Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojans found & deleted by Kaspersky but can only work in safe mode


  • This topic is locked This topic is locked
14 replies to this topic

#1 MyrtleVale

MyrtleVale

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:16 AM

Posted 08 January 2011 - 06:02 AM

28th December 2010 my yahoo email account was hacked and sent out seven spam messags to my contacts.

No virus found when AVG ran.

7 January 2011 lots of AntiVirus popups trying to run program and asking to buy full product. Pop-ups don't respond to the x close button only respond to No button (which I'm worried could continue the infection). Any attempt to run any program comes up with dialogue box saying file is infected. Branding of the boxes/messages/pop-ups looks like Microsoft, but I run AVG and besides, they're not quite right. No idea of which software it is. Therefore presume it's a Trojan.

Rebooted in safe mode. Downloaded Kaspersky's Virus Removal Toolkit. It finds the following trojans: Ransom.Win32.PinkBlocker,
Downloader.Java.OpenConnection.cg,
Downloader.Java.OpenConnection.cf,
Downloader.Java.Agent.al
Downloader.Java.Agent.al
Exploit.Java.Agent.f
Exploit.Java.Agent.f

Yes - two instances each of Java.Agent.f and .al not a mistake in posting.

Prompted to delete Trojans by Kaspersky which I did.

Restart to normal mode and pop-ups are still there.

Restart in safe mode, Re-run Kaspersky brt nothing found.

All attempts to start in normal mode result in pop-ups. Screen shots can be provided if required (and if it's possible to take the screenshot...).

Came here, followed your guide.
Unintalled BitLord and Vuze (Yes, I know, my bad).
All passwords for online programs changed using a different laptop so any Trojan can't now access my data/programs etc.
Ran the programs as specified. DDS Log included as requested. Attach.txt and ark.txt attached as requested.

All help gratefully received. Can be profusely grateful, gracious and unctuous if necessary.

DDS log:

DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
Run by Elizabeth at 10:05:47.70 on 08/01/2011
Internet Explorer: 8.0.6001.18999 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.44.1033.18.3070.2544 [GMT 0:00]

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\Elizabeth\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://news.bbc.co.uk/
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=2090106
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common

files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft

shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet

explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program

files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google

toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {BA14329E-9550-4989-B3F2-9732E92D17CC} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [feedreader.exe] "c:\program files\feedreader30\feedreader.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [jeaeqjee] c:\users\elizab~1\appdata\local\temp\rjmxleuoq\tiqfwbblajb.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [OEM13Mon.exe] c:\windows\OEM13Mon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [NokiaMServer] c:\program files\common files\nokia\mplatform\NokiaMServer /watchfiles
mRun: [NokiaMusic FastStart] "c:\program files\nokia\nokia music\NokiaMusic.exe" /command:faststart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [FaxCenterServer] "c:\program files\dell pc fax\fm3032.exe" /s
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [dlccmon.exe] "c:\program files\dell photo aio printer 924\dlccmon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows

live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program

files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12

\REFIEBAR.DLL
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxps://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google

toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet

explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: AVGRSSTX.DLL c:\progra~1\google\google~3\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\elizab~1\appdata\roaming\mozilla\firefox\profiles\mywhswvp.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}

\components\SkypeFfComponent.dll
FF - component: c:\users\elizabeth\appdata\roaming\mozilla\firefox\profiles\mywhswvp.default\extensions\{463f6ca5-ee3c-4be1-

b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-

a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-

6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-

0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-

0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-

0000-0015-ABCDEFFEDCBA}
FF - Ext: LoremIpsum Content Generator: {10CF5A7A-2959-4ab3-B0D9-9DE2A7772D47} - %profile%\extensions\{10CF5A7A-2959-4ab3-

B0D9-9DE2A7772D47}
FF - Ext: FoxyTunes: {463F6CA5-EE3C-4be1-B7E6-7FEE11953374} - %profile%\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}
FF - Ext: gTranslate: {aff87fa2-a58e-4edd-b852-0a20203c1e17} - %profile%\extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 37653152;37653152 Boot Guard Driver;c:\windows\system32\drivers\37653152.sys [2011-1-8 37392]
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2009-1-6 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2009-1-6 43608]
S1 37653151;37653151;c:\windows\system32\drivers\37653151.sys [2011-1-8 128016]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2009-1-6 77824]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]
S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
S2 BecHelperService;BecHelperService;c:\program files\3 mobile broadband\3connect\BecHelperService.exe [2010-4-15 1737464]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319

\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-26 135664]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop

search\GoogleDesktop.exe [2009-1-6 30192]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-4-15 101120]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2009-11-21 103040]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-3-19 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-3-19 8320]
S3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [2009-1-6 7424]
S3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [2009-1-6 235840]
S3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper

Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-11-18 21744]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319

\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2009-8-17 16640]

=============== Created Last 30 ================

2011-01-08 00:25:32 -------- d-----w- c:\progra~2\Kaspersky Lab
2011-01-08 00:24:55 37392 ----a-w- c:\windows\system32\drivers\37653152.sys
2011-01-08 00:24:55 311312 ----a-w- c:\windows\system32\drivers\3765315.sys
2011-01-08 00:24:55 128016 ----a-w- c:\windows\system32\drivers\37653151.sys
2011-01-08 00:11:25 -------- d-----w- c:\progra~2\Kaspersky Lab Setup Files
2011-01-03 17:59:27 -------- d-----w- c:\program files\AVCWare
2011-01-03 03:18:43 -------- d-----w- c:\users\elizab~1\appdata\roaming\WindSolutions
2011-01-03 03:18:43 -------- d-----w- c:\progra~2\WindSolutions
2010-12-31 12:35:12 -------- d-----w- c:\users\elizab~1\appdata\roaming\L211 DVD-ROM 1
2010-12-31 12:33:33 -------- d-----w- c:\users\elizab~1\appdata\roaming\L211 DVD-ROM 2
2010-12-29 15:43:19 -------- d-----w- c:\program files\iPod
2010-12-28 16:58:28 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{56993163-3b44-

4597-b040-d23b36650c36}\mpengine.dll
2010-12-15 19:40:44 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
2010-12-15 19:40:44 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat

==================== Find3M ====================

2010-11-29 17:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 17:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-02 05:57:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-10-28 15:44:56 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-28 13:27:47 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-10-28 13:20:12 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-19 10:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-18 13:37:35 81920 ----a-w- c:\windows\system32\consent.exe
2010-10-18 13:31:24 2038272 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 10:05:56.79 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:07:16 AM

Posted 13 January 2011 - 03:29 PM

Hello, and :welcome: to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Watch Topic. By clicking this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand. :)

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the "Custom Scans/Fixes" section paste in the below in bold


    netsvc
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav

  • Push the Posted Image button.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and paste them into the body of your next reply.

~Blade


In your next reply, please include the following:
OTL.txt
Extras.txt

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 MyrtleVale

MyrtleVale
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:16 AM

Posted 13 January 2011 - 04:32 PM

Hi Blade,

Many thanks for your help and support.

I haven't used my laptop since I reported the problems because I didn't want to mess it up any further.

Please note that currently I'm running in Safe Mode with Networking. If you want me to run anything in Normal mode, let me know and that's what I will do.

I ran OTL as requested. The scan generated OTL.Txt but not Extras.Txt

OTL.txt follows.

