Unidentified virus. random restarts and rediredting.

Hello,

My computer is infected with some sort of malware or virus. I will try to recall all the issues it has causes and things i have done to rid myself of it.

It started out as antispyware 2009. It also placed several shortcuts on my desktop to porn related websites. I did not install any advertised spyware or click any of the shortcuts. It is causing all sorts of issues. I am experiencing very sluggish cpu performance with times 100% of cpu usage in task manager. i found that a process named svchost was running and using approx 70% of cpu usage. I terminated have terminated that process and have not seen it back since. I deleted a svchost.exe from a prefetch in my windows folder and have not seen that process back yet. I am also getting random redirects in firefox.

I have been unable to get gmer to succesfully scan after 3 attempts. the first simply froze, the second scan completed but froze when i was attempting to save the log and the third attempt simply restarted my cpu. Every time i do restart my comp the windows startup utilty tells me that i have changed startup settings. I have attempted to use Mbam full scan in normal mode and safe mode. I have also attempted to do a windows system restore from safe mode to no avail.

Like i said i have scanned with Mbam and Advanced sytemcare in normal and safe mode and those scans always have several infected results that are supposedly removed. I also downloaded and installed avast antivirus to use the rootscan option on start up. I have so far only seen limited or temporary results.

i think that about sums it up. thank you for the website and all you do for people here. I have read several threads here in the past that have helped my greatly. Thank you in advance for any help.

DDS files below...


DDS (Ver_10-03-17.01) - NTFSx86
Run by Savola at 20:32:02.14 on Wed 07/07/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1982.1388 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\vsnpstd.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\SpyZooka\spyzooka.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Savola\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [snpstd] c:\windows\vsnpstd.exe
mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe
mRun: [S3Trayp] S3trayp.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
IE: E&xport to Microsoft Excel - c:\progra~1\microsoft office\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: musicmatch.com\online
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\savola\applic~1\mozilla\firefox\profiles\yv31gbt0.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\all users.windows\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\savola\application data\mozilla\firefox\profiles\yv31gbt0.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-6 165456]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-6 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-6 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-6 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-6 40384]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2009-3-12 33792]
R3 L6TPortB;Service - Line 6 TonePort UX2;c:\windows\system32\drivers\L6TPortB.sys [2009-1-1 530560]
R3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2007-7-11 714240]
S3 CCCP106;CIF USB Camera (2110A);c:\windows\system32\drivers\cccp106.sys --> c:\windows\system32\drivers\cccp106.sys [?]

=============== Created Last 30 ================

2010-07-06 22:06:35 38848 ----a-w- c:\windows\avastSS.scr
2010-07-06 22:06:27 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Alwil Software
2010-07-06 22:00:44 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-07-06 22:00:44 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-07-06 22:00:39 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-07-06 22:00:39 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-07-06 21:58:22 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-06 21:56:47 0 d-----w- c:\program files\GE
2010-07-06 21:55:43 0 d-----w- c:\windows\PRAGMAxnlpcwostb
2010-07-06 21:55:27 0 d-----w- c:\windows\PRAGMAyyqxtccxnn
2010-07-06 02:34:10 0 d-----w- c:\program files\Yahoo!
2010-07-06 01:58:38 0 d-----w- c:\program files\Defense Center
2010-07-06 01:58:20 0 d-----w- C:\sh4ldr
2010-07-06 01:58:20 0 d-----w- c:\program files\Enigma Software Group
2010-07-06 01:57:13 0 d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-07-06 00:46:12 1172 ----a-w- c:\docume~1\alluse~1.win\applic~1\pragmamfeklnmal.dll
2010-07-05 23:45:06 120 ----a-w- c:\windows\Qjekilomini.dat
2010-07-05 23:45:06 0 ----a-w- c:\windows\Tginepoza.bin

==================== Find3M ====================


============= FINISH: 20:32:37.14 ===============

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explaination about the tool. No input is needed, the scan is running.
• Notepad will open with the results.
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
• Now click the Scan button. If you see a rootkit warning window, click OK.
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
• Click the Copy button and paste the results into your next reply.
• Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

Hello again,

Just wanted to add that i did end up with avsecuritysuite on my computer since the first post. I ran rkill then mbam in safe mode and that seems to be gone however i am still experiencing redirects in firefox. Also like earlier gmer would not complete a scan, this time it simply said the program XXXXXXXXXX.exe experianced a problem and must close.

dds results below..........

DDS (Ver_10-03-17.01) - NTFSx86
Run by Savola at 17:01:36.07 on Tue 07/13/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1982.1474 [GMT -4:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\vsnpstd.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Savola\My Documents\Downloads\dds(3).scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Hwuduqotiwuvu] rundll32.exe "c:\windows\ksrecb.dll",Startup
mRun: [snpstd] c:\windows\vsnpstd.exe
mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe
mRun: [S3Trayp] S3trayp.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Bjigiquloyaraqe] rundll32.exe "c:\windows\udabakam.dll",Startup
dRun: [ukbluqqa] c:\documents and settings\networkservice.nt authority\local settings\application data\vhapwysew\wgxndudtssd.exe
IE: E&xport to Microsoft Excel - c:\progra~1\microsoft office\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: musicmatch.com\online
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\savola\applic~1\mozilla\firefox\profiles\yv31gbt0.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\all users.windows\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\savola\application data\mozilla\firefox\profiles\yv31gbt0.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - HiddenExtension: XULRunner: {93404310-E845-4DEE-9406-0C9CE765275D} - c:\documents and settings\savola\local settings\application data\{93404310-e845-4dee-9406-0c9ce765275d}\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-6 165456]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-6 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-6 40384]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2009-3-12 33792]
R3 L6TPortB;Service - Line 6 TonePort UX2;c:\windows\system32\drivers\L6TPortB.sys [2009-1-1 530560]
R3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2007-7-11 714240]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-6 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-6 40384]
S3 CCCP106;CIF USB Camera (2110A);c:\windows\system32\drivers\cccp106.sys --> c:\windows\system32\drivers\cccp106.sys [?]

=============== Created Last 30 ================

2010-07-11 16:49:33 0 d-----w- c:\program files\XBCD
2010-07-09 06:55:21 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-06 22:06:35 38848 ----a-w- c:\windows\avastSS.scr
2010-07-06 22:06:27 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Alwil Software
2010-07-06 22:00:44 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-07-06 22:00:44 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-07-06 22:00:39 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-07-06 22:00:39 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-07-06 21:58:22 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-06 21:56:47 0 d-----w- c:\program files\GE
2010-07-06 02:34:10 0 d-----w- c:\program files\Yahoo!
2010-07-06 01:58:38 0 d-----w- c:\program files\Defense Center
2010-07-06 01:58:20 0 d-----w- C:\sh4ldr
2010-07-06 01:58:20 0 d-----w- c:\program files\Enigma Software Group
2010-07-06 01:57:13 0 d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-07-05 23:45:06 120 ----a-w- c:\windows\Qjekilomini.dat
2010-07-05 23:45:06 0 ----a-w- c:\windows\Tginepoza.bin

==================== Find3M ====================


============= FINISH: 17:02:19.89 ===============

Hello, Savola
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fixing your problems.

If you do not make a reply in 4-5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:

• Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
• If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
• Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
• Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
• Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
• Please set your system to show all files.
  Click Start, open My Computer, select the Tools menu and click Folder Options.
  Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
  Uncheck: Hide file extensions for known file types
  Uncheck the Hide protected operating system files (recommended) option.
  Click Yes to confirm.

Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.

When finished, it will produce a report for you.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thank you for your time tom it is much appreciated.

Okay ran combo fix (it would not let me rename it for some reason). the log is below.

probably should mention that since the dds logs i have some new issues.

There are two new buttons just to the right of the firefox home buttopn they are advertisements for shopping and travel sites, i have not clicked them.

Before i ran combofix there was a program in the system tray called click potato (you will see it in the logs im sure).

thanks again for your help combofix log below....

ComboFix 10-07-15.01 - Savola 07/15/2010 23:13:39.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1982.1659 [GMT -4:00]
Running from: c:\documents and settings\Savola\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\program files\Defense Center
c:\program files\driver
c:\windows\ksrecb.dll
c:\windows\udabakam.dll

Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((( Files Created from 2010-06-16 to 2010-07-16 )))))))))))))))))))))))))))))))
.

