PDA

View Full Version : win32adware



joykins
2010-12-14, 12:16
Hi,

Apparently I'm having trouble understanding and following the instructions I've been given for posting - I apologize, please be patient with us "odiesl" :oops:

Here's the links to my two previous threads:

http://forums.spybot.info/showthread.php?t=60658

http://forums.spybot.info/showthread.php?t=60870

Looks like I'm supposed to re-post the DDS log. The DDS.txt file is pasted below. The attach.txt file is compressed and attached.

The first link above contains the original post with the original DDS log results and the second link contains the OTL logs.

Thanks so much


DDS (Ver_10-11-27.01) - NTFSx86
Run by Joy at 5:04:18.28 on Tue 12/14/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2038.1008 [GMT -5:00]

SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\igfxpers.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Citrix\ICA Client\WFCRUN32.EXE
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
C:\Program Files\dvd43\DVD43_Tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Real\realplayer\Update\realsched.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\GamesBar\SearchEngineProtection.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Microsoft Office\Office14\OfficeSAS\officeSASscheduler.exe
C:\Program Files\Citrix\ICA Client\PNAMAIN.EXE
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files\Microsoft Office\Office14\OfficeSAS\OfficeSAS.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\microsoft shared\virtualization handler\cvh.exe
C:\Program Files\e-Sword\e-Sword.exe
C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Q:\140061.enu\Office14\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://start.att.iplay.com/?o=shp
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: D-Link Toolbar Search Class: {e917fc61-7f80-4f1f-a882-cdffffbe4c8d} - c:\program files\d-link toolbar\dlinktb.dll
mURLSearchHooks: D-Link Toolbar Search Class: {e917fc61-7f80-4f1f-a882-cdffffbe4c8d} - c:\program files\d-link toolbar\dlinktb.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: GamesBarBHO Class: {cb0d163c-e9f4-4236-9496-0597e24b23a5} - c:\program files\gamesbar\2.0.1.55\oberontb.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: D-Link Toolbar Loader: {f01858c7-2a68-4d93-9e22-502eae3917c2} - c:\program files\d-link toolbar\dlinktb.dll
TB: D-Link Toolbar: {61874dfa-9adf-44e5-8e61-f3913707e7d7} - c:\program files\d-link toolbar\dlinktb.dll
TB: GamesBar: {6f282b65-56bf-4bd1-a8b2-a4449a05863d} - c:\program files\gamesbar\2.0.1.55\oberontb.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [Free Download Manager] "c:\program files\free download manager\fdm.exe" -autorun
uRun: [Software Informer] "c:\program files\software informer\softinfo.exe" -autorun
uRun: [SearchEngineProtection] c:\program files\gamesbar\SearchEngineProtection.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\users\joy\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\desktop\erunt\AUTOBACK.EXE
StartupFolder: c:\users\joy\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office14\officesas\officeSASscheduler.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\online~1.lnk - c:\windows\installer\{b8a2256e-6225-4d9e-b1c9-c26ca1e22feb}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {1A93C934-025B-4c3a-B38E-9654A7003239} - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - c:\program files\gamesbar\2.0.1.55\oberontb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.att.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\joy\appdata\roaming\mozilla\firefox\profiles\9ak4t7jr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo!
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - prefs.js: keyword.URL - hxxp://search.addthis.com/search?pco=fxe-3.1.0&locale=en-US&sl=ub&q=
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol500.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\joy\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\users\joy\appdata\roaming\mozilla\firefox\profiles\9ak4t7jr.default\extensions\oberongamehost@oberongames.com\platform\winnt_x86-msvc\plugins\npOberonGameHost.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: AnyColor: anycolor.pavlos256@gmail.com - c:\users\joy\appdata\roaming\mozilla\firefox\profiles\9ak4t7jr.default\extensions\anycolor.pavlos256@gmail.com
FF - Extension: Read It Later: isreaditlater@ideashower.com - c:\users\joy\appdata\roaming\mozilla\firefox\profiles\9ak4t7jr.default\extensions\isreaditlater@ideashower.com
FF - Extension: Morning Coffee: morningCoffee@shaneliesegang - c:\users\joy\appdata\roaming\mozilla\firefox\profiles\9ak4t7jr.default\extensions\morningCoffee@shaneliesegang
FF - Extension: Oberon Game Host: OberonGameHost@OberonGames.com - c:\users\joy\appdata\roaming\mozilla\firefox\profiles\9ak4t7jr.default\extensions\OberonGameHost@OberonGames.com
FF - Extension: Oberon Game Host: OberonGameHost@OberonGames.com - c:\users\joy\appdata\roaming\mozilla\firefox\profiles\9ak4t7jr.default\extensions\OberonGameHost@OberonGames.com
FF - Extension: Personas: personas@christopher.beard - c:\users\joy\appdata\roaming\mozilla\firefox\profiles\9ak4t7jr.default\extensions\personas@christopher.beard
FF - Extension: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - c:\users\joy\appdata\roaming\mozilla\firefox\profiles\9ak4t7jr.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\joy\appdata\roaming\mozilla\firefox\profiles\9ak4t7jr.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Malware Search: {27c60876-b5c9-4335-b4f3-52b26782220c} - c:\users\joy\appdata\roaming\mozilla\firefox\profiles\9ak4t7jr.default\extensions\{27c60876-b5c9-4335-b4f3-52b26782220c}
FF - Extension: AddThis: {3e0e7d2a-070f-4a47-b019-91fe5385ba79} - c:\users\joy\appdata\roaming\mozilla\firefox\profiles\9ak4t7jr.default\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79}
FF - Extension: D-Link Toolbar: {926a10d2-4ce7-4331-b96f-ca4e22590fac} - c:\users\joy\appdata\roaming\mozilla\firefox\profiles\9ak4t7jr.default\extensions\{926a10d2-4ce7-4331-b96f-ca4e22590fac}
FF - Extension: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext

---- FIREFOX POLICIES ----
FF - user.js: browser.blink_allowed - true
FF - user.js: network.prefetch-next - true
FF - user.js: nglayout.initialpaint.delay - 50
FF - user.js: layout.spellcheckDefault - 1
FF - user.js: browser.search.openintab - false
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100

============= SERVICES / DRIVERS ===============

R0 amacpi;Microsoft Away Mode System;c:\windows\system32\drivers\null.sys [2009-7-13 4608]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-1-30 165584]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
R2 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2010-10-2 401920]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-30 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-1-30 50768]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-28 40384]
R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2010-2-28 821664]
R2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\common files\magix services\database\bin\FABS.exe [2009-8-27 1253376]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-11-30 1153368]
R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2010-4-24 483688]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-28 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-28 40384]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2009-9-26 4639136]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2010-4-24 550760]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2010-4-24 195944]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2010-4-24 21864]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2010-4-24 19304]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2010-4-24 209768]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-24 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\common files\magix services\database\bin\fbserver.exe [2008-8-7 3276800]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-6-28 1310720]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-7 1343400]
S3 YMIDUSBW;Yamaha USB-MIDI Driver (WDM);c:\windows\system32\drivers\ymidusbw.sys [2009-8-4 33736]

