View Full Version : Cannot remove conduit
I have read "BEFORE you POST" instructions.
I have tried everything to remove Conduit. So now I am here.
1). Here is the DDS Log:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Rob Caldwell at 15:43:56 on 2012-07-26
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3573.1589 [GMT -4:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
C:\Users\Rob Caldwell\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\HMA! Pro VPN\bin\HMA! Pro VPN.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Tweet Adder 3\TweetAdder3.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\FileZilla FTP Client\filezilla.exe
C:\Program Files\HMA! Pro VPN\bin\openvpnserv.exe
C:\Program Files\HMA! Pro VPN\bin\openvpn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
uWindow Title = Internet Explorer provided by Dell
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
TB: {9D0F7EB2-452D-4766-B535-8D23E36C300E} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [iCloudServices] c:\program files\common files\apple\internet services\iCloudServices.exe
uRun: [MobileDocuments] c:\program files\common files\apple\internet services\ubd.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11e_Plugin.exe -update plugin
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [MS Word Extract Email Addresses From Documents Software.exe]
StartupFolder: c:\users\robcal~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\rob caldwell\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\robcal~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\users\robcal~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\hmapro~1.lnk - c:\program files\hma! pro vpn\bin\HMA! Pro VPN.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220
TCP: Interfaces\{198900CA-A070-4EDA-8188-257334FEFBBE} : DhcpNameServer = 216.136.95.2 64.132.94.250 8.8.8.8
TCP: Interfaces\{2EA65902-CA22-4DE2-8E45-5E441FE41949} : DhcpNameServer = 10.0.0.1
TCP: Interfaces\{873AD3DD-6988-42D0-977C-742927A8EE92} : DhcpNameServer = 10.0.0.1
TCP: Interfaces\{FE0B6538-7289-4A7B-A423-6DC932A236D7} : DhcpNameServer = 208.67.222.222 208.67.220.220
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\rob caldwell\appdata\roaming\mozilla\firefox\profiles\jhvud1s7.default\
FF - prefs.js: browser.startup.homepage - hxxp://drudgereport.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\rob caldwell\appdata\roaming\mozilla\firefox\profiles\jhvud1s7.default\extensions\{9d0f7eb2-452d-4766-b535-8d23e36c300e}\plugins\np-mswmp.dll
.
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=113959&tt=2912_4
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - c041301e000000000000001a73afe439
FF - user.js: extensions.BabylonToolbar_i.hardId - c041301e000000000000001a73afe439
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15541
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1716:00:44
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-7-10 721000]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-7-10 353688]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-7-10 21256]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-7-10 57656]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-7-10 44808]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-23 21504]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-8-12 1153368]
R3 BackLogAFK;BackLogA Keyboard Class Upper Filter Driver;c:\windows\system32\drivers\BackLogAFK.sys [2010-3-22 12800]
R3 BackLogAFM;BackLogA Mouse Class Upper Filter Driver;c:\windows\system32\drivers\BackLogAFM.sys [2010-3-22 12288]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-21 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-21 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-26 113120]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-9-23 16896]
.
=============== Created Last 30 ================
.
2012-07-26 19:09:47 -------- d-----w- c:\users\rob caldwell\appdata\roaming\DriverCure
2012-07-26 19:09:46 -------- d-----w- c:\users\rob caldwell\appdata\roaming\ParetoLogic
2012-07-26 19:09:33 -------- d-----w- c:\programdata\ParetoLogic
2012-07-26 19:09:33 -------- d-----w- c:\program files\ParetoLogic
2012-07-26 05:58:21 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{0e24d655-f31e-4aa0-8227-cfc945ed8b85}\offreg.dll
2012-07-25 18:43:18 -------- d-----w- c:\users\rob caldwell\appdata\local\Conduit
2012-07-24 12:07:47 -------- d-----w- c:\program files\HMA! Pro VPN
2012-07-24 05:59:26 6891424 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{0e24d655-f31e-4aa0-8227-cfc945ed8b85}\mpengine.dll
2012-07-20 20:03:14 137000 ----a-w- c:\windows\system32\MSMAPI32.OCX
2012-07-20 20:03:14 116224 ----a-w- c:\windows\system32\pdfcmnnt.dll
2012-07-20 20:03:12 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
2012-07-20 20:03:12 -------- d-----w- c:\program files\PDFCreator
2012-07-20 14:44:22 -------- d-----w- c:\users\rob caldwell\appdata\roaming\Nvu
2012-07-18 18:20:24 -------- d-----w- c:\programdata\Magic Submitter
2012-07-18 18:20:24 -------- d-----w- c:\program files\Alexandr Krulik
2012-07-15 19:17:12 -------- d-----w- c:\program files\Tweet Adder 3
2012-07-11 17:08:14 -------- d-----w- c:\program files\OnlyWire
2012-07-11 13:02:05 -------- d-----w- c:\users\rob caldwell\appdata\local\Seesmic
2012-07-11 13:01:05 -------- d-----w- c:\program files\Seesmic Ping
2012-07-11 07:08:07 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-07-10 23:05:23 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-07-10 23:05:22 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-07-10 23:05:22 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-07-10 23:05:14 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
2012-07-10 23:04:15 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-07-10 23:04:14 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-07-10 23:04:13 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-10 23:04:13 278528 ----a-w- c:\windows\system32\schannel.dll
2012-07-10 23:04:13 204288 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-08 19:02:21 -------- d-----w- c:\users\rob caldwell\appdata\roaming\TweetAdder3
2012-07-05 16:53:46 -------- d-----w- c:\program files\MS Word Extract Email Addresses From Documents Software
.
==================== Find3M ====================
.
2012-07-03 16:21:53 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-07-03 16:21:53 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-07-03 16:21:32 41224 ----a-w- c:\windows\avastSS.scr
2012-06-23 14:44:09 286720 ------w- c:\windows\Setup1.exe
2012-06-08 14:58:52 1110476 ----a-w- c:\users\rob caldwell\7z920.exe
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-05-31 16:25:14 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-05-01 14:03:49 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 15:44:31.11 ===============
2). I am not sure why I have to Zip the ATTACH file as it is only 9kb and I do not have a ZIP program.
3). Here is the aswMBR Log:
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-26 15:52:23
-----------------------------
15:52:23.316 OS Version: Windows 6.0.6002 Service Pack 2
15:52:23.316 Number of processors: 2 586 0xF0D
15:52:23.318 ComputerName: ROBCALDWELL-PC UserName: Rob Caldwell
15:52:33.352 Initialize success
15:52:33.437 AVAST engine defs: 12072601
15:53:02.022 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
15:53:02.025 Disk 0 Vendor: Hitachi_ SB2O Size: 76319MB BusType: 3
15:53:02.050 Disk 0 MBR read successfully
15:53:02.053 Disk 0 MBR scan
15:53:02.058 Disk 0 Windows VISTA default MBR code
15:53:02.063 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 78 MB offset 63
15:53:02.076 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 161792
15:53:02.094 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 63439 MB offset 21133312
15:53:02.099 Disk 0 Partition - 00 0F Extended LBA 2560 MB offset 151056384
15:53:02.136 Disk 0 Partition 4 00 DD MSDOS5.0 2559 MB offset 151058432
15:53:02.144 Disk 0 scanning sectors +156299264
15:53:02.207 Disk 0 scanning C:\Windows\system32\drivers
15:53:14.734 Service scanning
15:53:39.875 Modules scanning
15:53:49.505 Disk 0 trace - called modules:
15:53:49.578 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
15:53:49.585 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f98780]
15:53:49.592 3 CLASSPNP.SYS[8c7a68b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x86495030]
15:53:50.120 AVAST engine scan C:\Windows
15:53:52.801 AVAST engine scan C:\Windows\system32
15:56:24.670 AVAST engine scan C:\Windows\system32\drivers
15:56:45.545 AVAST engine scan C:\Users\Rob Caldwell
16:03:56.010 AVAST engine scan C:\ProgramData
16:06:49.729 Scan finished successfully
16:09:32.179 Disk 0 MBR has been saved successfully to "C:\Users\Rob Caldwell\Desktop\Utility Programs\Virus Files\MBR.dat"
16:09:32.186 The log file has been saved successfully to "C:\Users\Rob Caldwell\Desktop\Utility Programs\Virus Files\aswMBR.txt"
Thank you in advance for your help!
Rob Caldwell
:snwelcome:
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.
Running programs with Vista or Windows 7 , you need to Right Click on the program and select RUN AS ADMINISTATOR
You should be able to right click on any file or folder and use the Send To Zip option.
Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please
OTL by OldTimer
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
Hi Ken545,
I ran the malwarebytes scan. It found one infection. I restarted my PC. Conduit is still in my browser.
Here are the results of the scan:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.01.04
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Rob Caldwell :: ROBCALDWELL-PC [administrator]
8/1/2012 9:38:00 AM
mbam-log-2012-08-01 (09-38-00).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 202610
Time elapsed: 8 minute(s), 15 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Users\Rob Caldwell\Downloads\PaintSetup.exe (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.
(end)
--------------------------------------------
Here is the OTL Scan
----------------------------------------------
OTL logfile created on: 8/1/2012 10:03:08 AM - Run 3
OTL by OldTimer - Version 3.2.55.0 Folder = C:\Users\Rob Caldwell\Downloads
Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
3.49 Gb Total Physical Memory | 2.24 Gb Available Physical Memory | 64.32% Memory free
6.41 Gb Paging File | 5.34 Gb Available in Paging File | 83.21% Paging File free
Paging file location(s): c:\pagefile.sys 3112 3112 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 61.95 Gb Total Space | 13.56 Gb Free Space | 21.89% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.56 Gb Free Space | 65.59% Space Free | Partition Type: NTFS
Drive E: | 33.71 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Computer Name: ROBCALDWELL-PC | User Name: Rob Caldwell | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Users\Rob Caldwell\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
PRC - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
PRC - C:\Users\Rob Caldwell\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
PRC - C:\Program Files\Common Files\Apple\Internet Services\ubd.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\HMA! Pro VPN\bin\HMA! Pro VPN.exe (NetcoSolutions)
PRC - C:\Program Files\HMA! Pro VPN\bin\openvpn.exe ()
PRC - C:\Program Files\HMA! Pro VPN\bin\openvpnserv.exe ()
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
PRC - C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (SigmaTel, Inc.)