--Myrtle

OTL logfile created on: 13/01/2011 21:08:26 - Run 2
OTL by OldTimer - Version 3.2.20.2 Folder = C:\Users\Elizabeth\Desktop
Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18999)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 83.00% Memory free
6.00 Gb Paging File | 6.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 287.97 Gb Total Space | 110.09 Gb Free Space | 38.23% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 4.89 Gb Free Space | 48.93% Space Free | Partition Type: NTFS

Computer Name: ELIZABETH-PC | User Name: Elizabeth | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/01/13 21:06:51 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Elizabeth\Desktop\OTL.exe
PRC - [2010/12/10 21:56:54 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/04/11 06:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/01/13 21:06:51 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Elizabeth\Desktop\OTL.exe
MOD - [2010/08/31 15:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2010/11/23 13:34:14 | 006,128,208 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2010/10/22 04:58:18 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd)
SRV - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/08/08 13:01:50 | 000,030,192 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-051210-111108)
SRV - [2010/03/18 12:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/01/28 12:47:44 | 001,737,464 | ---- | M] () [Auto | Stopped] -- C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe -- (BecHelperService)
SRV - [2009/09/25 01:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/06/02 09:10:08 | 000,637,952 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2008/11/05 10:50:58 | 000,071,512 | ---- | M] (O2Micro International) [Auto | Stopped] -- C:\Windows\System32\drivers\o2flash.exe -- (O2FLASH)
SRV - [2008/02/22 05:14:18 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) [Auto | Stopped] -- C:\Windows\System32\AERTSrv.exe -- (AERTFilters)
SRV - [2008/01/21 02:23:59 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/05/31 08:21:24 | 000,379,784 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2007/05/31 08:21:18 | 000,183,688 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
SRV - [2007/01/30 02:34:30 | 000,538,096 | ---- | M] ( ) [Auto | Stopped] -- C:\Windows\System32\dlcccoms.exe -- (dlcc_device)


========== Driver Services (SafeList) ==========

DRV - [2010/12/08 04:12:38 | 000,251,728 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2010/11/18 00:36:02 | 000,021,744 | ---- | M] (PC-Doctor, Inc.) [Kernel | On_Demand | Stopped] -- c:\Program Files\Dell Support Center\pcdsrvc.pkms -- (PCDSRVC{E9D79540-57D5953E-06020101}_0)
DRV - [2010/11/12 13:19:38 | 000,299,984 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2010/09/13 15:27:40 | 000,025,680 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2010/09/07 02:48:56 | 000,034,384 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Stopped] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2010/09/07 02:48:50 | 000,026,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2010/08/19 20:42:38 | 000,123,472 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2010/08/19 20:42:38 | 000,027,216 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2010/08/19 20:42:36 | 000,030,288 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2010/06/23 09:21:32 | 000,259,176 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2010/01/28 12:34:32 | 000,102,912 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2010/01/28 12:34:32 | 000,101,120 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbdev.sys -- (hwusbdev)
DRV - [2009/10/22 12:54:18 | 000,037,392 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\37653152.sys -- (37653152)
DRV - [2009/09/25 16:59:42 | 000,128,016 | ---- | M] (Kaspersky Lab) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\37653151.sys -- (37653151)
DRV - [2009/06/16 14:59:00 | 009,768,640 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2009/04/23 15:51:18 | 000,016,640 | ---- | M] (Wondershare) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WsAudio_DeviceS(1).sys -- (WsAudio_DeviceS(1)) WsAudio_DeviceS(1)
DRV - [2009/03/20 06:37:42 | 000,208,688 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2009/03/19 13:48:18 | 000,136,704 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nmwcdnsu.sys -- (nmwcdnsu)
DRV - [2009/03/19 13:48:12 | 000,008,320 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nmwcdnsuc.sys -- (nmwcdnsuc)
DRV - [2009/02/09 07:37:56 | 000,007,808 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)
DRV - [2009/02/09 07:37:48 | 000,007,808 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbser_lowerflt.sys -- (upperdev)
DRV - [2009/02/09 07:37:46 | 000,022,016 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ccdcmbo.sys -- (nmwcdc)
DRV - [2009/02/09 07:37:46 | 000,017,664 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ccdcmb.sys -- (nmwcd)
DRV - [2008/12/30 10:57:54 | 000,103,040 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbfake.sys -- (hwusbfake)
DRV - [2008/11/05 10:51:02 | 000,043,608 | ---- | M] (O2Micro ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\o2sd.sys -- (O2SDRDR)
DRV - [2008/11/05 10:51:00 | 000,051,288 | ---- | M] (O2Micro ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\o2media.sys -- (O2MDRDR)
DRV - [2008/10/27 09:07:54 | 001,207,288 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\BCMWL6.SYS -- (BCM43XX)
DRV - [2008/10/27 09:07:04 | 000,018,424 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\bcm42rly.sys -- (BCM42RLY)
DRV - [2008/08/26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2008/07/17 05:32:12 | 000,235,840 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\OEM13Vid.sys -- (OEM13Vid)
DRV - [2008/07/17 05:32:10 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\OEM13Vfx.sys -- (OEM13Vfx)
DRV - [2008/03/18 13:59:36 | 000,305,176 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iastor.sys -- (iaStor)
DRV - [2008/02/22 05:24:52 | 000,155,136 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2008/02/22 05:14:22 | 002,054,872 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/01/21 02:23:51 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/21 02:23:51 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/21 02:23:51 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/21 02:23:51 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/21 02:23:51 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/21 02:23:50 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/21 02:23:50 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2008/01/21 02:23:50 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/21 02:23:50 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/21 02:23:49 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/21 02:23:49 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2008/01/21 02:23:49 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/21 02:23:48 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/21 02:23:48 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/21 02:23:48 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/21 02:23:47 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/21 02:23:47 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/21 02:23:47 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/21 02:23:46 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/21 02:23:45 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/21 02:23:45 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/21 02:23:45 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/21 02:23:45 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/21 02:23:26 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/21 02:23:26 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/21 02:23:26 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2006/11/02 09:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 09:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 09:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 09:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 09:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 09:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 09:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 09:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 09:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 09:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 09:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 08:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 08:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 08:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 08:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 08:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 08:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 07:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 07:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2115268780-955084833-3038432234-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=2090106
IE - HKU\S-1-5-21-2115268780-955084833-3038432234-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-2115268780-955084833-3038432234-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
IE - HKU\S-1-5-21-2115268780-955084833-3038432234-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2115268780-955084833-3038432234-1000\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-2115268780-955084833-3038432234-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-2115268780-955084833-3038432234-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-2115268780-955084833-3038432234-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8074

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://news.bbc.co.uk/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3
FF - prefs.js..extensions.enabledItems: {aff87fa2-a58e-4edd-b852-0a20203c1e17}:0.8
FF - prefs.js..extensions.enabledItems: {10CF5A7A-2959-4ab3-B0D9-9DE2A7772D47}:0.4.3
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:10.0.0.1178
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:5.0.0.6906
FF - prefs.js..network.proxy.type: 0


FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG10\Firefox\ [2010/12/28 17:03:48 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/29 15:37:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/29 15:37:33 | 000,000,000 | ---D | M]

