Hi - TrojanZeroAccessinf - please bail me out!

Solved
By Tobydog
Sep 9, 2012
  1. Broni

    Broni Malware Annihilator Posts: 46,182   +251

  2. Tobydog

    Tobydog Newcomer, in training Topic Starter Posts: 44

    Thanks Broni

    I've followed the instructions on how to create a restore point but keep getting an error message to say the restore point cannot be created due to the writer experiencing a transient error - 0x800423F3
    I can see in System Properties / System Protection that the last restore point was 1 hour 15 minutes ago - do I still need to create one before I run Combofix ?
  3. Broni

    Broni Malware Annihilator Posts: 46,182   +251

    That's fine. Go ahead with Combofix.
  4. Tobydog

    Tobydog Newcomer, in training Topic Starter Posts: 44

    Hi Broni

    Have run Combofix - here's the log

    I cannot reconnect to the Internet - have tried several restarts - will attempt a few more ?



    ComboFix 12-09-15.02 - Mark 15/09/2012 21:22:59.1.4 - x86
    Running from: c:\users\Mark\Downloads\ComboFix.exe
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\install.exe
    C:\restore
    c:\users\Mark\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc12E9.tmp
    c:\users\Mark\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1BF.tmp
    c:\users\Mark\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc4972.tmp
    c:\users\Mark\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc50DE.tmp
    c:\users\Mark\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8A74.tmp
    c:\users\Mark\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8B10.tmp
    c:\users\Mark\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF3D1.tmp
    c:\users\Mark\AppData\Roaming\.#
    c:\users\Mark\AppData\Roaming\inst.exe
    c:\users\Mark\AppData\Roaming\system32
    c:\users\Mark\AppData\Roaming\vso_ts_preview.xml
    c:\windows\jestertb.dll
    c:\windows\system32\AutoRun.inf
    c:\windows\system32\jucheck.exe
    c:\windows\system32\jusched.exe
    C:\winntse.bin
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-15 to 2012-09-15 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-15 08:51 . 2012-09-15 18:03--------d-----w-C:\FRST
    2012-09-13 19:50 . 2012-09-13 19:50--------d-----w-c:\windows\system32\drivers\NST
    2012-09-13 19:50 . 2012-09-13 19:50--------d-----w-c:\program files\Norton Identity Safe
    2012-09-13 18:51 . 2012-09-13 22:02--------d-----w-C:\NBRT
    2012-09-09 18:44 . 2012-09-11 15:17--------d-----w-c:\users\Mark\AppData\Local\CrashDumps
    2012-09-09 16:11 . 2012-09-09 16:11--------d-----w-c:\users\Mark\AppData\Roaming\Malwarebytes
    2012-09-09 16:11 . 2012-09-09 16:11--------d-----w-c:\programdata\Malwarebytes
    2012-09-09 08:11 . 2012-09-09 08:11--------d-----w-c:\programdata\SMR310
    2012-09-09 08:11 . 2012-09-09 08:1197440----a-w-c:\windows\system32\drivers\SMR310.SYS
    2012-09-08 16:16 . 2012-09-08 16:16--------d-----w-C:\TDSSKiller_Quarantine
    2012-09-08 14:29 . 2012-07-26 05:3226840----a-w-c:\windows\system32\drivers\GEARAspiWDM.sys
    2012-09-08 14:29 . 2012-09-08 14:29--------d-----w-c:\windows\system32\drivers\NBRTWizard
    2012-09-08 14:29 . 2012-09-08 14:29--------d-----w-c:\program files\Norton Bootable Recovery Tool Wizard
    2012-09-07 21:04 . 2012-09-07 21:04--------d-----w-c:\windows\system32\N360_BACKUP
    2012-09-07 19:02 . 2012-09-09 08:10--------d-----w-c:\users\Mark\AppData\Local\NPE
    2012-09-07 18:26 . 2012-09-13 19:52--------d-----w-c:\program files\NortonInstaller
    2012-09-07 18:26 . 2012-09-13 19:51--------d-----w-c:\programdata\NortonInstaller
    2012-09-07 17:31 . 2012-09-07 18:47--------d-----w-c:\users\Mark\Sources
    2012-09-07 17:09 . 2012-09-07 17:09--------d-----w-c:\users\Mark\AppData\Local\NokiaAccount
    2012-08-23 09:29 . 2012-08-23 09:29--------d-----w-c:\users\Mark\AppData\Local\MediaShow
    2012-08-23 08:03 . 2012-08-23 08:03--------d-----w-c:\users\Mark\AppData\Local\Power2Go8
    2012-08-22 16:04 . 2012-08-22 16:04--------d-----w-c:\users\Mark\AppData\Local\MediaServer
    2012-08-22 16:04 . 2012-08-22 16:04--------d-----w-c:\programdata\PDVD
    2012-08-22 15:58 . 2012-08-22 15:58--------d-----w-c:\program files\Common Files\CyberLink
    2012-08-22 15:54 . 2012-09-13 20:24--------d-----w-c:\users\Mark\AppData\Local\Cyberlink
    2012-08-22 15:51 . 2012-08-22 16:07--------d-----w-c:\programdata\install_clap
    2012-08-22 15:47 . 2012-09-13 20:27--------d-----w-c:\programdata\CLSK
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-27 11:10 . 2012-03-31 07:50696520----a-w-c:\windows\system32\FlashPlayerApp.exe
    2012-08-27 11:10 . 2011-06-18 07:5573416----a-w-c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-26 05:32 . 2010-11-16 20:17106928----a-w-c:\windows\system32\GEARAspi.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB4C7833-A6EC-433f-B9FE-6B14B1A2F836}]
    2012-08-10 20:45516576----a-r-c:\program files\Norton Identity Safe\Engine\2012.6.3.2\CoIEPlg.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{A13C2648-91D4-4bf3-BC6D-0079707C4389}"= "c:\program files\Norton Identity Safe\Engine\2012.6.3.2\coIEPlg.dll" [2012-08-10 516576]
    .
    [HKEY_CLASSES_ROOT\clsid\{a13c2648-91d4-4bf3-bc6d-0079707c4389}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-03-09 247728]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-19 39408]
    "iCloudServices"="c:\program files\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-02-23 59240]
    "MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
    "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
    "KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
    "OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
    "SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
    "HostManager"="c:\program files\Common Files\AOL\1219316984\ee\AOLSoftware.exe" [2008-06-24 41824]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2008-06-02 178712]
    "NvSvc"="c:\windows\system32\nvsvc.dll" [2008-01-10 92704]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-10 8530464]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-10 88608]
    "btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2012-07-05 1988608]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
    "Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2011-10-02 161336]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-30 59280]
    "RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-11-02 90448]
    "Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2011-10-21 198032]
    "TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2012-05-14 296056]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Shell"=hex(0):
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2011-06-17 08:4216680----a-w-c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmtREG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonationREG_MULTI_SZ FontCache
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2011-04-16 11:07451872----a-w-c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-15 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 11:10]
    .
    2012-09-12 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-19 20:41]
    .
    2012-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-26 20:14]
    .
    2012-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-26 20:14]
    .
    2012-09-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-802167735-3406490535-3852651081-1000Core.job
    - c:\users\Mark\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-24 15:20]
    .
    2012-09-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-802167735-3406490535-3852651081-1000UA.job
    - c:\users\Mark\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-24 15:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.voover.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
    IE: &AOL Toolbar Search - c:\program files\aol\aol broadband toolbar 5.0\resources\en-GB\local\search.html
    TCP: DhcpNameServer = 192.168.1.254
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-10 - (no file)
    HKCU-Run-Power2GoExpress - (no file)
    HKCU-Run-GameXN GO - c:\programdata\GameXN\GameXNGO.exe
    HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    SafeBoot-39681871.sys
    .
    .
    .
    **************************************************************************
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files:
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NCO]
    "ImagePath"="\"c:\program files\Norton Identity Safe\Engine\2012.6.3.2\ccSvcHst.exe\" /s \"NCO\" /m \"c:\program files\Norton Identity Safe\Engine\2012.6.3.2\diMaster.dll\" /prefetch:1"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msiserver]
    "ImagePath"="%systemroot%\system32\msiexec /V"
    "ImagePath"="System32\drivers\SMR310.SYS"
    "ImagePath"="c:\program files\CyberLink\PowerDVD12\Common\NavFilter\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(3716)
    c:\programdata\Ad-Aware Browsing Protection\adawarebp.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\ezNTSvc.exe
    c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Norton Identity Safe\Engine\2012.6.3.2\ccSvcHst.exe
    c:\program files\Common Files\Motive\pcCMService.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\program files\TomTom HOME 2\TomTomHOMEService.exe
    c:\windows\system32\vssvc.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\program files\Norton Identity Safe\Engine\2012.6.3.2\ccSvcHst.exe
    c:\windows\RtHDVCpl.exe
    c:\windows\System32\rundll32.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Common Files\Apple\Apple Application Support\distnoted.exe
    c:\windows\System32\rundll32.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    c:\hp\kbd\kbd.exe
    .
    **************************************************************************
    .
    Completion time: 2012-09-15 21:54:01 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-09-15 20:53
    .
    Pre-Run: 193,439,764,480 bytes free
    Post-Run: 193,828,491,264 bytes free
    .
    - - End Of File - - 09CF607C59CBD86DF71A0CB7F64F2804
  5. Broni

    Broni Malware Annihilator Posts: 46,182   +251

    Use that restore point from before running Combofix and see if you get your connection back.
  6. Tobydog

    Tobydog Newcomer, in training Topic Starter Posts: 44

    Hi Broni

    Unable to get Internet connection back - during restore from a restore point I get the message 'System Restore did not complete successfully - The writer has experienced a transient error - 0x800423F3' - I have tried several restore points
  7. Broni

    Broni Malware Annihilator Posts: 46,182   +251

    Please post fresh FRST log.
  8. Tobydog

    Tobydog Newcomer, in training Topic Starter Posts: 44

    Hi Broni - thanks for your help - much appreciated

    Here's a fresh FRST log - FRST.txt and Search.txt

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-09-2012
    Ran by SYSTEM at 16-09-2012 17:49:23
    Running from F:\
    Windows Vista (TM) Home Premium (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
    HKLM\...\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe [65536 2007-04-18] (Hewlett-Packard Company)
    HKLM\...\Run: [KBD] C:\HP\KBD\KbdStub.EXE [65536 2006-12-08] ()
    HKLM\...\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [118784 2007-02-15] (OsdMaestro)
    HKLM\...\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe" [54936 2007-04-07] (Sun Microsystems, Inc.)
    HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2007-03-11] (Hewlett-Packard Co.)
    HKLM\...\Run: [HostManager] C:\Program Files\Common Files\AOL\1219316984\ee\AOLSoftware.exe [41824 2008-06-24] (AOL LLC)
    HKLM\...\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [178712 2008-06-02] (Intel Corporation)
    HKLM\...\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart [92704 2008-01-10] (NVIDIA Corporation)
    HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [8530464 2008-01-10] (NVIDIA Corporation)
    HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [88608 2008-01-10] (NVIDIA Corporation)
    HKLM\...\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [1988608 2012-07-04] (Alcatel-Lucent)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
    HKLM\...\Run: [Google Updater] "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -check_deprecation [161336 2011-10-02] (Google)
    HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
    HKLM\...\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [90448 2011-11-01] (Research In Motion Limited)
    HKLM\...\Run: [TkBellExe] "c:\program files\real\realplayer\Update\realsched.exe" -osboot [296056 2012-05-14] (RealNetworks, Inc.)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
    HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
    HKU\Default\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1644088 2009-08-05] (Hewlett-Packard)
    HKU\Default User\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1644088 2009-08-05] (Hewlett-Packard)
    HKU\Mark\...\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW,SYSTRAY [1644088 2009-08-05] (Hewlett-Packard)
    HKU\Mark\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
    HKU\Mark\...\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe" [247728 2011-03-09] (TomTom)
    HKU\Mark\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2008-11-19] (Google Inc.)
    HKU\Mark\...\Run: [iCloudServices] C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe [59240 2012-02-23] (Apple Inc.)
    HKU\Mark\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
    HKU\Mark\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-18] (Microsoft Corporation)
    HKU\Mark\...\Policies\system: [DisableLockWorkstation] 0
    HKU\Mark\...\Policies\system: [DisableChangePassword] 0
    Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll [X]
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