PRC - C:\Windows\System32\stacsv.exe (SigmaTel, Inc.)
========== Modules (No Company Name) ==========
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8bbcd31ecc8edc7d1f9cdd83ef2bb2d3\System.ServiceProcess.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\508b444db523c5cf20ff12c7f440837b\System.Web.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\f2691cfa7671cdc58179e56ba9227591\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\18f9789aa214c657113e676b3a9015aa\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\846b9cf2756fdd15f704c9bab9c70b6f\System.Runtime.Remoting.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\bd76aaaa03ddc15d1840207b5a480644\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\1b337cf9a031145849bc48c11b2cfe58\Accessibility.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\d2630342a066a7cb9056d9eb6157687a\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\0f2b877ed16daa577f95be735a63d19c\System.Core.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\28d633338fc8d29f8af31935ef7d001b\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\af9c9e9d7e0523cd444f8b551baa9cbf\mscorlib.ni.dll ()
MOD - C:\Program Files\FileZilla FTP Client\fzshellext.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll ()
MOD - C:\Windows\System32\igfxTMM.dll ()
MOD - C:\Windows\System32\bcmwlrmt.dll ()
========== Win32 Services (SafeList) ==========
SRV - (SBSDWSCService) -- C:\Program Files\Spybot File not found
SRV - (RoxLiveShare9) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe File not found
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (avast! Antivirus) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
SRV - (AdobeARMservice) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (OpenVPNService) -- C:\Program Files\HMA! Pro VPN\bin\openvpnserv.exe ()
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (WcesComm) -- C:\Windows\WindowsMobile\wcescomm.dll (Microsoft Corporation)
SRV - (RapiMgr) -- C:\Windows\WindowsMobile\rapimgr.dll (Microsoft Corporation)
SRV - (STacSV) -- C:\Windows\System32\stacsv.exe (SigmaTel, Inc.)
========== Driver Services (SafeList) ==========
DRV - (slabser) -- system32\DRIVERS\slabser.sys File not found
DRV - (slabbus) -- system32\DRIVERS\slabbus.sys File not found
DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found
DRV - (KAPFA) -- C:\Windows\system32\drivers\KAPFA.SYS File not found
DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found
DRV - (cpuz132) -- C:\Users\ROBCAL~1\AppData\Local\Temp\cpuz132\cpuz132_x32.sys File not found
DRV - (catchme) -- C:\Users\ROBCAL~1\AppData\Local\Temp\catchme.sys File not found
DRV - (blbdrive) -- C:\Windows\system32\drivers\blbdrive.sys File not found
DRV - (aswTdi) -- C:\Windows\System32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswSnx) -- C:\Windows\System32\drivers\aswSnx.sys (AVAST Software)
DRV - (aswSP) -- C:\Windows\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswMonFlt) -- C:\Windows\System32\drivers\aswMonFlt.sys (AVAST Software)
DRV - (aswRdr) -- C:\Windows\System32\drivers\aswRdr.sys (AVAST Software)
DRV - (aswFsBlk) -- C:\Windows\System32\drivers\aswFsBlk.sys (AVAST Software)
DRV - (tap0901) -- C:\Windows\System32\drivers\tap0901.sys (The OpenVPN Project)
DRV - (BackLogAFK) -- C:\Windows\System32\drivers\BackLogAFK.sys (Envoy)
DRV - (BackLogAFM) -- C:\Windows\System32\drivers\BackLogAFM.sys (Envoy)
DRV - (MREMP50) -- C:\Program Files\Common Files\Motive\MREMP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (MRESP50) -- C:\Program Files\Common Files\Motive\MRESP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (WSDPrintDevice) -- C:\Windows\System32\drivers\WSDPrint.sys (Microsoft Corporation)
DRV - (OEM02Vfx) -- C:\Windows\System32\drivers\OEM02Vfx.sys (EyePower Games Pte. Ltd.)
DRV - (OEM02Dev) -- C:\Windows\System32\drivers\OEM02Dev.sys (Creative Technology Ltd.)
DRV - (STHDA) -- C:\Windows\System32\drivers\stwrt.sys (SigmaTel, Inc.)
DRV - (BT) -- C:\Windows\System32\drivers\btnetdrv.sys (IVT Corporation.)
DRV - (Btcsrusb) -- C:\Windows\System32\drivers\btcusb.sys (IVT Corporation.)
DRV - (BlueletAudio) -- C:\Windows\System32\drivers\blueletaudio.sys (IVT Corporation.)
DRV - (BlueletSCOAudio) -- C:\Windows\System32\drivers\BlueletSCOAudio.sys (IVT Corporation.)
DRV - (BTHidMgr) -- C:\Windows\System32\drivers\BtHidMgr.sys (IVT Corporation.)
DRV - (BTHidEnum) -- C:\Windows\System32\drivers\VBTEnum.sys (IVT Corporation.)
DRV - (VcommMgr) -- C:\Windows\System32\drivers\VCommMgr.sys (IVT Corporation.)
DRV - (VComm) -- C:\Windows\System32\drivers\VComm.sys (IVT Corporation.)
DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)
DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
DRV - (bcm4sbxp) -- C:\Windows\System32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (Afc) -- C:\Windows\System32\drivers\afc.sys (Arcsoft, Inc.)
DRV - (R300) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (e1express) -- C:\Windows\System32\drivers\e1e6032.sys (Intel Corporation)
DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.)
DRV - (ser2plms) -- C:\Windows\System32\drivers\ser2plms.sys (Prolific Technology Inc.)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 9E 86 54 0F 5D B6 02 49 BD 43 B6 D3 32 57 25 05 [binary data]
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 9E 86 54 0F 5D B6 02 49 BD 43 B6 D3 32 57 25 05 [binary data]
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 9E 86 54 0F 5D B6 02 49 BD 43 B6 D3 32 57 25 05 [binary data]
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 9E 86 54 0F 5D B6 02 49 BD 43 B6 D3 32 57 25 05 [binary data]
IE - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\..\SearchScopes\{54011589-DBDC-4249-82F5-E9CC1C81C981}: "URL" = http://search.avg.com/route/?d=4e14e0f6&v=7.5.30.4&i=23&tp=chrome&q={searchTerms}&lng={language}&iy=&ychte=us
IE - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=
IE - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://search.yahoo.com/search?p={searchTerms}&fr=chr-atty
IE - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\..\SearchScopes\Yahoo!: "URL" = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
IE - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - user.js - File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@garmin.com/GpsControl: C:\Program Files\Garmin GPS Plugin\npGarmin.dll (GARMIN Corp.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.4: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Motive, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012/07/09 17:02:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/07/18 14:41:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/06/15 14:29:21 | 000,000,000 | ---D | M]
[2010/10/26 08:11:08 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Rob Caldwell\AppData\Roaming\Mozilla\Extensions
[2010/10/26 08:11:08 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Rob Caldwell\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2012/07/25 14:42:29 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Rob Caldwell\AppData\Roaming\Mozilla\Firefox\Profiles\jhvud1s7.default\extensions
[2011/09/25 15:39:28 | 000,000,000 | ---D | M] (Garmin Communicator) -- C:\Users\Rob Caldwell\AppData\Roaming\Mozilla\Firefox\Profiles\jhvud1s7.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
[2010/05/11 08:50:28 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Rob Caldwell\AppData\Roaming\Mozilla\Firefox\Profiles\jhvud1s7.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/06/18 23:03:16 | 000,000,000 | ---D | M] (AddThis) -- C:\Users\Rob Caldwell\AppData\Roaming\Mozilla\Firefox\Profiles\jhvud1s7.default\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79}
[2012/07/25 14:42:30 | 000,000,000 | ---D | M] (InternetHelper Community Toolbar) -- C:\Users\Rob Caldwell\AppData\Roaming\Mozilla\Firefox\Profiles\jhvud1s7.default\extensions\{9d0f7eb2-452d-4766-b535-8d23e36c300e}
[2012/01/10 23:21:34 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2008/09/22 18:59:06 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\inspector@mozilla.org
[2007/11/08 19:01:14 | 000,000,000 | ---D | M] (Mozilla Settings for November 2007) -- C:\Program Files\Mozilla Firefox\extensions\mozilla02@partners.mozilla.com
[2012/07/18 14:41:03 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/10/03 05:06:04 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/09/30 15:13:20 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/09 11:02:54 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
O1 HOSTS File: ([2012/07/27 22:30:45 | 000,443,125 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 15246 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - No CLSID value found.
O3 - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\..\Toolbar\WebBrowser: (no name) - {9D0F7EB2-452D-4766-B535-8D23E36C300E} - No CLSID value found.
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [MS Word Extract Email Addresses From Documents Software.exe] File not found
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (SigmaTel, Inc.)
O4 - HKU\S-1-5-21-3294347943-1937636801-923172872-1000..\Run: [iCloudServices] C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe (Apple Inc.)
O4 - HKU\S-1-5-21-3294347943-1937636801-923172872-1000..\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe (Apple Inc.)