=============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2010-12-14 01:09:05 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{031e7dcb-6889-4329-8549-326325ffd0b7}\mpengine.dll
2010-12-01 12:05:45 466944 ----a-w- c:\program files\mozilla firefox\plugins\NPcol500.dll
2010-12-01 12:05:45 466944 ----a-w- c:\program files\mozilla firefox\plugins\NPcol400.dll
2010-12-01 12:05:45 -------- d-----w- c:\users\joy\appdata\roaming\Catalina Marketing Corp
2010-12-01 12:05:41 521760 ----a-w- c:\users\joy\appdata\roaming\microsoft\windows\start menu\programs\catalina marketing corp\UninstallCouponActivator.exe
2010-12-01 11:33:40 -------- d-----w- c:\program files\Coupons
2010-11-30 10:52:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-30 10:52:05 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2010-11-30 10:27:46 -------- d-----w- c:\users\joy\appdata\local\WinZip
2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-28 21:16:45 38848 ----a-w- c:\windows\avastSS.scr
2010-11-27 14:08:08 -------- d-----w- c:\program files\WIDI 3.3 Pro
2010-11-25 13:46:41 -------- d-----w- c:\users\joy\appdata\local\Real
2010-11-25 13:46:15 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll
2010-11-25 13:45:54 -------- d-----w- c:\program files\common files\xing shared
2010-11-25 13:45:37 151776 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2010-11-25 13:45:18 100352 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
2010-11-24 11:41:40 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
2010-11-17 10:18:05 -------- d-----w- c:\program files\iPod
2010-11-17 10:18:03 -------- d-----w- c:\program files\iTunes

==================== Find3M ====================

2010-11-25 13:45:03 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-11-25 13:45:03 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-10-23 11:45:14 87608 ----a-w- c:\users\joy\appdata\roaming\inst.exe
2010-10-23 11:45:14 47360 ----a-w- c:\users\joy\appdata\roaming\pcouffin.sys
2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe

============= FINISH: 5:05:20.90 ===============

ken545
2010-12-19, 11:59
Hi,

I reopened your original thread but with the confusion lets just let it be and work on this one. Please be advised that as busy as the forum gets if a helper responds to your post and there is no reply from you in four days that the thread is archived.


So lets start from square one as things may have changed on your sytem

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.






Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please






OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

joykins
2010-12-19, 14:13
Hi Ken, thanks for the help!

I installed and ran the malwarebytes scan which found no infected files . . . would love to believe that's true, but I'm the eternal skeptic.

Here's the results:

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5356

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/19/2010 6:55:15 AM
mbam-log-2010-12-19 (06-55-15).txt

Scan type: Quick scan
Objects scanned: 153506
Time elapsed: 5 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I'll run OTL and repost next.

Thanks again,
Joy

joykins
2010-12-19, 14:23
Here's the results of the OTL scan

OTL.txt file: (the OTL Extras.txt will be next)

OTL logfile created on: 12/19/2010 7:16:33 AM - Run 2
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Downloads\Software
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 59.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 270.65 Gb Total Space | 32.07 Gb Free Space | 11.85% Space Free | Partition Type: NTFS
Drive D: | 8.78 Gb Total Space | 0.48 Gb Free Space | 5.50% Space Free | Partition Type: FAT32
Drive E: | 460.11 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 465.76 Gb Total Space | 223.21 Gb Free Space | 47.92% Space Free | Partition Type: NTFS

Computer Name: JOY-PC | User Name: Joy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Downloads\Software\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Real\realplayer\Update\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
PRC - C:\Program Files\GamesBar\SearchEngineProtection.exe (Oberon Media )
PRC - C:\Program Files\Free Download Manager\fdm.exe (FreeDownloadManager.ORG)
PRC - C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation)
PRC - C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
PRC - C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\dvd43\DVD43_Tray.exe ()
PRC - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe (Amazon.com)
PRC - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe (Amazon.com)
PRC - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)
PRC - C:\Program Files\Microsoft Office\Office14\OfficeSAS\OfficeSAS.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Office\Office14\OfficeSAS\OfficeSASScheduler.exe (Microsoft Corporation)
PRC - C:\Program Files\Citrix\ICA Client\pnamain.exe (Citrix Systems, Inc.)
PRC - C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
PRC - C:\Program Files\Citrix\ICA Client\wfcrun32.exe (Citrix Systems, Inc.)
PRC - C:\Program Files\Citrix\ICA Client\ssonsvr.exe (Citrix Systems, Inc.)
PRC - C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe (MAGIX AG)
PRC - C:\Windows\System32\wisptis.exe (Microsoft Corporation)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
PRC - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)


========== Modules (SafeList) ==========

MOD - C:\Downloads\Software\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\sspicli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\softkbd.dll (Microsoft Corporation)
MOD - C:\Windows\System32\sechost.dll (Microsoft Corporation)
MOD - C:\Windows\System32\samcli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\profapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\netutils.dll (Microsoft Corporation)
MOD - C:\Windows\System32\KernelBase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\dwmapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\devobj.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cryptbase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cfgmgr32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (Akamai) -- c:\Program Files\Common Files\Akamai\netsession_win_aeec0f0.dll ()
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
SRV - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
SRV - (sftvsa) -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation)
SRV - (sftlist) -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV - (McComponentHostService) -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe (McAfee, Inc.)
SRV - (Amazon Download Agent) -- C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe (Amazon.com)
SRV - (IntuitUpdateService) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)
SRV - (Fabs) -- C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe (MAGIX AG)
SRV - (WwanSvc) -- C:\Windows\System32\wwansvc.dll (Microsoft Corporation)
SRV - (WbioSrvc) -- C:\Windows\System32\wbiosrvc.dll (Microsoft Corporation)
SRV - (Power) -- C:\Windows\System32\umpo.dll (Microsoft Corporation)
SRV - (Themes) -- C:\Windows\System32\themeservice.dll (Microsoft Corporation)
SRV - (sppuinotify) -- C:\Windows\System32\sppuinotify.dll (Microsoft Corporation)
SRV - (RpcEptMapper) -- C:\Windows\System32\RpcEpMap.dll (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PNRPsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (p2pimsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (HomeGroupProvider) -- C:\Windows\System32\provsvc.dll (Microsoft Corporation)
SRV - (PNRPAutoReg) -- C:\Windows\System32\pnrpauto.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (HomeGroupListener) -- C:\Windows\System32\ListSvc.dll (Microsoft Corporation)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (Dhcp) -- C:\Windows\System32\dhcpcore.dll (Microsoft Corporation)
SRV - (defragsvc) -- C:\Windows\System32\defragsvc.dll (Microsoft Corporation)
SRV - (BDESVC) -- C:\Windows\System32\bdesvc.dll (Microsoft Corporation)
SRV - (AxInstSV) ActiveX Installer (AxInstSV) -- C:\Windows\System32\AxInstSv.dll (Microsoft Corporation)
SRV - (AppIDSvc) -- C:\Windows\System32\appidsvc.dll (Microsoft Corporation)
SRV - (sppsvc) -- C:\Windows\System32\sppsvc.exe (Microsoft Corporation)
SRV - (SBSDWSCService) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
SRV - (FirebirdServerMAGIXInstance) -- C:\Program Files\Common Files\MAGIX Services\Database\bin\fbserver.exe (MAGIX®)