    ==================== Services ================================

    2 AOL ACS; "C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe" [46640 2006-10-23] (AOL LLC)
    2 ezntsvc; C:\Windows\system32\ezNTSvc.exe [33792 2008-08-21] (EasyBits Software Corp.)
    2 NCO; "C:\Program Files\Norton Identity Safe\Engine\2012.6.3.2\ccSvcHst.exe" /s "NCO" /m "C:\Program Files\Norton Identity Safe\Engine\2012.6.3.2\diMaster.dll" /prefetch:1 [309688 2012-04-12] (Symantec Corporation)
    2 RichVideo; "C:\Program Files\CyberLink\Shared Files\RichVideo.exe" [247152 2010-08-19] ()
    2 HP Health Check Service; "c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe" [x]

    ==================== Drivers =================================

    1 ccSet_NST; C:\Windows\system32\drivers\NST\7DC06030.002\ccSetx86.sys [132744 2011-11-29] (Symantec Corporation)
    3 FsUsbExDisk; \??\C:\Windows\system32\FsUsbExDisk.SYS [36608 2009-03-31] ()
    3 pcouffin; C:\Windows\System32\Drivers\pcouffin.sys [47360 2009-04-12] (VSO Software)
    0 SMR310; C:\Windows\System32\drivers\SMR310.SYS [97440 2012-09-09] (Symantec Corporation)
    1 StarOpen; C:\Windows\System32\Drivers\StarOpen.sys [5632 2011-05-31] ()
    3 wanatw; C:\Windows\System32\DRIVERS\wanatw4.sys [33588 2006-11-29] (America Online, Inc.)
    4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
    3 catchme; \??\C:\ComboFix\catchme.sys [x]
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    3 Lavasoft Kernexplorer; \??\C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys [x]
    3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [x]
    3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
    3 RimUsb; C:\Windows\System32\Drivers\RimUsb.sys [x]
    0 TfFsMon; C:\Windows\System32\drivers\TfFsMon.sys [x]
    3 TfNetMon; \??\C:\Windows\system32\drivers\TfNetMon.sys [x]
    0 TfSysMon; C:\Windows\System32\drivers\TfSysMon.sys [x]

    ==================== NetSvcs (Whitelisted) =================


    ============ One Month Created Files and Folders ==============

    2012-09-15 13:23 - 2012-09-15 13:23 - 00000452 ____A C:\Users\Mark\Desktop\log - Shortcut.lnk
    2012-09-15 13:22 - 2012-09-15 13:22 - 00000000 ____D C:\Users\Mark\My Documents\log
    2012-09-15 13:22 - 2012-09-15 13:22 - 00000000 ____D C:\Users\Mark\Documents\log
    2012-09-15 12:54 - 2012-09-15 12:54 - 00013696 ____A C:\ComboFix.txt
    2012-09-15 12:19 - 2012-09-15 12:54 - 00000000 ____D C:\Qoobox
    2012-09-15 12:19 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
    2012-09-15 12:19 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
    2012-09-15 12:19 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2012-09-15 12:19 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2012-09-15 12:19 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2012-09-15 12:19 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
    2012-09-15 12:19 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
    2012-09-15 12:19 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
    2012-09-15 12:18 - 2012-09-15 12:50 - 00000000 ____D C:\Windows\erdnt
    2012-09-15 12:11 - 2012-09-15 12:11 - 04754503 ____R (Swearware) C:\Users\Mark\Downloads\ComboFix.exe
    2012-09-15 00:51 - 2012-09-16 08:40 - 00000000 ____D C:\FRST
    2012-09-13 12:19 - 2012-09-13 12:19 - 00000032 ____A C:\Users\All Users\Temp.log
    2012-09-13 12:19 - 2012-09-13 12:19 - 00000032 ____A C:\Users\All Users\Application Data\Temp.log
    2012-09-13 11:50 - 2012-09-13 11:50 - 00000000 ____D C:\Windows\System32\Drivers\NST
    2012-09-13 11:50 - 2012-09-13 11:50 - 00000000 ____D C:\Program Files\Norton Identity Safe
    2012-09-13 10:54 - 2012-09-13 10:55 - 00145904 ____A C:\Windows\Minidump\Mini091312-23.dmp
    2012-09-13 10:51 - 2012-09-13 14:02 - 00000000 ____D C:\NBRT
    2012-09-13 10:47 - 2012-09-13 10:47 - 00145904 ____A C:\Windows\Minidump\Mini091312-22.dmp
    2012-09-13 10:40 - 2012-09-13 10:40 - 00145904 ____A C:\Windows\Minidump\Mini091312-21.dmp
    2012-09-13 10:33 - 2012-09-13 10:33 - 00145904 ____A C:\Windows\Minidump\Mini091312-20.dmp
    2012-09-13 10:24 - 2012-09-13 10:24 - 00145904 ____A C:\Windows\Minidump\Mini091312-19.dmp
    2012-09-13 10:16 - 2012-09-13 10:17 - 00145904 ____A C:\Windows\Minidump\Mini091312-18.dmp
    2012-09-13 09:50 - 2012-09-13 09:50 - 00145904 ____A C:\Windows\Minidump\Mini091312-17.dmp
    2012-09-13 09:40 - 2012-09-13 09:40 - 00145904 ____A C:\Windows\Minidump\Mini091312-16.dmp
    2012-09-13 09:33 - 2012-09-13 09:33 - 00145904 ____A C:\Windows\Minidump\Mini091312-15.dmp
    2012-09-13 08:19 - 2012-09-13 08:19 - 00145904 ____A C:\Windows\Minidump\Mini091312-14.dmp
    2012-09-13 07:57 - 2012-09-13 07:58 - 00145904 ____A C:\Windows\Minidump\Mini091312-13.dmp
    2012-09-13 06:59 - 2012-09-13 06:59 - 00145904 ____A C:\Windows\Minidump\Mini091312-12.dmp
    2012-09-13 06:23 - 2012-09-13 06:23 - 00145904 ____A C:\Windows\Minidump\Mini091312-11.dmp
    2012-09-13 06:13 - 2012-09-13 06:13 - 00145904 ____A C:\Windows\Minidump\Mini091312-10.dmp
    2012-09-13 05:46 - 2012-09-13 05:46 - 00145904 ____A C:\Windows\Minidump\Mini091312-09.dmp
    2012-09-13 05:36 - 2012-09-13 05:36 - 00145904 ____A C:\Windows\Minidump\Mini091312-08.dmp
    2012-09-13 05:18 - 2012-09-13 05:18 - 00145904 ____A C:\Windows\Minidump\Mini091312-07.dmp
    2012-09-13 05:04 - 2012-09-13 05:04 - 00145904 ____A C:\Windows\Minidump\Mini091312-06.dmp
    2012-09-13 01:39 - 2012-09-13 01:39 - 00145904 ____A C:\Windows\Minidump\Mini091312-05.dmp
    2012-09-13 01:31 - 2012-09-13 01:31 - 00145904 ____A C:\Windows\Minidump\Mini091312-04.dmp
    2012-09-13 01:23 - 2012-09-13 01:24 - 00145904 ____A C:\Windows\Minidump\Mini091312-03.dmp
    2012-09-13 01:16 - 2012-09-13 01:16 - 00145904 ____A C:\Windows\Minidump\Mini091312-02.dmp
    2012-09-13 00:20 - 2012-09-13 00:21 - 00145904 ____A C:\Windows\Minidump\Mini091312-01.dmp
    2012-09-11 07:29 - 2012-09-11 07:29 - 12888064 ____A C:\Users\Mark\My Documents\dan passport photo.wps
    2012-09-11 07:29 - 2012-09-11 07:29 - 12888064 ____A C:\Users\Mark\Documents\dan passport photo.wps
    2012-09-09 10:44 - 2012-09-11 07:17 - 00000000 ____D C:\Users\Mark\Local Settings\CrashDumps
    2012-09-09 10:44 - 2012-09-11 07:17 - 00000000 ____D C:\Users\Mark\Local Settings\Application Data\CrashDumps
    2012-09-09 10:44 - 2012-09-11 07:17 - 00000000 ____D C:\Users\Mark\AppData\Local\CrashDumps
    2012-09-09 09:51 - 2012-09-09 09:51 - 00064000 ____A C:\Users\Mark\My Documents\DDS log 1 and 2.wps
    2012-09-09 09:51 - 2012-09-09 09:51 - 00064000 ____A C:\Users\Mark\Documents\DDS log 1 and 2.wps
    2012-09-09 09:34 - 2012-09-09 09:34 - 00000740 ____A C:\Users\Mark\My Documents\gmer.log..log
    2012-09-09 09:34 - 2012-09-09 09:34 - 00000740 ____A C:\Users\Mark\Documents\gmer.log..log
    2012-09-09 08:11 - 2012-09-09 08:11 - 00000000 ____D C:\Users\Mark\Application Data\Malwarebytes
    2012-09-09 08:11 - 2012-09-09 08:11 - 00000000 ____D C:\Users\Mark\AppData\Roaming\Malwarebytes
    2012-09-09 08:11 - 2012-09-09 08:11 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-09-09 08:11 - 2012-09-09 08:11 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
    2012-09-09 08:07 - 2012-09-09 08:07 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Mark\Downloads\mbam-setup-1.62.0.1300.exe
    2012-09-09 00:11 - 2012-09-09 00:11 - 00097440 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SMR310.SYS
    2012-09-09 00:11 - 2012-09-09 00:11 - 00000000 ____D C:\Users\All Users\SMR310
    2012-09-09 00:11 - 2012-09-09 00:11 - 00000000 ____D C:\Users\All Users\Application Data\SMR310
    2012-09-08 23:51 - 2012-09-08 23:51 - 01805736 ____A (Symantec Corporation) C:\Users\Mark\Downloads\FixZeroAccess (2).exe
    2012-09-08 12:22 - 2012-09-08 12:22 - 01805736 ____A (Symantec Corporation) C:\Users\Mark\Downloads\FixZeroAccess (1).exe
    2012-09-08 09:52 - 2012-09-08 09:55 - 02416348 ____A C:\Windows\System32\Drivers\Cat.DB
    2012-09-08 08:16 - 2012-09-08 08:16 - 00000000 ____D C:\TDSSKiller_Quarantine
    2012-09-08 07:27 - 2012-09-08 07:27 - 01805736 ____A (Symantec Corporation) C:\Users\Mark\Downloads\FixZeroAccess.exe
    2012-09-08 06:29 - 2012-09-08 06:29 - 00000000 ____D C:\Windows\System32\Drivers\NBRTWizard
    2012-09-08 06:29 - 2012-09-08 06:29 - 00000000 ____D C:\Program Files\Norton Bootable Recovery Tool Wizard
    2012-09-08 06:29 - 2012-07-25 21:32 - 00026840 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
    2012-09-08 06:27 - 2012-09-08 06:27 - 00912040 ____A (Symantec Corporation) C:\Users\Mark\Downloads\NBRT-Retail-Downloader.exe
    2012-09-08 06:12 - 2012-09-09 00:11 - 00174504 ____A C:\Windows\ntbtlog.txt.bak
    2012-09-08 06:09 - 2012-09-08 06:09 - 02892816 ____A (Symantec Corporation) C:\Users\Mark\Downloads\NPE.exe
    2012-09-08 05:52 - 2012-09-13 10:36 - 00000873 ____A C:\Users\Mark\Desktop\Norton Installation Files.lnk
    2012-09-08 05:41 - 2012-09-08 05:41 - 00000040 ____A C:\Users\Public\Documents\_rgpl
    2012-09-08 05:41 - 2012-09-08 05:41 - 00000040 ____A C:\Users\All Users\Documents\_rgpl
    2012-09-08 04:00 - 2012-09-08 04:00 - 00145856 ____A C:\Windows\Minidump\Mini090812-01.dmp
    2012-09-07 13:04 - 2012-09-07 13:04 - 00000000 ____D C:\Windows\System32\N360_BACKUP
    2012-09-07 11:02 - 2012-09-09 00:10 - 00000000 ____D C:\Users\Mark\Local Settings\NPE
    2012-09-07 11:02 - 2012-09-09 00:10 - 00000000 ____D C:\Users\Mark\Local Settings\Application Data\NPE
    2012-09-07 11:02 - 2012-09-09 00:10 - 00000000 ____D C:\Users\Mark\AppData\Local\NPE
    2012-09-07 10:33 - 2012-09-07 10:33 - 00000000 ____D C:\Users\All Users\Mozilla
    2012-09-07 10:33 - 2012-09-07 10:33 - 00000000 ____D C:\Users\All Users\Application Data\Mozilla
    2012-09-07 10:30 - 2012-09-07 10:30 - 00000000 ____D C:\Users\Mark\My Documents\Symantec
    2012-09-07 10:30 - 2012-09-07 10:30 - 00000000 ____D C:\Users\Mark\Documents\Symantec
    2012-09-07 10:09 - 2012-09-08 06:27 - 00000000 ____D C:\Users\Public\Downloads\Norton
    2012-09-07 09:31 - 2012-09-07 10:47 - 00000000 ____D C:\Users\Mark\Sources
    2012-09-07 09:29 - 2012-09-07 09:29 - 00001537 ____A C:\Users\Mark\Desktop\Windows Explorer.lnk
    2012-09-07 09:09 - 2012-09-07 09:09 - 00000000 ____D C:\Users\Mark\Local Settings\NokiaAccount
    2012-09-07 09:09 - 2012-09-07 09:09 - 00000000 ____D C:\Users\Mark\Local Settings\Application Data\NokiaAccount
    2012-09-07 09:09 - 2012-09-07 09:09 - 00000000 ____D C:\Users\Mark\AppData\Local\NokiaAccount
    2012-09-07 08:47 - 2012-09-07 08:47 - 00000134 ____A C:\Users\Mark\Desktop\Programs.lnk
    2012-09-07 08:43 - 2012-09-07 08:43 - 00000000 ____D C:\Users\Mark\My Documents\NPS
    2012-09-07 08:43 - 2012-09-07 08:43 - 00000000 ____D C:\Users\Mark\Documents\NPS
    2012-09-05 05:18 - 2012-09-05 05:18 - 00854759 ____A C:\Users\Mark\Downloads\MTS46.rar
    2012-09-05 05:18 - 2012-09-05 05:18 - 00854759 ____A C:\Users\Mark\Downloads\MTS46 (1).rar
    2012-08-23 01:29 - 2012-08-23 01:29 - 00000000 ____D C:\Users\Mark\Local Settings\MediaShow
    2012-08-23 01:29 - 2012-08-23 01:29 - 00000000 ____D C:\Users\Mark\Local Settings\Application Data\MediaShow
    2012-08-23 01:29 - 2012-08-23 01:29 - 00000000 ____D C:\Users\Mark\AppData\Local\MediaShow
    2012-08-23 01:26 - 2012-08-23 01:26 - 00001095 ____A C:\Users\Public\Desktop\BT Desktop Help.lnk
    2012-08-23 01:26 - 2012-08-23 01:26 - 00001095 ____A C:\Users\All Users\Desktop\BT Desktop Help.lnk
    2012-08-23 00:03 - 2012-08-23 00:03 - 00000000 ____D C:\Users\Mark\Local Settings\Power2Go8
    2012-08-23 00:03 - 2012-08-23 00:03 - 00000000 ____D C:\Users\Mark\Local Settings\Application Data\Power2Go8
    2012-08-23 00:03 - 2012-08-23 00:03 - 00000000 ____D C:\Users\Mark\AppData\Local\Power2Go8
    2012-08-22 08:04 - 2012-08-22 08:04 - 00000000 ____D C:\Users\Public\Documents\CyberLink
    2012-08-22 08:04 - 2012-08-22 08:04 - 00000000 ____D C:\Users\Mark\Local Settings\MediaServer
    2012-08-22 08:04 - 2012-08-22 08:04 - 00000000 ____D C:\Users\Mark\Local Settings\Application Data\MediaServer
    2012-08-22 08:04 - 2012-08-22 08:04 - 00000000 ____D C:\Users\Mark\AppData\Local\MediaServer
    2012-08-22 08:04 - 2012-08-22 08:04 - 00000000 ____D C:\Users\All Users\PDVD
    2012-08-22 08:04 - 2012-08-22 08:04 - 00000000 ____D C:\Users\All Users\Documents\CyberLink
    2012-08-22 08:04 - 2012-08-22 08:04 - 00000000 ____D C:\Users\All Users\Application Data\PDVD
    2012-08-22 07:58 - 2012-08-22 07:58 - 00000000 ____D C:\Program Files\Common Files\CyberLink
    2012-08-22 07:54 - 2012-09-13 12:24 - 00000000 ____D C:\Users\Mark\Local Settings\Cyberlink
    2012-08-22 07:54 - 2012-09-13 12:24 - 00000000 ____D C:\Users\Mark\Local Settings\Application Data\Cyberlink
    2012-08-22 07:54 - 2012-09-13 12:24 - 00000000 ____D C:\Users\Mark\AppData\Local\Cyberlink
    2012-08-22 07:51 - 2012-08-22 08:07 - 00000000 ____D C:\Users\All Users\install_clap
    2012-08-22 07:51 - 2012-08-22 08:07 - 00000000 ____D C:\Users\All Users\Application Data\install_clap
    2012-08-22 07:47 - 2012-09-13 12:27 - 00000000 ____D C:\Users\All Users\CLSK
    2012-08-22 07:47 - 2012-09-13 12:27 - 00000000 ____D C:\Users\All Users\Application Data\CLSK
    2012-08-22 06:23 - 2012-08-22 06:37 - 1238864448 ____A C:\Users\Mark\My Documents\CyberLink_MES120105-04.exe
    2012-08-22 06:23 - 2012-08-22 06:37 - 1238864448 ____A C:\Users\Mark\Documents\CyberLink_MES120105-04.exe
    2012-08-21 02:51 - 2012-08-21 02:51 - 11912192 ____A C:\Users\Mark\My Documents\New @ Condado.wps
    2012-08-21 02:51 - 2012-08-21 02:51 - 11912192 ____A C:\Users\Mark\Documents\New @ Condado.wps