O4 - HKU\S-1-5-21-3294347943-1937636801-923172872-1000..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Users\Rob Caldwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Rob Caldwell\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Users\Rob Caldwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Users\Rob Caldwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HMA Pro VPN 2.0.lnk = C:\Program Files\HMA! Pro VPN\bin\HMA! Pro VPN.exe (NetcoSolutions)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = [binary data]
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.67.222.222 208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{198900CA-A070-4EDA-8188-257334FEFBBE}: DhcpNameServer = 216.136.95.2 64.132.94.250 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2EA65902-CA22-4DE2-8E45-5E441FE41949}: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{873AD3DD-6988-42D0-977C-742927A8EE92}: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FE0B6538-7289-4A7B-A423-6DC932A236D7}: DhcpNameServer = 208.67.222.222 208.67.220.220
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Rob Caldwell\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Rob Caldwell\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2007/06/06 18:55:56 | 000,000,027 | R--- | M] () - E:\Autorun.inf -- [ CDFS ]
O33 - MountPoints2\{2e148f11-7fed-11dc-8416-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{2e148f11-7fed-11dc-8416-806e6f6e6963}\Shell\AutoRun\command - "" = E:\setup.exe -- [2007/06/06 18:58:40 | 000,260,880 | R--- | M] (IVT Corporation )
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
========== Files/Folders - Created Within 30 Days ==========
[2012/08/01 09:35:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/08/01 09:35:41 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/08/01 09:35:41 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/07/31 16:29:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweet Adder 3
[2012/07/31 16:29:38 | 000,000,000 | ---D | C] -- C:\Program Files\Tweet Adder 3
[2012/07/26 15:34:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2012/07/26 15:34:29 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2012/07/26 15:09:47 | 000,000,000 | ---D | C] -- C:\Users\Rob Caldwell\AppData\Roaming\DriverCure
[2012/07/26 15:09:46 | 000,000,000 | ---D | C] -- C:\Users\Rob Caldwell\AppData\Roaming\ParetoLogic
[2012/07/26 15:09:33 | 000,000,000 | ---D | C] -- C:\ProgramData\ParetoLogic
[2012/07/26 15:09:33 | 000,000,000 | ---D | C] -- C:\Program Files\ParetoLogic
[2012/07/25 14:43:18 | 000,000,000 | ---D | C] -- C:\Users\Rob Caldwell\AppData\Local\Conduit
[2012/07/24 08:07:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HMA! Pro VPN
[2012/07/24 08:07:47 | 000,000,000 | ---D | C] -- C:\Program Files\HMA! Pro VPN
[2012/07/20 16:03:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDFCreator
[2012/07/20 16:03:14 | 000,137,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSMAPI32.OCX
[2012/07/20 16:03:12 | 000,023,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSMPIDE.DLL
[2012/07/20 16:03:12 | 000,000,000 | ---D | C] -- C:\Program Files\PDFCreator
[2012/07/20 10:44:22 | 000,000,000 | ---D | C] -- C:\Users\Rob Caldwell\AppData\Roaming\Nvu
[2012/07/18 14:20:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Magic Submitter
[2012/07/18 14:20:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Magic Submitter
[2012/07/18 14:20:24 | 000,000,000 | ---D | C] -- C:\Program Files\Alexandr Krulik
[2012/07/13 09:40:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2012/07/13 09:40:09 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2012/07/11 13:08:14 | 000,000,000 | ---D | C] -- C:\Program Files\OnlyWire
[2012/07/11 09:02:05 | 000,000,000 | ---D | C] -- C:\Users\Rob Caldwell\AppData\Local\Seesmic
[2012/07/11 09:01:13 | 000,000,000 | ---D | C] -- C:\Users\Rob Caldwell\Documents\Seesmic
[2012/07/11 09:01:05 | 000,000,000 | ---D | C] -- C:\Program Files\Seesmic Ping
[2012/07/11 03:08:07 | 002,047,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2012/07/11 03:01:49 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2012/07/11 03:01:47 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2012/07/11 03:01:47 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2012/07/11 03:01:46 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2012/07/11 03:01:45 | 001,800,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2012/07/11 03:01:45 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2012/07/11 03:01:43 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2012/07/10 19:04:13 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ncrypt.dll
[2012/07/08 15:02:21 | 000,000,000 | ---D | C] -- C:\Users\Rob Caldwell\AppData\Roaming\TweetAdder3
[2012/07/08 14:59:01 | 005,343,523 | ---- | C] (TweetAdder.com) -- C:\Users\Rob Caldwell\Documents\tweetadder3.exe
[2012/07/07 10:53:21 | 000,000,000 | ---D | C] -- C:\Users\Rob Caldwell\Desktop\Head Shot
[2012/07/05 12:53:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MS Word Extract Email Addresses From Documents Software
[2012/07/05 12:53:46 | 000,000,000 | ---D | C] -- C:\Program Files\MS Word Extract Email Addresses From Documents Software
[2011/11/08 08:49:53 | 002,013,344 | ---- | C] (Rex Ventrue Group LLC) -- C:\Users\Rob Caldwell\ShoppingDaisy_Setup.exe
[3 C:\Users\Rob Caldwell\*.tmp files -> C:\Users\Rob Caldwell\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2012/08/01 09:51:04 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/08/01 09:50:58 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/08/01 09:50:58 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/08/01 09:50:44 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/08/01 09:22:00 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/08/01 09:21:19 | 000,000,328 | ---- | M] () -- C:\Windows\tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
[2012/07/31 16:29:40 | 000,000,850 | ---- | M] () -- C:\Users\Public\Desktop\TweetAdder3.lnk
[2012/07/30 15:11:20 | 000,034,703 | ---- | M] () -- C:\Users\Rob Caldwell\Desktop\ACH Delay.jpg
[2012/07/28 06:55:30 | 000,000,302 | ---- | M] () -- C:\Windows\tasks\Spybot - Search & Destroy - Scheduled Task.job
[2012/07/27 22:30:45 | 000,443,125 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/07/26 15:34:47 | 000,000,875 | ---- | M] () -- C:\Users\Rob Caldwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/07/26 10:19:33 | 000,006,363 | ---- | M] () -- C:\Users\Rob Caldwell\.recently-used.xbel
[2012/07/24 17:10:21 | 000,001,818 | ---- | M] () -- C:\Users\Rob Caldwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HMA Pro VPN 2.0.lnk
[2012/07/24 08:07:49 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\HMA! Pro VPN.lnk
[2012/07/22 12:15:32 | 000,000,083 | ---- | M] () -- C:\Users\Rob Caldwell\Desktop\How Does Empower Network Work My Expert Review Empower Network TheEmpowerNetwork.Co.URL
[2012/07/20 16:00:51 | 000,000,484 | ---- | M] () -- C:\user.js
[2012/07/19 21:19:01 | 000,442,822 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20120727-223045.backup
[2012/07/18 22:11:15 | 000,442,766 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20120719-211901.backup
[2012/07/18 14:23:22 | 000,001,021 | ---- | M] () -- C:\Users\Rob Caldwell\Desktop\Magic Submitter.lnk
[2012/07/12 21:51:47 | 000,442,766 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20120718-221115.backup
[2012/07/11 07:45:37 | 000,000,900 | ---- | M] () -- C:\Users\Rob Caldwell\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
[2012/07/11 03:27:42 | 000,408,176 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/07/09 17:02:05 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2012/07/09 13:14:44 | 000,442,292 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20120712-215147.backup
[2012/07/08 14:59:05 | 005,343,523 | ---- | M] (TweetAdder.com) -- C:\Users\Rob Caldwell\Documents\tweetadder3.exe
[2012/07/05 12:53:48 | 000,001,330 | ---- | M] () -- C:\Users\Public\Desktop\MS Word Extract Email Addresses From Documents Software.lnk
[2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/07/03 12:21:54 | 000,054,232 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2012/07/03 12:21:53 | 000,721,000 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2012/07/03 12:21:53 | 000,353,688 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2012/07/03 12:21:53 | 000,057,656 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2012/07/03 12:21:53 | 000,035,928 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2012/07/03 12:21:53 | 000,021,256 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2012/07/03 12:21:32 | 000,041,224 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2012/07/03 12:21:28 | 000,227,648 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[3 C:\Users\Rob Caldwell\*.tmp files -> C:\Users\Rob Caldwell\*.tmp -> ]
========== Files Created - No Company Name ==========
[2012/07/30 15:11:20 | 000,034,703 | ---- | C] () -- C:\Users\Rob Caldwell\Desktop\ACH Delay.jpg
[2012/07/26 15:34:47 | 000,000,875 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/07/26 10:19:33 | 000,006,363 | ---- | C] () -- C:\Users\Rob Caldwell\.recently-used.xbel
[2012/07/24 17:10:21 | 000,001,818 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HMA Pro VPN 2.0.lnk
[2012/07/24 08:07:49 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\HMA! Pro VPN.lnk
[2012/07/22 12:15:32 | 000,000,083 | ---- | C] () -- C:\Users\Rob Caldwell\Desktop\How Does Empower Network Work My Expert Review Empower Network TheEmpowerNetwork.Co.URL
[2012/07/20 16:03:14 | 000,116,224 | ---- | C] () -- C:\Windows\System32\pdfcmnnt.dll
[2012/07/18 14:20:37 | 000,001,021 | ---- | C] () -- C:\Users\Rob Caldwell\Desktop\Magic Submitter.lnk
[2012/07/15 15:17:17 | 000,000,850 | ---- | C] () -- C:\Users\Public\Desktop\TweetAdder3.lnk
[2012/07/05 12:53:48 | 000,001,330 | ---- | C] () -- C:\Users\Public\Desktop\MS Word Extract Email Addresses From Documents Software.lnk
[2012/06/08 10:58:52 | 001,110,476 | ---- | C] () -- C:\Users\Rob Caldwell\7z920.exe
[2012/02/28 17:57:27 | 000,072,080 | ---- | C] () -- C:\Users\Rob Caldwell\g2mdlhlpx.exe
[2012/02/17 18:27:52 | 000,156,392 | ---- | C] () -- C:\Users\Rob Caldwell\R159805.EXE
[2012/02/08 15:11:58 | 000,098,304 | ---- | C] () -- C:\Windows\System32\redmonnt.dll
[2011/11/04 05:31:01 | 000,000,000 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Local\{576B3797-478E-4ED4-864E-DCF36AD48201}
[2011/07/08 11:54:59 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/07/08 11:54:59 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/07/08 11:54:59 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/07/08 11:54:59 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/07/08 11:54:59 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/06/17 15:30:02 | 000,000,418 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/06/15 19:50:31 | 000,001,300 | -HS- | C] () -- C:\Users\Rob Caldwell\AppData\Local\jrfome35tf08ah35e4cqfgv7wigo7r
[2011/06/15 19:50:31 | 000,001,300 | -HS- | C] () -- C:\ProgramData\jrfome35tf08ah35e4cqfgv7wigo7r
[2011/02/02 14:17:41 | 000,038,487 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Roaming\Comma Separated Values (Windows).ADR
[2011/01/22 22:35:30 | 000,001,026 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Roaming\My Checkbook Preferences
