My giftload.click problem woops

cycleex

New member
Hello - I seem to have gotten this terrible infection yesterday. I think I picked it up from a Google image result page when I visited a wallpapers page, but I didn't download anything intentionally. I saw a pop-up and tried to click No, but I think I clicked the wrong button when going too quickly. I aborted the install process, I thought, but not fast enough.

I have a C drive with opsys and regular files but I also use 2 other internal drives in RAID1

Windows Vista Business SP1
I use only Firefox for browsing - no IE
I used IOLO System mechanic pro 10 on startup with all features enabled.
I have SpybotSD
I have Spyware doctor.

I checked the FAQs and downloaded Erunt and DDS
Erunt seems to have made a backup OK but after trying to run DDS, the txt I see is just full of garbled characters.

I have my laptop running also but they do not share drives and I have not used a thumbdrive at all this week.

Any help is appreciated.

Here is my Spybot log file from my last run an hour ago.
I am on Eastern time US

--- Search result list ---
Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2011-03-29 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-03-18 Includes\Adware.sbi (*)
2011-03-22 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2010-11-30 Includes\Hijackers.sbi (*)
2011-03-08 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-02-24 Includes\Malware.sbi (*)
2011-03-22 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-03-15 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2011-03-08 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-03-15 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-12-28 Includes\Trojans.sbi (*)
2011-03-22 Includes\TrojansC-02.sbi (*)
2011-03-03 Includes\TrojansC-03.sbi (*)
2011-03-08 Includes\TrojansC-04.sbi (*)
2011-03-21 Includes\TrojansC-05.sbi (*)
2011-03-08 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows Vista (Build: 6001) Service Pack 1 (6.0.6001)


--- Startup entries list ---
Located: HK_LM:Run, Conime
command: %windir%\system32\conime.exe
file: C:\Windows\system32\conime.exe
size: 69120
MD5: F96EBC5A624349D81DCC7600A3C5DC43

Located: HK_LM:Run, Corel File Shell Monitor
command: C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
file: C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
size: 16712
MD5: B4A8BA5ABF4BDBE0171ED23F7535654A

Located: HK_LM:Run, EKIJ5000StatusMonitor
command: C:\Windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
file: C:\Windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
size: 1638400
MD5: A3CF6E5E3AF52AEC92551A6D4F011C3D

Located: HK_LM:Run, HDAudDeck
command: C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe -r
file: C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
size: 15519744
MD5: 01BE90D0E016D674D1DD4A26387EDECE

Located: HK_LM:Run, iolo Startup
command: "C:\Program Files\iolo\Common\Lib\ioloLManager.exe"
file: C:\Program Files\iolo\Common\Lib\ioloLManager.exe
size: 434360
MD5: 48536B1B118F6AFD39DB547947AE83AD

Located: HK_LM:Run, ISTray
command: "C:\Program Files\PC Tools Security\pctsGui.exe" /hideGUI
file: C:\Program Files\PC Tools Security\pctsGui.exe
size: 1589208
MD5: 79F731182BB91E6BEE76803BF968C4AA

Located: HK_LM:Run, iTunesHelper
command: "C:\Program Files\iTunes\iTunesHelper.exe"
file: C:\Program Files\iTunes\iTunesHelper.exe
size: 421160
MD5: 2DFCB2393528446AEB9FB861A8FC39AB

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
file: C:\Windows\system32\NvCpl.dll
size: 13535776
MD5: 7522597DD61F651A95A471D798E08304

Located: HK_LM:Run, Windows Defender
command: %ProgramFiles%\Windows Defender\MSASCui.exe -hide
file: C:\Program Files\Windows Defender\MSASCui.exe
size: 1008184
MD5: 0D392EDE3B97E0B3131B2F63EF1DB94E

Located: HK_CU:Run, Irocamodetak
where: S-1-5-21-522819725-4015885625-1306769688-1000...
command: rundll32.exe "C:\Users\1\AppData\Local\mscluay.dll",Startup
file: "C:\Users\1\AppData\Local\mscluay.dll"
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{D4027C7F-154A-4066-A1AD-4243D8127440} (Ask Toolbar BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: Ask Toolbar BHO
CLSID name:

{DBC80044-A445-435b-BC74-9C25C1C588A9} (Java(tm) Plug-In 2 SSV Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Java(tm) Plug-In 2 SSV Helper
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2ssv.dll
Short name:
Date (created): 9/15/2010 7:20:48 AM
Date (last access): 11/19/2010 1:16:04 PM
Date (last write): 9/15/2010 7:20:48 AM
Filesize: 41760
Attributes: archive
MD5: 3F59EDE1444C14CFBAA15C7EBBFE6196
CRC32: 847C94E6
Version: 6.0.220.4



--- ActiveX list ---
{483EB14D-AF1C-4951-81B0-4E2B41829FF6} ()
DPF name:
CLSID name:
Installer:
Codebase: https://www.select2perform.com/cabs/QOLCheck.ocx

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_22
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2iexp.dll
Short name:
Date (created): 11/18/2010 4:16:58 PM
Date (last access): 9/15/2074 5:52:30 AM
Date (last write): 9/15/2010 5:50:40 AM
Filesize: 108320
Attributes: archive
MD5: 6A25F175BC9D7709ABEA66086489121D
CRC32: 3BFA8F9A
Version: 6.0.220.4

{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_05
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_05.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2iexp.dll
Short name:
Date (created): 11/18/2010 4:16:58 PM
Date (last access): 9/15/2074 5:52:30 AM
Date (last write): 9/15/2010 5:50:40 AM
Filesize: 108320
Attributes: archive
MD5: 6A25F175BC9D7709ABEA66086489121D
CRC32: 3BFA8F9A
Version: 6.0.220.4

{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_22
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2iexp.dll
Short name:
Date (created): 11/18/2010 4:16:58 PM
Date (last access): 9/15/2074 5:52:30 AM
Date (last write): 9/15/2010 5:50:40 AM
Filesize: 108320
Attributes: archive
MD5: 6A25F175BC9D7709ABEA66086489121D
CRC32: 3BFA8F9A
Version: 6.0.220.4

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_22
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_22.dll
Short name: NPJPI1~1.DLL
Date (created): 9/15/2010 3:29:52 AM
Date (last access): 9/15/2074 5:52:42 AM
Date (last write): 9/15/2010 5:50:46 AM
Filesize: 141088
Attributes: archive
MD5: AFB7EFCDE5277F6514EF0E9FF8D8D862
CRC32: 2A43B8CC
Version: 6.0.220.4



--- Process list ---
PID: 2128 (2076) C:\Program Files\PC Tools Security\pctsGui.exe
size: 1589208
MD5: 79F731182BB91E6BEE76803BF968C4AA
PID: 2816 (1120) C:\Windows\system32\Dwm.exe
size: 81920
MD5: 59903071D7ACE6A02093C47E9E38AF97
PID: 4040 (2136) C:\Windows\Explorer.EXE
size: 2927104
MD5: 4F554999D7D5F05DAAEBBA7B5BA1089D
PID: 2668 (1140) C:\Windows\system32\wuauclt.exe
size: 53472
MD5: 62BB79160F86CD962F312C68C6239BFD
PID: 2900 (4040) C:\Program Files\Windows Defender\MSASCui.exe
size: 1008184
MD5: 0D392EDE3B97E0B3131B2F63EF1DB94E
PID: 4084 (4040) C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
size: 15519744
MD5: 01BE90D0E016D674D1DD4A26387EDECE
PID: 3540 (4040) C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
size: 16712
MD5: B4A8BA5ABF4BDBE0171ED23F7535654A
PID: 3204 (4040) C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
size: 1638400
MD5: A3CF6E5E3AF52AEC92551A6D4F011C3D
PID: 3848 (4040) C:\Program Files\iTunes\iTunesHelper.exe
size: 421160
MD5: 2DFCB2393528446AEB9FB861A8FC39AB
PID: 3168 (4040) C:\Windows\System32\rundll32.exe
size: 44544
MD5: 4B555106290BD117334E9A08761C035A
PID: 3712 (4040) C:\Program Files\Mozilla Firefox\firefox.exe
size: 912344
MD5: 0F3FA9FDB976C567EC0491685CF4FDF7
PID: 4056 (2904) C:\Windows\system32\taskeng.exe
size: 171520
MD5: EAFB5897AC9CD84890171AC38862320F
PID: 5440 (2904) C:\Windows\system32\wuauclt.exe
size: 53472
MD5: 62BB79160F86CD962F312C68C6239BFD
PID: 5248 (4040) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5365592
MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID: 0 ( 0) [System Process]
PID: 4 ( 0) System
PID: 468 ( 4) smss.exe
size: 64000
PID: 560 ( 548) csrss.exe
size: 6144
PID: 608 ( 548) wininit.exe
size: 96768
PID: 616 ( 600) csrss.exe
size: 6144
PID: 652 ( 608) services.exe
size: 279040
PID: 664 ( 608) lsass.exe
size: 9728
PID: 672 ( 608) lsm.exe
size: 229888
PID: 700 ( 600) winlogon.exe
size: 314880
PID: 860 ( 652) svchost.exe
size: 21504
PID: 912 ( 652) nvvsvc.exe
size: 118784
PID: 940 ( 652) svchost.exe
size: 21504
PID: 1016 ( 652) svchost.exe
size: 21504
PID: 1088 ( 652) svchost.exe
size: 21504
PID: 1120 ( 652) svchost.exe
size: 21504
PID: 1288 (1088) audiodg.exe
size: 88064
PID: 1316 ( 652) svchost.exe
size: 21504
PID: 1380 ( 652) SLsvc.exe
size: 2623488
PID: 1440 ( 652) svchost.exe
size: 21504
PID: 1528 ( 912) rundll32.exe
size: 44544
PID: 1592 ( 652) svchost.exe
size: 21504
PID: 1864 ( 652) spoolsv.exe
size: 126464
PID: 1904 ( 652) svchost.exe
size: 21504
PID: 528 ( 652) AppleMobileDeviceService.exe
PID: 524 ( 652) mDNSResponder.exe
PID: 1516 ( 652) ekdiscovery.exe
PID: 1408 ( 652) svchost.exe
size: 21504
PID: 1644 ( 652) PsiService_2.exe
PID: 2060 ( 652) pctsAuxs.exe
PID: 2076 ( 652) pctsSvc.exe
PID: 2168 ( 652) svchost.exe
size: 21504
PID: 2196 ( 652) vsedsps.exe
PID: 2252 ( 652) svchost.exe
size: 21504
PID: 2312 ( 652) SearchIndexer.exe
size: 302080
PID: 2344 ( 652) vseamps.exe
PID: 2448 ( 652) SDWinSec.exe
MD5: 794D4B48DFB6E999537C7C3947863463
PID: 2548 (1120) WUDFHost.exe
size: 142336
PID: 2528 ( 652) iPodService.exe
PID: 2904 ( 652) svchost.exe
size: 21504
PID: 4504 (2904) taskeng.exe
size: 171520
PID: 5688 (2904) taskeng.exe
size: 171520
PID: 4460 (4040) C:\Program Files\Mozilla Firefox\firefox.exe
size: 912344
MD5: 0F3FA9FDB976C567EC0491685CF4FDF7
PID: 5168 (2312) SearchProtocolHost.exe
size: 179200
PID: 4224 (2312) SearchFilterHost.exe
size: 76800


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 3/30/2011 4:22:06 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\Windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\Windows\System32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896


--- Winsock Layered Service Provider list ---
Protocol 0: iolo System Shield over [MSAFD Tcpip [TCP/IP]]
GUID: {675963A8-C019-4E5C-B384-3311400E063C}
Filename: C:\Windows\system32\iavlsp.dll

Protocol 1: iolo System Shield over [MSAFD Tcpip [UDP/IP]]
GUID: {2E3F279E-FE22-4166-A228-DAF44EB32487}
Filename: C:\Windows\system32\iavlsp.dll

Protocol 2: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 4: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 5: MSAFD Tcpip [TCP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 6: MSAFD Tcpip [UDP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 7: MSAFD Tcpip [RAW/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 8: RSVP TCPv6 Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 9: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 10: RSVP UDPv6 Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 11: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 12: iolo System Shield
GUID: {4BBEB896-088E-44CB-A88F-193AD0CCABEC}
Filename: C:\Windows\system32\iavlsp.dll

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9591D242-AFC1-4FB2-804F-63B35A98AE69}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9591D242-AFC1-4FB2-804F-63B35A98AE69}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{44E983D2-22F1-4957-80A8-3D098BC11B18}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{44E983D2-22F1-4957-80A8-3D098BC11B18}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{8140FCBC-F926-41EB-BE7F-D03644C5AC3B}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{8140FCBC-F926-41EB-BE7F-D03644C5AC3B}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{9591D242-AFC1-4FB2-804F-63B35A98AE69}] SEQPACKET 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{9591D242-AFC1-4FB2-804F-63B35A98AE69}] DATAGRAM 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Network Location Awareness Legacy (NLAv1) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename:
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 1: E-mail Naming Shim Provider
GUID: {964ACBA2-B2BC-40EB-8C6A-A6DB40161CAE}
Filename:

Namespace Provider 2: PNRP Cloud Namespace Provider
GUID: {03FE89CE-766D-4976-B9C1-BB9BC42C7B4D}
Filename:

Namespace Provider 3: PNRP Name Namespace Provider
GUID: {03FE89CD-766D-4976-B9C1-BB9BC42C7B4D}
Filename:

Namespace Provider 4: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename:
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 5: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 6: mdnsNSP
GUID: {B600E6E9-553B-4A19-8696-335E5C896153}
Filename: C:\Program Files\Bonjour\mdnsNSP.dll
Description: Apple Rendezvous protocol
DB filename: %ProgramFiles%\Rendezvous\bin\mdnsNSP.dll
DB protocol: mdnsNSP
 


Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.



Please download ATF Cleaner by Atribune to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your password and other personal information, as removing cookies will temporarily disable the auto-login facility.





Please download Malwarebytes from Here or Here

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please







OTL by OldTimer
  • Download OTL to your desktop.
  • Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Click the "Scan All Users" checkbox.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL. folder on your C:\ drive if they fail to open automatically.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
 
Hi Ken! Thanks for helping.
I ran ATF cleaner like you asked.

I ran Malwarebytes after that. Here is the results log from that scan...
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6221

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19019

3/30/2011 9:12:13 PM
mbam-log-2011-03-30 (21-12-13).txt

Scan type: Quick scan
Objects scanned: 141146
Time elapsed: 5 minute(s), 35 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
c:\Windows\System32\config\systemprofile\AppData\Local\eba.exe (Trojan.Agent) -> 2088 -> Unloaded process successfully.
c:\Windows\System32\config\systemprofile\AppData\Local\eba.exe (Trojan.Agent) -> 4116 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Irocamodetak (Trojan.Hiloti.Gen) -> Value: Irocamodetak -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\config\systemprofile\AppData\Local\eba.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\1\AppData\Local\mscluay.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\Users\1\local settings\application data\mscluay.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.


I am going to run OTL now since you asked that I post this log result and then mentioned the OTL scan in your instructions.
 
Hi Ken, here is my OTL log...standing by.

OTL logfile created on: 3/30/2011 9:28:53 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\1\Desktop
Windows Vista Business Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 49.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 49.44 Gb Free Space | 33.17% Space Free | Partition Type: NTFS
Drive J: | 464.84 Gb Total Space | 283.30 Gb Free Space | 60.95% Space Free | Partition Type: NTFS

Computer Name: DAVESBIGMACHINE | User Name: 1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\1\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe ()
PRC - C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (iolo technologies, LLC)
PRC - C:\Program Files\PC Tools Security\pctsGui.exe (PC Tools)
PRC - C:\Program Files\PC Tools Security\pctsSvc.exe (PC Tools)
PRC - C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company)
PRC - C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
PRC - C:\Program Files\PC Tools Security\pctsAuxs.exe (PC Tools)
PRC - C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe (Authentium, Inc)
PRC - C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe (Authentium, Inc)
PRC - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe ()
PRC - C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe (VIA)
PRC - C:\Windows\System32\audiodg.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)


========== Modules (SafeList) ==========

MOD - C:\Users\1\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18523_none_5cdd65e20837faf2\comctl32.dll (Microsoft Corporation)
MOD - C:\Program Files\PC Tools Security\PCTGMhk.dll (PC Tools)


========== Win32 Services (SafeList) ==========

SRV - (ioloSystemService) -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (iolo technologies, LLC)
SRV - (ioloFileInfoList) -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (iolo technologies, LLC)
SRV - (sdCoreService) -- C:\Program Files\PC Tools Security\pctsSvc.exe (PC Tools)
SRV - (Kodak AiO Network Discovery Service) -- C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company)
SRV - (sdAuxService) -- C:\Program Files\PC Tools Security\pctsAuxs.exe (PC Tools)
SRV - (vseqrts) -- C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe (Authentium, Inc)
SRV - (vsedsps) -- C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe (Authentium, Inc)
SRV - (vseamps) -- C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe (Authentium, Inc)
SRV - (SBSDWSCService) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
SRV - (PSI_SVC_2) -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)


========== Driver Services (SafeList) ==========

DRV - (PCTCore) -- C:\Windows\system32\drivers\PCTCore.sys (PC Tools)
DRV - (pctEFA) -- C:\Windows\system32\drivers\pctEFA.sys (PC Tools)
DRV - (pctDS) -- C:\Windows\system32\drivers\pctDS.sys (PC Tools)
DRV - (FileDisk) -- C:\Windows\System32\drivers\filedisk.sys (iolo technologies, LLC (based on original work by Bo Brantén))
DRV - (AMP) -- C:\Windows\System32\drivers\amp.sys (Authentium, Inc)
DRV - (AMPSE) -- C:\Windows\System32\drivers\ampse.sys (Authentium, Inc)
DRV - (ElRawDisk) -- C:\Windows\System32\drivers\ElRawDsk.sys (EldoS Corporation)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (VIAHdAudAddService) -- C:\Windows\System32\drivers\viahduaa.sys (VIA Technologies, Inc.)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation )
DRV - (AtiPcie) ATI PCI Express (3GIO) -- C:\Windows\system32\DRIVERS\AtiPcie.sys (ATI Technologies Inc.)
DRV - (nsiproxy) -- C:\Windows\System32\drivers\nsiproxy.sys ()
DRV - (SiFilter) -- C:\Windows\system32\DRIVERS\SiWinAcc.sys (Silicon Image, Inc)
DRV - (SI3114r) -- C:\Windows\system32\DRIVERS\SI3114r.sys (Silicon Image, Inc)
DRV - (MTsensor) -- C:\Windows\System32\drivers\ASACPI.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 6C EB 20 59 84 C8 CB 01 [binary data]
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: calendar-timezones@mozilla.org:0.1.2008d
FF - prefs.js..extensions.enabledItems: default-palette@celtx.com:1.0
FF - prefs.js..extensions.enabledItems: emoticons-msn-smileys@m513901.de:0.1
FF - prefs.js..extensions.enabledItems: inspector@mozilla.org:2.0.0
FF - prefs.js..extensions.enabledItems: messagestyle-blackened@addons.instantbird.org:0.9
FF - prefs.js..extensions.enabledItems: messagestyle-depth@addons.instantbird.org:1.1
FF - prefs.js..extensions.enabledItems: messagestyle-minimal20@addons.instantbird.org:1.5

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/23 23:09:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/23 23:09:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.7\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/02/18 16:17:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.7\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2011/03/07 23:04:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Extensions
[2011/02/18 16:18:10 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/03/07 23:04:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Extensions\celtx@celtx.com
[2011/03/30 14:00:06 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions
[2010/11/18 00:14:03 | 000,000,000 | ---D | M] (Map This) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{05f6a7ea-896b-11da-8bde-f66bad1e3f3a}
[2010/11/21 01:04:13 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/01/08 00:10:40 | 000,000,000 | ---D | M] (New Tab Homepage) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
[2011/02/09 14:38:50 | 000,000,000 | ---D | M] ("Gmail Checker") -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{6BFD307A-C040-11DA-9749-FB1C850B47DF}
[2011/03/29 19:19:21 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/03/12 14:20:17 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2010/11/18 00:16:51 | 000,000,000 | ---D | M] (Zoom toolbar) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{FBFB7597-9E32-46b4-A500-8B6B0412777F}
[2011/03/29 19:19:41 | 000,000,000 | ---D | M] ("Xmarks") -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\foxmarks@kei.com
[2011/03/25 16:19:58 | 000,000,000 | ---D | M] (Cooliris) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\piclens@cooliris.com
[2011/03/25 16:19:58 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\piclens@cooliris.com-trash
[2011/01/26 13:54:53 | 000,000,000 | ---D | M] (printpdf) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\printpdf@pavlov.net
[2011/03/22 09:59:34 | 000,000,000 | ---D | M] (Screen Capture Elite) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\screencaptureelite@plugin
[2011/02/09 14:38:55 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/18 16:17:30 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/11/19 13:17:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/03/07 23:04:02 | 000,000,000 | ---D | M] (Timezone Definitions for Mozilla Calendar) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\CALENDAR-TIMEZONES@MOZILLA.ORG
[2011/03/07 23:04:02 | 000,000,000 | ---D | M] (Default Shot Palette) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\DEFAULT-PALETTE@CELTX.COM
[2011/03/07 23:04:02 | 000,000,000 | ---D | M] (MSN-Smileys) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\EMOTICONS-MSN-SMILEYS@M513901.DE
[2011/03/07 23:04:01 | 000,000,000 | ---D | M] (DOM Inspector) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\INSPECTOR@MOZILLA.ORG
[2011/03/07 23:04:01 | 000,000,000 | ---D | M] (Blackened) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-BLACKENED@ADDONS.INSTANTBIRD.ORG
[2011/03/07 23:04:01 | 000,000,000 | ---D | M] (Depth) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-DEPTH@ADDONS.INSTANTBIRD.ORG
[2011/03/07 23:04:01 | 000,000,000 | ---D | M] (Minimal) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-MINIMAL20@ADDONS.INSTANTBIRD.ORG
[2010/09/15 05:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/03/29 23:30:54 | 000,431,419 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 14852 more lines...
O2 - BHO: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [Conime] C:\Windows\System32\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe ()
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe (VIA)
O4 - HKLM..\Run: [iolo Startup] C:\Program Files\iolo\Common\Lib\ioloLManager.exe (iolo technologies, LLC)
O4 - HKLM..\Run: [ISTray] C:\Program Files\PC Tools Security\pctsGui.exe (PC Tools)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Windows\System32\iavlsp.dll (iolo technologies, LLC)
O13 - gopher Prefix: missing
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} https://www.select2perform.com/cabs/QOLCheck.ocx (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab (Java Plug-in 1.5.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.73.246 68.87.71.230
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O35 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/30 21:04:30 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Roaming\Malwarebytes
[2011/03/30 21:04:25 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/03/30 21:04:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/03/30 21:04:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/03/30 21:04:19 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/03/30 21:04:18 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/03/30 20:54:51 | 000,000,000 | ---D | C] -- C:\Users\1\Desktop\insightdesk
[2011/03/30 20:47:44 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\1\Desktop\OTL.exe
[2011/03/30 20:45:24 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Users\1\Desktop\ATF-Cleaner.exe
[2011/03/30 15:55:47 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/03/30 15:18:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2011/03/30 15:18:47 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/03/30 07:22:44 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2011/03/29 23:04:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2011/03/29 23:04:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2011/03/29 23:04:09 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/03/29 20:34:56 | 000,656,320 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctEFA.sys
[2011/03/29 20:34:56 | 000,338,880 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctDS.sys
[2011/03/29 20:34:55 | 000,251,560 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctgntdi.sys
[2011/03/29 20:34:55 | 000,103,232 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctwfpfilter.sys
[2011/03/29 20:34:52 | 000,239,168 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTCore.sys
[2011/03/29 20:34:52 | 000,160,448 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTAppEvent.sys
[2011/03/29 20:34:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Tools Security
[2011/03/29 20:34:43 | 000,070,536 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctplsg.sys
[2011/03/29 20:34:30 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools Security
[2011/03/29 20:34:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2011/03/29 20:15:36 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Roaming\A73E968968A3CE87240B6191056A7C13
[2011/03/16 18:26:56 | 000,056,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\offreg.dll
[2011/03/09 10:06:14 | 000,429,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll
[2011/03/09 10:06:14 | 000,323,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sbe.dll
[2011/03/09 10:06:13 | 000,177,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax
[2011/03/09 10:06:13 | 000,153,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sbeio.dll
[2011/03/08 16:09:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics
[2011/03/08 16:09:42 | 000,000,000 | ---D | C] -- C:\Program Files\Auslogics
[2011/03/08 16:07:46 | 004,537,088 | ---- | C] (Auslogics Software Pty Ltd ) -- C:\Users\1\Desktop\duplicate-file-finder-setup.exe
[2011/03/07 23:04:22 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Roaming\Greyfirst
[2011/03/07 23:04:22 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Local\Greyfirst
[2011/03/07 23:04:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Celtx
[2011/03/07 23:03:56 | 000,000,000 | ---D | C] -- C:\Program Files\Celtx
[2011/03/02 17:53:48 | 000,000,000 | ---D | C] -- C:\ProgramData\eMule
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/30 21:21:14 | 000,595,446 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/03/30 21:21:14 | 000,101,144 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/03/30 21:16:48 | 000,000,448 | ---- | M] () -- C:\Windows\System32\iolo.ini
[2011/03/30 21:16:27 | 000,000,872 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/30 21:16:20 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/03/30 21:16:20 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/03/30 21:16:12 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/03/30 21:15:59 | 2144,493,568 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/30 21:12:04 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/30 21:04:47 | 000,009,946 | -HS- | M] () -- C:\Users\1\AppData\Local\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 21:04:25 | 000,000,938 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/30 20:53:29 | 000,009,954 | -HS- | M] () -- C:\ProgramData\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 20:47:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\1\Desktop\OTL.exe
[2011/03/30 20:45:25 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Users\1\Desktop\ATF-Cleaner.exe
[2011/03/30 20:43:36 | 000,001,356 | ---- | M] () -- C:\Users\1\AppData\Local\d3d9caps.dat
[2011/03/30 17:28:04 | 000,000,848 | -HS- | M] () -- C:\ProgramData\KGyGaAvL.sys
[2011/03/30 15:55:32 | 000,000,746 | ---- | M] () -- C:\Users\1\Desktop\ERUNT.lnk
[2011/03/30 15:23:08 | 000,625,664 | ---- | M] () -- C:\Users\1\Desktop\dds.scr
[2011/03/29 23:30:54 | 000,431,419 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/03/29 23:29:36 | 000,431,419 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20110329-233054.backup
[2011/03/29 20:35:15 | 001,772,938 | ---- | M] () -- C:\Windows\System32\drivers\Cat.DB
[2011/03/25 18:05:16 | 000,002,121 | ---- | M] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Earth.lnk
[2011/03/15 15:24:20 | 000,087,688 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\IncContxMenu.dll
[2011/03/15 15:23:32 | 000,011,776 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\smrgdf.exe
[2011/03/15 15:23:26 | 000,029,696 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\iolobtdfg.exe
[2011/03/15 15:21:16 | 002,234,552 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\Incinerator.dll
[2011/03/15 12:10:27 | 002,503,745 | ---- | M] () -- C:\Users\1\Desktop\Amy Ernst greatest person of the day Huffington.jpeg
[2011/03/08 16:07:49 | 004,537,088 | ---- | M] (Auslogics Software Pty Ltd ) -- C:\Users\1\Desktop\duplicate-file-finder-setup.exe
[2011/03/07 23:04:10 | 000,001,670 | ---- | M] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Celtx.lnk
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/30 21:16:48 | 000,000,448 | ---- | C] () -- C:\Windows\System32\iolo.ini
[2011/03/30 21:04:25 | 000,000,938 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/30 20:50:06 | 2144,493,568 | -HS- | C] () -- C:\hiberfil.sys
[2011/03/30 20:43:09 | 000,009,946 | -HS- | C] () -- C:\Users\1\AppData\Local\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 16:33:41 | 000,009,954 | -HS- | C] () -- C:\ProgramData\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 15:55:32 | 000,000,746 | ---- | C] () -- C:\Users\1\Desktop\ERUNT.lnk
[2011/03/30 15:23:04 | 000,625,664 | ---- | C] () -- C:\Users\1\Desktop\dds.scr
[2011/03/25 18:05:16 | 000,002,121 | ---- | C] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Earth.lnk
[2011/03/15 12:10:25 | 002,503,745 | ---- | C] () -- C:\Users\1\Desktop\Amy Ernst greatest person of the day Huffington.jpeg
[2011/03/07 23:04:10 | 000,001,670 | ---- | C] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Celtx.lnk
[2011/02/09 17:18:52 | 000,000,418 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/02/09 14:16:25 | 000,000,094 | ---- | C] () -- C:\Windows\awshkwv.ini
[2011/02/04 20:33:09 | 000,000,010 | ---- | C] () -- C:\Windows\Wininit.ini
[2010/12/17 20:24:26 | 000,009,216 | ---- | C] () -- C:\Users\1\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/21 00:45:52 | 000,176,235 | ---- | C] () -- C:\Windows\System32\Primomonnt.dll
[2010/11/18 18:07:41 | 000,373,248 | ---- | C] () -- C:\Windows\EyeCand3.INI
[2010/11/18 17:35:19 | 000,000,848 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
[2010/11/17 23:54:02 | 000,074,703 | ---- | C] () -- C:\Windows\System32\mfc45.dll
[2010/11/17 22:13:09 | 000,007,680 | ---- | C] () -- C:\Windows\System32\drivers\ASACPI.sys
[2010/11/17 22:13:01 | 000,030,434 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
[2010/11/17 22:09:26 | 000,001,356 | ---- | C] () -- C:\Users\1\AppData\Local\d3d9caps.dat
[2009/12/20 21:42:18 | 000,000,314 | ---- | C] () -- C:\Windows\primopdf.ini
[2008/01/20 22:25:51 | 000,062,976 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2008/01/20 22:25:11 | 000,016,384 | ---- | C] () -- C:\Windows\System32\drivers\nsiproxy.sys
[2008/01/20 22:24:41 | 000,100,043 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2007/12/28 03:22:02 | 000,010,296 | ---- | C] () -- C:\Windows\System32\drivers\ASUSHWIO.SYS
[2006/11/02 08:56:48 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 08:47:43 | 000,251,672 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 06:33:01 | 000,595,446 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 06:33:01 | 000,101,144 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/02 03:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin

========== LOP Check ==========

[2011/03/29 20:44:30 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\A73E968968A3CE87240B6191056A7C13
[2011/03/30 12:15:46 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\BitTorrent
[2010/11/18 12:22:06 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\Foxit Software
[2011/03/07 23:04:22 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\Greyfirst
[2010/12/16 16:11:16 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\iolo
[2010/11/20 20:54:01 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\NeatImage PS
[2010/11/23 10:29:19 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\OpenOffice.org
[2011/01/26 13:42:45 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\PrimoPDF
[2011/03/01 15:19:38 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\Temp
[2011/02/18 16:18:09 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\Thunderbird
[2011/03/30 21:13:29 | 000,032,562 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 208 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84

< End of report >
 
OTL Extras logfile created on: 3/30/2011 9:28:54 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\1\Desktop
Windows Vista Business Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 49.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 49.44 Gb Free Space | 33.17% Space Free | Partition Type: NTFS
Drive J: | 464.84 Gb Total Space | 283.30 Gb Free Space | 60.95% Space Free | Partition Type: NTFS

Computer Name: DAVESBIGMACHINE | User Name: 1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)

[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*

[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*

[HKEY_USERS\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Browse with Corel Paint Shop Pro Photo X2] -- "C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\Corel Paint Shop Pro Photo.exe" "%L" (Corel, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av" = 1
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0A8A8058-DA51-4421-BF54-E9202790A6A4}" = lport=9322 | protocol=6 | dir=in | name=ekdiscovery |
"{B1D1F633-0246-4A4D-AA6C-86E0C8F51405}" = lport=5353 | protocol=17 | dir=in | name=bonjour port 5353 |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0138D0BB-7F4B-455E-A0E4-53C0422709BE}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{5EDD8C94-953B-4137-82B9-C39602BE05D2}" = protocol=6 | dir=in | app=c:\program files\iolo\system mechanic professional\sysmech.exe |
"{A9718FA5-33F8-4437-807A-6B7345DA789A}" = dir=in | app=c:\program files\itunes\itunes.exe |
"{E262BA75-18B5-4246-8238-D689FDF01014}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{FB253B2B-5A03-420D-8793-6FD6948F98A2}" = protocol=17 | dir=in | app=c:\program files\iolo\system mechanic professional\sysmech.exe |
"TCP Query User{6A683606-2861-454E-AD38-84A8C8AD1EF5}C:\program files\google\google earth\client\googleearth.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
"TCP Query User{C6EE8DEF-E2CB-43D4-9B38-C0C4B9395A04}C:\program files\emule\emule.exe" = protocol=6 | dir=in | app=c:\program files\emule\emule.exe |
"TCP Query User{E75502DE-1F00-48F0-8DF2-D1ACAFF6ABF8}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=6 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe |
"UDP Query User{1D671F8C-9446-4B65-8257-C4AAE1940031}C:\program files\google\google earth\client\googleearth.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\client\googleearth.exe |
"UDP Query User{510AD074-BB5F-422F-9A58-3D5EA0D34C43}C:\program files\emule\emule.exe" = protocol=17 | dir=in | app=c:\program files\emule\emule.exe |
"UDP Query User{FE43DC31-A168-415D-8531-40C2543D7C91}C:\program files\google\google earth\plugin\geplugin.exe" = protocol=17 | dir=in | app=c:\program files\google\google earth\plugin\geplugin.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0645A454-AD44-4F0D-99CF-6B762735AD1F}" = aioprnt
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 22
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{30DBAD4A-BA6D-4F9D-8AB0-2F6C7B0612A4}" = AVSDK5
"{3248F0A8-6813-11D6-A77B-00B0D0150050}" = J2SE Runtime Environment 5.0 Update 5
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{56BA241F-580C-43D2-8403-947241AAE633}" = center
"{5A13987D-55F4-4271-A40E-76AC9B1B38FD}" = OpenOffice.org 3.2
"{64E72FB1-2343-4977-B4A8-262CD53D0BD3}" = Corel Paint Shop Pro Photo X2
"{6845255F-15CC-4DD1-94D5-D38F370118B3}_is1" = Auslogics Duplicate File Finder
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BBD3F66B-1180-4785-B679-3F91572CD3B4}_is1" = iolo technologies' System Mechanic Professional
"{C158BAF3-D76F-FE96-2934-A5940020A971}" = ATI Catalyst Install Manager
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C768790F-04FB-11E0-9B2C-001AA037B01E}" = Google Earth
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DA5BDB2A-12F0-4343-8351-21AAEB293990}" = PreReq
"{DE6B7599-D3EF-4436-8836-BAA0B0D7768D}" = aiofw
"{E0F274B7-592B-4669-8FB8-8D9825A09858}" = KODAK AiO Home Center
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{FAE36873-1941-4076-A9A5-48812B5EA0B7}" = iTunes
"{FE24086F-3B0C-4C47-A874-97A7B8E2FBBE}" = aioscnnr
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Celtx (2.9)" = Celtx (2.9)
"ERUNT_is1" = ERUNT 1.1j
"Eye Candy 3" = Eye Candy 3
"Eye Candy 4000" = Eye Candy 4000 Demo
"Foxit PDF Editor" = Foxit PDF Editor
"Foxit Reader" = Foxit Reader
"Google Chrome" = Google Chrome
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.16)" = Mozilla Firefox (3.6.16)
"Mozilla Thunderbird (3.1.7)" = Mozilla Thunderbird (3.1.7)
"Neat Image_is1" = Neat Image v6 Demo (with plug-in)
"NVIDIA Drivers" = NVIDIA Drivers
"Picasa 3" = Picasa 3
"PrimoPDF" = PrimoPDF -- brought to you by Nitro PDF Software
"Spyware Doctor" = Spyware Doctor 8.0
"virtualPhotographer_is1" = virtualPhotographer 1.5.6
"WinRAR archiver" = WinRAR archiver

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/30/2011 6:03:45 PM | Computer Name = davesbigmachine | Source = SPP | ID = 16387
Description =

Error - 3/30/2011 6:03:45 PM | Computer Name = davesbigmachine | Source = System Restore | ID = 8193
Description =

Error - 3/30/2011 7:13:10 PM | Computer Name = davesbigmachine | Source = SPP | ID = 16387
Description =

Error - 3/30/2011 7:13:10 PM | Computer Name = davesbigmachine | Source = System Restore | ID = 8193
Description =

Error - 3/30/2011 7:13:10 PM | Computer Name = davesbigmachine | Source = System Restore | ID = 8210
Description =

Error - 3/30/2011 8:24:29 PM | Computer Name = davesbigmachine | Source = WinMgmt | ID = 10
Description =

Error - 3/30/2011 8:41:33 PM | Computer Name = davesbigmachine | Source = WinMgmt | ID = 10
Description =

Error - 3/30/2011 8:41:48 PM | Computer Name = davesbigmachine | Source = EventSystem | ID = 4609
Description =

Error - 3/30/2011 8:50:48 PM | Computer Name = davesbigmachine | Source = WinMgmt | ID = 10
Description =

Error - 3/30/2011 9:16:44 PM | Computer Name = davesbigmachine | Source = WinMgmt | ID = 10
Description =

[ iolo Applications Events ]
Error - 3/30/2011 1:16:35 AM | Computer Name = davesbigmachine | Source = System Shield | ID = 17
Description =

Error - 3/30/2011 1:17:08 AM | Computer Name = davesbigmachine | Source = System Shield | ID = 17
Description =

Error - 3/30/2011 1:42:52 AM | Computer Name = davesbigmachine | Source = System Shield | ID = 17
Description =

Error - 3/30/2011 4:18:09 AM | Computer Name = davesbigmachine | Source = System Shield | ID = 17
Description =

Error - 3/30/2011 7:18:09 AM | Computer Name = davesbigmachine | Source = System Shield | ID = 17
Description =

Error - 3/30/2011 10:19:09 AM | Computer Name = davesbigmachine | Source = System Shield | ID = 17
Description =

[ System Events ]
Error - 3/16/2011 6:29:23 PM | Computer Name = davesbigmachine | Source = HTTP | ID = 15016
Description =

Error - 3/16/2011 7:12:47 PM | Computer Name = davesbigmachine | Source = HTTP | ID = 15016
Description =

Error - 3/17/2011 12:48:38 PM | Computer Name = davesbigmachine | Source = HTTP | ID = 15016
Description =

Error - 3/18/2011 7:57:22 PM | Computer Name = davesbigmachine | Source = HTTP | ID = 15016
Description =

Error - 3/22/2011 9:55:06 AM | Computer Name = davesbigmachine | Source = HTTP | ID = 15016
Description =

Error - 3/22/2011 11:18:21 PM | Computer Name = davesbigmachine | Source = HTTP | ID = 15016
Description =

Error - 3/23/2011 11:52:53 AM | Computer Name = davesbigmachine | Source = HTTP | ID = 15016
Description =

Error - 3/24/2011 9:47:29 AM | Computer Name = davesbigmachine | Source = HTTP | ID = 15016
Description =

Error - 3/25/2011 12:12:54 AM | Computer Name = davesbigmachine | Source = HTTP | ID = 15016
Description =

Error - 3/25/2011 11:39:47 AM | Computer Name = davesbigmachine | Source = HTTP | ID = 15016
Description =


< End of report >
 
Good Morning,

Ask Toolbar

* It promotes its toolbars on sites targeted at kids.
* It promotes its toolbars through ads that appear to be part of other companies' sites.
* It promotes its toolbars through other companies' spyware.
* It is installed without any disclosure whatsoever and without any consent from the user whatsoever.
* It solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
* It makes confusing changes to user's browsers - increasing Ask's revenues while taking users to pages they didn't intend to visit.




eMule
Any form of P2P ( File Sharing ) is dangerous. You're downloading that file from an unknown source; malware writers are in tune to this and have been using P2P as one of the latest ways of spreading their wares. You never know what's attached to that file; it's like playing Russian Roulette malwarewise.


You should be able to uninstall them both via Programs and features in the Control Panel.


Then.....

Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://aumha.org/downloads/erunt.zip
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
  • Inside the new folder, double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe







Open OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    Code:
    :processes
    killallprocesses
    
    :OTL
    O2 - BHO: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O3 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    [2011/03/29 23:29:36 | 000,431,419 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20110329-233054.backup
    @Alternate Data Stream - 208 bytes -> C:\ProgramData\TEMP:DFC5A2B2
    @Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
    
    
    :Services
    
    :Reg
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION] 
    "svchost.exe"=-
    
    :Files
    ipconfig /flushdns /c
    
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top. <--Not run Scan
  • Let the program run unhindered, reboot when it is done
  • Then post the results of the log it produces.
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
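
As an added illustration (not part of the original posts, and not OTL's own code): a small Python triage that pulls out of an OTL log the two kinds of entry the fix above targets, browser add-on registrations whose CLSID no longer resolves and alternate data streams. The line formats are assumed from the lines quoted in this thread, and the "Example Helper" entry is constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the flagged lines are the ones quoted in the fix above;
# the "Example Helper" line is invented to show a healthy entry.
SAMPLE_LOG = r"""
O2 - BHO: (Example Helper) - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll (Example Vendor)
O2 - BHO: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
@Alternate Data Stream - 208 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
"""

# O2/O3 line (format assumed): "<tag> - <location>: (<name>) - {CLSID} - <target>"
ADDON_RE = re.compile(
    r"^(?P<tag>O[23]) - (?P<where>.+?): \((?P<name>.*?)\) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"
)
# ADS line (format assumed): "@Alternate Data Stream - <n> bytes -> <path>:<stream>"
ADS_RE = re.compile(
    r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+):(?P<stream>[^:\\]+)$"
)

def triage(log_text):
    """Return (orphans, streams) found in OTL-style log text."""
    orphans = defaultdict(list)   # CLSID -> locations still registering it
    streams = []                  # (host path, stream name, size in bytes)
    for line in log_text.splitlines():
        line = line.strip()
        m = ADDON_RE.match(line)
        if m and m["target"].startswith("No CLSID value found"):
            orphans[m["clsid"].upper()].append(f'{m["tag"]} {m["where"]}')
            continue
        m = ADS_RE.match(line)
        if m:
            streams.append((m["path"], m["stream"], int(m["size"])))
    return dict(orphans), streams

if __name__ == "__main__":
    orphans, streams = triage(SAMPLE_LOG)
    for clsid, places in orphans.items():
        print(f"orphaned add-on {clsid}: {len(places)} registration(s)")
        for p in places:
            print("   ", p)
    for path, stream, size in streams:
        print(f"ADS {stream!r} ({size} bytes) on {path}")
```

Grouping by CLSID shows that the three registry entries in the fix all point at the same missing add-on.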
 
Hi Ken, I uninstalled Emule yesterday before we started talking. I used it once about a month ago. I screened the file I needed with my AV program and haven't used Emule since.
The Ask toolbar seems to be a problem. It is associated with my PDF program. It is an optional install item. I opted to not install as I hate tool bars, and it doesn't show up in my PDF or browser bars. I am not able to uninstall it though.
See my attached jpeg screen shot for the error uninstall generates. I am the administrator and I operate at the top level. I continually get this host message too. Here is the screen shot of that as well.

I'll wait for your response before I back up the reg. Also know that I have the ERUNT already, do I really need to DL again?

Dave
 
As long as ERUNT is fairly current, you can use the one you downloaded; if not, you can drag it to the trash and redownload it. Whatever, just make sure you back up your registry before you proceed with the fix.
 
I have tried to remove that ASK entry with no success. I even restarted in safe mode and tried to uninstall that way but no luck. Should I still proceed with reg backup?
 
I also have been getting this message on startup after the desktop loads, see attached.

Windows defender
Application failed to initialize
Dave
 
Let's do this, it looks like you have a rogue program causing you problems.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
 
Big problem Ken. I saved combofix.exe to desktop as requested. Double-clicked to start program, green status bar gets almost all the way across and then.... bluescreen and dump restart. First bluescreen ever on this machine (3 years old).
What now?
 
Here is what the "Windows has recovered from an unexpected shutdown" info on the next startup said....

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6001.2.1.0.256.6
Locale ID: 1033

Additional information about the problem:
BCCode: a
BCP1: 00000016
BCP2: 0000001B
BCP3: 00000000
BCP4: 81EFBBEF
OS Version: 6_0_6001
Service Pack: 1_0
Product: 256_1

Files that help describe the problem:
C:\Windows\Minidump\Mini033111-05.dmp
C:\Users\1\AppData\Local\Temp\WER-115768-0.sysdata.xml
C:\Users\1\AppData\Local\Temp\WER672B.tmp.version.txt
 
Also I just noticed this. Is this normal? I didn't intentionally block this.
Malwarebytes blocked on startup.

attached screenshot
 
Let's back up a bit and do this:

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

aswmbrscan.gif

Click the "Scan" button to start scan


aswmbrsavelog.gif

On completion of the scan click save log, save it to your desktop and post in your next reply
 