[2009/01/09 17:34:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Elizabeth\AppData\Roaming\Mozilla\Extensions
[2011/01/08 09:14:46 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\mywhswvp.default\extensions
[2009/01/19 17:05:09 | 000,000,000 | ---D | M] ("LoremIpsum Content Generator") -- C:\Users\Elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\mywhswvp.default\extensions\{10CF5A7A-2959-4ab3-B0D9-9DE2A7772D47}
[2010/10/14 16:26:55 | 000,000,000 | ---D | M] (TwitterBar) -- C:\Users\Elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\mywhswvp.default\extensions\{1a0c9ebe-ddf9-4b76-b8a3-675c77874d37}
[2010/05/05 20:18:21 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\mywhswvp.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/11 18:46:11 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Users\Elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\mywhswvp.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/01/19 17:05:10 | 000,000,000 | ---D | M] (Flashblock) -- C:\Users\Elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\mywhswvp.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}(2)
[2010/09/19 11:10:59 | 000,000,000 | ---D | M] (FoxyTunes) -- C:\Users\Elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\mywhswvp.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}
[2009/01/19 17:05:10 | 000,000,000 | ---D | M] ("Translate") -- C:\Users\Elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\mywhswvp.default\extensions\{4E38B095-A1A0-46cd-9BA2-B3708444965A}
[2009/01/19 17:05:10 | 000,000,000 | ---D | M] (IE View) -- C:\Users\Elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\mywhswvp.default\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}(2)
[2010/09/17 11:12:23 | 000,000,000 | ---D | M] (WOT) -- C:\Users\Elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\mywhswvp.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2010/09/17 11:12:24 | 000,000,000 | ---D | M] (gTranslate) -- C:\Users\Elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\mywhswvp.default\extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}
[2009/01/19 17:05:10 | 000,000,000 | ---D | M] (Password Exporter) -- C:\Users\Elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\mywhswvp.default\extensions\{B17C1C5A-04B1-11DB-9804-B622A1EF5492}(2)
[2009/01/19 17:05:10 | 000,000,000 | ---D | M] (Web Developer) -- C:\Users\Elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\mywhswvp.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2010/12/28 17:38:39 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\mywhswvp.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/10/21 20:26:50 | 000,000,000 | ---D | M] ("MultirowBookmarksToolbar") -- C:\Users\Elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\mywhswvp.default\extensions\{FBF6D7FB-F305-4445-BB3D-FEF66579A033}(97)
[2009/09/14 16:48:01 | 000,000,000 | ---D | M] (IE View Lite) -- C:\Users\Elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\mywhswvp.default\extensions\{FDD8ECF0-451A-414D-8C8F-7B7F78B0ECD3}
[2010/09/17 11:12:21 | 000,000,000 | ---D | M] (TACO 3.0 with Abine) -- C:\Users\Elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\mywhswvp.default\extensions\optout@dubfire.net
[2010/08/08 21:55:58 | 000,000,000 | ---D | M] (Cooliris) -- C:\Users\Elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\mywhswvp.default\extensions\piclens@cooliris.com
[2009/01/19 17:05:09 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\mywhswvp.default\extensions\temp
[2009/09/17 17:19:01 | 000,002,160 | ---- | M] () -- C:\Users\Elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\mywhswvp.default\searchplugins\seedpeer-torrent-search.xml
[2011/01/07 18:52:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/12/28 17:37:07 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/12/28 17:03:48 | 000,000,000 | ---D | M] (AVG Safe Search) -- C:\PROGRAM FILES\AVG\AVG10\FIREFOX
[2010/10/26 09:05:38 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/10/26 09:05:38 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/10/26 09:05:38 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/10/26 09:05:38 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2006/09/18 21:41:30 | 000,000,736 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: ::1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - File not found
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\S-1-5-21-2115268780-955084833-3038432234-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [DellSupportCenter] File not found
O4 - HKLM..\Run: [DLCCCATS] C:\Windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.DLL ()
O4 - HKLM..\Run: [dlccmon.exe] C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe (Dell)
O4 - HKLM..\Run: [FaxCenterServer] C:\Program Files\Dell PC Fax\fm3032.exe ()
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe (Nokia)
O4 - HKLM..\Run: [NokiaMusic FastStart] C:\Program Files\Nokia\Nokia Music\NokiaMusic.exe (Nokia)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\Windows\System32\nvHotkey.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [OEM13Mon.exe] C:\Windows\OEM13Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-2115268780-955084833-3038432234-1000..\Run: [DellSupportCenter] File not found
O4 - HKU\S-1-5-21-2115268780-955084833-3038432234-1000..\Run: [feedreader.exe] C:\Program Files\FeedReader30\feedreader.exe ()
O4 - HKU\S-1-5-21-2115268780-955084833-3038432234-1000..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKU\S-1-5-21-2115268780-955084833-3038432234-1000..\Run: [jeaeqjee] C:\Users\Elizabeth\AppData\Local\Temp\rjmxleuoq\tiqfwbblajb.exe ()
O4 - HKU\S-1-5-21-2115268780-955084833-3038432234-1000..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O9 - Extra Button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-2115268780-955084833-3038432234-1000\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-2115268780-955084833-3038432234-1000\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} https://support.dell.com/systemprofiler/SysProExe.CAB (WMI Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 194.168.4.100 194.168.8.100
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\x-sdch {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - AppInit_DLLs: (AVGRSSTX.DLL) - File not found
O20 - AppInit_DLLs: (C:\PROGRA~1\GOOGLE\GOOGLE~3\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Elizabeth\Pictures\The Boy\Archie & Teddy.jpg
O24 - Desktop BackupWallPaper: C:\Users\Elizabeth\Pictures\The Boy\Archie & Teddy.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 21:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{1aa64e91-e822-11de-b8b9-002170cdaacc}\Shell - "" = AutoRun
O33 - MountPoints2\{1aa64e91-e822-11de-b8b9-002170cdaacc}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{1e6bb35f-493c-11df-8567-002170cdaacc}\Shell - "" = AutoRun
O33 - MountPoints2\{1e6bb35f-493c-11df-8567-002170cdaacc}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{44100687-d6ca-11de-8dd3-002170cdaacc}\Shell - "" = AutoRun
O33 - MountPoints2\{44100687-d6ca-11de-8dd3-002170cdaacc}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{441006d1-d6ca-11de-8dd3-002170cdaacc}\Shell - "" = AutoRun
O33 - MountPoints2\{441006d1-d6ca-11de-8dd3-002170cdaacc}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{5a073367-0b26-11df-bf87-002170cdaacc}\Shell - "" = AutoRun
O33 - MountPoints2\{5a073367-0b26-11df-bf87-002170cdaacc}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{85c2cc6b-4882-11df-8d6d-002170cdaacc}\Shell - "" = AutoRun
O33 - MountPoints2\{85c2cc6b-4882-11df-8d6d-002170cdaacc}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{8ad1158f-6d54-11de-9cec-002170cdaacc}\Shell - "" = AutoRun
O33 - MountPoints2\{8ad1158f-6d54-11de-9cec-002170cdaacc}\Shell\AutoRun\command - "" = G:\PC_user.exe
O33 - MountPoints2\{d01d9b2f-fec9-11de-b0ee-002170cdaacc}\Shell - "" = AutoRun
O33 - MountPoints2\{d01d9b2f-fec9-11de-b0ee-002170cdaacc}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{f426538a-d74c-11de-8ee6-002170cdaacc}\Shell - "" = AutoRun
O33 - MountPoints2\{f426538a-d74c-11de-8ee6-002170cdaacc}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - C:\Program Files\AVG\AVG10\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - C:\Program Files\AVG\AVG10\avgrsx.exe (AVG Technologies CZ, s.r.o.)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

CREATERESTOREPOINT
Error creating restore point.