    ============ 3 Months Modified Files ========================

    2012-09-16 08:46 - 2006-11-02 05:01 - 00032600 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-09-16 08:46 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-09-16 08:46 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-09-16 08:46 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-09-16 08:35 - 2012-07-24 11:30 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-802167735-3406490535-3852651081-1000UA.job
    2012-09-16 08:25 - 2009-12-26 12:14 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-09-16 07:56 - 2012-03-30 23:50 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-09-16 07:28 - 2008-04-28 06:04 - 01232542 ____A C:\Windows\WindowsUpdate.log
    2012-09-16 07:25 - 2009-12-26 12:14 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-09-16 01:14 - 2009-02-22 12:11 - 00000868 ____A C:\Windows\Tasks\Google Software Updater.job
    2012-09-15 13:23 - 2012-09-15 13:23 - 00000452 ____A C:\Users\Mark\Desktop\log - Shortcut.lnk
    2012-09-15 12:54 - 2012-09-15 12:54 - 00013696 ____A C:\ComboFix.txt
    2012-09-15 12:40 - 2006-11-02 02:23 - 00000215 ____A C:\Windows\system.ini
    2012-09-15 12:37 - 2008-08-20 02:58 - 01637008 ____A C:\Windows\PFRO.log
    2012-09-15 12:11 - 2012-09-15 12:11 - 04754503 ____R (Swearware) C:\Users\Mark\Downloads\ComboFix.exe
    2012-09-15 11:42 - 2012-07-25 01:00 - 00024539 ____A C:\aaw7boot.log
    2012-09-15 11:35 - 2012-07-24 11:30 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-802167735-3406490535-3852651081-1000Core.job
    2012-09-15 10:28 - 2011-11-26 04:25 - 00000064 ____A C:\Windows\System32\rp_stats.dat
    2012-09-15 10:28 - 2011-11-26 04:25 - 00000044 ____A C:\Windows\System32\rp_rules.dat
    2012-09-13 12:19 - 2012-09-13 12:19 - 00000032 ____A C:\Users\All Users\Temp.log
    2012-09-13 12:19 - 2012-09-13 12:19 - 00000032 ____A C:\Users\All Users\Application Data\Temp.log
    2012-09-13 10:55 - 2012-09-13 10:54 - 00145904 ____A C:\Windows\Minidump\Mini091312-23.dmp
    2012-09-13 10:54 - 2008-09-17 10:15 - 271553641 ____A C:\Windows\MEMORY.DMP
    2012-09-13 10:47 - 2012-09-13 10:47 - 00145904 ____A C:\Windows\Minidump\Mini091312-22.dmp
    2012-09-13 10:40 - 2012-09-13 10:40 - 00145904 ____A C:\Windows\Minidump\Mini091312-21.dmp
    2012-09-13 10:36 - 2012-09-08 05:52 - 00000873 ____A C:\Users\Mark\Desktop\Norton Installation Files.lnk
    2012-09-13 10:33 - 2012-09-13 10:33 - 00145904 ____A C:\Windows\Minidump\Mini091312-20.dmp
    2012-09-13 10:24 - 2012-09-13 10:24 - 00145904 ____A C:\Windows\Minidump\Mini091312-19.dmp
    2012-09-13 10:17 - 2012-09-13 10:16 - 00145904 ____A C:\Windows\Minidump\Mini091312-18.dmp
    2012-09-13 09:50 - 2012-09-13 09:50 - 00145904 ____A C:\Windows\Minidump\Mini091312-17.dmp
    2012-09-13 09:50 - 2006-11-02 04:47 - 00070656 _____ C:\Windows\System32\umstartup.etl
    2012-09-13 09:40 - 2012-09-13 09:40 - 00145904 ____A C:\Windows\Minidump\Mini091312-16.dmp
    2012-09-13 09:33 - 2012-09-13 09:33 - 00145904 ____A C:\Windows\Minidump\Mini091312-15.dmp
    2012-09-13 08:19 - 2012-09-13 08:19 - 00145904 ____A C:\Windows\Minidump\Mini091312-14.dmp
    2012-09-13 07:58 - 2012-09-13 07:57 - 00145904 ____A C:\Windows\Minidump\Mini091312-13.dmp
    2012-09-13 06:59 - 2012-09-13 06:59 - 00145904 ____A C:\Windows\Minidump\Mini091312-12.dmp
    2012-09-13 06:23 - 2012-09-13 06:23 - 00145904 ____A C:\Windows\Minidump\Mini091312-11.dmp
    2012-09-13 06:13 - 2012-09-13 06:13 - 00145904 ____A C:\Windows\Minidump\Mini091312-10.dmp
    2012-09-13 05:46 - 2012-09-13 05:46 - 00145904 ____A C:\Windows\Minidump\Mini091312-09.dmp
    2012-09-13 05:36 - 2012-09-13 05:36 - 00145904 ____A C:\Windows\Minidump\Mini091312-08.dmp
    2012-09-13 05:18 - 2012-09-13 05:18 - 00145904 ____A C:\Windows\Minidump\Mini091312-07.dmp
    2012-09-13 05:04 - 2012-09-13 05:04 - 00145904 ____A C:\Windows\Minidump\Mini091312-06.dmp
    2012-09-13 01:39 - 2012-09-13 01:39 - 00145904 ____A C:\Windows\Minidump\Mini091312-05.dmp
    2012-09-13 01:31 - 2012-09-13 01:31 - 00145904 ____A C:\Windows\Minidump\Mini091312-04.dmp
    2012-09-13 01:24 - 2012-09-13 01:23 - 00145904 ____A C:\Windows\Minidump\Mini091312-03.dmp
    2012-09-13 01:16 - 2012-09-13 01:16 - 00145904 ____A C:\Windows\Minidump\Mini091312-02.dmp
    2012-09-13 00:21 - 2012-09-13 00:20 - 00145904 ____A C:\Windows\Minidump\Mini091312-01.dmp
    2012-09-12 01:22 - 2008-08-20 03:38 - 00033046 ____A C:\Users\Mark\Application Data\wklnhst.dat
    2012-09-12 01:22 - 2008-08-20 03:38 - 00033046 ____A C:\Users\Mark\AppData\Roaming\wklnhst.dat
    2012-09-11 07:29 - 2012-09-11 07:29 - 12888064 ____A C:\Users\Mark\My Documents\dan passport photo.wps
    2012-09-11 07:29 - 2012-09-11 07:29 - 12888064 ____A C:\Users\Mark\Documents\dan passport photo.wps
    2012-09-09 09:51 - 2012-09-09 09:51 - 00064000 ____A C:\Users\Mark\My Documents\DDS log 1 and 2.wps
    2012-09-09 09:51 - 2012-09-09 09:51 - 00064000 ____A C:\Users\Mark\Documents\DDS log 1 and 2.wps
    2012-09-09 09:34 - 2012-09-09 09:34 - 00000740 ____A C:\Users\Mark\My Documents\gmer.log..log
    2012-09-09 09:34 - 2012-09-09 09:34 - 00000740 ____A C:\Users\Mark\Documents\gmer.log..log
    2012-09-09 08:07 - 2012-09-09 08:07 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Mark\Downloads\mbam-setup-1.62.0.1300.exe
    2012-09-09 00:11 - 2012-09-09 00:11 - 00097440 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SMR310.SYS
    2012-09-09 00:11 - 2012-09-08 06:12 - 00174504 ____A C:\Windows\ntbtlog.txt.bak
    2012-09-08 23:52 - 2011-10-21 04:58 - 00009024 ____A C:\Windows\IE9_main.log
    2012-09-08 23:51 - 2012-09-08 23:51 - 01805736 ____A (Symantec Corporation) C:\Users\Mark\Downloads\FixZeroAccess (2).exe
    2012-09-08 23:30 - 2008-08-20 03:08 - 00072944 ____A C:\Users\Mark\Local Settings\GDIPFONTCACHEV1.DAT
    2012-09-08 23:30 - 2008-08-20 03:08 - 00072944 ____A C:\Users\Mark\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2012-09-08 23:30 - 2008-08-20 03:08 - 00072944 ____A C:\Users\Mark\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-09-08 23:28 - 2006-11-02 04:47 - 00285328 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-09-08 12:58 - 2006-11-02 02:22 - 59506688 ____A C:\Windows\System32\config\software_previous
    2012-09-08 12:58 - 2006-11-02 02:22 - 18874368 ____A C:\Windows\System32\config\system_previous
    2012-09-08 12:43 - 2006-11-02 02:22 - 42205184 ____A C:\Windows\System32\config\components_previous
    2012-09-08 12:43 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\sam_previous
    2012-09-08 12:22 - 2012-09-08 12:22 - 01805736 ____A (Symantec Corporation) C:\Users\Mark\Downloads\FixZeroAccess (1).exe
    2012-09-08 09:55 - 2012-09-08 09:52 - 02416348 ____A C:\Windows\System32\Drivers\Cat.DB
    2012-09-08 07:27 - 2012-09-08 07:27 - 01805736 ____A (Symantec Corporation) C:\Users\Mark\Downloads\FixZeroAccess.exe
    2012-09-08 06:27 - 2012-09-08 06:27 - 00912040 ____A (Symantec Corporation) C:\Users\Mark\Downloads\NBRT-Retail-Downloader.exe
    2012-09-08 06:09 - 2012-09-08 06:09 - 02892816 ____A (Symantec Corporation) C:\Users\Mark\Downloads\NPE.exe
    2012-09-08 05:51 - 2008-08-20 03:14 - 00095736 ____A C:\Windows\DPINST.LOG
    2012-09-08 05:50 - 2006-11-02 02:23 - 00000324 ____A C:\Windows\win.ini
    2012-09-08 05:41 - 2012-09-08 05:41 - 00000040 ____A C:\Users\Public\Documents\_rgpl
    2012-09-08 05:41 - 2012-09-08 05:41 - 00000040 ____A C:\Users\All Users\Documents\_rgpl
    2012-09-08 04:00 - 2012-09-08 04:00 - 00145856 ____A C:\Windows\Minidump\Mini090812-01.dmp
    2012-09-08 03:40 - 2006-11-02 02:22 - 00786432 ____A C:\Windows\System32\config\default_previous
    2012-09-08 03:40 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\security_previous
    2012-09-07 09:29 - 2012-09-07 09:29 - 00001537 ____A C:\Users\Mark\Desktop\Windows Explorer.lnk
    2012-09-07 08:47 - 2012-09-07 08:47 - 00000134 ____A C:\Users\Mark\Desktop\Programs.lnk
    2012-09-05 05:18 - 2012-09-05 05:18 - 00854759 ____A C:\Users\Mark\Downloads\MTS46.rar
    2012-09-05 05:18 - 2012-09-05 05:18 - 00854759 ____A C:\Users\Mark\Downloads\MTS46 (1).rar
    2012-09-01 12:39 - 2008-10-06 07:38 - 00038400 ____A C:\Users\Mark\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-09-01 12:39 - 2008-10-06 07:38 - 00038400 ____A C:\Users\Mark\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-09-01 12:39 - 2008-10-06 07:38 - 00038400 ____A C:\Users\Mark\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-08-27 03:10 - 2012-03-30 23:50 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-08-27 03:10 - 2011-06-17 23:55 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-08-23 01:26 - 2012-08-23 01:26 - 00001095 ____A C:\Users\Public\Desktop\BT Desktop Help.lnk
    2012-08-23 01:26 - 2012-08-23 01:26 - 00001095 ____A C:\Users\All Users\Desktop\BT Desktop Help.lnk
    2012-08-22 06:37 - 2012-08-22 06:23 - 1238864448 ____A C:\Users\Mark\My Documents\CyberLink_MES120105-04.exe
    2012-08-22 06:37 - 2012-08-22 06:23 - 1238864448 ____A C:\Users\Mark\Documents\CyberLink_MES120105-04.exe
    2012-08-21 02:51 - 2012-08-21 02:51 - 11912192 ____A C:\Users\Mark\My Documents\New @ Condado.wps
    2012-08-21 02:51 - 2012-08-21 02:51 - 11912192 ____A C:\Users\Mark\Documents\New @ Condado.wps
    2012-07-31 08:07 - 2006-11-02 04:52 - 00069228 ____A C:\Windows\setupact.log
    2012-07-31 08:06 - 2011-11-01 12:31 - 00003999 ____A C:\Users\Mark\Application Data\Rim.Desktop.HttpServerSetup.log
    2012-07-31 08:06 - 2011-11-01 12:31 - 00003999 ____A C:\Users\Mark\AppData\Roaming\Rim.Desktop.HttpServerSetup.log
    2012-07-31 08:04 - 2011-11-01 12:31 - 00002058 ____A C:\Users\Public\Desktop\BlackBerry Desktop Software.lnk
    2012-07-31 08:04 - 2011-11-01 12:31 - 00002058 ____A C:\Users\All Users\Desktop\BlackBerry Desktop Software.lnk
    2012-07-31 07:59 - 2011-11-01 12:44 - 00001934 ____A C:\Users\Mark\Application Data\Rim.Desktop.Exception.log
    2012-07-31 07:59 - 2011-11-01 12:44 - 00001934 ____A C:\Users\Mark\AppData\Roaming\Rim.Desktop.Exception.log
    2012-07-31 07:59 - 2011-11-01 12:44 - 00000924 ____A C:\Users\Mark\Application Data\Rim.DesktopHelper.Exception.log
    2012-07-31 07:59 - 2011-11-01 12:44 - 00000924 ____A C:\Users\Mark\AppData\Roaming\Rim.DesktopHelper.Exception.log
    2012-07-31 03:29 - 2012-07-31 03:29 - 00518656 ____A C:\Users\Mark\My Documents\carpark cardiff.wps
    2012-07-31 03:29 - 2012-07-31 03:29 - 00518656 ____A C:\Users\Mark\Documents\carpark cardiff.wps
    2012-07-27 05:11 - 2012-07-27 05:11 - 00010752 ____A C:\Users\Mark\My Documents\sara 429.xlr
    2012-07-27 05:11 - 2012-07-27 05:11 - 00010752 ____A C:\Users\Mark\Documents\sara 429.xlr
    2012-07-27 03:15 - 2012-07-27 03:15 - 00014370 ____A C:\Users\Mark\My Documents\Nirvana.p2g
    2012-07-27 03:15 - 2012-07-27 03:15 - 00014370 ____A C:\Users\Mark\Documents\Nirvana.p2g
    2012-07-25 21:32 - 2012-09-08 06:29 - 00026840 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
    2012-07-25 21:32 - 2010-11-16 12:17 - 00106928 ____A (GEAR Software Inc.) C:\Windows\System32\GEARAspi.dll
    2012-07-24 11:45 - 2012-07-24 11:22 - 00020969 ____A C:\INSTALLHELPER.LOG
    2012-07-24 11:45 - 2012-07-24 11:22 - 00003982 ____A C:\alotserviceruntime.log
    2012-07-12 22:54 - 2012-07-12 22:54 - 00485376 ____A C:\Users\Mark\My Documents\Asda socket set.wps
    2012-07-12 22:54 - 2012-07-12 22:54 - 00485376 ____A C:\Users\Mark\Documents\Asda socket set.wps
    2012-07-08 09:22 - 2012-07-08 09:22 - 00441344 ____A C:\Users\Mark\My Documents\Ryanair cancellation.wps
    2012-07-08 09:22 - 2012-07-08 09:22 - 00441344 ____A C:\Users\Mark\Documents\Ryanair cancellation.wps
    2012-07-08 05:50 - 2012-07-08 05:50 - 01670144 ____A C:\Users\Mark\My Documents\apodo flight.wps
    2012-07-08 05:50 - 2012-07-08 05:50 - 01670144 ____A C:\Users\Mark\Documents\apodo flight.wps
    2012-06-30 12:42 - 2012-06-30 12:42 - 04307456 ____A C:\Users\Mark\My Documents\Holiday Inn Kenilworth.wps
    2012-06-30 12:42 - 2012-06-30 12:42 - 04307456 ____A C:\Users\Mark\Documents\Holiday Inn Kenilworth.wps