========== Driver Services (SafeList) ==========

DRV - (dvd43llh) -- C:\Windows\System32\drivers\dvd43llh.sys (RIF)
DRV - (aswTdi) -- C:\Windows\System32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswSP) -- C:\Windows\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswRdr) -- C:\Windows\System32\drivers\aswRdr.sys (AVAST Software)
DRV - (aswMonFlt) -- C:\Windows\System32\drivers\aswMonFlt.sys (AVAST Software)
DRV - (aswFsBlk) -- C:\Windows\System32\drivers\aswFsBlk.sys (AVAST Software)
DRV - (Sftvol) -- C:\Windows\System32\drivers\Sftvollh.sys (Microsoft Corporation)
DRV - (Sftredir) -- C:\Windows\System32\drivers\Sftredirlh.sys (Microsoft Corporation)
DRV - (Sftplay) -- C:\Windows\System32\drivers\Sftplaylh.sys (Microsoft Corporation)
DRV - (Sftfs) -- C:\Windows\System32\drivers\Sftfslh.sys (Microsoft Corporation)
DRV - (KSecPkg) -- C:\Windows\System32\Drivers\ksecpkg.sys (Microsoft Corporation)
DRV - (ctxusbm) -- C:\Windows\System32\drivers\ctxusbm.sys (Citrix Systems, Inc.)
DRV - (YMIDUSBW) Yamaha USB-MIDI Driver (WDM) -- C:\Windows\System32\drivers\ymidusbw.sys (Yamaha Corporation)
DRV - (cmdide) -- C:\Windows\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (adpahci) -- C:\Windows\system32\DRIVERS\adpahci.sys (Adaptec, Inc.)
DRV - (adp94xx) -- C:\Windows\system32\DRIVERS\adp94xx.sys (Adaptec, Inc.)
DRV - (amdsbs) -- C:\Windows\system32\DRIVERS\amdsbs.sys (AMD Technologies Inc.)
DRV - (adpu320) -- C:\Windows\system32\DRIVERS\adpu320.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\DRIVERS\arcsas.sys (Adaptec, Inc.)
DRV - (amdsata) -- C:\Windows\system32\DRIVERS\amdsata.sys (Advanced Micro Devices)
DRV - (arc) -- C:\Windows\system32\DRIVERS\arc.sys (Adaptec, Inc.)
DRV - (amdxata) -- C:\Windows\system32\DRIVERS\amdxata.sys (Advanced Micro Devices)
DRV - (aliide) -- C:\Windows\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (nvstor) -- C:\Windows\system32\DRIVERS\nvstor.sys (NVIDIA Corporation)
DRV - (nvraid) -- C:\Windows\system32\DRIVERS\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\DRIVERS\nfrd960.sys (IBM Corporation)
DRV - (LSI_SAS) -- C:\Windows\system32\DRIVERS\lsi_sas.sys (LSI Corporation)
DRV - (iaStorV) -- C:\Windows\system32\DRIVERS\iaStorV.sys (Intel Corporation)
DRV - (MegaSR) -- C:\Windows\system32\DRIVERS\MegaSR.sys (LSI Corporation, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\DRIVERS\lsi_scsi.sys (LSI Corporation)
DRV - (LSI_FC) -- C:\Windows\system32\DRIVERS\lsi_fc.sys (LSI Corporation)
DRV - (LSI_SAS2) -- C:\Windows\system32\DRIVERS\lsi_sas2.sys (LSI Corporation)
DRV - (iirsp) -- C:\Windows\system32\DRIVERS\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (megasas) -- C:\Windows\system32\DRIVERS\megasas.sys (LSI Corporation)
DRV - (hwpolicy) -- C:\Windows\System32\drivers\hwpolicy.sys (Microsoft Corporation)
DRV - (elxstor) -- C:\Windows\system32\DRIVERS\elxstor.sys (Emulex)
DRV - (aic78xx) -- C:\Windows\system32\DRIVERS\djsvs.sys (Adaptec, Inc.)
DRV - (HpSAMD) -- C:\Windows\system32\DRIVERS\HpSAMD.sys (Hewlett-Packard Company)
DRV - (FsDepends) -- C:\Windows\System32\drivers\fsdepends.sys (Microsoft Corporation)
DRV - (vsmraid) -- C:\Windows\system32\DRIVERS\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (vhdmp) -- C:\Windows\system32\DRIVERS\vhdmp.sys (Microsoft Corporation)
DRV - (vdrvroot) -- C:\Windows\system32\DRIVERS\vdrvroot.sys (Microsoft Corporation)
DRV - (WIMMount) -- C:\Windows\System32\drivers\wimmount.sys (Microsoft Corporation)
DRV - (viaide) -- C:\Windows\system32\DRIVERS\viaide.sys (VIA Technologies, Inc.)
DRV - (ql2300) -- C:\Windows\system32\DRIVERS\ql2300.sys (QLogic Corporation)
DRV - (rdyboost) -- C:\Windows\System32\drivers\rdyboost.sys (Microsoft Corporation)
DRV - (ql40xx) -- C:\Windows\system32\DRIVERS\ql40xx.sys (QLogic Corporation)
DRV - (SiSRaid4) -- C:\Windows\system32\DRIVERS\sisraid4.sys (Silicon Integrated Systems)
DRV - (pcw) -- C:\Windows\System32\drivers\pcw.sys (Microsoft Corporation)
DRV - (SiSRaid2) -- C:\Windows\system32\DRIVERS\SiSRaid2.sys (Silicon Integrated Systems Corp.)
DRV - (stexstor) -- C:\Windows\system32\DRIVERS\stexstor.sys (Promise Technology)
DRV - (CNG) -- C:\Windows\System32\Drivers\cng.sys (Microsoft Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\System32\Drivers\Brserid.sys (Brother Industries Ltd.)