========== Files/Folders - Created Within 30 Days ==========

[2011/01/13 21:06:53 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Elizabeth\Desktop\OTL.exe
[2011/01/08 10:11:38 | 000,000,000 | ---D | C] -- C:\Users\Elizabeth\Desktop\gmer
[2011/01/08 00:25:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2011/01/08 00:24:55 | 000,311,312 | ---- | C] (Kaspersky Lab) -- C:\Windows\System32\drivers\3765315.sys
[2011/01/08 00:24:55 | 000,128,016 | ---- | C] (Kaspersky Lab) -- C:\Windows\System32\drivers\37653151.sys
[2011/01/08 00:24:55 | 000,037,392 | ---- | C] (Kaspersky Lab) -- C:\Windows\System32\drivers\37653152.sys
[2011/01/08 00:24:55 | 000,000,000 | ---D | C] -- C:\Users\Elizabeth\Desktop\Virus Removal Tool
[2011/01/08 00:11:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab Setup Files
[2011/01/04 17:15:53 | 000,000,000 | ---D | C] -- C:\Users\Elizabeth\Documents\Humanism
[2011/01/03 17:59:29 | 000,000,000 | ---D | C] -- C:\Users\Elizabeth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AVCWare
[2011/01/03 17:59:27 | 000,000,000 | ---D | C] -- C:\Program Files\AVCWare
[2011/01/03 03:18:47 | 000,000,000 | ---D | C] -- C:\Users\Elizabeth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CopyTrans Suite
[2011/01/03 03:18:43 | 000,000,000 | ---D | C] -- C:\Users\Elizabeth\AppData\Roaming\WindSolutions
[2011/01/03 03:18:43 | 000,000,000 | ---D | C] -- C:\ProgramData\WindSolutions
[2010/12/31 12:35:12 | 000,000,000 | ---D | C] -- C:\Users\Elizabeth\AppData\Roaming\L211 DVD-ROM 1
[2010/12/31 12:33:47 | 000,000,000 | ---D | C] -- C:\Users\Elizabeth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\L211 DVD-ROM
[2010/12/31 12:33:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\L211 DVD-ROM
[2010/12/31 12:33:33 | 000,000,000 | ---D | C] -- C:\Users\Elizabeth\AppData\Roaming\L211 DVD-ROM 2
[2010/12/29 15:43:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2010/12/29 15:43:19 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/12/29 15:37:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2010/12/29 15:37:11 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/12/15 19:44:35 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live
[2010/12/15 19:15:56 | 002,038,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2010/12/15 19:15:38 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2010/12/15 19:15:27 | 000,352,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\taskschd.dll
[2010/12/15 19:15:27 | 000,345,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmicmiplugin.dll
[2010/12/15 19:15:27 | 000,270,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\taskcomp.dll
[2010/12/15 19:15:25 | 000,081,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\consent.exe
[2010/12/15 19:15:23 | 000,292,352 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2010/12/15 19:15:23 | 000,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\fontsub.dll
[2010/12/15 19:15:23 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll
[2010/12/15 19:15:19 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010/12/15 19:15:18 | 000,602,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2010/12/15 19:15:18 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010/12/15 19:15:18 | 000,173,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2010/12/15 19:15:18 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2010/12/15 19:15:17 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2010/12/15 19:15:17 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2010/12/15 19:15:17 | 000,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2010/12/15 19:15:17 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2010/12/15 19:15:17 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2010/12/15 19:15:17 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2010/12/15 19:15:17 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2010/12/15 19:15:17 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2010/12/15 19:15:17 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2010/12/15 19:15:17 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010/12/15 19:15:17 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2010/12/15 19:15:17 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2010/03/19 12:03:01 | 000,413,696 | ---- | C] ( ) -- C:\Windows\System32\dlccinpa.dll
[2010/03/19 12:03:01 | 000,397,312 | ---- | C] ( ) -- C:\Windows\System32\dlcciesc.dll
[2010/03/19 12:03:01 | 000,323,584 | ---- | C] ( ) -- C:\Windows\System32\dlcchcp.dll
[2010/03/19 12:03:00 | 001,224,704 | ---- | C] ( ) -- C:\Windows\System32\dlccserv.dll
[2010/03/19 12:03:00 | 000,991,232 | ---- | C] ( ) -- C:\Windows\System32\dlccusb1.dll
[2010/03/19 12:03:00 | 000,696,320 | ---- | C] ( ) -- C:\Windows\System32\dlcchbn3.dll
[2010/03/19 12:03:00 | 000,643,072 | ---- | C] ( ) -- C:\Windows\System32\dlccpmui.dll
[2010/03/19 12:03:00 | 000,585,728 | ---- | C] ( ) -- C:\Windows\System32\dlcclmpm.dll
[2010/03/19 12:03:00 | 000,163,840 | ---- | C] ( ) -- C:\Windows\System32\dlccprox.dll
[2010/03/19 12:03:00 | 000,094,208 | ---- | C] ( ) -- C:\Windows\System32\dlccpplc.dll
[2010/03/19 12:02:59 | 000,684,032 | ---- | C] ( ) -- C:\Windows\System32\dlcccomc.dll
[2010/03/19 12:02:59 | 000,421,888 | ---- | C] ( ) -- C:\Windows\System32\dlcccomm.dll
[4 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[4 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/01/13 21:06:51 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Elizabeth\Desktop\OTL.exe
[2011/01/13 21:04:06 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/01/08 10:10:33 | 000,288,107 | ---- | M] () -- C:\Users\Elizabeth\Desktop\gmer.zip
[2011/01/08 09:58:26 | 000,624,128 | ---- | M] () -- C:\Users\Elizabeth\Desktop\dds.scr
[2011/01/08 09:57:11 | 000,000,000 | ---- | M] () -- C:\Users\Elizabeth\defogger_reenable
[2011/01/08 09:56:40 | 000,050,477 | ---- | M] () -- C:\Users\Elizabeth\Desktop\Defogger.exe
[2011/01/08 09:22:57 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/01/08 09:22:57 | 000,003,744 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/01/08 09:22:57 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2011/01/08 09:18:19 | 000,032,251 | ---- | M] () -- C:\ProgramData\nvModes.001
[2011/01/08 09:18:02 | 000,032,251 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2011/01/08 09:17:59 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/01/08 09:14:33 | 000,008,484 | ---- | M] () -- C:\Users\Elizabeth\AppData\Local\d3d9caps.dat
[2011/01/07 23:56:38 | 000,002,281 | ---- | M] () -- C:\Users\Public\Desktop\Safari.lnk
[2011/01/07 21:52:00 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/01/07 17:42:24 | 103,672,065 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2011/01/07 17:41:49 | 000,234,496 | ---- | M] () -- C:\Users\Elizabeth\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/01/07 10:54:04 | 000,000,422 | ---- | M] () -- C:\Windows\tasks\SystemToolsDailyTest.job
[2011/01/03 03:18:48 | 000,001,336 | ---- | M] () -- C:\Users\Elizabeth\Desktop\CopyTrans Control Center.lnk
[2010/12/31 12:28:48 | 000,620,426 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/12/31 12:28:48 | 000,112,908 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/12/30 00:10:49 | 000,000,564 | ---- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
[2010/12/29 15:43:55 | 000,001,666 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/12/28 17:04:07 | 000,000,832 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2011.lnk
[2010/12/17 15:52:38 | 000,001,973 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2010/12/17 15:18:33 | 000,399,920 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[4 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[4 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/08 10:10:40 | 000,288,107 | ---- | C] () -- C:\Users\Elizabeth\Desktop\gmer.zip
[2011/01/08 09:58:28 | 000,624,128 | ---- | C] () -- C:\Users\Elizabeth\Desktop\dds.scr
[2011/01/08 09:57:11 | 000,000,000 | ---- | C] () -- C:\Users\Elizabeth\defogger_reenable
[2011/01/08 09:56:49 | 000,050,477 | ---- | C] () -- C:\Users\Elizabeth\Desktop\Defogger.exe
[2011/01/03 03:18:48 | 000,001,336 | ---- | C] () -- C:\Users\Elizabeth\Desktop\CopyTrans Control Center.lnk
[2010/12/29 15:43:55 | 000,001,666 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/10/10 19:38:41 | 000,404,506 | ---- | C] () -- C:\Users\Elizabeth\AppData\Local\blinkboxDesktopInstall.log
[2010/03/19 12:03:01 | 000,434,176 | ---- | C] () -- C:\Windows\System32\dlccutil.dll
[2010/03/19 12:03:01 | 000,274,432 | ---- | C] () -- C:\Windows\System32\dlccinst.dll
[2010/03/19 12:03:00 | 000,176,128 | ---- | C] () -- C:\Windows\System32\dlccinsb.dll
[2010/03/19 12:03:00 | 000,159,744 | ---- | C] () -- C:\Windows\System32\dlccins.dll
[2010/03/19 12:03:00 | 000,135,168 | ---- | C] () -- C:\Windows\System32\dlccjswr.dll
[2010/03/19 12:03:00 | 000,106,496 | ---- | C] () -- C:\Windows\System32\dlccinsr.dll
[2010/03/19 12:02:59 | 000,086,016 | ---- | C] () -- C:\Windows\System32\dlcccub.dll
[2010/03/19 12:02:59 | 000,073,728 | ---- | C] () -- C:\Windows\System32\dlcccu.dll
[2010/03/19 12:02:59 | 000,069,632 | ---- | C] () -- C:\Windows\System32\dlcccfg.dll
[2010/03/19 12:02:59 | 000,036,864 | ---- | C] () -- C:\Windows\System32\dlcccur.dll
[2010/03/19 11:53:40 | 000,045,056 | ---- | C] () -- C:\Windows\System32\DLPRMON.DLL
[2010/03/19 11:53:40 | 000,032,768 | ---- | C] () -- C:\Windows\System32\DLPMONUI.DLL
[2009/12/03 09:27:30 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2009/09/09 14:48:30 | 000,008,484 | ---- | C] () -- C:\Users\Elizabeth\AppData\Local\d3d9caps.dat
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/06/07 10:06:05 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/02/27 07:19:32 | 000,006,790 | ---- | C] () -- C:\Users\Elizabeth\AppData\Roaming\PrimoPDFSet.xml
[2009/02/27 07:18:16 | 000,176,235 | ---- | C] () -- C:\Windows\System32\Primomonnt.dll
[2009/02/26 19:43:58 | 000,036,489 | ---- | C] () -- C:\Users\Elizabeth\AppData\Roaming\Comma Separated Values (Windows).ADR
[2009/02/10 19:23:17 | 000,061,440 | ---- | C] () -- C:\Windows\System32\dlcccnv4.dll
[2009/02/10 19:23:17 | 000,040,960 | ---- | C] () -- C:\Windows\System32\dlccvs.dll
[2009/01/19 18:59:06 | 000,234,496 | ---- | C] () -- C:\Users\Elizabeth\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/17 15:13:57 | 000,002,528 | ---- | C] () -- C:\Windows\FCIC.INI
[2009/01/09 16:57:42 | 000,032,251 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/01/09 16:56:53 | 000,032,251 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/01/06 12:31:32 | 000,055,808 | ---- | C] () -- C:\Windows\System32\bcmwlrmt.dll
[2008/04/28 17:13:33 | 000,000,310 | ---- | C] () -- C:\Windows\primopdf.ini
[2007/02/07 11:57:16 | 000,344,064 | ---- | C] () -- C:\Windows\System32\dlcccoin.dll
[2006/11/02 10:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 07:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/03/09 00:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll

========== LOP Check ==========

[2009/05/04 15:00:05 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\Anabel
[2010/10/26 09:22:16 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\AVG
[2010/10/25 23:57:49 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\AVG10
[2011/01/07 22:51:13 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\Azureus
[2010/03/06 12:10:03 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
[2009/11/21 18:30:40 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\Birdstep Technology
[2009/08/26 22:03:38 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\Bloom RU
[2009/09/06 13:43:28 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/01/21 10:30:40 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\CopyTrans
[2010/08/08 21:56:42 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\Feedreader
[2009/05/27 09:57:31 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\FloodLightGames
[2010/03/03 22:49:06 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\GetRightToGo
[2009/08/18 22:57:34 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\IronCode
[2010/12/31 12:35:18 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\L211 DVD-ROM 1
[2010/12/31 12:33:47 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\L211 DVD-ROM 2
[2009/05/26 16:23:45 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\Magic Academy
[2009/01/21 20:53:32 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\MysteryStudio
[2009/09/05 22:49:03 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\Nokia
[2009/09/06 12:03:14 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\Nseries
[2009/05/03 19:15:45 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\Oberon Games
[2009/05/01 23:00:17 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\Oberon Media
[2009/02/08 18:43:04 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\OpenOffice.org
[2009/06/20 22:02:48 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\panoramik
[2009/09/06 12:00:53 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\PC Suite
[2010/11/20 21:41:56 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\PCDr
[2009/08/22 21:41:54 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\Peace Craft
[2009/08/24 21:04:00 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\PlayFirst
[2009/01/20 22:25:35 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\Pogo Games
[2009/08/18 20:46:09 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\Super-Cow
[2010/02/05 21:55:37 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\Ubisoft
[2009/08/26 20:59:10 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\UClick
[2009/01/20 17:36:33 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\ViquaSoft
[2011/01/03 17:38:12 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\WindSolutions
[2009/08/18 23:20:34 | 000,000,000 | ---D | M] -- C:\Users\Elizabeth\AppData\Roaming\YoudaGames
[2010/12/30 00:10:49 | 000,000,564 | ---- | M] () -- C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
[2011/01/08 09:22:57 | 000,032,624 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2011/01/07 10:54:04 | 000,000,422 | ---- | M] () -- C:\Windows\Tasks\SystemToolsDailyTest.job

========== Purity Check ==========



========== Custom Scans ==========


< netsvc >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/01/21 02:23:26 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\drivers\AGP440.sys
[2008/01/21 02:23:26 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys
[2008/01/21 02:23:26 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/21 02:23:26 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/21 02:23:26 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2006/11/02 09:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/01/06 20:55:02 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=0D83C87A801A3DFCD1BF73893FE7518C -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_4c9c5a00\atapi.sys
[2009/01/06 20:55:02 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=0D83C87A801A3DFCD1BF73893FE7518C -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18034_none_dd1bb97e219e87cb\atapi.sys
[2009/04/11 06:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009/04/11 06:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009/04/11 06:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/21 02:23:26 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/21 02:23:26 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 09:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2009/01/06 20:55:02 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=96DC4E1A9F90CCD489950A8935425C59 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.22134_none_dda556493abc2795\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 09:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 09:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: IASTOR.SYS >
[2008/03/18 13:59:36 | 000,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\Drivers\storage\R179638\iastor.sys
[2008/03/18 13:59:36 | 000,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\Windows\System32\drivers\iaStor.sys
[2008/03/18 13:59:36 | 000,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_cfa1dde4\iaStor.sys
[2008/03/18 13:59:36 | 000,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\Windows\System32\DriverStore\FileRepository\iastor.inf_ec8a8d1b\iaStor.sys

< MD5 for: IASTORV.SYS >
[2008/01/21 02:23:47 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\drivers\iaStorV.sys
[2008/01/21 02:23:47 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/21 02:23:47 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 09:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/04/11 06:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll
[2009/04/11 06:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2008/01/21 02:24:31 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 09:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/21 02:23:45 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\drivers\nvstor.sys
[2008/01/21 02:23:45 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/21 02:23:45 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: SCECLI.DLL >
[2008/01/21 02:25:18 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2009/04/11 06:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll
[2009/04/11 06:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/01/21 03:20:25 | 017,223,680 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2008/01/21 03:20:08 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2008/01/21 03:20:25 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 10:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 10:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