    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2012-09-08 04:55:28
    Restore point made on: 2012-09-08 05:31:03
    Restore point made on: 2012-09-08 05:31:59
    Restore point made on: 2012-09-08 05:32:57
    Restore point made on: 2012-09-08 05:33:43
    Restore point made on: 2012-09-08 05:35:25
    Restore point made on: 2012-09-08 05:36:31
    Restore point made on: 2012-09-08 05:37:37
    Restore point made on: 2012-09-08 05:39:00
    Restore point made on: 2012-09-08 05:39:59
    Restore point made on: 2012-09-08 05:42:24
    Restore point made on: 2012-09-08 05:43:53
    Restore point made on: 2012-09-08 05:45:12
    Restore point made on: 2012-09-08 05:46:13
    Restore point made on: 2012-09-08 05:47:35
    Restore point made on: 2012-09-08 05:48:31
    Restore point made on: 2012-09-08 05:49:35
    Restore point made on: 2012-09-08 13:57:43
    Restore point made on: 2012-09-09 07:12:43
    Restore point made on: 2012-09-09 07:16:55
    Restore point made on: 2012-09-10 01:47:13
    Restore point made on: 2012-09-11 23:50:00
    Restore point made on: 2012-09-13 12:17:53
    Restore point made on: 2012-09-14 09:16:37
    Restore point made on: 2012-09-14 09:20:38
    Restore point made on: 2012-09-15 10:34:04
    Restore point made on: 2012-09-15 10:42:51
    Restore point made on: 2012-09-15 10:43:51
    Restore point made on: 2012-09-15 10:47:46
    Restore point made on: 2012-09-15 11:02:04
    Restore point made on: 2012-09-15 11:17:54
    Restore point made on: 2012-09-15 12:13:11
    Restore point made on: 2012-09-16 00:25:20
    Restore point made on: 2012-09-16 00:34:44
    Restore point made on: 2012-09-16 02:57:18
    Restore point made on: 2012-09-16 07:33:56

    ==================== Memory info ===========================

    Percentage of memory in use: 14%
    Total physical RAM: 4094.5 MB
    Available physical RAM: 3501.08 MB
    Total Pagefile: 3762.31 MB
    Available Pagefile: 3564.93 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1990.14 MB

    ==================== Partitions ============================

    1 Drive c: (HP) (Fixed) (Total:455.51 GB) (Free:181.98 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (FACTORY_IMAGE) (Fixed) (Total:10.25 GB) (Free:1.18 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    4 Drive f: (Cruzer) (Removable) (Total:1.86 GB) (Free:1.84 GB) FAT
    10 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 466 GB 1528 KB
    Disk 1 Online 1912 MB 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B
    Disk 5 No Media 0 B 0 B
    Disk 6 No Media 0 B 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 456 GB 32 KB
    Partition 2 Primary 10 GB 456 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 6 C HP NTFS Partition 456 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 6 D FACTORY_IMA NTFS Partition 10 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 1908 MB 65 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 06
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 5 F Cruzer FAT Removable 1908 MB Healthy

    ==================================================================================

    Last Boot: 2012-09-16 00:54

    ==================== End Of Log =============================






    Farbar Recovery Scan Tool (x86) Version: 12-09-2012
    Ran by SYSTEM at 2012-09-16 17:51:07
    Running from F:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
    [2009-09-24 08:59] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
    [2008-08-29 04:32] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
    [2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0

    C:\Windows\System32\services.exe
    [2009-09-24 08:59] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

    C:\Windows\erdnt\cache\services.exe
    [2012-09-15 12:50] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

    C:\FRST\Quarantine\services.exe
    [2009-09-24 08:59] - [2012-09-08 08:21] - 0282624 ____A (Microsoft Corporation) 1C5A8277AA91E44684772C950C892AE2

    === End Of Search ===
  9. Broni

    Broni Malware Annihilator Posts: 46,182   +251

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Restart normally and see if you can connect.

    Attached Files:

  10. Tobydog

    Tobydog Newcomer, in training Topic Starter Posts: 44

    Hi Broni

    I must be doing something wrong - the computer can not find fixlist.txt on my flashdrive even though I can see it there ?
  11. Tobydog

    Tobydog Newcomer, in training Topic Starter Posts: 44

    Hi
    Broni

    The computer is telling me that the fixlist.txt should be made and saved in the same directory the tool is located - I'm saving it to the same flashdrive
     
  12. Broni

    Broni Malware Annihilator Posts: 46,182   +251

    Delete everything from your flash drive, get new copy of FRST and try again.
  13. Tobydog

    Tobydog Newcomer, in training Topic Starter Posts: 44

    Thanks Broni - will do immediatley
  14. Tobydog

    Tobydog Newcomer, in training Topic Starter Posts: 44

    Hi Broni

    Deleted everything on flashdrive, got new copy of FRST and fixlist.tx, but computer still can not see the fixlist - is it anything to do with the USB drive on my laptop ( which I'm communicating with you on now ) which I'm using to copy to my flashdrive and the USB drive I'm using on the problem PC ? When I drag the fixlist on to my flashdrive, do I need to drop it directly on top of the FRST file ?
  15. Broni

    Broni Malware Annihilator Posts: 46,182   +251

    No.

    Are you booting to System Recovery Options?

    Try different flash drive.
  16. Tobydog

    Tobydog Newcomer, in training Topic Starter Posts: 44

    Thanks Broni

    I am booting to System Recovery Options via the F8 button - I will try a different flash drive
  17. Tobydog

    Tobydog Newcomer, in training Topic Starter Posts: 44

    Hi Broni

    I've tried two different flashdrives, three in all - same result - 'No fixlist.txt found' - I can definitely see FRST and the fixlist on the flashdrive in System Recovery Operations - it's the same flashdrive I used for the previous scans and logs
  18. Broni

    Broni Malware Annihilator Posts: 46,182   +251

    Make sure the file is named "fixlist.txt" and nothing else like having double extension.
    Look at FRST file. Do you see "FRST.exe or just "FRST"?
  19. Tobydog

    Tobydog Newcomer, in training Topic Starter Posts: 44

    Hi Broni

    The fixlist.txt ran!

    Here's the log

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 16-09-2012 01
    Ran by SYSTEM at 2012-09-16 21:40:12 Run:2
    Running from K:\

    ==============================================

    BCD not restored.
    DEFAULT restored successfuly.
    SAM restored successfuly.
    SECURITY restored successfuly.
    SOFTWARE restored successfuly.
    hiv-backup\BCD not found.
    SYSTEM restored successfuly.

    ==== End of Fixlog ====
  20. Tobydog

    Tobydog Newcomer, in training Topic Starter Posts: 44

    Hi Broni

    Internet connection restored! :) Excellent - Thank you, thank you

    I'm sending this using the problem computer

    I'm getting a message that I'm 'viewing pages over a secure connection - Any information I exchange with this site cannot be viewed by anyone else on the web', or, I'm 'leaving a secure connection and that any information I exchange may be viewed by others'
  21. Broni

    Broni Malware Annihilator Posts: 46,182   +251

    Good news :)

    The above message is a standard IE warning. See here: http://forums.techguy.org/general-security/975873-solved-security-alert-when-starting.html

    Any current issues?

    ===============================

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  22. Tobydog

    Tobydog Newcomer, in training Topic Starter Posts: 44

    Hi Broni

    Thanks for your continued support

    No other apparent issues to report - although the computer appears to be running a little quicker

    Here's the OTL log

    OTL logfile created on: 16/09/2012 22:24:14 - Run 1
    OTL by OldTimer - Version 3.2.61.5 Folder = C:\Users\Mark\Downloads
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    3.25 Gb Total Physical Memory | 2.22 Gb Available Physical Memory | 68.42% Memory free
    6.71 Gb Paging File | 5.68 Gb Available in Paging File | 84.63% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 455.51 Gb Total Space | 183.73 Gb Free Space | 40.33% Space Free | Partition Type: NTFS
    Drive D: | 10.25 Gb Total Space | 1.08 Gb Free Space | 10.57% Space Free | Partition Type: NTFS
    Drive K: | 1.86 Gb Total Space | 1.86 Gb Free Space | 99.84% Space Free | Partition Type: FAT