[2011/01/01 10:45:00 | 000,000,281 | ---- | C] () -- C:\Users\Rob Caldwell\SciTE.session
[2010/11/08 13:55:29 | 000,000,016 | ---- | C] () -- C:\Users\Rob Caldwell\persistent_state
[2010/11/02 17:24:39 | 000,032,768 | ---- | C] () -- C:\Windows\System32\ktdll.dll
[2010/10/06 15:45:55 | 000,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat
[2010/09/21 10:41:11 | 000,000,600 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Local\PUTTY.RND
[2010/09/13 17:13:52 | 000,000,108 | -HS- | C] () -- C:\Windows\WSYS049.SYS
[2010/09/05 05:11:44 | 000,000,032 | ---- | C] () -- C:\Windows\RBuilder.ini
[2010/01/21 15:23:25 | 000,000,000 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Local\prvlcl.dat
[2009/11/04 14:42:42 | 000,481,118 | ---- | C] () -- C:\Users\Rob Caldwell\dtlk110309.jpg
[2009/11/04 14:37:21 | 009,715,734 | ---- | C] () -- C:\Users\Rob Caldwell\dtlk110309.bmp
[2009/09/18 13:01:53 | 000,019,968 | ---- | C] () -- C:\Users\Rob Caldwell\06206275.xlt
[2009/08/09 10:55:08 | 000,000,552 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Local\d3d8caps.dat
[2009/05/09 16:30:04 | 000,038,275 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Roaming\Microsoft Excel 97-2003.ADR
[2009/01/08 16:46:23 | 000,006,324 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Local\d3d9caps.dat
[2008/11/01 18:51:41 | 000,026,340 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Roaming\UserTile.png
[2007/11/24 20:06:50 | 000,000,275 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Roaming\DarkAdapted Preferences
[2007/11/17 16:29:43 | 000,114,688 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/11/08 13:04:14 | 000,000,848 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Roaming\wklnhst.dat
========== LOP Check ==========
[2012/02/11 17:55:33 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\4Media
[2011/11/09 00:29:04 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\AppKeys
[2010/12/05 16:55:50 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\AutoHideIP
[2010/10/21 19:01:57 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\AVG
[2010/10/17 11:09:21 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\AVG10
[2010/09/20 15:58:54 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\Buddi
[2010/09/13 17:10:04 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\CoffeeCup Software
[2010/11/02 17:24:38 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\CompuCram
[2009/09/23 16:21:09 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\CoreFTP
[2012/07/26 15:09:47 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\DriverCure
[2012/08/01 09:53:02 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\Dropbox
[2009/10/27 12:28:35 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\DTLink Software
[2012/07/27 22:29:21 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\FileZilla
[2009/07/28 16:05:23 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\GARMIN
[2011/09/25 19:20:31 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\GianPaoloSaliola
[2010/12/18 18:25:35 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\Good Deal Software
[2012/07/26 10:19:33 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\gtk-2.0
[2009/10/25 10:11:02 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\IObit
[2010/09/05 05:11:43 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\Jade Tools
[2010/11/16 19:09:05 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\KompoZer
[2010/08/02 17:29:48 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\Lanmisoft
[2011/08/03 19:41:18 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\MechCAD
[2009/08/23 11:35:57 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\net.twitterlocal.onair.A589D10E991C524019173F7ADEB73C85B538C40C.1
[2012/07/20 10:44:23 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\Nvu
[2009/03/20 23:12:44 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\OpenOffice.org
[2012/07/26 15:09:46 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\ParetoLogic
[2008/11/01 18:51:40 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\PeerNetworking
[2010/11/02 17:02:40 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\Performance Programs Company
[2012/02/11 15:49:54 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\RoboForm
[2011/10/14 09:48:34 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\Serif
[2011/06/16 17:49:53 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\Simply Super Software
[2009/10/27 12:10:47 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\SlimBrowser
[2011/09/25 12:59:26 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\SmartDraw
[2010/02/05 13:14:12 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\Smith Micro
[2007/11/08 13:04:15 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\Template
[2011/12/16 16:12:54 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\Thunderbird
[2012/07/31 20:38:31 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\TweetAdder3
[2009/10/10 11:00:38 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1
[2011/09/27 17:39:10 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\UltimateMapsDownloader
[2012/07/18 22:10:01 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\uTorrent
[2010/10/14 11:05:21 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\webex
[2011/10/10 16:20:46 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\WinBatch
[2012/08/01 09:49:39 | 000,032,632 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
========== Purity Check ==========
========== Alternate Data Streams ==========
@Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:0B4227B4
@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:CB0AACC9
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:5C321E34
< End of report >
----------------------------------------------
The "EXTRAS.txt" file did not open. I did search on my c:/ directory and it did not locate "EXTRAS.txt"
Thank you,
Rob Caldwell
Hi,
1.Click "Start" and select "Control Panel."
2.Click the "Uninstall a Program" link under the Programs section.
3.Select "Conduit Toolbar" from the list of currently installed programs, and click "Uninstall." Click "Yes" to confirm your choice.
4.If you are using Mozilla Firefox, click the "Firefox" menu, select "Add-Ons" and choose the "Extensions" tab.
5.Click "Conduit Toolbar" and select "Remove." Restart your Web browser.
Read more: How to Remove the Conduit Toolbar | eHow.com http://www.ehow.com/how_5104414_remove-conduit-toolbar.html#ixzz22JR8ZcyX
Open OTL.exe
Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:processes
killallprocesses
:OTL
[2012/07/25 14:42:30 | 000,000,000 | ---D | M] (InternetHelper Community Toolbar) -- C:\Users\Rob Caldwell\AppData\Roaming\Mozilla\Firefox\Profiles\jhvud1s7.default\extensions\{9d0f7eb2-452d-4766-b535-8d23e36c300e}
O3 - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\..\Toolbar\WebBrowser: (no name) - {9D0F7EB2-452D-4766-B535-8D23E36C300E} - No CLSID value found.
@Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:0B4227B4
@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:CB0AACC9
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:5C321E34
:Services
:Reg
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[CLEARALLRESTOREPOINTS]
[emptytemp]
[start explorer]
[Reboot]
Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces
ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan
*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.
Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.
I ran the OTL scan and copied the log successfully.
However when I ran the ESET scan the program crashed at 48% and would not restart. It did tell me that it found 4 threats and I was able to get a log from the partial scan.
(BTW... The ESET Smart Installer is no longer located at the link you provided. I had to do a separate search for it).
Here is the OTL Log:
OTL logfile created on: 8/1/2012 10:03:08 AM - Run 3
OTL by OldTimer - Version 3.2.55.0 Folder = C:\Users\Rob Caldwell\Downloads
Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
3.49 Gb Total Physical Memory | 2.24 Gb Available Physical Memory | 64.32% Memory free
6.41 Gb Paging File | 5.34 Gb Available in Paging File | 83.21% Paging File free
Paging file location(s): c:\pagefile.sys 3112 3112 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 61.95 Gb Total Space | 13.56 Gb Free Space | 21.89% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.56 Gb Free Space | 65.59% Space Free | Partition Type: NTFS
Drive E: | 33.71 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Computer Name: ROBCALDWELL-PC | User Name: Rob Caldwell | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Users\Rob Caldwell\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
PRC - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
PRC - C:\Users\Rob Caldwell\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
PRC - C:\Program Files\Common Files\Apple\Internet Services\ubd.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\HMA! Pro VPN\bin\HMA! Pro VPN.exe (NetcoSolutions)
PRC - C:\Program Files\HMA! Pro VPN\bin\openvpn.exe ()
PRC - C:\Program Files\HMA! Pro VPN\bin\openvpnserv.exe ()
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
PRC - C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (SigmaTel, Inc.)
PRC - C:\Windows\System32\stacsv.exe (SigmaTel, Inc.)
========== Modules (No Company Name) ==========
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8bbcd31ecc8edc7d1f9cdd83ef2bb2d3\System.ServiceProcess.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\508b444db523c5cf20ff12c7f440837b\System.Web.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\f2691cfa7671cdc58179e56ba9227591\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\18f9789aa214c657113e676b3a9015aa\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\846b9cf2756fdd15f704c9bab9c70b6f\System.Runtime.Remoting.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\bd76aaaa03ddc15d1840207b5a480644\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\1b337cf9a031145849bc48c11b2cfe58\Accessibility.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\d2630342a066a7cb9056d9eb6157687a\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\0f2b877ed16daa577f95be735a63d19c\System.Core.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\28d633338fc8d29f8af31935ef7d001b\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\af9c9e9d7e0523cd444f8b551baa9cbf\mscorlib.ni.dll ()
MOD - C:\Program Files\FileZilla FTP Client\fzshellext.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll ()
MOD - C:\Windows\System32\igfxTMM.dll ()
MOD - C:\Windows\System32\bcmwlrmt.dll ()
========== Win32 Services (SafeList) ==========
SRV - (SBSDWSCService) -- C:\Program Files\Spybot File not found
SRV - (RoxLiveShare9) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe File not found
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (avast! Antivirus) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
SRV - (AdobeARMservice) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (OpenVPNService) -- C:\Program Files\HMA! Pro VPN\bin\openvpnserv.exe ()
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (WcesComm) -- C:\Windows\WindowsMobile\wcescomm.dll (Microsoft Corporation)
SRV - (RapiMgr) -- C:\Windows\WindowsMobile\rapimgr.dll (Microsoft Corporation)
SRV - (STacSV) -- C:\Windows\System32\stacsv.exe (SigmaTel, Inc.)
