Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit.ZeroAccess, ComboFix issues


  • This topic is locked This topic is locked
12 replies to this topic

#1 mpfetz

mpfetz

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 24 January 2012 - 09:39 PM

My computer has been sending us to ads and popups and fake news websites such as NewsDaily7 for the past couple of days. Our AVG virus program has been warning us of about 7 threats per day and flashing warning screens but do not allow us to quarantine the threats, only ignore them. Today, when I turned on the computer, I discovered the virus had emptied all of our folders and deleted all of our programs, but we still could access the internet. I've been trying for hours to disinfect the computer but when I run MBAM, it gets two hours into it and then crashes unexpectedly. AVG found 15 infections and claims to have fixed them but nothing's improved. I ran the TDLSRootKiller thing offered by this website and am now running ComboFix as I saw it advised on somebody's post who was experiencing the same problem. However, my computer went through ComboFix, installed Microsoft Recovery, rebooted, and has now been stuck on the ComboFix is preparing to run screen for about twenty minutes. ComboFix also alerted me that I was infected with Rootkit.Zeroaccess. What should I do? Please help.

-M

BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:14 PM

Posted 29 January 2012 - 02:49 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Posted Image
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

information and logs:

  • In your next post I need the following

  • .logs from DDS
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 mpfetz

mpfetz
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 30 January 2012 - 05:00 PM

QUICK QUESTION BEFORE I DO ANY OF THIS:
I dont think I mentioned that the virus whatever it was completely deleted every single program from my computer, including iTunes, Picasa, etc. Is there anyway to get these back?

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:14 PM

Posted 30 January 2012 - 06:31 PM

The first thing I would like you to do is run this for me - http://download.bleepingcomputer.com/grinler/unhide.exe after it is complete restart the computer and continue with these steps


Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in

    %TEMP%\smtmp\*.* /s

  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and the that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTListIt.txt in your next reply.


information and logs:

  • In your next post I need the following

  • .logs from OTL
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 mpfetz

mpfetz
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 30 January 2012 - 09:26 PM

OTL.Txt:
OTL logfile created on: 1/30/2012 8:19:26 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Margo\My Documents\Downloads
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.37 Gb Available Physical Memory | 79.21% Memory free
4.84 Gb Paging File | 4.29 Gb Available in Paging File | 88.75% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 228.13 Gb Total Space | 79.51 Gb Free Space | 34.85% Space Free | Partition Type: NTFS
Unable to calculate disk information.

Computer Name: PFETZER | User Name: Margo | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Margo\My Documents\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe (Apple Inc.)
PRC - C:\Program Files\AVG\AVG2012\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)
PRC - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Mozilla Firefox\mozjs.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll ()
MOD - C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll ()
MOD - C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll ()
MOD - C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll ()
MOD - C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\abef85f2fb8ba830eda73e2d12e8d41e\System.ServiceProcess.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\af39f6e644af02873b9bae319f2bfb13\System.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll ()
MOD - C:\WINDOWS\system32\quartz.dll ()
MOD - C:\WINDOWS\system32\qdvd.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\WINDOWS\assembly\GAC_32\System.Data.SQLite\1.0.61.0__db937bc2d44ff139\System.Data.SQLite.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.Reporter\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Reporter.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.WindowsFirewallUtilities\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.WindowsFirewallUtilities.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\log4net\1.2.10.0__1b44e1d426115821\log4net.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Api.Net\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Api.Net.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Core\3.1.26.0__540d4816ead86321\Intuit.Spc.Esd.Core.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.BusinessLogic\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.Client.BusinessLogic.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.DataAccess\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.Client.DataAccess.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.Common\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.Client.Common.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateService\1.0.0.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateService.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateService.PluginContract\1.0.0.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateService.PluginContract.dll ()
MOD - C:\WINDOWS\system32\sbe.dll ()
MOD - C:\Program Files\Adobe\Reader 9.0\Reader\ViewerPS.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.Reporter\5.0.104.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Reporter.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.WindowsFirewallUtilities\5.0.104.0__7ce6deabcb36a8ea\Intuit.Spc.Map.WindowsFirewallUtilities.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Api.Net\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Api.Net.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Core\2.0.445.0__540d4816ead86321\Intuit.Spc.Esd.Core.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.DataAccess\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.Client.DataAccess.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.Common\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.Client.Common.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.BusinessLogic\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.Client.BusinessLogic.dll ()
MOD - C:\Program Files\Cucusoft\iPod to Computer\Filter\ffdshow.ax ()
MOD - C:\WINDOWS\system32\qedit.dll ()
MOD - C:\WINDOWS\system32\msdmo.dll ()
MOD - C:\WINDOWS\system32\devenum.dll ()