2010-07-15 05:39 . 2010-07-15 05:39 -------- d-----w- c:\documents and settings\Savola\Application Data\dvdcss
2010-07-15 05:39 . 2010-07-15 08:29 -------- d-----w- c:\documents and settings\Savola\Application Data\vlc
2010-07-15 05:37 . 2010-07-15 05:37 -------- d-----w- c:\program files\VideoLAN
2010-07-15 05:36 . 2010-07-15 05:36 -------- d-----w- c:\program files\QuestDns
2010-07-15 05:36 . 2010-07-15 05:36 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\QuestDns
2010-07-15 05:36 . 2010-07-14 21:39 57608 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\QuestDns\questdns110.exe
2010-07-15 05:36 . 2010-07-15 12:44 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\ClickPotatoLiteSA
2010-07-15 05:36 . 2010-07-15 05:36 -------- d-----w- c:\program files\ClickPotatoLite
2010-07-15 05:36 . 2010-07-15 05:36 -------- d-----w- c:\documents and settings\Savola\Application Data\ClickPotatoLite
2010-07-15 05:35 . 2010-07-16 02:46 -------- d-----w- c:\documents and settings\Savola\Application Data\ShopperReports3
2010-07-15 05:35 . 2010-07-15 05:35 -------- d-----w- c:\program files\ShopperReports3
2010-07-13 02:05 . 2010-07-13 02:05 -------- d-----w- c:\documents and settings\Savola\Local Settings\Application Data\{93404310-E845-4DEE-9406-0C9CE765275D}
2010-07-11 16:49 . 2010-07-11 16:49 -------- d-----w- c:\program files\XBCD
2010-07-11 00:55 . 2010-07-11 00:55 -------- d-s---w- c:\documents and settings\Administrator.APRIL.000\UserData
2010-07-11 00:54 . 2010-07-11 00:54 -------- d-----w- c:\documents and settings\Administrator.APRIL.000\Local Settings\Application Data\Musicmatch
2010-07-10 02:10 . 2010-07-11 02:34 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\vhapwysew
2010-07-09 06:55 . 2010-07-09 06:55 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-07 23:08 . 2010-07-07 23:08 -------- d-s---w- c:\documents and settings\NetworkService.NT AUTHORITY\UserData
2010-07-07 01:46 . 2010-07-07 01:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!
2010-07-07 01:46 . 2010-04-20 20:45 607472 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!\YUpdater\yupdater.exe
2010-07-06 22:06 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-06 22:06 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-07-06 22:06 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-06 22:06 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-06 22:06 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-07-06 22:06 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-07-06 22:06 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-07-06 22:06 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-06 22:06 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-06 22:06 . 2010-07-06 22:06 -------- d-----w- c:\program files\Alwil Software
2010-07-06 22:06 . 2010-07-06 22:06 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
2010-07-06 22:00 . 2004-08-04 06:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-07-06 22:00 . 2004-08-04 06:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-07-06 22:00 . 2004-08-04 04:58 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-07-06 22:00 . 2004-08-04 04:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-07-06 21:58 . 2010-07-06 21:58 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-06 21:56 . 2010-07-06 21:56 -------- d-----w- c:\program files\GE
2010-07-06 21:10 . 2010-07-06 21:10 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-07-06 16:23 . 2010-07-06 16:23 -------- d-----w- c:\documents and settings\Administrator.APRIL.000\Local Settings\Application Data\Mozilla
2010-07-06 02:36 . 2010-07-06 02:36 -------- d-----w- c:\documents and settings\Savola\Local Settings\Application Data\Yahoo
2010-07-06 02:36 . 2010-07-06 02:36 -------- d-----w- c:\documents and settings\Savola\Application Data\Yahoo!
2010-07-06 02:34 . 2010-07-07 01:46 -------- d-----w- c:\program files\Yahoo!
2010-07-06 01:58 . 2010-07-06 01:58 110080 ----a-r- c:\documents and settings\Savola\Application Data\Microsoft\Installer\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}\IconF7A21AF7.exe
2010-07-06 01:58 . 2010-07-06 01:58 110080 ----a-r- c:\documents and settings\Savola\Application Data\Microsoft\Installer\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}\IconD7F16134.exe
2010-07-06 01:58 . 2010-07-06 01:58 -------- d-----w- C:\sh4ldr
2010-07-06 01:58 . 2010-07-06 01:58 -------- d-----w- c:\program files\Enigma Software Group
2010-07-06 01:57 . 2010-07-06 01:58 -------- d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-07-06 00:00 . 2010-07-07 21:25 -------- d-----w- c:\documents and settings\Savola\Local Settings\Application Data\rvxpwsrhl
2010-07-05 23:45 . 2010-07-15 15:15 120 ----a-w- c:\windows\Qjekilomini.dat
2010-07-05 23:45 . 2010-07-15 05:38 0 ----a-w- c:\windows\Tginepoza.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-15 15:14 . 2008-07-27 18:21 -------- d-----w- c:\documents and settings\Savola\Application Data\uTorrent
2010-07-10 02:07 . 2009-01-04 04:25 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 21:34 . 2010-04-19 00:01 -------- d-----w- c:\program files\SpyZooka
2010-07-06 21:56 . 2009-02-25 04:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-06 01:57 . 2008-05-15 07:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-06 00:47 . 2009-10-28 06:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2010-06-16 05:24 . 2005-06-07 17:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-27 05:32 . 2005-06-12 16:54 -------- d-----w- c:\program files\PokerStars
2010-04-24 22:04 . 2010-04-24 22:04 388096 ----a-r- c:\documents and settings\Savola\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\System32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2009-07-18 257440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"snpstd"="c:\windows\vsnpstd.exe" [2003-12-31 40960]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
"S3Trayp"="S3trayp.exe" [2007-06-11 176128]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-06-28 2837864]
"ClickPotatoLiteSA"="c:\program files\ClickPotatoLite\bin\10.0.518.0\ClickPotatoLiteSA.exe" [2010-07-09 739632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
2010-03-29 18:54 2343120 ----a-w- c:\program files\IObit\Advanced SystemCare 3\AWC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 14:17 5252408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/6/2010 6:06 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/6/2010 6:06 PM 17744]
R2 QuestDns Service;QuestDns Service;c:\documents and settings\All Users.WINDOWS\Application Data\QuestDns\questdns110.exe [7/15/2010 1:36 AM 57608]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [3/12/2009 3:55 PM 33792]
R3 L6TPortB;Service - Line 6 TonePort UX2;c:\windows\system32\drivers\L6TPortB.sys [1/1/2009 12:24 AM 530560]
S3 CCCP106;CIF USB Camera (2110A);c:\windows\system32\DRIVERS\cccp106.sys --> c:\windows\system32\DRIVERS\cccp106.sys [?]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\Office12\EXCEL.EXE/3000
IE: {{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE} - {7A3D6D17-9DD5-4C60-8076-D1784DABAF8C} - c:\program files\ClickPotatoLite\bin\10.0.518.0\ClickPotatoLiteSABHO.dll
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Savola\Application Data\Mozilla\Firefox\Profiles\yv31gbt0.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\ShopperReports3\bin\3.0.485.0\firefox\firefoxtoolbar\extensions\components\BRNstFF.dll
FF - plugin: c:\documents and settings\All Users.WINDOWS\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Savola\Application Data\Mozilla\Firefox\Profiles\yv31gbt0.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\windows\system32\TVUAx\npTVUAx.dll
FF - HiddenExtension: XULRunner: {93404310-E845-4DEE-9406-0C9CE765275D} - c:\documents and settings\Savola\Local Settings\Application Data\{93404310-E845-4DEE-9406-0C9CE765275D}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Hwuduqotiwuvu - c:\windows\ksrecb.dll
HKLM-Run-Bjigiquloyaraqe - c:\windows\udabakam.dll
HKU-Default-Run-ukbluqqa - c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\vhapwysew\wgxndudtssd.exe
MSConfigStartUp-SpyZooka - c:\program files\SpyZooka\SpyZookaLdr.exe
AddRemove-Steinberg Cubase SX v3.1.1.944 - d:\cubase sx 3\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-15 23:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-07-15 23:22:37
ComboFix-quarantined-files.txt 2010-07-16 03:22

Pre-Run: 2,222,354,432 bytes free
Post-Run: 2,320,502,784 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 6ED8374634AB7959F8D038F75F6DA69A

Hi


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.





Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
• Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.





I'd like us to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

1. Please download OTL from one of the following mirrors:
   • This is THE Mirror
2. Save it to your desktop.
3. Double click on the icon on your desktop.
4. Under the Custom Scan box paste this in
   netsvcs
   %SYSTEMDRIVE%\*.exe
   /md5start
   eventlog.dll
   scecli.dll
   netlogon.dll
   cngaudit.dll
   sceclt.dll
   ntelogon.dll
   logevent.dll
   iaStor.sys
   nvstor.sys
   atapi.sys
   IdeChnDr.sys
   viasraid.sys
   AGP440.sys
   vaxscsi.sys
   nvatabus.sys
   viamraid.sys
   nvata.sys
   nvgts.sys
   iastorv.sys
   ViPrt.sys
   eNetHook.dll
   ahcix86.sys
   KR10N.sys
   nvstor32.sys
   ahcix86s.sys
   nvrd32.sys
   symmpi.sys
   adp3132.sys
   mv61xx.sys
   /md5stop
   %systemroot%\*. /mp /s
   CREATERESTOREPOINT
   %systemroot%\system32\*.dll /lockedfiles
   %systemroot%\Tasks\*.job /lockedfiles
   %systemroot%\system32\drivers\*.sys /lockedfiles
   %systemroot%\System32\config\*.sav
   %systemdrive%\*.sys /90 /md5
   
5. Push the Quick Scan button.
6. Two reports will open, copy and paste them in a reply here:
   • OTL.txt <-- Will be opened
   • Extra.txt <-- Will be minimized

Tom,

Here are the logs of the scans as requested...

ComboFix 10-07-16.01 - Savola 07/17/2010 21:41:24.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1982.1499 [GMT -4:00]
Running from: c:\documents and settings\Savola\Desktop\schrauber.exe
Command switches used :: c:\documents and settings\Savola\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point

FILE ::
"c:\windows\Qjekilomini.dat"
"c:\windows\Tginepoza.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\vhapwysew
c:\documents and settings\Savola\Local Settings\Application Data\{93404310-E845-4DEE-9406-0C9CE765275D}
c:\documents and settings\Savola\Local Settings\Application Data\{93404310-E845-4DEE-9406-0C9CE765275D}\chrome.manifest
c:\documents and settings\Savola\Local Settings\Application Data\{93404310-E845-4DEE-9406-0C9CE765275D}\chrome\content\_cfg.js
c:\documents and settings\Savola\Local Settings\Application Data\{93404310-E845-4DEE-9406-0C9CE765275D}\chrome\content\overlay.xul
c:\documents and settings\Savola\Local Settings\Application Data\{93404310-E845-4DEE-9406-0C9CE765275D}\install.rdf
c:\documents and settings\Savola\Local Settings\Application Data\rvxpwsrhl
c:\windows\Qjekilomini.dat
c:\windows\Tginepoza.bin

.
((((((((((((((((((((((((( Files Created from 2010-06-18 to 2010-07-18 )))))))))))))))))))))))))))))))
.

2010-07-15 05:39 . 2010-07-16 04:45 -------- d-----w- c:\documents and settings\Savola\Application Data\dvdcss
2010-07-15 05:39 . 2010-07-16 06:46 -------- d-----w- c:\documents and settings\Savola\Application Data\vlc
2010-07-15 05:37 . 2010-07-15 05:37 -------- d-----w- c:\program files\VideoLAN
2010-07-15 05:36 . 2010-07-15 05:36 -------- d-----w- c:\program files\QuestDns
2010-07-15 05:36 . 2010-07-15 05:36 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\QuestDns
2010-07-15 05:36 . 2010-07-14 21:39 57608 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\QuestDns\questdns110.exe
2010-07-15 05:36 . 2010-07-15 12:44 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\ClickPotatoLiteSA
2010-07-15 05:36 . 2010-07-15 05:36 -------- d-----w- c:\program files\ClickPotatoLite
2010-07-15 05:36 . 2010-07-15 05:36 -------- d-----w- c:\documents and settings\Savola\Application Data\ClickPotatoLite
2010-07-15 05:35 . 2010-07-18 01:29 -------- d-----w- c:\documents and settings\Savola\Application Data\ShopperReports3
2010-07-15 05:35 . 2010-07-15 05:35 -------- d-----w- c:\program files\ShopperReports3
2010-07-11 16:49 . 2010-07-11 16:49 -------- d-----w- c:\program files\XBCD
2010-07-11 00:55 . 2010-07-11 00:55 -------- d-s---w- c:\documents and settings\Administrator.APRIL.000\UserData
2010-07-11 00:54 . 2010-07-11 00:54 -------- d-----w- c:\documents and settings\Administrator.APRIL.000\Local Settings\Application Data\Musicmatch
2010-07-09 06:55 . 2010-07-09 06:55 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-07 23:08 . 2010-07-07 23:08 -------- d-s---w- c:\documents and settings\NetworkService.NT AUTHORITY\UserData
2010-07-07 01:46 . 2010-07-07 01:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!
2010-07-07 01:46 . 2010-04-20 20:45 607472 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!\YUpdater\yupdater.exe
2010-07-06 22:06 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-06 22:06 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-07-06 22:06 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-06 22:06 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-06 22:06 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-07-06 22:06 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-07-06 22:06 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-07-06 22:06 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-06 22:06 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-06 22:06 . 2010-07-06 22:06 -------- d-----w- c:\program files\Alwil Software
2010-07-06 22:06 . 2010-07-06 22:06 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
2010-07-06 22:00 . 2004-08-04 06:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-07-06 22:00 . 2004-08-04 06:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-07-06 22:00 . 2004-08-04 04:58 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-07-06 22:00 . 2004-08-04 04:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-07-06 21:58 . 2010-07-06 21:58 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-06 21:56 . 2010-07-06 21:56 -------- d-----w- c:\program files\GE
2010-07-06 21:10 . 2010-07-06 21:10 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-07-06 16:23 . 2010-07-06 16:23 -------- d-----w- c:\documents and settings\Administrator.APRIL.000\Local Settings\Application Data\Mozilla
2010-07-06 02:36 . 2010-07-06 02:36 -------- d-----w- c:\documents and settings\Savola\Local Settings\Application Data\Yahoo
2010-07-06 02:36 . 2010-07-06 02:36 -------- d-----w- c:\documents and settings\Savola\Application Data\Yahoo!
2010-07-06 02:34 . 2010-07-07 01:46 -------- d-----w- c:\program files\Yahoo!
2010-07-06 01:58 . 2010-07-06 01:58 110080 ----a-r- c:\documents and settings\Savola\Application Data\Microsoft\Installer\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}\IconF7A21AF7.exe
2010-07-06 01:58 . 2010-07-06 01:58 110080 ----a-r- c:\documents and settings\Savola\Application Data\Microsoft\Installer\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}\IconD7F16134.exe
2010-07-06 01:58 . 2010-07-06 01:58 -------- d-----w- C:\sh4ldr
2010-07-06 01:58 . 2010-07-06 01:58 -------- d-----w- c:\program files\Enigma Software Group
2010-07-06 01:57 . 2010-07-06 01:58 -------- d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-15 15:14 . 2008-07-27 18:21 -------- d-----w- c:\documents and settings\Savola\Application Data\uTorrent
2010-07-10 02:07 . 2009-01-04 04:25 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-07 21:34 . 2010-04-19 00:01 -------- d-----w- c:\program files\SpyZooka
2010-07-06 21:56 . 2009-02-25 04:59 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-06 01:57 . 2008-05-15 07:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-06 00:47 . 2009-10-28 06:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2010-06-16 05:24 . 2005-06-07 17:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-27 05:32 . 2005-06-12 16:54 -------- d-----w- c:\program files\PokerStars
2010-04-24 22:04 . 2010-04-24 22:04 388096 ----a-r- c:\documents and settings\Savola\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"snpstd"="c:\windows\vsnpstd.exe" [2003-12-31 40960]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
"S3Trayp"="S3trayp.exe" [2007-06-11 176128]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-06-28 2837864]
"ClickPotatoLiteSA"="c:\program files\ClickPotatoLite\bin\10.0.518.0\ClickPotatoLiteSA.exe" [2010-07-09 739632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
2010-03-29 18:54 2343120 ----a-w- c:\program files\IObit\Advanced SystemCare 3\AWC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 14:17 5252408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/6/2010 6:06 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/6/2010 6:06 PM 17744]
R2 QuestDns Service;QuestDns Service;c:\documents and settings\All Users.WINDOWS\Application Data\QuestDns\questdns110.exe [7/15/2010 1:36 AM 57608]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [3/12/2009 3:55 PM 33792]
R3 L6TPortB;Service - Line 6 TonePort UX2;c:\windows\system32\drivers\L6TPortB.sys [1/1/2009 12:24 AM 530560]
S3 CCCP106;CIF USB Camera (2110A);c:\windows\system32\DRIVERS\cccp106.sys --> c:\windows\system32\DRIVERS\cccp106.sys [?]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\Office12\EXCEL.EXE/3000
IE: {{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE} - {7A3D6D17-9DD5-4C60-8076-D1784DABAF8C} - c:\program files\ClickPotatoLite\bin\10.0.518.0\ClickPotatoLiteSABHO.dll
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Savola\Application Data\Mozilla\Firefox\Profiles\yv31gbt0.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\ShopperReports3\bin\3.0.485.0\firefox\firefoxtoolbar\extensions\components\BRNstFF.dll
FF - plugin: c:\documents and settings\All Users.WINDOWS\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Savola\Application Data\Mozilla\Firefox\Profiles\yv31gbt0.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npclntax_ClickPotatoLiteSA.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-17 21:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-07-17 21:45:54
ComboFix-quarantined-files.txt 2010-07-18 01:45
ComboFix2.txt 2010-07-16 03:22