========== Driver Services (SafeList) ==========
DRV - (slabser) -- system32\DRIVERS\slabser.sys File not found
DRV - (slabbus) -- system32\DRIVERS\slabbus.sys File not found
DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found
DRV - (KAPFA) -- C:\Windows\system32\drivers\KAPFA.SYS File not found
DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found
DRV - (cpuz132) -- C:\Users\ROBCAL~1\AppData\Local\Temp\cpuz132\cpuz132_x32.sys File not found
DRV - (catchme) -- C:\Users\ROBCAL~1\AppData\Local\Temp\catchme.sys File not found
DRV - (blbdrive) -- C:\Windows\system32\drivers\blbdrive.sys File not found
DRV - (aswTdi) -- C:\Windows\System32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswSnx) -- C:\Windows\System32\drivers\aswSnx.sys (AVAST Software)
DRV - (aswSP) -- C:\Windows\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswMonFlt) -- C:\Windows\System32\drivers\aswMonFlt.sys (AVAST Software)
DRV - (aswRdr) -- C:\Windows\System32\drivers\aswRdr.sys (AVAST Software)
DRV - (aswFsBlk) -- C:\Windows\System32\drivers\aswFsBlk.sys (AVAST Software)
DRV - (tap0901) -- C:\Windows\System32\drivers\tap0901.sys (The OpenVPN Project)
DRV - (BackLogAFK) -- C:\Windows\System32\drivers\BackLogAFK.sys (Envoy)
DRV - (BackLogAFM) -- C:\Windows\System32\drivers\BackLogAFM.sys (Envoy)
DRV - (MREMP50) -- C:\Program Files\Common Files\Motive\MREMP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (MRESP50) -- C:\Program Files\Common Files\Motive\MRESP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (WSDPrintDevice) -- C:\Windows\System32\drivers\WSDPrint.sys (Microsoft Corporation)
DRV - (OEM02Vfx) -- C:\Windows\System32\drivers\OEM02Vfx.sys (EyePower Games Pte. Ltd.)
DRV - (OEM02Dev) -- C:\Windows\System32\drivers\OEM02Dev.sys (Creative Technology Ltd.)
DRV - (STHDA) -- C:\Windows\System32\drivers\stwrt.sys (SigmaTel, Inc.)
DRV - (BT) -- C:\Windows\System32\drivers\btnetdrv.sys (IVT Corporation.)
DRV - (Btcsrusb) -- C:\Windows\System32\drivers\btcusb.sys (IVT Corporation.)
DRV - (BlueletAudio) -- C:\Windows\System32\drivers\blueletaudio.sys (IVT Corporation.)
DRV - (BlueletSCOAudio) -- C:\Windows\System32\drivers\BlueletSCOAudio.sys (IVT Corporation.)
DRV - (BTHidMgr) -- C:\Windows\System32\drivers\BtHidMgr.sys (IVT Corporation.)
DRV - (BTHidEnum) -- C:\Windows\System32\drivers\VBTEnum.sys (IVT Corporation.)
DRV - (VcommMgr) -- C:\Windows\System32\drivers\VCommMgr.sys (IVT Corporation.)
DRV - (VComm) -- C:\Windows\System32\drivers\VComm.sys (IVT Corporation.)
DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)
DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
DRV - (bcm4sbxp) -- C:\Windows\System32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (Afc) -- C:\Windows\System32\drivers\afc.sys (Arcsoft, Inc.)
DRV - (R300) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (e1express) -- C:\Windows\System32\drivers\e1e6032.sys (Intel Corporation)
DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.)
DRV - (ser2plms) -- C:\Windows\System32\drivers\ser2plms.sys (Prolific Technology Inc.)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 9E 86 54 0F 5D B6 02 49 BD 43 B6 D3 32 57 25 05 [binary data]
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 9E 86 54 0F 5D B6 02 49 BD 43 B6 D3 32 57 25 05 [binary data]
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 9E 86 54 0F 5D B6 02 49 BD 43 B6 D3 32 57 25 05 [binary data]
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 9E 86 54 0F 5D B6 02 49 BD 43 B6 D3 32 57 25 05 [binary data]
IE - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\..\SearchScopes\{54011589-DBDC-4249-82F5-E9CC1C81C981}: "URL" = http://search.avg.com/route/?d=4e14e0f6&v=7.5.30.4&i=23&tp=chrome&q={searchTerms}&lng={language}&iy=&ychte=us
IE - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=
IE - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://search.yahoo.com/search?p={searchTerms}&fr=chr-atty
IE - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\..\SearchScopes\Yahoo!: "URL" = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
IE - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - user.js - File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@garmin.com/GpsControl: C:\Program Files\Garmin GPS Plugin\npGarmin.dll (GARMIN Corp.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.4: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Motive, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012/07/09 17:02:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/07/18 14:41:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/06/15 14:29:21 | 000,000,000 | ---D | M]
[2010/10/26 08:11:08 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Rob Caldwell\AppData\Roaming\Mozilla\Extensions
[2010/10/26 08:11:08 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Rob Caldwell\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2012/07/25 14:42:29 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Rob Caldwell\AppData\Roaming\Mozilla\Firefox\Profiles\jhvud1s7.default\extensions
[2011/09/25 15:39:28 | 000,000,000 | ---D | M] (Garmin Communicator) -- C:\Users\Rob Caldwell\AppData\Roaming\Mozilla\Firefox\Profiles\jhvud1s7.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
[2010/05/11 08:50:28 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Rob Caldwell\AppData\Roaming\Mozilla\Firefox\Profiles\jhvud1s7.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/06/18 23:03:16 | 000,000,000 | ---D | M] (AddThis) -- C:\Users\Rob Caldwell\AppData\Roaming\Mozilla\Firefox\Profiles\jhvud1s7.default\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79}
[2012/07/25 14:42:30 | 000,000,000 | ---D | M] (InternetHelper Community Toolbar) -- C:\Users\Rob Caldwell\AppData\Roaming\Mozilla\Firefox\Profiles\jhvud1s7.default\extensions\{9d0f7eb2-452d-4766-b535-8d23e36c300e}
[2012/01/10 23:21:34 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2008/09/22 18:59:06 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\inspector@mozilla.org
[2007/11/08 19:01:14 | 000,000,000 | ---D | M] (Mozilla Settings for November 2007) -- C:\Program Files\Mozilla Firefox\extensions\mozilla02@partners.mozilla.com
[2012/07/18 14:41:03 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/10/03 05:06:04 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/09/30 15:13:20 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/09 11:02:54 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
O1 HOSTS File: ([2012/07/27 22:30:45 | 000,443,125 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 15246 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - No CLSID value found.
O3 - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\..\Toolbar\WebBrowser: (no name) - {9D0F7EB2-452D-4766-B535-8D23E36C300E} - No CLSID value found.
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [MS Word Extract Email Addresses From Documents Software.exe] File not found
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (SigmaTel, Inc.)
O4 - HKU\S-1-5-21-3294347943-1937636801-923172872-1000..\Run: [iCloudServices] C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe (Apple Inc.)
O4 - HKU\S-1-5-21-3294347943-1937636801-923172872-1000..\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe (Apple Inc.)