DRV - (rdpbus) -- C:\Windows\system32\DRIVERS\rdpbus.sys (Microsoft Corporation)
DRV - (RDPREFMP) -- C:\Windows\System32\drivers\RDPREFMP.sys (Microsoft Corporation)
DRV - (RasAgileVpn) WAN Miniport (IKEv2) -- C:\Windows\System32\drivers\agilevpn.sys (Microsoft Corporation)
DRV - (WfpLwf) -- C:\Windows\System32\drivers\wfplwf.sys (Microsoft Corporation)
DRV - (NdisCap) -- C:\Windows\System32\drivers\ndiscap.sys (Microsoft Corporation)
DRV - (vwifibus) -- C:\Windows\System32\drivers\vwifibus.sys (Microsoft Corporation)
DRV - (1394ohci) -- C:\Windows\System32\drivers\1394ohci.sys (Microsoft Corporation)
DRV - (UmPass) -- C:\Windows\system32\DRIVERS\umpass.sys (Microsoft Corporation)
DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (mshidkmdf) -- C:\Windows\System32\drivers\mshidkmdf.sys (Microsoft Corporation)
DRV - (MTConfig) -- C:\Windows\system32\DRIVERS\MTConfig.sys (Microsoft Corporation)
DRV - (CompositeBus) -- C:\Windows\System32\drivers\CompositeBus.sys (Microsoft Corporation)
DRV - (AppID) -- C:\Windows\system32\drivers\appid.sys (Microsoft Corporation)
DRV - (scfilter) -- C:\Windows\System32\drivers\scfilter.sys (Microsoft Corporation)
DRV - (discache) -- C:\Windows\System32\drivers\discache.sys (Microsoft Corporation)
DRV - (AcpiPmi) -- C:\Windows\system32\DRIVERS\acpipmi.sys (Microsoft Corporation)
DRV - (AmdPPM) -- C:\Windows\system32\DRIVERS\amdppm.sys (Microsoft Corporation)
DRV - (hcw85cir) -- C:\Windows\system32\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (BrUsbMdm) -- C:\Windows\System32\Drivers\BrUsbMdm.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\System32\Drivers\BrUsbSer.sys (Brother Industries Ltd.)
DRV - (BrSerWdm) -- C:\Windows\System32\Drivers\BrSerWdm.sys (Brother Industries Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\DRIVERS\BrFiltLo.sys (Brother Industries, Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\DRIVERS\BrFiltUp.sys (Brother Industries, Ltd.)
DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (LSI Corp)
DRV - (b57nd60x) -- C:\Windows\System32\drivers\b57nd60x.sys (Broadcom Corporation)
DRV - (ebdrv) -- C:\Windows\system32\DRIVERS\evbdx.sys (Broadcom Corporation)
DRV - (b06bdrv) -- C:\Windows\system32\DRIVERS\bxvbdx.sys (Broadcom Corporation)
DRV - (igfx) -- C:\Windows\System32\drivers\igdkmd32.sys (Intel Corporation)
DRV - (USBPNPA) -- C:\Windows\System32\drivers\CM108.sys (C-Media Inc)
DRV - (Icam4USB) -- C:\Windows\System32\drivers\Icam4USB.sys (Microsoft Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\URLSearchHook: {e917fc61-7f80-4f1f-a882-cdffffbe4c8d} - C:\Program Files\D-Link Toolbar\dlinktb.dll (AOL LLC.)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.att.iplay.com/?o=shp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 5A 78 17 69 30 7E CA 01 [binary data]
IE - HKCU\..\URLSearchHook: {e917fc61-7f80-4f1f-a882-cdffffbe4c8d} - C:\Program Files\D-Link Toolbar\dlinktb.dll (AOL LLC.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo!"
FF - prefs.js..browser.search.defaulturl: "http://www.bing.com/search?FORM=IEFM1&q="
FF - prefs.js..browser.search.selectedEngine: "Yahoo!"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://google.com"
FF - prefs.js..extensions.enabledItems: anycolor.pavlos256@gmail.com:0.3.3
FF - prefs.js..extensions.enabledItems: isreaditlater@ideashower.com:2.0.6
FF - prefs.js..extensions.enabledItems: morningCoffee@shaneliesegang:1.33
FF - prefs.js..extensions.enabledItems: OberonGameHost@OberonGames.com:1.0.5.1462
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.6.1
FF - prefs.js..extensions.enabledItems: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3}:2.0.2
FF - prefs.js..extensions.enabledItems: {3e0e7d2a-070f-4a47-b019-91fe5385ba79}:3.1.0
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:14.0.1
FF - prefs.js..extensions.enabledItems: {926a10d2-4ce7-4331-b96f-ca4e22590fac}:5.45.3.3629
FF - prefs.js..extensions.enabledItems: fdm_ffext@freedownloadmanager.org:1.3.4
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..keyword.URL: "http://search.addthis.com/search?pco=fxe-3.1.0&locale=en-US&sl=ub&q="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - user.js..browser.search.openintab: false