    Computer Name: MARK-PC | User Name: Mark | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/09/16 22:13:25 | 000,600,064 | ---- | M] (OldTimer Tools) -- C:\Users\Mark\Downloads\OTL.exe
    PRC - [2012/08/27 12:10:29 | 000,690,888 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\Macromed\Flash\FlashUtil32_11_4_402_265_ActiveX.exe
    PRC - [2012/07/27 21:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    PRC - [2012/07/05 06:58:58 | 001,988,608 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
    PRC - [2012/05/14 14:47:48 | 000,296,056 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\Update\realsched.exe
    PRC - [2012/03/28 00:14:06 | 000,138,232 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Identity Safe\Engine\2012.6.3.2\ccSvcHst.exe
    PRC - [2012/03/02 22:34:26 | 000,361,472 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\Common Files\Motive\pcCMService.exe
    PRC - [2012/02/23 13:30:40 | 000,059,240 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
    PRC - [2012/02/23 13:22:56 | 000,059,240 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe
    PRC - [2011/11/02 02:00:44 | 000,090,448 | ---- | M] (Research In Motion Limited) -- C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
    PRC - [2011/03/09 13:30:08 | 000,247,728 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
    PRC - [2011/03/09 13:30:08 | 000,092,592 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    PRC - [2009/04/11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2008/08/21 18:15:40 | 000,033,792 | ---- | M] (EasyBits Software Corp.) -- C:\Windows\System32\ezntsvc.exe
    PRC - [2008/07/03 12:27:12 | 006,266,880 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
    PRC - [2008/06/24 19:34:50 | 000,041,824 | ---- | M] (AOL LLC) -- C:\Program Files\Common Files\aol\1219316984\ee\aolsoftware.exe
    PRC - [2008/06/02 19:50:34 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    PRC - [2008/06/02 19:50:32 | 000,178,712 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    PRC - [2008/01/19 08:33:27 | 000,151,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\schtasks.exe
    PRC - [2007/04/18 16:01:34 | 000,065,536 | ---- | M] (Hewlett-Packard Company) -- C:\hp\support\hpsysdrv.exe
    PRC - [2007/02/15 12:59:00 | 000,118,784 | ---- | M] (OsdMaestro) -- C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012/06/14 09:06:43 | 011,820,032 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\508b444db523c5cf20ff12c7f440837b\System.Web.ni.dll
    MOD - [2012/06/14 09:04:42 | 012,433,920 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\f2691cfa7671cdc58179e56ba9227591\System.Windows.Forms.ni.dll
    MOD - [2012/06/14 09:04:33 | 001,592,320 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\18f9789aa214c657113e676b3a9015aa\System.Drawing.ni.dll
    MOD - [2012/06/14 09:04:11 | 014,329,856 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\7343fbab1ba137db2f8b284047ef3f3c\PresentationFramework.ni.dll
    MOD - [2012/06/14 09:01:36 | 012,219,392 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\7b6293b0c23321c255c2530aea8e32bb\PresentationCore.ni.dll
    MOD - [2012/05/10 17:39:35 | 000,187,904 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationTypes\5ebaa15cccc356bc3afba0c8f56977f7\UIAutomationTypes.ni.dll
    MOD - [2012/05/10 17:39:21 | 000,998,400 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\f3d4d5fe5ab848fbfcf91a49960dc8ae\System.Management.ni.dll
    MOD - [2012/05/10 17:37:23 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\846b9cf2756fdd15f704c9bab9c70b6f\System.Runtime.Remoting.ni.dll
    MOD - [2012/05/10 17:36:54 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\bd76aaaa03ddc15d1840207b5a480644\System.Configuration.ni.dll
    MOD - [2012/05/10 17:35:22 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\d2630342a066a7cb9056d9eb6157687a\System.Xml.ni.dll
    MOD - [2012/05/10 17:34:44 | 006,621,696 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\bfdd10e0a0aacf46bac557ffc5d55ba5\System.Data.ni.dll
    MOD - [2012/05/10 17:34:34 | 000,368,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\c8c3ab08933fef9fb6657da871395c46\PresentationFramework.Aero.ni.dll
    MOD - [2012/05/10 17:34:04 | 003,325,952 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\54426ee1881b42af5b090e223f43823c\WindowsBase.ni.dll
    MOD - [2012/05/10 17:33:57 | 007,953,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\28d633338fc8d29f8af31935ef7d001b\System.ni.dll
    MOD - [2012/05/10 17:33:21 | 011,492,352 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\af9c9e9d7e0523cd444f8b551baa9cbf\mscorlib.ni.dll
    MOD - [2011/06/24 22:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
    MOD - [2011/06/24 22:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
    MOD - [2009/08/05 11:26:14 | 000,061,440 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\Pillars\PCAlerts\PCAlertsPillar.dll
    MOD - [2009/08/05 11:26:12 | 000,131,072 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\Pillars\ECenter\ECLibrary.dll
    MOD - [2009/08/05 11:26:06 | 000,040,960 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingServer.dll
    MOD - [2009/08/05 11:26:06 | 000,007,680 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\RemotingClient.dll
    MOD - [2009/08/05 11:26:04 | 000,036,864 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingClients.dll
    MOD - [2009/08/05 11:26:04 | 000,005,632 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingInterface.dll
    MOD - [2009/08/05 11:26:00 | 000,028,672 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingMessages.dll
    MOD - [2009/08/05 11:25:50 | 000,028,672 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll
    MOD - [2009/03/30 05:42:17 | 002,933,760 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
    MOD - [2008/04/04 23:40:01 | 000,086,016 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\HP.ActiveSupportLibrary\2.0.0.1__01a974bc1760f423\HP.ActiveSupportLibrary.dll


    ========== Services (SafeList) ==========

    SRV - [2012/08/27 12:10:30 | 000,250,568 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2012/07/27 21:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2012/03/28 00:14:06 | 000,138,232 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Identity Safe\Engine\2012.6.3.2\ccSvcHst.exe -- (NCO)
    SRV - [2012/03/02 22:34:26 | 000,361,472 | ---- | M] (Alcatel-Lucent) [Auto | Running] -- C:\Program Files\Common Files\Motive\pcCMService.exe -- (pcCMService)
    SRV - [2011/06/17 09:42:27 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe -- (GoToAssist)
    SRV - [2011/06/08 13:02:00 | 000,633,856 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
    SRV - [2011/03/09 13:30:08 | 000,092,592 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
    SRV - [2010/10/12 18:59:12 | 000,206,072 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\WildTangent Games\App\GamesAppService.exe -- (GamesAppService)
    SRV - [2008/08/21 18:15:40 | 000,033,792 | ---- | M] (EasyBits Software Corp.) [Auto | Running] -- C:\Windows\System32\ezntsvc.exe -- (ezntsvc)
    SRV - [2008/06/02 19:50:34 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON)
    SRV - [2006/10/23 13:50:35 | 000,046,640 | R--- | M] (AOL LLC) [Auto | Stopped] -- C:\Program Files\Common Files\aol\acs\AOLacsd.exe -- (AOL ACS)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | Boot | Stopped] -- system32\drivers\TfSysMon.sys -- (TfSysMon)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\TfNetMon.sys -- (TfNetMon)
    DRV - File not found [Kernel | Boot | Stopped] -- system32\drivers\TfFsMon.sys -- (TfFsMon)
    DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\RimUsb.sys -- (RimUsb)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS -- (MRENDIS5)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS -- (MREMPR5)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys -- (Lavasoft Kernexplorer)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
    DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
    DRV - [2012/09/09 09:11:09 | 000,097,440 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\SMR310.SYS -- (SMR310)
    DRV - [2012/07/05 06:58:02 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
    DRV - [2012/07/05 06:57:44 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
    DRV - [2011/11/30 00:44:14 | 000,132,744 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\NST\7DC06030.002\ccSetx86.sys -- (ccSet_NST)
    DRV - [2011/05/31 17:52:57 | 000,005,632 | ---- | M] () [File_System | System | Running] -- C:\Windows\System32\drivers\StarOpen.sys -- (StarOpen)
    DRV - [2009/03/31 09:39:36 | 000,036,608 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\FsUsbExDisk.Sys -- (FsUsbExDisk)
    DRV - [2008/08/26 10:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pccsmcfd.sys -- (pccsmcfd)
    DRV - [2008/01/10 20:57:00 | 008,237,120 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2007/10/03 17:18:12 | 000,099,840 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
    DRV - [2006/11/29 23:24:57 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\wanatw4.sys -- (wanatw)
    DRV - [2005/12/12 17:27:00 | 000,019,072 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PS2.sys -- (Ps2)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Pavilion&pf=desktop
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.voover.com/
    IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.aol.co.uk/web?isinit=true&query=%s
    IE - HKLM\..\SearchScopes\{4E53DBE1-A5F3-49FF-859C-5E4264B40F17}: "URL" = http://uk.kelkoopartners.net/ctl/do...e&x=true&y=true&partner=hp&partnerId=96913936
    IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7
    IE - HKLM\..\SearchScopes\{6DE46C00-CFF9-4A0D-A5DD-E673D0317C87}: "URL" = http://slirsredirect.search.aol.com...archTerms}&invocationType=tb50hpcndtie7-en-gb
    IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2A59}: "URL" = http://search.imesh.com/web?src=ieb&systemid=1&q={searchTerms}


    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
    IE - HKU\.DEFAULT\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://www.google.com/search?ie=utf-8&oe=utf-8&mssrc=ms_chr&mstb=adawaretb&q={searchTerms}
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
    IE - HKU\S-1-5-18\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://www.google.com/search?ie=utf-8&oe=utf-8&mssrc=ms_chr&mstb=adawaretb&q={searchTerms}
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 41 46 86 A5 D5 BF CA 01 [binary data]
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\SearchScopes,DefaultScope = {A531D99C-5A22-449b-83DA-872725C6D0ED}
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.aol.co.uk/web?isinit=true&query=%s
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask.com/redirect?c...pn_sauid=8BAF374B-748A-4EAB-8821-4AF7B70D7624
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\SearchScopes\{1DCA0845-D10E-4C2B-B949-1B4D1A1378AB}: "URL" = http://search.aol.co.uk/aolcom/search?query={searchTerms}&invocationType=msie70a
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://www.google.com/search?ie=utf-8&oe=utf-8&mssrc=ms_chr&mstb=adawaretb&q={searchTerms}
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\SearchScopes\{4E53DBE1-A5F3-49FF-859C-5E4264B40F17}: "URL" = http://uk.kelkoopartners.net/ctl/do...e&x=true&y=true&partner=hp&partnerId=96913936
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&sourceid=ie7&rlz=1I7GPEA_enGB302
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\SearchScopes\{6DE46C00-CFF9-4A0D-A5DD-E673D0317C87}: "URL" = http://slirsredirect.search.aol.com...archTerms}&invocationType=tb50hpcndtie7-en-gb
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2A59}: "URL" = http://search.imesh.com/web?src=ieb&systemid=1&q={searchTerms}
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\SearchScopes\{A531D99C-5A22-449b-83DA-872725C6D0ED}: "URL" = http://search.alot.com/web?q={searc...id=31155&camp_id=5106&tb_version=1.2.2000.2(B)
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\SearchScopes\{CAD45A71-C81A-4209-B4B6-FF9EF797E590}: "URL" = http://www.bing.com/search?FORM=IEFM1&q={searchTerms}&src={referrer:source?}
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
  23. Tobydog

    Tobydog Newcomer, in training Topic Starter Posts: 44

    Second part of OTL log:



    ========== FireFox ==========

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_271.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Alcatel-Lucent)
    FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.4.53: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.4.53: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.4.53: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.4.53: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=15.0.4.53: c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
    FF - HKLM\Software\MozillaPlugins\@rim.com/npappworld: C:\Program Files\Research In Motion Limited\BlackBerry App World Browser Plugin\npappworld.dll ()
    FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
    FF - HKLM\Software\MozillaPlugins\@WildTangent.com/GamesAppPresenceDetector,Version=1.0: C:\Program Files\WildTangent Games\App\BrowserIntegration\Registered\3\NP_wtapp.dll ()
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Mark\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Mark\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/06/12 23:50:47 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\ProgramData\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2011/02/28 14:54:04 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/09/08 21:57:31 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{F04D2D30-776C-4d02-8627-8E4385ECA58D}: C:\ProgramData\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_2012.6.3.2\coFFPlgn\ [2012/09/16 21:47:29 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/06/12 23:50:47 | 000,000,000 | ---D | M]

    [2010/07/11 16:47:58 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mark\AppData\Roaming\Mozilla\Extensions
    [2010/07/11 16:47:58 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mark\AppData\Roaming\Mozilla\Extensions\home2@tomtom.com
    [2012/09/08 15:06:30 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/10/17 19:14:28 | 000,002,149 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\adawaretb.xml