========== Alternate Data Streams ==========

@Alternate Data Stream - 148 bytes -> C:\ProgramData\TEMP:C24B973A
@Alternate Data Stream - 148 bytes -> C:\ProgramData\TEMP:93C494CA
@Alternate Data Stream - 144 bytes -> C:\ProgramData\TEMP:D3930F74
@Alternate Data Stream - 143 bytes -> C:\ProgramData\TEMP:AAB23F74
@Alternate Data Stream - 142 bytes -> C:\ProgramData\TEMP:FDAF118C
@Alternate Data Stream - 142 bytes -> C:\ProgramData\TEMP:570D13DC
@Alternate Data Stream - 142 bytes -> C:\ProgramData\TEMP:478FEFC3
@Alternate Data Stream - 142 bytes -> C:\ProgramData\TEMP:437B9941
@Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:84499DA6
@Alternate Data Stream - 139 bytes -> C:\ProgramData\TEMP:5856B2C0
@Alternate Data Stream - 138 bytes -> C:\ProgramData\TEMP:93DE1838
@Alternate Data Stream - 138 bytes -> C:\ProgramData\TEMP:70CB0237
@Alternate Data Stream - 138 bytes -> C:\ProgramData\TEMP:0B4227B4
@Alternate Data Stream - 137 bytes -> C:\ProgramData\TEMP:5425B7F5
@Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:B17C9C5E
@Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:8AB6C1D7
@Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:0AE6CC6C
@Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:3CD562B4
@Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:2085D07D
@Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:11201333
@Alternate Data Stream - 132 bytes -> C:\ProgramData\TEMP:F791B5EF
@Alternate Data Stream - 132 bytes -> C:\ProgramData\TEMP:71F96743
@Alternate Data Stream - 132 bytes -> C:\ProgramData\TEMP:23FA878E
@Alternate Data Stream - 131 bytes -> C:\ProgramData\TEMP:CCF42AF8
@Alternate Data Stream - 131 bytes -> C:\ProgramData\TEMP:8643C5BE
@Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:B8B102B9
@Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:940ECC98
@Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:37C8DB03
@Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:18FCA3F2
@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:79F970BE
@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:59D05D9A
@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:55CC8080
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:4CD2D817
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:7C8950EF
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:F82297CD
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:965253AF
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:8E60033F
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:4C509008
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:3857ABB7
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:D282699C
@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:E06AC882
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:8F925134
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:77846FFE
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:444C53BA
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:052A05A1
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:049ACE7A
@Alternate Data Stream - 113 bytes -> C:\ProgramData\TEMP:C25C9263
@Alternate Data Stream - 113 bytes -> C:\ProgramData\TEMP:588B60C7
@Alternate Data Stream - 111 bytes -> C:\ProgramData\TEMP:3064D21D
@Alternate Data Stream - 110 bytes -> C:\ProgramData\TEMP:54F1BE9B

< End of report >

#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:07:16 AM

Posted 13 January 2011 - 04:35 PM

Hi MyrtleVale.

Please note that currently I'm running in Safe Mode with Networking. If you want me to run anything in Normal mode, let me know and that's what I will do.


I understand that you're getting a number of popups in Normal Mode. Is Normal Mode usable at all, or do the popups completely bog down your computer and keep it from running?

I would like all our fixes to be run in Normal Mode if possible, unless I specifically mention otherwise. If this is not possible please let me know now.

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#5 MyrtleVale

MyrtleVale
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:16 AM

Posted 13 January 2011 - 05:36 PM

Hi Blade

Thanks for the fast response.

I opened up in Normal mode and received a Microsoft Windows pop-up saying that Printer Communication had stopped. It asked to check online for a solution or to close. I closed it by clicking on the x in the corner. It looked like a genuine Windows alert.

I then received an AVG Identity Protection alert which also looked genuine.
Dialogue box contains the following:
<!—Begins -->
Malware detected
File name: C:\USERS\ELIZABETH\APPDATA\LOCAL\TEMP\RJMXLEUOQ\TIQFWBBLAJB.EXE
Threat name: Win32.FakeAV.zup
Severity level: [graphic of four red squares]
Category: Trojan
Description: This is a known Trojan/Backdoor. It is recommended that you quarantine this threat.

Then another section with green arrows:

Move to Vault
Will safely quarantine the infected file to Virus Vault until further decision.

Allow
Will leave the file as it is now.
<!-- Ends -->

(html comments inserted by me for your information.)

I couldn’t close this by clicking on the x in the corner, or by pressing Alt-F4.

Clicked on Allow to leave it.

I clicked on Firefox to open it and was asked about two Firefox add-ons:
TACO 3.0 with Abine 3.20
Version 3.50 is available.

Web Developer 1.1.6
Version 1.1.9 is available.

I closed this by clicking on the x in the corner.

There is also a Security Alert that says:
Revocation information for the security certificate for this site is not available. Do you want to proceed?

Yes, No, View Certificate

It took 3 or 4 clicks on the x to make it go away.

Please note none of these are the pop-ups I was receiving before.

Please also note that before I was able to post my original message to Bleeping Computer on Saturday, the malware had changed my proxy settings and I had to manually uncheck the proxy settings box in Firefox.

Do you want me to rerun OTL.exe?

~Myrtle

#6 MyrtleVale

MyrtleVale
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:16 AM

Posted 13 January 2011 - 06:01 PM

Hi Blade

An addition - My AVG ran a complete scan with the following result:

Scan "Scheduled scan" completed.
Infections;"2";"2";"0"
Warnings;"1";"1";"0"
Folders selected for scanning:;"Whole computer scan"
Scan started:;"13 January 2011, 22:33:29"
Scan finished:;"13 January 2011, 22:55:27 (21 minute(s) 57 second(s))"
Total object scanned:;"1636227"
User who launched the scan:;"SYSTEM"

Infections
;"File";"Infection";"Result"
;"C:\Users\ELIZAB~1\AppData\Local\Temp\rjmxleuoq\tiqfwbblajb.exe";"Trojan horse Generic20.BPNO";"Moved to Virus Vault"
;"C:\Users\Elizabeth\AppData\Local\Temp\0.09884287800044789.exe";"Trojan horse Generic20.BPNO";"Moved to Virus Vault"

Warnings
;"File";"Infection";"Result"
;"HKU\S-1-5-21-2115268780-955084833-3038432234-1000\Software\Microsoft\Windows\CurrentVersion\Run\\jeaeqjee";"Found registry key with reference to infected file C:\Users\ELIZAB~1\AppData\Local\Temp\rjmxleuoq\tiqfwbblajb.exe";"Moved to Virus Vault"

~Myrtle

#7 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:07:16 AM

Posted 13 January 2011 - 10:45 PM

Shouldn't be necessary to rerun OTL at this point. Please perform the following in normal mode.

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix log

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#8 MyrtleVale

MyrtleVale
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:16 AM

Posted 14 January 2011 - 04:59 AM

Hi Blade

A little difficulty at first as ComboFix wanted me to remove AVG and AVG didn't want to be removed. However I managed it in the end.

I have pasted the log into this reply.

I am a little concerned. When I opened up Firefox (my browser of choice), I received a message saying that Firefox was not my default browser. Is this something that ComboFix has done or a result of the infection?

