Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Cleaning Up Mom's Computer Virus


  • This topic is locked This topic is locked
17 replies to this topic

#1 thaiguy

thaiguy

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:09:51 AM

Posted 06 May 2012 - 01:15 PM

Hi Guys !

Happy to report that one computer in this house has been virus free a couple months now thanks to your help. However it seems that sometime in the last couple months my mom has clicked on something that's got her computer infected. It runs a bit slower than usual, sometimes the browser will redirect to an undesired page, and passwords are often disabled when trying to get into certain websites.

Malwarebytes isn't detecting anything. It also won't update anymore - the virus has blocked it.

I tried a rollback, but the computer (virus) won't let me roll back any more than a month ago, and I don't think that's back into safe territory. I'd rather sweep/detect, clean, and then have the machine back running right again.

What should I download to start diagnosing and cleaning ?

As ever, thank in advance for your help.

BC AdBot (Login to Remove)

 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:51 PM

Posted 06 May 2012 - 04:11 PM

Hi,

Please do the following:


Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    %systemroot%\*. /rp /s
    DRIVES
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs


NEXT


Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 thaiguy

thaiguy
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:09:51 AM

Posted 07 May 2012 - 02:19 AM

Hi Catbyte.... Here's what I've got:


OTL.txt

OTL logfile created on: 5/6/2012 11:11:04 PM - Run 1
OTL by OldTimer - Version 3.2.42.3 Folder = C:\Users\DSW\Downloads
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.87 Gb Total Physical Memory | 1.95 Gb Available Physical Memory | 67.75% Memory free
5.74 Gb Paging File | 4.76 Gb Available in Paging File | 82.88% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 128.00 Gb Total Space | 91.76 Gb Free Space | 71.69% Space Free | Partition Type: NTFS
Drive F: | 232.88 Gb Total Space | 128.40 Gb Free Space | 55.13% Space Free | Partition Type: NTFS

Computer Name: DSW-PC | User Name: DSW | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/05/06 23:04:22 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Users\DSW\Downloads\OTL.exe
PRC - [2012/02/14 16:03:14 | 024,246,216 | ---- | M] (Dropbox, Inc.) -- C:\Users\DSW\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2012/02/06 18:00:14 | 000,136,584 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2012/02/06 17:59:59 | 000,374,152 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
PRC - [2012/01/24 18:24:26 | 002,416,480 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
PRC - [2011/11/28 02:19:04 | 001,229,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgnsx.exe
PRC - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
PRC - [2011/09/08 20:53:26 | 000,743,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
PRC - [2011/08/15 06:21:40 | 000,337,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
PRC - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
PRC - [2011/02/24 22:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/12/15 17:32:30 | 000,390,528 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2010/11/20 05:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/05/31 11:31:10 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2009/05/11 12:10:00 | 000,525,640 | R--- | M] (WinZip Computing, S.L.) -- C:\Program Files\WinZip\WZQKPICK.EXE
PRC - [2009/02/24 16:47:08 | 000,143,360 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
PRC - [2007/12/10 15:55:26 | 000,323,584 | ---- | M] (PixArt Imaging Incorporation) -- C:\Windows\Pixart\Pac7302\Monitor.exe
PRC - [2006/10/04 19:38:33 | 001,818,624 | ---- | M] (C-Media Electronic Inc. (www.cmedia.com.tw)) -- C:\Windows\mixer.exe


========== Modules (No Company Name) ==========

MOD - [2011/10/05 04:52:30 | 000,756,048 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\OFFICE12\MSPTLS.DLL
MOD - [2009/02/27 17:38:20 | 000,139,264 | R--- | M] () -- C:\Program Files\Brother\BrUtilities\BrLogAPI.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/02/06 18:00:14 | 000,136,584 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\ramaint.exe -- (LMIMaint)
SRV - [2012/02/06 17:59:59 | 000,374,152 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2012/01/03 06:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - [2010/12/15 17:32:30 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2010/11/20 05:19:20 | 000,397,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\inetsrv\iisw3adm.dll -- (WAS)
SRV - [2010/11/20 05:19:20 | 000,397,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2010/11/20 05:18:03 | 000,061,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\inetsrv\apphostsvc.dll -- (AppHostSvc)
SRV - [2009/07/13 18:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 18:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 18:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\rdvgkmd.sys -- (VGPU)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\tsusbhub.sys -- (tsusbhub)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\synth3dvsc.sys -- (Synth3dVsc)
DRV - File not found [Kernel | System | Stopped] -- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B829593A-EAF9-4FBA-A566-FDCFD1343593}\MpKsl8865ed6d.sys -- (MpKsl8865ed6d)
DRV - File not found [Kernel | Auto | Stopped] -- -- (adfs)
DRV - [2012/02/06 18:00:00 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\Windows\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2011/10/07 06:23:48 | 000,230,608 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2011/10/04 06:21:28 | 000,016,720 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2011/09/13 06:30:10 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\System32\drivers\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/08/08 06:08:58 | 000,040,016 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/07/11 01:14:38 | 000,295,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/07/11 01:14:14 | 000,024,272 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2011/07/11 01:14:12 | 000,134,736 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2011/07/11 01:14:12 | 000,023,120 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\AVGIDSEH.sys -- (AVGIDSEH)
DRV - [2010/11/20 05:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 05:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 05:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 03:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 03:21:14 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2010/11/20 02:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/11/20 02:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 02:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010/05/31 11:31:12 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2010/05/31 11:31:10 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\Windows\System32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2010/05/27 16:08:49 | 000,007,296 | ---- | M] (OSA Technologies, An Avocent Company) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\osaio.sys -- (osaio)
DRV - [2009/09/28 09:22:00 | 000,315,392 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk62x86.sys -- (yukonw7)
DRV - [2009/07/13 15:09:17 | 004,194,816 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2009/04/28 10:08:40 | 000,461,824 | ---- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PAC7302.SYS -- (PAC7302)
DRV - [2006/10/04 19:38:33 | 000,379,854 | ---- | M] (C-Media Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cmaudio.sys -- (cmpci) C-Media PCI Audio Driver (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 62 D6 7C 33 21 F7 CA 01 [binary data]
IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\..\URLSearchHook: {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - No CLSID value found
IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\..\SearchScopes\{74AB0C0A-1D70-4DAB-B82B-DA9E751A82EF}: "URL" = http://search.yahoo.com/search?p={searchterms}&ei=UTF-8&fr=w3i&type=W3i_DS,136,0_0,Search,20110313,6901,0,8,0
IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={B0C1089A-D52C-4AC0-BC38-6D1DB470AD28}&mid=093e35774e0347d6866fd1585785e198-34d1a57f78b48e50589d0322d821e003e64f4ed9&lang=en&ds=AVG&pr=fr&d=&v=&sap=dsp&q={searchTerms}
IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\..\SearchScopes\{C672D804-82AC-4684-9245-45E663A788B1}: "URL" = http://www.twitbar.net/go/search?q={searchTerms}
IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\..\SearchScopes\{DF84B0FA-C034-4896-BD42-4128A10B76CB}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=OSJ000&apn_uid=DD9B3BF3-33CA-4250-B615-845FF2084BEF&apn_sauid=615F83E1-81AB-4025-B226-3CD42BA094AC&
IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@funwebproducts.com/Plugin: C:\Program Files\FunWebProducts\Installr\2.bin\NPFunWeb.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_32: C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@mywebsearch.com/Plugin: C:\Program Files\MyWebSearch\bar\2.bin\NPMyWebS.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\2.bin
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/02/01 09:49:15 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - default_search_provider: Facebook (Enabled)
CHR - default_search_provider: search_url = http://www.facebook.com/search/?src=os&q={searchTerms}
CHR - default_search_provider: suggest_url =
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\18.0.1025.168\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\18.0.1025.168\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\18.0.1025.168\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: AVG Internet Security (Enabled) = C:\Users\DSW\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1901_0\plugins/avgnpss.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Java™ Platform SE 6 U32 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: Java Deployment Toolkit 6.0.320.5 (Enabled) = C:\Windows\system32\npdeployJava1.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll
CHR - Extension: Entanglement = C:\Users\DSW\AppData\Local\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.7.9_0\
CHR - Extension: AVG Safe Search = C:\Users\DSW\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1901_0\
CHR - Extension: Poppit = C:\Users\DSW\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0\

