My giftload.click problem woops

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-31 20:30:21
-----------------------------
20:30:21.505 OS Version: Windows 6.0.6001 Service Pack 1
20:30:21.505 Number of processors: 4 586 0x203
20:30:21.505 ComputerName: DAVESBIGMACHINE UserName: 1
20:30:23.268 Initialize success
20:30:27.761 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
20:30:27.761 Disk 0 Vendor: WDC_WD1600AAJS-00B4A0 01.03A01 Size: 152627MB BusType: 3
20:30:27.776 Disk 1 \Device\Harddisk1\DR1 -> \Device\Scsi\SI3114r1Port4Path0Target0Lun0
20:30:27.776 Disk 1 Vendor: SiI_____ 1100 Size: 476939MB BusType: 1
20:30:27.776 Device \Device\Ide\IdeDeviceP0T1L0-2 -> \??\IDE#DiskWDC_WD1600AAJS-00B4A0___________________01.03A01#5&2e153c89&0&0.1.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
20:30:29.804 Disk 0 MBR read successfully
20:30:29.804 Disk 0 MBR scan
20:30:29.804 Disk 0 TDL4@MBR code has been found
20:30:29.820 Disk 0 MBR hidden
20:30:29.820 Disk 0 MBR [TDL4] **ROOTKIT**
20:30:29.835 Disk 0 trace - called modules:
20:30:29.835 ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll >>UNKNOWN [0x86216439]<<
20:30:29.851 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x852a85d8]
20:30:29.851 3 CLASSPNP.SYS[881a9745] -> nt!IofCallDriver -> [0x852a8e40]
20:30:29.867 5 PCTCore.sys[8079f099] -> nt!IofCallDriver -> [0x852a4878]
20:30:29.882 7 acpi.sys[8060f6a0] -> nt!IofCallDriver -> [0x85293ba0]
20:30:29.882 \Driver\atapi[0x85c6c908] -> IRP_MJ_CREATE -> 0x86216439
20:30:29.898 Scan finished successfully
 
Your system is infected with the TDL4 Rootkit; it didn't show up on the other scanners.


Re-Run aswMBR

Click Scan

On completion of the scan

Click the Fix Button
aswmbrtdl4.gif

Save the log as before and post in your next reply.
 
OK, here it is. I am also getting a hard disk error now which will require some tending. I think it is in my RAID. Can I make the repair before a failure?
Dave
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-31 21:00:23
-----------------------------
21:00:23.476 OS Version: Windows 6.0.6001 Service Pack 1
21:00:23.476 Number of processors: 4 586 0x203
21:00:23.476 ComputerName: DAVESBIGMACHINE UserName: 1
21:00:23.757 Initialize success
21:00:25.956 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-2
21:00:25.956 Disk 0 Vendor: WDC_WD1600AAJS-00B4A0 01.03A01 Size: 152627MB BusType: 3
21:00:25.956 Disk 1 \Device\Harddisk1\DR1 -> \Device\Scsi\SI3114r1Port4Path0Target0Lun0
21:00:25.972 Disk 1 Vendor: SiI_____ 1100 Size: 476939MB BusType: 1
21:00:28.000 Disk 0 MBR read successfully
21:00:28.000 Disk 0 MBR scan
21:00:30.012 Disk 0 scanning sectors +312578048
21:00:30.028 Disk 0 scanning C:\Windows\system32\drivers
21:00:33.398 Service scanning
21:00:36.440 Disk 0 trace - called modules:
21:00:36.455 ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
21:00:36.471 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x852a0030]
21:00:36.471 3 CLASSPNP.SYS[881a5745] -> nt!IofCallDriver -> [0x852a6658]
21:00:36.486 5 PCTCore.sys[8079a099] -> nt!IofCallDriver -> [0x8529b780]
21:00:36.486 7 acpi.sys[8060a6a0] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T1L0-2[0x8529bba0]
21:00:36.502 Scan finished successfully
 
Hi Ken.
Ran ComboFix just fine. Here is the log...

ComboFix 11-03-31.01 - 1 03/31/2011 21:29:56.1.4 - x86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.2046.1401 [GMT -4:00]
Running from: c:\users\1\Desktop\ComboFix.exe
SP: Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\DFRD143.tmp
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\1\AppData\Roaming\A73E968968A3CE87240B6191056A7C13
c:\users\1\AppData\Roaming\A73E968968A3CE87240B6191056A7C13\enemies-names.txt
c:\users\1\AppData\Roaming\A73E968968A3CE87240B6191056A7C13\local.ini
c:\users\1\AppData\Roaming\Adobe\plugs
c:\users\1\AppData\Roaming\Adobe\shed
.
----- BITS: Possible infected sites -----
.
hxxp://download.iolo.net
.
((((((((((((((((((((((((( Files Created from 2011-03-01 to 2011-04-01 )))))))))))))))))))))))))))))))
.
.
2011-04-01 01:39 . 2011-04-01 01:39 -------- d-----w- c:\users\1\AppData\Local\temp
2011-04-01 01:39 . 2011-04-01 01:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-30 11:22 . 2011-03-31 01:15 -------- d-----w- c:\windows\Sun
2011-03-30 03:04 . 2011-03-30 03:30 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-03-30 03:04 . 2011-03-30 03:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-30 00:34 . 2010-07-16 18:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-03-30 00:34 . 2010-07-16 18:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-03-30 00:34 . 2011-01-17 13:10 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-03-30 00:34 . 2010-12-16 12:38 103232 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2011-03-30 00:34 . 2010-12-10 20:57 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-03-30 00:34 . 2010-12-10 17:24 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-03-30 00:34 . 2010-12-16 12:46 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-03-30 00:34 . 2011-03-31 23:27 -------- d-----w- c:\program files\PC Tools Security
2011-03-30 00:34 . 2011-03-30 00:36 -------- d-----w- c:\program files\Common Files\PC Tools
2011-03-29 12:34 . 2011-03-15 04:05 6792528 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DC0945D2-7124-4CCE-943B-1E0BBBB8CA97}\mpengine.dll
2011-03-16 22:26 . 2010-02-09 02:59 56200 ----a-w- c:\windows\system32\offreg.dll
2011-03-09 14:06 . 2010-12-29 17:41 323072 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 14:06 . 2010-12-29 17:41 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 14:06 . 2010-12-29 17:41 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-09 14:06 . 2010-12-29 17:39 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 14:06 . 2010-12-17 16:43 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 14:06 . 2010-12-17 15:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-08 20:09 . 2011-03-08 20:09 -------- d-----w- c:\program files\Auslogics
2011-03-08 03:04 . 2011-03-08 03:04 -------- d-----w- c:\users\1\AppData\Roaming\Greyfirst
2011-03-08 03:04 . 2011-03-08 03:04 -------- d-----w- c:\users\1\AppData\Local\Greyfirst
2011-03-08 03:03 . 2011-03-08 03:04 -------- d-----w- c:\program files\Celtx
2011-03-02 21:53 . 2011-03-30 16:11 -------- d-----w- c:\programdata\eMule
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-30 21:28 . 2010-11-18 21:35 848 --sha-w- c:\programdata\KGyGaAvL.sys
2011-03-15 19:24 . 2010-11-18 15:41 87688 ----a-w- c:\windows\system32\IncContxMenu.dll
2011-03-15 19:23 . 2010-11-18 15:41 11776 ----a-w- c:\windows\system32\smrgdf.exe
2011-03-15 19:23 . 2010-11-18 15:41 29696 ----a-w- c:\windows\system32\iolobtdfg.exe
2011-03-15 19:21 . 2010-11-18 15:41 2234552 ----a-w- c:\windows\system32\Incinerator.dll
2011-02-02 22:11 . 2010-11-19 00:03 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-08 07:50 . 2011-02-09 22:42 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 05:57 . 2011-02-09 22:42 292352 ----a-w- c:\windows\system32\atmfd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\VDeck\VDeck.exe" [2008-05-21 15519744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13535776]
"iolo Startup"="c:\program files\iolo\Common\Lib\ioloLManager.exe" [2011-03-15 434360]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2008-08-08 16712]
"Conime"="c:\windows\system32\conime.exe" [2008-01-21 69120]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-22 136176]
R3 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2011-03-15 724152]
R3 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [2011-03-15 724152]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [2010-03-15 366840]
R3 vseqrts;vseqrts;c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe [2010-01-19 158248]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-12-10 239168]
S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2010-07-16 338880]
S0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2010-07-16 656320]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\ElRawDsk.sys [2008-12-09 20392]
S2 AMP;AMP;c:\windows\system32\DRIVERS\amp.sys [2010-01-19 127016]
S2 AMPSE;AMPSE;c:\windows\system32\DRIVERS\ampse.sys [2010-01-19 1118248]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [2010-09-13 308656]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 vseamps;vseamps;c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [2010-01-19 121384]
S2 vsedsps;vsedsps;c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [2010-01-19 117288]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2008-05-08 269824]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-22 19:07]
.
2011-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-22 19:07]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
LSP: c:\windows\system32\iavlsp.dll
FF - ProfilePath - c:\users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: New Tab Homepage: {66E978CD-981F-47DF-AC42-E3CF417C1467} - %profile%\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
FF - Ext: Map This: {05f6a7ea-896b-11da-8bde-f66bad1e3f3a} - %profile%\extensions\{05f6a7ea-896b-11da-8bde-f66bad1e3f3a}
FF - Ext: Zoom toolbar: {FBFB7597-9E32-46b4-A500-8B6B0412777F} - %profile%\extensions\{FBFB7597-9E32-46b4-A500-8B6B0412777F}
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Screen Capture Elite: screencaptureelite@plugin - %profile%\extensions\screencaptureelite@plugin
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: printpdf: printpdf@pavlov.net - %profile%\extensions\printpdf@pavlov.net
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
------- File Associations -------
.
exefile="c:\windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-31 21:39
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\VDeck\VDeck.exe -r???????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-03-31 21:44:13
ComboFix-quarantined-files.txt 2011-04-01 01:44
.
Pre-Run: 52,054,032,384 bytes free
Post-Run: 51,981,864,960 bytes free
.
- - End Of File - - 153D20A5F9BEB0E23D6894EB829B4D38
 
Great, go ahead and run OTL and run a new scan (not the fix, as it may have changed) and post the log.
 
Here it is. Same settings as before, just a scan...

OTL logfile created on: 3/31/2011 9:53:32 PM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\1\Desktop
Windows Vista Business Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 59.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 48.47 Gb Free Space | 32.52% Space Free | Partition Type: NTFS
Drive J: | 464.84 Gb Total Space | 282.31 Gb Free Space | 60.73% Space Free | Partition Type: NTFS

Computer Name: DAVESBIGMACHINE | User Name: 1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\1\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company)
PRC - C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
PRC - C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe (Authentium, Inc)
PRC - C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe (Authentium, Inc)
PRC - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe ()
PRC - C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe (VIA)
PRC - C:\Windows\System32\audiodg.exe (Microsoft Corporation)
PRC - C:\Windows\System32\DFDWiz.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)


========== Modules (SafeList) ==========

MOD - C:\Users\1\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18523_none_5cdd65e20837faf2\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (ioloSystemService) -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (iolo technologies, LLC)
SRV - (ioloFileInfoList) -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (iolo technologies, LLC)
SRV - (sdCoreService) -- C:\Program Files\PC Tools Security\pctsSvc.exe (PC Tools)
SRV - (Kodak AiO Network Discovery Service) -- C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company)
SRV - (sdAuxService) -- C:\Program Files\PC Tools Security\pctsAuxs.exe (PC Tools)
SRV - (vseqrts) -- C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe (Authentium, Inc)
SRV - (vsedsps) -- C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe (Authentium, Inc)
SRV - (vseamps) -- C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe (Authentium, Inc)
SRV - (SBSDWSCService) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
SRV - (PSI_SVC_2) -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)


========== Driver Services (SafeList) ==========

DRV - (PCTCore) -- C:\Windows\system32\drivers\PCTCore.sys (PC Tools)
DRV - (pctEFA) -- C:\Windows\system32\drivers\pctEFA.sys (PC Tools)
DRV - (pctDS) -- C:\Windows\system32\drivers\pctDS.sys (PC Tools)
DRV - (FileDisk) -- C:\Windows\System32\drivers\filedisk.sys (iolo technologies, LLC (based on original work by Bo Brantén))
DRV - (AMP) -- C:\Windows\System32\drivers\amp.sys (Authentium, Inc)
DRV - (AMPSE) -- C:\Windows\System32\drivers\ampse.sys (Authentium, Inc)
DRV - (ElRawDisk) -- C:\Windows\System32\drivers\ElRawDsk.sys (EldoS Corporation)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (VIAHdAudAddService) -- C:\Windows\System32\drivers\viahduaa.sys (VIA Technologies, Inc.)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation )
DRV - (AtiPcie) ATI PCI Express (3GIO) -- C:\Windows\system32\DRIVERS\AtiPcie.sys (ATI Technologies Inc.)
DRV - (nsiproxy) -- C:\Windows\System32\drivers\nsiproxy.sys ()
DRV - (SiFilter) -- C:\Windows\system32\DRIVERS\SiWinAcc.sys (Silicon Image, Inc)
DRV - (SI3114r) -- C:\Windows\system32\DRIVERS\SI3114r.sys (Silicon Image, Inc)
DRV - (MTsensor) -- C:\Windows\System32\drivers\ASACPI.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 6C EB 20 59 84 C8 CB 01 [binary data]
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: calendar-timezones@mozilla.org:0.1.2008d
FF - prefs.js..extensions.enabledItems: default-palette@celtx.com:1.0
FF - prefs.js..extensions.enabledItems: emoticons-msn-smileys@m513901.de:0.1
FF - prefs.js..extensions.enabledItems: inspector@mozilla.org:2.0.0
FF - prefs.js..extensions.enabledItems: messagestyle-blackened@addons.instantbird.org:0.9
FF - prefs.js..extensions.enabledItems: messagestyle-depth@addons.instantbird.org:1.1
FF - prefs.js..extensions.enabledItems: messagestyle-minimal20@addons.instantbird.org:1.5

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/23 23:09:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/23 23:09:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.7\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/02/18 16:17:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.7\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2011/03/07 23:04:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Extensions
[2011/02/18 16:18:10 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/03/07 23:04:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Extensions\celtx@celtx.com
[2011/03/31 16:24:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions
[2010/11/18 00:14:03 | 000,000,000 | ---D | M] (Map This) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{05f6a7ea-896b-11da-8bde-f66bad1e3f3a}
[2010/11/21 01:04:13 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/01/08 00:10:40 | 000,000,000 | ---D | M] (New Tab Homepage) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
[2011/03/29 19:19:21 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/03/12 14:20:17 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2010/11/18 00:16:51 | 000,000,000 | ---D | M] (Zoom toolbar) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{FBFB7597-9E32-46b4-A500-8B6B0412777F}
[2011/03/29 19:19:41 | 000,000,000 | ---D | M] ("Xmarks") -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\foxmarks@kei.com
[2011/03/25 16:19:58 | 000,000,000 | ---D | M] (Cooliris) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\piclens@cooliris.com
[2011/03/25 16:19:58 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\piclens@cooliris.com-trash
[2011/01/26 13:54:53 | 000,000,000 | ---D | M] (printpdf) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\printpdf@pavlov.net
[2011/03/22 09:59:34 | 000,000,000 | ---D | M] (Screen Capture Elite) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\screencaptureelite@plugin
[2011/02/09 14:38:55 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/18 16:17:30 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/11/19 13:17:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/03/07 23:04:02 | 000,000,000 | ---D | M] (Timezone Definitions for Mozilla Calendar) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\CALENDAR-TIMEZONES@MOZILLA.ORG
[2011/03/07 23:04:02 | 000,000,000 | ---D | M] (Default Shot Palette) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\DEFAULT-PALETTE@CELTX.COM
[2011/03/07 23:04:02 | 000,000,000 | ---D | M] (MSN-Smileys) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\EMOTICONS-MSN-SMILEYS@M513901.DE
[2011/03/07 23:04:01 | 000,000,000 | ---D | M] (DOM Inspector) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\INSPECTOR@MOZILLA.ORG
[2011/03/07 23:04:01 | 000,000,000 | ---D | M] (Blackened) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-BLACKENED@ADDONS.INSTANTBIRD.ORG
[2011/03/07 23:04:01 | 000,000,000 | ---D | M] (Depth) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-DEPTH@ADDONS.INSTANTBIRD.ORG
[2011/03/07 23:04:01 | 000,000,000 | ---D | M] (Minimal) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-MINIMAL20@ADDONS.INSTANTBIRD.ORG
[2010/09/15 05:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/03/31 21:39:20 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [Conime] C:\Windows\System32\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe ()
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe (VIA)
O4 - HKLM..\Run: [iolo Startup] C:\Program Files\iolo\Common\Lib\ioloLManager.exe (iolo technologies, LLC)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Windows\System32\iavlsp.dll (iolo technologies, LLC)
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} https://www.select2perform.com/cabs/QOLCheck.ocx (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab (Java Plug-in 1.5.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.73.246 68.87.71.230
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\1\Desktop\November bike inner harbor\IMG_1788.JPG
O24 - Desktop BackupWallPaper: C:\Users\1\Desktop\November bike inner harbor\IMG_1788.JPG
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O35 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/31 21:44:25 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/03/31 21:44:21 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/03/31 21:44:21 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Local\temp
[2011/03/31 21:28:07 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/03/31 21:28:07 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/03/31 21:28:07 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/03/31 21:27:44 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/03/31 21:27:28 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2011/03/31 20:29:50 | 000,566,272 | ---- | C] (AVAST Software) -- C:\Users\1\Desktop\aswMBR.exe
[2011/03/31 18:11:51 | 000,000,000 | ---D | C] -- C:\Users\1\Desktop\erunt
[2011/03/31 16:06:40 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2011/03/30 21:04:30 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Roaming\Malwarebytes
[2011/03/30 21:04:25 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/03/30 21:04:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/03/30 21:04:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/03/30 21:04:19 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/03/30 21:04:18 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/03/30 20:54:51 | 000,000,000 | ---D | C] -- C:\Users\1\Desktop\insightdesk
[2011/03/30 20:47:44 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\1\Desktop\OTL.exe
[2011/03/30 20:45:24 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Users\1\Desktop\ATF-Cleaner.exe
[2011/03/30 15:55:47 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/03/30 07:22:44 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2011/03/29 23:04:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2011/03/29 23:04:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2011/03/29 23:04:09 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/03/29 20:34:56 | 000,656,320 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctEFA.sys
[2011/03/29 20:34:56 | 000,338,880 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctDS.sys
[2011/03/29 20:34:55 | 000,251,560 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctgntdi.sys
[2011/03/29 20:34:55 | 000,103,232 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctwfpfilter.sys
[2011/03/29 20:34:52 | 000,239,168 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTCore.sys
[2011/03/29 20:34:52 | 000,160,448 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTAppEvent.sys
[2011/03/29 20:34:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Tools Security
[2011/03/29 20:34:43 | 000,070,536 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctplsg.sys
[2011/03/29 20:34:30 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools Security
[2011/03/29 20:34:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2011/03/16 18:26:56 | 000,056,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\offreg.dll
[2011/03/09 10:06:14 | 000,429,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll
[2011/03/09 10:06:14 | 000,323,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sbe.dll
[2011/03/09 10:06:13 | 000,177,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax
[2011/03/09 10:06:13 | 000,153,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sbeio.dll
[2011/03/08 16:09:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics
[2011/03/08 16:09:42 | 000,000,000 | ---D | C] -- C:\Program Files\Auslogics
[2011/03/08 16:07:46 | 004,537,088 | ---- | C] (Auslogics Software Pty Ltd ) -- C:\Users\1\Desktop\duplicate-file-finder-setup.exe
[2011/03/07 23:04:22 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Roaming\Greyfirst
[2011/03/07 23:04:22 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Local\Greyfirst
[2011/03/07 23:04:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Celtx
[2011/03/07 23:03:56 | 000,000,000 | ---D | C] -- C:\Program Files\Celtx
[2011/03/02 17:53:48 | 000,000,000 | ---D | C] -- C:\ProgramData\eMule

========== Files - Modified Within 30 Days ==========

[2011/03/31 21:39:20 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/03/31 21:12:00 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/31 21:04:13 | 000,595,446 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/03/31 21:04:13 | 000,101,144 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/03/31 21:00:46 | 000,000,512 | ---- | M] () -- C:\Users\1\Desktop\MBR.dat
[2011/03/31 21:00:00 | 000,000,872 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/31 20:59:58 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/03/31 20:59:58 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/03/31 20:59:50 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/03/31 20:59:45 | 2146,549,760 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/31 20:33:35 | 000,078,157 | ---- | M] () -- C:\Users\1\Desktop\aswmbrlogshot.jpg
[2011/03/31 20:29:56 | 000,566,272 | ---- | M] (AVAST Software) -- C:\Users\1\Desktop\aswMBR.exe
[2011/03/31 19:55:07 | 000,017,744 | ---- | M] () -- C:\Users\1\Desktop\malwarebytes blocked on startup in tray msg.jpg
[2011/03/31 19:37:15 | 326,147,063 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/03/31 19:25:36 | 004,310,832 | R--- | M] () -- C:\Users\1\Desktop\ComboFix.exe
[2011/03/31 18:09:30 | 000,513,320 | ---- | M] () -- C:\Users\1\Desktop\erunt.zip
[2011/03/31 15:58:01 | 000,170,887 | ---- | M] () -- C:\Users\1\Desktop\erunt error 2.jpg
[2011/03/31 15:57:14 | 000,178,348 | ---- | M] () -- C:\Users\1\Desktop\erunt error.jpg
[2011/03/31 14:29:40 | 000,133,413 | ---- | M] () -- C:\Users\1\Desktop\junk error.jpg
[2011/03/31 13:44:29 | 000,102,988 | ---- | M] () -- C:\Users\1\Desktop\startup error.jpg
[2011/03/31 13:21:12 | 000,230,285 | ---- | M] () -- C:\Users\1\Desktop\host error.jpg
[2011/03/31 13:11:29 | 000,220,544 | ---- | M] () -- C:\Users\1\Desktop\askerror.jpg
[2011/03/30 21:04:47 | 000,009,946 | -HS- | M] () -- C:\Users\1\AppData\Local\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 21:04:25 | 000,000,938 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/30 20:53:29 | 000,009,954 | -HS- | M] () -- C:\ProgramData\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 20:47:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\1\Desktop\OTL.exe
[2011/03/30 20:45:25 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Users\1\Desktop\ATF-Cleaner.exe
[2011/03/30 20:43:36 | 000,001,356 | ---- | M] () -- C:\Users\1\AppData\Local\d3d9caps.dat
[2011/03/30 17:28:04 | 000,000,848 | -HS- | M] () -- C:\ProgramData\KGyGaAvL.sys
[2011/03/30 15:23:08 | 000,625,664 | ---- | M] () -- C:\Users\1\Desktop\dds.scr
[2011/03/29 23:29:36 | 000,431,419 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20110329-233054.backup
[2011/03/29 20:35:15 | 001,772,938 | ---- | M] () -- C:\Windows\System32\drivers\Cat.DB
[2011/03/25 18:05:16 | 000,002,121 | ---- | M] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Earth.lnk
[2011/03/15 15:24:20 | 000,087,688 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\IncContxMenu.dll
[2011/03/15 15:23:32 | 000,011,776 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\smrgdf.exe
[2011/03/15 15:23:26 | 000,029,696 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\iolobtdfg.exe
[2011/03/15 15:21:16 | 002,234,552 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\Incinerator.dll
[2011/03/15 12:10:27 | 002,503,745 | ---- | M] () -- C:\Users\1\Desktop\Amy Ernst greatest person of the day Huffington.jpeg
[2011/03/08 16:07:49 | 004,537,088 | ---- | M] (Auslogics Software Pty Ltd ) -- C:\Users\1\Desktop\duplicate-file-finder-setup.exe
[2011/03/07 23:04:10 | 000,001,670 | ---- | M] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Celtx.lnk

========== Files Created - No Company Name ==========

[2011/03/31 21:28:07 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2011/03/31 21:28:07 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/03/31 21:28:07 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
[2011/03/31 21:28:07 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/03/31 21:28:07 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/03/31 20:33:35 | 000,078,157 | ---- | C] () -- C:\Users\1\Desktop\aswmbrlogshot.jpg
[2011/03/31 20:30:47 | 000,000,512 | ---- | C] () -- C:\Users\1\Desktop\MBR.dat
[2011/03/31 19:55:07 | 000,017,744 | ---- | C] () -- C:\Users\1\Desktop\malwarebytes blocked on startup in tray msg.jpg
[2011/03/31 19:25:34 | 004,310,832 | R--- | C] () -- C:\Users\1\Desktop\ComboFix.exe
[2011/03/31 18:09:28 | 000,513,320 | ---- | C] () -- C:\Users\1\Desktop\erunt.zip
[2011/03/31 16:06:07 | 326,147,063 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/03/31 15:58:00 | 000,170,887 | ---- | C] () -- C:\Users\1\Desktop\erunt error 2.jpg
[2011/03/31 15:57:14 | 000,178,348 | ---- | C] () -- C:\Users\1\Desktop\erunt error.jpg
[2011/03/31 14:29:40 | 000,133,413 | ---- | C] () -- C:\Users\1\Desktop\junk error.jpg
[2011/03/31 13:44:28 | 000,102,988 | ---- | C] () -- C:\Users\1\Desktop\startup error.jpg
[2011/03/31 13:38:02 | 2146,549,760 | -HS- | C] () -- C:\hiberfil.sys
[2011/03/31 13:21:12 | 000,230,285 | ---- | C] () -- C:\Users\1\Desktop\host error.jpg
[2011/03/31 13:11:29 | 000,220,544 | ---- | C] () -- C:\Users\1\Desktop\askerror.jpg
[2011/03/30 21:04:25 | 000,000,938 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/30 20:43:09 | 000,009,946 | -HS- | C] () -- C:\Users\1\AppData\Local\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 16:33:41 | 000,009,954 | -HS- | C] () -- C:\ProgramData\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 15:23:04 | 000,625,664 | ---- | C] () -- C:\Users\1\Desktop\dds.scr
[2011/03/25 18:05:16 | 000,002,121 | ---- | C] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Earth.lnk
[2011/03/15 12:10:25 | 002,503,745 | ---- | C] () -- C:\Users\1\Desktop\Amy Ernst greatest person of the day Huffington.jpeg
[2011/03/07 23:04:10 | 000,001,670 | ---- | C] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Celtx.lnk
[2011/02/09 17:18:52 | 000,000,418 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/02/09 14:16:25 | 000,000,094 | ---- | C] () -- C:\Windows\awshkwv.ini
[2011/02/04 20:33:09 | 000,000,010 | ---- | C] () -- C:\Windows\Wininit.ini
[2010/12/17 20:24:26 | 000,009,216 | ---- | C] () -- C:\Users\1\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/21 00:45:52 | 000,176,235 | ---- | C] () -- C:\Windows\System32\Primomonnt.dll
[2010/11/18 18:07:41 | 000,373,248 | ---- | C] () -- C:\Windows\EyeCand3.INI
[2010/11/18 17:35:19 | 000,000,848 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
[2010/11/17 23:54:02 | 000,074,703 | ---- | C] () -- C:\Windows\System32\mfc45.dll
[2010/11/17 22:13:09 | 000,007,680 | ---- | C] () -- C:\Windows\System32\drivers\ASACPI.sys
[2010/11/17 22:13:01 | 000,030,434 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
[2010/11/17 22:09:26 | 000,001,356 | ---- | C] () -- C:\Users\1\AppData\Local\d3d9caps.dat
[2009/12/20 21:42:18 | 000,000,314 | ---- | C] () -- C:\Windows\primopdf.ini
[2008/01/20 22:25:51 | 000,062,976 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2008/01/20 22:25:11 | 000,016,384 | ---- | C] () -- C:\Windows\System32\drivers\nsiproxy.sys
[2008/01/20 22:24:41 | 000,100,043 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2007/12/28 03:22:02 | 000,010,296 | ---- | C] () -- C:\Windows\System32\drivers\ASUSHWIO.SYS
[2006/11/02 08:56:48 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 08:47:43 | 000,251,672 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 06:33:01 | 000,595,446 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 06:33:01 | 000,101,144 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/02 03:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin

========== LOP Check ==========

[2011/03/30 12:15:46 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\BitTorrent
[2010/11/18 12:22:06 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\Foxit Software
[2011/03/07 23:04:22 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\Greyfirst
[2010/12/16 16:11:16 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\iolo
[2010/11/20 20:54:01 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\NeatImage PS
[2010/11/23 10:29:19 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\OpenOffice.org
[2011/01/26 13:42:45 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\PrimoPDF
[2011/03/01 15:19:38 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\Temp
[2011/02/18 16:18:09 | 000,000,000 | ---D | M] -- C:\Users\1\AppData\Roaming\Thunderbird
[2011/03/31 20:58:27 | 000,032,562 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 208 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84

< End of report >
 
Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://aumha.org/downloads/erunt.zip
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
  • Inside the new folder, double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe

Open OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    Code:
    :processes
    killallprocesses
    
    :OTL
    [2011/03/02 17:53:48 | 000,000,000 | ---D | C] -- C:\ProgramData\eMule
    [2011/03/29 23:29:36 | 000,431,419 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20110329-233054.backup
    @Alternate Data Stream - 208 bytes -> C:\ProgramData\TEMP:DFC5A2B2
    @Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
    
    
    :Services
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    
    
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top. <-- not Run Scan
  • Let the program run unhindered, reboot when it is done
  • Then post the results of the log it produces.
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
 
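Added example, not from any post in this thread and not part of OTL: the O35/O37 lines in the OTL log above show the open command for the .exe class under HKLM, HKU\.DEFAULT and HKU\S-1-5-18 pointing at C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe with "%1" %* appended, while the logged-in user's hive still carries the Windows default "%1" %*. An open command that routes every program launch through another executable has to be explained, and the fix script above removes the two alternate data streams and the hosts backup but does not touch those associations. The script below pulls exactly those indicators out of OTL log text: non-default .exe/.com open commands, alternate data streams, and hidden+system files under AppData or ProgramData (a heuristic that also catches legitimate licensing files, so the output is a list to check, not a verdict). The line formats are taken from the logs in this thread; the built-in sample is a constructed excerpt of those lines, and the default-command assumption is mine.

```python
"""Added triage helper for OTL log text (not part of OTL or of this thread).

Assumption (mine, not the page's): the Windows default open command for the
exefile/comfile classes is '"%1" %*'; anything else in that slot routes every
program launch through another executable and needs to be explained.
"""
import re
import sys
from dataclasses import dataclass, field

DEFAULT_OPEN_CMD = '"%1" %*'

# O35 (shell\open\command) and O37 (default value) lines for the com/exe classes, e.g.
#   O37 - HKLM\...exe [@ = exefile] -- "C:\...\eba.exe" -a "%1" %*
ASSOC_RE = re.compile(
    r'^(?P<item>O3[57]) - (?P<hive>.+?)\.{2,3}(?P<ext>com|exe)(?:file)?\s+'
    r'\[(?P<key>[^\]]*)\]\s+--\s+(?P<cmd>.+?)\s*$'
)
# @Alternate Data Stream - 208 bytes -> C:\ProgramData\TEMP:DFC5A2B2
ADS_RE = re.compile(r'^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+?)\s*$')
# [date | size | attrs | C/M] (company) -- path      (no "(company)" part on folder lines)
FILE_RE = re.compile(
    r'^\[(?P<date>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attr>[RHSD-]{4})\s*\|\s*[CM]\]\s*'
    r'(?:\((?P<company>[^)]*)\)\s*)?--\s*(?P<path>.+?)\s*$'
)
QUOTED_EXE = re.compile(r'^"(?P<exe>[^"]+)"')
USER_WRITABLE = ('\\AppData\\', '\\ProgramData\\')


@dataclass
class Findings:
    hijacked_assoc: list = field(default_factory=list)       # (hive, ext, cmd)
    ads: list = field(default_factory=list)                  # (path, size)
    hidden_system_files: list = field(default_factory=list)  # (path, attrs)

    def hijack_binaries(self):
        """Distinct executables that the non-default open commands route through."""
        seen = []
        for _hive, _ext, cmd in self.hijacked_assoc:
            m = QUOTED_EXE.match(cmd)
            if m and m.group('exe') != '%1' and m.group('exe') not in seen:
                seen.append(m.group('exe'))
        return seen


def triage(log_text):
    """Scan OTL log text and collect the three indicator classes."""
    f = Findings()
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := ASSOC_RE.match(line):
            if m.group('cmd') != DEFAULT_OPEN_CMD:
                f.hijacked_assoc.append((m.group('hive').rstrip('\\'), m.group('ext'), m.group('cmd')))
        elif m := ADS_RE.match(line):
            f.ads.append((m.group('path'), int(m.group('size'))))
        elif m := FILE_RE.match(line):
            attr, path = m.group('attr'), m.group('path')
            # Hidden+System on a plain file under a user-writable tree is unusual, but
            # legitimate licensing files land there too: a list to check, not a verdict.
            if 'H' in attr and 'S' in attr and 'D' not in attr and any(t in path for t in USER_WRITABLE):
                f.hidden_system_files.append((path, attr))
    return f


def report(f):
    """One human-readable line per finding."""
    lines = [f'ASSOC  {hive} .{ext} open command is not the default: {cmd}'
             for hive, ext, cmd in f.hijacked_assoc]
    lines += [f'ADS    {path} ({size} bytes)' for path, size in f.ads]
    lines += [f'HSFILE {path} [{attr}]' for path, attr in f.hidden_system_files]
    return lines


# Constructed sample: lines excerpted from the OTL logs posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O35 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\...exe [@ = exefile] -- "%1" %*
[2011/03/31 21:44:25 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/03/30 21:04:47 | 000,009,946 | -HS- | M] () -- C:\Users\1\AppData\Local\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 20:53:29 | 000,009,954 | -HS- | M] () -- C:\ProgramData\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 17:28:04 | 000,000,848 | -HS- | M] () -- C:\ProgramData\KGyGaAvL.sys
[2011/03/31 21:28:07 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
@Alternate Data Stream - 208 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
"""


if __name__ == '__main__':
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-8', errors='replace') as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    print('\n'.join(report(triage(text))) or 'nothing flagged')
```

Run it as `python otl_triage.py OTL.txt` against a saved log, or with no argument to see it flag the built-in excerpt. On a clean Vista box every O35/O37 line for .exe and .com ends in "%1" %* and the script prints nothing for that class; any hive where it does not is a fix item in its own right, separate from removing whatever binary is named there.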
By the way, I haven't said thank you for all the help you're giving so far. I appreciate it a bunch. If I can get through this and not lose all the images in my raid (HD1) I'll be real happy. I'm a photographer, so they are important to me.
Thank you.
Dave
 
Hello Dave,

I am sure you will be OK. Bypass ERUNT and go ahead and run the fix; we're really not removing anything registry-related.
 
Here are the results of the fix log from OTL

All processes killed
========== PROCESSES ==========
========== OTL ==========
C:\Windows\System32\drivers\etc\hosts.20110329-233054.backup moved successfully.
ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.
ADS C:\ProgramData\TEMP:430C6D84 deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\1\Desktop\cmd.bat deleted successfully.
C:\Users\1\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: 1
->Temp folder emptied: 31832 bytes
->Temporary Internet Files folder emptied: 17954373 bytes
->Java cache emptied: 17501 bytes
->FireFox cache emptied: 52381960 bytes
->Flash cache emptied: 122632 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 1102047 bytes

Total Files Cleaned = 68.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04012011_165433

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
Hi Ken. Here is the scan log run after the custom fix...

OTL logfile created on: 4/1/2011 5:00:10 PM - Run 3
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\1\Desktop
Windows Vista Business Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 51.26 Gb Free Space | 34.39% Space Free | Partition Type: NTFS
Drive J: | 464.84 Gb Total Space | 282.31 Gb Free Space | 60.73% Space Free | Partition Type: NTFS

Computer Name: DAVESBIGMACHINE | User Name: 1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\1\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company)
PRC - C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
PRC - C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe (Authentium, Inc)
PRC - C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe (Authentium, Inc)
PRC - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe ()
PRC - C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe (VIA)
PRC - C:\Windows\System32\audiodg.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)


========== Modules (SafeList) ==========

MOD - C:\Users\1\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18523_none_5cdd65e20837faf2\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (ioloSystemService) -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (iolo technologies, LLC)
SRV - (ioloFileInfoList) -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (iolo technologies, LLC)
SRV - (sdCoreService) -- C:\Program Files\PC Tools Security\pctsSvc.exe (PC Tools)
SRV - (Kodak AiO Network Discovery Service) -- C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company)
SRV - (sdAuxService) -- C:\Program Files\PC Tools Security\pctsAuxs.exe (PC Tools)
SRV - (vseqrts) -- C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe (Authentium, Inc)
SRV - (vsedsps) -- C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe (Authentium, Inc)
SRV - (vseamps) -- C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe (Authentium, Inc)
SRV - (SBSDWSCService) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
SRV - (PSI_SVC_2) -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)


========== Driver Services (SafeList) ==========

DRV - (PCTCore) -- C:\Windows\system32\drivers\PCTCore.sys (PC Tools)
DRV - (pctEFA) -- C:\Windows\system32\drivers\pctEFA.sys (PC Tools)
DRV - (pctDS) -- C:\Windows\system32\drivers\pctDS.sys (PC Tools)
DRV - (FileDisk) -- C:\Windows\System32\drivers\filedisk.sys (iolo technologies, LLC (based on original work by Bo Brantén))
DRV - (AMP) -- C:\Windows\System32\drivers\amp.sys (Authentium, Inc)
DRV - (AMPSE) -- C:\Windows\System32\drivers\ampse.sys (Authentium, Inc)
DRV - (ElRawDisk) -- C:\Windows\System32\drivers\ElRawDsk.sys (EldoS Corporation)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (VIAHdAudAddService) -- C:\Windows\System32\drivers\viahduaa.sys (VIA Technologies, Inc.)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation )
DRV - (AtiPcie) ATI PCI Express (3GIO) -- C:\Windows\system32\DRIVERS\AtiPcie.sys (ATI Technologies Inc.)
DRV - (nsiproxy) -- C:\Windows\System32\drivers\nsiproxy.sys ()
DRV - (SiFilter) -- C:\Windows\system32\DRIVERS\SiWinAcc.sys (Silicon Image, Inc)
DRV - (SI3114r) -- C:\Windows\system32\DRIVERS\SI3114r.sys (Silicon Image, Inc)
DRV - (MTsensor) -- C:\Windows\System32\drivers\ASACPI.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 6C EB 20 59 84 C8 CB 01 [binary data]
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: calendar-timezones@mozilla.org:0.1.2008d
FF - prefs.js..extensions.enabledItems: default-palette@celtx.com:1.0
FF - prefs.js..extensions.enabledItems: emoticons-msn-smileys@m513901.de:0.1
FF - prefs.js..extensions.enabledItems: inspector@mozilla.org:2.0.0
FF - prefs.js..extensions.enabledItems: messagestyle-blackened@addons.instantbird.org:0.9
FF - prefs.js..extensions.enabledItems: messagestyle-depth@addons.instantbird.org:1.1
FF - prefs.js..extensions.enabledItems: messagestyle-minimal20@addons.instantbird.org:1.5

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/23 23:09:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/23 23:09:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.7\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/02/18 16:17:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.7\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2011/03/07 23:04:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Extensions
[2011/02/18 16:18:10 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/03/07 23:04:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Extensions\celtx@celtx.com
[2011/04/01 14:29:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions
[2010/11/18 00:14:03 | 000,000,000 | ---D | M] (Map This) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{05f6a7ea-896b-11da-8bde-f66bad1e3f3a}
[2010/11/21 01:04:13 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/01/08 00:10:40 | 000,000,000 | ---D | M] (New Tab Homepage) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
[2011/03/29 19:19:21 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011/03/12 14:20:17 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2010/11/18 00:16:51 | 000,000,000 | ---D | M] (Zoom toolbar) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\{FBFB7597-9E32-46b4-A500-8B6B0412777F}
[2011/03/29 19:19:41 | 000,000,000 | ---D | M] ("Xmarks") -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\foxmarks@kei.com
[2011/03/25 16:19:58 | 000,000,000 | ---D | M] (Cooliris) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\piclens@cooliris.com
[2011/03/25 16:19:58 | 000,000,000 | ---D | M] (No name found) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\piclens@cooliris.com-trash
[2011/01/26 13:54:53 | 000,000,000 | ---D | M] (printpdf) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\printpdf@pavlov.net
[2011/03/22 09:59:34 | 000,000,000 | ---D | M] (Screen Capture Elite) -- C:\Users\1\AppData\Roaming\Mozilla\Firefox\Profiles\6bl6f5bf.default\extensions\screencaptureelite@plugin
[2011/02/09 14:38:55 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/18 16:17:30 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/11/19 13:17:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/03/07 23:04:02 | 000,000,000 | ---D | M] (Timezone Definitions for Mozilla Calendar) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\CALENDAR-TIMEZONES@MOZILLA.ORG
[2011/03/07 23:04:02 | 000,000,000 | ---D | M] (Default Shot Palette) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\DEFAULT-PALETTE@CELTX.COM
[2011/03/07 23:04:02 | 000,000,000 | ---D | M] (MSN-Smileys) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\EMOTICONS-MSN-SMILEYS@M513901.DE
[2011/03/07 23:04:01 | 000,000,000 | ---D | M] (DOM Inspector) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\INSPECTOR@MOZILLA.ORG
[2011/03/07 23:04:01 | 000,000,000 | ---D | M] (Blackened) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-BLACKENED@ADDONS.INSTANTBIRD.ORG
[2011/03/07 23:04:01 | 000,000,000 | ---D | M] (Depth) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-DEPTH@ADDONS.INSTANTBIRD.ORG
[2011/03/07 23:04:01 | 000,000,000 | ---D | M] (Minimal) -- C:\PROGRAM FILES\CELTX\EXTENSIONS\MESSAGESTYLE-MINIMAL20@ADDONS.INSTANTBIRD.ORG
[2010/09/15 05:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/04/01 16:54:34 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4 - HKLM..\Run: [Conime] C:\Windows\System32\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe ()
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe (VIA)
O4 - HKLM..\Run: [iolo Startup] C:\Program Files\iolo\Common\Lib\ioloLManager.exe (iolo technologies, LLC)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\iavlsp.dll (iolo technologies, LLC)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Windows\System32\iavlsp.dll (iolo technologies, LLC)
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} https://www.select2perform.com/cabs/QOLCheck.ocx (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab (Java Plug-in 1.5.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.73.246 68.87.71.230
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\1\Desktop\November bike inner harbor\IMG_1788.JPG
O24 - Desktop BackupWallPaper: C:\Users\1\Desktop\November bike inner harbor\IMG_1788.JPG
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O35 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/01 16:54:33 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/04/01 13:34:41 | 000,000,000 | ---D | C] -- C:\Users\1\Desktop\erunt
[2011/03/31 21:44:25 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/03/31 21:44:21 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/03/31 21:44:21 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Local\temp
[2011/03/31 21:28:07 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/03/31 21:28:07 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/03/31 21:28:07 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/03/31 21:27:44 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/03/31 21:27:28 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2011/03/31 20:29:50 | 000,566,272 | ---- | C] (AVAST Software) -- C:\Users\1\Desktop\aswMBR.exe
[2011/03/31 16:06:40 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2011/03/30 21:04:30 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Roaming\Malwarebytes
[2011/03/30 21:04:25 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/03/30 21:04:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/03/30 21:04:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/03/30 21:04:19 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/03/30 21:04:18 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/03/30 20:54:51 | 000,000,000 | ---D | C] -- C:\Users\1\Desktop\insightdesk
[2011/03/30 20:47:44 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\1\Desktop\OTL.exe
[2011/03/30 20:45:24 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Users\1\Desktop\ATF-Cleaner.exe
[2011/03/30 15:55:47 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/03/30 07:22:44 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2011/03/29 23:04:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2011/03/29 23:04:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2011/03/29 23:04:09 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/03/29 20:34:56 | 000,656,320 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctEFA.sys
[2011/03/29 20:34:56 | 000,338,880 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctDS.sys
[2011/03/29 20:34:55 | 000,251,560 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctgntdi.sys
[2011/03/29 20:34:55 | 000,103,232 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctwfpfilter.sys
[2011/03/29 20:34:52 | 000,239,168 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTCore.sys
[2011/03/29 20:34:52 | 000,160,448 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTAppEvent.sys
[2011/03/29 20:34:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Tools Security
[2011/03/29 20:34:43 | 000,070,536 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctplsg.sys
[2011/03/29 20:34:30 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools Security
[2011/03/29 20:34:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2011/03/16 18:26:56 | 000,056,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\offreg.dll
[2011/03/09 10:06:14 | 000,429,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll
[2011/03/09 10:06:14 | 000,323,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sbe.dll
[2011/03/09 10:06:13 | 000,177,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax
[2011/03/09 10:06:13 | 000,153,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sbeio.dll
[2011/03/08 16:09:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics
[2011/03/08 16:09:42 | 000,000,000 | ---D | C] -- C:\Program Files\Auslogics
[2011/03/08 16:07:46 | 004,537,088 | ---- | C] (Auslogics Software Pty Ltd ) -- C:\Users\1\Desktop\duplicate-file-finder-setup.exe
[2011/03/07 23:04:22 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Roaming\Greyfirst
[2011/03/07 23:04:22 | 000,000,000 | ---D | C] -- C:\Users\1\AppData\Local\Greyfirst
[2011/03/07 23:04:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Celtx
[2011/03/07 23:03:56 | 000,000,000 | ---D | C] -- C:\Program Files\Celtx
[2011/03/02 17:53:48 | 000,000,000 | ---D | C] -- C:\ProgramData\eMule

========== Files - Modified Within 30 Days ==========

[2011/04/01 16:57:10 | 000,000,872 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/01 16:57:04 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/04/01 16:57:04 | 000,003,712 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/04/01 16:57:01 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/04/01 16:56:55 | 2144,485,376 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/01 16:54:34 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2011/04/01 16:53:56 | 000,595,446 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/04/01 16:53:56 | 000,101,144 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/04/01 15:12:04 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/01 13:34:17 | 000,513,320 | ---- | M] () -- C:\Users\1\Desktop\erunt.zip
[2011/03/31 21:00:46 | 000,000,512 | ---- | M] () -- C:\Users\1\Desktop\MBR.dat
[2011/03/31 20:33:35 | 000,078,157 | ---- | M] () -- C:\Users\1\Desktop\aswmbrlogshot.jpg
[2011/03/31 20:29:56 | 000,566,272 | ---- | M] (AVAST Software) -- C:\Users\1\Desktop\aswMBR.exe
[2011/03/31 19:55:07 | 000,017,744 | ---- | M] () -- C:\Users\1\Desktop\malwarebytes blocked on startup in tray msg.jpg
[2011/03/31 19:37:15 | 326,147,063 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/03/31 19:25:36 | 004,310,832 | R--- | M] () -- C:\Users\1\Desktop\ComboFix.exe
[2011/03/31 15:58:01 | 000,170,887 | ---- | M] () -- C:\Users\1\Desktop\erunt error 2.jpg
[2011/03/31 15:57:14 | 000,178,348 | ---- | M] () -- C:\Users\1\Desktop\erunt error.jpg
[2011/03/31 14:29:40 | 000,133,413 | ---- | M] () -- C:\Users\1\Desktop\junk error.jpg
[2011/03/31 13:44:29 | 000,102,988 | ---- | M] () -- C:\Users\1\Desktop\startup error.jpg
[2011/03/31 13:21:12 | 000,230,285 | ---- | M] () -- C:\Users\1\Desktop\host error.jpg
[2011/03/31 13:11:29 | 000,220,544 | ---- | M] () -- C:\Users\1\Desktop\askerror.jpg
[2011/03/30 21:04:47 | 000,009,946 | -HS- | M] () -- C:\Users\1\AppData\Local\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 21:04:25 | 000,000,938 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/30 20:53:29 | 000,009,954 | -HS- | M] () -- C:\ProgramData\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 20:47:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\1\Desktop\OTL.exe
[2011/03/30 20:45:25 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Users\1\Desktop\ATF-Cleaner.exe
[2011/03/30 20:43:36 | 000,001,356 | ---- | M] () -- C:\Users\1\AppData\Local\d3d9caps.dat
[2011/03/30 17:28:04 | 000,000,848 | -HS- | M] () -- C:\ProgramData\KGyGaAvL.sys
[2011/03/30 15:23:08 | 000,625,664 | ---- | M] () -- C:\Users\1\Desktop\dds.scr
[2011/03/29 20:35:15 | 001,772,938 | ---- | M] () -- C:\Windows\System32\drivers\Cat.DB
[2011/03/25 18:05:16 | 000,002,121 | ---- | M] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Earth.lnk
[2011/03/15 15:24:20 | 000,087,688 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\IncContxMenu.dll
[2011/03/15 15:23:32 | 000,011,776 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\smrgdf.exe
[2011/03/15 15:23:26 | 000,029,696 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\iolobtdfg.exe
[2011/03/15 15:21:16 | 002,234,552 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\Incinerator.dll
[2011/03/15 12:10:27 | 002,503,745 | ---- | M] () -- C:\Users\1\Desktop\Amy Ernst greatest person of the day Huffington.jpeg
[2011/03/08 16:07:49 | 004,537,088 | ---- | M] (Auslogics Software Pty Ltd ) -- C:\Users\1\Desktop\duplicate-file-finder-setup.exe
[2011/03/07 23:04:10 | 000,001,670 | ---- | M] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Celtx.lnk

========== Files Created - No Company Name ==========

[2011/04/01 13:34:15 | 000,513,320 | ---- | C] () -- C:\Users\1\Desktop\erunt.zip
[2011/03/31 21:28:07 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2011/03/31 21:28:07 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/03/31 21:28:07 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
[2011/03/31 21:28:07 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/03/31 21:28:07 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/03/31 20:33:35 | 000,078,157 | ---- | C] () -- C:\Users\1\Desktop\aswmbrlogshot.jpg
[2011/03/31 20:30:47 | 000,000,512 | ---- | C] () -- C:\Users\1\Desktop\MBR.dat
[2011/03/31 19:55:07 | 000,017,744 | ---- | C] () -- C:\Users\1\Desktop\malwarebytes blocked on startup in tray msg.jpg
[2011/03/31 19:25:34 | 004,310,832 | R--- | C] () -- C:\Users\1\Desktop\ComboFix.exe
[2011/03/31 16:06:07 | 326,147,063 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/03/31 15:58:00 | 000,170,887 | ---- | C] () -- C:\Users\1\Desktop\erunt error 2.jpg
[2011/03/31 15:57:14 | 000,178,348 | ---- | C] () -- C:\Users\1\Desktop\erunt error.jpg
[2011/03/31 14:29:40 | 000,133,413 | ---- | C] () -- C:\Users\1\Desktop\junk error.jpg
[2011/03/31 13:44:28 | 000,102,988 | ---- | C] () -- C:\Users\1\Desktop\startup error.jpg
[2011/03/31 13:38:02 | 2144,485,376 | -HS- | C] () -- C:\hiberfil.sys
[2011/03/31 13:21:12 | 000,230,285 | ---- | C] () -- C:\Users\1\Desktop\host error.jpg
[2011/03/31 13:11:29 | 000,220,544 | ---- | C] () -- C:\Users\1\Desktop\askerror.jpg
[2011/03/30 21:04:25 | 000,000,938 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/30 20:43:09 | 000,009,946 | -HS- | C] () -- C:\Users\1\AppData\Local\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 16:33:41 | 000,009,954 | -HS- | C] () -- C:\ProgramData\2ffiof2es346vo2713f7u80b4q5alajxki8nutmnjc
[2011/03/30 15:23:04 | 000,625,664 | ---- | C] () -- C:\Users\1\Desktop\dds.scr
[2011/03/25 18:05:16 | 000,002,121 | ---- | C] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Earth.lnk
[2011/03/15 12:10:25 | 002,503,745 | ---- | C] () -- C:\Users\1\Desktop\Amy Ernst greatest person of the day Huffington.jpeg
[2011/03/07 23:04:10 | 000,001,670 | ---- | C] () -- C:\Users\1\Application Data\Microsoft\Internet Explorer\Quick Launch\Celtx.lnk
[2011/02/09 17:18:52 | 000,000,418 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/02/09 14:16:25 | 000,000,094 | ---- | C] () -- C:\Windows\awshkwv.ini
[2011/02/04 20:33:09 | 000,000,010 | ---- | C] () -- C:\Windows\Wininit.ini
[2010/12/17 20:24:26 | 000,009,216 | ---- | C] () -- C:\Users\1\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/21 00:45:52 | 000,176,235 | ---- | C] () -- C:\Windows\System32\Primomonnt.dll
[2010/11/18 18:07:41 | 000,373,248 | ---- | C] () -- C:\Windows\EyeCand3.INI
[2010/11/18 17:35:19 | 000,000,848 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
[2010/11/17 23:54:02 | 000,074,703 | ---- | C] () -- C:\Windows\System32\mfc45.dll
[2010/11/17 22:13:09 | 000,007,680 | ---- | C] () -- C:\Windows\System32\drivers\ASACPI.sys
[2010/11/17 22:13:01 | 000,030,434 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
[2010/11/17 22:09:26 | 000,001,356 | ---- | C] () -- C:\Users\1\AppData\Local\d3d9caps.dat
[2009/12/20 21:42:18 | 000,000,314 | ---- | C] () -- C:\Windows\primopdf.ini
[2008/01/20 22:25:51 | 000,062,976 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2008/01/20 22:25:11 | 000,016,384 | ---- | C] () -- C:\Windows\System32\drivers\nsiproxy.sys
[2008/01/20 22:24:41 | 000,100,043 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2007/12/28 03:22:02 | 000,010,296 | ---- | C] () -- C:\Windows\System32\drivers\ASUSHWIO.SYS
[2006/11/02 08:56:48 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 08:47:43 | 000,251,672 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 06:33:01 | 000,595,446 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 06:33:01 | 000,101,144 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/02 03:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin

< End of report >
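The O35/O37 lines in the log above are the most security-relevant part of it. Under HKLM, HKU\.DEFAULT and HKU\S-1-5-18 the exefile handler has been changed from the Windows default "%1" %* to run eba.exe from the system profile's AppData first, with the program the user actually launched handed to it as "%1"; every .exe started in those contexts therefore goes through eba.exe, which gets to decide whether the real program ever runs. As an added example (not OTL output and not from any participant in this thread), the Python below parses those lines, flags any handler that is not the stock one, and lists the interposed binaries and the hives they live in. It generalizes past exefile to any class OTL reports in those sections (comfile, batfile and so on). The sample lines are copied from the log into a constructed string, and every function name is my own.

```python
import re

# Constructed sample: the O35/O37 lines from the OTL log above, plus one
# unrelated O16 line to show that other sections are ignored.
SAMPLE_LOG = r"""
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O35 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\eba.exe" -a "%1" %*
O37 - HKU\S-1-5-21-522819725-4015885625-1306769688-1000\...exe [@ = exefile] -- "%1" %*
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
"""

# OTL shell-handler lines look like
#   "O35 - <key> [<verb>] -- <command>"  and  "O37 - <key> [@ = <class>] -- <command>"
OTL_HANDLER = re.compile(
    r'^(?P<kind>O35|O37) - (?P<key>\S+) \[(?P<verb>[^\]]+)\] -- (?P<cmd>.*)$')

# Stock Windows handler for exefile/comfile: run the file itself with its arguments.
DEFAULT_HANDLER = '"%1" %*'


def parse_handlers(log_text):
    """Return every O35/O37 entry as a dict; other OTL sections are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = OTL_HANDLER.match(raw.strip())
        if m:
            entries.append({
                'kind': m.group('kind'),
                'key': m.group('key'),
                'verb': m.group('verb'),
                # collapse whitespace so a padded "%1"  %* still counts as default
                'command': ' '.join(m.group('cmd').split()),
            })
    return entries


def launched_binary(command):
    """Program the handler actually starts: the quoted path, or the first token."""
    m = re.match(r'"([^"]+)"', command)
    return m.group(1) if m else command.split()[0]


def find_hijacks(log_text):
    """Entries whose handler is not the stock one.

    For an exefile hijack the original program survives only as the "%1"
    argument, so the interposed binary runs first and decides whether the
    real one ever starts."""
    hijacks = []
    for entry in parse_handlers(log_text):
        if entry['command'] == DEFAULT_HANDLER:
            continue
        entry['binary'] = launched_binary(entry['command'])
        entry['passes_original'] = '"%1"' in entry['command']
        hijacks.append(entry)
    return hijacks


def hijacked_binaries(log_text):
    """Distinct interposed binaries: the files to quarantine."""
    return sorted({h['binary'] for h in find_hijacks(log_text)})


def affected_hives(log_text):
    """Top-level hives carrying a hijacked handler (HKLM means every user)."""
    return sorted({h['key'].split('\\')[0] for h in find_hijacks(log_text)})


if __name__ == '__main__':
    for h in find_hijacks(SAMPLE_LOG):
        print(f"{h['kind']} {h['key']} [{h['verb']}] -> {h['binary']}")
    print('hives:', affected_hives(SAMPLE_LOG))
    print('quarantine:', hijacked_binaries(SAMPLE_LOG))
```

On the live machine the same check reads the default value of HKLM\SOFTWARE\Classes\exefile\shell\open\command (and the comfile and batfile equivalents, plus the per-user copies under HKEY_USERS\<SID>\Software\Classes) and compares it with "%1" %*; this script only covers what OTL has already extracted. Note that the user's own SID key in the sample still holds the default, while HKLM, .DEFAULT and S-1-5-18 (LocalSystem) do not, which is why the hijack shows up for services and the logon screen context as well as for interactive launches.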
 
Hi Ken. It seems much better now. Is there more to do? Were you able to determine exactly how the infection occurred or what site I got it from?

Also... is there any way to prevent it in the future except for the usual: update, firewall, AV programs, no P2P? I mean a patch or fix beyond the usual advice?

Lastly, do you have software recommendations for malware, adware and AV software?
Dave
 
Hello Dave,

Not sure how you got infected: P2P, an email attachment, wandering unknowingly into a bad site; there are many ways.

Open OTL and click on Clean Up, and it will remove the programs we used to clean your system along with their backups.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community.

Keep in mind, if you install some of these programs, that only ONE antivirus and only ONE firewall are recommended; more is overkill and can cause you problems. You can install all the spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy, but do not enable the TeaTimer.

  • Spybot Search and Destroy 1.6
    Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
  • WinPatrol: Keep this fine program activated to block a lot of threats.
  • Spyware Blaster: It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
  • Spyware Guard: It offers realtime protection from spyware installation attempts; again, no scan to run, just install it and let it do its thing.
  • IE-Spyad
    IE-Spyad places over 6000 web sites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • Firefox 3: It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.


Safe Surfn
Ken
 
Hi Ken-
Here is what I use currently. Are the tools you are recommending better than these?

iolo system mechanic 10 professional (if you aren't familiar, check it out)
Spybot S&D (you do recommend this one, don't ya?)
Spyware doctor

Also, won't running all these together cause conflicts, or is that just for AV software?

Dave
 
Well,

Antivirus runs in the background, and if you have more than one they will conflict; same with a firewall. But with antispyware you can have more than one, just as long as they don't all monitor in the background. I really can't recommend what programs you should and should not have, as some react differently on some systems, so if what you have running is not causing any problems you can let them be. Outside of AVs, there is no need to purchase anything, as all the tools we recommend are free, and there are also free AVs if you wanted to go that route.

Myself, I use Norton Internet Security, Malwarebytes Pro, WinPatrol and Spybot; I really don't have any need for much more.

Ken :)
 
Thanks Ken! You have been a real pal! I see that you use Malwarebytes Pro. I also see all over the forums that people recommend that Malwarebytes only be used by professionals or with professional supervision. Would you say that I should not keep it on my system? I'm happy to dump it if you agree with the other people about this powerful software.

One more question: firewalls. Should I use an alternative to the Windows firewall, because some viruses are written to bypass or manipulate the Windows firewall? If so, which would you recommend?

Dave
P.S.
If I can ever be of help, just ask. My specialty is physical security design and project management, and my lifelong hobby has been photography (26 years).
 