    ========== Chrome ==========

    CHR - homepage:
    CHR - homepage:
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Users\Mark\AppData\Local\Google\Chrome\Application\21.0.1180.89\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Mark\AppData\Local\Google\Chrome\Application\21.0.1180.89\pdf.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Mark\AppData\Local\Google\Chrome\Application\21.0.1180.89\gcswf32.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_265.dll
    CHR - plugin: Skype Toolbars (Enabled) = C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.6.0.8442_0\npSkypeChromePlugin.dll
    CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
    CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
    CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
    CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
    CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
    CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
    CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
    CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
    CHR - plugin: Motive Plugin (Enabled) = C:\Program Files\Common Files\Motive\npMotive.dll
    CHR - plugin: RIM Handheld Application Loader (Enabled) = C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
    CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
    CHR - plugin: Google Updater (Enabled) = C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll
    CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll
    CHR - plugin: Java(TM) Platform SE 6 U31 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
    CHR - plugin: Musicnotes (Enabled) = C:\Program Files\Musicnotes\npmusicn.dll
    CHR - plugin: ScorchPlugin (Enabled) = C:\Program Files\Musicnotes\npsibelius.dll
    CHR - plugin: BlackBerry AppWorld (Enabled) = C:\Program Files\Research In Motion Limited\BlackBerry App World Browser Plugin\npappworld.dll
    CHR - plugin: MetaStream 3 Plugin (Enabled) = C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    CHR - plugin: Windows Live\u0099 Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
    CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    CHR - plugin: RealNetworks(tm) Chrome Background Extension Plug-In (32-bit) (Enabled) = C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
    CHR - plugin: RealPlayer(tm) HTML5VideoShim Plug-In (32-bit) (Enabled) = C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    CHR - plugin: RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = c:\program files\real\realplayer\Netscape6\nppl3260.dll
    CHR - plugin: RealPlayer Download Plugin (Enabled) = c:\program files\real\realplayer\Netscape6\nprpplugin.dll
    CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
    CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll
    CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
    CHR - plugin: RealJukebox NS Plugin (Enabled) = c:\program files\real\realplayer\Netscape6\nprjplug.dll
    CHR - Extension: YouTube = C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
    CHR - Extension: Google Search = C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
    CHR - Extension: Motive Extension = C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\edmgmpmklgfbohogafcfobonnkogchec\1.0_0\
    CHR - Extension: RealPlayer HTML5Video Downloader Extension = C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.5_0\
    CHR - Extension: Norton Identity Protection = C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk\2013.1.1.4_0\
    CHR - Extension: Gmail = C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

    O1 HOSTS File: ([2012/09/15 21:40:33 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (AOL Toolbar Launcher) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Broadband Toolbar 5.0\aoltb.dll (AOL LLC)
    O2 - BHO: (Norton Identity Protection) - {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} - C:\Program Files\Norton Identity Safe\Engine\2012.6.3.2\CoIEPlg.dll (Symantec Corporation)
    O3 - HKLM\..\Toolbar: (Norton Identity Safe Toolbar) - {A13C2648-91D4-4bf3-BC6D-0079707C4389} - C:\Program Files\Norton Identity Safe\Engine\2012.6.3.2\CoIEPlg.dll (Symantec Corporation)
    O3 - HKLM\..\Toolbar: (AOL Broadband Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Broadband Toolbar 5.0\aoltb.dll (AOL LLC)
    O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
    O3 - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O3 - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\Toolbar\WebBrowser: (AOL Broadband Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Broadband Toolbar 5.0\aoltb.dll (AOL LLC)
    O4 - HKLM..\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe" File not found
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe (Alcatel-Lucent)
    O4 - HKLM..\Run: [Google Updater] C:\Program Files\Google\Google Updater\GoogleUpdater.exe (Google)
    O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\aol\1219316984\ee\aolsoftware.exe (AOL LLC)
    O4 - HKLM..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe File not found
    O4 - HKLM..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)
    O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
    O4 - HKLM..\Run: [KBD] C:\hp\KBD\KbdStub.exe ()
    O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [OsdMaestro] C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe (OsdMaestro)
    O4 - HKLM..\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (Research In Motion Limited)
    O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
    O4 - HKLM..\Run: [SunJavaUpdateReg] C:\Windows\System32\jureg.exe (Sun Microsystems, Inc.)
    O4 - HKLM..\Run: [TkBellExe] c:\program files\real\realplayer\Update\realsched.exe (RealNetworks, Inc.)
    O4 - HKU\S-1-5-21-802167735-3406490535-3852651081-1000..\Run: [iCloudServices] C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe (Apple Inc.)
    O4 - HKU\S-1-5-21-802167735-3406490535-3852651081-1000..\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe (Apple Inc.)
    O4 - HKU\S-1-5-21-802167735-3406490535-3852651081-1000..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogoff = 0
    O7 - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableLockWorkstation = 0
    O7 - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 0
    O8 - Extra context menu item: &AOL Toolbar Search - c:\Program Files\AOL\AOL Broadband Toolbar 5.0\resources\en-GB\local\search.html ()
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O13 - gopher Prefix: missing
    O15 - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Object)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlcm.cab (Reg Error: Value error.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
    O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DF935B54-EE05-4BDB-BF19-E742BFB044C4}: DhcpNameServer = 192.168.1.254
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll) - C:\Program Files\Citrix\GoToAssist\570\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
    O24 - Desktop WallPaper: C:\Users\Mark\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
    O24 - Desktop BackupWallPaper: C:\Users\Mark\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
    O28 - HKLM ShellExecuteHooks: {E54729E8-BB3D-4270-9D49-7389EA579090} - C:\Windows\System32\ezUPBHook.dll (EasyBits Software Corp.)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2008/04/04 23:47:14 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/09/15 22:22:44 | 000,000,000 | ---D | C] -- C:\Users\Mark\Documents\log
    [2012/09/15 21:54:11 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012/09/15 21:40:43 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/09/15 21:19:41 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/09/15 21:19:41 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/09/15 21:19:41 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/09/15 21:19:33 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/09/15 21:18:54 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
    [2012/09/15 09:51:56 | 000,000,000 | ---D | C] -- C:\FRST
    [2012/09/13 20:51:00 | 000,132,744 | R--- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NST\7DC06030.002\ccSetx86.sys
    [2012/09/13 20:50:57 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Identity Safe
    [2012/09/13 20:50:57 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NST
    [2012/09/13 20:50:57 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Identity Safe
    [2012/09/13 20:50:57 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NST\7DC06030.002
    [2012/09/13 19:51:06 | 000,000,000 | ---D | C] -- C:\NBRT
    [2012/09/09 19:44:17 | 000,000,000 | ---D | C] -- C:\Users\Mark\AppData\Local\CrashDumps
    [2012/09/09 17:11:18 | 000,000,000 | ---D | C] -- C:\Users\Mark\AppData\Roaming\Malwarebytes
    [2012/09/09 17:11:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/09/09 09:11:27 | 000,000,000 | ---D | C] -- C:\ProgramData\SMR310
    [2012/09/09 09:11:09 | 000,097,440 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\SMR310.SYS
    [2012/09/08 17:16:38 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
    [2012/09/08 15:29:12 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NBRTWizard
    [2012/09/08 15:29:12 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NBRTWizard\0501000.01A
    [2012/09/08 15:29:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Bootable Recovery Tool Wizard
    [2012/09/08 15:29:10 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Bootable Recovery Tool Wizard