O1 HOSTS File: ([2010/05/19 12:37:40 | 000,000,863 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 activate.adobe.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - No CLSID value found.
O3 - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [C-Media Mixer] C:\Windows\mixer.exe (C-Media Electronic Inc. (www.cmedia.com.tw))
O4 - HKLM..\Run: [C-Media Speaker Configuration] C:\Program Files\C-Media\WIN_ME\Setup.exe ()
O4 - HKLM..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [PAC7302_Monitor] C:\Windows\Pixart\Pac7302\Monitor.exe (PixArt Imaging Incorporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - Startup: C:\Users\DSW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\DSW\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab (SysInfo Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-us.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7672918B-C99A-424C-9AFF-B0A4C0667C4B}: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 14:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/05/01 21:43:46 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[1 F:\*.tmp files -> F:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/05/06 23:01:00 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/05/06 18:23:12 | 097,345,664 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2012/05/06 18:22:45 | 000,320,015 | ---- | M] () -- C:\Windows\System32\drivers\AVG\iavichjg.avm
[2012/05/06 16:06:04 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/05/06 11:09:54 | 000,014,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/05/06 11:09:54 | 000,014,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/05/06 11:04:33 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/05/06 11:04:28 | 2313,523,200 | -HS- | M] () -- C:\hiberfil.sys
[2012/05/06 10:51:23 | 000,000,017 | ---- | M] () -- C:\Users\DSW\AppData\Local\resmon.resmoncfg
[2012/05/02 04:13:22 | 000,002,286 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2012/04/12 03:27:21 | 000,681,636 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/04/12 03:27:21 | 000,125,548 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[1 F:\*.tmp files -> F:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/05/06 10:51:23 | 000,000,017 | ---- | C] () -- C:\Users\DSW\AppData\Local\resmon.resmoncfg
[2012/01/25 22:08:19 | 000,106,496 | ---- | C] () -- C:\Windows\System32\BrMuSNMP.dll
[2011/03/26 18:12:21 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe
[2011/03/26 18:10:41 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2010/07/06 21:44:44 | 000,000,880 | ---- | C] () -- C:\Windows\Brpfx04a.ini
[2010/07/06 21:44:44 | 000,000,158 | ---- | C] () -- C:\Windows\brpcfx.ini
[2010/07/06 21:43:58 | 000,000,419 | ---- | C] () -- C:\Windows\BRWMARK.INI
[2010/07/06 21:41:04 | 000,000,050 | ---- | C] () -- C:\Windows\System32\bridf08c.dat
[2010/07/06 21:40:55 | 000,000,066 | ---- | C] () -- C:\Windows\Brfaxrx.ini
[2010/07/06 21:40:54 | 000,000,000 | ---- | C] () -- C:\Windows\brdfxspd.dat
[2010/07/06 21:38:15 | 000,031,767 | ---- | C] () -- C:\Windows\maxlink.ini
[2010/05/27 18:02:23 | 000,000,850 | ---- | C] () -- C:\Windows\System32\SP7302.INI
[2010/05/27 17:56:56 | 000,010,240 | ---- | C] () -- C:\Windows\System32\vidx16.dll
[2010/05/27 17:56:53 | 000,004,333 | ---- | C] () -- C:\Windows\mixerdef.ini
[2010/05/27 17:55:43 | 000,038,999 | ---- | C] () -- C:\Windows\cmijack.dat
[2010/05/27 17:55:43 | 000,028,165 | ---- | C] () -- C:\Windows\cmijack.ini
[2010/05/27 17:55:43 | 000,018,264 | ---- | C] () -- C:\Windows\cmaudio.ini
[2010/05/27 17:55:42 | 000,022,122 | ---- | C] () -- C:\Windows\cmaudio.dat
[2010/05/27 17:55:21 | 000,000,450 | ---- | C] () -- C:\Windows\CMISETUP.INI
[2010/05/27 17:55:21 | 000,000,026 | ---- | C] () -- C:\Windows\CMCDPLAY.INI
[2010/05/19 13:16:16 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/05/18 19:10:58 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2010/05/18 19:10:58 | 000,000,000 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat

========== LOP Check ==========

[2011/10/12 15:53:22 | 000,000,000 | ---D | M] -- C:\Users\DSW\AppData\Roaming\AVG2012
[2012/05/06 11:05:23 | 000,000,000 | ---D | M] -- C:\Users\DSW\AppData\Roaming\Dropbox
[2010/05/19 20:05:41 | 000,000,000 | ---D | M] -- C:\Users\DSW\AppData\Roaming\Leadertech
[2012/02/11 18:17:12 | 000,000,000 | ---D | M] -- C:\Users\DSW\AppData\Roaming\PC-FAX TX
[2010/07/06 22:05:08 | 000,000,000 | ---D | M] -- C:\Users\DSW\AppData\Roaming\ScanSoft
[2010/07/06 22:05:16 | 000,000,000 | ---D | M] -- C:\Users\DSW\AppData\Roaming\Zeon
[2009/07/13 21:53:46 | 000,029,162 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: EXPLORER.EXE >
[2011/02/25 22:19:21 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=0FB9C74046656D1579A64660AD67B746 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_54149f9ef14031fc\explorer.exe
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\Windows.old\Windows\explorer.exe
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\Windows.old\Windows\ServicePackFiles\i386\explorer.exe
[2009/07/13 18:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
[2011/02/25 22:51:13 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=255CF508D7CFB10E0794D6AC93280BD8 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_525b5180f3f95373\explorer.exe
[2009/10/30 22:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe
[2011/02/25 22:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=2AF58D15EDC06EC6FDACCE1F19482BBF -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_51a3a583dafd0cef\explorer.exe
[2010/11/20 05:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=40D777B7A95E00593EB1568C68514493 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_53bc10fdd7fe87ca\explorer.exe
[2011/02/24 22:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\explorer.exe
[2011/02/24 22:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_5389023fd8245f84\explorer.exe
[2009/08/02 22:49:47 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=9FF6C4C91A3711C0A3B18F87B08B518D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_526619d4f3f142e6\explorer.exe
[2004/08/04 00:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\Windows.old\Windows\$NtServicePackUninstall$\explorer.exe
[2009/08/02 22:35:50 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=B95EEB0F4E5EFBF1038A35B3351CF047 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_51e07e31dad00878\explorer.exe
[2009/10/30 23:00:51 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=C76153C7ECA00FA852BB0C193378F917 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe

< MD5 for: SVCHOST.EXE >
[2012/04/04 15:56:38 | 000,199,240 | ---- | M] () MD5=097D0E812D7A9A3101CE46CB2BE0474D -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\Windows.old\Windows\ServicePackFiles\i386\svchost.exe
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\Windows.old\Windows\system32\svchost.exe
[2009/07/13 18:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\System32\svchost.exe
[2009/07/13 18:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe
[2004/08/04 00:56:58 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\Windows.old\Windows\$NtServicePackUninstall$\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/04 00:56:58 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\Windows.old\Windows\$NtServicePackUninstall$\userinit.exe
[2010/11/20 05:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\System32\userinit.exe
[2010/11/20 05:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
[2009/07/13 18:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\Windows.old\Windows\ServicePackFiles\i386\userinit.exe
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\Windows.old\Windows\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 00:56:58 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\Windows.old\Windows\$NtServicePackUninstall$\winlogon.exe
[2012/04/04 15:56:38 | 000,199,240 | ---- | M] () MD5=097D0E812D7A9A3101CE46CB2BE0474D -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2009/10/27 23:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe
[2009/10/27 22:52:08 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=3BABE6767C78FBF5FB8435FEED187F30 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe
[2010/11/20 05:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\System32\winlogon.exe
[2010/11/20 05:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe
[2009/07/13 18:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\Windows.old\Windows\ServicePackFiles\i386\winlogon.exe
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\Windows.old\Windows\system32\winlogon.exe

< %systemroot%\*. /rp /s >

========== Drive Information ==========

Physical Drives
---------------

Drive: \\\\.\\PHYSICALDRIVE0 - Fixed hard disk media
Interface type: IDE
Media Type: Fixed hard disk media
Model: WDC WD1600AAJS-00WAA0 ATA Device
Partitions: 1
Status: OK
Status Info: 0

Drive: \\\\.\\PHYSICALDRIVE1 - Fixed hard disk media
Interface type: IDE
Media Type: Fixed hard disk media
Model: SAMSUNG SP2504C ATA Device
Partitions: 1
Status: OK
Status Info: 0

Drive: \\\\.\\PHYSICALDRIVE2 -
Interface type: USB
Media Type:
Model: Y-E DATA CF Card Reader USB Device
Partitions: 0
Status: OK
Status Info: 0

Drive: \\\\.\\PHYSICALDRIVE3 -
Interface type: USB
Media Type:
Model: Y-E DATA SM Card Reader USB Device
Partitions: 0
Status: OK
Status Info: 0

Drive: \\\\.\\PHYSICALDRIVE4 -
Interface type: USB
Media Type:
Model: Y-E DATA MS Card Reader USB Device
Partitions: 0
Status: OK
Status Info: 0

Drive: \\\\.\\PHYSICALDRIVE5 -
Interface type: USB
Media Type:
Model: Y-E DATA SD Card Reader USB Device
Partitions: 0
Status: OK
Status Info: 0

Partitions
---------------

DeviceID: Disk #0, Partition #0
PartitionType: Installable File System
Bootable: True
BootPartition: True
PrimaryPartition: True
Size: 128.00GB
Starting Offset: 32256
Hidden sectors: 0


DeviceID: Disk #1, Partition #0
PartitionType: Installable File System
Bootable: True
BootPartition: True
PrimaryPartition: True
Size: 233.00GB
Starting Offset: 32256
Hidden sectors: 0


========== Alternate Data Streams ==========

@Alternate Data Stream - 669 bytes -> F:\Hi Bubbie!.eml:OECustomProperty

< End of report >


Extras.txt

OTL Extras logfile created on: 5/6/2012 11:11:04 PM - Run 1
OTL by OldTimer - Version 3.2.42.3 Folder = C:\Users\DSW\Downloads
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.87 Gb Total Physical Memory | 1.95 Gb Available Physical Memory | 67.75% Memory free
5.74 Gb Paging File | 4.76 Gb Available in Paging File | 82.88% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 128.00 Gb Total Space | 91.76 Gb Free Space | 71.69% Space Free | Partition Type: NTFS
Drive F: | 232.88 Gb Total Space | 128.40 Gb Free Space | 55.13% Space Free | Partition Type: NTFS

Computer Name: DSW-PC | User Name: DSW | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)