Pre-Run: 2,302,291,968 bytes free
Post-Run: 2,292,133,888 bytes free

- - End Of File - - 1D5451738883ADDFC28619391BEB8B4C


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4322

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

7/17/2010 10:11:30 PM
mbam-log-2010-07-17 (22-11-30).txt

Scan type: Quick scan
Objects scanned: 213113
Time elapsed: 7 minute(s), 45 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 5
Registry Keys Infected: 113
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 37
Files Infected: 57

Memory Processes Infected:
C:\Documents and Settings\All Users.WINDOWS\Application Data\QuestDns\questdns110.exe (Adware.QuestDns) -> Unloaded process successfully.
C:\Program Files\QuestDns\questdns.exe (Adware.QuestDns) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\QuestDns\questdns.dll (Adware.QuestDns) -> Delete on reboot.
C:\Program Files\ShopperReports3\bin\3.0.485.0\firefox\firefoxtoolbar\extensions\components\BRNstFF.dll (Adware.ShopperReports) -> Delete on reboot.
C:\Program Files\ShopperReports3\bin\3.0.485.0\CmndFF.dll (Adware.ShopperReports) -> Delete on reboot.
C:\Program Files\ShopperReports3\bin\3.0.485.0\Pltfrm.dll (Adware.ShopperReports) -> Delete on reboot.
C:\Program Files\ShopperReports3\bin\3.0.485.0\mozillaps.dll (Adware.ShopperReports) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{573f4abb-a1a2-44ed-9ba9-a8dad40aac46} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{71e02280-5212-45c3-b174-4d5a35da254f} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{396cfc12-932d-496b-a0a8-5d7201e105e1} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{60da826c-b1c6-4358-bdec-4837ced45470} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{74c22317-5b90-471f-9ad2-fec049870a16} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c1089f63-7afc-4538-b0eb-bea0f4225a57} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{f1a1892c-2a6c-4817-98b4-ff81443cba20} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e25da6d6-c365-46cf-abaf-dc5893135d7a} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{09325003-167c-483d-a4ba-8b3122abb432} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6dd76b7b-6423-4df0-9a07-84a6cad973a0} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7f6cfb6a-9227-4bb8-b941-f2b067e76f51} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ab0ee208-df60-4fa7-a617-c4269760033e} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e12aeab6-7d12-4c07-8e36-5892efb4dafb} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e2f2c137-a782-4fb5-81af-086156f5eb0a} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f1d06c9f-51f0-4476-bede-5ddf91be304e} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f3a32df2-7413-4fb1-b575-1ac920a17b76} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{5fe0ceae-cb69-40af-a323-40f94257dacb} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{65a16874-2ed0-460e-a547-5fe2ec3a13a7} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2721a8e5-bfdb-4562-9912-9e0531ca616c} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clickpotatoliteax.info (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c55ca95c-324b-451c-b2d2-6e895aa75fec} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{30b15818-e110-4527-9c05-46ace5a3460d} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{618aad04-921f-44c2-be38-c0818af69861} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b5d2ed96-62f9-4c2c-956d-e425b1f67337} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d3a412e8-1e4b-47d2-9b12-f88291f5afbb} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1602f07d-8bf3-4c08-bdd6-dddb1c48aedc} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1602f07d-8bf3-4c08-bdd6-dddb1c48aedc} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ac6d819e-aa8f-4418-a3bb-d165c1b18bb5} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{ac6d819e-aa8f-4418-a3bb-d165c1b18bb5} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clickpotatoliteax.info.1 (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clickpotatoliteax.userprofiles (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clickpotatoliteax.userprofiles.1 (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\menubuttonie.buttonie (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{814baa91-dc22-4350-87d6-0c86e93f7f08} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{419eda30-6dff-432c-b534-e15d899abee4} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7a3d6d17-9dd5-4c60-8076-d1784dabaf8c} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\menubuttonie.buttonie.1 (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{21ba420e-161c-413a-b21e-4e42ae1f4226} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{453db0c5-f41c-4d97-8dd6-cc72ecd5f699} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4afc07d0-59bb-46b8-b097-1a46e88eef71} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6511ce4c-4722-40d0-ad3d-4afa2f50978a} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8ad9ad05-36be-4e40-ba62-5422eb0d02fb} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9bec9b38-bf39-4899-806e-a1c5dfeb60a2} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aebf09e2-0c15-43c8-99bf-928c645d98a0} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b86d82bf-d39f-439a-a07c-43eddc6f6ea6} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d8560ac2-21b5-4c1a-bdd4-bd12bc83b082} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{da6305b9-0869-4235-8c1d-533a65e639e5} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e6961c59-cfce-4ccd-b794-bc78db98413a} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f8b4ec8a-2407-4be0-aee2-0f430d65a90d} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{0d82acd6-a652-4496-a298-2bde705f4227} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{11c27351-716b-4052-9361-e3b0a3f8221c} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7025e484-d4b0-441a-9f0b-69063bd679ce} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{8258b35c-05b8-4c0e-9525-9bccc70f8f2d} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{a89256ad-ec17-4a83-bef5-4b8bc4f39306} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{acc62306-9a63-4864-bd2f-c8825d2d7ea6} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cdca70d8-c6a6-49ee-9bed-7429d6c477a2} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d136987f-e1c4-4ccc-a220-893df03ec5df} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b58926d6-cfb0-45d2-9c28-4b5a0f0368ae} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{b58926d6-cfb0-45d2-9c28-4b5a0f0368ae} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a078f691-9c07-4af2-bf43-35e79eecf8b7} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{b58926d6-cfb0-45d2-9c28-4b5a0f0368ae} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{dee758b4-c3fb-4a5b-9939-848b9c77a2fb} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{02aed140-2b62-4b49-8b3b-179020cc39b9} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17bf1e05-c0e8-413c-bd1f-a481eea3b8e9} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{83b2fe06-ba20-4f7d-96c6-6fc3a4e877d3} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b32966a2-f7c2-4362-a6cf-399ec8b44110} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cc7bd6f1-565c-47ce-a5bb-9c935e77b59d} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cfc16189-8a92-4a29-a940-60248385f426} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\questdns (Adware.QuestDns) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\QuestDns (Adware.QuestDns) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_QUESTDNS_SERVICE (Adware.QuestDns) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\QuestDns Service (Adware.QuestDns) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BRNstIE.DLL (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\CmndFF.DLL (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\MenuButtonIE.DLL (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\mozillaps.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\Pltfrm.DLL (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.asyncreporter (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.asyncreporter.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.cntntdic (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.cntntdic.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.cntntdisp (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.cntntdisp.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.dwnldr (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.dwnldr.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.hbguru (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.hbguru.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.kopff (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.kopff.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.mozillanvgtntrpr (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.mozillanvgtntrpr.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.mozillapsexecuter (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.mozillapsexecuter.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.reportdata (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.reportdata.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.reporter (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.reporter.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.scopes (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.scopes.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.stock (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.stock.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.triggerimmidiate (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.triggerimmidiate.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.triggerimmidiateorrandomts (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.triggerimmidiateorrandomts.