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (AVGIDSAgent) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
SRV - (avgwd) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (MotoHelper) -- C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe ()
SRV - (WMZuneComm) -- c:\Program Files\Zune\WMZuneComm.exe (Microsoft Corporation)
SRV - (ZuneWlanCfgSvc) -- c:\Program Files\Zune\ZuneWlanCfgSvc.exe (Microsoft Corporation)
SRV - (ZuneNetworkSvc) -- c:\Program Files\Zune\ZuneNss.exe (Microsoft Corporation)
SRV - (ZuneBusEnum) -- c:\Program Files\Zune\ZuneBusEnum.exe (Microsoft Corporation)
SRV - (IntuitUpdateService) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)
SRV - (Sony SCSI Helper Service) -- C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe (Sony Corporation)
SRV - (getPlusHelper) getPlus® -- C:\Program Files\NOS\bin\getPlus_Helper.dll (NOS Microsystems Ltd.)
SRV - (WDDMService) -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe (WDC)
SRV - (LVPrcSrv) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)
SRV - (WDSmartWareBackgroundService) -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe (Memeo)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)


========== Driver Services (SafeList) ==========

DRV - (MBAMSwissArmy) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys (Malwarebytes Corporation)
DRV - (Avgldx86) -- C:\WINDOWS\system32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSShim) -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys (AVG Technologies CZ, s.r.o. )
DRV - (Avgrkx86) -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgmfx86) -- C:\WINDOWS\system32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgtdix) -- C:\WINDOWS\system32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSFilter) -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSEH) -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSDriver) -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys (AVG Technologies CZ, s.r.o. )
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (TPkd) -- C:\WINDOWS\System32\drivers\TPkd.sys (PACE Anti-Piracy, Inc.)
DRV - (FilterService) -- C:\WINDOWS\system32\drivers\lvuvcflt.sys (Logitech Inc.)
DRV - (LVUVC) QuickCam Communicate Deluxe(UVC) -- C:\WINDOWS\system32\drivers\lvuvc.sys (Logitech Inc.)
DRV - (LVRS) -- C:\WINDOWS\system32\drivers\lvrs.sys (Logitech Inc.)
DRV - (LVPr2Mon) -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys ()
DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (TRENDware International, Inc )
DRV - (WDC_SAM) -- C:\WINDOWS\system32\drivers\wdcsam.sys (Western Digital Technologies)
DRV - (LVUSBSta) -- C:\WINDOWS\system32\drivers\LVUSBSta.sys (Logitech Inc.)
DRV - (lvpopflt) -- C:\WINDOWS\system32\drivers\lvpopflt.sys (Logitech Inc.)
DRV - (FETNDISB) -- C:\WINDOWS\system32\drivers\dlkfet5b.sys (D-Link )
DRV - (WinUSB) -- C:\WINDOWS\system32\drivers\winusb.sys (Microsoft Corporation)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = EF 43 EB 13 19 CA C4 4E 98 F8 67 DF 11 C0 2A 1F [binary data]
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = EF 43 EB 13 19 CA C4 4E 98 F8 67 DF 11 C0 2A 1F [binary data]
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = EF 43 EB 13 19 CA C4 4E 98 F8 67 DF 11 C0 2A 1F [binary data]

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = EF 43 EB 13 19 CA C4 4E 98 F8 67 DF 11 C0 2A 1F [binary data]

IE - HKU\S-1-5-21-1482476501-1604221776-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/
IE - HKU\S-1-5-21-1482476501-1604221776-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-1482476501-1604221776-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1482476501-1604221776-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-1482476501-1604221776-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-1482476501-1604221776-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-1482476501-1604221776-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1482476501-1604221776-839522115-1004\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-21-1482476501-1604221776-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1482476501-1604221776-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;192.168.*.*;*.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
FF - prefs.js..browser.search.selectedEngine: "AVG Secure Search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.facebook.com"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:5.0.0.6906
FF - prefs.js..keyword.URL: "http://search.avg.com/route/?d=4dcdf401&v=7.007.026.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q="
FF - prefs.js..network.proxy.type: 1


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@sony.com/eBookLibrary: C:\Program Files\Sony\Reader\Data\bin\npebldetectmoz.dll (Sony Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2011/12/23 08:51:14 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/26 16:35:07 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/12/26 17:37:37 | 000,000,000 | ---D | M]