O4 - HKU\S-1-5-21-3294347943-1937636801-923172872-1000..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Users\Rob Caldwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Rob Caldwell\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Users\Rob Caldwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Users\Rob Caldwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HMA Pro VPN 2.0.lnk = C:\Program Files\HMA! Pro VPN\bin\HMA! Pro VPN.exe (NetcoSolutions)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-3294347943-1937636801-923172872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = [binary data]
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.67.222.222 208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{198900CA-A070-4EDA-8188-257334FEFBBE}: DhcpNameServer = 216.136.95.2 64.132.94.250 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2EA65902-CA22-4DE2-8E45-5E441FE41949}: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{873AD3DD-6988-42D0-977C-742927A8EE92}: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FE0B6538-7289-4A7B-A423-6DC932A236D7}: DhcpNameServer = 208.67.222.222 208.67.220.220
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Rob Caldwell\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Rob Caldwell\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2007/06/06 18:55:56 | 000,000,027 | R--- | M] () - E:\Autorun.inf -- [ CDFS ]
O33 - MountPoints2\{2e148f11-7fed-11dc-8416-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{2e148f11-7fed-11dc-8416-806e6f6e6963}\Shell\AutoRun\command - "" = E:\setup.exe -- [2007/06/06 18:58:40 | 000,260,880 | R--- | M] (IVT Corporation )
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
========== Files/Folders - Created Within 30 Days ==========
[2012/08/01 09:35:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/08/01 09:35:41 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/08/01 09:35:41 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/07/31 16:29:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweet Adder 3
[2012/07/31 16:29:38 | 000,000,000 | ---D | C] -- C:\Program Files\Tweet Adder 3
[2012/07/26 15:34:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2012/07/26 15:34:29 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2012/07/26 15:09:47 | 000,000,000 | ---D | C] -- C:\Users\Rob Caldwell\AppData\Roaming\DriverCure
[2012/07/26 15:09:46 | 000,000,000 | ---D | C] -- C:\Users\Rob Caldwell\AppData\Roaming\ParetoLogic
[2012/07/26 15:09:33 | 000,000,000 | ---D | C] -- C:\ProgramData\ParetoLogic
[2012/07/26 15:09:33 | 000,000,000 | ---D | C] -- C:\Program Files\ParetoLogic
[2012/07/25 14:43:18 | 000,000,000 | ---D | C] -- C:\Users\Rob Caldwell\AppData\Local\Conduit
[2012/07/24 08:07:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HMA! Pro VPN
[2012/07/24 08:07:47 | 000,000,000 | ---D | C] -- C:\Program Files\HMA! Pro VPN
[2012/07/20 16:03:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDFCreator
[2012/07/20 16:03:14 | 000,137,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSMAPI32.OCX
[2012/07/20 16:03:12 | 000,023,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSMPIDE.DLL
[2012/07/20 16:03:12 | 000,000,000 | ---D | C] -- C:\Program Files\PDFCreator
[2012/07/20 10:44:22 | 000,000,000 | ---D | C] -- C:\Users\Rob Caldwell\AppData\Roaming\Nvu
[2012/07/18 14:20:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Magic Submitter
[2012/07/18 14:20:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Magic Submitter
[2012/07/18 14:20:24 | 000,000,000 | ---D | C] -- C:\Program Files\Alexandr Krulik
[2012/07/13 09:40:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2012/07/13 09:40:09 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2012/07/11 13:08:14 | 000,000,000 | ---D | C] -- C:\Program Files\OnlyWire
[2012/07/11 09:02:05 | 000,000,000 | ---D | C] -- C:\Users\Rob Caldwell\AppData\Local\Seesmic
[2012/07/11 09:01:13 | 000,000,000 | ---D | C] -- C:\Users\Rob Caldwell\Documents\Seesmic
[2012/07/11 09:01:05 | 000,000,000 | ---D | C] -- C:\Program Files\Seesmic Ping
[2012/07/11 03:08:07 | 002,047,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2012/07/11 03:01:49 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2012/07/11 03:01:47 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2012/07/11 03:01:47 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2012/07/11 03:01:46 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2012/07/11 03:01:45 | 001,800,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2012/07/11 03:01:45 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2012/07/11 03:01:43 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2012/07/10 19:04:13 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ncrypt.dll
[2012/07/08 15:02:21 | 000,000,000 | ---D | C] -- C:\Users\Rob Caldwell\AppData\Roaming\TweetAdder3
[2012/07/08 14:59:01 | 005,343,523 | ---- | C] (TweetAdder.com) -- C:\Users\Rob Caldwell\Documents\tweetadder3.exe
[2012/07/07 10:53:21 | 000,000,000 | ---D | C] -- C:\Users\Rob Caldwell\Desktop\Head Shot
[2012/07/05 12:53:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MS Word Extract Email Addresses From Documents Software
[2012/07/05 12:53:46 | 000,000,000 | ---D | C] -- C:\Program Files\MS Word Extract Email Addresses From Documents Software
[2011/11/08 08:49:53 | 002,013,344 | ---- | C] (Rex Ventrue Group LLC) -- C:\Users\Rob Caldwell\ShoppingDaisy_Setup.exe
[3 C:\Users\Rob Caldwell\*.tmp files -> C:\Users\Rob Caldwell\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2012/08/01 09:51:04 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/08/01 09:50:58 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/08/01 09:50:58 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/08/01 09:50:44 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/08/01 09:22:00 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/08/01 09:21:19 | 000,000,328 | ---- | M] () -- C:\Windows\tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
[2012/07/31 16:29:40 | 000,000,850 | ---- | M] () -- C:\Users\Public\Desktop\TweetAdder3.lnk
[2012/07/30 15:11:20 | 000,034,703 | ---- | M] () -- C:\Users\Rob Caldwell\Desktop\ACH Delay.jpg
[2012/07/28 06:55:30 | 000,000,302 | ---- | M] () -- C:\Windows\tasks\Spybot - Search & Destroy - Scheduled Task.job
[2012/07/27 22:30:45 | 000,443,125 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/07/26 15:34:47 | 000,000,875 | ---- | M] () -- C:\Users\Rob Caldwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/07/26 10:19:33 | 000,006,363 | ---- | M] () -- C:\Users\Rob Caldwell\.recently-used.xbel
[2012/07/24 17:10:21 | 000,001,818 | ---- | M] () -- C:\Users\Rob Caldwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HMA Pro VPN 2.0.lnk
[2012/07/24 08:07:49 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\HMA! Pro VPN.lnk
[2012/07/22 12:15:32 | 000,000,083 | ---- | M] () -- C:\Users\Rob Caldwell\Desktop\How Does Empower Network Work My Expert Review Empower Network TheEmpowerNetwork.Co.URL
[2012/07/20 16:00:51 | 000,000,484 | ---- | M] () -- C:\user.js
[2012/07/19 21:19:01 | 000,442,822 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20120727-223045.backup
[2012/07/18 22:11:15 | 000,442,766 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20120719-211901.backup
[2012/07/18 14:23:22 | 000,001,021 | ---- | M] () -- C:\Users\Rob Caldwell\Desktop\Magic Submitter.lnk
[2012/07/12 21:51:47 | 000,442,766 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20120718-221115.backup
[2012/07/11 07:45:37 | 000,000,900 | ---- | M] () -- C:\Users\Rob Caldwell\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
[2012/07/11 03:27:42 | 000,408,176 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/07/09 17:02:05 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2012/07/09 13:14:44 | 000,442,292 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20120712-215147.backup
[2012/07/08 14:59:05 | 005,343,523 | ---- | M] (TweetAdder.com) -- C:\Users\Rob Caldwell\Documents\tweetadder3.exe
[2012/07/05 12:53:48 | 000,001,330 | ---- | M] () -- C:\Users\Public\Desktop\MS Word Extract Email Addresses From Documents Software.lnk
[2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/07/03 12:21:54 | 000,054,232 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2012/07/03 12:21:53 | 000,721,000 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
[2012/07/03 12:21:53 | 000,353,688 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
[2012/07/03 12:21:53 | 000,057,656 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2012/07/03 12:21:53 | 000,035,928 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2012/07/03 12:21:53 | 000,021,256 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2012/07/03 12:21:32 | 000,041,224 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2012/07/03 12:21:28 | 000,227,648 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
[3 C:\Users\Rob Caldwell\*.tmp files -> C:\Users\Rob Caldwell\*.tmp -> ]
========== Files Created - No Company Name ==========
[2012/07/30 15:11:20 | 000,034,703 | ---- | C] () -- C:\Users\Rob Caldwell\Desktop\ACH Delay.jpg
[2012/07/26 15:34:47 | 000,000,875 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/07/26 10:19:33 | 000,006,363 | ---- | C] () -- C:\Users\Rob Caldwell\.recently-used.xbel
[2012/07/24 17:10:21 | 000,001,818 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HMA Pro VPN 2.0.lnk
[2012/07/24 08:07:49 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\HMA! Pro VPN.lnk
[2012/07/22 12:15:32 | 000,000,083 | ---- | C] () -- C:\Users\Rob Caldwell\Desktop\How Does Empower Network Work My Expert Review Empower Network TheEmpowerNetwork.Co.URL
[2012/07/20 16:03:14 | 000,116,224 | ---- | C] () -- C:\Windows\System32\pdfcmnnt.dll
[2012/07/18 14:20:37 | 000,001,021 | ---- | C] () -- C:\Users\Rob Caldwell\Desktop\Magic Submitter.lnk
[2012/07/15 15:17:17 | 000,000,850 | ---- | C] () -- C:\Users\Public\Desktop\TweetAdder3.lnk
[2012/07/05 12:53:48 | 000,001,330 | ---- | C] () -- C:\Users\Public\Desktop\MS Word Extract Email Addresses From Documents Software.lnk
[2012/06/08 10:58:52 | 001,110,476 | ---- | C] () -- C:\Users\Rob Caldwell\7z920.exe
[2012/02/28 17:57:27 | 000,072,080 | ---- | C] () -- C:\Users\Rob Caldwell\g2mdlhlpx.exe
[2012/02/17 18:27:52 | 000,156,392 | ---- | C] () -- C:\Users\Rob Caldwell\R159805.EXE
[2012/02/08 15:11:58 | 000,098,304 | ---- | C] () -- C:\Windows\System32\redmonnt.dll
[2011/11/04 05:31:01 | 000,000,000 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Local\{576B3797-478E-4ED4-864E-DCF36AD48201}
[2011/07/08 11:54:59 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/07/08 11:54:59 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/07/08 11:54:59 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/07/08 11:54:59 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/07/08 11:54:59 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/06/17 15:30:02 | 000,000,418 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/06/15 19:50:31 | 000,001,300 | -HS- | C] () -- C:\Users\Rob Caldwell\AppData\Local\jrfome35tf08ah35e4cqfgv7wigo7r
[2011/06/15 19:50:31 | 000,001,300 | -HS- | C] () -- C:\ProgramData\jrfome35tf08ah35e4cqfgv7wigo7r
[2011/02/02 14:17:41 | 000,038,487 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Roaming\Comma Separated Values (Windows).ADR
[2011/01/22 22:35:30 | 000,001,026 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Roaming\My Checkbook Preferences
[2011/01/01 10:45:00 | 000,000,281 | ---- | C] () -- C:\Users\Rob Caldwell\SciTE.session
[2010/11/08 13:55:29 | 000,000,016 | ---- | C] () -- C:\Users\Rob Caldwell\persistent_state
[2010/11/02 17:24:39 | 000,032,768 | ---- | C] () -- C:\Windows\System32\ktdll.dll
[2010/10/06 15:45:55 | 000,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat
[2010/09/21 10:41:11 | 000,000,600 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Local\PUTTY.RND
[2010/09/13 17:13:52 | 000,000,108 | -HS- | C] () -- C:\Windows\WSYS049.SYS
[2010/09/05 05:11:44 | 000,000,032 | ---- | C] () -- C:\Windows\RBuilder.ini
[2010/01/21 15:23:25 | 000,000,000 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Local\prvlcl.dat
[2009/11/04 14:42:42 | 000,481,118 | ---- | C] () -- C:\Users\Rob Caldwell\dtlk110309.jpg
[2009/11/04 14:37:21 | 009,715,734 | ---- | C] () -- C:\Users\Rob Caldwell\dtlk110309.bmp
[2009/09/18 13:01:53 | 000,019,968 | ---- | C] () -- C:\Users\Rob Caldwell\06206275.xlt
[2009/08/09 10:55:08 | 000,000,552 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Local\d3d8caps.dat
[2009/05/09 16:30:04 | 000,038,275 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Roaming\Microsoft Excel 97-2003.ADR
[2009/01/08 16:46:23 | 000,006,324 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Local\d3d9caps.dat
[2008/11/01 18:51:41 | 000,026,340 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Roaming\UserTile.png
[2007/11/24 20:06:50 | 000,000,275 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Roaming\DarkAdapted Preferences
[2007/11/17 16:29:43 | 000,114,688 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/11/08 13:04:14 | 000,000,848 | ---- | C] () -- C:\Users\Rob Caldwell\AppData\Roaming\wklnhst.dat