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.triggeronceinday (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.triggeronceinday.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\clickpotatolitesa (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ShopperReports3 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ClickPotatoLite (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\clickpotatolitesa (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShopperReportsSA (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ShopperReports3 (Adware.ShopperReports) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\clickpotatolitesa (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{b58926d6-cfb0-45d2-9c28-4b5a0f0368ae} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\shopperreports@shopperreports.com (ShopperReports) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users.WINDOWS\Application Data\ClickPotatoLiteSA (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ClickPotatoLite (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3 (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\Firefox (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\Firefox\cs (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\Firefox\cs\db (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\Firefox\cs\dwld (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\Firefox\cs\report (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\Firefox\cs\res1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\IE (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\IE\cs (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\IE\cs\db (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\IE\cs\dwld (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\IE\cs\report (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\IE\cs\res1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.518.0 (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.518.0\firefox (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.518.0\firefox\extensions (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.518.0\firefox\extensions\plugins (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ShopperReports3 (Adware.ShopperReports) -> Delete on reboot.
C:\Program Files\ShopperReports3\bin (Adware.ShopperReports) -> Delete on reboot.
C:\Program Files\ShopperReports3\bin\3.0.485.0 (Adware.ShopperReports) -> Delete on reboot.
C:\Program Files\ShopperReports3\bin\3.0.485.0\firefox (Adware.ShopperReports) -> Delete on reboot.
C:\Program Files\ShopperReports3\bin\3.0.485.0\firefox\firefoxtoolbar (Adware.ShopperReports) -> Delete on reboot.
C:\Program Files\ShopperReports3\bin\3.0.485.0\firefox\firefoxtoolbar\extensions (Adware.ShopperReports) -> Delete on reboot.
C:\Program Files\ShopperReports3\bin\3.0.485.0\firefox\firefoxtoolbar\extensions\chrome (Adware.ShopperReports) -> Delete on reboot.
C:\Program Files\ShopperReports3\bin\3.0.485.0\firefox\firefoxtoolbar\extensions\components (Adware.ShopperReports) -> Delete on reboot.
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\ClickPotato (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\ShopperReports (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Program Files\QuestDns (Adware.QuestDns) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\extensions\{C91E1C68-B60A-4C9F-B53B-AAAEF0E7EF97} (Adware.QuestDns) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\extensions\{C91E1C68-B60A-4C9F-B53B-AAAEF0E7EF97}\chrome (Adware.QuestDns) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\extensions\{C91E1C68-B60A-4C9F-B53B-AAAEF0E7EF97}\defaults (Adware.QuestDns) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{C91E1C68-B60A-4C9F-B53B-AAAEF0E7EF97}\defaults\preferences (Adware.QuestDns) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\QuestDns (Adware.QuestDns) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\QuestDns\questdns.dll (Adware.QuestDns) -> Delete on reboot.
C:\Documents and Settings\All Users.WINDOWS\Application Data\QuestDns\questdns110.exe (Adware.QuestDns) -> Quarantined and deleted successfully.
C:\Program Files\QuestDns\questdns.exe (Adware.QuestDns) -> Quarantined and deleted successfully.
C:\Program Files\ShopperReports3\bin\3.0.485.0\firefox\firefoxtoolbar\extensions\components\BRNstFF.dll (Adware.ShopperReports) -> Delete on reboot.
C:\Program Files\ShopperReports3\bin\3.0.485.0\CmndFF.dll (Adware.ShopperReports) -> Delete on reboot.
C:\Program Files\ShopperReports3\bin\3.0.485.0\Pltfrm.dll (Adware.ShopperReports) -> Delete on reboot.
C:\Program Files\ShopperReports3\bin\3.0.485.0\mozillaps.dll (Adware.ShopperReports) -> Delete on reboot.
C:\Program Files\ClickPotatoLite\bin\10.0.518.0\ClickPotatoLiteSA.exe (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.518.0\ClickPotatoLiteSAAX.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.518.0\ClickPotatoLiteSABHO.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\My Documents\downloads\VLCSetup.exe (Adware.HotBar) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\plugins\npclntax_ClickPotatoLiteSA.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\ClickPotatoLiteSA\ClickPotatoLiteSA.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\ClickPotatoLiteSA\ClickPotatoLiteSAAbout.mht (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\ClickPotatoLiteSA\ClickPotatoLiteSAau.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\ClickPotatoLiteSA\ClickPotatoLiteSAEULA.mht (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\ClickPotatoLiteSA\ClickPotatoLiteSA_hpk.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\ClickPotatoLiteSA\ClickPotatoLiteSA_kyf.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\Firefox\cs\Config.xml (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\Firefox\cs\db\Aliases.dbs (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\Firefox\cs\db\Sites.dbs (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\Firefox\cs\dwld\WhiteList.xip (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\Firefox\cs\report\aggr_storage.xml (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\Firefox\cs\report\send_storage.xml (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\Firefox\cs\res1\WhiteList.dbs (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\IE\cs\Config.xml (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\IE\cs\db\Aliases.dbs (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\IE\cs\db\Sites.dbs (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\IE\cs\dwld\WhiteList.xip (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\IE\cs\report\aggr_storage.xml (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\IE\cs\report\send_storage.xml (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Savola\Application Data\ShopperReports3\IE\cs\res1\WhiteList.dbs (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.518.0\ClickPotatoLiteSAHook.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.518.0\ClickPotatoLiteUninstaller.exe (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.518.0\firefox\extensions\chrome.manifest (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.518.0\firefox\extensions\install.rdf (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.518.0\firefox\extensions\plugins\npclntax_ClickPotatoLiteSA.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ShopperReports3\bin\3.0.485.0\BRNstIE.dll (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Program Files\ShopperReports3\bin\3.0.485.0\CntntCntr.dll (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Program Files\ShopperReports3\bin\3.0.485.0\link.ico (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Program Files\ShopperReports3\bin\3.0.485.0\ShopperReports.dll (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Program Files\ShopperReports3\bin\3.0.485.0\ShopperReportsUninstaller.exe (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Program Files\ShopperReports3\bin\3.0.485.0\firefox\firefoxtoolbar\extensions\chrome.manifest (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Program Files\ShopperReports3\bin\3.0.485.0\firefox\firefoxtoolbar\extensions\install.rdf (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Program Files\ShopperReports3\bin\3.0.485.0\firefox\firefoxtoolbar\extensions\chrome\firefoxtoolbar.jar (Adware.ShopperReports) -> Delete on reboot.
C:\Program Files\ShopperReports3\bin\3.0.485.0\firefox\firefoxtoolbar\extensions\components\BRNstFF.xpt (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\ClickPotato\About Us.lnk (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\ClickPotato\ClickPotato Customer Support.lnk (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\ClickPotato\ClickPotato Uninstall Instructions.lnk (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\ShopperReports\About Us.lnk (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\ShopperReports\Customer Support.lnk (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\ShopperReports\ShopperReports Uninstall Instructions.lnk (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Program Files\QuestDns\uninstall.exe (Adware.QuestDns) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{C91E1C68-B60A-4C9F-B53B-AAAEF0E7EF97}\chrome.manifest (Adware.QuestDns) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{C91E1C68-B60A-4C9F-B53B-AAAEF0E7EF97}\install.rdf (Adware.QuestDns) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{C91E1C68-B60A-4C9F-B53B-AAAEF0E7EF97}\chrome\questdns.jar (Adware.QuestDns) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\extensions\{C91E1C68-B60A-4C9F-B53B-AAAEF0E7EF97}\defaults\preferences\prefs.js (Adware.QuestDns) -> Quarantined and deleted successfully.