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/11/25 08:45:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/13 20:05:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/13 20:05:19 | 000,000,000 | ---D | M]

[2010/01/11 04:13:49 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Mozilla\Extensions
[2010/01/10 17:43:16 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Mozilla\Firefox\extensions
[2010/01/10 17:43:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Joy\AppData\Roaming\Mozilla\Firefox\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
[2010/12/19 06:39:39 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Mozilla\Firefox\Profiles\9ak4t7jr.default\extensions
[2010/09/24 19:09:32 | 000,000,000 | ---D | M] (Forecastfox Weather) -- C:\Users\Joy\AppData\Roaming\Mozilla\Firefox\Profiles\9ak4t7jr.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
[2010/04/28 03:33:35 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Joy\AppData\Roaming\Mozilla\Firefox\Profiles\9ak4t7jr.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/08/05 05:41:19 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Joy\AppData\Roaming\Mozilla\Firefox\Profiles\9ak4t7jr.default\extensions\{27c60876-b5c9-4335-b4f3-52b26782220c}
[2010/09/09 05:14:01 | 000,000,000 | ---D | M] (AddThis) -- C:\Users\Joy\AppData\Roaming\Mozilla\Firefox\Profiles\9ak4t7jr.default\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79}
[2010/08/05 05:41:19 | 000,000,000 | ---D | M] (D-Link Toolbar) -- C:\Users\Joy\AppData\Roaming\Mozilla\Firefox\Profiles\9ak4t7jr.default\extensions\{926a10d2-4ce7-4331-b96f-ca4e22590fac}
[2010/08/23 01:47:36 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Mozilla\Firefox\Profiles\9ak4t7jr.default\extensions\anycolor.pavlos256@gmail.com
[2010/04/07 04:55:59 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Mozilla\Firefox\Profiles\9ak4t7jr.default\extensions\isreaditlater@ideashower.com
[2010/01/10 17:43:20 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Mozilla\Firefox\Profiles\9ak4t7jr.default\extensions\morningCoffee@shaneliesegang
[2010/07/03 06:41:21 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Mozilla\Firefox\Profiles\9ak4t7jr.default\extensions\OberonGameHost@OberonGames.com
[2010/09/13 03:12:07 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Mozilla\Firefox\Profiles\9ak4t7jr.default\extensions\personas@christopher.beard
[2009/12/16 04:46:28 | 000,002,171 | ---- | M] () -- C:\Users\Joy\AppData\Roaming\Mozilla\Firefox\Profiles\9ak4t7jr.default\searchplugins\bing.xml
[2010/11/24 06:32:00 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/29 04:50:48 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/11/24 06:32:01 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2009/09/12 23:05:42 | 000,124,240 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\CCMSDK.dll
[2009/09/12 23:06:22 | 000,070,488 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\CgpCore.dll
[2009/09/12 23:06:32 | 000,091,480 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\confmgr.dll
[2009/09/12 23:06:28 | 000,022,360 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\ctxlogging.dll
[2009/03/23 22:29:44 | 000,060,824 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll
[2010/12/01 07:05:45 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPcol400.dll
[2010/12/01 07:05:45 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPcol500.dll
[2009/11/19 17:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2010/09/15 04:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/09/12 23:08:36 | 000,406,864 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npicaN.dll
[2009/11/19 17:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
[2009/08/03 15:07:42 | 000,373,104 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\npOGAPlugin.dll
[2009/09/12 23:06:24 | 000,023,896 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\TcpPServ.dll
[2010/10/16 18:47:54 | 000,001,943 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\Yahooober26752984.xml

O1 HOSTS File: ([2009/06/10 16:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (GamesBarBHO Class) - {CB0D163C-E9F4-4236-9496-0597E24B23A5} - C:\Program Files\GamesBar\2.0.1.55\oberontb.dll (Oberon Media Ltd.)
O2 - BHO: (FDMIECookiesBHO Class) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll ()
O2 - BHO: (D-Link Toolbar Loader) - {f01858c7-2a68-4d93-9e22-502eae3917c2} - C:\Program Files\D-Link Toolbar\dlinktb.dll (AOL LLC.)
O3 - HKLM\..\Toolbar: (D-Link Toolbar) - {61874dfa-9adf-44e5-8e61-f3913707e7d7} - C:\Program Files\D-Link Toolbar\dlinktb.dll (AOL LLC.)
O3 - HKLM\..\Toolbar: (GamesBar) - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files\GamesBar\2.0.1.55\oberontb.dll (Oberon Media Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (D-Link Toolbar) - {61874DFA-9ADF-44E5-8E61-F3913707E7D7} - C:\Program Files\D-Link Toolbar\dlinktb.dll (AOL LLC.)
O4 - HKLM..\Run: [AmazonGSDownloaderTray] C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe (Amazon.com)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [dvd43] C:\Program Files\dvd43\DVD43_Tray.exe ()
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [TkBellExe] c:\program files\real\realplayer\Update\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe (FreeDownloadManager.ORG)
O4 - HKCU..\Run: [SearchEngineProtection] C:\Program Files\GamesBar\SearchEngineProtection.exe (Oberon Media )
O4 - HKCU..\Run: [Software Informer] C:\Program Files\Software Informer\softinfo.exe File not found
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Users\Joy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\desktop\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Users\Joy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: Download all with Free Download Manager - C:\Program Files\Free Download Manager\dlall.htm ()
O8 - Extra context menu item: Download selected with Free Download Manager - C:\Program Files\Free Download Manager\dlselected.htm ()
O8 - Extra context menu item: Download video with Free Download Manager - C:\Program Files\Free Download Manager\dlfvideo.htm ()
O8 - Extra context menu item: Download with Free Download Manager - C:\Program Files\Free Download Manager\dllink.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : GamesBar - {1A93C934-025B-4c3a-B38E-9654A7003239} - Reg Error: Value error. File not found
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: //@surf.mar@/ ([]money in Local intranet)
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} http://games.att.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab (Oberon Flash Game Host)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 15:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2004/04/30 07:01:14 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2009/07/01 18:49:32 | 000,000,062 | ---- | M] () - F:\Autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/12/15 18:51:46 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2010/12/15 18:51:41 | 000,606,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010/12/15 18:51:39 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2010/12/15 18:51:39 | 000,381,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010/12/15 18:51:39 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2010/12/15 18:51:38 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2010/12/15 18:51:38 | 000,386,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2010/12/15 18:51:38 | 000,185,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2010/12/15 18:51:38 | 000,064,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010/12/15 18:51:38 | 000,048,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2010/12/15 18:51:38 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2010/12/15 18:51:38 | 000,012,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2010/12/15 18:51:31 | 000,496,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\taskschd.dll
[2010/12/15 18:51:31 | 000,351,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmicmiplugin.dll
[2010/12/15 18:51:31 | 000,305,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\taskcomp.dll
[2010/12/15 18:51:31 | 000,179,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\schtasks.exe
[2010/12/15 18:51:25 | 000,314,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\webio.dll
[2010/12/15 18:51:25 | 000,294,400 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2010/12/15 18:51:24 | 000,101,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\consent.exe
[2010/12/15 18:51:24 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll
[2010/12/15 18:51:23 | 002,327,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2010/12/13 20:04:52 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/12/01 07:05:45 | 000,000,000 | ---D | C] -- C:\Users\Joy\AppData\Roaming\Catalina Marketing Corp
[2010/12/01 06:33:40 | 000,000,000 | ---D | C] -- C:\Program Files\Coupons
[2010/11/30 05:52:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/11/30 05:52:05 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/11/30 05:27:46 | 000,000,000 | ---D | C] -- C:\Users\Joy\AppData\Local\WinZip
[2010/11/30 05:27:41 | 000,000,000 | ---D | C] -- C:\Program Files\WinZip
[2010/11/29 17:38:30 | 000,094,208 | ---- | C] (Apple Inc.) -- C:\Windows\System32\QuickTimeVR.qtx
[2010/11/29 17:38:30 | 000,069,632 | ---- | C] (Apple Inc.) -- C:\Windows\System32\QuickTime.qts
[2010/11/28 16:16:45 | 000,038,848 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2010/11/27 09:08:08 | 000,000,000 | ---D | C] -- C:\Program Files\WIDI 3.3 Pro
[2010/11/25 08:46:41 | 000,000,000 | ---D | C] -- C:\Users\Joy\AppData\Local\Real
[2010/11/25 08:45:54 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
[2010/11/25 08:45:37 | 000,199,904 | ---- | C] (RealNetworks, Inc.) -- C:\Windows\System32\rmoc3260.dll
[2010/11/25 08:45:13 | 000,006,656 | ---- | C] (RealNetworks, Inc.) -- C:\Windows\System32\pndx5016.dll
[2010/11/25 08:45:13 | 000,005,632 | ---- | C] (RealNetworks, Inc.) -- C:\Windows\System32\pndx5032.dll
[2010/11/25 08:45:12 | 000,272,896 | ---- | C] (Progressive Networks) -- C:\Windows\System32\pncrt.dll
[2010/11/24 06:31:57 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010/11/24 06:31:57 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010/11/24 06:31:57 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010/10/23 06:45:14 | 000,047,360 | ---- | C] (VSO Software) -- C:\Users\Joy\AppData\Roaming\pcouffin.sys