[HKEY_USERS\S-1-5-21-619228253-2837157588-2869899482-1000\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01C6D7B6-30E3-4AB8-A7B4-0FFF76118B0E}" = lport=54925 | protocol=17 | dir=in | name=brothernetwork scanner |
"{0698B1FA-4498-4DBC-B7FB-09A9D9F43A48}" = rport=139 | protocol=6 | dir=out | app=system |
"{18B4504B-D74F-4D9A-8296-6901EFB579A8}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{51E23284-2368-47FF-AE6C-17BFA32842FD}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{533011A7-778E-4466-BD04-5EF33CD60A29}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{5813DCCA-3F40-4D75-8374-45FF87108BE4}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{5AB4C12D-1D8D-4A4E-A149-28E0C4E4CE19}" = rport=445 | protocol=6 | dir=out | app=system |
"{5EACFDE3-033E-4408-AAC1-2D5FF6AF4E1C}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{88293621-A1E7-4FBB-88AB-F9D54FB8CA5D}" = rport=137 | protocol=17 | dir=out | app=system |
"{8CCBC835-19CB-4C6A-9A58-2DDD9E1A1266}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{9E6F8364-CA3C-4451-8785-392159D9B6DD}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{ACDB762D-28B6-4DF4-AA8E-F42E9CC11198}" = lport=2869 | protocol=6 | dir=in | app=system |
"{ADC1AA4B-C781-49E6-AC4D-CF22AF826914}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{B0EDDA05-DDF6-4FC2-AD2F-B5629969F1EC}" = rport=138 | protocol=17 | dir=out | app=system |
"{B9A593E2-45C9-4CC2-91E8-D1908007BAED}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{BA2ED0C5-28BE-4851-83DE-B3B8527C903B}" = lport=10243 | protocol=6 | dir=in | app=system |
"{BB3B05B6-95E6-4DAA-9D99-7E6C3B79EBFF}" = lport=445 | protocol=6 | dir=in | app=system |
"{C00BCDF1-5ED5-412A-B501-AEF489C434F2}" = lport=137 | protocol=17 | dir=in | app=system |
"{C3628A2C-8A85-43FE-BACA-7CB289D3ECAA}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{CE25BE04-CD03-48C0-AB6D-384EB07FABA1}" = rport=10243 | protocol=6 | dir=out | app=system |
"{D78D6B97-EECA-4367-96F4-757B594B3586}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{E345BD83-4E81-4A9D-B383-9E5F2D1C5C2A}" = lport=139 | protocol=6 | dir=in | app=system |
"{EF5F125A-A10E-4375-8A0F-8A3400C05C29}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{EFCD42F9-3725-4FED-B2B8-44767DC199B7}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{F72271E0-99B1-4202-8159-6D69B9109360}" = lport=138 | protocol=17 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{048D70D9-FBDC-44E4-8430-639638DFE5FA}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{06427F27-2008-4435-877D-A9F396BF86F5}" = protocol=6 | dir=in | app=c:\program files\brother\brmfl08l\faxrx.exe |
"{0B4288E9-55F6-4951-A19F-147EE2B0E089}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{0B6CC45C-A233-4D0F-AA12-0EA2FA5A39BF}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{1473A477-6FDB-4830-BE1E-9208FAF23B2E}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{14B8B988-1692-4C97-A26E-C3C0961B50A9}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{2813B3A4-8C65-43B8-B16C-605E19AF4A70}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{2DA14866-5F1B-435D-B68F-C4A4B4F54237}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{42AC0DAD-E5DC-490F-8097-257E303155C7}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{574A0C64-2BAC-4494-B36D-3F3DE8ABD713}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgmfapx.exe |
"{5DC4CB7E-0B4F-4CEF-966C-3E9FF3FFD314}" = protocol=6 | dir=out | app=system |
"{602C872F-116B-4F07-B45E-1703C1214503}" = protocol=17 | dir=in | app=c:\program files\avg\avg2012\avgdiagex.exe |
"{66A61293-9D38-44BC-851D-AF173A58B0B8}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{71934201-CD05-417B-8E13-73BFA34F3A2C}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{7504E551-D863-47F8-BA88-05B21053BE19}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{76757008-1594-4440-AAD0-33A5AFC52AF9}" = protocol=6 | dir=in | app=c:\program files\avg\avg2012\avgdiagex.exe |
"{84A072A6-B556-487B-BE9A-17003F8D77F2}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{87043AE8-7DA8-4E13-92BD-48FF6CF48595}" = protocol=6 | dir=in | app=c:\users\dsw\appdata\roaming\dropbox\bin\dropbox.exe |
"{9139ED45-99AD-4A2C-92C2-7C804220616A}" = protocol=17 | dir=in | app=c:\program files\avg\avg2012\avgnsx.exe |
"{938F6111-DE40-434E-9B8C-FBC6094FA85A}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{9C822F9D-8361-47FA-B9FA-EF993BF7304D}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgmfapx.exe |
"{AA7DDB26-B51D-4DA1-9DD4-27826135CD83}" = protocol=17 | dir=in | app=c:\program files\avg\avg2012\avgemcx.exe |
"{AEEF20C1-B4C0-43DD-9A8B-D338B4084BEC}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{AF5C68F0-10A6-4BEF-994A-0F5D6701D591}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{AFF32BA8-570F-4D94-9F41-BDF7D8E6AE7E}" = protocol=6 | dir=in | app=c:\program files\avg\avg2012\avgnsx.exe |
"{BBB13A21-D2EF-420E-AEAA-8E31599B6F11}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{C61142EF-1127-4CB6-AA77-4642B694EF89}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{CAAFBBF6-3090-4155-8C1D-AC8512F9F42E}" = protocol=6 | dir=in | app=c:\program files\sightspeed\sightspeed.exe |
"{CB12BFE2-3F03-445D-B2D1-2F78A58540C5}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{D948A7CD-062A-4FB7-B21B-FDE15B06346E}" = protocol=17 | dir=in | app=c:\program files\brother\brmfl08l\faxrx.exe |
"{E25E81ED-B89C-4CAC-992F-CC80AA913DF4}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{E4BB7940-B78B-491D-A3A7-111938E63121}" = protocol=17 | dir=in | app=c:\program files\sightspeed\sightspeed.exe |
"{EFAC7527-FDFA-4DE6-84FB-00FF8DC0FF42}" = protocol=17 | dir=in | app=c:\users\dsw\appdata\roaming\dropbox\bin\dropbox.exe |
"{F0E9C266-6858-4DAA-864C-37060A0CE3B3}" = protocol=6 | dir=in | app=c:\program files\avg\avg2012\avgemcx.exe |
"{FE8BD386-C8A2-41AD-8D5C-E4BA687DA616}" = protocol=6 | dir=in | app=c:\program files\avg\avg2012\avgmfapx.exe |
"{FFD0E66E-8251-4FDD-9FE6-197E18F17A21}" = protocol=17 | dir=in | app=c:\program files\avg\avg2012\avgmfapx.exe |
"TCP Query User{B467E7CB-C6EB-4D90-BD0F-956808AB76B0}C:\program files\itibiti soft phone\itibiti.exe" = protocol=6 | dir=in | app=c:\program files\itibiti soft phone\itibiti.exe |
"UDP Query User{0EB747F1-67B1-401D-87A7-9E4FC987109C}C:\program files\itibiti soft phone\itibiti.exe" = protocol=17 | dir=in | app=c:\program files\itibiti soft phone\itibiti.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02570AE0-BEE0-4A6C-BE3F-D806E9F2EA17}" = ScanSoft PaperPort 11
"{0A02D347-5E53-48A5-BC49-1469393103FA}" = Brother MFL-Pro Suite MFC-495CW
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216032FF}" = Java™ 6 Update 32
"{2BC2781A-F7F6-452E-95EB-018A522F1B2C}" = PaperPort Image Printer
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4EFC72DA-2314-4E5D-AC8E-1C954CDB8BBF}" = AVG 2012
"{5D112C61-C8D0-4718-8DD7-B9115EB9AF90}" = LogMeIn
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{730E03E4-350E-48E5-9D3E-4329903D454D}" = Itibiti RTC
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{779DECD7-E072-4B56-9B6B-BEB5973EEEB5}" = MobileMe Control Panel
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A7836FF5-7293-40A4-B86E-E2038F82E8F3}" = AVG 2012
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
"{C23CD6DA-1958-43A5-ADD0-59396572E02E}" = Apple Mobile Device Support
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B8}" = WinZip 12.1
"{D03482C5-9AD8-496D-B388-692AE04C93AF}" = Bonjour
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{F0B2D11F-E4D9-4C17-A195-B8BADEAE9C40}" = VGA USB Camera
"{F7FC9307-374E-4017-8E9D-DE1154780480}" = System Requirements Lab for Intel
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AVG" = AVG 2012
"CCleaner" = CCleaner
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"DVD Shrink_is1" = DVD Shrink 3.2
"DXTXTRA" = Microsoft DirectX Transform optional components
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Google Chrome" = Google Chrome
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"PCI Audio Applications" = PCI Audio Applications
"PCI Audio Driver" = PCI Audio Driver
"SightSpeed" = SightSpeed
"WinRAR archiver" = WinRAR archiver

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-619228253-2837157588-2869899482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/7/2012 2:17:11 AM | Computer Name = DSW-PC | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2012/05/06 23:17:11.657]: [00002696]: GetDeviceIpAddress:
GetAddressByName [BRWC417FEB4ABE5] Error

Error - 5/7/2012 2:17:11 AM | Computer Name = DSW-PC | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2012/05/06 23:17:11.735]: [00002696]: GetDeviceIpAddress:
GetAddressByName [BRWC417FEB4ABE5] Error