C:\Documents and Settings\Chad\Local Settings\Temp\Temporary Internet Files\Content.IE5\96WT7I1A\1[2] Win32/Adware.SpyShredder application cleaned by deleting - quarantined
C:\Documents and Settings\Chad\Local Settings\Temp\Temporary Internet Files\Content.IE5\IH0N9WLX\3[1] Win32/Adware.SpyShredder application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Savola\Local Settings\Application Data\{93404310-E845-4DEE-9406-0C9CE765275D}\chrome\content\overlay.xul.vir probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\ksrecb.dll.vir a variant of Win32/Cimag.CW trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\udabakam.dll.vir a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D965C089-640D-4E26-B8CA-06E50E642B36}\RP25\A0001352.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\System Volume Information\_restore{D965C089-640D-4E26-B8CA-06E50E642B36}\RP25\A0002203.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\System Volume Information\_restore{D965C089-640D-4E26-B8CA-06E50E642B36}\RP25\A0003207.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\System Volume Information\_restore{FE24002F-EE96-4ED3-BE66-F547F962020F}\RP804\A0025167.dll a variant of Win32/Cimag.CU trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{FE24002F-EE96-4ED3-BE66-F547F962020F}\RP808\A0032871.exe Win32/Adware.SpywareProtect2009 application cleaned by deleting - quarantined
C:\System Volume Information\_restore{FE24002F-EE96-4ED3-BE66-F547F962020F}\RP813\A0034042.sys Win32/Olmarik.ZC trojan cleaned - quarantined
C:\System Volume Information\_restore{FE24002F-EE96-4ED3-BE66-F547F962020F}\RP813\A0034088.dll a variant of Win32/Cimag.CW trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{FE24002F-EE96-4ED3-BE66-F547F962020F}\RP813\A0034089.dll a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined
D:\VST Plugins\Baxxpander\SOFTDIST.SEP probably a variant of Win32/PSW.IM trojan cleaned by deleting - quarantined
D:\VST Plugins\Elottronix XL v1.4\SOFTDIST.SEP probably a variant of Win32/PSW.IM trojan cleaned by deleting - quarantined
D:\VST Plugins\X-cita\SOFTDIST.SEP probably a variant of Win32/PSW.IM trojan cleaned by deleting - quarantined


OTL logfile created on: 7/18/2010 1:34:13 AM - Run 1
OTL by OldTimer - Version 3.2.9.0 Folder = C:\Documents and Settings\Savola\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 76.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 2.19 Gb Free Space | 5.89% Space Free | Partition Type: NTFS
Drive D: | 93.16 Gb Total Space | 0.33 Gb Free Space | 0.35% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: APRIL
Current User Name: Savola
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/18 00:34:37 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Savola\Desktop\OTL.exe
PRC - [2010/07/07 17:30:14 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/06/28 16:57:18 | 002,837,864 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/06/28 16:57:15 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2008/07/28 18:51:12 | 000,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2007/06/11 12:15:40 | 000,176,128 | ---- | M] (S3 Graphics Co., Ltd.) -- C:\WINDOWS\system32\S3Trayp.exe
PRC - [2005/10/23 01:00:00 | 000,385,024 | ---- | M] (Team H2O) -- C:\Program Files\Syncrosoft\POS\H2O\cledx.exe
PRC - [2004/08/04 03:56:49 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003/12/31 17:39:04 | 000,040,960 | ---- | M] () -- C:\WINDOWS\vsnpstd.exe


========== Modules (SafeList) ==========

MOD - [2010/07/18 00:34:37 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Savola\Desktop\OTL.exe
MOD - [2004/08/04 03:57:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
MOD - [2004/08/04 02:01:17 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/06/28 16:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/06/28 16:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/06/28 16:57:15 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2008/07/28 18:51:12 | 000,611,664 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\delta.sys -- (DELTA) Service for Delta Driver (WDM)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\cccp106.sys -- (CCCP106) CIF USB Camera (2110A)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Savola\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/06/28 16:37:52 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/06/28 16:37:30 | 000,165,456 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/06/28 16:33:13 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/06/28 16:32:45 | 000,100,176 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/06/28 16:32:33 | 000,017,744 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/06/28 16:32:16 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2008/12/11 19:33:00 | 000,530,560 | ---- | M] (Line 6) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\L6TPortB.sys -- (L6TPortB)
DRV - [2008/07/17 23:20:53 | 000,028,352 | ---- | M] (MusicMatch, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\MxlW2k.sys -- (MxlW2k)
DRV - [2007/07/11 14:08:46 | 000,714,240 | ---- | M] (S3 Graphics Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\S3gIGPm.sys -- (S3GIGP)
DRV - [2005/05/09 21:08:40 | 000,033,792 | ---- | M] (Team H2O) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cledx.sys -- (CLEDX)
DRV - [2004/10/12 04:23:14 | 000,017,988 | ---- | M] (Redcl0ud) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\xbcd.sys -- (XBCD)
DRV - [2004/02/19 15:12:34 | 000,299,776 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\snpstd.sys -- (snpstd)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.1
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.64
FF - prefs.js..extensions.enabledItems: firefox@tvunetworks.com:2
FF - prefs.js..extensions.enabledItems: 5
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 2

FF - HKLM\software\mozilla\Firefox\extensions\\ClickPotatoLite@ClickPotatoLite.com: C:\Program Files\ClickPotatoLite\bin\10.0.518.0\firefox\extensions
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/14 23:02:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/15 01:36:09 | 000,000,000 | ---D | M]

[2009/08/09 22:00:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Savola\Application Data\Mozilla\Extensions
[2009/08/09 22:00:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Savola\Application Data\Mozilla\Extensions\songbird@songbirdnest.com
[2010/07/18 01:20:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Savola\Application Data\Mozilla\Firefox\Profiles\yv31gbt0.default\extensions
[2009/04/29 23:35:59 | 000,000,000 | ---D | M] (Just Black (A Cylence theme for Firefox 3)) -- C:\Documents and Settings\Savola\Application Data\Mozilla\Firefox\Profiles\yv31gbt0.default\extensions\{1a45a8a0-3278-11dd-bd11-0800200c9a66}
[2010/04/18 23:04:51 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Savola\Application Data\Mozilla\Firefox\Profiles\yv31gbt0.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2010/04/18 18:45:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Savola\Application Data\Mozilla\Firefox\Profiles\yv31gbt0.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}(2)
[2010/07/11 04:52:23 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Savola\Application Data\Mozilla\Firefox\Profiles\yv31gbt0.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/04/24 23:25:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Savola\Application Data\Mozilla\Firefox\Profiles\yv31gbt0.default\extensions\firefox@tvunetworks.com
[2010/07/06 17:55:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Savola\Application Data\Mozilla\Firefox\Profiles\yv31gbt0.default\extensions\smarterwiki@wikiatic(2).com
[2010/07/18 01:20:20 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/07/17 21:44:23 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [H2O] C:\Program Files\Syncrosoft\POS\H2O\cledx.exe (Team H2O)
O4 - HKLM..\Run: [S3Trayp] C:\WINDOWS\System32\S3Trayp.exe (S3 Graphics Co., Ltd.)
O4 - HKLM..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: musicmatch.com ([online] https in Trusted sites)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Savola\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Savola\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/06/07 13:42:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16620634377289728)