========== Files - Modified Within 30 Days ==========

[2010/12/19 06:48:17 | 000,001,102 | ---- | M] () -- C:\Users\Joy\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2010/12/19 06:44:00 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/12/19 06:36:22 | 000,013,440 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/12/19 06:36:22 | 000,013,440 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/12/19 06:28:48 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/12/19 06:28:36 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/12/19 06:28:32 | 1603,112,960 | -HS- | M] () -- C:\hiberfil.sys
[2010/12/16 07:24:46 | 000,492,536 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/12/14 05:07:57 | 000,002,489 | ---- | M] () -- C:\Users\Joy\Desktop\Attach.zip
[2010/12/13 20:09:39 | 000,002,503 | ---- | M] () -- C:\Users\Joy\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
[2010/12/13 20:09:38 | 000,002,479 | ---- | M] () -- C:\Users\Public\Desktop\Safari.lnk
[2010/12/13 20:05:11 | 000,001,826 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2010/12/03 21:57:23 | 000,028,160 | ---- | M] () -- C:\Users\Joy\Desktop\Help Me.doc
[2010/11/30 05:52:14 | 000,001,251 | ---- | M] () -- C:\Users\Joy\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/11/30 05:52:14 | 000,001,227 | ---- | M] () -- C:\Users\Joy\Desktop\Spybot - Search & Destroy.lnk
[2010/11/30 05:27:55 | 000,002,216 | ---- | M] () -- C:\Users\Public\Desktop\WinZip.lnk
[2010/11/30 04:48:42 | 000,000,860 | ---- | M] () -- C:\Users\Joy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/11/30 04:48:29 | 000,000,685 | ---- | M] () -- C:\Users\Joy\Application Data\Microsoft\Internet Explorer\Quick Launch\ERUNT.lnk
[2010/11/30 04:48:29 | 000,000,680 | ---- | M] () -- C:\Users\Joy\Desktop\NTREGOPT.lnk
[2010/11/30 04:48:29 | 000,000,661 | ---- | M] () -- C:\Users\Joy\Desktop\ERUNT.lnk
[2010/11/29 17:42:18 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/11/29 17:42:06 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/11/29 17:38:30 | 000,094,208 | ---- | M] (Apple Inc.) -- C:\Windows\System32\QuickTimeVR.qtx
[2010/11/29 17:38:30 | 000,069,632 | ---- | M] (Apple Inc.) -- C:\Windows\System32\QuickTime.qts
[2010/11/28 16:16:46 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2010/11/27 09:08:09 | 000,001,004 | ---- | M] () -- C:\Users\Joy\Desktop\WIDI 3.3 Pro.lnk
[2010/11/25 08:46:06 | 000,001,012 | ---- | M] () -- C:\Users\Public\Desktop\RealPlayer.lnk
[2010/11/25 08:45:37 | 000,199,904 | ---- | M] (RealNetworks, Inc.) -- C:\Windows\System32\rmoc3260.dll
[2010/11/25 08:45:13 | 000,006,656 | ---- | M] (RealNetworks, Inc.) -- C:\Windows\System32\pndx5016.dll
[2010/11/25 08:45:13 | 000,005,632 | ---- | M] (RealNetworks, Inc.) -- C:\Windows\System32\pndx5032.dll
[2010/11/25 08:45:12 | 000,272,896 | ---- | M] (Progressive Networks) -- C:\Windows\System32\pncrt.dll
[2010/11/23 08:21:31 | 000,627,288 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/11/23 08:21:31 | 000,107,346 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/11/20 10:53:49 | 000,025,600 | ---- | M] () -- C:\Users\Joy\Documents\ControlChartRules.xls

========== Files Created - No Company Name ==========

[2010/12/19 06:48:17 | 000,001,102 | ---- | C] () -- C:\Users\Joy\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2010/12/14 05:07:57 | 000,002,489 | ---- | C] () -- C:\Users\Joy\Desktop\Attach.zip
[2010/12/13 20:05:11 | 000,001,826 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2010/11/30 05:52:14 | 000,001,251 | ---- | C] () -- C:\Users\Joy\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/11/30 05:52:14 | 000,001,227 | ---- | C] () -- C:\Users\Joy\Desktop\Spybot - Search & Destroy.lnk
[2010/11/30 05:27:55 | 000,002,216 | ---- | C] () -- C:\Users\Public\Desktop\WinZip.lnk
[2010/11/30 04:48:42 | 000,000,860 | ---- | C] () -- C:\Users\Joy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/11/30 04:48:29 | 000,000,685 | ---- | C] () -- C:\Users\Joy\Application Data\Microsoft\Internet Explorer\Quick Launch\ERUNT.lnk
[2010/11/27 09:08:09 | 000,001,004 | ---- | C] () -- C:\Users\Joy\Desktop\WIDI 3.3 Pro.lnk
[2010/11/25 08:46:06 | 000,001,012 | ---- | C] () -- C:\Users\Public\Desktop\RealPlayer.lnk
[2010/10/23 06:45:59 | 000,000,034 | ---- | C] () -- C:\Users\Joy\AppData\Roaming\pcouffin.log
[2010/10/23 06:45:14 | 000,087,608 | ---- | C] () -- C:\Users\Joy\AppData\Roaming\inst.exe
[2010/10/23 06:45:14 | 000,007,887 | ---- | C] () -- C:\Users\Joy\AppData\Roaming\pcouffin.cat
[2010/10/23 06:45:14 | 000,001,144 | ---- | C] () -- C:\Users\Joy\AppData\Roaming\pcouffin.inf
[2009/07/13 18:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2008/01/15 03:31:00 | 000,000,530 | ---- | C] () -- C:\Windows\System32\tx14_ic.ini
[2007/04/27 08:43:58 | 000,120,200 | ---- | C] () -- C:\Windows\System32\DLLDEV32i.dll
[2002/06/06 01:01:58 | 000,029,696 | ---- | C] () -- C:\Windows\System32\asutl8.dll