========== LOP Check ==========
[2012/02/11 17:55:33 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\4Media
[2011/11/09 00:29:04 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\AppKeys
[2010/12/05 16:55:50 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\AutoHideIP
[2010/10/21 19:01:57 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\AVG
[2010/10/17 11:09:21 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\AVG10
[2010/09/20 15:58:54 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\Buddi
[2010/09/13 17:10:04 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\CoffeeCup Software
[2010/11/02 17:24:38 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\CompuCram
[2009/09/23 16:21:09 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\CoreFTP
[2012/07/26 15:09:47 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\DriverCure
[2012/08/01 09:53:02 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\Dropbox
[2009/10/27 12:28:35 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\DTLink Software
[2012/07/27 22:29:21 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\FileZilla
[2009/07/28 16:05:23 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\GARMIN
[2011/09/25 19:20:31 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\GianPaoloSaliola
[2010/12/18 18:25:35 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\Good Deal Software
[2012/07/26 10:19:33 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\gtk-2.0
[2009/10/25 10:11:02 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\IObit
[2010/09/05 05:11:43 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\Jade Tools
[2010/11/16 19:09:05 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\KompoZer
[2010/08/02 17:29:48 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\Lanmisoft
[2011/08/03 19:41:18 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\MechCAD
[2009/08/23 11:35:57 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\net.twitterlocal.onair.A589D10E991C524019173F7ADEB73C85B538C40C.1
[2012/07/20 10:44:23 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\Nvu
[2009/03/20 23:12:44 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\OpenOffice.org
[2012/07/26 15:09:46 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\ParetoLogic
[2008/11/01 18:51:40 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\PeerNetworking
[2010/11/02 17:02:40 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\Performance Programs Company
[2012/02/11 15:49:54 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\RoboForm
[2011/10/14 09:48:34 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\Serif
[2011/06/16 17:49:53 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\Simply Super Software
[2009/10/27 12:10:47 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\SlimBrowser
[2011/09/25 12:59:26 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\SmartDraw
[2010/02/05 13:14:12 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\Smith Micro
[2007/11/08 13:04:15 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\Template
[2011/12/16 16:12:54 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\Thunderbird
[2012/07/31 20:38:31 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\TweetAdder3
[2009/10/10 11:00:38 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1
[2011/09/27 17:39:10 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\UltimateMapsDownloader
[2012/07/18 22:10:01 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\uTorrent
[2010/10/14 11:05:21 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\webex
[2011/10/10 16:20:46 | 000,000,000 | ---D | M] -- C:\Users\Rob Caldwell\AppData\Roaming\WinBatch
[2012/08/01 09:49:39 | 000,032,632 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
========== Purity Check ==========
========== Alternate Data Streams ==========
@Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:0B4227B4
@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:CB0AACC9
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:5C321E34
< End of report >
-----------------------------------------
C:\ProgramData\YouTube Downloader\ytd_installer.exe a variant of Win32/Toolbar.Widgi application
C:\Qoobox\Quarantine\C\Users\Rob Caldwell\AppData\Roaming\Mozilla\Firefox\Profiles\jhvud1s7.default\extensions\{ef25c562-8d21-4776-9414-be211a214e6d}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Support\unlocker1.9.0.exe Win32/Adware.ADON application
C:\Users\All Users\YouTube Downloader\ytd_installer.exe a variant of Win32/Toolbar.Widgi application
Hi,
This is where my link is taking me
http://www.eset.com/us/online-scanner/
Looks like you have run Combofix before, drag it to the trash and grab a fresh copy and rerun it
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Here is the log report from ComboFox:
ComboFix 12-07-31.03 - Rob Caldwell 08/01/2012 17:08:33.2.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3573.2089 [GMT -4:00]
Running from: c:\users\Rob Caldwell\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Rob Caldwell\7z920.exe
c:\users\Rob Caldwell\AppData\Local\assembly\tmp
c:\users\Rob Caldwell\g2mdlhlpx.exe
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-01 to 2012-08-01 )))))))))))))))))))))))))))))))
.
.
2012-08-01 21:16 . 2012-08-01 21:17 -------- d-----w- c:\users\Rob Caldwell\AppData\Local\temp
2012-08-01 21:16 . 2012-08-01 21:16 -------- d-----w- c:\users\Rob_Caldwell\AppData\Local\temp
2012-08-01 21:16 . 2012-08-01 21:16 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-08-01 21:16 . 2012-08-01 21:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-01 17:13 . 2012-08-01 17:13 -------- d-----w- c:\program files\ESET
2012-08-01 13:35 . 2012-08-01 13:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-01 13:35 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-31 20:29 . 2012-07-31 20:29 -------- d-----w- c:\program files\Tweet Adder 3
2012-07-26 19:34 . 2012-07-26 19:34 -------- d-----w- c:\program files\ERUNT
2012-07-26 19:09 . 2012-07-26 19:09 -------- d-----w- c:\users\Rob Caldwell\AppData\Roaming\DriverCure
2012-07-26 19:09 . 2012-07-26 19:09 -------- d-----w- c:\users\Rob Caldwell\AppData\Roaming\ParetoLogic
2012-07-26 19:09 . 2012-07-26 19:09 -------- d-----w- c:\program files\ParetoLogic
2012-07-25 18:43 . 2012-07-25 18:45 -------- d-----w- c:\users\Rob Caldwell\AppData\Local\Conduit
2012-07-24 12:07 . 2012-07-24 12:08 -------- d-----w- c:\program files\HMA! Pro VPN
2012-07-20 20:03 . 2001-10-28 20:42 116224 ----a-w- c:\windows\system32\pdfcmnnt.dll
2012-07-20 20:03 . 1998-06-24 04:00 137000 ----a-w- c:\windows\system32\MSMAPI32.OCX
2012-07-20 20:03 . 2012-07-20 20:03 -------- d-----w- c:\program files\PDFCreator
2012-07-20 20:03 . 1998-07-06 04:00 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
2012-07-20 14:44 . 2012-07-20 14:44 -------- d-----w- c:\users\Rob Caldwell\AppData\Roaming\Nvu
2012-07-18 18:20 . 2012-07-18 18:20 -------- d-----w- c:\program files\Alexandr Krulik
2012-07-13 13:40 . 2012-07-13 13:40 -------- d-----w- c:\program files\Microsoft Silverlight
2012-07-11 17:08 . 2012-07-19 02:11 -------- d-----w- c:\program files\OnlyWire
2012-07-11 13:02 . 2012-07-11 13:02 -------- d-----w- c:\users\Rob Caldwell\AppData\Local\Seesmic
2012-07-11 13:01 . 2012-07-11 13:08 -------- d-----w- c:\program files\Seesmic Ping
2012-07-11 07:08 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-07-10 23:05 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-07-10 23:05 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-07-10 23:05 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-07-10 23:05 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-10 23:04 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-07-10 23:04 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-07-10 23:04 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-10 23:04 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
2012-07-10 23:04 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-08 19:02 . 2012-08-01 00:38 -------- d-----w- c:\users\Rob Caldwell\AppData\Roaming\TweetAdder3
2012-07-05 16:53 . 2012-07-05 16:53 -------- d-----w- c:\program files\MS Word Extract Email Addresses From Documents Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 16:21 . 2011-07-10 14:45 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-07-03 16:21 . 2011-07-10 14:45 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-07-03 16:21 . 2011-07-10 14:45 353688 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-07-03 16:21 . 2011-07-10 14:45 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-07-03 16:21 . 2011-07-10 14:45 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-07-03 16:21 . 2011-07-10 14:45 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-07-03 16:21 . 2011-07-10 14:45 41224 ----a-w- c:\windows\avastSS.scr
2012-07-03 16:21 . 2011-07-10 14:45 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-06-23 14:44 . 2009-11-03 17:20 286720 ------w- c:\windows\Setup1.exe
2012-06-02 22:19 . 2012-06-21 11:22 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 11:22 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 11:21 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 11:21 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 11:22 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 11:22 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 11:21 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-21 11:21 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12 . 2012-06-21 11:21 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-31 16:25 . 2009-10-03 04:44 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-07-18 18:41 . 2011-03-23 15:20 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Rob Caldwell\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Rob Caldwell\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Rob Caldwell\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Rob Caldwell\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"iCloudServices"="c:\program files\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-02-23 59240]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-28 857648]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-06-25 405504]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
.
c:\users\Rob Caldwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Rob Caldwell\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
HMA Pro VPN 2.0.lnk - c:\program files\HMA! Pro VPN\bin\HMA! Pro VPN.exe [2011-8-3 1694720]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Google Calendar Sync.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Google Calendar Sync.lnk
backup=c:\windows\pss\Google Calendar Sync.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Rob Caldwell^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\users\Rob Caldwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Rob Caldwell^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\users\Rob Caldwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Rob Caldwell^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^RCA Detective.lnk]
path=c:\users\Rob Caldwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RCA Detective.lnk
backup=c:\windows\pss\RCA Detective.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Rob Caldwell^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^VZAccess Manager.lnk]
path=c:\users\Rob Caldwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VZAccess Manager.lnk
backup=c:\windows\pss\VZAccess Manager.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-05-31 00:06 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
2007-07-27 21:43 118784 ----a-w- c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-07-02 05:13 154392 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-07-02 05:14 138008 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-09-11 09:40 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-27 09:09 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2012-07-03 17:46 973488 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSCRM]
2007-12-07 07:10 62488 ----a-w- c:\program files\Microsoft Dynamics CRM\Client\ConfigWizard\CrmForOutlookInstaller.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSCRMStartup]
c:\program files\Microsoft Dynamics CRM\Client\res\Web\bin\Microsoft.Crm.Application.Hoster.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Toolbar]
c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
c:\program files\Dell\MediaDirect\PCMService.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 22:23 118784 ----a-w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-07-02 05:14 133912 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 00:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 17:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
c:\program files\Common Files\Real\Update_OB\realsched.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2006-11-02 09:45 215552 ----a-w- c:\windows\WindowsMobile\wmdSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-22 01:29]
.