[2010/01/10 18:25:56 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Margo\Application Data\Mozilla\Extensions
[2012/01/21 09:41:25 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Margo\Application Data\Mozilla\Firefox\Profiles\wyjvffv0.default\extensions
[2010/04/27 15:21:11 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Margo\Application Data\Mozilla\Firefox\Profiles\wyjvffv0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/02/12 16:51:17 | 000,009,977 | ---- | M] () -- C:\Documents and Settings\Margo\Application Data\Mozilla\Firefox\Profiles\wyjvffv0.default\searchplugins\mywebsearch.xml
[2011/10/03 06:49:57 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/10/26 14:19:49 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012/01/26 16:35:07 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\distribution\extensions
[2012/01/26 16:35:06 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/01/31 09:57:01 | 000,289,592 | ---- | M] (Cisco WebEx LLC) -- C:\Program Files\mozilla firefox\plugins\ieatgpc.dll
[2011/01/31 09:56:39 | 000,171,832 | ---- | M] (Cisco WebEx LLC) -- C:\Program Files\mozilla firefox\plugins\npatgpc.dll
[2012/01/23 21:08:13 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/01/23 21:08:13 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2010/10/04 10:41:29 | 000,420,575 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 14506 more lines...
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-1482476501-1604221776-839522115-1004\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKU\.DEFAULT..\Run: [winupd] C:\WINDOWS\TEMP [2012/01/30 20:05:49 | 000,000,000 | ---D | M]
O4 - HKU\S-1-5-18..\Run: [winupd] C:\WINDOWS\TEMP [2012/01/30 20:05:49 | 000,000,000 | ---D | M]
O4 - HKU\S-1-5-21-1482476501-1604221776-839522115-1004..\Run: [Logitech Vid] "C:\Program Files\Logitech\Logitech Vid\vid.exe" -bootmode File not found
O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1482476501-1604221776-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Search - ?p=ZUfox000 File not found
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0825DEA7-6A95-4D60-8209-E82EC568AF47}: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D62D2420-846E-4E81-BD9E-47E416AEB970}: NameServer = 10.0.0.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\cryptnet32: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Margo\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Margo\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/10 13:41:34 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{2fbe91ac-5ab7-11df-a8d9-0019d10070c7}\Shell - "" = AutoRun
O33 - MountPoints2\{2fbe91ac-5ab7-11df-a8d9-0019d10070c7}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{2fbe91ac-5ab7-11df-a8d9-0019d10070c7}\Shell\AutoRun\command - "" = J:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/30 16:00:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2012/01/30 16:00:23 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/01/24 20:47:02 | 000,309,320 | ---- | C] (BitDefender S.R.L.) -- C:\WINDOWS\System32\drivers\TrufosAlt.sys
[2012/01/24 20:19:02 | 000,162,816 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\netbt.svs
[2012/01/24 20:09:56 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/01/24 20:04:21 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/01/24 20:04:21 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/01/24 20:04:21 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/01/24 20:04:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/01/24 20:04:13 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/01/24 20:04:09 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/01/24 19:16:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2012/01/24 19:06:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/01/24 19:01:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2012/01/24 16:03:35 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/01/24 13:00:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Apple Computer
[2012/01/23 20:04:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2012/01/23 20:04:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2012/01/23 11:37:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
[2012/01/07 19:11:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Margo\Application Data\redsn0w
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[11 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/30 20:18:20 | 000,000,878 | ---- | M] () -- C:\Documents and Settings\Margo\Desktop\Shortcut to OTL.lnk
[2012/01/30 20:18:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/01/30 20:05:50 | 000,039,472 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2012/01/30 20:05:39 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/01/30 19:23:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/30 19:23:05 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2012/01/30 19:23:00 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\logiflt.iad
[2012/01/30 18:26:25 | 087,817,706 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/01/30 18:25:46 | 000,163,536 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2012/01/30 16:01:00 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/01/30 12:58:55 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/28 18:05:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/01/28 11:26:06 | 000,000,354 | ---- | M] () -- C:\WINDOWS\tasks\MotoHelper Routing.job
[2012/01/25 16:25:49 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/01/24 21:27:37 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/01/24 21:20:26 | 000,444,456 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/01/24 21:20:26 | 000,072,332 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/01/24 20:47:13 | 000,309,320 | ---- | M] (BitDefender S.R.L.) -- C:\WINDOWS\System32\drivers\TrufosAlt.sys