Error - 5/7/2012 2:17:46 AM | Computer Name = DSW-PC | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2012/05/06 23:17:46.183]: [00002696]: GetDeviceIpAddress:
GetAddressByName [BRWC417FEB4ABE5] Error

Error - 5/7/2012 2:17:46 AM | Computer Name = DSW-PC | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2012/05/06 23:17:46.261]: [00002696]: GetDeviceIpAddress:
GetAddressByName [BRWC417FEB4ABE5] Error

Error - 5/7/2012 2:18:20 AM | Computer Name = DSW-PC | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2012/05/06 23:18:20.688]: [00002696]: GetDeviceIpAddress:
GetAddressByName [BRWC417FEB4ABE5] Error

Error - 5/7/2012 2:18:20 AM | Computer Name = DSW-PC | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2012/05/06 23:18:20.766]: [00002696]: GetDeviceIpAddress:
GetAddressByName [BRWC417FEB4ABE5] Error

Error - 5/7/2012 2:18:55 AM | Computer Name = DSW-PC | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2012/05/06 23:18:55.193]: [00002696]: GetDeviceIpAddress:
GetAddressByName [BRWC417FEB4ABE5] Error

Error - 5/7/2012 2:18:55 AM | Computer Name = DSW-PC | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2012/05/06 23:18:55.271]: [00002696]: GetDeviceIpAddress:
GetAddressByName [BRWC417FEB4ABE5] Error

Error - 5/7/2012 2:19:29 AM | Computer Name = DSW-PC | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2012/05/06 23:19:29.699]: [00002696]: GetDeviceIpAddress:
GetAddressByName [BRWC417FEB4ABE5] Error

Error - 5/7/2012 2:19:29 AM | Computer Name = DSW-PC | Source = Brother BrLog | ID = 1001
Description = STI BrtSTI: [2012/05/06 23:19:29.777]: [00002696]: GetDeviceIpAddress:
GetAddressByName [BRWC417FEB4ABE5] Error

[ System Events ]
Error - 5/6/2012 1:49:57 PM | Computer Name = DSW-PC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 5/6/2012 1:49:57 PM | Computer Name = DSW-PC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 5/6/2012 1:49:57 PM | Computer Name = DSW-PC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 5/6/2012 1:49:57 PM | Computer Name = DSW-PC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 5/6/2012 1:49:57 PM | Computer Name = DSW-PC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 5/6/2012 1:49:57 PM | Computer Name = DSW-PC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 5/6/2012 1:49:57 PM | Computer Name = DSW-PC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 5/6/2012 1:52:16 PM | Computer Name = DSW-PC | Source = DCOM | ID = 10005
Description =

Error - 5/6/2012 2:02:45 PM | Computer Name = DSW-PC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 5/6/2012 2:04:39 PM | Computer Name = DSW-PC | Source = Service Control Manager | ID = 7000
Description = The adfs service failed to start due to the following error: %%2


< End of report >




aswMBR.txt

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-06 23:38:07
-----------------------------
23:38:07.362 OS Version: Windows 6.1.7601 Service Pack 1
23:38:07.362 Number of processors: 2 586 0x304
23:38:07.362 ComputerName: DSW-PC UserName: DSW
23:38:08.160 Initialize success
23:39:00.457 AVAST engine defs: 12050601
23:46:45.144 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3
23:46:45.144 Disk 0 Vendor: WDC_WD1600AAJS-00WAA0 58.01D58 Size: 152627MB BusType: 3
23:46:45.144 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T1L0-4
23:46:45.144 Disk 1 Vendor: SAMSUNG_SP2504C VT100-34 Size: 238475MB BusType: 3
23:46:45.160 Disk 0 MBR read successfully
23:46:45.175 Disk 0 MBR scan
23:46:45.175 Disk 0 Windows 7 default MBR code
23:46:45.175 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 131069 MB offset 63
23:46:45.191 Disk 0 scanning sectors +268430085
23:46:45.253 Disk 0 scanning C:\Windows\system32\drivers
23:46:55.807 Service scanning
23:47:18.980 Modules scanning
23:47:23.841 Disk 0 trace - called modules:
23:47:24.341 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
23:47:24.357 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85fb4030]
23:47:24.373 3 CLASSPNP.SYS[8be8559e] -> nt!IofCallDriver -> [0x85e7d890]
23:47:24.373 5 ACPI.sys[8b62a3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-3[0x851fc610]
23:47:25.014 AVAST engine scan C:\Windows
23:47:26.765 AVAST engine scan C:\Windows\system32
23:50:21.979 AVAST engine scan C:\Windows\system32\drivers
23:50:34.732 AVAST engine scan C:\Users\DSW
23:51:30.201 AVAST engine scan C:\ProgramData
23:52:17.022 Scan finished successfully
00:03:15.261 Disk 0 MBR has been saved successfully to "C:\Users\DSW\Desktop\Fix Mom's Computer\MBR.dat"
00:03:15.277 The log file has been saved successfully to "C:\Users\DSW\Desktop\Fix Mom's Computer\aswMBR.txt"




MBR.dat

--> attached as per your request

Attached Files

  • Attached File  MBR.zip   545bytes   0 downloads


#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:51 PM

Posted 07 May 2012 - 07:50 AM

Hi,

Please do the following:


Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 62 D6 7C 33 21 F7 CA 01 [binary data]
    IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\..\URLSearchHook: {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - No CLSID value found
    FF - HKLM\Software\MozillaPlugins\@funwebproducts.com/Plugin: C:\Program Files\FunWebProducts\Installr\2.bin\NPFunWeb.dll File not found
    FF - HKLM\Software\MozillaPlugins\@mywebsearch.com/Plugin: C:\Program Files\MyWebSearch\bar\2.bin\NPMyWebS.dll File not found
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\2.bin
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (no name) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - No CLSID value found.
    O3 - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    @Alternate Data Stream - 669 bytes -> F:\Hi Bubbie!.eml:OECustomProperty
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL log


NEXT



Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 thaiguy

thaiguy
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:09:51 AM

Posted 07 May 2012 - 03:02 PM

Alright, here you go, Catbyte:


OTL

All processes killed
Error: Unable to interpret <• :OTL> in the current context!
Error: Unable to interpret <• IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 62 D6 7C 33 21 F7 CA 01 [binary data]> in the current context!
Error: Unable to interpret <• IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\..\URLSearchHook: {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - No CLSID value found> in the current context!
Error: Unable to interpret <• FF - HKLM\Software\MozillaPlugins\@funwebproducts.com/Plugin: C:\Program Files\FunWebProducts\Installr\2.bin\NPFunWeb.dll File not found> in the current context!
Error: Unable to interpret <• FF - HKLM\Software\MozillaPlugins\@mywebsearch.com/Plugin: C:\Program Files\MyWebSearch\bar\2.bin\NPMyWebS.dll File not found> in the current context!
Error: Unable to interpret <• FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\2.bin> in the current context!
Error: Unable to interpret <• O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.> in the current context!
Error: Unable to interpret <• O2 - BHO: (no name) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - No CLSID value found.> in the current context!
Error: Unable to interpret <• O3 - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.> in the current context!
Error: Unable to interpret <• O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)> in the current context!
Error: Unable to interpret <• @Alternate Data Stream - 669 bytes -> F:\Hi Bubbie!.eml:OECustomProperty> in the current context!
Error: Unable to interpret <• > in the current context!
Error: Unable to interpret <• :Files> in the current context!
Error: Unable to interpret <• ipconfig /flushdns /c> in the current context!
Error: Unable to interpret <• > in the current context!
Error: Unable to interpret <• :Commands> in the current context!
Error: Unable to interpret <• [resethosts]> in the current context!
Error: Unable to interpret <• [purity]> in the current context!
Error: Unable to interpret <• [emptytemp]> in the current context!