~Myrtle

ComboFix 11-01-10.04 - Elizabeth 14/01/2011 9:43.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.44.1033.18.3070.1944 [GMT 0:00]
Running from: c:\users\Elizabeth\Desktop\Renamed.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\PCDr\5744\Downloads\d242df42-c817-4c92-8e27-a770772ec980.dll

.
((((((((((((((((((((((((( Files Created from 2010-12-14 to 2011-01-14 )))))))))))))))))))))))))))))))
.

2011-01-14 09:49 . 2011-01-14 09:49 -------- d-----w- c:\users\Elizabeth\AppData\Local\temp
2011-01-14 09:49 . 2011-01-14 09:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-08 00:25 . 2011-01-08 10:45 -------- d-----w- c:\programdata\Kaspersky Lab
2011-01-08 00:24 . 2009-10-22 12:54 37392 ----a-w- c:\windows\system32\drivers\37653152.sys
2011-01-08 00:24 . 2009-10-09 22:31 311312 ----a-w- c:\windows\system32\drivers\3765315.sys
2011-01-08 00:24 . 2009-09-25 16:59 128016 ----a-w- c:\windows\system32\drivers\37653151.sys
2011-01-08 00:11 . 2011-01-08 00:20 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2011-01-03 17:59 . 2011-01-03 17:59 -------- d-----w- c:\program files\AVCWare
2011-01-03 03:18 . 2011-01-03 17:38 -------- d-----w- c:\users\Elizabeth\AppData\Roaming\WindSolutions
2011-01-03 03:18 . 2011-01-03 17:38 -------- d-----w- c:\programdata\WindSolutions
2010-12-31 12:35 . 2010-12-31 12:35 -------- d-----w- c:\users\Elizabeth\AppData\Roaming\L211 DVD-ROM 1
2010-12-31 12:33 . 2010-12-31 12:33 -------- d-----w- c:\users\Elizabeth\AppData\Roaming\L211 DVD-ROM 2
2010-12-29 15:43 . 2010-12-29 15:43 -------- d-----w- c:\program files\iPod
2010-12-28 16:58 . 2010-11-16 12:01 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{56993163-3B44-4597-B040-D23B36650C36}\mpengine.dll
2010-12-15 19:40 . 2010-11-03 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-12-15 19:40 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 17:38 . 2010-11-29 17:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 17:38 . 2010-11-29 17:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-10-19 10:41 . 2009-10-04 10:43 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-08-08 13:01 . 2009-01-17 14:19 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-06 39408]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"feedreader.exe"="c:\program files\FeedReader30\feedreader.exe" [2009-03-29 2058240]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-12-03 14944136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-02-22 159744]
"RtHDVCpl"="RtHDVCpl.exe" [2008-02-22 4907008]
"OEM13Mon.exe"="c:\windows\OEM13Mon.exe" [2008-07-17 36864]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-27 3563520]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-08 30192]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1451304]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"NokiaMusic FastStart"="c:\program files\Nokia\Nokia Music\NokiaMusic.exe" [2009-07-22 2331936]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-16 13793824]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-06-16 92704]
"FaxCenterServer"="c:\program files\Dell PC Fax\fm3032.exe" [2006-11-03 312200]
"DLCCCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2006-02-24 73728]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2007-01-30 431600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 135664]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-08 30192]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [2010-01-28 101120]
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [2008-12-30 103040]
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-03-19 136704]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-03-19 8320]
R3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-11-18 21744]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2009-04-23 16640]
S0 37653152;37653152 Boot Guard Driver;c:\windows\system32\DRIVERS\37653152.sys [2009-10-22 37392]
S1 37653151;37653151;c:\windows\system32\DRIVERS\37653151.sys [2009-09-25 128016]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2008-02-22 77824]
S2 BecHelperService;BecHelperService;c:\program files\3 Mobile Broadband\3Connect\BecHelperService.exe [2010-01-28 1737464]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-11-05 51288]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2008-11-05 43608]
S3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\DRIVERS\OEM13Vfx.sys [2008-07-17 7424]
S3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\DRIVERS\OEM13Vid.sys [2008-07-17 235840]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2011-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 12:04]

2011-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 12:04]

2010-12-30 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-11-18 15:13]

2011-01-13 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-11-18 15:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.bbc.co.uk/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\mywhswvp.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: LoremIpsum Content Generator: {10CF5A7A-2959-4ab3-B0D9-9DE2A7772D47} - %profile%\extensions\{10CF5A7A-2959-4ab3-B0D9-9DE2A7772D47}
FF - Ext: FoxyTunes: {463F6CA5-EE3C-4be1-B7E6-7FEE11953374} - %profile%\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}
FF - Ext: gTranslate: {aff87fa2-a58e-4edd-b852-0a20203c1e17} - %profile%\extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
WebBrowser-{BA14329E-9550-4989-B3F2-9732E92D17CC} - (no file)
HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-14 09:49
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,76,41,d8,40,b6,d7,46,4a,b5,ec,15,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,76,41,d8,40,b6,d7,46,4a,b5,ec,15,\

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-01-14 09:51:32
ComboFix-quarantined-files.txt 2011-01-14 09:51

Pre-Run: 114,080,030,720 bytes free
Post-Run: 113,515,110,400 bytes free

- - End Of File - - 576966D381D25B301F33CC0682946DAC

#9 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:07:16 AM

Posted 16 January 2011 - 12:38 AM

Hello.

I am a little concerned. When I opened up Firefox (my browser of choice), I received a message saying that Firefox was not my default browser. Is this something that ComboFix has done or a result of the infection?


Probably a result of the infection. . . nothing to be overly concerned about.

1. Open notepad and copy/paste the text in the codebox below into it:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=-

DDS::
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer =



Save this as CFScript.txt, in the same location as renamed.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

~Blade


In your next reply, please include the following:
ComboFix Log
How is the computer running now?

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#10 MyrtleVale

MyrtleVale
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:16 AM

Posted 16 January 2011 - 07:36 AM

Hi Blade,

When I ran ComboFix it asked me if I wanted the newer version. I said No. Then it said that it had expired and it would run on reduced functionality. So I closed it down, reopened it, and when it asked me again if I wanted the newer version I said Yes. Newer version was downloaded then it ran. Log is below.

I haven't been using the laptop (I have a work laptop that I've been using), so I'm not completely sure how it's running. I don't have any pop-ups any more and once I'd run ComboFix again the default warning for Mozilla didn't show up again.

I don't want to download email or do much more than surf the net till I know it's clean. I've just installed Kaspersky trial version to cover my browsing.

Thanks for all the help. It's very much appreciated.

~Myrtle

ComboFix 11-01-15.01 - Elizabeth 16/01/2011 10:44:22.2.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.44.1033.18.3070.1888 [GMT 0:00]
Running from: c:\users\Elizabeth\Desktop\Renamed.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\PCDr\5744\Downloads\3f27aeb4-f0e2-4006-92ee-e1f5a49cf45f.dll
c:\programdata\PCDr\5744\Downloads\69282cc9-4087-49e4-b903-9638b4f63ccc.dll
c:\programdata\PCDr\5744\Downloads\ace5304d-f4d3-4e03-9b43-c1113c682910.dll

.
((((((((((((((((((((((((( Files Created from 2010-12-16 to 2011-01-16 )))))))))))))))))))))))))))))))
.