[2012/01/24 20:42:04 | 000,000,000 | ---- | M] () -- C:\WINDOWS\SWSC.exe
[2012/01/24 20:10:00 | 000,000,325 | RHS- | M] () -- C:\boot.ini
[2012/01/24 19:50:25 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/01/24 19:07:20 | 000,645,730 | ---- | M] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2012/01/24 15:57:52 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/23 11:26:04 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\MotoHelper MUM.job
[2012/01/23 11:26:03 | 000,000,370 | ---- | M] () -- C:\WINDOWS\tasks\MotoHelper Update.job
[2012/01/23 00:16:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2012/01/20 15:47:38 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Margo\Desktop\Microsoft Office Word 2003.lnk
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[11 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/30 20:18:20 | 000,000,878 | ---- | C] () -- C:\Documents and Settings\Margo\Desktop\Shortcut to OTL.lnk
[2012/01/30 16:01:00 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/01/24 20:10:00 | 000,000,209 | ---- | C] () -- C:\Boot.bak
[2012/01/24 20:09:58 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/01/24 20:04:21 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/01/24 20:04:21 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/01/24 20:04:21 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/01/24 20:04:21 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/01/24 20:04:21 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/01/24 20:04:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SWSC.exe
[2012/01/24 19:06:33 | 000,645,730 | ---- | C] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2012/01/24 15:57:52 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2011/12/31 10:22:45 | 000,001,410 | -HS- | C] () -- C:\Documents and Settings\Margo\Local Settings\Application Data\rjj34xm10mi0vbeogdoi371720k4dla245j01mfwxe7
[2011/12/31 10:22:45 | 000,001,410 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\rjj34xm10mi0vbeogdoi371720k4dla245j01mfwxe7
[2011/12/27 15:22:34 | 000,013,676 | -HS- | C] () -- C:\Documents and Settings\Margo\Local Settings\Application Data\1c88538840wsc747
[2011/12/27 15:22:34 | 000,013,676 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1c88538840wsc747
[2011/12/21 22:21:34 | 000,001,298 | -HS- | C] () -- C:\Documents and Settings\Margo\Local Settings\Application Data\707007m0n800p846g213h4tqw3n0
[2011/12/21 22:21:34 | 000,001,298 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\707007m0n800p846g213h4tqw3n0
[2011/12/09 16:50:13 | 000,073,728 | R--- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2011/11/22 22:19:56 | 000,001,209 | ---- | C] () -- C:\Documents and Settings\Margo\Application Data\ldr.ini
[2011/05/26 16:48:50 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2011/05/19 12:36:55 | 000,104,253 | ---- | C] () -- C:\WINDOWS\hpoins04.dat.temp
[2011/05/19 12:36:55 | 000,017,176 | ---- | C] () -- C:\WINDOWS\hpomdl04.dat.temp
[2011/05/13 20:37:22 | 000,001,602 | -HS- | C] () -- C:\Documents and Settings\Margo\Local Settings\Application Data\l1mt4nci68jk2ni176
[2011/05/13 20:37:22 | 000,001,602 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\l1mt4nci68jk2ni176
[2010/12/11 22:33:11 | 000,295,554 | ---- | C] () -- C:\WINDOWS\System32\shimg.dll
[2010/05/12 20:15:57 | 000,004,540 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/04/07 14:17:11 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/02/05 20:59:44 | 000,000,056 | ---- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/01/22 21:01:17 | 000,104,253 | ---- | C] () -- C:\WINDOWS\hpoins04.dat
[2010/01/22 21:01:17 | 000,017,176 | ---- | C] () -- C:\WINDOWS\hpomdl04.dat
[2010/01/12 17:39:41 | 000,142,336 | ---- | C] () -- C:\Documents and Settings\Margo\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/12 17:26:51 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Margo\Local Settings\Application Data\fusioncache.dat
[2010/01/11 16:08:17 | 000,118,044 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/01/10 22:43:30 | 000,082,289 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2010/01/10 17:50:31 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/01/10 17:40:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/01/10 16:20:32 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2010/01/10 13:43:23 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/01/10 13:38:59 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/01/10 07:07:29 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/01/10 07:06:46 | 000,544,016 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/10/07 00:46:36 | 000,025,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2009/10/07 00:23:08 | 000,013,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLFT2.dll
[2006/10/27 16:26:56 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2005/08/05 14:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/03/22 16:38:24 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/03/22 16:38:24 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/10 05:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 05:00:00 | 000,444,456 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 05:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 05:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 05:00:00 | 000,072,332 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 05:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 05:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 05:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 05:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/10 05:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/01/07 09:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Custom Scans ==========