2012-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-22 01:29]
.
2012-07-28 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-08-13 20:31]
.
2012-08-01 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-08-13 20:31]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 10.0.0.1
FF - ProfilePath - c:\users\Rob Caldwell\AppData\Roaming\Mozilla\Firefox\Profiles\jhvud1s7.default\
FF - prefs.js: browser.startup.homepage - hxxp://drudgereport.com/
FF - prefs.js: network.proxy.type - 0
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=113959&tt=2912_4
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - c041301e000000000000001a73afe439
FF - user.js: extensions.BabylonToolbar_i.hardId - c041301e000000000000001a73afe439
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15541
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1716:00
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{9D0F7EB2-452D-4766-B535-8D23E36C300E} - (no file)
HKLM-Run-MS Word Extract Email Addresses From Documents Software.exe - (no file)
SafeBoot-KAVY999939917379931912
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-CLSA - c:\program files\Good Deal Software\Craigs Search Agent\search_agent.exe
MSConfigStartUp-OM2_Monitor - c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe
MSConfigStartUp-SearchSettings - c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-01 17:17
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\avast! sandbox
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-08-01 17:23:49
ComboFix-quarantined-files.txt 2012-08-01 21:23
ComboFix2.txt 2011-07-08 16:19
ComboFix3.txt 2011-07-05 19:47
.
Pre-Run: 14,757,036,032 bytes free
Post-Run: 14,606,741,504 bytes free
.
- - End Of File - - 6F74E92DAE0634DA86A09651D1ADFF5F
Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::
File::
c:\windows\Setup1.exe
Folder::
c:\users\Rob Caldwell\AppData\Local\Conduit
Firefox::
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=113959&tt=2912_4
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - c041301e000000000000001a73afe439
FF - user.js: extensions.BabylonToolbar_i.hardId - c041301e000000000000001a73afe439
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15541
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1716:00:44
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
ComboFix 12-07-31.03 - Rob Caldwell 08/01/2012 20:23:20.3.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3573.2170 [GMT -4:00]
Running from: c:\users\Rob Caldwell\Desktop\ComboFix.exe
Command switches used :: c:\users\Rob Caldwell\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\Setup1.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Rob Caldwell\AppData\Local\Conduit
c:\windows\Setup1.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-02 to 2012-08-02 )))))))))))))))))))))))))))))))
.
.
2012-08-02 00:32 . 2012-08-02 00:32 -------- d-----w- c:\users\Rob Caldwell\AppData\Local\temp
2012-08-02 00:32 . 2012-08-02 00:32 -------- d-----w- c:\users\Rob_Caldwell\AppData\Local\temp
2012-08-02 00:32 . 2012-08-02 00:32 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-08-02 00:32 . 2012-08-02 00:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-01 17:13 . 2012-08-01 17:13 -------- d-----w- c:\program files\ESET
2012-08-01 13:35 . 2012-08-01 13:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-01 13:35 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-31 20:29 . 2012-07-31 20:29 -------- d-----w- c:\program files\Tweet Adder 3
2012-07-26 19:34 . 2012-07-26 19:34 -------- d-----w- c:\program files\ERUNT
2012-07-26 19:09 . 2012-07-26 19:09 -------- d-----w- c:\users\Rob Caldwell\AppData\Roaming\DriverCure
2012-07-26 19:09 . 2012-07-26 19:09 -------- d-----w- c:\users\Rob Caldwell\AppData\Roaming\ParetoLogic
2012-07-26 19:09 . 2012-07-26 19:09 -------- d-----w- c:\program files\ParetoLogic
2012-07-24 12:07 . 2012-07-24 12:08 -------- d-----w- c:\program files\HMA! Pro VPN
2012-07-20 20:03 . 2001-10-28 20:42 116224 ----a-w- c:\windows\system32\pdfcmnnt.dll
2012-07-20 20:03 . 1998-06-24 04:00 137000 ----a-w- c:\windows\system32\MSMAPI32.OCX
2012-07-20 20:03 . 2012-07-20 20:03 -------- d-----w- c:\program files\PDFCreator
2012-07-20 20:03 . 1998-07-06 04:00 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
2012-07-20 14:44 . 2012-07-20 14:44 -------- d-----w- c:\users\Rob Caldwell\AppData\Roaming\Nvu
2012-07-18 18:20 . 2012-07-18 18:20 -------- d-----w- c:\program files\Alexandr Krulik
2012-07-13 13:40 . 2012-07-13 13:40 -------- d-----w- c:\program files\Microsoft Silverlight
2012-07-11 17:08 . 2012-07-19 02:11 -------- d-----w- c:\program files\OnlyWire
2012-07-11 13:02 . 2012-07-11 13:02 -------- d-----w- c:\users\Rob Caldwell\AppData\Local\Seesmic
2012-07-11 13:01 . 2012-07-11 13:08 -------- d-----w- c:\program files\Seesmic Ping
2012-07-11 07:08 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-07-10 23:05 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-07-10 23:05 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-07-10 23:05 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-07-10 23:05 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-10 23:04 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-07-10 23:04 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-07-10 23:04 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-10 23:04 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
2012-07-10 23:04 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-08 19:02 . 2012-08-01 00:38 -------- d-----w- c:\users\Rob Caldwell\AppData\Roaming\TweetAdder3
2012-07-05 16:53 . 2012-07-05 16:53 -------- d-----w- c:\program files\MS Word Extract Email Addresses From Documents Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 16:21 . 2011-07-10 14:45 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-07-03 16:21 . 2011-07-10 14:45 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-07-03 16:21 . 2011-07-10 14:45 353688 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-07-03 16:21 . 2011-07-10 14:45 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-07-03 16:21 . 2011-07-10 14:45 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-07-03 16:21 . 2011-07-10 14:45 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-07-03 16:21 . 2011-07-10 14:45 41224 ----a-w- c:\windows\avastSS.scr
2012-07-03 16:21 . 2011-07-10 14:45 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-06-02 22:19 . 2012-06-21 11:22 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 11:22 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 11:21 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 11:21 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 11:22 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 11:22 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 11:21 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-21 11:21 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12 . 2012-06-21 11:21 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-31 16:25 . 2009-10-03 04:44 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-07-18 18:41 . 2011-03-23 15:20 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Rob Caldwell\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Rob Caldwell\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Rob Caldwell\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Rob Caldwell\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"iCloudServices"="c:\program files\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-02-23 59240]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-28 857648]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-06-25 405504]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
.
c:\users\Rob Caldwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Rob Caldwell\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
HMA Pro VPN 2.0.lnk - c:\program files\HMA! Pro VPN\bin\HMA! Pro VPN.exe [2011-8-3 1694720]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Google Calendar Sync.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Google Calendar Sync.lnk
backup=c:\windows\pss\Google Calendar Sync.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Rob Caldwell^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\users\Rob Caldwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Rob Caldwell^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\users\Rob Caldwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Rob Caldwell^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^RCA Detective.lnk]
path=c:\users\Rob Caldwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RCA Detective.lnk
backup=c:\windows\pss\RCA Detective.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Rob Caldwell^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^VZAccess Manager.lnk]
path=c:\users\Rob Caldwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VZAccess Manager.lnk
backup=c:\windows\pss\VZAccess Manager.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-05-31 00:06 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
2007-07-27 21:43 118784 ----a-w- c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-07-02 05:13 154392 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-07-02 05:14 138008 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-09-11 09:40 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-27 09:09 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2012-07-03 17:46 973488 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSCRM]
2007-12-07 07:10 62488 ----a-w- c:\program files\Microsoft Dynamics CRM\Client\ConfigWizard\CrmForOutlookInstaller.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSCRMStartup]
c:\program files\Microsoft Dynamics CRM\Client\res\Web\bin\Microsoft.Crm.Application.Hoster.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Toolbar]
c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
c:\program files\Dell\MediaDirect\PCMService.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 22:23 118784 ----a-w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-07-02 05:14 133912 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 00:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 17:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
c:\program files\Common Files\Real\Update_OB\realsched.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2006-11-02 09:45 215552 ----a-w- c:\windows\WindowsMobile\wmdSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-22 01:29]
.
2012-08-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-22 01:29]
.
2012-07-28 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-08-13 20:31]
.
2012-08-01 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-08-13 20:31]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 10.0.0.1
FF - ProfilePath - c:\users\Rob Caldwell\AppData\Roaming\Mozilla\Firefox\Profiles\jhvud1s7.default\
FF - prefs.js: browser.startup.homepage - hxxp://drudgereport.com/
FF - prefs.js: network.proxy.type - 0
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=113959&tt=2912_4
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - c041301e000000000000001a73afe439
FF - user.js: extensions.BabylonToolbar_i.hardId - c041301e000000000000001a73afe439
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15541
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1716:00
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-01 20:32
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-08-01 20:38:38
ComboFix-quarantined-files.txt 2012-08-02 00:38
ComboFix2.txt 2012-08-01 21:23
ComboFix3.txt 2011-07-08 16:19
ComboFix4.txt 2011-07-05 19:47
.
Pre-Run: 14,647,848,960 bytes free
Post-Run: 14,490,431,488 bytes free
.
- - End Of File - - 57A0EF11D03F02BEB4F06B6B73CA0E03
Is it gone ? Let me know and we can dig deeper
ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan
*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.
Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.
It seems like it is gone. No more tool bar in mozilla!
Thanks!
Rob Caldwell
Great :bigthumb:
Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.
http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png
Open OTL and click on Clean Up and it will remove programs we used to clean your system along with there backups, any programs that where not removed you can just drag to the trash.
Malwarebytes is the free version and yours to keep and will not be removed
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/index.php?showtopic=57817)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Safe Surfn
Ken
Your very welcome,
Take care,
Ken :)
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.