My giftload.click problem woops



cycleex
2011-03-30, 23:46
Hello- I seem to have gotten this terrible infection yesterday. I think I picked it up from a Google image result page when I visited a wallpapers page but didn't download anything intentionally. I saw a pop-up and tried to click No but I think I clicked the wrong button when going too quickly. I aborted the install process I thought, but not fast enough.

I have a C drive with opsys and regular files but I also use 2 other internal drives in RAID1

Windows Vista Business SP1
I use only firefox for browsing- no IE
I used IOLO System mechanic pro 10 on startup with all features enabled.
I have SpybotSD
I have Spyware doctor.

I checked the FAQs and downloaded Erunt and DDS
Erunt seems to have made a backup OK but after trying to run DDS, the txt I see is just full of garbled characters.

I have my laptop running also but they do not share drives and I have not used a thumbdrive at all this week.

Any help is appreciated.

Here is my Spybot log file from my last run an hour ago.
I am on Eastern time US

--- Search result list ---
Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---




--- System information ---
Windows Vista (Build: 6001) Service Pack 1 (6.0.6001)


--- Startup entries list ---
Located: HK_LM:Run, Conime
command: %windir%\system32\conime.exe
file: C:\Windows\system32\conime.exe
size: 69120
MD5: F96EBC5A624349D81DCC7600A3C5DC43

Located: HK_LM:Run, Corel File Shell Monitor
command: C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
file: C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
size: 16712
MD5: B4A8BA5ABF4BDBE0171ED23F7535654A

Located: HK_LM:Run, EKIJ5000StatusMonitor
command: C:\Windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
file: C:\Windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
size: 1638400
MD5: A3CF6E5E3AF52AEC92551A6D4F011C3D

Located: HK_LM:Run, HDAudDeck
command: C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe -r
file: C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
size: 15519744
MD5: 01BE90D0E016D674D1DD4A26387EDECE

Located: HK_LM:Run, iolo Startup
command: "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
file: C:\Program Files\iolo\Common\Lib\ioloLManager.exe
size: 434360
MD5: 48536B1B118F6AFD39DB547947AE83AD

Located: HK_LM:Run, ISTray
command: "C:\Program Files\PC Tools Security\pctsGui.exe" /hideGUI
file: C:\Program Files\PC Tools Security\pctsGui.exe
size: 1589208
MD5: 79F731182BB91E6BEE76803BF968C4AA

Located: HK_LM:Run, iTunesHelper
command: "C:\Program Files\iTunes\iTunesHelper.exe"
file: C:\Program Files\iTunes\iTunesHelper.exe
size: 421160
MD5: 2DFCB2393528446AEB9FB861A8FC39AB

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
file: C:\Windows\system32\NvCpl.dll
size: 13535776
MD5: 7522597DD61F651A95A471D798E08304

Located: HK_LM:Run, Windows Defender
command: %ProgramFiles%\Windows Defender\MSASCui.exe -hide
file: C:\Program Files\Windows Defender\MSASCui.exe
size: 1008184
MD5: 0D392EDE3B97E0B3131B2F63EF1DB94E

Located: HK_CU:Run, Irocamodetak
where: S-1-5-21-522819725-4015885625-1306769688-1000...
command: rundll32.exe "C:\Users\1\AppData\Local\mscluay.dll",Startup
file: "C:\Users\1\AppData\Local\mscluay.dll"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{D4027C7F-154A-4066-A1AD-4243D8127440} (Ask Toolbar BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: Ask Toolbar BHO
CLSID name:

{DBC80044-A445-435b-BC74-9C25C1C588A9} (Java(tm) Plug-In 2 SSV Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Java(tm) Plug-In 2 SSV Helper
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2ssv.dll
Short name:
Date (created): 9/15/2010 7:20:48 AM
Date (last access): 11/19/2010 1:16:04 PM
Date (last write): 9/15/2010 7:20:48 AM
Filesize: 41760
Attributes: archive
MD5: 3F59EDE1444C14CFBAA15C7EBBFE6196
CRC32: 847C94E6
Version: 6.0.220.4



--- ActiveX list ---
{483EB14D-AF1C-4951-81B0-4E2B41829FF6} ()
DPF name:
CLSID name:
Installer:
Codebase: https://www.select2perform.com/cabs/QOLCheck.ocx

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_22
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2iexp.dll
Short name:
Date (created): 11/18/2010 4:16:58 PM
Date (last access): 9/15/2074 5:52:30 AM
Date (last write): 9/15/2010 5:50:40 AM
Filesize: 108320
Attributes: archive
MD5: 6A25F175BC9D7709ABEA66086489121D
CRC32: 3BFA8F9A
Version: 6.0.220.4

{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_05
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_05.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2iexp.dll
Short name:
Date (created): 11/18/2010 4:16:58 PM
Date (last access): 9/15/2074 5:52:30 AM
Date (last write): 9/15/2010 5:50:40 AM
Filesize: 108320
Attributes: archive
MD5: 6A25F175BC9D7709ABEA66086489121D
CRC32: 3BFA8F9A
Version: 6.0.220.4

{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_22
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2iexp.dll
Short name:
Date (created): 11/18/2010 4:16:58 PM
Date (last access): 9/15/2074 5:52:30 AM
Date (last write): 9/15/2010 5:50:40 AM
Filesize: 108320
Attributes: archive
MD5: 6A25F175BC9D7709ABEA66086489121D
CRC32: 3BFA8F9A
Version: 6.0.220.4

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_22
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_22.dll
Short name: NPJPI1~1.DLL
Date (created): 9/15/2010 3:29:52 AM
Date (last access): 9/15/2074 5:52:42 AM
Date (last write): 9/15/2010 5:50:46 AM
Filesize: 141088
Attributes: archive
MD5: AFB7EFCDE5277F6514EF0E9FF8D8D862
CRC32: 2A43B8CC
Version: 6.0.220.4



--- Process list ---


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 3/30/2011 4:22:06 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\Windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\Windows\System32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896


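
Added example (mine, not code from the thread or from Spybot): a Python parser for the "Startup entries list" section of a Spybot log like the one above, flagging the two things that stand out in the Irocamodetak entry: rundll32 loading a DLL from the user's AppData, and a file Spybot could only read as 0 bytes (D41D8CD98F00B204E9800998ECF8427E is the MD5 of empty input, so that hash says nothing about the file). The sample log is constructed from the entries above.

```python
import hashlib
import re

# Constructed sample in the format of Spybot's "Startup entries list":
# one benign entry and the Irocamodetak entry from the log above.
SAMPLE_LOG = """\
--- Startup entries list ---
Located: HK_LM:Run, Windows Defender
command: %ProgramFiles%\\Windows Defender\\MSASCui.exe -hide
file: C:\\Program Files\\Windows Defender\\MSASCui.exe
size: 1008184
MD5: 0D392EDE3B97E0B3131B2F63EF1DB94E

Located: HK_CU:Run, Irocamodetak
where: S-1-5-21-522819725-4015885625-1306769688-1000...
command: rundll32.exe "C:\\Users\\1\\AppData\\Local\\mscluay.dll",Startup
file: "C:\\Users\\1\\AppData\\Local\\mscluay.dll"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
"""

# MD5 of zero bytes: Spybot reports it when it could not read the file at all.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()

# rundll32 launching a DLL that lives under a user's AppData directory
USER_PROFILE_DLL = re.compile(
    r'rundll32(?:\.exe)?\s+"?[A-Za-z]:\\Users\\[^\\]+\\AppData\\[^"]*?\.dll"?,',
    re.IGNORECASE,
)


def parse_startup_entries(text):
    """Split the section into one dict per 'Located:' block (keys lower-cased)."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Located:"):
            current = {"located": line.split(":", 1)[1].strip()}
            entries.append(current)
        elif current is not None and ":" in line and not line.startswith("Warning"):
            key, value = line.split(":", 1)
            current[key.strip().lower()] = value.strip()
    return entries


def flag_entry(entry):
    """Return the reasons an entry deserves a closer look (empty list = nothing seen)."""
    reasons = []
    if USER_PROFILE_DLL.search(entry.get("command", "")):
        reasons.append("rundll32 loads a DLL from a user profile directory")
    if entry.get("size") == "0" or entry.get("md5", "").upper() == EMPTY_MD5:
        reasons.append("file read as 0 bytes (MD5 of empty input): hidden, locked or already gone")
    if reasons and entry["located"].startswith("HK_CU:Run"):
        reasons.append("per-user Run key: re-launched at every logon of this account")
    return reasons


def review(text):
    """Map each 'Located' name to its list of reasons."""
    return {e["located"]: flag_entry(e) for e in parse_startup_entries(text)}


if __name__ == "__main__":
    for name, reasons in review(SAMPLE_LOG).items():
        print(("SUSPECT " if reasons else "ok      ") + name)
        for reason in reasons:
            print("          - " + reason)
```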

ken545
2011-03-31, 02:23


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.



Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected but will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.





Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please







OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

cycleex
2011-03-31, 03:28
Hi Ken! Thanks for helping.
I ran ATF cleaner like you asked.

I ran Malwarebytes after that. Here is the results log from that scan...
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6221

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19019

3/30/2011 9:12:13 PM
mbam-log-2011-03-30 (21-12-13).txt

Scan type: Quick scan
Objects scanned: 141146
Time elapsed: 5 minute(s), 35 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
c:\Windows\System32\config\systemprofile\AppData\Local\eba.exe (Trojan.Agent) -> 2088 -> Unloaded process successfully.
c:\Windows\System32\config\systemprofile\AppData\Local\eba.exe (Trojan.Agent) -> 4116 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Irocamodetak (Trojan.Hiloti.Gen) -> Value: Irocamodetak -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\config\systemprofile\AppData\Local\eba.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\1\AppData\Local\mscluay.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\Users\1\local settings\application data\mscluay.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.


I am going to run OTL now since you asked that I post this log result and then mentioned the OTL scan in your instructions.
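
Added example, not part of the thread or of Malwarebytes: a Python check over the three Broken.OpenCommand lines in the log above. It separates the exefile repair (the default `"%1" %*` kept but wrapped behind eba.exe, so every .exe launch went through the trojan first) from the scrfile and regfile repairs (the default handler replaced outright with Notepad, which among other things stops a .reg fix from merging). The sample lines are copied from the log; `read_live_open_command` assumes Python's `winreg` module and works on Windows only.

```python
import re

# Default shell\open\command values, as listed in the "Good:" field of the log above.
EXPECTED_OPEN_COMMAND = {
    "exefile": '"%1" %*',
    "scrfile": '"%1" /S',
    "regfile": 'regedit.exe "%1"',
}

# Sample lines copied from the "Registry Data Items Infected" section of the log.
SAMPLE_LINES = [
    r'HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> '
    r'Bad: ("C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*) '
    r'Good: ("%1" %*) -> Quarantined and deleted successfully.',
    r'HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> '
    r'Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.',
    r'HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> '
    r'Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.',
]

# One MBAM "Registry Data Items Infected" line for a shell\open\command default value.
MBAM_LINE = re.compile(
    r"^HKEY_CLASSES_ROOT\\(?P<progid>\w+)\\shell\\open\\command\\\(default\) "
    r"\((?P<detection>[\w.]+)\) -> Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.*)$"
)


def parse_open_command_line(line):
    """Pull progid, detection name, Bad/Good values and action out of one MBAM line."""
    m = MBAM_LINE.match(line.strip())
    return m.groupdict() if m else None


def classify_open_command(progid, value):
    """Compare one shell\\open\\command value with the default for that file type.

    "ok":       value is the default
    "hijacked": default still present at the end, another program inserted in front
                (every file of that type is launched through the inserted program)
    "broken":   default replaced outright; files of that type no longer run or merge
    "unknown":  no default known for this progid
    """
    expected = EXPECTED_OPEN_COMMAND.get(progid)
    if expected is None:
        return "unknown"
    value = value.strip()
    if value == expected:
        return "ok"
    if value.endswith(expected):
        return "hijacked"
    return "broken"


def audit_mbam_lines(lines):
    """progid -> classification of the 'Bad' value for each Broken.OpenCommand line."""
    results = {}
    for line in lines:
        rec = parse_open_command_line(line)
        if rec and rec["detection"] == "Broken.OpenCommand":
            results[rec["progid"]] = classify_open_command(rec["progid"], rec["bad"])
    return results


def read_live_open_command(progid):
    """Current value from the live registry (Windows only); None where winreg is absent."""
    try:
        import winreg  # assumption: standard-library module, present only on Windows
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, progid + r"\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value


if __name__ == "__main__":
    for progid, verdict in audit_mbam_lines(SAMPLE_LINES).items():
        print(f"{progid:8} {verdict}")
    for progid in EXPECTED_OPEN_COMMAND:
        live = read_live_open_command(progid)
        if live is not None:
            print(f"live {progid}: {classify_open_command(progid, live)}")
```

After a cleanup on the affected machine, the live branch should report "ok" for all three file types; anything else means the handler is still tampered with.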

cycleex
2011-03-31, 03:41
Hi Ken, here is my OTL log...standing by.

OTL logfile created on: 3/30/2011 9:28:53 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\1\Desktop
Windows Vista Business Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 49.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 49.44 Gb Free Space | 33.17% Space Free | Partition Type: NTFS
Drive J: | 464.84 Gb Total Space | 283.30 Gb Free Space | 60.95% Space Free | Partition Type: NTFS

Computer Name: DAVESBIGMACHINE | User Name: 1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\1\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe ()
PRC - C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (iolo technologies, LLC)
PRC - C:\Program Files\PC Tools Security\pctsGui.exe (PC Tools)
PRC - C:\Program Files\PC Tools Security\pctsSvc.exe (PC Tools)
PRC - C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company)
PRC - C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
PRC - C:\Program Files\PC Tools Security\pctsAuxs.exe (PC Tools)
PRC - C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe (Authentium, Inc)
PRC - C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe (Authentium, Inc)
PRC - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe ()
PRC - C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe (VIA)
PRC - C:\Windows\System32\audiodg.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)


========== Modules (SafeList) ==========

MOD - C:\Users\1\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18523_none_5cdd65e20837faf2\comctl32.dll (Microsoft Corporation)
MOD - C:\Program Files\PC Tools Security\PCTGMhk.dll (PC Tools)


========== Win32 Services (SafeList) ==========

SRV - (ioloSystemService) -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (iolo technologies, LLC)
SRV - (ioloFileInfoList) -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (iolo technologies, LLC)
SRV - (sdCoreService) -- C:\Program Files\PC Tools Security\pctsSvc.exe (PC Tools)
SRV - (Kodak AiO Network Discovery Service) -- C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company)
SRV - (sdAuxService) -- C:\Program Files\PC Tools Security\pctsAuxs.exe (PC Tools)
SRV - (vseqrts) -- C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe (Authentium, Inc)
SRV - (vsedsps) -- C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe (Authentium, Inc)
SRV - (vseamps) -- C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe (Authentium, Inc)
SRV - (SBSDWSCService) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
SRV - (PSI_SVC_2) -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)


========== Driver Services (SafeList) ==========

DRV - (PCTCore) -- C:\Windows\system32\drivers\PCTCore.sys (PC Tools)
DRV - (pctEFA) -- C:\Windows\system32\drivers\pctEFA.sys (PC Tools)
DRV - (pctDS) -- C:\Windows\system32\drivers\pctDS.sys (PC Tools)
DRV - (FileDisk) -- C:\Windows\System32\drivers\filedisk.sys (iolo technologies, LLC (based on original work by Bo Brantén))
DRV - (AMP) -- C:\Windows\System32\drivers\amp.sys (Authentium, Inc)
DRV - (AMPSE) -- C:\Windows\System32\drivers\ampse.sys (Authentium, Inc)
DRV - (ElRawDisk) -- C:\Windows\System32\drivers\ElRawDsk.sys (EldoS Corporation)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (VIAHdAudAddService) -- C:\Windows\System32\drivers\viahduaa.sys (VIA Technologies, Inc.)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation )
DRV - (AtiPcie) ATI PCI Express (3GIO) -- C:\Windows\system32\DRIVERS\AtiPcie.sys (ATI Technologies Inc.)
DRV - (nsiproxy) -- C:\Windows\System32\drivers\nsiproxy.sys ()
DRV - (SiFilter) -- C:\Windows\system32\DRIVERS\SiWinAcc.sys (Silicon Image, Inc)
DRV - (SI3114r) -- C:\Windows\system32\DRIVERS\SI3114r.sys (Silicon Image, Inc)
DRV - (MTsensor) -- C:\Windows\System32\drivers\ASACPI.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 6C EB 20 59 84 C8 CB 01 [binary data]
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: calendar-timezones@mozilla.org:0.1.2008d
FF - prefs.js..extensions.enabledItems: default-palette@celtx.com:1.0
FF - prefs.js..extensions.enabledItems: emoticons-msn-smileys@m513901.de:0.1
FF - prefs.js..extensions.enabledItems: inspector@mozilla.org:2.0.0
FF - prefs.js..extensions.enabledItems: messagestyle-blackened@addons.instantbird.org:0.9
FF - prefs.js..extensions.enabledItems: messagestyle-depth@addons.instantbird.org:1.1
FF - prefs.js..extensions.enabledItems: messagestyle-minimal20@addons.instantbird.org:1.5

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/23 23:09:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/23 23:09:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.7\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/02/18 16:17:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.7\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2011/03/07 23:04:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Extensions
[2011/02/18 16:18:10 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/03/07 23:04:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Extensions\celtx@celtx.com
[2011/03/30 14:00:06 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions
[2010/11/18 00:14:03 | 000,000,000 | ---D | M] (Map This) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{05f6a7ea-896b-11da-8bde-f66bad1e3f3a}
[2010/11/21 01:04:13 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/01/08 00:10:40 | 000,000,000 | ---D | M] (New Tab Homepage) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
[2011/02/09 14:38:50 | 000,000,000 | ---D | M] ("Gmail Checker") -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{6BFD307A-C040-11DA-9749-FB1C850B47DF}
[2011/03/29 19:19:21 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/03/12 14:20:17 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2010/11/18 00:16:51 | 000,000,000 | ---D | M] (Zoom toolbar) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{FBFB7597-9E32-46b4-A500-8B6B0412777F}
[2011/03/29 19:19:41 | 000,000,000 | ---D | M] ("Xmarks") -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\foxmarks@kei.com
[2011/03/25 16:19:58 | 000,000,000 | ---D | M] (Cooliris) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\piclens@cooliris.com
[2011/03/25 16:19:58 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\piclens@cooliris.com-trash
[2011/01/26 13:54:53 | 000,000,000 | ---D | M] (printpdf) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\printpdf@pavlov.net
[2011/03/22 09:59:34 | 000,000,000 | ---D | M] (Screen Capture Elite) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\screencaptureelite@plugin
[2011/02/09 14:38:55 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/18 16:17:30 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/11/19 13:17:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/03/07 23:04:02 | 000,000,000 | ---D | M] (Timezone Definitions for Mozilla Calendar) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\CALENDAR-TIMEZONES@MOZILLA.ORG
[2011/03/07 23:04:02 | 000,000,000 | ---D | M] (Default Shot Palette) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\DEFAULT-PALETTE@CELTX.COM
[2011/03/07 23:04:02 | 000,000,000 | ---D | M] (MSN-Smileys) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\EMOTICONS-MSN-SMILEYS@M513901.DE
[2011/03/07 23:04:01 | 000,000,000 | ---D | M] (DOM Inspector) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\INSPECTOR@MOZILLA.ORG
[2011/03/07 23:04:01 | 000,000,000 | ---D | M] (Blackened) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-BLACKENED@ADDONS.INSTANTBIRD.ORG
[2011/03/07 23:04:01 | 000,000,000 | ---D | M] (Depth) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-DEPTH@ADDONS.INSTANTBIRD.ORG
[2011/03/07 23:04:01 | 000,000,000 | ---D | M] (Minimal) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-MINIMAL20@ADDONS.INSTANTBIRD.ORG
[2010/09/15 05:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/03/29 23:30:54 | 000,431,419 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 14852 more lines...
O2 - BHO: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [Conime] C:\Windows\System32\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe ()
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe (VIA)
O4 - HKLM..\Run: [iolo Startup] C:\Program Files\iolo\Common\Lib\ioloLManager.exe (iolo technologies, LLC)
O4 - HKLM..\Run: [ISTray] C:\Program Files\PC Tools Security\pctsGui.exe (PC Tools)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Windows\System32\iavlsp.dll (iolo technologies, LLC)
O13 - gopher Prefix: missing
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} https://www.select2perform.com/cabs/QOLCheck.ocx (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab (Java Plug-in 1.5.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.73.246 68.87.71.230
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O35 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/30 21:04:30 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Roaming\Malwarebytes
[2011/03/30 21:04:25 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/03/30 21:04:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/03/30 21:04:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/03/30 21:04:19 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/03/30 21:04:18 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/03/30 20:54:51 | 000,000,000 | ---D | C] -- C:\Users\1\Desktop\insightdesk
[2011/03/30 20:47:44 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\1\Desktop\OTL.exe
[2011/03/30 20:45:24 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Users\1\Desktop\ATF-Cleaner.exe
[2011/03/30 15:55:47 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/03/30 15:18:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2011/03/30 15:18:47 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/03/30 07:22:44 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2011/03/29 23:04:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2011/03/29 23:04:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2011/03/29 23:04:09 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/03/29 20:34:56 | 000,656,320 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctEFA.sys
[2011/03/29 20:34:56 | 000,338,880 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctDS.sys
[2011/03/29 20:34:55 | 000,251,560 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctgntdi.sys
[2011/03/29 20:34:55 | 000,103,232 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctwfpfilter.sys
[2011/03/29 20:34:52 | 000,239,168 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTCore.sys
[2011/03/29 20:34:52 | 000,160,448 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTAppEvent.sys
[2011/03/29 20:34:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Tools Security
[2011/03/29 20:34:43 | 000,070,536 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctplsg.sys
[2011/03/29 20:34:30 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools Security
[2011/03/29 20:34:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2011/03/29 20:15:36 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Roaming\A73E968968A3CE87240B6191056A7C13
[2011/03/16 18:26:56 | 000,056,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\offreg.dll
[2011/03/09 10:06:14 | 000,429,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll
[2011/03/09 10:06:14 | 000,323,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sbe.dll
[2011/03/09 10:06:13 | 000,177,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax
[2011/03/09 10:06:13 | 000,153,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sbeio.dll
[2011/03/08 16:09:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics
[2011/03/08 16:09:42 | 000,000,000 | ---D | C] -- C:\Program Files\Auslogics
[2011/03/08 16:07:46 | 004,537,088 | ---- | C] (Auslogics Software Pty Ltd ) -- C:\Users\1\Desktop\duplicate-file-finder-setup.exe
[2011/03/07 23:04:22 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Roaming\Greyfirst
[2011/03/07 23:04:22 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Local\Greyfirst
[2011/03/07 23:04:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Celtx
[2011/03/07 23:03:56 | 000,000,000 | ---D | C] -- C:\Program Files\Celtx
[2011/03/02 17:53:48 | 000,000,000 | ---D | C] -- C:\ProgramData\eMule
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/30 21:21:14 | 000,595,446 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/03/30 21:21:14 | 000,101,144 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/03/30 21:16:48 | 000,000,448 | ---- | M] () -- C:\Windows\System32\iolo.ini
[2011/03/30 21:16:27 | 000,000,872 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/30 21:16:20 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/03/30 21:16:20 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/03/30 21:16:12 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/03/30 21:15:59 | 2144,493,568 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/30 21:12:04 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/30 21:04:47 | 000,009,946 | -HS- | M] () -- C:\Users\1\AppData\Local\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 21:04:25 | 000,000,938 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/30 20:53:29 | 000,009,954 | -HS- | M] () -- C:\ProgramData\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 20:47:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\1\Desktop\OTL.exe
[2011/03/30 20:45:25 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Users\1\Desktop\ATF-Cleaner.exe
[2011/03/30 20:43:36 | 000,001,356 | ---- | M] () -- C:\Users\1\AppData\Local\d3d9caps.dat
[2011/03/30 17:28:04 | 000,000,848 | -HS- | M] () -- C:\ProgramData\KGyGaAvL.sys
[2011/03/30 15:55:32 | 000,000,746 | ---- | M] () -- C:\Users\1\Desktop\ERUNT.lnk
[2011/03/30 15:23:08 | 000,625,664 | ---- | M] () -- C:\Users\1\Desktop\dds.scr
[2011/03/29 23:30:54 | 000,431,419 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/03/29 23:29:36 | 000,431,419 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20110329-233054.backup
[2011/03/29 20:35:15 | 001,772,938 | ---- | M] () -- C:\Windows\System32\drivers\Cat.DB
[2011/03/25 18:05:16 | 000,002,121 | ---- | M] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Earth.lnk
[2011/03/15 15:24:20 | 000,087,688 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\IncContxMenu.dll
[2011/03/15 15:23:32 | 000,011,776 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\smrgdf.exe
[2011/03/15 15:23:26 | 000,029,696 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\iolobtdfg.exe
[2011/03/15 15:21:16 | 002,234,552 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\Incinerator.dll
[2011/03/15 12:10:27 | 002,503,745 | ---- | M] () -- C:\Users\1\Desktop\Amy Ernst greatest person of the day Huffington.jpeg
[2011/03/08 16:07:49 | 004,537,088 | ---- | M] (Auslogics Software Pty Ltd ) -- C:\Users\1\Desktop\duplicate-file-finder-setup.exe
[2011/03/07 23:04:10 | 000,001,670 | ---- | M] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Celtx.lnk
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/30 21:16:48 | 000,000,448 | ---- | C] () -- C:\Windows\System32\iolo.ini
[2011/03/30 21:04:25 | 000,000,938 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/30 20:50:06 | 2144,493,568 | -HS- | C] () -- C:\hiberfil.sys
[2011/03/30 20:43:09 | 000,009,946 | -HS- | C] () -- C:\Users\1\AppData\Local\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 16:33:41 | 000,009,954 | -HS- | C] () -- C:\ProgramData\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 15:55:32 | 000,000,746 | ---- | C] () -- C:\Users\1\Desktop\ERUNT.lnk
[2011/03/30 15:23:04 | 000,625,664 | ---- | C] () -- C:\Users\1\Desktop\dds.scr
[2011/03/25 18:05:16 | 000,002,121 | ---- | C] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Earth.lnk
[2011/03/15 12:10:25 | 002,503,745 | ---- | C] () -- C:\Users\1\Desktop\Amy Ernst greatest person of the day Huffington.jpeg
[2011/03/07 23:04:10 | 000,001,670 | ---- | C] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Celtx.lnk
[2011/02/09 17:18:52 | 000,000,418 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/02/09 14:16:25 | 000,000,094 | ---- | C] () -- C:\Windows\awshkwv.ini
[2011/02/04 20:33:09 | 000,000,010 | ---- | C] () -- C:\Windows\Wininit.ini
[2010/12/17 20:24:26 | 000,009,216 | ---- | C] () -- C:\Users\1\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/21 00:45:52 | 000,176,235 | ---- | C] () -- C:\Windows\System32\Primomonnt.dll
[2010/11/18 18:07:41 | 000,373,248 | ---- | C] () -- C:\Windows\EyeCand3.INI
[2010/11/18 17:35:19 | 000,000,848 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
[2010/11/17 23:54:02 | 000,074,703 | ---- | C] () -- C:\Windows\System32\mfc45.dll
[2010/11/17 22:13:09 | 000,007,680 | ---- | C] () -- C:\Windows\System32\drivers\ASACPI.sys
[2010/11/17 22:13:01 | 000,030,434 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
[2010/11/17 22:09:26 | 000,001,356 | ---- | C] () -- C:\Users\1\AppData\Local\d3d9caps.dat
[2009/12/20 21:42:18 | 000,000,314 | ---- | C] () -- C:\Windows\primopdf.ini
[2008/01/20 22:25:51 | 000,062,976 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2008/01/20 22:25:11 | 000,016,384 | ---- | C] () -- C:\Windows\System32\drivers\nsiproxy.sys
[2008/01/20 22:24:41 | 000,100,043 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2007/12/28 03:22:02 | 000,010,296 | ---- | C] () -- C:\Windows\System32\drivers\ASUSHWIO.SYS
[2006/11/02 08:56:48 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 08:47:43 | 000,251,672 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 06:33:01 | 000,595,446 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 06:33:01 | 000,101,144 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/02 03:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin

========== LOP Check ==========

[2011/03/29 20:44:30 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\A73E968968A3CE87240B6191056A7C13
[2011/03/30 12:15:46 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\BitTorrent
[2010/11/18 12:22:06 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\Foxit Software
[2011/03/07 23:04:22 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\Greyfirst
[2010/12/16 16:11:16 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\iolo
[2010/11/20 20:54:01 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\NeatImage PS
[2010/11/23 10:29:19 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\OpenOffice.org
[2011/01/26 13:42:45 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\PrimoPDF
[2011/03/01 15:19:38 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\Temp
[2011/02/18 16:18:09 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\Thunderbird
[2011/03/30 21:13:29 | 000,032,562 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 208 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84

< End of report >

cycleex
2011-03-31, 04:41
OTL Extras logfile created on: 3/30/2011 9:28:54 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\1\Desktop
Windows Vista Business Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 49.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 49.44 Gb Free Space | 33.17% Space Free | Partition Type: NTFS
Drive J: | 464.84 Gb Total Space | 283.30 Gb Free Space | 60.95% Space Free | Partition Type: NTFS

Computer Name: DAVESBIGMACHINE | User Name: 1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)

[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*

[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*

[HKEY_USERS\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Browse with Corel Paint Shop Pro Photo X2] -- "C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\Corel Paint Shop Pro Photo.exe" "%L" (Corel, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av" = 1
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0A8A8058-DA51-4421-BF54-E9202790A6A4}" = lport=9322 | protocol=6 | dir=in | name=ekdiscovery |
"{B1D1F633-0246-4A4D-AA6C-86E0C8F51405}" = lport=5353 | protocol=17 | dir=in | name=bonjour port 5353 |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0138D0BB-7F4B-455E-A0E4-53C0422709BE}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{5EDD8C94-953B-4137-82B9-C39602BE05D2}" = protocol=6 | dir=in | app=c:\program files\iolo\system mechanic professional\sysmech.exe |
"{A9718FA5-33F8-4437-807A-6B7345DA789A}" = dir=in | app=c:\program files\itunes\itunes.exe |
"{E262BA75-18B5-4246-8238-D689FDF01014}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{FB253B2B-5A03-420D-8793-6FD6948F98A2}" = protocol=17 | dir=in | app=c:\program files\iolo\system mechanic professional\sysmech.exe |
"TCP Query User{6A683606-2861-454E-AD38-84A8C8AD1EF5}C:\program files\google\google earth\client\googleearth.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
"TCP Query User{C6EE8DEF-E2CB-43D4-9B38-C0C4B9395A04}C:\program files\emule\emule.exe" = protocol=6 | dir=in | app=c:\program files\emule\emule.exe |
"TCP Query User{E75502DE-1F00-48F0-8DF2-D1ACAFF6ABF8}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe |
"UDP Query User{1D671F8C-9446-4B65-8257-C4AAE1940031}C:\program files\google\google earth\client\googleearth.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
"UDP Query User{510AD074-BB5F-422F-9A58-3D5EA0D34C43}C:\program files\emule\emule.exe" = protocol=17 | dir=in | app=c:\program files\emule\emule.exe |
"UDP Query User{FE43DC31-A168-415D-8531-40C2543D7C91}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0645A454-AD44-4F0D-99CF-6B762735AD1F}" = aioprnt
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 22
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{30DBAD4A-BA6D-4F9D-8AB0-2F6C7B0612A4}" = AVSDK5
"{3248F0A8-6813-11D6-A77B-00B0D0150050}" = J2SE Runtime Environment 5.0 Update 5
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{56BA241F-580C-43D2-8403-947241AAE633}" = center
"{5A13987D-55F4-4271-A40E-76AC9B1B38FD}" = OpenOffice.org 3.2
"{64E72FB1-2343-4977-B4A8-262CD53D0BD3}" = Corel Paint Shop Pro Photo X2
"{6845255F-15CC-4DD1-94D5-D38F370118B3}_is1" = Auslogics Duplicate File Finder
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BBD3F66B-1180-4785-B679-3F91572CD3B4}_is1" = iolo technologies' System Mechanic Professional
"{C158BAF3-D76F-FE96-2934-A5940020A971}" = ATI Catalyst Install Manager
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C768790F-04FB-11E0-9B2C-001AA037B01E}" = Google Earth
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DA5BDB2A-12F0-4343-8351-21AAEB293990}" = PreReq
"{DE6B7599-D3EF-4436-8836-BAA0B0D7768D}" = aiofw
"{E0F274B7-592B-4669-8FB8-8D9825A09858}" = KODAK AiO Home Center
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{FAE36873-1941-4076-A9A5-48812B5EA0B7}" = iTunes
"{FE24086F-3B0C-4C47-A874-97A7B8E2FBBE}" = aioscnnr
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Celtx (2.9)" = Celtx (2.9)
"ERUNT_is1" = ERUNT 1.1j
"Eye Candy 3" = Eye Candy 3
"Eye Candy 4000" = Eye Candy 4000 Demo
"Foxit PDF Editor" = Foxit PDF Editor
"Foxit Reader" = Foxit Reader
"Google Chrome" = Google Chrome
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.16)" = Mozilla Firefox (3.6.16)
"Mozilla Thunderbird (3.1.7)" = Mozilla Thunderbird (3.1.7)
"Neat Image_is1" = Neat Image v6 Demo (with plug-in)
"NVIDIA Drivers" = NVIDIA Drivers
"Picasa 3" = Picasa 3
"PrimoPDF" = PrimoPDF -- brought to you by Nitro PDF Software
"Spyware Doctor" = Spyware Doctor 8.0
"virtualPhotographer_is1" = virtualPhotographer 1.5.6
"WinRAR archiver" = WinRAR archiver

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/30/2011 6:03:45 PM | Computer Name = davesbigmachine | Source = SPP | ID = 16387
Description =

Error - 3/30/2011 6:03:45 PM | Computer Name = davesbigmachine | Source = System Restore | ID = 8193
Description =

Error - 3/30/2011 7:13:10 PM | Computer Name = davesbigmachine | Source = SPP | ID = 16387
Description =

Error - 3/30/2011 7:13:10 PM | Computer Name = davesbigmachine | Source = System Restore | ID = 8193
Description =

Error - 3/30/2011 7:13:10 PM | Computer Name = davesbigmachine | Source = System Restore | ID = 8210
Description =

Error - 3/30/2011 8:24:29 PM | Computer Name = davesbigmachine | Source = WinMgmt | ID = 10
Description =

Error - 3/30/2011 8:41:33 PM | Computer Name = davesbigmachine | Source = WinMgmt | ID = 10
Description =

Error - 3/30/2011 8:41:48 PM | Computer Name = davesbigmachine | Source = EventSystem | ID = 4609
Description =

Error - 3/30/2011 8:50:48 PM | Computer Name = davesbigmachine | Source = WinMgmt | ID = 10
Description =

Error - 3/30/2011 9:16:44 PM | Computer Name = davesbigmachine | Source = WinMgmt | ID = 10
Description =

[ iolo Applications Events ]
Error - 3/30/2011 1:16:35 AM | Computer Name = davesbigmachine | Source = System Shield | ID = 17
Description =

Error - 3/30/2011 1:17:08 AM | Computer Name = davesbigmachine | Source = System Shield | ID = 17
Description =

Error - 3/30/2011 1:42:52 AM | Computer Name = davesbigmachine | Source = System Shield | ID = 17
Description =

Error - 3/30/2011 4:18:09 AM | Computer Name = davesbigmachine | Source = System Shield | ID = 17
Description =

Error - 3/30/2011 7:18:09 AM | Computer Name = davesbigmachine | Source = System Shield | ID = 17
Description =

Error - 3/30/2011 10:19:09 AM | Computer Name = davesbigmachine | Source = System Shield | ID = 17
Description =

[ System Events ]
Error - 3/16/2011 6:29:23 PM | Computer Name = davesbigmachine | Source = HTTP | ID = 15016
Description =

Error - 3/16/2011 7:12:47 PM | Computer Name = davesbigmachine | Source = HTTP | ID = 15016
Description =

Error - 3/17/2011 12:48:38 PM | Computer Name = davesbigmachine | Source = HTTP | ID = 15016
Description =

Error - 3/18/2011 7:57:22 PM | Computer Name = davesbigmachine | Source = HTTP | ID = 15016
Description =

Error - 3/22/2011 9:55:06 AM | Computer Name = davesbigmachine | Source = HTTP | ID = 15016
Description =

Error - 3/22/2011 11:18:21 PM | Computer Name = davesbigmachine | Source = HTTP | ID = 15016
Description =

Error - 3/23/2011 11:52:53 AM | Computer Name = davesbigmachine | Source = HTTP | ID = 15016
Description =

Error - 3/24/2011 9:47:29 AM | Computer Name = davesbigmachine | Source = HTTP | ID = 15016
Description =

Error - 3/25/2011 12:12:54 AM | Computer Name = davesbigmachine | Source = HTTP | ID = 15016
Description =

Error - 3/25/2011 11:39:47 AM | Computer Name = davesbigmachine | Source = HTTP | ID = 15016
Description =


< End of report >

ken545
2011-03-31, 10:22
Good Morning,

Ask Toolbar
* It promotes its toolbars on sites targeted at kids.
* It promotes its toolbars through ads that appear to be part of other companies' sites.
* It promotes its toolbars through other companies' spyware.
* It is installed without any disclosure whatsoever and without any consent from the user whatsoever.
* It solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
* It makes confusing changes to users' browsers, increasing Ask's revenues while taking users to pages they didn't intend to visit.

eMule
Any form of P2P (file sharing) is dangerous: you're downloading that file from an unknown source. Malware writers are in tune to this and have been using P2P as one of the latest ways of spreading their wares. You never know what's attached to that file; it's like playing Russian roulette, malware-wise.


You should be able to uninstall them both via Programs and features in the Control Panel.


Then.....

Backup Your Registry with ERUNT:
Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
Inside the new folder, double-click ERUNT.exe to start the program
OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe

Open OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

:processes
killallprocesses

:OTL
O2 - BHO: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
[2011/03/29 23:29:36 | 000,431,419 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20110329-233054.backup
@Alternate Data Stream - 208 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84


:Services

:Reg
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION]
"svchost.exe"=-

:Files
ipconfig /flushdns /c


:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces.
Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

cycleex
2011-03-31, 19:25
Hi Ken, I uninstalled eMule yesterday before we started talking. I used it once about a month ago. I screened the file I needed with my AV program and haven't used eMule since.
The Ask toolbar seems to be a problem. It is associated with my PDF program. It is an optional install item. I opted not to install it as I hate toolbars, and it doesn't show up in my PDF or browser bars. I am not able to uninstall it though.
See my attached jpeg screenshot for the error the uninstall generates. I am the administrator and I operate at the top level. I continually get this hosts message too. Here is the screenshot of that as well.

I'll wait for your response before I backup the reg. Also know that I have the ERUNT already, do I really need to Dl again?

Dave

ken545
2011-03-31, 19:36
As long as ERUNT is fairly current you can use the one you downloaded; if not, you can drag it to the trash and redownload it. Whatever you do, just make sure you back up your registry before you proceed with the fix.

cycleex
2011-03-31, 19:41
I have tried to remove that ASK entry with no success. I even restarted in safe mode and tried to uninstall that way but no luck. Should I still proceed with reg backup?

cycleex
2011-03-31, 19:55
I also have been getting this message on startup after the desktop loads, see attached.

Windows defender
Application failed to initialize
Dave

cycleex
2011-03-31, 20:33
Hey Ken,
I also just had this tab spawn by itself while I was away from my machine
See attached

ken545
2011-03-31, 21:45
Back up with ERUNT and run the OTL fix and we will go from there

cycleex
2011-04-01, 00:26
Ken, ERUNT won't run correctly.
see attached.

Maybe IOLO system mechanic is blocking?

ken545
2011-04-01, 01:13
Let's do this; it looks like you have a rogue program causing you problems.

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when ComboFix has completely finished, restart your computer to restore the connections.

cycleex
2011-04-01, 01:26
I also just set iolo services to manual start-up instead of automatic. OK?

ken545
2011-04-01, 01:27
:bigthumb:

cycleex
2011-04-01, 01:41
Big problem Ken. I saved combofix.exe to desktop as requested. Double-clicked to start the program, green status bar gets almost all the way across and then... bluescreen and dump restart. First bluescreen ever on this machine (3 years old).
What now?

cycleex
2011-04-01, 01:45
here is what the "Windows has recovered from an unexpected shutdown" info on the next startup said....

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6001.2.1.0.256.6
Locale ID: 1033

Additional information about the problem:
BCCode: a
BCP1: 00000016
BCP2: 0000001B
BCP3: 00000000
BCP4: 81EFBBEF
OS Version: 6_0_6001
Service Pack: 1_0
Product: 256_1

Files that help describe the problem:
C:\Windows\Minidump\Mini033111-05.dmp
C:\Users\1\AppData\Local\Temp\WER-115768-0.sysdata.xml
C:\Users\1\AppData\Local\Temp\WER672B.tmp.version.txt

cycleex
2011-04-01, 01:59
Also I just noticed this. Is this normal? I didn't intentionally block this.
Malwarebytes blocked on startup.

attached screenshot

ken545
2011-04-01, 02:28
Let's back up a bit and do this.

Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrscan.gif
Click the "Scan" button to start the scan


http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrsavelog.gif
On completion of the scan click save log, save it to your desktop and post in your next reply

cycleex
2011-04-01, 02:36
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-31 20:30:21
-----------------------------
20:30:21.505 OS Version: Windows 6.0.6001 Service Pack 1
20:30:21.505 Number of processors: 4 586 0x203
20:30:21.505 ComputerName: DAVESBIGMACHINE UserName: 1
20:30:23.268 Initialize success
20:30:27.761 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
20:30:27.761 Disk 0 Vendor: WDC_WD1600AAJS-00B4A0 01.03A01 Size: 152627MB BusType: 3
20:30:27.776 Disk 1 \Device\Harddisk1\DR1 -> \Device\Scsi\SI3114r1Port4Path0Target0Lun0
20:30:27.776 Disk 1 Vendor: SiI_____ 1100 Size: 476939MB BusType: 1
20:30:27.776 Device \Device\Ide\IdeDeviceP0T1L0-2 -> \??\IDE#DiskWDC_WD1600AAJS-00B4A0___________________01.03A01#5&2e153c89&0&0.1.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
20:30:29.804 Disk 0 MBR read successfully
20:30:29.804 Disk 0 MBR scan
20:30:29.804 Disk 0 TDL4@MBR code has been found
20:30:29.820 Disk 0 MBR hidden
20:30:29.820 Disk 0 MBR [TDL4] **ROOTKIT**
20:30:29.835 Disk 0 trace - called modules:
20:30:29.835 ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll >>UNKNOWN [0x86216439]<<
20:30:29.851 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x852a85d8]
20:30:29.851 3 CLASSPNP.SYS[881a9745] -> nt!IofCallDriver -> [0x852a8e40]
20:30:29.867 5 PCTCore.sys[8079f099] -> nt!IofCallDriver -> [0x852a4878]
20:30:29.882 7 acpi.sys[8060f6a0] -> nt!IofCallDriver -> [0x85293ba0]
20:30:29.882 \Driver\atapi[0x85c6c908] -> IRP_MJ_CREATE -> 0x86216439
20:30:29.898 Scan finished successfully

ken545
2011-04-01, 02:56
Your system is infected with the TDL4 rootkit; it didn't show up on the other scanners.


Re-Run aswMBR

Click Scan

On completion of the scan

Click the Fix Button
http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrtdl4.gif

Save the log as before and post in your next reply

cycleex
2011-04-01, 03:05
OK here it is. I am also getting a hard disk error now which will require some tending. I think it is in my raid. Can I make the repair before a failure?
Dave
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-31 21:00:23
-----------------------------
21:00:23.476 OS Version: Windows 6.0.6001 Service Pack 1
21:00:23.476 Number of processors: 4 586 0x203
21:00:23.476 ComputerName: DAVESBIGMACHINE UserName: 1
21:00:23.757 Initialize success
21:00:25.956 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-2
21:00:25.956 Disk 0 Vendor: WDC_WD1600AAJS-00B4A0 01.03A01 Size: 152627MB BusType: 3
21:00:25.956 Disk 1 \Device\Harddisk1\DR1 -> \Device\Scsi\SI3114r1Port4Path0Target0Lun0
21:00:25.972 Disk 1 Vendor: SiI_____ 1100 Size: 476939MB BusType: 1
21:00:28.000 Disk 0 MBR read successfully
21:00:28.000 Disk 0 MBR scan
21:00:30.012 Disk 0 scanning sectors +312578048
21:00:30.028 Disk 0 scanning C:\Windows\system32\drivers
21:00:33.398 Service scanning
21:00:36.440 Disk 0 trace - called modules:
21:00:36.455 ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
21:00:36.471 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x852a0030]
21:00:36.471 3 CLASSPNP.SYS[881a5745] -> nt!IofCallDriver -> [0x852a6658]
21:00:36.486 5 PCTCore.sys[8079a099] -> nt!IofCallDriver -> [0x8529b780]
21:00:36.486 7 acpi.sys[8060a6a0] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T1L0-2[0x8529bba0]
21:00:36.502 Scan finished successfully
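
As an added example (not code from the thread or from aswMBR itself), a small Python parser for the kind of aswMBR log posted in the two runs above: it flags the bootkit indicators from the first run (the TDL4@MBR code has been found, MBR hidden and [TDL4] **ROOTKIT** lines, plus the >>UNKNOWN [0x...]<< hook and the redirected IRP_MJ_CREATE in the driver call trace) and checks that the run after Fix reports the disk clean. The line formats are assumed from these two logs only, and the sample logs inside are constructed, abbreviated copies of them.

```python
# Added example (not from the thread or from aswMBR): flag the MBR bootkit
# indicators seen in the logs above and confirm a post-Fix run is clean.
import re
from dataclasses import dataclass, field
from typing import Optional

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+(?P<msg>.*)$")
DISK_RE = re.compile(r"^Disk (?P<n>\d+) (?P<rest>.*)$")
CODE_RE = re.compile(r"^(?P<family>\w+)@MBR code has been found$")
ROOTKIT_RE = re.compile(r"^MBR \[(?P<family>\w+)\] \*\*ROOTKIT\*\*$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")   # code outside any known module
HOOK_RE = re.compile(   # "\Driver\atapi[0x...] -> IRP_MJ_CREATE -> 0x..." (redirected dispatch)
    r"^(?P<drv>\\Driver\\\w+)\[0x[0-9A-Fa-f]+\] -> (?P<irp>IRP_MJ_\w+) -> (?P<addr>0x[0-9A-Fa-f]+)$"
)

@dataclass
class DiskFinding:
    disk: int
    family: Optional[str] = None          # e.g. "TDL4" from "MBR [TDL4] **ROOTKIT**"
    mbr_hidden: bool = False              # "Disk N MBR hidden": the real MBR is concealed
    unknown_modules: list = field(default_factory=list)   # addresses from >>UNKNOWN [..]<<
    hooked_irps: list = field(default_factory=list)       # (driver, IRP major, target)

    @property
    def infected(self) -> bool:
        return self.family is not None or self.mbr_hidden or bool(self.unknown_modules)

@dataclass
class AswMbrReport:
    disks: dict = field(default_factory=dict)
    finished: bool = False                # saw "Scan finished successfully"

    def infected_disks(self) -> list:
        return sorted(n for n, d in self.disks.items() if d.infected)

def parse_aswmbr(text: str) -> AswMbrReport:
    report = AswMbrReport()
    trace_of = None   # disk whose "trace - called modules:" block we are inside
    for raw in text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue                      # banner and separator lines carry no timestamp
        msg = m.group("msg")
        if msg == "Scan finished successfully":
            report.finished = True
            continue
        dm = DISK_RE.match(msg)
        if dm:
            n, rest = int(dm.group("n")), dm.group("rest")
            disk = report.disks.setdefault(n, DiskFinding(n))
            trace_of = disk if rest == "trace - called modules:" else None
            if rest == "MBR hidden":
                disk.mbr_hidden = True
            else:
                cm = CODE_RE.match(rest) or ROOTKIT_RE.match(rest)
                if cm:
                    disk.family = cm.group("family")
            continue
        if trace_of is not None:          # module list and call chain of the open trace
            trace_of.unknown_modules.extend(UNKNOWN_RE.findall(msg))
            hm = HOOK_RE.match(msg)
            if hm:
                trace_of.hooked_irps.append((hm.group("drv"), hm.group("irp"), hm.group("addr")))
    return report

def remediated(before: AswMbrReport, after: AswMbrReport) -> list:
    """Disks flagged in the first run that a completed second run reports clean."""
    if not after.finished:
        return []
    return [n for n in before.infected_disks() if n in after.disks and not after.disks[n].infected]

# Constructed, abbreviated copies of the two aswMBR runs posted in this thread.
BEFORE_FIX = r"""aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
20:30:27.761 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
20:30:29.804 Disk 0 TDL4@MBR code has been found
20:30:29.820 Disk 0 MBR hidden
20:30:29.820 Disk 0 MBR [TDL4] **ROOTKIT**
20:30:29.835 Disk 0 trace - called modules:
20:30:29.835 ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll >>UNKNOWN [0x86216439]<<
20:30:29.882 \Driver\atapi[0x85c6c908] -> IRP_MJ_CREATE -> 0x86216439
20:30:29.898 Scan finished successfully
"""

AFTER_FIX = r"""aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
21:00:25.956 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-2
21:00:36.440 Disk 0 trace - called modules:
21:00:36.455 ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
21:00:36.486 7 acpi.sys[8060a6a0] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T1L0-2[0x8529bba0]
21:00:36.502 Scan finished successfully
"""

if __name__ == "__main__":
    before, after = parse_aswmbr(BEFORE_FIX), parse_aswmbr(AFTER_FIX)
    for n in before.infected_disks():
        print(f"disk {n}: {before.disks[n]}")
    print("remediated after Fix:", remediated(before, after))   # [0]
```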

ken545
2011-04-01, 03:29
Not sure about your RAID. Run ComboFix; it should run with no problems now.

cycleex
2011-04-01, 03:50
Hi Ken.
Ran combofix just fine. Here is the log...

ComboFix 11-03-31.01 - 1 03/31/2011 21:29:56.1.4 - x86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.2046.1401 [GMT -4:00]
Running from: c:\users\1\Desktop\ComboFix.exe
SP: Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\DFRD143.tmp
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\1\AppData\Roaming\A73E968968A3CE87240B6191056A7C13
c:\users\1\AppData\Roaming\A73E968968A3CE87240B6191056A7C13\enemies-names.txt
c:\users\1\AppData\Roaming\A73E968968A3CE87240B6191056A7C13\local.ini
c:\users\1\AppData\Roaming\Adobe\plugs
c:\users\1\AppData\Roaming\Adobe\shed
.
----- BITS: Possible infected sites -----
.
hxxp://download.iolo.net
.
((((((((((((((((((((((((( Files Created from 2011-03-01 to 2011-04-01 )))))))))))))))))))))))))))))))
.
.
2011-04-01 01:39 . 2011-04-01 01:39 -------- d-----w- c:\users\1\AppData\Local\temp
2011-04-01 01:39 . 2011-04-01 01:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-30 11:22 . 2011-03-31 01:15 -------- d-----w- c:\windows\Sun
2011-03-30 03:04 . 2011-03-30 03:30 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-03-30 03:04 . 2011-03-30 03:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-30 00:34 . 2010-07-16 18:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-03-30 00:34 . 2010-07-16 18:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-03-30 00:34 . 2011-01-17 13:10 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-03-30 00:34 . 2010-12-16 12:38 103232 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2011-03-30 00:34 . 2010-12-10 20:57 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-03-30 00:34 . 2010-12-10 17:24 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-03-30 00:34 . 2010-12-16 12:46 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-03-30 00:34 . 2011-03-31 23:27 -------- d-----w- c:\program files\PC Tools Security
2011-03-30 00:34 . 2011-03-30 00:36 -------- d-----w- c:\program files\Common Files\PC Tools
2011-03-29 12:34 . 2011-03-15 04:05 6792528 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DC0945D2-7124-4CCE-943B-1E0BBBB8CA97}\mpengine.dll
2011-03-16 22:26 . 2010-02-09 02:59 56200 ----a-w- c:\windows\system32\offreg.dll
2011-03-09 14:06 . 2010-12-29 17:41 323072 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 14:06 . 2010-12-29 17:41 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 14:06 . 2010-12-29 17:41 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-09 14:06 . 2010-12-29 17:39 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 14:06 . 2010-12-17 16:43 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 14:06 . 2010-12-17 15:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-08 20:09 . 2011-03-08 20:09 -------- d-----w- c:\program files\Auslogics
2011-03-08 03:04 . 2011-03-08 03:04 -------- d-----w- c:\users\1\AppData\Roaming\Greyfirst
2011-03-08 03:04 . 2011-03-08 03:04 -------- d-----w- c:\users\1\AppData\Local\Greyfirst
2011-03-08 03:03 . 2011-03-08 03:04 -------- d-----w- c:\program files\Celtx
2011-03-02 21:53 . 2011-03-30 16:11 -------- d-----w- c:\programdata\eMule
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-30 21:28 . 2010-11-18 21:35 848 --sha-w- c:\programdata\KGyGaAvL.sys
2011-03-15 19:24 . 2010-11-18 15:41 87688 ----a-w- c:\windows\system32\IncContxMenu.dll
2011-03-15 19:23 . 2010-11-18 15:41 11776 ----a-w- c:\windows\system32\smrgdf.exe
2011-03-15 19:23 . 2010-11-18 15:41 29696 ----a-w- c:\windows\system32\iolobtdfg.exe
2011-03-15 19:21 . 2010-11-18 15:41 2234552 ----a-w- c:\windows\system32\Incinerator.dll
2011-02-02 22:11 . 2010-11-19 00:03 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-08 07:50 . 2011-02-09 22:42 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 05:57 . 2011-02-09 22:42 292352 ----a-w- c:\windows\system32\atmfd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\VDeck\VDeck.exe" [2008-05-21 15519744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13535776]
"iolo Startup"="c:\program files\iolo\Common\Lib\ioloLManager.exe" [2011-03-15 434360]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2008-08-08 16712]
"Conime"="c:\windows\system32\conime.exe" [2008-01-21 69120]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-22 136176]
R3 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2011-03-15 724152]
R3 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2011-03-15 724152]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [2010-03-15 366840]
R3 vseqrts;vseqrts;c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe [2010-01-19 158248]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-12-10 239168]
S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2010-07-16 338880]
S0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2010-07-16 656320]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\ElRawDsk.sys [2008-12-09 20392]
S2 AMP;AMP;c:\windows\system32\DRIVERS\amp.sys [2010-01-19 127016]
S2 AMPSE;AMPSE;c:\windows\system32\DRIVERS\ampse.sys [2010-01-19 1118248]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [2010-09-13 308656]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 vseamps;vseamps;c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [2010-01-19 121384]
S2 vsedsps;vsedsps;c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [2010-01-19 117288]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2008-05-08 269824]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-22 19:07]
.
2011-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-22 19:07]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
LSP: c:\windows\system32\iavlsp.dll
FF - ProfilePath - c:\users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: New Tab Homepage: {66E978CD-981F-47DF-AC42-E3CF417C1467} - %profile%\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
FF - Ext: Map This: {05f6a7ea-896b-11da-8bde-f66bad1e3f3a} - %profile%\extensions\{05f6a7ea-896b-11da-8bde-f66bad1e3f3a}
FF - Ext: Zoom toolbar: {FBFB7597-9E32-46b4-A500-8B6B0412777F} - %profile%\extensions\{FBFB7597-9E32-46b4-A500-8B6B0412777F}
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Screen Capture Elite: screencaptureelite@plugin - %profile%\extensions\screencaptureelite@plugin
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: printpdf: printpdf@pavlov.net - %profile%\extensions\printpdf@pavlov.net
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
------- File Associations -------
.
exefile="c:\windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-31 21:39
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\VDeck\VDeck.exe -r???????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-03-31 21:44:13
ComboFix-quarantined-files.txt 2011-04-01 01:44
.
Pre-Run: 52,054,032,384 bytes free
Post-Run: 51,981,864,960 bytes free
.
- - End Of File - - 153D20A5F9BEB0E23D6894EB829B4D38

ken545
2011-04-01, 03:55
Great, go ahead and run OTL and run a new scan (not the fix, as it may have changed) and post the log.

cycleex
2011-04-01, 04:05
Here it is. Same settings as before, just a scan...

OTL logfile created on: 3/31/2011 9:53:32 PM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\1\Desktop
Windows Vista Business Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 59.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 48.47 Gb Free Space | 32.52% Space Free | Partition Type: NTFS
Drive J: | 464.84 Gb Total Space | 282.31 Gb Free Space | 60.73% Space Free | Partition Type: NTFS

Computer Name: DAVESBIGMACHINE | User Name: 1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\1\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company)
PRC - C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
PRC - C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe (Authentium, Inc)
PRC - C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe (Authentium, Inc)
PRC - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe ()
PRC - C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe (VIA)
PRC - C:\Windows\System32\audiodg.exe (Microsoft Corporation)
PRC - C:\Windows\System32\DFDWiz.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)


========== Modules (SafeList) ==========

MOD - C:\Users\1\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18523_none_5cdd65e20837faf2\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (ioloSystemService) -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (iolo technologies, LLC)
SRV - (ioloFileInfoList) -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (iolo technologies, LLC)
SRV - (sdCoreService) -- C:\Program Files\PC Tools Security\pctsSvc.exe (PC Tools)
SRV - (Kodak AiO Network Discovery Service) -- C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company)
SRV - (sdAuxService) -- C:\Program Files\PC Tools Security\pctsAuxs.exe (PC Tools)
SRV - (vseqrts) -- C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe (Authentium, Inc)
SRV - (vsedsps) -- C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe (Authentium, Inc)
SRV - (vseamps) -- C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe (Authentium, Inc)
SRV - (SBSDWSCService) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
SRV - (PSI_SVC_2) -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)


========== Driver Services (SafeList) ==========

DRV - (PCTCore) -- C:\Windows\system32\drivers\PCTCore.sys (PC Tools)
DRV - (pctEFA) -- C:\Windows\system32\drivers\pctEFA.sys (PC Tools)
DRV - (pctDS) -- C:\Windows\system32\drivers\pctDS.sys (PC Tools)
DRV - (FileDisk) -- C:\Windows\System32\drivers\filedisk.sys (iolo technologies, LLC (based on original work by Bo Brantén))
DRV - (AMP) -- C:\Windows\System32\drivers\amp.sys (Authentium, Inc)
DRV - (AMPSE) -- C:\Windows\System32\drivers\ampse.sys (Authentium, Inc)
DRV - (ElRawDisk) -- C:\Windows\System32\drivers\ElRawDsk.sys (EldoS Corporation)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (VIAHdAudAddService) -- C:\Windows\System32\drivers\viahduaa.sys (VIA Technologies, Inc.)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation )
DRV - (AtiPcie) ATI PCI Express (3GIO) -- C:\Windows\system32\DRIVERS\AtiPcie.sys (ATI Technologies Inc.)
DRV - (nsiproxy) -- C:\Windows\System32\drivers\nsiproxy.sys ()
DRV - (SiFilter) -- C:\Windows\system32\DRIVERS\SiWinAcc.sys (Silicon Image, Inc)
DRV - (SI3114r) -- C:\Windows\system32\DRIVERS\SI3114r.sys (Silicon Image, Inc)
DRV - (MTsensor) -- C:\Windows\System32\drivers\ASACPI.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 6C EB 20 59 84 C8 CB 01 [binary data]
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: calendar-timezones@mozilla.org:0.1.2008d
FF - prefs.js..extensions.enabledItems: default-palette@celtx.com:1.0
FF - prefs.js..extensions.enabledItems: emoticons-msn-smileys@m513901.de:0.1
FF - prefs.js..extensions.enabledItems: inspector@mozilla.org:2.0.0
FF - prefs.js..extensions.enabledItems: messagestyle-blackened@addons.instantbird.org:0.9
FF - prefs.js..extensions.enabledItems: messagestyle-depth@addons.instantbird.org:1.1
FF - prefs.js..extensions.enabledItems: messagestyle-minimal20@addons.instantbird.org:1.5

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/23 23:09:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/23 23:09:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.7\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/02/18 16:17:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.7\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2011/03/07 23:04:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Extensions
[2011/02/18 16:18:10 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/03/07 23:04:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Extensions\celtx@celtx.com
[2011/03/31 16:24:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions
[2010/11/18 00:14:03 | 000,000,000 | ---D | M] (Map This) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{05f6a7ea-896b-11da-8bde-f66bad1e3f3a}
[2010/11/21 01:04:13 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/01/08 00:10:40 | 000,000,000 | ---D | M] (New Tab Homepage) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
[2011/03/29 19:19:21 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/03/12 14:20:17 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2010/11/18 00:16:51 | 000,000,000 | ---D | M] (Zoom toolbar) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{FBFB7597-9E32-46b4-A500-8B6B0412777F}
[2011/03/29 19:19:41 | 000,000,000 | ---D | M] ("Xmarks") -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\foxmarks@kei.com
[2011/03/25 16:19:58 | 000,000,000 | ---D | M] (Cooliris) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\piclens@cooliris.com
[2011/03/25 16:19:58 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\piclens@cooliris.com-trash
[2011/01/26 13:54:53 | 000,000,000 | ---D | M] (printpdf) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\printpdf@pavlov.net
[2011/03/22 09:59:34 | 000,000,000 | ---D | M] (Screen Capture Elite) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\screencaptureelite@plugin
[2011/02/09 14:38:55 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/18 16:17:30 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/11/19 13:17:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/03/07 23:04:02 | 000,000,000 | ---D | M] (Timezone Definitions for Mozilla Calendar) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\CALENDAR-TIMEZONES@MOZILLA.ORG
[2011/03/07 23:04:02 | 000,000,000 | ---D | M] (Default Shot Palette) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\DEFAULT-PALETTE@CELTX.COM
[2011/03/07 23:04:02 | 000,000,000 | ---D | M] (MSN-Smileys) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\EMOTICONS-MSN-SMILEYS@M513901.DE
[2011/03/07 23:04:01 | 000,000,000 | ---D | M] (DOM Inspector) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\INSPECTOR@MOZILLA.ORG
[2011/03/07 23:04:01 | 000,000,000 | ---D | M] (Blackened) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-BLACKENED@ADDONS.INSTANTBIRD.ORG
[2011/03/07 23:04:01 | 000,000,000 | ---D | M] (Depth) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-DEPTH@ADDONS.INSTANTBIRD.ORG
[2011/03/07 23:04:01 | 000,000,000 | ---D | M] (Minimal) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-MINIMAL20@ADDONS.INSTANTBIRD.ORG
[2010/09/15 05:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/03/31 21:39:20 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [Conime] C:\Windows\System32\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe ()
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe (VIA)
O4 - HKLM..\Run: [iolo Startup] C:\Program Files\iolo\Common\Lib\ioloLManager.exe (iolo technologies, LLC)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Windows\System32\iavlsp.dll (iolo technologies, LLC)
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} https://www.select2perform.com/cabs/QOLCheck.ocx (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab (Java Plug-in 1.5.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.73.246 68.87.71.230
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\1\Desktop\November bike inner harbor\IMG_1788.JPG
O24 - Desktop BackupWallPaper: C:\Users\1\Desktop\November bike inner harbor\IMG_1788.JPG
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O35 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/31 21:44:25 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/03/31 21:44:21 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/03/31 21:44:21 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Local\temp
[2011/03/31 21:28:07 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/03/31 21:28:07 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/03/31 21:28:07 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/03/31 21:27:44 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/03/31 21:27:28 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2011/03/31 20:29:50 | 000,566,272 | ---- | C] (AVAST Software) -- C:\Users\1\Desktop\aswMBR.exe
[2011/03/31 18:11:51 | 000,000,000 | ---D | C] -- C:\Users\1\Desktop\erunt
[2011/03/31 16:06:40 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2011/03/30 21:04:30 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Roaming\Malwarebytes
[2011/03/30 21:04:25 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/03/30 21:04:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/03/30 21:04:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/03/30 21:04:19 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/03/30 21:04:18 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/03/30 20:54:51 | 000,000,000 | ---D | C] -- C:\Users\1\Desktop\insightdesk
[2011/03/30 20:47:44 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\1\Desktop\OTL.exe
[2011/03/30 20:45:24 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Users\1\Desktop\ATF-Cleaner.exe
[2011/03/30 15:55:47 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/03/30 07:22:44 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2011/03/29 23:04:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2011/03/29 23:04:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2011/03/29 23:04:09 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/03/29 20:34:56 | 000,656,320 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctEFA.sys
[2011/03/29 20:34:56 | 000,338,880 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctDS.sys
[2011/03/29 20:34:55 | 000,251,560 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctgntdi.sys
[2011/03/29 20:34:55 | 000,103,232 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctwfpfilter.sys
[2011/03/29 20:34:52 | 000,239,168 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTCore.sys
[2011/03/29 20:34:52 | 000,160,448 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTAppEvent.sys
[2011/03/29 20:34:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Tools Security
[2011/03/29 20:34:43 | 000,070,536 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctplsg.sys
[2011/03/29 20:34:30 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools Security
[2011/03/29 20:34:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2011/03/16 18:26:56 | 000,056,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\offreg.dll
[2011/03/09 10:06:14 | 000,429,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll
[2011/03/09 10:06:14 | 000,323,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sbe.dll
[2011/03/09 10:06:13 | 000,177,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax
[2011/03/09 10:06:13 | 000,153,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sbeio.dll
[2011/03/08 16:09:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics
[2011/03/08 16:09:42 | 000,000,000 | ---D | C] -- C:\Program Files\Auslogics
[2011/03/08 16:07:46 | 004,537,088 | ---- | C] (Auslogics Software Pty Ltd ) -- C:\Users\1\Desktop\duplicate-file-finder-setup.exe
[2011/03/07 23:04:22 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Roaming\Greyfirst
[2011/03/07 23:04:22 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Local\Greyfirst
[2011/03/07 23:04:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Celtx
[2011/03/07 23:03:56 | 000,000,000 | ---D | C] -- C:\Program Files\Celtx
[2011/03/02 17:53:48 | 000,000,000 | ---D | C] -- C:\ProgramData\eMule

========== Files - Modified Within 30 Days ==========

[2011/03/31 21:39:20 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/03/31 21:12:00 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/31 21:04:13 | 000,595,446 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/03/31 21:04:13 | 000,101,144 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/03/31 21:00:46 | 000,000,512 | ---- | M] () -- C:\Users\1\Desktop\MBR.dat
[2011/03/31 21:00:00 | 000,000,872 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/31 20:59:58 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/03/31 20:59:58 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/03/31 20:59:50 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/03/31 20:59:45 | 2146,549,760 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/31 20:33:35 | 000,078,157 | ---- | M] () -- C:\Users\1\Desktop\aswmbrlogshot.jpg
[2011/03/31 20:29:56 | 000,566,272 | ---- | M] (AVAST Software) -- C:\Users\1\Desktop\aswMBR.exe
[2011/03/31 19:55:07 | 000,017,744 | ---- | M] () -- C:\Users\1\Desktop\malwarebytes blocked on startup in tray msg.jpg
[2011/03/31 19:37:15 | 326,147,063 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/03/31 19:25:36 | 004,310,832 | R--- | M] () -- C:\Users\1\Desktop\ComboFix.exe
[2011/03/31 18:09:30 | 000,513,320 | ---- | M] () -- C:\Users\1\Desktop\erunt.zip
[2011/03/31 15:58:01 | 000,170,887 | ---- | M] () -- C:\Users\1\Desktop\erunt error 2.jpg
[2011/03/31 15:57:14 | 000,178,348 | ---- | M] () -- C:\Users\1\Desktop\erunt error.jpg
[2011/03/31 14:29:40 | 000,133,413 | ---- | M] () -- C:\Users\1\Desktop\junk error.jpg
[2011/03/31 13:44:29 | 000,102,988 | ---- | M] () -- C:\Users\1\Desktop\startup error.jpg
[2011/03/31 13:21:12 | 000,230,285 | ---- | M] () -- C:\Users\1\Desktop\host error.jpg
[2011/03/31 13:11:29 | 000,220,544 | ---- | M] () -- C:\Users\1\Desktop\askerror.jpg
[2011/03/30 21:04:47 | 000,009,946 | -HS- | M] () -- C:\Users\1\AppData\Local\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 21:04:25 | 000,000,938 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/30 20:53:29 | 000,009,954 | -HS- | M] () -- C:\ProgramData\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 20:47:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\1\Desktop\OTL.exe
[2011/03/30 20:45:25 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Users\1\Desktop\ATF-Cleaner.exe
[2011/03/30 20:43:36 | 000,001,356 | ---- | M] () -- C:\Users\1\AppData\Local\d3d9caps.dat
[2011/03/30 17:28:04 | 000,000,848 | -HS- | M] () -- C:\ProgramData\KGyGaAvL.sys
[2011/03/30 15:23:08 | 000,625,664 | ---- | M] () -- C:\Users\1\Desktop\dds.scr
[2011/03/29 23:29:36 | 000,431,419 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20110329-233054.backup
[2011/03/29 20:35:15 | 001,772,938 | ---- | M] () -- C:\Windows\System32\drivers\Cat.DB
[2011/03/25 18:05:16 | 000,002,121 | ---- | M] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Earth.lnk
[2011/03/15 15:24:20 | 000,087,688 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\IncContxMenu.dll
[2011/03/15 15:23:32 | 000,011,776 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\smrgdf.exe
[2011/03/15 15:23:26 | 000,029,696 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\iolobtdfg.exe
[2011/03/15 15:21:16 | 002,234,552 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\Incinerator.dll
[2011/03/15 12:10:27 | 002,503,745 | ---- | M] () -- C:\Users\1\Desktop\Amy Ernst greatest person of the day Huffington.jpeg
[2011/03/08 16:07:49 | 004,537,088 | ---- | M] (Auslogics Software Pty Ltd ) -- C:\Users\1\Desktop\duplicate-file-finder-setup.exe
[2011/03/07 23:04:10 | 000,001,670 | ---- | M] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Celtx.lnk

========== Files Created - No Company Name ==========

[2011/03/31 21:28:07 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2011/03/31 21:28:07 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/03/31 21:28:07 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
[2011/03/31 21:28:07 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/03/31 21:28:07 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/03/31 20:33:35 | 000,078,157 | ---- | C] () -- C:\Users\1\Desktop\aswmbrlogshot.jpg
[2011/03/31 20:30:47 | 000,000,512 | ---- | C] () -- C:\Users\1\Desktop\MBR.dat
[2011/03/31 19:55:07 | 000,017,744 | ---- | C] () -- C:\Users\1\Desktop\malwarebytes blocked on startup in tray msg.jpg
[2011/03/31 19:25:34 | 004,310,832 | R--- | C] () -- C:\Users\1\Desktop\ComboFix.exe
[2011/03/31 18:09:28 | 000,513,320 | ---- | C] () -- C:\Users\1\Desktop\erunt.zip
[2011/03/31 16:06:07 | 326,147,063 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/03/31 15:58:00 | 000,170,887 | ---- | C] () -- C:\Users\1\Desktop\erunt error 2.jpg
[2011/03/31 15:57:14 | 000,178,348 | ---- | C] () -- C:\Users\1\Desktop\erunt error.jpg
[2011/03/31 14:29:40 | 000,133,413 | ---- | C] () -- C:\Users\1\Desktop\junk error.jpg
[2011/03/31 13:44:28 | 000,102,988 | ---- | C] () -- C:\Users\1\Desktop\startup error.jpg
[2011/03/31 13:38:02 | 2146,549,760 | -HS- | C] () -- C:\hiberfil.sys
[2011/03/31 13:21:12 | 000,230,285 | ---- | C] () -- C:\Users\1\Desktop\host error.jpg
[2011/03/31 13:11:29 | 000,220,544 | ---- | C] () -- C:\Users\1\Desktop\askerror.jpg
[2011/03/30 21:04:25 | 000,000,938 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/30 20:43:09 | 000,009,946 | -HS- | C] () -- C:\Users\1\AppData\Local\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 16:33:41 | 000,009,954 | -HS- | C] () -- C:\ProgramData\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 15:23:04 | 000,625,664 | ---- | C] () -- C:\Users\1\Desktop\dds.scr
[2011/03/25 18:05:16 | 000,002,121 | ---- | C] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Earth.lnk
[2011/03/15 12:10:25 | 002,503,745 | ---- | C] () -- C:\Users\1\Desktop\Amy Ernst greatest person of the day Huffington.jpeg
[2011/03/07 23:04:10 | 000,001,670 | ---- | C] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Celtx.lnk
[2011/02/09 17:18:52 | 000,000,418 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/02/09 14:16:25 | 000,000,094 | ---- | C] () -- C:\Windows\awshkwv.ini
[2011/02/04 20:33:09 | 000,000,010 | ---- | C] () -- C:\Windows\Wininit.ini
[2010/12/17 20:24:26 | 000,009,216 | ---- | C] () -- C:\Users\1\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/21 00:45:52 | 000,176,235 | ---- | C] () -- C:\Windows\System32\Primomonnt.dll
[2010/11/18 18:07:41 | 000,373,248 | ---- | C] () -- C:\Windows\EyeCand3.INI
[2010/11/18 17:35:19 | 000,000,848 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
[2010/11/17 23:54:02 | 000,074,703 | ---- | C] () -- C:\Windows\System32\mfc45.dll
[2010/11/17 22:13:09 | 000,007,680 | ---- | C] () -- C:\Windows\System32\drivers\ASACPI.sys
[2010/11/17 22:13:01 | 000,030,434 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
[2010/11/17 22:09:26 | 000,001,356 | ---- | C] () -- C:\Users\1\AppData\Local\d3d9caps.dat
[2009/12/20 21:42:18 | 000,000,314 | ---- | C] () -- C:\Windows\primopdf.ini
[2008/01/20 22:25:51 | 000,062,976 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2008/01/20 22:25:11 | 000,016,384 | ---- | C] () -- C:\Windows\System32\drivers\nsiproxy.sys
[2008/01/20 22:24:41 | 000,100,043 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2007/12/28 03:22:02 | 000,010,296 | ---- | C] () -- C:\Windows\System32\drivers\ASUSHWIO.SYS
[2006/11/02 08:56:48 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 08:47:43 | 000,251,672 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 06:33:01 | 000,595,446 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 06:33:01 | 000,101,144 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/02 03:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin

========== LOP Check ==========

[2011/03/30 12:15:46 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\BitTorrent
[2010/11/18 12:22:06 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\Foxit Software
[2011/03/07 23:04:22 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\Greyfirst
[2010/12/16 16:11:16 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\iolo
[2010/11/20 20:54:01 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\NeatImage PS
[2010/11/23 10:29:19 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\OpenOffice.org
[2011/01/26 13:42:45 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\PrimoPDF
[2011/03/01 15:19:38 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\Temp
[2011/02/18 16:18:09 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\Thunderbird
[2011/03/31 20:58:27 | 000,032,562 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 208 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84

< End of report >

ken545
2011-04-01, 12:46
Backup Your Registry with ERUNT:
Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
Inside the new folder, double-click ERUNT.exe to start the program
OK all the prompts to back up your registry to the default location. Note: to restore your registry, go to the backup folder and start ERDNT.exe
Open OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:processes
killallprocesses

:OTL
[2011/03/02 17:53:48 | 000,000,000 | ---D | C] -- C:\ProgramData\eMule
[2011/03/29 23:29:36 | 000,431,419 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20110329-233054.backup
@Alternate Data Stream - 208 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84


:Services

:Reg

:Files
ipconfig /flushdns /c



:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top. <-- not Run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces.
Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

cycleex
2011-04-01, 19:34
Sorry Ken, but I'm still getting erunt problems like before. See the attached error screenshots.

cycleex
2011-04-01, 19:42
By the way, I haven't said thank you for all the help you're giving so far. I appreciate it a bunch. If I can get through this and not lose all the images in my raid (HD1) I'll be real happy. I'm a photographer, so they are important to me.
Thank you.
Dave

ken545
2011-04-01, 22:41
Hello Dave,

I am sure you will be ok. Bypass ERUNT and go ahead and run the fix; we're really not removing anything registry related.

cycleex
2011-04-01, 22:43
Would it be ok to back up the registry with iolo System Mechanic? It has that feature.

cycleex
2011-04-01, 23:02
Here are the results of the fix log from OTL.

All processes killed
========== PROCESSES ==========
========== OTL ==========
C:\Windows\System32\drivers\etc\hosts.20110329-233054.backup moved successfully.
ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.
ADS C:\ProgramData\TEMP:430C6D84 deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\1\Desktop\cmd.bat deleted successfully.
C:\Users\1\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: 1
->Temp folder emptied: 31832 bytes
->Temporary Internet Files folder emptied: 17954373 bytes
->Java cache emptied: 17501 bytes
->FireFox cache emptied: 52381960 bytes
->Flash cache emptied: 122632 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 1102047 bytes

Total Files Cleaned = 68.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04012011_165433

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

cycleex
2011-04-01, 23:08
Hi Ken. Here is the scan log run after the custom fix...

OTL logfile created on: 4/1/2011 5:00:10 PM - Run 3
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\1\Desktop
Windows Vista Business Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 51.26 Gb Free Space | 34.39% Space Free | Partition Type: NTFS
Drive J: | 464.84 Gb Total Space | 282.31 Gb Free Space | 60.73% Space Free | Partition Type: NTFS

Computer Name: DAVESBIGMACHINE | User Name: 1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\1\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company)
PRC - C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
PRC - C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe (Authentium, Inc)
PRC - C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe (Authentium, Inc)
PRC - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe ()
PRC - C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe (VIA)
PRC - C:\Windows\System32\audiodg.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)


========== Modules (SafeList) ==========

MOD - C:\Users\1\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18523_none_5cdd65e20837faf2\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (ioloSystemService) -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (iolo technologies, LLC)
SRV - (ioloFileInfoList) -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (iolo technologies, LLC)
SRV - (sdCoreService) -- C:\Program Files\PC Tools Security\pctsSvc.exe (PC Tools)
SRV - (Kodak AiO Network Discovery Service) -- C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company)
SRV - (sdAuxService) -- C:\Program Files\PC Tools Security\pctsAuxs.exe (PC Tools)
SRV - (vseqrts) -- C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe (Authentium, Inc)
SRV - (vsedsps) -- C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe (Authentium, Inc)
SRV - (vseamps) -- C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe (Authentium, Inc)
SRV - (SBSDWSCService) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
SRV - (PSI_SVC_2) -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)


========== Driver Services (SafeList) ==========

DRV - (PCTCore) -- C:\Windows\system32\drivers\PCTCore.sys (PC Tools)
DRV - (pctEFA) -- C:\Windows\system32\drivers\pctEFA.sys (PC Tools)
DRV - (pctDS) -- C:\Windows\system32\drivers\pctDS.sys (PC Tools)
DRV - (FileDisk) -- C:\Windows\System32\drivers\filedisk.sys (iolo technologies, LLC (based on original work by Bo Brantén))
DRV - (AMP) -- C:\Windows\System32\drivers\amp.sys (Authentium, Inc)
DRV - (AMPSE) -- C:\Windows\System32\drivers\ampse.sys (Authentium, Inc)
DRV - (ElRawDisk) -- C:\Windows\System32\drivers\ElRawDsk.sys (EldoS Corporation)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (VIAHdAudAddService) -- C:\Windows\System32\drivers\viahduaa.sys (VIA Technologies, Inc.)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation )
DRV - (AtiPcie) ATI PCI Express (3GIO) -- C:\Windows\system32\DRIVERS\AtiPcie.sys (ATI Technologies Inc.)
DRV - (nsiproxy) -- C:\Windows\System32\drivers\nsiproxy.sys ()
DRV - (SiFilter) -- C:\Windows\system32\DRIVERS\SiWinAcc.sys (Silicon Image, Inc)
DRV - (SI3114r) -- C:\Windows\system32\DRIVERS\SI3114r.sys (Silicon Image, Inc)
DRV - (MTsensor) -- C:\Windows\System32\drivers\ASACPI.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 6C EB 20 59 84 C8 CB 01 [binary data]
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: calendar-timezones@mozilla.org:0.1.2008d
FF - prefs.js..extensions.enabledItems: default-palette@celtx.com:1.0
FF - prefs.js..extensions.enabledItems: emoticons-msn-smileys@m513901.de:0.1
FF - prefs.js..extensions.enabledItems: inspector@mozilla.org:2.0.0
FF - prefs.js..extensions.enabledItems: messagestyle-blackened@addons.instantbird.org:0.9
FF - prefs.js..extensions.enabledItems: messagestyle-depth@addons.instantbird.org:1.1
FF - prefs.js..extensions.enabledItems: messagestyle-minimal20@addons.instantbird.org:1.5

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/23 23:09:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/23 23:09:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.7\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/02/18 16:17:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.7\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2011/03/07 23:04:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Extensions
[2011/02/18 16:18:10 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/03/07 23:04:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Extensions\celtx@celtx.com
[2011/04/01 14:29:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions
[2010/11/18 00:14:03 | 000,000,000 | ---D | M] (Map This) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{05f6a7ea-896b-11da-8bde-f66bad1e3f3a}
[2010/11/21 01:04:13 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/01/08 00:10:40 | 000,000,000 | ---D | M] (New Tab Homepage) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
[2011/03/29 19:19:21 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/03/12 14:20:17 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2010/11/18 00:16:51 | 000,000,000 | ---D | M] (Zoom toolbar) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{FBFB7597-9E32-46b4-A500-8B6B0412777F}
[2011/03/29 19:19:41 | 000,000,000 | ---D | M] ("Xmarks") -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\foxmarks@kei.com
[2011/03/25 16:19:58 | 000,000,000 | ---D | M] (Cooliris) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\piclens@cooliris.com
[2011/03/25 16:19:58 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\piclens@cooliris.com-trash
[2011/01/26 13:54:53 | 000,000,000 | ---D | M] (printpdf) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\printpdf@pavlov.net
[2011/03/22 09:59:34 | 000,000,000 | ---D | M] (Screen Capture Elite) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\screencaptureelite@plugin
[2011/02/09 14:38:55 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/18 16:17:30 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/11/19 13:17:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/03/07 23:04:02 | 000,000,000 | ---D | M] (Timezone Definitions for Mozilla Calendar) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\CALENDAR-TIMEZONES@MOZILLA.ORG
[2011/03/07 23:04:02 | 000,000,000 | ---D | M] (Default Shot Palette) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\DEFAULT-PALETTE@CELTX.COM
[2011/03/07 23:04:02 | 000,000,000 | ---D | M] (MSN-Smileys) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\EMOTICONS-MSN-SMILEYS@M513901.DE
[2011/03/07 23:04:01 | 000,000,000 | ---D | M] (DOM Inspector) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\INSPECTOR@MOZILLA.ORG
[2011/03/07 23:04:01 | 000,000,000 | ---D | M] (Blackened) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-BLACKENED@ADDONS.INSTANTBIRD.ORG
[2011/03/07 23:04:01 | 000,000,000 | ---D | M] (Depth) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-DEPTH@ADDONS.INSTANTBIRD.ORG
[2011/03/07 23:04:01 | 000,000,000 | ---D | M] (Minimal) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-MINIMAL20@ADDONS.INSTANTBIRD.ORG
[2010/09/15 05:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/04/01 16:54:34 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4 - HKLM..\Run: [Conime] C:\Windows\System32\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe ()
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe (VIA)
O4 - HKLM..\Run: [iolo Startup] C:\Program Files\iolo\Common\Lib\ioloLManager.exe (iolo technologies, LLC)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Windows\System32\iavlsp.dll (iolo technologies, LLC)
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} https://www.select2perform.com/cabs/QOLCheck.ocx (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab (Java Plug-in 1.5.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.73.246 68.87.71.230
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\1\Desktop\November bike inner harbor\IMG_1788.JPG
O24 - Desktop BackupWallPaper: C:\Users\1\Desktop\November bike inner harbor\IMG_1788.JPG
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O35 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/01 16:54:33 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/04/01 13:34:41 | 000,000,000 | ---D | C] -- C:\Users\1\Desktop\erunt
[2011/03/31 21:44:25 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/03/31 21:44:21 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/03/31 21:44:21 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Local\temp
[2011/03/31 21:28:07 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/03/31 21:28:07 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/03/31 21:28:07 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/03/31 21:27:44 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/03/31 21:27:28 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2011/03/31 20:29:50 | 000,566,272 | ---- | C] (AVAST Software) -- C:\Users\1\Desktop\aswMBR.exe
[2011/03/31 16:06:40 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2011/03/30 21:04:30 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Roaming\Malwarebytes
[2011/03/30 21:04:25 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/03/30 21:04:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/03/30 21:04:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/03/30 21:04:19 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/03/30 21:04:18 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/03/30 20:54:51 | 000,000,000 | ---D | C] -- C:\Users\1\Desktop\insightdesk
[2011/03/30 20:47:44 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\1\Desktop\OTL.exe
[2011/03/30 20:45:24 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Users\1\Desktop\ATF-Cleaner.exe
[2011/03/30 15:55:47 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/03/30 07:22:44 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2011/03/29 23:04:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2011/03/29 23:04:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2011/03/29 23:04:09 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/03/29 20:34:56 | 000,656,320 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctEFA.sys
[2011/03/29 20:34:56 | 000,338,880 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctDS.sys
[2011/03/29 20:34:55 | 000,251,560 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctgntdi.sys
[2011/03/29 20:34:55 | 000,103,232 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctwfpfilter.sys
[2011/03/29 20:34:52 | 000,239,168 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTCore.sys
[2011/03/29 20:34:52 | 000,160,448 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTAppEvent.sys
[2011/03/29 20:34:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Tools Security
[2011/03/29 20:34:43 | 000,070,536 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctplsg.sys
[2011/03/29 20:34:30 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools Security
[2011/03/29 20:34:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2011/03/16 18:26:56 | 000,056,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\offreg.dll
[2011/03/09 10:06:14 | 000,429,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll
[2011/03/09 10:06:14 | 000,323,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sbe.dll
[2011/03/09 10:06:13 | 000,177,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax
[2011/03/09 10:06:13 | 000,153,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sbeio.dll
[2011/03/08 16:09:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics
[2011/03/08 16:09:42 | 000,000,000 | ---D | C] -- C:\Program Files\Auslogics
[2011/03/08 16:07:46 | 004,537,088 | ---- | C] (Auslogics Software Pty Ltd ) -- C:\Users\1\Desktop\duplicate-file-finder-setup.exe
[2011/03/07 23:04:22 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Roaming\Greyfirst
[2011/03/07 23:04:22 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Local\Greyfirst
[2011/03/07 23:04:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Celtx
[2011/03/07 23:03:56 | 000,000,000 | ---D | C] -- C:\Program Files\Celtx
[2011/03/02 17:53:48 | 000,000,000 | ---D | C] -- C:\ProgramData\eMule

========== Files - Modified Within 30 Days ==========

[2011/04/01 16:57:10 | 000,000,872 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/01 16:57:04 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/04/01 16:57:04 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/04/01 16:57:01 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/04/01 16:56:55 | 2144,485,376 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/01 16:54:34 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2011/04/01 16:53:56 | 000,595,446 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/04/01 16:53:56 | 000,101,144 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/04/01 15:12:04 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/01 13:34:17 | 000,513,320 | ---- | M] () -- C:\Users\1\Desktop\erunt.zip
[2011/03/31 21:00:46 | 000,000,512 | ---- | M] () -- C:\Users\1\Desktop\MBR.dat
[2011/03/31 20:33:35 | 000,078,157 | ---- | M] () -- C:\Users\1\Desktop\aswmbrlogshot.jpg
[2011/03/31 20:29:56 | 000,566,272 | ---- | M] (AVAST Software) -- C:\Users\1\Desktop\aswMBR.exe
[2011/03/31 19:55:07 | 000,017,744 | ---- | M] () -- C:\Users\1\Desktop\malwarebytes blocked on startup in tray msg.jpg
[2011/03/31 19:37:15 | 326,147,063 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/03/31 19:25:36 | 004,310,832 | R--- | M] () -- C:\Users\1\Desktop\ComboFix.exe
[2011/03/31 15:58:01 | 000,170,887 | ---- | M] () -- C:\Users\1\Desktop\erunt error 2.jpg
[2011/03/31 15:57:14 | 000,178,348 | ---- | M] () -- C:\Users\1\Desktop\erunt error.jpg
[2011/03/31 14:29:40 | 000,133,413 | ---- | M] () -- C:\Users\1\Desktop\junk error.jpg
[2011/03/31 13:44:29 | 000,102,988 | ---- | M] () -- C:\Users\1\Desktop\startup error.jpg
[2011/03/31 13:21:12 | 000,230,285 | ---- | M] () -- C:\Users\1\Desktop\host error.jpg
[2011/03/31 13:11:29 | 000,220,544 | ---- | M] () -- C:\Users\1\Desktop\askerror.jpg
[2011/03/30 21:04:47 | 000,009,946 | -HS- | M] () -- C:\Users\1\AppData\Local\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 21:04:25 | 000,000,938 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/30 20:53:29 | 000,009,954 | -HS- | M] () -- C:\ProgramData\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 20:47:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\1\Desktop\OTL.exe
[2011/03/30 20:45:25 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Users\1\Desktop\ATF-Cleaner.exe
[2011/03/30 20:43:36 | 000,001,356 | ---- | M] () -- C:\Users\1\AppData\Local\d3d9caps.dat
[2011/03/30 17:28:04 | 000,000,848 | -HS- | M] () -- C:\ProgramData\KGyGaAvL.sys
[2011/03/30 15:23:08 | 000,625,664 | ---- | M] () -- C:\Users\1\Desktop\dds.scr
[2011/03/29 20:35:15 | 001,772,938 | ---- | M] () -- C:\Windows\System32\drivers\Cat.DB
[2011/03/25 18:05:16 | 000,002,121 | ---- | M] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Earth.lnk
[2011/03/15 15:24:20 | 000,087,688 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\IncContxMenu.dll
[2011/03/15 15:23:32 | 000,011,776 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\smrgdf.exe
[2011/03/15 15:23:26 | 000,029,696 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\iolobtdfg.exe
[2011/03/15 15:21:16 | 002,234,552 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\Incinerator.dll
[2011/03/15 12:10:27 | 002,503,745 | ---- | M] () -- C:\Users\1\Desktop\Amy Ernst greatest person of the day Huffington.jpeg
[2011/03/08 16:07:49 | 004,537,088 | ---- | M] (Auslogics Software Pty Ltd ) -- C:\Users\1\Desktop\duplicate-file-finder-setup.exe
[2011/03/07 23:04:10 | 000,001,670 | ---- | M] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Celtx.lnk

========== Files Created - No Company Name ==========

[2011/04/01 13:34:15 | 000,513,320 | ---- | C] () -- C:\Users\1\Desktop\erunt.zip
[2011/03/31 21:28:07 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2011/03/31 21:28:07 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/03/31 21:28:07 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
[2011/03/31 21:28:07 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/03/31 21:28:07 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/03/31 20:33:35 | 000,078,157 | ---- | C] () -- C:\Users\1\Desktop\aswmbrlogshot.jpg
[2011/03/31 20:30:47 | 000,000,512 | ---- | C] () -- C:\Users\1\Desktop\MBR.dat
[2011/03/31 19:55:07 | 000,017,744 | ---- | C] () -- C:\Users\1\Desktop\malwarebytes blocked on startup in tray msg.jpg
[2011/03/31 19:25:34 | 004,310,832 | R--- | C] () -- C:\Users\1\Desktop\ComboFix.exe
[2011/03/31 16:06:07 | 326,147,063 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/03/31 15:58:00 | 000,170,887 | ---- | C] () -- C:\Users\1\Desktop\erunt error 2.jpg
[2011/03/31 15:57:14 | 000,178,348 | ---- | C] () -- C:\Users\1\Desktop\erunt error.jpg
[2011/03/31 14:29:40 | 000,133,413 | ---- | C] () -- C:\Users\1\Desktop\junk error.jpg
[2011/03/31 13:44:28 | 000,102,988 | ---- | C] () -- C:\Users\1\Desktop\startup error.jpg
[2011/03/31 13:38:02 | 2144,485,376 | -HS- | C] () -- C:\hiberfil.sys
[2011/03/31 13:21:12 | 000,230,285 | ---- | C] () -- C:\Users\1\Desktop\host error.jpg
[2011/03/31 13:11:29 | 000,220,544 | ---- | C] () -- C:\Users\1\Desktop\askerror.jpg
[2011/03/30 21:04:25 | 000,000,938 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/30 20:43:09 | 000,009,946 | -HS- | C] () -- C:\Users\1\AppData\Local\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 16:33:41 | 000,009,954 | -HS- | C] () -- C:\ProgramData\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 15:23:04 | 000,625,664 | ---- | C] () -- C:\Users\1\Desktop\dds.scr
[2011/03/25 18:05:16 | 000,002,121 | ---- | C] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Earth.lnk
[2011/03/15 12:10:25 | 002,503,745 | ---- | C] () -- C:\Users\1\Desktop\Amy Ernst greatest person of the day Huffington.jpeg
[2011/03/07 23:04:10 | 000,001,670 | ---- | C] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Celtx.lnk
[2011/02/09 17:18:52 | 000,000,418 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/02/09 14:16:25 | 000,000,094 | ---- | C] () -- C:\Windows\awshkwv.ini
[2011/02/04 20:33:09 | 000,000,010 | ---- | C] () -- C:\Windows\Wininit.ini
[2010/12/17 20:24:26 | 000,009,216 | ---- | C] () -- C:\Users\1\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/21 00:45:52 | 000,176,235 | ---- | C] () -- C:\Windows\System32\Primomonnt.dll
[2010/11/18 18:07:41 | 000,373,248 | ---- | C] () -- C:\Windows\EyeCand3.INI
[2010/11/18 17:35:19 | 000,000,848 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
[2010/11/17 23:54:02 | 000,074,703 | ---- | C] () -- C:\Windows\System32\mfc45.dll
[2010/11/17 22:13:09 | 000,007,680 | ---- | C] () -- C:\Windows\System32\drivers\ASACPI.sys
[2010/11/17 22:13:01 | 000,030,434 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
[2010/11/17 22:09:26 | 000,001,356 | ---- | C] () -- C:\Users\1\AppData\Local\d3d9caps.dat
[2009/12/20 21:42:18 | 000,000,314 | ---- | C] () -- C:\Windows\primopdf.ini
[2008/01/20 22:25:51 | 000,062,976 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2008/01/20 22:25:11 | 000,016,384 | ---- | C] () -- C:\Windows\System32\drivers\nsiproxy.sys
[2008/01/20 22:24:41 | 000,100,043 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2007/12/28 03:22:02 | 000,010,296 | ---- | C] () -- C:\Windows\System32\drivers\ASUSHWIO.SYS
[2006/11/02 08:56:48 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 08:47:43 | 000,251,672 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 06:33:01 | 000,595,446 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 06:33:01 | 000,101,144 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/02 03:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin

< End of report >
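The O35/O37 lines in the log above are the part of the report that matters most: the exefile "open" command is the registry template Windows uses to launch every .exe, and here it points at eba.exe instead of the file itself, so that loader runs ahead of every program started on the machine, security tools included. As an added example, not code from the thread or from OTL's author, this Python parser pulls those lines out of an OTL report and flags any handler that differs from the clean `"%1" %*` form; the sample lines are constructed in OTL's format using the path reported in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows runs a file type through the command stored under its shell\open\command
# key. OTL prints that command as O35 (the per-type "open" verb) and O37 (the
# extension's default handler). On a clean system both resolve to the file itself:
CLEAN_OPEN_COMMAND = '"%1" %*'

# Constructed sample in the shape OTL prints: the clean form next to a hijacked
# exefile handler that routes every .exe launch through a loader first. The eba.exe
# path is the one reported in this thread's log.
SAMPLE_LOG = r'''
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O35 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\...exe [@ = exefile] -- "%1" %*
'''

# O35/O37 line layout: "O35 - <hive>\..<type> [<verb>] -- <command>". The separator
# between hive and type is two or three dots, with or without a leading backslash.
LINE_RE = re.compile(
    r'^O(?P<section>35|37) - (?P<hive>.+?)\\?\.{2,3}(?P<ftype>\w+)\s*'
    r'\[(?P<verb>[^\]]*)\] -- (?P<command>.*)$'
)


@dataclass
class OpenCommand:
    section: str   # "35" or "37"
    hive: str      # HKLM, HKU\.DEFAULT or HKU\<SID>
    ftype: str     # exefile, comfile, exe, com, ...
    verb: str      # "open", or "@ = exefile" for O37 lines
    command: str   # the raw command template

    @property
    def is_hijacked(self) -> bool:
        # Anything other than the bare "%1" %* means a third program sits between
        # the user and every launch of this file type.
        return self.command.strip() != CLEAN_OPEN_COMMAND

    @property
    def interposed_program(self) -> Optional[str]:
        """Path of the program that runs instead of the file, or None when clean."""
        if not self.is_hijacked:
            return None
        cmd = self.command.strip()
        if cmd.startswith('"'):
            end = cmd.find('"', 1)
            return cmd[1:end] if end > 0 else cmd[1:]
        return cmd.split()[0]


def parse_open_commands(report: str) -> List[OpenCommand]:
    """Pull every O35/O37 line out of an OTL report; other lines are ignored."""
    found = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(OpenCommand(**m.groupdict()))
    return found


def find_hijacked(report: str) -> List[OpenCommand]:
    """Only the handlers that no longer launch the file directly."""
    return [oc for oc in parse_open_commands(report) if oc.is_hijacked]


def summarize(report: str) -> List[str]:
    """One readable line per hijacked handler, suitable for a triage note."""
    return [
        f"O{oc.section} {oc.hive} {oc.ftype}: launches go through {oc.interposed_program}"
        for oc in find_hijacked(report)
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Run against a full OTL report, the per-user hive entries that still read `"%1" %*` (as in this log) tell you which accounts were untouched, while the HKLM and .DEFAULT hits show the machine-wide hijack that needs to be undone before the loader file is removed.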

ken545
2011-04-02, 00:12
Great, how are things running now?

cycleex
2011-04-02, 00:51
Hi Ken. It seems much better now. Is there more to do? Were you able to determine exactly how the infection occurred or what site I got it from?

Also...is there any way to prevent it in the future except for the usual: update, firewall, AV programs, no P2P? I mean a patch or fix beyond the usual advice?

Lastly, do you have software recommendations for malware, adware and AV software?
Dave

ken545
2011-04-02, 01:11
Hello Dave,

Not sure how you got infected; P2P, an email attachment, wandering unknowingly into a bad site, there are many ways.



Open OTL and click on Clean Up and it will remove the programs we used to clean your system along with their backups.



How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community


Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.




Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

WinPatrol (www.winpatrol.com/download.html) Keep this fine program activated to block a lot of threats

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will in no way interfere with IE, you can use them both.



Safe Surfn
Ken

cycleex
2011-04-02, 02:53
Hi Ken-
Here is what I use currently. Are the tools you are recommending better than these?

iolo system mechanic 10 professional (if you aren't familiar, check it out)
spybot s+d (you do recommend this one don't ya?)
Spyware doctor

Also, won't running all these together cause conflicts or is that just for AV software?

Dave

ken545
2011-04-02, 03:05
Well,

Antivirus runs in the background and if you have more than one they will conflict, same with a firewall, but with Antispyware you can have more than one just as long as they all don't monitor in the background. I really can't recommend what programs you should and should not have as some react differently on some systems, so if what you have running is not causing any problems you can let them be. Outside of AVs, there is no need to purchase anything as all the tools we recommend are free and there also are free AVs if you wanted to go that route.

Myself, I use Norton Internet Security, Malwarebytes Pro, WinPatrol and Spybot, really don't have any need for much more.

Ken :)

cycleex
2011-04-02, 19:23
Thanks Ken! You have been a real pal! I see that you use Malwarebytes Pro. I also see all over the forums that people recommend that Malwarebytes only be used by professionals or with professional supervision. Would you say that I should not keep it on my system? I'm happy to dump it if you agree with the other people about this powerful software.

One more question, Firewalls. Should I use an alternate to the windows firewall because some viruses are written to bypass or manipulate the windows firewall? If so, which would you recommend?

Dave
P.S.
If I can ever be of help, just ask. My specialty is physical security design and project management, and my lifelong hobby has been photography (26 years).

ken545
2011-04-02, 21:28
Dave, one of the tools we recommend not to run without supervision is Combofix, all systems and infections are different and what this program can fix on one system can damage another.

As far as Malwarebytes, you have the free version, you can upgrade to the Pro version for around $20 or so, it's just a one time fee and you get the license for it. What the Pro version has that the free version does not is a Protection Module, what this will do is that if you should wander into a bad website you will get a PAGE NOT FOUND and then a pop-up from MBAM that it blocked a potentially bad site. I have this on all my systems and can't live without it, but to upgrade is totally your call.

Correct about the firewall, the Windows firewall blocks just incoming, third party firewalls block both incoming and outgoing.


Free Firewalls, like AV, you just need one. Also wanted to point out, depending on your router if you use one, most have a built in firewall, you would have to check if yours does or not. You can have one software and one hardware firewall with no problems.


Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp)
Sygate Personal Firewall Free Edition (http://www.filehippo.com/download_sygate_personal_firewall/)
Outpost Firewall Free (http://www.agnitum.com/products/outpostfree/index.php)


If you are into Physical Security, maybe you can help me get thru the darned Airport next time I fly :)

Hope this helps and answers your questions. By the way, when you run the clean up with OTL it will not remove MBAM and ATF Cleaner, you can keep them both, use them.

cycleex
2011-04-02, 21:56
Thanks for all the help and info Ken.
I do have some tips that help me in airports. I fly a lot.

Fly southwest if you can. They have a program that allows A level members to bypass the lines at the ID check at many airports. It is just like being part of the crew. You walk up your own line with no queue, show your ID and go to the screening line. It saves me bunches of time.

I have clothes I wear on airplanes. All cotton or wool, and leave the sweatshirt in the backpack. I like slip on shoes like Merrells http://www.merrell.com/US/en/Men-Footwear-Shoes-SlipOns

I also have a travel belt. It is a black police nylon duty belt with Velcro instead of a buckle. Saves time.

Leave the watch, rings, change and necklace in the backpack until after you pass security.

When going through the x-ray area, put your backpack through before your shoes and coat so it is ready on the other end before your laptop goes through.

Above all, be early, be relaxed and chill. Enjoy the fun of an airport. Get a latte or green tea chai and a new, overpriced paperback. Lee Child is a favorite.

That's it.

Happy travels and thanks again.

ken545
2011-04-03, 01:27
You're very welcome, thanks for the tips.

Ken

cycleex
2011-04-03, 01:32
Say Ken, one more thing... Everything seems great now except for one item. I have an iGoogle homepage with several gadgets like news and weather. They no longer load, and my iGoogle home page only has the chosen custom color and the search box. I am running:

WinPatrol
Spybot S&D without TeaTimer
Spyware Doctor
SpywareGuard
SpywareBlaster

Comodo firewall free version

I also continually get this file type alert, about every 15 minutes, despite choosing to ignore or accept the change.

Any ideas?

ken545
2011-04-03, 01:40
That's something that was removed earlier, so deny the change. You can right-click on Scotty and disable the notifications.


Please download OTM by OldTimer (http://oldtimer.geekstogo.com/OTM.exe) and save it to your desktop.
Double click the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/OTMdesktopicon.png icon on your desktop.
Paste the following code under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/pasteline.png area.
Do not include the word "Code".



:Processes
explorer.exe

:Services

:Reg

:Files
C:\windows\system32\config\systemprofile\AppData\Local\eba.exe


:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Push the large http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/btnmoveit.png button.
OTM may ask to reboot the machine. Please do so if asked.
Copy/Paste the contents under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/results.png line here in your next reply.
If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
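The OTM script above kills explorer.exe, moves one file out of the SYSTEM profile and empties the temp folders. What a helper usually wants to confirm afterwards, and what the log alone does not show, is that nothing else on the box still points at that file. The following is an added example, not part of this thread or of OTM: it takes the same path the script targeted, reports whether it still exists, and searches the common Run/RunOnce/Winlogon autostart values and scheduled tasks for any reference to its filename. It assumes Windows PowerShell 2.0 or later is installed (an optional component on Vista) and is run from an elevated prompt; the list of registry keys and the use of schtasks are my choices, not something the thread prescribes.

```powershell
# Added example (not from the thread or from OTM): verify that the file OTM was
# told to move is gone and that no common autostart location still references it.
# Assumes Windows PowerShell 2.0+ (needed for ConvertFrom-Csv), run elevated.
$suspect = 'C:\Windows\System32\config\systemprofile\AppData\Local\eba.exe'

if (Test-Path -LiteralPath $suspect) {
    $f = Get-Item -LiteralPath $suspect -Force
    Write-Output "STILL PRESENT: $suspect ($($f.Length) bytes, modified $($f.LastWriteTime))"
} else {
    Write-Output "Not found (already removed): $suspect"
}

# Autostart locations to inspect. Winlogon is included because its Shell and
# Userinit values are a common place for droppers to hook themselves in.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Match on the bare filename so a reference using 8.3 or a different drive
# letter for the same file is still caught.
$needle = [regex]::Escape([System.IO.Path]::GetFileName($suspect))   # eba\.exe

foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip PSPath, PSParentPath, etc.
        if ("$($p.Value)" -match $needle) {
            Write-Output "REFERENCE: $key\$($p.Name) = $($p.Value)"
        }
    }
}

# Scheduled tasks are another persistence spot OTM's :Files section does not
# touch. schtasks ships with Vista; repeated header rows in its CSV output
# simply fail the match and are ignored.
schtasks /query /fo CSV /v 2>$null |
    ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match $needle } |
    ForEach-Object { Write-Output "TASK: $($_.TaskName) -> $($_.'Task To Run')" }
```

Any REFERENCE or TASK line that comes back is a leftover autostart entry that should be handed to the helper rather than deleted blindly, since the value may also carry legitimate entries (the Winlogon Shell value normally contains explorer.exe, for instance).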

cycleex
2011-04-03, 03:14
Hey Ken-
Is this what you're wanting?

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder C:\windows\system32\config\systemprofile\AppData\Local\eba.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: 1
->Temp folder emptied: 36792 bytes
->Temporary Internet Files folder emptied: 1819294 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 101704926 bytes
->Flash cache emptied: 1851 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 311667 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 68262666 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 362453 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 165.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 04022011_195232

Files moved on Reboot...
File C:\Windows\temp\fb_2744.lck not found!

Registry entries deleted on Reboot...

cycleex
2011-04-03, 03:24
I just got that WinPatrol message again. I denied it this time. I do have my iGoogle gadgets back though. What is causing that message to reoccur? Is it some Google update thing?

cycleex
2011-04-03, 04:38
This might be of interest: a screengrab of my Scotty log and the alert.

ken545
2011-04-03, 09:50
That file is no longer around. I would right-click on Scotty and disable the background monitoring, or uninstall the program. It's a great program but can drive you batty at times.