< %TEMP%\smtmp\*.* /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 1200 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:m4gsrNPi9Jjv5PZgVQ0NIbFq8
@Alternate Data Stream - 1126 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:F6TfGKqOP2zEIJrF5vg87Ijg
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >




Extras.Txt



OTL Extras logfile created on: 1/30/2012 8:19:26 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Margo\My Documents\Downloads
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.37 Gb Available Physical Memory | 79.21% Memory free
4.84 Gb Paging File | 4.29 Gb Available in Paging File | 88.75% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 228.13 Gb Total Space | 79.51 Gb Free Space | 34.85% Space Free | Partition Type: NTFS
Unable to calculate disk information.

Computer Name: PFETZER | User Name: Margo | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-1482476501-1604221776-839522115-1004\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"443:UDP" = 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP" = 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP" = 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP" = 37675:UDP:*:Disabled:ooVoo UDP port 37675
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AIM
"C:\Program Files\Google\Google Earth\plugin\geplugin.exe" = C:\Program Files\Google\Google Earth\plugin\geplugin.exe:*:Disabled:Google Earth -- (Google)
"C:\Program Files\AVG\AVG10\avgmfapx.exe" = C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\Program Files\AVG\AVG2012\avgmfapx.exe" = C:\Program Files\AVG\AVG2012\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\Program Files\AVG\AVG2012\avgnsx.exe" = C:\Program Files\AVG\AVG2012\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgdiagex.exe" = C:\Program Files\AVG\AVG2012\avgdiagex.exe:*:Enabled:AVG Diagnostics 2012 -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgemcx.exe" = C:\Program Files\AVG\AVG2012\avgemcx.exe:*:Enabled:Personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Logitech\Vid HD\Vid.exe" = C:\Program Files\Logitech\Vid HD\Vid.exe:*:Enabled:Logitech Vid HD -- (Logitech Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05BDC796-3451-4F81-B91D-E98F7ADA76C2}" = TurboTax 2010 WinPerTaxSupport
"{07EEE598-5F21-4B57-B40B-46592625B3D9}" = Zune Language Pack (PTB)
"{1D76A52C-87A6-4AB0-A7B0-08C8D5DF1D75}" = Motorola Mobile Drivers Installation 5.2.0
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F63ED0B-EDD2-4037-B6AB-1358C624AF48}" = Scan
"{20ACB2F8-3BCA-45A8-80A2-9D3CB5C25F43}" = Safari
"{21E75254-410E-49C4-8981-2E1A2A2221F2}" = HP Diagnostic Assistant
"{2405665A-16C9-4D3A-B70E-F006220E1472}" = Overland
"{25613C10-27D2-410B-942B-D922D5C3A7BE}" = Interlok driver setup x32
"{267868CE-6DFF-40F7-9C58-C01119B7B117}" = Fax
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 19
"{2BBC9458-07CA-4843-848B-5C8146E5EFA8}" = CreativeProjects
"{2C4E2E4E-A7C9-4CCB-BF03-FE6EBD5D4AB7}" = Windows Mobile Device Updater Component
"{2F71F2BA-B513-4113-969C-18A84D238E27}" = 1310
"{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support
"{34A59AC3-6C5C-4A09-A7F5-369A37176C8A}" = AiOSoftware
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35725FBC-A136-4A46-9F29-091759D9BB93}" = MVision
"{3782EC09-4000-475E-8A59-9CABD6F03B4C}" = TurboTax 2010 WinPerFedFormset
"{37EBB600-EAA2-012B-AD89-000000000000}" = TurboTax 2009 wiliper
"{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
"{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
"{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
"{3AE681E0-4E8D-453F-950A-48534D3C0724}" = Copy
"{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
"{3CF78481-FB7B-4B51-99A2-D5E0CD0B3AAF}" = HPSystemDiagnostics
"{41254D7B-EADF-4078-AE4A-BD73B300EE86}" = Unload
"{457791C5-D702-4143-A7B2-2744BE9573F2}" = HP Software Update
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4F2FCCCF-29F3-44B9-886F-6D16F8417522}" = TurboTax 2010 wrapper
"{595D0DE8-C38A-4432-B851-47DECC1A99BD}" = HP Unload DLL Patch
"{597D73A8-5FDB-4bc1-9893-40B54459F1BC}" = ProductContext
"{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
"{5C93E291-A1CC-4E51-85C6-E194209FCDB4}" = Zune Language Pack (PTG)
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{6740BCB0-5863-47F4-80F4-44F394DE4FE2}" = Zune Language Pack (NLD)
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6B33492E-FBBC-4EC3-8738-09E16E395A10}" = Zune Language Pack (ESP)
"{7006ED29-58F2-40C3-AE87-039287AD20B6}" = Zune
"{70632C41-BDAC-4128-9FBF-287F9FF53DE5}" = TurboTax 2010 wiliper