========== Files/Folders - Created Within 90 Days ==========

[2010/07/18 00:34:37 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Savola\Desktop\OTL.exe
[2010/07/17 22:32:46 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/07/17 22:13:06 | 000,000,000 | ---D | C] -- C:\Avenger
[2010/07/17 21:48:33 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Savola\Desktop\mbam-setup-1.46.exe
[2010/07/17 21:21:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Savola\Desktop\Virus 1
[2010/07/15 23:10:02 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/07/15 22:42:59 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/07/15 22:42:59 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/07/15 22:42:59 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/07/15 22:42:59 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/07/15 22:42:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/07/15 22:42:29 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/07/15 01:39:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Savola\Application Data\dvdcss
[2010/07/15 01:39:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Savola\Application Data\vlc
[2010/07/15 01:37:00 | 000,000,000 | ---D | C] -- C:\Program Files\VideoLAN
[2010/07/11 12:49:33 | 000,000,000 | ---D | C] -- C:\Program Files\XBCD
[2010/07/06 21:46:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo!
[2010/07/06 18:06:54 | 000,165,456 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/07/06 18:06:54 | 000,017,744 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/07/06 18:06:53 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/07/06 18:06:52 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/07/06 18:06:50 | 000,100,176 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/07/06 18:06:50 | 000,094,544 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/07/06 18:06:49 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/07/06 18:06:35 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\avastSS.scr
[2010/07/06 18:06:34 | 000,165,032 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/07/06 18:06:27 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/07/06 18:06:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software
[2010/07/06 17:56:47 | 000,000,000 | ---D | C] -- C:\Program Files\GE
[2010/07/06 17:56:06 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/07/05 22:36:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Savola\Application Data\Yahoo!
[2010/07/05 22:36:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Savola\Local Settings\Application Data\Yahoo
[2010/07/05 22:34:10 | 000,000,000 | ---D | C] -- C:\Program Files\Yahoo!
[2010/07/05 21:58:20 | 000,000,000 | ---D | C] -- C:\sh4ldr
[2010/07/05 21:58:20 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2010/07/05 21:57:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
[2010/04/24 23:26:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Savola\Local Settings\Application Data\TVU Networks
[2010/04/24 23:26:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TVU Networks
[2010/04/24 23:26:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Savola\LocalLow
[2010/04/24 23:25:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\TVUAx
[2010/04/24 18:04:06 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2008/08/24 22:09:25 | 000,057,344 | ---- | C] ( ) -- C:\WINDOWS\System32\csnpstd.dll
[2008/08/24 22:09:25 | 000,036,864 | ---- | C] ( ) -- C:\WINDOWS\System32\vsnpstd.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/07/18 00:34:37 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Savola\Desktop\OTL.exe
[2010/07/17 22:32:34 | 002,672,312 | ---- | M] () -- C:\Documents and Settings\Savola\Desktop\esetsmartinstaller_enu.exe
[2010/07/17 22:13:40 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/17 22:13:34 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/17 22:13:33 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/17 22:12:41 | 004,194,304 | ---- | M] () -- C:\Documents and Settings\Savola\ntuser.dat
[2010/07/17 22:12:35 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Savola\ntuser.ini
[2010/07/17 22:12:29 | 004,851,778 | -H-- | M] () -- C:\Documents and Settings\Savola\Local Settings\Application Data\IconCache.db
[2010/07/17 21:49:48 | 000,000,723 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/17 21:48:38 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Savola\Desktop\mbam-setup-1.46.exe
[2010/07/17 21:44:32 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/17 21:44:23 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/07/17 21:37:21 | 003,738,205 | R--- | M] () -- C:\Documents and Settings\Savola\Desktop\schrauber.exe
[2010/07/15 23:10:09 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/07/15 01:37:31 | 000,000,728 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\VLC media player.lnk
[2010/07/10 22:17:43 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\Savola\Desktop\iExplore.exe
[2010/07/10 16:44:35 | 000,000,638 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/07/10 16:44:35 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/07/09 22:07:48 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/09 02:55:21 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/07/06 18:06:50 | 000,002,639 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/06/28 16:57:33 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\avastSS.scr
[2010/06/28 16:57:12 | 000,165,032 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/06/28 16:37:52 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/06/28 16:37:30 | 000,165,456 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/06/28 16:33:13 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/06/28 16:32:45 | 000,100,176 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/06/28 16:32:42 | 000,094,544 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/06/28 16:32:33 | 000,017,744 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/06/28 16:32:16 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/17 22:32:30 | 002,672,312 | ---- | C] () -- C:\Documents and Settings\Savola\Desktop\esetsmartinstaller_enu.exe
[2010/07/17 21:49:48 | 000,000,723 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/17 21:37:21 | 003,738,205 | R--- | C] () -- C:\Documents and Settings\Savola\Desktop\schrauber.exe
[2010/07/15 23:10:09 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/07/15 23:10:04 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/07/15 22:42:59 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/15 22:42:59 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/07/15 22:42:59 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/07/15 22:42:59 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/07/15 22:42:59 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/07/15 01:37:31 | 000,000,728 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\VLC media player.lnk
[2010/07/10 22:17:38 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\Savola\Desktop\iExplore.exe
[2010/07/09 02:55:21 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/05/20 02:06:33 | 004,194,304 | ---- | C] () -- C:\Documents and Settings\Savola\ntuser.dat
[2009/09/06 23:33:58 | 000,000,372 | ---- | C] () -- C:\WINDOWS\GearBox.ini
[2009/09/05 02:26:09 | 000,000,016 | ---- | C] () -- C:\WINDOWS\System32\msvcsv60.dll
[2009/03/21 16:57:48 | 000,138,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2009/01/02 23:12:36 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/11/17 02:11:17 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/08/24 22:09:26 | 000,299,776 | ---- | C] () -- C:\WINDOWS\System32\drivers\snpstd.sys
[2008/08/24 22:09:25 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\dsnpstd.dll
[2008/08/24 22:09:25 | 000,015,541 | ---- | C] () -- C:\WINDOWS\snpstd.ini
[2008/08/24 21:57:18 | 000,000,804 | ---- | C] () -- C:\WINDOWS\videoimp.ini
[2008/08/24 21:57:13 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2008/08/24 21:57:03 | 000,000,021 | ---- | C] () -- C:\WINDOWS\VI_setup.ini
[2008/08/24 21:55:45 | 000,000,021 | ---- | C] () -- C:\WINDOWS\PI_setup.ini
[2008/08/24 21:54:24 | 000,036,864 | ---- | C] () -- C:\WINDOWS\JPGL.DLL
[2008/08/24 21:54:24 | 000,032,768 | ---- | C] () -- C:\WINDOWS\DIV_IYUV.DLL
[2008/08/24 21:42:08 | 000,061,440 | R--- | C] () -- C:\WINDOWS\System32\dcccp106.dll
[2008/08/24 21:42:08 | 000,045,056 | R--- | C] () -- C:\WINDOWS\System32\vcccp106.dll
[2008/07/28 04:30:01 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/07/28 04:30:01 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/06/10 20:07:20 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/06/10 20:03:26 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2004/08/04 03:56:42 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2003/03/31 08:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys

========== LOP Check ==========

[2010/07/06 18:06:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software
[2009/04/03 02:06:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\id Software
[2008/07/13 00:45:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Line 6
[2009/08/19 01:11:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Sonoma Wire Works
[2008/07/13 00:09:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Savola\Application Data\Ableton
[2009/05/20 22:42:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Savola\Application Data\AviDvdBurner
[2009/09/29 19:30:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Savola\Application Data\GetRightToGo
[2009/03/21 16:59:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Savola\Application Data\id Software
[2009/05/20 22:56:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Savola\Application Data\ImgBurn
[2009/11/08 23:51:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Savola\Application Data\IObit
[2008/12/04 14:20:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Savola\Application Data\Line 6
[2008/07/17 23:18:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Savola\Application Data\Musicmatch
[2009/08/09 22:00:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Savola\Application Data\Songbird2
[2009/03/12 16:00:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Savola\Application Data\Steinberg
[2010/07/15 11:14:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Savola\Application Data\uTorrent

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2008/08/29 09:12:28 | 000,932,864 | ---- | M] () -- C:\Xpadder.exe


< MD5 for: AGP440.SYS >
[2009/01/03 00:20:13 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/01/03 00:20:13 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2003/03/31 08:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2009/01/03 00:20:13 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/01/03 00:20:13 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2003/03/31 08:00:00 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2004/08/04 03:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2004/08/04 03:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2004/08/04 03:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll
[2003/03/31 08:00:00 | 000,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2003/03/31 08:00:00 | 000,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2004/08/04 03:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2004/08/04 03:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2004/08/04 03:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2003/03/31 08:00:00 | 000,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/07/12 10:53:23 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/07/12 10:53:22 | 000,602,112 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/07/12 10:53:22 | 000,425,984 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemdrive%\*.sys /90 /md5 >
[2010/07/17 22:13:26 | 2145,386,496 | -HS- | M] () Unable to obtain MD5 -- C:\pagefile.sys
< End of report >