2011-01-16 10:50 . 2011-01-16 10:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-08 00:25 . 2011-01-08 10:45 -------- d-----w- c:\programdata\Kaspersky Lab
2011-01-08 00:24 . 2009-10-22 12:54 37392 ----a-w- c:\windows\system32\drivers\37653152.sys
2011-01-08 00:24 . 2009-10-09 22:31 311312 ----a-w- c:\windows\system32\drivers\3765315.sys
2011-01-08 00:24 . 2009-09-25 16:59 128016 ----a-w- c:\windows\system32\drivers\37653151.sys
2011-01-08 00:11 . 2011-01-08 00:20 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2011-01-03 17:59 . 2011-01-03 17:59 -------- d-----w- c:\program files\AVCWare
2011-01-03 03:18 . 2011-01-03 17:38 -------- d-----w- c:\users\Elizabeth\AppData\Roaming\WindSolutions
2011-01-03 03:18 . 2011-01-03 17:38 -------- d-----w- c:\programdata\WindSolutions
2010-12-31 12:35 . 2010-12-31 12:35 -------- d-----w- c:\users\Elizabeth\AppData\Roaming\L211 DVD-ROM 1
2010-12-31 12:33 . 2010-12-31 12:33 -------- d-----w- c:\users\Elizabeth\AppData\Roaming\L211 DVD-ROM 2
2010-12-29 15:43 . 2010-12-29 15:43 -------- d-----w- c:\program files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 17:38 . 2010-11-29 17:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 17:38 . 2010-11-29 17:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-04 18:56 . 2010-12-15 19:15 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-04 18:55 . 2010-12-15 19:15 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-11-04 18:55 . 2010-12-15 19:15 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-04 18:55 . 2010-12-15 19:15 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-04 16:34 . 2010-12-15 19:15 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 06:01 . 2010-12-15 19:15 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-02 05:57 . 2010-12-15 19:15 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-02 05:57 . 2010-12-15 19:15 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-02 05:57 . 2010-12-15 19:15 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-11-02 05:57 . 2010-12-15 19:15 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-11-02 05:01 . 2010-12-15 19:15 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 04:26 . 2010-12-15 19:15 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-11-02 04:24 . 2010-12-15 19:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-10-28 15:44 . 2010-12-15 19:15 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-28 13:27 . 2010-12-15 19:15 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-10-28 13:20 . 2010-12-15 19:15 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-19 10:41 . 2009-10-04 10:43 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-18 13:37 . 2010-12-15 19:15 81920 ----a-w- c:\windows\system32\consent.exe
2010-10-18 13:31 . 2010-12-15 19:15 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-08-08 13:01 . 2009-01-17 14:19 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-06 39408]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"feedreader.exe"="c:\program files\FeedReader30\feedreader.exe" [2009-03-29 2058240]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-12-03 14944136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-02-22 159744]
"RtHDVCpl"="RtHDVCpl.exe" [2008-02-22 4907008]
"OEM13Mon.exe"="c:\windows\OEM13Mon.exe" [2008-07-17 36864]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-27 3563520]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-08 30192]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1451304]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"NokiaMusic FastStart"="c:\program files\Nokia\Nokia Music\NokiaMusic.exe" [2009-07-22 2331936]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-16 13793824]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-06-16 92704]
"FaxCenterServer"="c:\program files\Dell PC Fax\fm3032.exe" [2006-11-03 312200]
"DLCCCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2006-02-24 73728]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2007-01-30 431600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 135664]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-08 30192]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [2010-01-28 101120]
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [2008-12-30 103040]
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-03-19 136704]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-03-19 8320]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2009-04-23 16640]
S0 37653152;37653152 Boot Guard Driver;c:\windows\system32\DRIVERS\37653152.sys [2009-10-22 37392]
S1 37653151;37653151;c:\windows\system32\DRIVERS\37653151.sys [2009-09-25 128016]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2008-02-22 77824]
S2 BecHelperService;BecHelperService;c:\program files\3 Mobile Broadband\3Connect\BecHelperService.exe [2010-01-28 1737464]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-11-05 51288]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2008-11-05 43608]
S3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\DRIVERS\OEM13Vfx.sys [2008-07-17 7424]
S3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\DRIVERS\OEM13Vid.sys [2008-07-17 235840]
S3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-11-18 21744]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2011-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 12:04]

2011-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-26 12:04]

2010-12-30 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-11-18 15:13]

2011-01-16 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-11-18 15:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.bbc.co.uk/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Elizabeth\AppData\Roaming\Mozilla\Firefox\Profiles\mywhswvp.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: LoremIpsum Content Generator: {10CF5A7A-2959-4ab3-B0D9-9DE2A7772D47} - %profile%\extensions\{10CF5A7A-2959-4ab3-B0D9-9DE2A7772D47}
FF - Ext: FoxyTunes: {463F6CA5-EE3C-4be1-B7E6-7FEE11953374} - %profile%\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}
FF - Ext: gTranslate: {aff87fa2-a58e-4edd-b852-0a20203c1e17} - %profile%\extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - user.js: yahoo.homepage.dontask - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-16 10:50
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,76,41,d8,40,b6,d7,46,4a,b5,ec,15,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,76,41,d8,40,b6,d7,46,4a,b5,ec,15,\

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-01-16 10:52:13
ComboFix-quarantined-files.txt 2011-01-16 10:51

Pre-Run: 116,113,276,928 bytes free
Post-Run: 116,084,318,208 bytes free

- - End Of File - - 1F670BB5A7E21D562A971E652A562C70

#11 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:07:16 AM

Posted 16 January 2011 - 08:10 AM

In all appearances the machine appears to be clean. I would like you to test it out a bit. Once you've tried using it, let me know how it's working and I will give you some finishing steps if all is good. :)

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#12 MyrtleVale

MyrtleVale
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:16 AM

Posted 18 January 2011 - 01:22 PM

Hi Blade

There was an error message concerning the printer communication system that kept appearing. I plugged in the printer and sent a document to print. This confirmed the communication error. I then clicked on the "Check online for a solution" option and it is now fixed.

All seems well. No pop-ups, no trying to alter Firefox and no virus reported by Kaspersky.

Thanks for your help.

~Myrtle

#13 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:07:16 AM

Posted 18 January 2011 - 01:51 PM

Hello.

Great!

Now, let's clean up our mess.
  • Click on Start>Run
  • Now type combofix /Uninstall in the runbox and click OK. Notice the space between the "x" and "/".
  • You will then recieve a message letting you know that Combofix was uninstalled Successfully.
This will remove files/folders assoicated with combofix and uninstall it.

***************************************************
  • Please double click on the Posted Image icon on your desktop.
  • Click the large button marked "Cleanup"
***************************************************

Your machine appears to be clean!

If you disabled emulation drivers earlier, you can re-enable them now if you wish:

To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

***************************************************

I highly recommend that you read through the below set of very helpful suggestions and implement them; they will help protect you from reinfectionI recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache! Posted Image
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates seperately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

For a nice list of freeware programs in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Another recommendation, is to download HostsMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installlation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.[list=a]
  • Click "Hosts" in the menu
  • Click "Manage Updates" in the submenu
  • Out of the choices available, select at least one of them (I have MVPS Host as my main one)
  • Click "Add Update." After that you will only need to click on the Update button to retrieve updates:
  • Click the X to exit the program.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#14 MyrtleVale

MyrtleVale
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:16 AM

Posted 18 January 2011 - 07:33 PM

Thanks, Blade.

I can't tell you how much you've helped. It's been very much appreciated.

Many thanks

~Myrtle

#15 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:07:16 AM

Posted 18 January 2011 - 09:11 PM

It was my pleasure. :thumbup2:

Since this issue appears to be resolved ... this Topic has been closed.

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

~Blade

Edited by Blade Zephon, 18 January 2011 - 09:12 PM.

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users