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{80413011-029C-4D6B-B3AD-725DDE60B81C}" = 1310Trb
"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
"{8398852A-7B61-4808-8F58-D0A40D1B2CB6}" = AVG 2012
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{94CAC2F1-C856-47F4-AF24-65A1E75AEDB9}" = MotoHelper MergeModules
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{981FB376-8418-4EA8-BBED-9DE5AA63E7D5}" = SkinsHP1
"{98E3252E-3CE5-4B15-929D-D18F7BE6EED4}" = D-Link DFE-530TX+
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9CB2512B-3EC4-43DF-8002-46BDAB5EDD1B}" = QuickProjects
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = iSEEK AnswerWorks English Runtime
"{9EEBF8D5-8712-4D1D-88F4-4CDC2D270BC3}" = PrintScreen
"{A1062847-0846-427A-92A1-BB8251A91E91}" = HP PSC & OfficeJet 4.2
"{A1DCC235-DACC-4E1F-8D11-D630634B4AEF}" = PhotoGallery
"{A212E6C2-20F7-4A8E-BD8E-DC3EE7483FA2}" = PRS-500 USB driver
"{A2500497-FD32-493e-B8E5-28D6728DBEF5}" = Readme
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A4EA3AB4-E78C-4286-96DF-26035507CE55}" = AiO_Scan
"{A525E00B-6609-442E-9DCD-64453C233E8D}" = TurboTax 2010 WinPerReleaseEngine
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.7
"{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = TEG-PCITXR 32bit Gigabit PCI Adatper
"{AEBBFC67-7A03-4DF3-9E71-BA5C9EB4FBEF}" = MobileMe Control Panel
"{B32C75F2-7495-4D01-9431-C11E97D66F8C}" = DocProc
"{B3D5D4E0-E965-41C4-ABFD-A7B1AD0663C2}" = Director
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B45D9FEE-1AF4-46F3-9A83-2545F81547F5}" = CreativeProjectsTemplates
"{B56D5B09-C4FB-4EA0-8EAD-7BC3E2715A2D}" = DocumentViewer
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{B70E5793-F912-4C62-AFE2-C4F0B078FD31}" = Reader Library by Sony
"{BCC992E5-5C81-4066-9B55-03DC10B24D21}" = InstantShare
"{BE236D9A-52EC-4A17-82DA-84B5EAD31E3E}" = Zune Language Pack (DEU)
"{BF018D2F-C788-4AB1-AB95-1280EAB8F13E}" = TrayApp
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C27BC2A2-30DD-4014-B22E-63EB0DB572F9}" = Logitech Webcam Software
"{C5D37FFA-7483-410B-982B-91E93FD3B7DA}" = Zune Language Pack (ITA)
"{C68D33B1-0204-4EBE-BC45-A6E432B1D13A}" = Zune Language Pack (FRA)
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD0DC280-2489-4464-A2FC-16104676394A}" = WD SmartWare
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D4AFC7AD-F637-4EDD-BC76-767E4AF78CE1}" = OverDrive Media Console
"{E171F5DA-6F17-472D-A223-92468142C5E8}" = AVG 2012
"{E21658D0-8C83-4ADD-937B-6ED07F335ABA}" = 1310Tour
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E90BEB5B-CFA0-418E-9ABB-4C4A7B0D9483}" = 1310_Help
"{EC8673DA-F96B-497E-B2DB-BC7B029FD680}" = BufferChm
"{F4F47155-5B4D-42AA-97F8-490BC52EA7F3}" = Destinations
"{F65787F3-B356-45EC-8DD0-0E6758EDBCEE}" = WebReg
"{F6D6B258-E3CA-4AAC-965A-68D3E3140A8C}" = iTunes
"{FB26A501-6BA6-459B-89AA-9736730752FB}" = VoiceOver Kit
"{FCD9CD52-7222-4672-94A0-A722BA702FD0}" = Dell Resource CD
"{FF26F7EA-BCEE-478C-9A1B-6B4F88717D73}" = CueTour
"{FFF74EC9-1FF4-4456-99E3-4F05129F4FAB}" = Antares Auto-Tune Evo VST
"75070B1806113224B16C70296B90DD1AD8A53479" = Windows Driver Package - Sony Corporation (PRSUSB) USB (08/08/2006 1.0.03.08080)
"ActiveTouchMeetingClient" = WebEx
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AVG" = AVG 2012
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Cucusoft iPad/iPhone/iPod to Computer Transfer_is1" = iPad/iPhone/iPod to Computer Transfer 7.5.10
"Digital Editions" = Adobe Digital Editions
"HP Photo & Imaging" = HP Image Zone 4.2
"ie8" = Windows Internet Explorer 8
"InstallShield_{98E3252E-3CE5-4B15-929D-D18F7BE6EED4}" = D-Link DFE-530TX+
"Juniper_Setup_Client Activex Control" = Juniper Networks Setup Client Activex Control
"legacyqcam_11.10" = Logitech Legacy USB Camera Driver Package
"Logitech Vid" = Logitech Vid HD
"lvdrivers_12.10" = Logitech Webcam Software Driver Package
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MotoHelper" = MotoHelper 2.0.51 Driver 5.2.0
"Mozilla Firefox 10.0 (x86 en-US)" = Mozilla Firefox 10.0 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Drivers" = NVIDIA Drivers
"Picasa 3" = Picasa 3
"PROSet" = Intel® PRO Network Connections Drivers
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"TurboTax 2009" = TurboTax 2009
"TurboTax 2010" = TurboTax 2010
"VN_VUIns_Rhine_D-Link" = D-Link PCI Fast Ethernet Adapter
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = GIMP 2.6.8
"WinRAR archiver" = WinRAR 4.01 (32-bit)
"winusb0100" = Microsoft WinUsb 1.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01009" = Microsoft User-Mode Driver Framework Feature Pack 1.9
"Zune" = Zune