OTL Extras logfile created on: 7/18/2010 1:34:13 AM - Run 1
OTL by OldTimer - Version 3.2.9.0 Folder = C:\Documents and Settings\Savola\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 76.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 2.19 Gb Free Space | 5.89% Space Free | Partition Type: NTFS
Drive D: | 93.16 Gb Total Space | 0.33 Gb Free Space | 0.35% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: APRIL
Current User Name: Savola
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- ()
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Disabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 11
"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1
"{2CD2C0DB-81C3-416B-9FA6-589B9235359B}" = OpenOffice.org 2.4
"{2FC099BD-AC9B-33EB-809C-D332E1B27C40}" = Microsoft .NET Framework 3.5
"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java™ 6 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3898934B-05AE-41CD-96BE-70DA9BFBCE1F}" = Microsoft XNA Framework Redistributable 3.0
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{85D3CC30-8859-481A-9654-FD9B74310BEF}" = Musicmatch® Jukebox
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8CADD3F6-E808-4D48-893D-797B4849DE72}" = Quake Live Mozilla Plugin
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.3
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E142615E-5ED8-4511-9BF0-0284BFA25766}" = ArcSoft PhotoImpression
"{ED10343F-D30A-4200-9B00-665FC45F52B4}" = ArcSoft VideoImpression 1.6
"Ableton Live_is1" = Ableton Live v7.0.1
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Advanced SystemCare 3_is1" = Advanced SystemCare 3
"avast5" = avast! Free Antivirus
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"ESET Online Scanner" = ESET Online Scanner v3
"FLAC" = FLAC 1.2.1b (remove only)
"GE 98063 EasyCam" = GE 98063 EasyCam
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"ImgBurn" = ImgBurn
"Line 6 Uninstaller" = Line 6 Uninstaller
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5" = Microsoft .NET Framework 3.5
"Mozilla Firefox (3.5.10)" = Mozilla Firefox (3.5.10)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"PunkBusterSvc" = PunkBuster Services
"Revo Uninstaller" = Revo Uninstaller 1.83
"RiffWorks T4" = RiffWorks T4
"Songbird-release-1146" = Songbird 1.2.0 (Build 1146)
"SyncroSoft Emu" = SyncroSoft Emu (Remove only)
"Syncrosoft's License Control" = Syncrosoft's License Control
"VIA Chrome9 HC IGP Family Display" = VIA Display Driver 6.14.10.0099
"VLC media player" = VLC media player 1.0.1
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XBCD" = XBCD 1.03
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Xvid_is1" = Xvid 1.1.3 final uninstall
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/30/2009 3:20:03 PM | Computer Name = APRIL | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.0.3474, faulting module
xul.dll, version 1.9.0.3474, fault address 0x00321172.

Error - 8/15/2009 5:11:53 AM | Computer Name = APRIL | Source = Application Error | ID = 1000
Description = Faulting application gearbox.exe, version 3.50.0.0, faulting module
gearbox.exe, version 3.50.0.0, fault address 0x00164ac4.

Error - 8/16/2009 3:28:56 AM | Computer Name = APRIL | Source = Application Error | ID = 1000
Description = Faulting application gearbox.exe, version 3.50.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x76206572.

Error - 8/30/2009 11:57:48 PM | Computer Name = APRIL | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.0.3498, faulting module
xul.dll, version 1.9.0.3498, fault address 0x005e8824.

Error - 9/5/2009 2:25:43 AM | Computer Name = APRIL | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.0.3498, faulting module
xul.dll, version 1.9.0.3498, fault address 0x0035c4b6.

Error - 9/6/2009 11:31:55 PM | Computer Name = APRIL | Source = Application Error | ID = 1000
Description = Faulting application gearbox.exe, version 3.50.0.0, faulting module
gearbox.exe, version 3.50.0.0, fault address 0x00164ac4.

Error - 1/24/2010 8:25:34 PM | Computer Name = APRIL | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.1.3642, faulting module
xul.dll, version 1.9.1.3642, fault address 0x00178ef4.

Error - 2/24/2010 2:18:32 AM | Computer Name = APRIL | Source = SecurityCenter | ID = 1802
Description = The Windows Security Center Service was unable to establish event
queries with WMI to monitor third party AntiVirus and Firewall.

Error - 3/30/2010 11:18:57 PM | Computer Name = APRIL | Source = SecurityCenter | ID = 1802
Description = The Windows Security Center Service was unable to establish event
queries with WMI to monitor third party AntiVirus and Firewall.

Error - 4/18/2010 2:36:09 PM | Computer Name = APRIL | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module mshtml.dll, version 6.0.2900.2180, fault address 0x00055594.

[ System Events ]
Error - 1/26/2009 1:21:25 PM | Computer Name = APRIL | Source = ipnathlp | ID = 32003
Description = The Network Address Translator (NAT) was unable to request an operation
of
the kernel-mode translation module. This may indicate misconfiguration, insufficient
resources, or an internal error. The data is the error code.

Error - 3/1/2009 10:55:38 PM | Computer Name = APRIL | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.100.33
on the Network Card with network address 00E04D623DC0.

Error - 3/2/2009 3:08:24 PM | Computer Name = APRIL | Source = Dhcp | ID = 1002
Description = The IP address lease 97.83.148.209 for the Network Card with network
address 00E04D623DC0 has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).

Error - 3/6/2009 10:24:09 PM | Computer Name = APRIL | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.100.33
on the Network Card with network address 00E04D623DC0.

Error - 3/6/2009 10:27:20 PM | Computer Name = APRIL | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.100.33
on the Network Card with network address 00E04D623DC0.

Error - 3/6/2009 10:29:34 PM | Computer Name = APRIL | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.100.33
on the Network Card with network address 00E04D623DC0.

Error - 3/6/2009 10:35:01 PM | Computer Name = APRIL | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.100.33
on the Network Card with network address 00E04D623DC0.

Error - 3/7/2009 2:27:40 PM | Computer Name = APRIL | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.100.33
on the Network Card with network address 00E04D623DC0.

Error - 4/28/2009 4:05:51 PM | Computer Name = APRIL | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.0.101 on
the Network Card with network address 00E04D623DC0.

Error - 4/28/2009 4:06:11 PM | Computer Name = APRIL | Source = W32Time | ID = 39452706
Description = The time service has detected that the system time needs to be changed
by -2678398 seconds. The time service will not change the system time by more than
-54000 seconds. Verify that your time and time zone are correct, and that the time
source time.windows.com (ntp.m|0x1|192.168.0.101:123->207.46.197.32:123) is working
properly.


< End of report >

Had an issue after running the 4 scans last night. while surfing the web my comp just shut off. Several attempts resulted in the machine trying to start but only getting to the black windows recovery console option screen then shutting back off. After about 10 attempts to start up it just finally worked and here i am. its been running for about 10 minutes with no issues.

I realize it could be a hardware issue and you would not be able to help me there but i just thought you should know about it... I will keep replying back either from this machine or another. would really like to know your thoughts.

Thanks

Edited by Savola, 18 July 2010 - 10:35 PM.

Hi,

Let's check something:


Download MBRCheck.exe to your desktop
XP users > double click on MBRCheck.exe to run it
Vista and Windows 7 users > right click on MBRCheck.exe and select Run as Administrator
It will show a black screen with some data on it
Click on the black C:\ in the upper left hand corner of the black screen
Choose Edit > Select All > Press Enter to copy the data to your clip board
Press Enter again to close MBRCheck
Now open up notepad or wordpad and paste the data in (press Control+V)

Post the results in your reply





Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. NOT supported for use in 9x or ME

Upgrading Java:

• Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 21.
• Click the "Download" button to the right.
• Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
• Click on Continue.
• Click on the link to download Windows Offline Installation (jre-6u21-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u21-windows-i586.exe and select "Run as an Administrator.")

Download TFC to your desktop

• Open the file and close any other windows.
• It will close all programs itself when run, make sure to let it run uninterrupted.
• Click the Start button to begin the process. The program should not take long to finish its job
• Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

Please post back with a fresh OTL logfile and tell me how the system is running now.

Any problems?

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.