OTL by OldTimer - Version 3.2.42.3 log created on 05072012_115323

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...




ComboFix

ComboFix 12-05-07.02 - DSW 05/07/2012 12:09:55.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2942.1978 [GMT -7:00]
Running from: c:\users\DSW\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
F:\~WRL0005.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-04-07 to 2012-05-07 )))))))))))))))))))))))))))))))
.
.
2012-05-07 18:53 . 2012-05-07 18:53 -------- d-----w- C:\_OTL
2012-05-02 04:43 . 2012-05-02 04:43 -------- d-----w- c:\program files\Common Files\Java
2012-05-02 04:43 . 2012-05-02 04:43 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-04-12 10:00 . 2012-03-01 05:46 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-12 10:00 . 2012-03-01 05:37 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-04-12 10:00 . 2012-03-01 05:33 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-12 10:00 . 2012-03-01 05:29 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-12 10:00 . 2012-03-06 05:59 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-12 10:00 . 2012-03-06 05:59 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-02 04:43 . 2010-05-19 17:55 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 22:56 . 2011-12-29 03:34 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-17 05:34 . 2012-03-14 00:25 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-02-17 05:34 . 2012-03-14 00:25 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 04:14 . 2012-03-14 00:25 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13 . 2012-03-14 00:25 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-10 05:38 . 2012-03-14 00:26 1077248 ----a-w- c:\windows\system32\DWrite.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\DSW\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\DSW\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\DSW\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Speaker Configuration"="c:\progra~1\C-Media\WIN_ME\Setup.exe" [2006-10-05 864256]
"C-Media Mixer"="Mixer.exe" [2006-10-05 1818624]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2007-12-10 323584]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-08-03 1167360]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-05-31 63048]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-25 2416480]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\users\DSW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\DSW\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-5-11 525640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-04-20 19:48 58656 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 15:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 22:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
R1 MpKsl8865ed6d;MpKsl8865ed6d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B829593A-EAF9-4FBA-A566-FDCFD1343593}\MpKsl8865ed6d.sys [x]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-10 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-10 136176]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-07-11 23120]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-09-13 32592]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-10-07 230608]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-07-11 295248]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2011-08-02 192776]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2012-02-07 374152]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-05-31 12856]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-07-11 134736]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-07-11 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-10-04 16720]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-10 22:11]
.
2012-05-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-10 22:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Acrobat Assistant 8 - c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
MSConfigStartUp-Adobe Acrobat Speed Launcher - c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
MSConfigStartUp-AdobeCS4ServiceManager - c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-05-07 12:19:28
ComboFix-quarantined-files.txt 2012-05-07 19:19
.
Pre-Run: 98,242,301,952 bytes free
Post-Run: 98,122,080,256 bytes free
.
- - End Of File - - F71EF7BD0EBAD40600EAB20C7B8CB2E9

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:51 PM

Posted 07 May 2012 - 05:43 PM

Hi,

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 thaiguy

thaiguy
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:09:51 AM

Posted 08 May 2012 - 01:56 AM

MB came up clean, but ESET found three things....

Malwarebytes
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.08.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
DSW :: DSW-PC [administrator]

5/7/2012 6:59:18 PM
mbam-log-2012-05-07 (18-59-18).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 207964
Time elapsed: 4 minute(s), 5 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



ESET
F:\dnload\My Pictures\Aaron\MyFunCards.rar a variant of Win32/AdInstaller application
F:\DSW-PC\Backup Set 2011-09-13 054846\Backup Files 2011-09-13 054846\Backup files 1.zip a variant of Win32/Toolbar.MyWebSearch.K application
F:\DSW-PC\Backup Set 2011-10-23 190007\Backup Files 2011-10-23 190007\Backup files 1.zip a variant of Win32/Toolbar.MyWebSearch.K application

So what's next ?

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:51 PM

Posted 08 May 2012 - 04:53 PM

I would delete that set of Back up files and create a new set once we are done here. I would also delete this file that ESET alerted to:
F:\dnload\My Pictures\Aaron\MyFunCards.rar


How is the computer running now? Are there any outstanding issues?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 thaiguy

thaiguy
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:09:51 AM

Posted 08 May 2012 - 06:04 PM

Hi Catbyte.

Seems we're almost there.

Computer seems to be working right. I just threw out those 3 files too. Do you think it's all cleaned up ?

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:51 PM

Posted 08 May 2012 - 07:07 PM

the OTL fix did not work, so could you please run a fresh OTL scan so I can make sure we have all the entries, we may need to run another fix with it

post the fresh log

(there wont be an extra's log this time)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 thaiguy

thaiguy
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:09:51 AM

Posted 10 May 2012 - 12:23 AM

How does this look now, CatByte ?



OTL logfile created on: 5/8/2012 11:05:18 PM - Run 2
OTL by OldTimer - Version 3.2.42.3 Folder = C:\Users\DSW\Desktop\Fix Mom's Computer
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.87 Gb Total Physical Memory | 1.82 Gb Available Physical Memory | 63.41% Memory free
5.74 Gb Paging File | 4.57 Gb Available in Paging File | 79.63% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 128.00 Gb Total Space | 90.74 Gb Free Space | 70.89% Space Free | Partition Type: NTFS
Drive F: | 232.88 Gb Total Space | 129.31 Gb Free Space | 55.53% Space Free | Partition Type: NTFS

Computer Name: DSW-PC | User Name: DSW | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/05/06 23:04:22 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Users\DSW\Desktop\Fix Mom's Computer\OTL.exe
PRC - [2012/04/27 19:07:02 | 001,224,176 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Chrome\Application\chrome.exe
PRC - [2012/02/14 16:03:14 | 024,246,216 | ---- | M] (Dropbox, Inc.) -- C:\Users\DSW\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2012/02/06 18:00:14 | 000,136,584 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2012/02/06 17:59:59 | 000,374,152 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
PRC - [2012/01/24 18:24:26 | 004,200,800 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgui.exe
PRC - [2012/01/24 18:24:26 | 002,416,480 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
PRC - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
PRC - [2011/08/02 06:08:30 | 000,498,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcfgex.exe
PRC - [2011/02/24 22:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/12/15 17:32:30 | 000,390,528 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2010/11/20 05:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/05/31 11:31:10 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2009/05/11 12:10:00 | 000,525,640 | R--- | M] (WinZip Computing, S.L.) -- C:\Program Files\WinZip\WZQKPICK.EXE
PRC - [2009/02/24 16:47:08 | 000,143,360 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
PRC - [2007/12/10 15:55:26 | 000,323,584 | ---- | M] (PixArt Imaging Incorporation) -- C:\Windows\Pixart\Pac7302\Monitor.exe
PRC - [2006/10/04 19:38:33 | 001,818,624 | ---- | M] (C-Media Electronic Inc. (www.cmedia.com.tw)) -- C:\Windows\mixer.exe