========== LOP Check ==========

[2010/04/11 07:28:07 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Alawar Entertainment
[2010/05/23 10:59:57 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Amazon
[2010/09/25 20:33:19 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Anvil Studio
[2010/04/18 20:25:15 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Arkadium
[2010/01/24 16:17:26 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Articulate
[2010/05/22 10:19:25 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Artogon
[2010/04/19 03:51:44 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Big Fish Games
[2010/12/01 07:05:45 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Catalina Marketing Corp
[2010/01/11 06:38:36 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Citrix
[2010/09/06 04:43:10 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Crosswind PM Inc
[2010/10/20 03:37:00 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\DVDVideoSoft
[2010/06/13 11:30:40 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Farm Mania
[2010/05/08 08:10:35 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Flood Light Games
[2010/06/05 09:18:05 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Floodlight Games
[2010/12/19 07:18:04 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Free Download Manager
[2010/02/28 03:50:53 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Gaijin Ent
[2010/06/13 18:47:04 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\GetRightToGo
[2010/04/04 18:59:33 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\GOA
[2010/10/17 18:09:32 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Hardcore
[2010/01/17 10:26:58 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\ICAClient
[2010/06/10 04:15:41 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\iWin
[2010/05/24 05:31:25 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\JewelMatch2
[2010/11/07 17:34:12 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\MAGIX
[2010/03/27 17:44:08 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Merscom
[2010/11/27 09:08:42 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Music Recognition
[2010/04/02 04:36:06 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\MysteryStudio
[2010/10/16 18:49:23 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Oberon Media
[2010/10/16 18:50:00 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Oberonv1000
[2010/03/04 01:25:07 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Oberonv1002
[2010/03/27 11:50:16 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Princess Isabella
[2010/04/24 06:15:36 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Settlement. Colossus
[2010/04/25 06:56:34 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Silverback Productions
[2010/02/28 04:57:42 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Skunk Studios
[2010/12/16 07:21:25 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\SoftGrid Client
[2010/11/27 05:50:11 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\TP
[2010/11/06 18:29:03 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Vso
[2010/09/25 16:29:26 | 000,000,000 | ---D | M] -- C:\Users\Joy\AppData\Roaming\Z-Systems
[2010/12/15 04:30:20 | 000,032,622 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 655 bytes -> C:\Users\Joy\Documents\Important _ Billing Problem.eml:OECustomProperty
@Alternate Data Stream - 207 bytes -> C:\ProgramData\TEMP:1013B07C
@Alternate Data Stream - 206 bytes -> C:\ProgramData\TEMP:F8A67568
@Alternate Data Stream - 204 bytes -> C:\ProgramData\TEMP:B84EF836
@Alternate Data Stream - 198 bytes -> C:\ProgramData\TEMP:48529647
@Alternate Data Stream - 197 bytes -> C:\ProgramData\TEMP:373C6DC2
@Alternate Data Stream - 196 bytes -> C:\ProgramData\TEMP:C44E62F1
@Alternate Data Stream - 194 bytes -> C:\ProgramData\TEMP:EF4B1DA9
@Alternate Data Stream - 193 bytes -> C:\ProgramData\TEMP:1198CD34
@Alternate Data Stream - 189 bytes -> C:\ProgramData\TEMP:8C885EDD
@Alternate Data Stream - 189 bytes -> C:\ProgramData\TEMP:3965C4E8
@Alternate Data Stream - 186 bytes -> C:\ProgramData\TEMP:2A8A3140
@Alternate Data Stream - 185 bytes -> C:\ProgramData\TEMP:91CF76E3
@Alternate Data Stream - 182 bytes -> C:\ProgramData\TEMP:017D5143
@Alternate Data Stream - 181 bytes -> C:\ProgramData\TEMP:7E4695C4
@Alternate Data Stream - 179 bytes -> C:\ProgramData\TEMP:B623B5B8
@Alternate Data Stream - 152 bytes -> C:\ProgramData\TEMP:AE8D8202
@Alternate Data Stream - 151 bytes -> C:\ProgramData\TEMP:8F7ECF6A
@Alternate Data Stream - 145 bytes -> C:\ProgramData\TEMP:1AB9C966
@Alternate Data Stream - 144 bytes -> C:\ProgramData\TEMP:C8E9D804
@Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:CDF47D67
@Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:3867977D
@Alternate Data Stream - 139 bytes -> C:\ProgramData\TEMP:E8C4808B
@Alternate Data Stream - 139 bytes -> C:\ProgramData\TEMP:1BC99E01
@Alternate Data Stream - 138 bytes -> C:\ProgramData\TEMP:E35A81F4
@Alternate Data Stream - 137 bytes -> C:\ProgramData\TEMP:940C4202
@Alternate Data Stream - 137 bytes -> C:\ProgramData\TEMP:3FBB88CF
@Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:41B89F80
@Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:D8EA2847
@Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:D0F51BEA
@Alternate Data Stream - 131 bytes -> C:\ProgramData\TEMP:E60C72DB
@Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:81B52FA6
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:E1069F99
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:DB0CD29E
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:8DCF53BE
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:252E6179
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:029E021F
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:C18032C3
@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:2B9724CF

< End of report >

joykins
2010-12-19, 14:28
Hi Ken,

An OTL Extras.txt file was not generated with this run. The only Extras.txt file is from the first run on 12/13 and is still attached to the original post.

Did I do something wrong?

Thanks,
Joy

ken545
2010-12-19, 15:25
Ahhhh, we're finally on the same page

Thats fine, not to worry about the extras right now.

I am not looking at anything malicious on your log. Let me ask you, what are you experiencing to make you think your infected ? Are you getting any browser redirects or unwanted popup windows ?

Run this free online virus scanner and post the log please.

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

joykins
2010-12-19, 18:02
Hi Ken,

The reason that I thought I was infected was that my anti-virus program (Avast) detected a Threat ("Win32:adware-gen") and when I told Avast to delete it, it said that it could not locate it. When I rescanned, the threat was still there.

I was not getting any re-directs. There was a poppup for McAlfee Anti-virus software (which I had never installed on my computer). A couple of strange things were occuring:

1. My browser window (firefox) would no longer close when I would click the X in the right upper corner. I would have to ctrl alt del to close the browser window.
2. Even though I was using Avast anti-virus software, suddenly another anti-virus software program was popping up on my screen (McAlfee, I think). I had never downloaded or used McAlfee (that I recall), so I have no idea where it came from and I thought it was strange that it showed up rather uninvited. I suspected that it wasn't really McAlfee and was just one of those fake screens that shows up when you've been hit by a virus.
3. Since all of the above started happening, my computer freezes up completely and won't respond to my keyboard or mouse, in which case I have to manually reset (pressing and holding the power button) until the computer shuts off. When I restart it, I get an error message that says something about the fan failing, press F2 to continue. Everything seems to run pretty well once it reboots and I can actually hear the fan running, so I don't think it's a problem. I tried unplugging the computer and plugging it in again (someone's recommendation I read on some forum website). That seemed to help, but then the message returned later.