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/23/2012 7:12:48 AM | Computer Name = PFETZER | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/8782C6C304353BCFD29692D2593E7D44D934FF11.crt>
with error: This network connection does not exist.

Error - 1/23/2012 7:12:48 AM | Computer Name = PFETZER | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/8782C6C304353BCFD29692D2593E7D44D934FF11.crt>
with error: This network connection does not exist.

Error - 1/23/2012 9:08:33 AM | Computer Name = PFETZER | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/91C6D6EE3E8AC86384E548C299295C756C817B81.crt>
with error: The connection with the server was terminated abnormally

Error - 1/23/2012 9:08:33 AM | Computer Name = PFETZER | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/91C6D6EE3E8AC86384E548C299295C756C817B81.crt>
with error: This network connection does not exist.

Error - 1/23/2012 9:54:21 PM | Computer Name = PFETZER | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 1/23/2012 11:05:46 PM | Computer Name = PFETZER | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 1/24/2012 2:18:39 PM | Computer Name = PFETZER | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 1/24/2012 5:00:19 PM | Computer Name = PFETZER | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 1/24/2012 5:00:56 PM | Computer Name = PFETZER | Source = Application Error | ID = 1001
Description = Fault bucket 00536409.

Error - 1/24/2012 8:38:27 PM | Computer Name = PFETZER | Source = Application Error | ID = 1000
Description = Faulting application mbam.exe, version 1.60.0.59, faulting module
ntdll.dll, version 5.1.2600.6055, fault address 0x00011295.

[ Application Events ]
Error - 1/23/2012 7:12:48 AM | Computer Name = PFETZER | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/8782C6C304353BCFD29692D2593E7D44D934FF11.crt>
with error: This network connection does not exist.

Error - 1/23/2012 7:12:48 AM | Computer Name = PFETZER | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/8782C6C304353BCFD29692D2593E7D44D934FF11.crt>
with error: This network connection does not exist.

Error - 1/23/2012 9:08:33 AM | Computer Name = PFETZER | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/91C6D6EE3E8AC86384E548C299295C756C817B81.crt>
with error: The connection with the server was terminated abnormally

Error - 1/23/2012 9:08:33 AM | Computer Name = PFETZER | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/91C6D6EE3E8AC86384E548C299295C756C817B81.crt>
with error: This network connection does not exist.

Error - 1/23/2012 9:54:21 PM | Computer Name = PFETZER | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 1/23/2012 11:05:46 PM | Computer Name = PFETZER | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 1/24/2012 2:18:39 PM | Computer Name = PFETZER | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 1/24/2012 5:00:19 PM | Computer Name = PFETZER | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 1/24/2012 5:00:56 PM | Computer Name = PFETZER | Source = Application Error | ID = 1001
Description = Fault bucket 00536409.

Error - 1/24/2012 8:38:27 PM | Computer Name = PFETZER | Source = Application Error | ID = 1000
Description = Faulting application mbam.exe, version 1.60.0.59, faulting module
ntdll.dll, version 5.1.2600.6055, fault address 0x00011295.

[ System Events ]
Error - 1/28/2012 5:13:00 PM | Computer Name = PFETZER | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service gupdate with
arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error - 1/28/2012 10:13:00 PM | Computer Name = PFETZER | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service gupdate with
arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error - 1/29/2012 2:24:05 PM | Computer Name = PFETZER | Source = Service Control Manager | ID = 7003
Description = The DHCP Client service depends on the following nonexistent service:
NetBT

Error - 1/29/2012 2:24:05 PM | Computer Name = PFETZER | Source = Service Control Manager | ID = 7003
Description = The TCP/IP NetBIOS Helper service depends on the following nonexistent
service: NetBT

Error - 1/30/2012 2:59:04 PM | Computer Name = PFETZER | Source = Service Control Manager | ID = 7003
Description = The DHCP Client service depends on the following nonexistent service:
NetBT

Error - 1/30/2012 2:59:04 PM | Computer Name = PFETZER | Source = Service Control Manager | ID = 7003
Description = The TCP/IP NetBIOS Helper service depends on the following nonexistent
service: NetBT

Error - 1/30/2012 3:13:00 PM | Computer Name = PFETZER | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service gupdate with
arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error - 1/30/2012 8:13:00 PM | Computer Name = PFETZER | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service gupdate with
arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error - 1/30/2012 9:23:41 PM | Computer Name = PFETZER | Source = Service Control Manager | ID = 7003
Description = The DHCP Client service depends on the following nonexistent service:
NetBT