========== Modules (No Company Name) ==========

MOD - [2012/04/27 19:07:01 | 000,444,400 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\18.0.1025.168\ppgooglenaclpluginchrome.dll
MOD - [2012/04/27 19:06:59 | 003,915,248 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\18.0.1025.168\pdf.dll
MOD - [2012/04/27 19:05:34 | 000,122,880 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\18.0.1025.168\avutil-51.dll
MOD - [2012/04/27 19:05:33 | 000,220,672 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\18.0.1025.168\avformat-53.dll
MOD - [2012/04/27 19:05:32 | 001,747,456 | ---- | M] () -- C:\Program Files\Google\Chrome\Application\18.0.1025.168\avcodec-53.dll
MOD - [2009/02/27 17:38:20 | 000,139,264 | R--- | M] () -- C:\Program Files\Brother\BrUtilities\BrLogAPI.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/02/06 18:00:14 | 000,136,584 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\ramaint.exe -- (LMIMaint)
SRV - [2012/02/06 17:59:59 | 000,374,152 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2012/01/03 06:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - [2010/12/15 17:32:30 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2010/11/20 05:19:20 | 000,397,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\inetsrv\iisw3adm.dll -- (WAS)
SRV - [2010/11/20 05:19:20 | 000,397,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2010/11/20 05:18:03 | 000,061,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\inetsrv\apphostsvc.dll -- (AppHostSvc)
SRV - [2009/07/13 18:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 18:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 18:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\rdvgkmd.sys -- (VGPU)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\tsusbhub.sys -- (tsusbhub)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\synth3dvsc.sys -- (Synth3dVsc)
DRV - File not found [Kernel | System | Stopped] -- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B829593A-EAF9-4FBA-A566-FDCFD1343593}\MpKsl8865ed6d.sys -- (MpKsl8865ed6d)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\DSW\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | Auto | Stopped] -- -- (adfs)
DRV - [2012/02/06 18:00:00 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\Windows\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2011/10/07 06:23:48 | 000,230,608 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2011/10/04 06:21:28 | 000,016,720 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2011/09/13 06:30:10 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\System32\drivers\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/08/08 06:08:58 | 000,040,016 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/07/11 01:14:38 | 000,295,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/07/11 01:14:14 | 000,024,272 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2011/07/11 01:14:12 | 000,134,736 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2011/07/11 01:14:12 | 000,023,120 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\AVGIDSEH.sys -- (AVGIDSEH)
DRV - [2010/11/20 05:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 05:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 05:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 03:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 03:21:14 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2010/11/20 02:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/11/20 02:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 02:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010/05/31 11:31:12 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2010/05/31 11:31:10 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\Windows\System32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2010/05/27 16:08:49 | 000,007,296 | ---- | M] (OSA Technologies, An Avocent Company) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\osaio.sys -- (osaio)
DRV - [2009/09/28 09:22:00 | 000,315,392 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk62x86.sys -- (yukonw7)
DRV - [2009/07/13 15:09:17 | 004,194,816 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2009/04/28 10:08:40 | 000,461,824 | ---- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PAC7302.SYS -- (PAC7302)
DRV - [2006/10/04 19:38:33 | 000,379,854 | ---- | M] (C-Media Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cmaudio.sys -- (cmpci) C-Media PCI Audio Driver (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 62 D6 7C 33 21 F7 CA 01 [binary data]
IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\..\SearchScopes\{74AB0C0A-1D70-4DAB-B82B-DA9E751A82EF}: "URL" = http://search.yahoo.com/search?p={searchterms}&ei=UTF-8&fr=w3i&type=W3i_DS,136,0_0,Search,20110313,6901,0,8,0
IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={B0C1089A-D52C-4AC0-BC38-6D1DB470AD28}&mid=093e35774e0347d6866fd1585785e198-34d1a57f78b48e50589d0322d821e003e64f4ed9&lang=en&ds=AVG&pr=fr&d=&v=&sap=dsp&q={searchTerms}
IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\..\SearchScopes\{C672D804-82AC-4684-9245-45E663A788B1}: "URL" = http://www.twitbar.net/go/search?q={searchTerms}
IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\..\SearchScopes\{DF84B0FA-C034-4896-BD42-4128A10B76CB}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=OSJ000&apn_uid=DD9B3BF3-33CA-4250-B615-845FF2084BEF&apn_sauid=615F83E1-81AB-4025-B226-3CD42BA094AC&
IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_32: C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\2.bin
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/02/01 09:49:15 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - default_search_provider: Facebook (Enabled)
CHR - default_search_provider: search_url = http://www.facebook.com/search/?src=os&q={searchTerms}
CHR - default_search_provider: suggest_url =
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\18.0.1025.168\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\18.0.1025.168\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\18.0.1025.168\gcswf32.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\Users\DSW\AppData\Local\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: AVG Internet Security (Enabled) = C:\Users\DSW\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1901_0\plugins/avgnpss.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Java™ Platform SE 6 U32 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: Java Deployment Toolkit 6.0.320.5 (Enabled) = C:\Windows\system32\npdeployJava1.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll
CHR - Extension: Entanglement = C:\Users\DSW\AppData\Local\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.7.9_0\
CHR - Extension: AVG Safe Search = C:\Users\DSW\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1901_0\
CHR - Extension: Poppit = C:\Users\DSW\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0\

O1 HOSTS File: ([2012/05/07 12:16:31 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [C-Media Mixer] C:\Windows\mixer.exe (C-Media Electronic Inc. (www.cmedia.com.tw))
O4 - HKLM..\Run: [C-Media Speaker Configuration] C:\Program Files\C-Media\WIN_ME\Setup.exe ()
O4 - HKLM..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [PAC7302_Monitor] C:\Windows\Pixart\Pac7302\Monitor.exe (PixArt Imaging Incorporation)
O4 - Startup: C:\Users\DSW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\DSW\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab (SysInfo Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-us.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7672918B-C99A-424C-9AFF-B0A4C0667C4B}: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 14:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/05/07 19:20:13 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/05/07 12:19:32 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/05/07 12:19:30 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/05/07 12:19:30 | 000,000,000 | ---D | C] -- C:\Users\DSW\AppData\Local\temp
[2012/05/07 12:08:51 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/05/07 12:08:51 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/05/07 12:08:51 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/05/07 11:53:23 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/05/07 11:49:45 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/05/07 11:49:18 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/05/06 23:34:50 | 000,000,000 | ---D | C] -- C:\Users\DSW\Desktop\Fix Mom's Computer
[2012/05/01 21:43:46 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java

