbar.alert.loginIntervalMin", 1440);
    user_pref("CommunityToolbar.alert.loginLastCheckTime", "Sat Dec 08 2012 11:46:43 GMT+0000 (GMT Standard Time)");
    user_pref("CommunityToolbar.alert.loginLastUpdateTime", "1313487611");
    user_pref("CommunityToolbar.alert.messageShowTimeSec", 20);
    user_pref("CommunityToolbar.alert.servicesServerUrl", "http://alert.services.conduit.com");
    user_pref("CommunityToolbar.alert.showTrayIcon", false);
    user_pref("CommunityToolbar.alert.userCloseIntervalMin", 300);
    user_pref("CommunityToolbar.alert.userId", "f211d5b2-d336-4725-a62c-2a2adfd7f340");
    user_pref("CommunityToolbar.facebook.settingsLastCheckTime", "Mon Apr 09 2012 14:23:38 GMT+0100 (GMT Daylight Time)");
    user_pref("CommunityToolbar.keywordURLSelectedCTID", "CT2801948");
    user_pref("ConduitEngine.CTID", "ConduitEngine");
    user_pref("ConduitEngine.FirstServerDate", "12/27/2010 18");
    user_pref("ConduitEngine.FirstTime", true);
    user_pref("ConduitEngine.FirstTimeFF3", true);
    user_pref("ConduitEngine.FixPageNotFoundErrors", false);
    user_pref("ConduitEngine.HasUserGlobalKeys", true);
    user_pref("ConduitEngine.HideEngineAfterRestart", false);
    user_pref("ConduitEngine.Initialize", true);
    user_pref("ConduitEngine.InitializeCommonPrefs", true);
    user_pref("ConduitEngine.InstallationType", "UnknownIntegration");
    user_pref("ConduitEngine.InstalledDate", "Mon Dec 27 2010 15:29:11 GMT+0000 (GMT Standard Time)");
    user_pref("ConduitEngine.IsMulticommunity", false);
    user_pref("ConduitEngine.IsOpenThankYouPage", false);
    user_pref("ConduitEngine.IsOpenUninstallPage", false);
    user_pref("ConduitEngine.LanguagePackLastCheckTime", "Mon Apr 09 2012 14:23:40 GMT+0100 (GMT Daylight Time)");
    user_pref("ConduitEngine.LastLogin_3.2.3.3", "Tue Feb 08 2011 20:09:39 GMT+0000 (GMT Standard Time)");
    user_pref("ConduitEngine.LastLogin_3.2.5.2", "Mon Apr 09 2012 14:23:40 GMT+0100 (GMT Daylight Time)");
    user_pref("ConduitEngine.PublisherContainerWidth", 0);
    user_pref("ConduitEngine.SavedHomepage", "www.google.com");
    user_pref("ConduitEngine.SearchFromAddressBarIsInit", true);
    user_pref("ConduitEngine.SearchFromAddressBarUrl", "http://search.conduit.com/ResultsExt.aspx?ctid=CTXXXX&q=");
    user_pref("ConduitEngine.SettingsLastCheckTime", "Mon Apr 09 2012 14:23:40 GMT+0100 (GMT Daylight Time)");
    user_pref("ConduitEngine.UserID", "UN28780611490878959");
    user_pref("ConduitEngine.engineLocale", "en-GB");
    user_pref("ConduitEngine.enngineContextMenuLastCheckTime", "Mon Apr 09 2012 14:23:40 GMT+0100 (GMT Daylight Time)");
    user_pref("ConduitEngine.initDone", true);
    user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
    user_pref("browser.search.defaultengine", "Ask.com");
    user_pref("browser.search.defaultenginename", "Search the web (Babylon)");
    user_pref("browser.search.defaultthis.engineName", "NCH EN Customized Web Search");
    user_pref("browser.search.defaulturl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT2801948&SearchSource=3&q={searchTerms}");
    user_pref("browser.search.order.1", "Search the web (Babylon)");
    user_pref("browser.startup.homepage", "http://search.babylon.com/?affID=111576&tt=050412_30b~171011_prot&babsrc=HP_ss&mntrId=d6db8b98000000000000001bfcdfb611");
    user_pref("extensions.BabylonToolbar.admin", false);
    user_pref("extensions.BabylonToolbar.aflt", "babsst");
    user_pref("extensions.BabylonToolbar.babExt", "");
    user_pref("extensions.BabylonToolbar.babTrack", "affID=111576&tt=050412_30b~171011_prot");
    user_pref("extensions.BabylonToolbar.bbDpng", 9);
    user_pref("extensions.BabylonToolbar.dfltLng", "en");
    user_pref("extensions.BabylonToolbar.dfltSrch", true);
    user_pref("extensions.BabylonToolbar.hmpg", true);
    user_pref("extensions.BabylonToolbar.id", "d6db8b98000000000000001bfcdfb611");
    user_pref("extensions.BabylonToolbar.instlDay", "15439");
    user_pref("extensions.BabylonToolbar.instlRef", "sst");
    user_pref("extensions.BabylonToolbar.keyWordUrl", "http://search.babylon.com/?affID=111576&tt=050412_30b~171011_prot&babsrc=KW_ss&mntrId=d6db8b98000000000000001bfcdfb611&q=");
    user_pref("extensions.BabylonToolbar.lastDP", 9);
    user_pref("extensions.BabylonToolbar.lastVrsnTs", "1.5.3.1714:32:18");
    user_pref("extensions.BabylonToolbar.mntrFFxVrsn", "3.0");
    user_pref("extensions.BabylonToolbar.newTab", false);
    user_pref("extensions.BabylonToolbar.newTabUrl", "http://search.babylon.com/?affID=111576&tt=050412_30b~171011_prot&babsrc=NT_ss&mntrId=d6db8b98000000000000001bfcdfb611");
    user_pref("extensions.BabylonToolbar.noFFXTlbr", false);
    user_pref("extensions.BabylonToolbar.prdct", "BabylonToolbar");
    user_pref("extensions.BabylonToolbar.propectorlck", 72541320);
    user_pref("extensions.BabylonToolbar.prtkDS", 1);
    user_pref("extensions.BabylonToolbar.prtkHmpg", 1);
    user_pref("extensions.BabylonToolbar.prtnrId", "babylon");
    user_pref("extensions.BabylonToolbar.ptch_0717", true);
    user_pref("extensions.BabylonToolbar.smplGrp", "none");
    user_pref("extensions.BabylonToolbar.srcExt", "ss");
    user_pref("extensions.BabylonToolbar.tlbrId", "base");
    user_pref("extensions.BabylonToolbar.vrsn", "1.5.3.17");
    user_pref("extensions.BabylonToolbar.vrsnTs", "1.5.3.1714:32:18");
    user_pref("extensions.BabylonToolbar.vrsni", "1.5.3.17");
    user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
    user_pref("extensions.BabylonToolbar_i.babExt", "");
    user_pref("extensions.BabylonToolbar_i.babTrack", "affID=111576&tt=050412_30b~171011_prot");
    user_pref("extensions.BabylonToolbar_i.hardId", "d6db8b98000000000000001bfcdfb611");
    user_pref("extensions.BabylonToolbar_i.id", "d6db8b98000000000000001bfcdfb611");
    user_pref("extensions.BabylonToolbar_i.instlDay", "15439");
    user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
    user_pref("extensions.BabylonToolbar_i.newTab", false);
    user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
    user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
    user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
    user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
    user_pref("extensions.BabylonToolbar_i.tlbrId", "base");
    user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
    user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1714:32:18");
    user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");
    user_pref("extensions.asktb.InstallDir", "C:\\Program Files\\Ask.com\\");
    user_pref("extensions.asktb.abar-war-timeout", "4000");
    user_pref("extensions.asktb.apn_dbr", "ff_3.0.19");
    user_pref("extensions.asktb.autofill-competitor-query-enabled", true);
    user_pref("extensions.asktb.autofill-text-highlight-enabled", true);
    user_pref("extensions.asktb.cbid", "9D");
    user_pref("extensions.asktb.config-updated", true);
    user_pref("extensions.asktb.crumb", "2011.12.08+11.42.41-toolbar008iad-GB-TG9uZG9uLFVuaXRlZCBLaW5nZG9t");
    user_pref("extensions.asktb.default-channel-url-mask", "http://uk.ask.com/web?qsrc={qsrc}&o={o}&l={l}&q={query}&dm=all&gct=bar");
    user_pref("extensions.asktb.displaybehavior", "");
    user_pref("extensions.asktb.displaytext", "");
    user_pref("extensions.asktb.dtid", "YYYYYYYYGB");
    user_pref("extensions.asktb.dyn-weather-do-locid-lookup-weatherWidget", false);
    user_pref("extensions.asktb.dyn-weather-locid-weatherWidget", "UKXX0085");
    user_pref("extensions.asktb.dyn-weather-tempunit-weatherWidget", "C");
    user_pref("extensions.asktb.ff-original-keyword-url", "chrome://browser-region/locale/region.properties");
    user_pref("extensions.asktb.first-launch-url", "http://go.microsoft.com/fwlink/?LinkId=54729");
    user_pref("extensions.asktb.fresh-install", false);
    user_pref("extensions.asktb.guid", "0E65DD15-E42A-49C2-8C22-D65774416CB3");
    user_pref("extensions.asktb.hpr", "YES");
    user_pref("extensions.asktb.http-header-whitelist-hosts", "[\"static-dev.en.dev.ask.com\", \"ask.com\", \"www.facebook.com\", \"www.playsushi.com\", \"WWW.google.com\", \"http
    user_pref("extensions.asktb.if", "first");
    user_pref("extensions.asktb.l", "dis");
    user_pref("extensions.asktb.last-config-req", "1333977815784");
    user_pref("extensions.asktb.last-v", "3.14.0.100009");
    user_pref("extensions.asktb.locale", "en_UK");
    user_pref("extensions.asktb.location", "London,United Kingdom");
    user_pref("extensions.asktb.lstation", "");
    user_pref("extensions.asktb.new-tab-enabled", true);
    user_pref("extensions.asktb.news-native-on", true);
    user_pref("extensions.asktb.o", "41648107");
    user_pref("extensions.asktb.overlay-reloaded-using-restart", true);
    user_pref("extensions.asktb.pstate", "");
    user_pref("extensions.asktb.qsrc", "2871");
    user_pref("extensions.asktb.r", "5");
    user_pref("extensions.asktb.sa", "YES");
    user_pref("extensions.asktb.saguid", "5C1275F6-A498-49EA-A05C-C73F5EFD2463");
    user_pref("extensions.asktb.search-plugin-suggestions-url", "http://ss.websearch.uk.ask.com/query?qsrc=2922&li=ff&sstype=prefix&q={searchTerms}");
    user_pref("extensions.asktb.search-suggestions-enabled", true);
    user_pref("extensions.asktb.silent-upgrade", true);
    user_pref("extensions.asktb.silent-upgrade-from-pre-newtabs-build", false);
    user_pref("extensions.asktb.socialmini-first", true);
    user_pref("extensions.asktb.socialmini-interval", "1200000");
    user_pref("extensions.asktb.socialmini-max-char-ticker", "33");
    user_pref("extensions.asktb.socialmini-max-items", "30");
    user_pref("extensions.asktb.socialmini-native-on", true);
    user_pref("extensions.asktb.socialmini-speed", "10000");
    user_pref("extensions.asktb.socialmini-transition-first-open", false);
    user_pref("extensions.asktb.themeid", "");
    user_pref("extensions.asktb.timeinstalled", "08/12/2011 19:43:07");
    user_pref("extensions.asktb.to", "");
    user_pref("extensions.asktb.v", "3.14.1.100010");
    user_pref("extensions.asktb.volume", "");
    user_pref("extensions.enabledItems", "engine@conduit.com:3.2.3.3,gencrawler@some.com:2.0,{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22,{20a82645-c095-46ed-80e3-08825760534b}:1
    user_pref("keyword.URL", "http://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&q=");



    ~~~ Event Viewer Logs were cleared





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on 13/12/2012 at 13:30:06.72
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    And the OTL log:

    OTL logfile created on: 13/12/2012 13:32:50 - Run 3
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Marcus\Downloads
    Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.19088)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    2.00 Gb Total Physical Memory | 0.63 Gb Available Physical Memory | 31.60% Memory free
    4.24 Gb Paging File | 2.88 Gb Available in Paging File | 68.07% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 290.20 Gb Total Space | 58.17 Gb Free Space | 20.04% Space Free | Partition Type: NTFS
    Drive D: | 7.89 Gb Total Space | 1.04 Gb Free Space | 13.15% Space Free | Partition Type: NTFS
    Drive E: | 0.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: MARCUS-PC | User Name: Marcus | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - C:\Users\Marcus\Downloads\OTL(2).exe (OldTimer Tools)
    PRC - C:\Users\Marcus\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
    PRC - C:\Program Files\Microsoft\BingBar\BBSvc.EXE (Microsoft Corporation.)
    PRC - C:\Program Files\Microsoft\BingBar\SeaPort.EXE (Microsoft Corporation)
    PRC - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (NVIDIA Corporation)
    PRC - C:\Program Files\NVIDIA Corporation\Display\nvtray.exe (NVIDIA Corporation)
    PRC - C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe (NVIDIA Corporation)
    PRC - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
    PRC - C:\Program Files\Common Files\Java\Java Update\jucheck.exe (Sun Microsystems, Inc.)
    PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
    PRC - C:\Program Files\ManyCam 2.4\ManyCam.exe (ManyCam LLC)
    PRC - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe (Threat Expert Ltd.)
    PRC - C:\Program Files\ByteGems.com\I Hate This Key\IHateThisKey.exe (ByteGems.com Software)
    PRC - C:\Windows\explorer.exe (Microsoft Corporation)
    PRC - C:\Program Files\Registry Mechanic\RMTray.exe (PC Tools)
    PRC - C:\Program Files\Winamp\winampa.exe ()
    PRC - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)
    PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
    PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
    PRC - C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe (OsdMaestro)
    PRC - C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe (OLYMPUS IMAGING CORP.)
    PRC - C:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)
    PRC - C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe (Elaborate Bytes)


    ========== Modules (No Company Name) ==========

    MOD - C:\Program Files\ManyCam 2.4\ImageLayer.dll ()
    MOD - C:\Program Files\ManyCam 2.4\VideoSrc.ax ()
    MOD - C:\Program Files\ManyCam 2.4\InputFilter.ax ()
    MOD - C:\Program Files\ManyCam 2.4\CrashRpt.dll ()
    MOD - C:\Program Files\ByteGems.com\I Hate This Key\ihtkh.dll ()
    MOD - C:\Program Files\ManyCam 2.4\zlib.dll ()
    MOD - C:\Program Files\ManyCam 2.4\cyltracker08.dll ()
    MOD - C:\Program Files\Winamp\winampa.exe ()


    ========== Services (SafeList) ==========

    SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
    SRV - (SkypeUpdate) -- C:\Program Files\Skype\Updater\Updater.exe (Skype Technologies)
    SRV - (BBSvc) -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE (Microsoft Corporation.)
    SRV - (BBUpdate) -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE (Microsoft Corporation)
    SRV - (nvUpdatusService) -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe (NVIDIA Corporation)
    SRV - (Stereo Service) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
    SRV - (Browser Defender Update Service) -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe (Threat Expert Ltd.)
    SRV - (sdCoreService) -- C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools)
    SRV - (sdAuxService) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe (PC Tools)
    SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
    SRV - (PSI_SVC_2) -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)
    SRV - (Remote UI Service) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe (Intel(R) Corporation)
    SRV - (MCLServiceATL) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe (Intel(R) Corporation)
    SRV - (ISSM) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\issm.exe (Intel(R) Corporation)
    SRV - (AlertService) -- C:\Program Files\Intel\IntelDH\CCU\AlertService.exe (Intel(R) Corporation)
    SRV - (DQLWinService) -- C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe ()
    SRV - (M1 Server) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe ()
    SRV - (IntelDHSvcConf) -- C:\Program Files\Intel\IntelDH\Intel Media Server\tools\IntelDHSvcConf.exe (Intel(R) Corporation)


    ========== Driver Services (SafeList) ==========

    DRV - (SYMTDIv) -- File not found
    DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found
    DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found
    DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found
    DRV - (catchme) -- C:\ComboFix\catchme.sys File not found
    DRV - (blbdrive) -- C:\Windows\system32\drivers\blbdrive.sys File not found
    DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
    DRV - (athur) -- C:\Windows\System32\drivers\athur.sys (Atheros Communications, Inc.)
    DRV - (MBAMSwissArmy) -- C:\Windows\System32\drivers\mbamswissarmy.sys (Malwarebytes Corporation)
    DRV - (Revoflt) -- C:\Windows\System32\drivers\revoflt.sys (VS Revo Group)
    DRV - (PCTCore) -- C:\Windows\System32\drivers\PCTCore.sys (PC Tools)
    DRV - (pavboot) -- C:\Windows\System32\drivers\pavboot.sys (Panda Security, S.L.)
    DRV - (ISODrive) -- C:\Program Files\UltraISO\drivers\ISODrive.sys (EZB Systems, Inc.)
    DRV - (sptd) -- C:\Windows\System32\drivers\sptd.sys (Duplex Secure Ltd.)
    DRV - (USB_RNDIS) -- C:\Windows\System32\drivers\usb8023.sys (Microsoft Corporation)
    DRV - (ManyCam) -- C:\Windows\System32\drivers\ManyCam.sys (ManyCam LLC.)
    DRV - (e1express) -- C:\Windows\System32\drivers\e1e6032.sys (Intel Corporation)
    DRV - (Ps2) -- C:\Windows\System32\drivers\PS2.sys (Hewlett-Packard Company)
    DRV - (CEUSBAUD) -- C:\Windows\System32\drivers\ceusbaud.sys (CEntrance, Inc.)
    DRV - (RegKill) -- C:\Windows\System32\drivers\RegKill.sys (Elaborate Bytes)
    DRV - (DfuUsb) -- C:\Windows\System32\drivers\DFUUsb.sys (Texas Instruments)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    IE - HKLM\..\SearchScopes,DefaultScope = {0633ee93-d776-472f-a0ff-e1416b8b2e3a}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKCU\..\SearchScopes,DefaultScope = {0633ee93-d776-472f-a0ff-e1416b8b2e3a}
    IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?FORM=IEFM1&q={searchTerms}
    IE - HKCU\..\SearchScopes\{5B291E6C-9A74-4034-971B-A4B007A0B315}: "URL" = http://playbox.toolbarhome.com/search.aspx?q={searchTerms}&srch=dsp
    IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7HPEA_en-GB
    IE - HKCU\..\SearchScopes\{9F7C261E-CA8A-4667-8904-2F99F0A06BE3}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    IE - HKCU\..\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB9}: "URL" = http://www.daemon-search.com/search?q={searchTerms}
    IE - HKCU\..\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}: "URL" = http://toolbar.ask.com/toolbarv/askRedirect?gct=&gc=1&q={searchTerms}&crm=1&toolbar=BLP
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.param.yahoo-fr: "moz2-ytff-"
    FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "moz2-ytff-"
    FF - prefs.js..browser.search.selectedEngine: ""
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..extensions.enabledItems: gencrawler@some.com:2.0
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..extensions.enabledItems: {8771569D-6C8B-45B5-8D74-5A80DDDF668D}:1.0
    FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:5.2.0.7165
    FF - user.js - File not found

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_4_402_287.dll ()
    FF - HKLM\Software\MozillaPlugins\@bittorrent.com/BitTorrentDNA: C:\Users\Marcus\Program Files\DNA\plugins\npbtdna.dll (BitTorrent, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@mcafee.com/MVT: C:\Program Files\McAfee\Supportability\MVT\NPMVTPlugin.dll File not found
    FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.3: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
    FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
    FF - HKLM\Software\MozillaPlugins\@pandasecurity.com/activescan: C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll (Panda Security, S.L.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2571: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.2629: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1739: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/17 17:29:00 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/12/13 13:25:38 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{1C530A94-FB03-4325-9678-3898A46EC5CF}: C:\Users\Marcus\AppData\Local\{1C530A94-FB03-4325-9678-3898A46EC5CF}

    [2008/11/02 09:15:45 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Marcus\AppData\Roaming\mozilla\Extensions
    [2012/12/13 13:30:41 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Marcus\AppData\Roaming\mozilla\Firefox\Profiles\i5auhz8l.default\extensions
    [2010/09/11 21:56:51 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Marcus\AppData\Roaming\mozilla\Firefox\Profiles\i5auhz8l.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2012/04/09 13:26:46 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Marcus\AppData\Roaming\mozilla\Firefox\Profiles\i5auhz8l.default\extensions\staged
    [2012/03/17 15:41:38 | 000,021,906 | ---- | M] () (No name found) -- C:\Users\Marcus\AppData\Roaming\mozilla\firefox\profiles\i5auhz8l.default\extensions\staged\coupons@chilicoupon.com.xpi
    [2009/02/21 16:12:16 | 000,001,632 | ---- | M] () -- C:\Users\Marcus\AppData\Roaming\mozilla\firefox\profiles\i5auhz8l.default\searchplugins\live-search.xml
    [2012/04/09 14:21:17 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2009/01/22 21:17:41 | 000,000,000 | ---D | M] (SearchInOneStep) -- C:\Program Files\Mozilla Firefox\extensions\{8771569D-6C8B-45B5-8D74-5A80DDDF668D}
    [2011/12/08 21:26:10 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    [2010/10/21 12:41:56 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    [2011/12/15 18:19:32 | 000,000,000 | ---D | M] (General Crawler) -- C:\USERS\MARCUS\APPDATA\ROAMING\MOZILLA\EXTENSIONS\{EC8030F7-C20A-464F-9B0E-13A3A9E97384}\GENCRAWLER@SOME.COM
    [2008/09/04 00:11:24 | 000,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\mozilla firefox\plugins\npbittorrent.dll
    [2010/10/21 12:41:28 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    [2009/11/18 16:18:58 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
    [2009/11/18 16:18:58 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
    [2009/11/18 16:18:58 | 000,000,759 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
    [2009/01/22 11:50:44 | 000,002,420 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\searchin1172.xml
    [2009/11/18 16:18:58 | 000,000,831 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

    ========== Chrome ==========

    CHR - homepage: http://www.google.com/

    O1 HOSTS File: ([2012/12/08 11:30:43 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
    O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\17.0.0.136\IPSBHO.dll (Symantec Corporation)
    O2 - BHO: (Help the General-Search Project) - {CA4520F3-AE13-4FB1-A513-58E23991C86D} - C:\Users\Marcus\AppData\Roaming\MEDIAF~1\EXTENS~1\GENCRA~1.DLL File not found
    O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
    O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
    O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
    O4 - HKLM..\Run: [CCUTRAYICON] FactoryMode File not found
    O4 - HKLM..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)
    O4 - HKLM..\Run: [KBD] C:\hp\KBD\KbdStub.exe ()
    O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
    O4 - HKLM..\Run: [OsdMaestro] C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe (OsdMaestro)
    O4 - HKLM..\Run: [RegKillElbyCheck] C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe (Elaborate Bytes AG)
    O4 - HKLM..\Run: [RegKillTray] C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe (Elaborate Bytes)
    O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
    O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
    O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
    O4 - HKCU..\Run: [BitTorrent DNA] C:\Users\Marcus\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
    O4 - HKCU..\Run: [IHateThisKey] C:\Program Files\ByteGems.com\I Hate This Key\IHateThisKey.exe (ByteGems.com Software)
    O4 - HKCU..\Run: [ManyCam] C:\Program Files\ManyCam 2.4\ManyCam.exe (ManyCam LLC)
    O4 - HKCU..\Run: [OM2_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe (OLYMPUS IMAGING CORP.)
    O4 - HKCU..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RMTray.exe (PC Tools)
    O4 - HKCU..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
    O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
    O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
    O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} http://www.kaspersky.com/kos/english...an_unicode.cab (CKAVWebScan Object)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downlo...eckControl.cab (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} http://www.linkedin.com/cab/LinkedIn...derControl.cab (LinkedIn ContactFinderControl)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/ge...sh/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 192.168.1.254
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{19AB887A-494A-4D58-A9B3-3D97A38222AC}: DhcpNameServer = 192.168.1.254 192.168.1.254
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{47C31F12-7350-4B4A-B5B0-533A22C18501}: DhcpNameServer = 192.168.1.254
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C292A6E2-AFFA-4AF4-9307-D9D5C99AAF8E}: DhcpNameServer = 208.67.220.220,208.67.222.222
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Users\Marcus\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
    O24 - Desktop BackupWallPaper: C:\Users\Marcus\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2007/06/27 22:42:23 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKCU\...com [@ = ComFile] -- Reg Error: Key error. File not found
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/12/13 13:25:10 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
    [2012/12/13 13:24:43 | 000,000,000 | ---D | C] -- C:\JRT
    [2012/12/08 11:41:43 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012/12/08 11:30:46 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
    [2012/12/08 10:55:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
    [2012/12/08 10:55:22 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
    [2012/12/04 13:11:00 | 004,732,416 | ---- | C] (AVAST Software) -- C:\Users\Marcus\Desktop\aswMBR.exe
    [2012/12/04 12:58:12 | 000,688,992 | R--- | C] (Swearware) -- C:\Users\Marcus\Desktop\dds.scr

    ========== Files - Modified Within 30 Days ==========

    [2012/12/13 13:28:38 | 000,607,600 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012/12/13 13:28:37 | 000,107,478 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012/12/13 13:28:11 | 000,002,708 | ---- | M] () -- C:\Users\Marcus\AppData\Local\d3d9caps.dat
    [2012/12/13 13:24:30 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/12/13 13:24:30 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/12/13 13:21:30 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/12/13 13:21:25 | 2144,673,792 | -HS- | M] () -- C:\hiberfil.sys
    [2012/12/08 11:47:01 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2012/12/08 11:30:43 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2012/12/08 10:55:23 | 000,001,878 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
    [2012/12/08 10:46:10 | 000,000,138 | ---- | M] () -- C:\Users\Marcus\defogger_reenable
    [2012/12/04 14:39:11 | 000,000,210 | ---- | M] () -- C:\Users\Marcus\Desktop\Search Babylon redirect plus slow PC - Safer-Networking Forums.url
    [2012/12/04 14:34:17 | 000,000,512 | ---- | M] () -- C:\Users\Marcus\Desktop\MBR.dat
    [2012/12/04 13:47:23 | 000,696,760 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
    [2012/12/04 13:47:23 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
    [2012/12/04 13:31:08 | 000,605,098 | ---- | M] () -- C:\Users\Marcus\Desktop\Porcine Aviation riff.WAV
    [2012/12/04 13:11:03 | 004,732,416 | ---- | M] (AVAST Software) -- C:\Users\Marcus\Desktop\aswMBR.exe
    [2012/12/04 12:58:19 | 000,688,992 | R--- | M] (Swearware) -- C:\Users\Marcus\Desktop\dds.scr

    ========== Files Created - No Company Name ==========

    [2012/12/08 10:46:08 | 000,000,138 | ---- | C] () -- C:\Users\Marcus\defogger_reenable
    [2012/12/04 14:39:11 | 000,000,210 | ---- | C] () -- C:\Users\Marcus\Desktop\Search Babylon redirect plus slow PC - Safer-Networking Forums.url
    [2012/12/04 14:34:17 | 000,000,512 | ---- | C] () -- C:\Users\Marcus\Desktop\MBR.dat
    [2012/12/04 13:31:08 | 000,605,098 | ---- | C] () -- C:\Users\Marcus\Desktop\Porcine Aviation riff.WAV
    [2011/12/15 22:34:30 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2011/12/15 22:34:30 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2011/12/15 22:34:30 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2011/12/15 22:34:30 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2011/12/15 22:34:30 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2011/05/26 14:27:32 | 000,000,552 | ---- | C] () -- C:\Users\Marcus\AppData\Local\d3d8caps.dat
    [2011/03/21 15:12:25 | 000,002,708 | ---- | C] () -- C:\Users\Marcus\AppData\Local\d3d9caps.dat
    [2010/05/25 14:28:53 | 000,000,000 | ---- | C] () -- C:\Users\Marcus\AppData\Local\Ltomariv.bin
    [2010/05/25 14:28:51 | 000,000,120 | ---- | C] () -- C:\Users\Marcus\AppData\Local\Usejadiruvup.dat
    [2010/05/25 14:26:44 | 000,000,016 | ---- | C] () -- C:\Users\Marcus\AppData\Roaming\vqdlkr.dat
    [2010/03/29 22:23:44 | 000,000,982 | -HS- | C] () -- C:\Users\Marcus\AppData\Local\nSVDb4q65iE
    [2010/03/23 22:46:13 | 000,010,402 | -HS- | C] () -- C:\Users\Marcus\AppData\Local\20xYJkS83BHk4
    [2010/03/23 22:46:13 | 000,010,402 | -HS- | C] () -- C:\ProgramData\20xYJkS83BHk4
    [2010/01/01 17:16:57 | 000,000,608 | -H-- | C] () -- C:\ProgramData\T2
    [2010/01/01 17:16:57 | 000,000,604 | -H-- | C] () -- C:\Program Files\STLL Notifier
    [2008/09/29 19:05:22 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
    [2008/05/13 19:36:54 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
    [2008/05/13 09:35:45 | 000,109,852 | ---- | C] () -- C:\ProgramData\BMd5e8b8ab.xml
    [2008/05/13 09:35:45 | 000,000,022 | ---- | C] () -- C:\ProgramData\pskt.ini
    [2007/11/01 19:14:52 | 000,012,308 | ---- | C] () -- C:\ProgramData\LUUnInstall.LiveUpdate
    [2007/08/27 12:22:59 | 000,053,760 | ---- | C] () -- C:\Users\Marcus\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    ========== ZeroAccess Check ==========

    [2006/11/02 12:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shell32.dll -- [2011/01/21 15:46:32 | 011,582,464 | ---- | M] (Microsoft Corporation)

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shell32.dll -- [2011/01/21 15:46:32 | 011,582,464 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = %systemroot%\system32\wbem\fastprox.dll -- [2009/03/03 04:36:24 | 000,615,424 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
    "" = %systemroot%\system32\wbem\wbemess.dll -- [2008/01/19 07:36:49 | 000,347,648 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    ========== LOP Check ==========

    [2008/07/13 16:24:02 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\Ableton
    [2007/10/16 18:34:51 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\acccore
    [2011/07/10 19:22:58 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\Antares
    [2011/11/28 01:23:47 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\BitTorrent
    [2008/03/13 08:42:08 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\BitTorrent DNA
    [2010/12/27 19:50:13 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\CheeseSoft
    [2012/04/09 13:26:53 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\ChiliCoupon
    [2012/07/09 07:50:17 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\DAEMON Tools
    [2012/12/13 13:53:21 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\DNA
    [2007/12/20 16:16:05 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\Grisoft
    [2012/04/09 13:26:47 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\IE ChiliCoupon
    [2010/04/17 18:52:05 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\ImgBurn
    [2010/05/03 10:27:49 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\ManyCam
    [2011/02/08 20:53:33 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\NCH Swift Sound
    [2011/01/26 22:58:24 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\Neuratron
    [2008/05/13 09:42:40 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\Propellerhead Software
    [2007/11/29 19:20:04 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\RhythmRascal
    [2008/09/14 14:52:28 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\SecondLife
    [2012/05/20 16:07:49 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\Spotify
    [2010/03/17 20:10:27 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\Steinberg
    [2012/01/07 19:53:31 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\Synthesia
    [2011/05/26 14:27:24 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\SystemRequirementsLab
    [2012/01/14 15:39:17 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\Thinstall
    [2009/04/07 15:03:33 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\uTorrent
    [2008/03/04 11:41:21 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\WinBatch

    ========== Purity Check ==========



    ========== Files - Unicode (All) ==========
    [2012/04/29 20:40:25 | 000,010,222 | ---- | M] ()(C:\Users\Marcus\Documents\?????????? ???????????? ?????????????????????????? ?????????.docx) -- C:\Users\Marcus\Documents\ส็็็็็็็็็ ส็็็็ส็็็็็็ ส็็็็็็็็็็็็็็็็็็็็็็็็็ ส็็็็็็็็.docx
    [2012/04/29 20:40:21 | 000,010,222 | ---- | C] ()(C:\Users\Marcus\Documents\?????????? ???????????? ?????????????????????????? ?????????.docx) -- C:\Users\Marcus\Documents\ส็็็็็็็็็ ส็็็็ส็็็็็็ ส็็็็็็็็็็็็็็็็็็็็็็็็็ ส็็็็็็็็.docx
    [2009/08/18 19:24:32 | 000,009,981 | ---- | M] ()(C:\Users\Marcus\Documents\Ko?n.docx) -- C:\Users\Marcus\Documents\KoЯn.docx
    [2009/08/18 19:24:31 | 000,009,981 | ---- | C] ()(C:\Users\Marcus\Documents\Ko?n.docx) -- C:\Users\Marcus\Documents\KoЯn.docx

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 177 bytes -> C:\ProgramData\TEMP:DFC5A2B2
    @Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:D1B5B4F1

    < End of report >

    I'm afraid I couldn't find the extras text. I had a look in my C drive and downloads folder but there isn't an OTL folder. The OTL.txt came up automatically and seems to be saved in my download folder, but no extras.txt.

  8. #8
    Malware Team-Emeritus
    Join Date
    Sep 2012
    Location
    Florida, USA
    Posts
    1,161

    Default

    Hi marcus89,

    1. Close any open browsers.

    2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the codebox below into it:

    Code:
    File::
    C:\Users\Marcus\AppData\Roaming\vqdlkr.dat
    C:\Users\Marcus\AppData\Local\nSVDb4q65iE
    C:\Users\Marcus\AppData\Local\20xYJkS83BHk4
    C:\ProgramData\20xYJkS83BHk4
    C:\Users\Marcus\AppData\Local\Ltomariv.bin
    C:\Users\Marcus\AppData\Local\Usejadiruvup.dat
    
    Folder::
    c:\users\Marcus\AppData\Local\ficmijdg
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, please post the C:\ComboFix.txt for further review.

    Next

    P2P - I see you have/had P2P software uTorrent & BitTorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections and possibly Identity Theft. It likely contributed to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

    I would strongly recommend that you uninstall these now.

    Click Start > Control Panel > Programs and Features. Locate and select the following that are present on the list and click the Remove button:
    • uTorrent
    • BitTorrent
    If you choose to not remove these programs please refrain from using them until we have finished cleaning your computer.

    Next

    Locate Malwarebytes' Anti-Malware (it should be on your desktop).

    • Right-click mbam-setup.exe, select "Run as Administrator", and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan as shown below.

    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
    Next

    Please run Eset Online Scanner
    Administrator rights are required to run ESET Online Scanner
    • Place a check mark in the box YES, I accept the Terms Of Use
    • Click the Start button.
    • Now click the Install button.
    • Click Start. The scanner engine will initialize and update.
    • Do Not place a check mark in the box beside Remove found threats.
    • Click the Scan button. The scan will now run, please be patient.
    • When the scan finishes click the Details tab.
    • Copy and paste the contents of the C:\Program Files\ESET\log.txt into your next reply.

    In your next post please provide the following:
    • ComboFix.txt
    • MBAM log
    • ESET report
    • Describe how your computer is running at the moment.
    OCD
    ----------
    Graduate of WTT Classroom
    Member of UNITE

    Threads will be closed if no response after 5 days
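The CFScript above was built by hand from the OTL file entries: hidden+system objects outside C:\Windows and unattributed files dropped straight into AppData. As an added example (not the helper's tool and not part of this thread), this Python script parses OTL-style file lines, applies those two review rules, and renders the hits as a CFScript "File::" section for an analyst to check. The allowlist, the rules and the excerpt used as sample input are assumptions of the example, not OTL features.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a short excerpt of file entries copied from the OTL log
# posted earlier in this thread, enough to exercise every rule below.
SAMPLE_OTL = r"""
[2012/12/13 13:21:25 | 2144,673,792 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/21 15:12:25 | 000,002,708 | ---- | C] () -- C:\Users\Marcus\AppData\Local\d3d9caps.dat
[2010/05/25 14:28:53 | 000,000,000 | ---- | C] () -- C:\Users\Marcus\AppData\Local\Ltomariv.bin
[2010/05/25 14:28:51 | 000,000,120 | ---- | C] () -- C:\Users\Marcus\AppData\Local\Usejadiruvup.dat
[2010/05/25 14:26:44 | 000,000,016 | ---- | C] () -- C:\Users\Marcus\AppData\Roaming\vqdlkr.dat
[2010/03/29 22:23:44 | 000,000,982 | -HS- | C] () -- C:\Users\Marcus\AppData\Local\nSVDb4q65iE
[2010/03/23 22:46:13 | 000,010,402 | -HS- | C] () -- C:\Users\Marcus\AppData\Local\20xYJkS83BHk4
[2010/03/23 22:46:13 | 000,010,402 | -HS- | C] () -- C:\ProgramData\20xYJkS83BHk4
[2008/05/13 19:36:54 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2012/07/09 07:50:17 | 000,000,000 | ---D | M] -- C:\Users\Marcus\AppData\Roaming\DAEMON Tools
[2012/12/04 13:47:23 | 000,696,760 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
"""

# One OTL file line: [timestamp | size | attrs | C or M] (company) -- path
# The "(company)" part is absent on directory lines such as the LOP check.
OTL_LINE = re.compile(
    r"^\[(?P<ts>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attrs>[A-Z-]{4})\s*\|\s*(?P<op>[CM])\]"
    r"(?:\s*\((?P<company>[^)]*)\))?\s*--\s*(?P<path>.+?)\s*$"
)

# Loose files that legitimately live outside vendor folders (assumed allowlist).
KNOWN_LOOSE_FILES = {
    "hiberfil.sys", "pagefile.sys", "bootstat.dat", "ntuser.pol",
    "desktop.ini", "d3d8caps.dat", "d3d9caps.dat",
}


@dataclass
class OtlEntry:
    timestamp: str
    size: int
    attrs: str      # four flags, e.g. "-HS-": R=read-only, H=hidden, S=system, D=directory
    company: str    # empty when OTL found no company name in the version resource
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_otl(text: str) -> List[OtlEntry]:
    """Return the file entries found in an OTL log; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if not m:
            continue  # section headers, registry dumps, blank lines
        entries.append(OtlEntry(
            timestamp=m["ts"],
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            company=(m["company"] or "").strip(),
            path=m["path"],
        ))
    return entries


def review_reason(e: OtlEntry) -> Optional[str]:
    """Why an entry deserves analyst review, or None if nothing stands out."""
    parts = e.path.lower().split("\\")
    if parts[-1] in KNOWN_LOOSE_FILES:
        return None
    under_windows = len(parts) > 1 and parts[1] == "windows"
    # Rule 1: hidden+system is how the dropped files in this thread hid themselves.
    if "H" in e.attrs and "S" in e.attrs and not under_windows:
        return "hidden+system object outside C:\\Windows"
    # Rule 2: real applications create a vendor subfolder; a bare file with no
    # company name sitting directly in AppData\Local or AppData\Roaming is odd.
    parent = parts[-2] if len(parts) > 1 else ""
    if ("appdata" in parts and parent in ("local", "roaming")
            and not e.is_dir and not e.company):
        return "unattributed file dropped directly into AppData"
    return None


def find_suspicious(text: str) -> List[Tuple[str, str]]:
    """(path, reason) pairs for every entry that trips a review rule."""
    hits = []
    for entry in parse_otl(text):
        reason = review_reason(entry)
        if reason:
            hits.append((entry.path, reason))
    return hits


def to_cfscript(paths: List[str]) -> str:
    """Render paths as a ComboFix CFScript 'File::' section (review before use)."""
    unique = list(dict.fromkeys(paths))  # drop duplicates, keep order
    return "File::\n" + "\n".join(unique) + "\n"


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_OTL)
    for path, reason in hits:
        print(f"{reason:48s} {path}")
    print(to_cfscript([p for p, _ in hits]))
```

On the sample excerpt the two rules reproduce exactly the six paths the helper listed under File::, while hiberfil.sys, d3d9caps.dat, ntuser.pol and the DAEMON Tools folder are left alone.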

  9. #9
    Member
    Join Date
    Oct 2010
    Posts
    34

    Default

    Hi, I couldn't find any of the BitTorrent programs in the uninstall programs list. I deleted all the BitTorrent-related folders on my C drive but I'm not sure what else can be done for now.

    Here is the mbam log:

    Malwarebytes Anti-Malware (Trial) 1.65.1.1000
    www.malwarebytes.org

    Database version: v2012.12.15.03

    Windows Vista Service Pack 1 x86 NTFS
    Internet Explorer 8.0.6001.19088
    Marcus :: MARCUS-PC [administrator]

    Protection: Enabled

    15/12/2012 11:38:17
    mbam-log-2012-12-15 (11-38-17).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 249826
    Time elapsed: 5 minute(s), 50 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 4
    HKCR\CLSID\{CA4520F3-AE13-4FB1-A513-58E23991C86D} (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA4520F3-AE13-4FB1-A513-58E23991C86D} (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{CA4520F3-AE13-4FB1-A513-58E23991C86D} (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA4520F3-AE13-4FB1-A513-58E23991C86D} (Trojan.Downloader) -> Quarantined and deleted successfully.

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 7
    C:\Users\Marcus\Desktop\MusicConverterSetup.exe (Adware.Agent) -> Quarantined and deleted successfully.
    C:\Users\Marcus\Downloads\XvidSetup(2).exe (Adware.Hotbar) -> Quarantined and deleted successfully.
    C:\Users\Marcus\Downloads\XvidSetup(3).exe (Adware.Hotbar) -> Quarantined and deleted successfully.
    C:\Users\Marcus\Downloads\XvidSetup(4).exe (Adware.Hotbar) -> Quarantined and deleted successfully.
    C:\Users\Marcus\Downloads\XvidSetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
    C:\Users\Marcus\Downloads\SetupRegKill.exe (Adware.CommonName) -> Quarantined and deleted successfully.
    C:\Users\Marcus\Downloads\SetupRegKill2702.exe (Adware.CommonName) -> Quarantined and deleted successfully.

    (end)

    Combofix:

    ComboFix 12-12-14.01 - Marcus 15/12/2012 11:08:52.3.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2047.769 [GMT 0:00]
    Running from: c:\users\Marcus\Downloads\ComboFix.exe
    Command switches used :: c:\users\Marcus\Desktop\CFScript.txt
    AV: Norton AntiVirus *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
    SP: Norton AntiVirus *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
    SP: Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\programdata\20xYJkS83BHk4"
    "c:\users\Marcus\AppData\Local\20xYJkS83BHk4"
    "c:\users\Marcus\AppData\Local\Ltomariv.bin"
    "c:\users\Marcus\AppData\Local\nSVDb4q65iE"
    "c:\users\Marcus\AppData\Local\Usejadiruvup.dat"
    "c:\users\Marcus\AppData\Roaming\vqdlkr.dat"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Marcus\AppData\Local\ficmijdg
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-11-15 to 2012-12-15 )))))))))))))))))))))))))))))))
    .
    .
    2012-12-15 11:24 . 2012-12-15 11:24 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
    2012-12-15 11:24 . 2012-12-15 11:24 -------- d-----w- c:\users\Public\AppData\Local\temp
    2012-12-15 11:24 . 2012-12-15 11:24 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
    2012-12-15 11:24 . 2012-12-15 11:24 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-12-13 13:25 . 2012-12-13 13:25 -------- d-----w- c:\windows\ERUNT
    2012-12-13 13:24 . 2012-12-13 13:24 -------- d-----w- C:\JRT
    2012-12-08 10:55 . 2012-12-08 10:55 -------- d-----w- c:\program files\Common Files\Skype
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-12-13 13:47 . 2012-04-09 13:22 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-12-13 13:47 . 2011-06-17 12:46 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
    "OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2006-12-01 95800]
    "IHateThisKey"="c:\program files\ByteGems.com\I Hate This Key\IHateThisKey.exe" [2008-11-08 716800]
    "RegistryMechanic"="c:\program files\Registry Mechanic\RMTray.exe" [2008-07-03 812952]
    "ManyCam"="c:\program files\ManyCam 2.4\ManyCam.exe" [2010-03-03 1824040]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]
    "BitTorrent DNA"="c:\users\Marcus\Program Files\DNA\btdna.exe" [2011-12-27 342848]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CCUTRAYICON"="FactoryMode" [X]
    "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
    "KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
    "OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-03-01 4390912]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-06-27 185896]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-10-10 36352]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
    "RegKillElbyCheck"="c:\program files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2002-11-02 45056]
    "RegKillTray"="c:\program files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe" [2002-11-27 49152]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-04-04 981680]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
    .
    c:\users\Marcus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-17 113664]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-12-15 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 13:47]
    .
    2012-10-09 c:\windows\Tasks\ReclaimerResumeInstall_Marcus.job
    - c:\users\Marcus\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.20\agent\rnupgagent.exe [2012-10-01 18:24]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
    TCP: Interfaces\{C292A6E2-AFFA-4AF4-9307-D9D5C99AAF8E}: DhcpNameServer = 208.67.220.220,208.67.222.222
    FF - ProfilePath - c:\users\Marcus\AppData\Roaming\Mozilla\Firefox\Profiles\i5auhz8l.default\
    FF - prefs.js: browser.search.selectedEngine -
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: SearchInOneStep: {8771569D-6C8B-45B5-8D74-5A80DDDF668D} - c:\program files\Mozilla Firefox\extensions\{8771569D-6C8B-45B5-8D74-5A80DDDF668D}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-SoftwareUpdUtility - c:\program files\Common Files\Software Update Utility\uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-12-15 11:24
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1589503311-819724082-689753091-1001\¬ î**]
    @Allowed: (Read) (RestrictedCode)
    "MachineID"=hex:98,8b,c0,2a,df,b6,11,00
    DUMPHIVE0.003 (REGF)
    .
    Completion time: 2012-12-15 11:29:44
    ComboFix-quarantined-files.txt 2012-12-15 11:29
    ComboFix2.txt 2012-12-08 11:41
    ComboFix3.txt 2011-12-15 23:05
    .
    Pre-Run: 62,631,510,016 bytes free
    Post-Run: 61,866,610,688 bytes free
    .
    - - End Of File - - B752E907B3D382D7DDC58DBF6088D1A7

    ESET:

    ESETSmartInstaller@High as downloader log:
    Can not open internetESETSmartInstaller@High as downloader log:
    Can not open internetCan not open internetESETSmartInstaller@High as downloader log:
    Can not open internetCan not open internetESETSmartInstaller@High as downloader log:
    Can not open internetCan not open internetESETSmartInstaller@High as downloader log:
    Can not open internetCan not open internetESETSmartInstaller@High as downloader log:
    Can not open internetESETSmartInstaller@High as downloader log:
    Can not open internetCan not open internetESETSmartInstaller@High as downloader log:
    Can not open internetCan not open internetESETSmartInstaller@High as downloader log:
    Can not open internetCan not open internetESETSmartInstaller@High as downloader log:
    Can not open internetESETSmartInstaller@High as downloader log:
    Can not open internetCan not open internetESETSmartInstaller@High as downloader log:
    Can not open internetCan not open internetESETSmartInstaller@High as downloader log:
    Can not open internetESETSmartInstaller@High as downloader log:
    all ok
    # version=8
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6844
    # api_version=3.0.2
    # EOSSerial=3e3399b27dadc7459d789b11b080e3af
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=false
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2012-12-15 02:42:35
    # local_time=2012-12-15 02:42:35 (+0000, GMT Standard Time)
    # country="United Kingdom"
    # lang=1033
    # osver=6.0.6001 NT Service Pack 1
    # compatibility_mode=5892 16776574 100 100 85931533 193115283 0 0
    # scanned=281084
    # found=9
    # cleaned=0
    # scan_time=6913
    C:\Program Files\Perfect Uninstaller\RkHitApi.dll a variant of Win32/Adware.SpywareCease.AA application (unable to clean) 339B726E4B3D7F4AE77D75F69B6EF8B01E433A14 I
    C:\Program Files\SearchIn1Step\searchin1.exe a variant of Win32/Adware.OneStep application (unable to clean) 70227ECD635D953CD973099AF83F7EEA202A065A I
    C:\Program Files\SearchIn1Step\si1opt.exe a variant of Win32/Adware.OneStep.B application (unable to clean) E7F1C57318FC5C5EADD94A526AA8F4638315667E I
    C:\Qoobox\Quarantine\C\Users\Marcus\AppData\Local\usrHelpppm\SystemMain32.dll.vir probably a variant of Win32/Sefnit.CD trojan (unable to clean) 4D512B7520A0D53910D84EA2A55A32F794A374F9 I
    C:\Qoobox\Quarantine\C\Users\Marcus\AppData\Local\{1C530A94-FB03-4325-9678-3898A46EC5CF}\chrome\content\overlay.xul.vir probably a variant of Win32/Agent.NVQFFQI trojan (unable to clean) C1BAC22B767030CB056CCA7E6BD1AB42348E3EEE I
    C:\Qoobox\Quarantine\C\Windows\System32\edgtdhiy.ini.vir Win32/Adware.Virtumonde.NEO application (unable to clean) 9917D386E707B6A6E2863F68F8740923A3A51E42 I
    C:\Users\Marcus\Documents\Downloads\Magic ISO Maker 5.4+_KEYGEN.EXE Win32/VB.NKW trojan (unable to clean) 203AD087330FB208F04E08DAFB09AB6C0871F5D5 I
    C:\Users\Marcus\Documents\Downloads\Perfect Uninstaller™ V6.3.2.2\PerfectUninstaller_Setup.exe a variant of Win32/Adware.SpywareCease.AA application (unable to clean) 5A3709471657F0897A07D1A2454C340D554F6ACC I
    C:\Users\Marcus\Downloads\PerfectUninstaller_Setup.exe a variant of Win32/Adware.SpywareCease.AA application (unable to clean) 81AF828FBB11A22979325D1523FEF64C49BAFF0D I

  10. #10
    Malware Team-Emeritus
    Join Date
    Sep 2012
    Location
    Florida, USA
    Posts
    1,161

    Default

    Hi marcus89,

    Re-run OTL (it should be located on your desktop).

    Windows Vista and Windows 7 users: right-click the icon and select "Run as Administrator" to run it.
    • Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Uncheck the boxes beside LOP Check and Purity Check.
    • Under Extra Registry place the check mark in Use Safe List -- special instructions
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
      • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
        Note: The logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
      • Please copy (Edit->Select All, Edit->Copy) the contents of the file, and post it with your next reply.


    In your next post please provide the following:

    • OTL.txt
    • Extras.txt

    OCD
    ----------
    Graduate of WTT Classroom
    Member of UNITE

    Threads will be closed if no response after 5 days