    [2012/09/08 14:52:28 | 000,000,000 | ---D | C] -- C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton
    [2012/09/07 22:04:20 | 000,000,000 | ---D | C] -- C:\Windows\System32\N360_BACKUP
    [2012/09/07 20:02:06 | 000,000,000 | ---D | C] -- C:\Users\Mark\AppData\Local\NPE
    [2012/09/07 19:33:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla
    [2012/09/07 19:30:24 | 000,000,000 | ---D | C] -- C:\Users\Mark\Documents\Symantec
    [2012/09/07 19:26:16 | 000,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller
    [2012/09/07 19:26:16 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
    [2012/09/07 18:31:23 | 000,000,000 | ---D | C] -- C:\Users\Mark\Sources
    [2012/09/07 18:09:30 | 000,000,000 | ---D | C] -- C:\Users\Mark\AppData\Local\NokiaAccount
    [2012/09/07 17:43:02 | 000,000,000 | ---D | C] -- C:\Users\Mark\Documents\NPS
    [2012/08/23 10:29:59 | 000,000,000 | ---D | C] -- C:\Users\Mark\AppData\Local\MediaShow
    [2012/08/23 10:26:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BT Desktop Help
    [2012/08/23 09:03:17 | 000,000,000 | ---D | C] -- C:\Users\Mark\AppData\Local\Power2Go8
    [2012/08/22 17:04:14 | 000,000,000 | ---D | C] -- C:\Users\Mark\AppData\Local\MediaServer
    [2012/08/22 17:04:14 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\CyberLink
    [2012/08/22 17:04:11 | 000,000,000 | ---D | C] -- C:\ProgramData\PDVD
    [2012/08/22 17:02:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NewBlue
    [2012/08/22 16:58:54 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\CyberLink
    [2012/08/22 16:54:16 | 000,000,000 | ---D | C] -- C:\Users\Mark\AppData\Local\Cyberlink
    [2012/08/22 16:51:42 | 000,000,000 | ---D | C] -- C:\ProgramData\install_clap
    [2012/08/22 16:47:38 | 000,000,000 | ---D | C] -- C:\ProgramData\CLSK
    [2009/04/10 16:47:51 | 000,047,360 | ---- | C] (VSO Software) -- C:\Users\Mark\AppData\Roaming\pcouffin.sys
    [1 C:\*.tmp files -> C:\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/09/16 22:25:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012/09/16 22:22:55 | 000,000,508 | ---- | M] () -- C:\Users\Mark\Desktop\OTL.exe - Shortcut.lnk
    [2012/09/16 21:56:15 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2012/09/16 21:45:23 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012/09/16 21:45:22 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/09/16 21:45:22 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/09/16 21:45:19 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/09/16 21:45:15 | 3488,915,456 | -HS- | M] () -- C:\hiberfil.sys
    [2012/09/16 19:36:13 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-802167735-3406490535-3852651081-1000UA.job
    [2012/09/16 10:14:00 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
    [2012/09/15 21:40:33 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2012/09/15 20:35:00 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-802167735-3406490535-3852651081-1000Core.job
    [2012/09/15 19:28:17 | 000,000,064 | ---- | M] () -- C:\Windows\System32\rp_stats.dat
    [2012/09/15 19:28:17 | 000,000,044 | ---- | M] () -- C:\Windows\System32\rp_rules.dat
    [2012/09/13 19:54:27 | 271,553,641 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [2012/09/13 19:36:20 | 000,000,873 | ---- | M] () -- C:\Users\Mark\Desktop\Norton Installation Files.lnk
    [2012/09/13 18:50:01 | 000,070,656 | ---- | M] () -- C:\Windows\System32\umstartup.etl
    [2012/09/12 10:22:20 | 000,033,046 | ---- | M] () -- C:\Users\Mark\AppData\Roaming\wklnhst.dat
    [2012/09/11 16:29:30 | 012,888,064 | ---- | M] () -- C:\Users\Mark\Documents\dan passport photo.wps
    [2012/09/09 18:51:46 | 000,064,000 | ---- | M] () -- C:\Users\Mark\Documents\DDS log 1 and 2.wps
    [2012/09/09 09:11:09 | 000,097,440 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\SMR310.SYS
    [2012/09/09 08:28:18 | 000,285,328 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2012/09/08 18:55:25 | 002,416,348 | ---- | M] () -- C:\Windows\System32\drivers\Cat.DB
    [2012/09/08 14:41:32 | 000,000,040 | ---- | M] () -- C:\Users\Public\Documents\_rgpl
    [2012/09/07 18:29:50 | 000,001,537 | ---- | M] () -- C:\Users\Mark\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Explorer.lnk
    [2012/09/07 18:29:44 | 000,001,537 | ---- | M] () -- C:\Users\Mark\Desktop\Windows Explorer.lnk
    [2012/09/07 18:14:29 | 000,604,124 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012/09/07 18:14:29 | 000,107,264 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012/09/07 17:47:10 | 000,000,134 | ---- | M] () -- C:\Users\Mark\Desktop\Programs.lnk
    [2012/09/01 21:39:28 | 000,038,400 | ---- | M] () -- C:\Users\Mark\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/08/27 12:39:38 | 001,483,597 | ---- | M] () -- C:\Users\Mark\Documents\scan0012.jpg
    [2012/08/25 11:46:19 | 001,122,273 | ---- | M] () -- C:\Users\Mark\Documents\Centauro.jpg
    [2012/08/23 10:26:46 | 000,001,095 | ---- | M] () -- C:\Users\Public\Desktop\BT Desktop Help.lnk
    [2012/08/22 17:38:01 | 000,001,046 | ---- | M] () -- C:\Users\Mark\Application Data\Microsoft\Internet Explorer\Quick Launch\CyberLink DVD Suite Deluxe.lnk
    [2012/08/22 15:37:57 | 1238,864,448 | ---- | M] () -- C:\Users\Mark\Documents\CyberLink_MES120105-04.exe
    [2012/08/22 04:14:29 | 000,000,172 | ---- | M] () -- C:\Windows\System32\drivers\NBRTWizard\0501000.01A\isolate.ini
    [2012/08/21 11:51:55 | 011,912,192 | ---- | M] () -- C:\Users\Mark\Documents\New @ Condado.wps
    [1 C:\*.tmp files -> C:\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/09/16 22:22:55 | 000,000,508 | ---- | C] () -- C:\Users\Mark\Desktop\OTL.exe - Shortcut.lnk
    [2012/09/15 21:19:41 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/09/15 21:19:41 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/09/15 21:19:41 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/09/15 21:19:41 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/09/15 21:19:41 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/09/15 20:42:41 | 3488,915,456 | -HS- | C] () -- C:\hiberfil.sys
    [2012/09/13 20:50:58 | 000,000,827 | R--- | C] () -- C:\Windows\System32\drivers\NST\7DC06030.002\ccSetx86.inf
    [2012/09/13 20:50:57 | 000,007,468 | R--- | C] () -- C:\Windows\System32\drivers\NST\7DC06030.002\ccsetx86.cat
    [2012/09/13 20:50:57 | 000,000,172 | ---- | C] () -- C:\Windows\System32\drivers\NST\7DC06030.002\isolate.ini
    [2012/09/11 16:29:27 | 012,888,064 | ---- | C] () -- C:\Users\Mark\Documents\dan passport photo.wps
    [2012/09/09 18:51:45 | 000,064,000 | ---- | C] () -- C:\Users\Mark\Documents\DDS log 1 and 2.wps
    [2012/09/08 18:52:20 | 002,416,348 | ---- | C] () -- C:\Windows\System32\drivers\Cat.DB
    [2012/09/08 15:29:12 | 000,000,172 | ---- | C] () -- C:\Windows\System32\drivers\NBRTWizard\0501000.01A\isolate.ini
    [2012/09/08 14:52:28 | 000,000,873 | ---- | C] () -- C:\Users\Mark\Desktop\Norton Installation Files.lnk
    [2012/09/08 14:41:32 | 000,000,040 | ---- | C] () -- C:\Users\Public\Documents\_rgpl
    [2012/09/07 18:29:50 | 000,001,537 | ---- | C] () -- C:\Users\Mark\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Explorer.lnk
    [2012/09/07 18:29:44 | 000,001,537 | ---- | C] () -- C:\Users\Mark\Desktop\Windows Explorer.lnk
    [2012/09/07 17:47:10 | 000,000,134 | ---- | C] () -- C:\Users\Mark\Desktop\Programs.lnk
    [2012/08/25 11:47:12 | 001,122,273 | ---- | C] () -- C:\Users\Mark\Documents\Centauro.jpg
    [2012/08/23 10:26:46 | 000,001,095 | ---- | C] () -- C:\Users\Public\Desktop\BT Desktop Help.lnk
    [2012/08/22 17:38:01 | 000,001,046 | ---- | C] () -- C:\Users\Mark\Application Data\Microsoft\Internet Explorer\Quick Launch\CyberLink DVD Suite Deluxe.lnk
    [2012/08/22 15:23:29 | 1238,864,448 | ---- | C] () -- C:\Users\Mark\Documents\CyberLink_MES120105-04.exe
    [2012/08/21 11:51:55 | 011,912,192 | ---- | C] () -- C:\Users\Mark\Documents\New @ Condado.wps
    [2012/02/06 15:36:11 | 000,000,037 | ---- | C] () -- C:\Windows\Qtw.ini
    [2012/01/16 13:01:48 | 003,304,960 | ---- | C] () -- C:\Users\Mark\Dancard6.wps
    [2011/11/26 13:25:20 | 000,000,064 | ---- | C] () -- C:\Windows\System32\rp_stats.dat
    [2011/11/26 13:25:20 | 000,000,044 | ---- | C] () -- C:\Windows\System32\rp_rules.dat
    [2011/06/16 23:42:54 | 000,000,000 | ---- | C] () -- C:\Users\Mark\AppData\Local\{0F4A96EB-8BAE-4078-A0D4-DEF926CD6265}
    [2011/06/15 23:52:23 | 000,000,000 | ---- | C] () -- C:\Users\Mark\AppData\Local\{3B110506-E16A-4CEB-9457-D618758456B5}
    [2011/05/31 17:41:20 | 000,110,592 | ---- | C] () -- C:\Windows\System32\FsUsbExDevice.Dll
    [2011/05/31 17:41:20 | 000,036,608 | ---- | C] () -- C:\Windows\System32\FsUsbExDisk.Sys
    [2011/04/09 18:55:28 | 000,179,261 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
    [2010/06/03 10:13:04 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
    [2009/10/20 07:28:56 | 000,000,680 | ---- | C] () -- C:\Users\Mark\AppData\Local\d3d9caps.dat
    [2009/04/10 16:47:51 | 000,007,887 | ---- | C] () -- C:\Users\Mark\AppData\Roaming\pcouffin.cat
    [2009/04/10 16:47:51 | 000,001,144 | ---- | C] () -- C:\Users\Mark\AppData\Roaming\pcouffin.inf
    [2009/02/17 11:09:36 | 000,000,000 | ---- | C] () -- C:\ProgramData\LauncherAccess.dt
    [2008/10/06 16:38:15 | 000,038,400 | ---- | C] () -- C:\Users\Mark\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2008/08/20 12:38:24 | 000,033,046 | ---- | C] () -- C:\Users\Mark\AppData\Roaming\wklnhst.dat