========== Files - Modified Within 30 Days ==========

[2012/05/08 23:01:00 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/05/08 17:10:52 | 097,535,941 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2012/05/08 16:01:00 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/05/08 12:33:54 | 000,014,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/05/08 12:33:54 | 000,014,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/05/08 05:02:54 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/05/07 18:50:26 | 2313,523,200 | -HS- | M] () -- C:\hiberfil.sys
[2012/05/07 12:16:31 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/05/07 12:06:55 | 000,000,983 | ---- | M] () -- C:\Users\DSW\Desktop\DSW - Shortcut.lnk
[2012/05/07 11:59:09 | 000,000,767 | ---- | M] () -- C:\For Aaron - Shortcut.lnk
[2012/05/07 11:58:27 | 000,001,143 | ---- | M] () -- C:\Desktop - Shortcut.lnk
[2012/05/06 18:22:45 | 000,320,015 | ---- | M] () -- C:\Windows\System32\drivers\AVG\iavichjg.avm
[2012/05/06 10:51:23 | 000,000,017 | ---- | M] () -- C:\Users\DSW\AppData\Local\resmon.resmoncfg
[2012/05/02 04:13:22 | 000,002,286 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2012/04/12 03:27:21 | 000,681,636 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/04/12 03:27:21 | 000,125,548 | ---- | M] () -- C:\Windows\System32\perfc009.dat

========== Files Created - No Company Name ==========

[2012/05/07 12:08:51 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/05/07 12:08:51 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/05/07 12:08:51 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/05/07 12:08:51 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/05/07 12:08:51 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/05/07 12:06:55 | 000,000,983 | ---- | C] () -- C:\Users\DSW\Desktop\DSW - Shortcut.lnk
[2012/05/07 11:59:09 | 000,000,767 | ---- | C] () -- C:\For Aaron - Shortcut.lnk
[2012/05/07 11:58:27 | 000,001,143 | ---- | C] () -- C:\Desktop - Shortcut.lnk
[2012/05/06 10:51:23 | 000,000,017 | ---- | C] () -- C:\Users\DSW\AppData\Local\resmon.resmoncfg
[2012/01/25 22:08:19 | 000,106,496 | ---- | C] () -- C:\Windows\System32\BrMuSNMP.dll
[2011/03/26 18:12:21 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe
[2011/03/26 18:10:41 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2010/07/06 21:44:44 | 000,000,880 | ---- | C] () -- C:\Windows\Brpfx04a.ini
[2010/07/06 21:44:44 | 000,000,158 | ---- | C] () -- C:\Windows\brpcfx.ini
[2010/07/06 21:43:58 | 000,000,419 | ---- | C] () -- C:\Windows\BRWMARK.INI
[2010/07/06 21:41:04 | 000,000,050 | ---- | C] () -- C:\Windows\System32\bridf08c.dat
[2010/07/06 21:40:55 | 000,000,066 | ---- | C] () -- C:\Windows\Brfaxrx.ini
[2010/07/06 21:40:54 | 000,000,000 | ---- | C] () -- C:\Windows\brdfxspd.dat
[2010/07/06 21:38:15 | 000,031,767 | ---- | C] () -- C:\Windows\maxlink.ini
[2010/05/27 18:02:23 | 000,000,850 | ---- | C] () -- C:\Windows\System32\SP7302.INI
[2010/05/27 17:56:56 | 000,010,240 | ---- | C] () -- C:\Windows\System32\vidx16.dll
[2010/05/27 17:56:53 | 000,004,333 | ---- | C] () -- C:\Windows\mixerdef.ini
[2010/05/27 17:55:43 | 000,038,999 | ---- | C] () -- C:\Windows\cmijack.dat
[2010/05/27 17:55:43 | 000,028,165 | ---- | C] () -- C:\Windows\cmijack.ini
[2010/05/27 17:55:43 | 000,018,264 | ---- | C] () -- C:\Windows\cmaudio.ini
[2010/05/27 17:55:42 | 000,022,122 | ---- | C] () -- C:\Windows\cmaudio.dat
[2010/05/27 17:55:21 | 000,000,450 | ---- | C] () -- C:\Windows\CMISETUP.INI
[2010/05/27 17:55:21 | 000,000,026 | ---- | C] () -- C:\Windows\CMCDPLAY.INI
[2010/05/19 13:16:16 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/05/18 19:10:58 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2010/05/18 19:10:58 | 000,000,000 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat

========== LOP Check ==========

[2011/10/12 15:53:22 | 000,000,000 | ---D | M] -- C:\Users\DSW\AppData\Roaming\AVG2012
[2012/05/07 18:51:14 | 000,000,000 | ---D | M] -- C:\Users\DSW\AppData\Roaming\Dropbox
[2010/05/19 20:05:41 | 000,000,000 | ---D | M] -- C:\Users\DSW\AppData\Roaming\Leadertech
[2012/02/11 18:17:12 | 000,000,000 | ---D | M] -- C:\Users\DSW\AppData\Roaming\PC-FAX TX
[2010/07/06 22:05:08 | 000,000,000 | ---D | M] -- C:\Users\DSW\AppData\Roaming\ScanSoft
[2010/07/06 22:05:16 | 000,000,000 | ---D | M] -- C:\Users\DSW\AppData\Roaming\Zeon
[2009/07/13 21:53:46 | 000,029,660 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 669 bytes -> F:\Hi Bubbie!.eml:OECustomProperty

< End of report >

#12 thaiguy

thaiguy
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:09:51 AM

Posted 10 May 2012 - 02:33 PM

And btw, I'm into learning how these different programs work, and understanding the analysis findings. Feel free to educate me a little bit each time so I can become more and more independent, and confident using these programs myself to maintain machine health.

I know you guys are the experts, but learning is key. I'd rather be challenged and move up, than have to burden others when it comes to keeping things running right.

Thanks.

#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:51 PM

Posted 10 May 2012 - 07:02 PM

Hi,

The tools that I use are not designed for home users to clean their own machines, they have numerous updates and are therefore out of date quickly. It requires months even years of training to learn how to remove malware and continual learning as malware is always evolving. There is a classroom available if you wanted to consider signing up to learn: http://www.bleepingcomputer.com/forums/topic86678.html

Our removal guides and tutorials are a place to start learning the different methods of malware removal available

http://www.bleepingcomputer.com/forums/forum55.html
http://www.bleepingcomputer.com/forums/forum84.html

Let's continue on

please do the following:

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :Services
    
    :OTL
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\2.bin
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O3 - HKU\S-1-5-21-619228253-2837157588-2869899482-1000\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL log

Please advise if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#14 thaiguy

thaiguy
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:09:51 AM

Posted 11 May 2012 - 05:29 PM

Here's the latest. Are we good ?

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
File HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\2.bin not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry value HKEY_USERS\S-1-5-21-619228253-2837157588-2869899482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\DSW\Desktop\Fix Mom's Computer\cmd.bat deleted successfully.
C:\Users\DSW\Desktop\Fix Mom's Computer\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: DSW
->Temp folder emptied: 27008 bytes
->Temporary Internet Files folder emptied: 14897742 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 14791975 bytes
->Flash cache emptied: 665 bytes

User: LogMeInRemoteUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 25903151 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 53.00 mb


OTL by OldTimer - Version 3.2.42.3 log created on 05112012_151617

Files\Folders moved on Reboot...
C:\Users\DSW\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\DSW\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\SuggestedSites.dat moved successfully.

Registry entries deleted on Reboot...

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:51 PM

Posted 11 May 2012 - 06:00 PM

looks good, we just have some housekeeping to do now, please do the following:


You can delete the aswMBR log and program from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

Posted Image



[NEXT]

Clean up with OTL:
  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish it's job
    • Once its finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users