Other than the my browser freezing up and failing to respond as I would like for it to, everything else seems pretty normal.

I will attach the results of the ESET scan shortly.

Thanks again,
Joy

joykins
2010-12-19, 20:16
the good news (I think). . . ESET is finding "threats"

So far, 2 threats have been identified - "Win32/Adware.ADON application" and it says, "probably a variant of Win32/TrojanDropper.agent.NGCANKT trojan"

The first threat said something similar.

The bad news . . . my thread will probably be archived again before the scan finishes running :D:

It is taking a while!

Joy

ken545
2010-12-19, 20:39
Don't worry, I am still with you

joykins
2010-12-19, 22:20
I've included the results of the ESET scan below:

C:\Downloads\Software\1clickdvdcopyprosetup4.2.3.2.exe probably a variant of Win32/TrojanDropper.Agent.NGCANKT trojan
C:\Windows.old\Documents and Settings\HP_Administrator\Application Data\Desktopicon\eBayShortcuts.exe Win32/Adware.ADON application


That certainly took a long time!

Joy

ken545
2010-12-19, 22:43
I have run this on my own system and it took around 40 minutes but I have had users post and said it took a long time, depends on the size of your drive and how full it is.

How are things running now ?

joykins
2010-12-20, 00:20
Well, the browser window is still locking up and won't close without using ctrl alt del.

But, I'm a little confused. I had unchecked the box to remove the infected files in the online ESET scan, so I haven't done anything to remove the infected files, only scanned to identify that they are there.

Did I miss a step?

Thanks,
Joy

ken545
2010-12-20, 01:25
Well,

This one looks like it was downloaded illegally
It appears to have been downloaded from a site that offers Cracked/ Keygens , all illegal.
C:\Downloads\Software\1clickdvdcopyprosetup4.2.3.2.exe


This one is bad and needs to go.
C:\Windows.old\Documents and Settings\HP_Administrator\Application Data\Desktopicon\eBayShortcuts.exe





Run OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL



:OTL
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


:Services

:Reg

:Files
C:\Downloads\Software\1clickdvdcopyprosetup4.2.3.2.exe
C:\Windows.old\Documents and Settings\HP_Administrator\Application Data\Desktopicon\eBayShortcuts.exe


:Commands
[purity]
[emptytemp]
[RESETHOSTS]
[start explorer]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot when it is done
Then post the results of the log

joykins
2010-12-20, 02:48
Sorry for the delay . . . had to do battle with my teenager and then my spouse! I have no idea what Cracked/Keygens is referring to, but both my child and my husband seemed to understand what you are talking about. I'll leave the rest to your imagination!!

The log of the OTL.exe is pasted below. I will play around and see how things are going now.

Thanks,
Joy

Here's the results of the OTL.exe log:

All processes killed
========== OTL ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Downloads\Software\1clickdvdcopyprosetup4.2.3.2.exe moved successfully.
C:\Windows.old\Documents and Settings\HP_Administrator\Application Data\Desktopicon\eBayShortcuts.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Joy
->Temp folder emptied: 7137437 bytes
->Temporary Internet Files folder emptied: 114450551 bytes
->Java cache emptied: 19675002 bytes
->FireFox cache emptied: 60328723 bytes
->Flash cache emptied: 66181 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 100647285 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 288.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.17.3 log created on 12192010_193702

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

joykins
2010-12-20, 03:26
My browser still freezes up requiring Ctrl Alt Del to close. Do you think maybe it has nothing to do with a virus?

Everything else seems to be working fine.

Thanks again for your help. Is there any way that I can compensate you for your time and effort?

Joy

ken545
2010-12-20, 03:35
Bump to next thread

ken545
2010-12-20, 03:37
Joy,

There are sites on the internet that you can get all sorts of free software, like Microsoft office, Adobe Photoshop, anti virus software, even windows and many more, there altered to allow bypassing the product key, the only catch is that almost 100% of them include malicious code. So by downloading them not only are you infecting your computer but your installing illegal software.

Ok, those two baddies are gone.

Try this, it will set Internet Explorer back to factory defaults.

Open Internet Explorer and go to Tools> Internet Options > Advanced Tab> Reset Internet Explorer Setting > Reset.......takes a few seconds...when its done, ok your way out, close IE and then reopen it and see if it helped

joykins
2010-12-20, 04:07
I reset the browser settings for internet explorer AND firefox. Internet explorer is working fine. Firefox is still locking up. Firefox is the browser I usually use. Seems like someone suggested it to me because it supposedly has less issues than internet explorer - maybe not. Computers can be such aggravating machines!

Thanks,
Joy

ken545
2010-12-20, 10:50
Good Morning Joy,

Firefox is the browser I use all the time, its a bit more secure than IE.

You can open Firefox and go to Tools > Add Ons > Plugins and disable each plug in one at a time until you feel you browser is working ok

joykins
2010-12-20, 12:02
Thanks Ken,

Wow! Who knew there were so many add ons . . . 26 all together!

I'll play around and see if it has any affect.

I think I'm good for now. Thanks again for all your help. I stopped by your homepage.

Merry Christmas!

Joy

ken545
2010-12-20, 14:12
Wow! Who knew there were so many add ons . . . 26 all together!
Thats a lot, one or more of them is causing you problems. If you can attach a screenshot of them do so and let me look at them

Glad you liked my site, thank you for the donation :)

joykins
2010-12-21, 11:30
Your welcome . . . just a little appreciation for your time and expertise!

I've attached a screenshot of the add ons.

Thank you - again.

Joy

ken545
2010-12-21, 13:48
Joy,

You can click on the ones you want and select disable, you can always re enable the ones you want . You have a ton of them, no wonder your browser is giving you problems, i looked in mine and I have 4

These are the ones I would get rid of

Coupon Network
Coupons
Downloader Update
All of Real Player

Disable them and close out firefox and then restart it and see if it makes a difference.

joykins
2010-12-21, 13:55
I disabled those you suggested and we'll see. It is sort of an intermittent problem in that it doesn't seem to happen every time I launch the browser, so I'll leave them disabled for a while and see what happens.

Thanks so much,
Joy

ken545
2010-12-21, 13:59
Joy,

You can also post here directly in the Firefox forum, these are the people that built the browser and can offer more information than I can.

http://forums.mozillazine.org/viewforum.php?f=38

Let me know how it went.

If I don't hear back from you in the next few days, a Merry Christmas to you and your family