Error - 1/30/2012 9:23:41 PM | Computer Name = PFETZER | Source = Service Control Manager | ID = 7003
Description = The TCP/IP NetBIOS Helper service depends on the following nonexistent
service: NetBT


< End of report >

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:14 PM

Posted 02 February 2012 - 10:10 AM

Hello

Run this custom script and when it is complete I need to know how the computer is doing

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word Code
    :OTL
    IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    IE - HKU\S-1-5-21-1482476501-1604221776-839522115-1004\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKU\S-1-5-21-1482476501-1604221776-839522115-1004\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O4 - HKU\S-1-5-21-1482476501-1604221776-839522115-1004..\Run: [Logitech Vid] "C:\Program Files\Logitech\Logitech Vid\vid.exe" -bootmode File not found
    O8 - Extra context menu item: &Search - ?p=ZUfox000 File not found
    O20 - Winlogon\Notify\cryptnet32: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
    [2011/12/31 10:22:45 | 000,001,410 | -HS- | C] () -- C:\Documents and Settings\Margo\Local Settings\Application Data\rjj34xm10mi0vbeogdoi371720k4dla245j01mfwxe7
    [2011/12/31 10:22:45 | 000,001,410 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\rjj34xm10mi0vbeogdoi371720k4dla245j01mfwxe7
    [2011/12/27 15:22:34 | 000,013,676 | -HS- | C] () -- C:\Documents and Settings\Margo\Local Settings\Application Data\1c88538840wsc747
    [2011/12/27 15:22:34 | 000,013,676 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1c88538840wsc747
    [2011/12/21 22:21:34 | 000,001,298 | -HS- | C] () -- C:\Documents and Settings\Margo\Local Settings\Application Data\707007m0n800p846g213h4tqw3n0
    [2011/12/21 22:21:34 | 000,001,298 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\707007m0n800p846g213h4tqw3n0
    [2011/05/13 20:37:22 | 000,001,602 | -HS- | C] () -- C:\Documents and Settings\Margo\Local Settings\Application Data\l1mt4nci68jk2ni176
    [2011/05/13 20:37:22 | 000,001,602 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\l1mt4nci68jk2ni176
    :Files
    C:\windows\tasks\At*.job
    ipconfig /flushdns /c
    :Commands
    [PURITY]
    [EMPTYTEMP]
    [emptyjava]
    [EMPTYFLASH]
    [RESETHOSTS]
    
  • Then click the Run Fix button at the top.
  • Click Posted Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

Let me know How things are doing

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:14 PM

Posted 04 February 2012 - 11:35 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 mpfetz

mpfetz
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 05 February 2012 - 12:26 PM

Hi---sorry for the slow reply
I ran what you asked and the computer is running just fine but it didn't make any difference. I also ran unhide. I've discovered the programs are still in existence but the shortcuts have been deleted, making them incredibly inconvenient to access. Is there a way to replace the shortcuts?

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:14 PM

Posted 05 February 2012 - 12:52 PM

Hello


we still have allot of work to do before I can say it is clean

for the shortcuts this is what needs to be done

using Avast as an example


In case, program's link shows as (empty):

Posted Image

  • Open Windows Explorer, navigate to Avast folder in Program Files
  • Right click on Avast ".exe" file, click "Create shortcut":

Posted Image

  • Copy that shortcut, go back to Start menu.
  • Right click on avast!Free Antivirus, click "Paste".
  • You'll see Avast shortcut recreated replacing (empty) entry.

Alternatively....
...you paste that shortcut in:
(XP) - C:\Documents and Settings\All Users\Start Menu\Programs\Avast
(Vista/7) - C:\Program Data\Start Menu\Programs\Avast




Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:14 PM

Posted 09 February 2012 - 12:08 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 mpfetz

mpfetz
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:14 PM

Posted 09 February 2012 - 04:45 PM

I had my computer savvy friend come in and he seems to believe the computer is okay, I ran a few anti rootkit programs and now the only issue is the messed up shortcuts but I will follow your advice on how to put them back, thank you!

I tried running ComboFix previously and it didnt seem to help, it couldnt even complete

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:14 PM

Posted 09 February 2012 - 09:43 PM

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over you can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use, I would keep this and use before you do any scans or when you want to free up some space.

:DeFogger:

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Your Emulation drivers are now re-enabled.


:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
  • Posted Image


:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:Make your Internet Explorer more secure:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


:Make Firefox more secure:

please visit this page to explain how to make Firefox more secure - How to Secure Firefox


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector


:Turn On Automatic Updates:

Turn On Automatic Updates
1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
and
COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:14 PM

Posted 12 February 2012 - 02:57 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users