    ========== LOP Check ==========

    [2011/05/07 11:16:55 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\acccore
    [2009/09/06 20:34:15 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Alawar
    [2009/02/17 10:40:27 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Amazon
    [2009/06/30 21:38:18 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
    [2010/04/25 19:27:58 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\eGames
    [2010/04/09 10:13:04 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Farm Mania
    [2010/09/17 21:23:27 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Friday's games
    [2009/05/06 19:49:47 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Gamelab
    [2012/09/08 18:51:33 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\GetRightToGo
    [2010/03/21 13:47:36 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Home Sweet Home Christmas
    [2012/05/03 20:15:14 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\LEGO Company
    [2009/10/27 18:20:58 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Nokia
    [2009/09/09 18:44:51 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\PC Suite
    [2010/03/18 19:45:29 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\PlayFirst
    [2011/04/11 19:10:56 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Registry Mechanic
    [2011/11/01 21:45:06 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Research In Motion
    [2012/09/07 18:52:56 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Samsung
    [2009/03/26 08:21:14 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\SaveThePuppy
    [2010/02/21 10:53:27 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\SBTT
    [2010/10/19 17:13:52 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Template
    [2009/09/06 20:31:44 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\TikGames
    [2010/07/11 16:47:57 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\TomTom
    [2012/09/08 21:58:21 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\uTorrent
    [2012/09/01 22:35:53 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Vso
    [2009/12/28 13:58:24 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Wild Tangent
    [2011/03/29 18:29:31 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\WildTangent
    [2008/11/19 22:03:40 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\WinBatch
    [2012/09/16 20:18:41 | 000,032,600 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 64 bytes -> C:\Users\Mark\Documents\snow angel.MOV:TOC.WMV
    @Alternate Data Stream - 64 bytes -> C:\Users\Mark\Documents\sliding on snow.MOV:TOC.WMV
    @Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:DFC5A2B2
    @Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:D1B5B4F1
    < End of report >
  24. Broni

    Broni Malware Annihilator Posts: 46,182   +251

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      DRV - File not found [Kernel | Boot | Stopped] -- system32\drivers\TfSysMon.sys -- (TfSysMon)
      DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\TfNetMon.sys -- (TfNetMon)
      DRV - File not found [Kernel | Boot | Stopped] -- system32\drivers\TfFsMon.sys -- (TfFsMon)
      DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys -- (Lavasoft Kernexplorer)
      O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
      O3 - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
      O4 - HKLM..\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe" File not found
      O4 - HKLM..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe File not found
      O16 - DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlcm.cab (Reg Error: Value error.)
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      [2012/09/15 09:51:56 | 000,000,000 | ---D | C] -- C:\FRST
      [2011/04/11 19:10:56 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Registry Mechanic
      @Alternate Data Stream - 64 bytes -> C:\Users\Mark\Documents\snow angel.MOV:TOC.WMV
      @Alternate Data Stream - 64 bytes -> C:\Users\Mark\Documents\sliding on snow.MOV:TOC.WMV
      @Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:DFC5A2B2
      @Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:D1B5B4F1
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    NOTE. If for any reason OTL stalls (most likely at "killing processes..." step) run the fix from safe mode.

    ====================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.

    3. Please download AdwCleaner by Xplode onto your desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[R1].txt as well.

    4. Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.

    5. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
  25. Tobydog

    Tobydog Newcomer, in training Topic Starter Posts: 44

    Hi Broni

    Thanks

    Here's the latest OTL log - OTL ran without stalling

    I will run the Security Check next and will post the checkup.txt asap


    All processes killed
    ========== OTL ==========
    Service TfSysMon stopped successfully!
    Service TfSysMon deleted successfully!
    File system32\drivers\TfSysMon.sys not found.
    Service TfNetMon stopped successfully!
    Service TfNetMon deleted successfully!
    File C:\Windows\system32\drivers\TfNetMon.sys not found.
    Service TfFsMon stopped successfully!
    Service TfFsMon deleted successfully!
    File system32\drivers\TfFsMon.sys not found.
    Service Lavasoft Kernexplorer stopped successfully!
    Service Lavasoft Kernexplorer deleted successfully!
    File C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\10 deleted successfully.
    Registry value HKEY_USERS\S-1-5-21-802167735-3406490535-3852651081-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Ad-Aware Browsing Protection deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\HP Health Check Scheduler deleted successfully.
    Starting removal of ActiveX control {44990B00-3C9D-426D-81DF-AAB636FA4345}
    C:\Windows\Downloaded Program Files\tgctlcm.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{44990B00-3C9D-426D-81DF-AAB636FA4345}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44990B00-3C9D-426D-81DF-AAB636FA4345}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44990B00-3C9D-426D-81DF-AAB636FA4345}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44990B00-3C9D-426D-81DF-AAB636FA4345}\ not found.
    Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
    C:\Windows\Downloaded Program Files\erma.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\Windows\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Folder move failed. C:\FRST\Quarantine\{4a3e861e-894a-adb2-035b-695524750cd2}\{4a3e861e-894a-adb2-035b-695524750cd2} scheduled to be moved on reboot.
    C:\FRST\Quarantine\{4a3e861e-894a-adb2-035b-695524750cd2}\U folder moved successfully.
    C:\FRST\Quarantine\{4a3e861e-894a-adb2-035b-695524750cd2} folder moved successfully.
    C:\FRST\Quarantine folder moved successfully.
    C:\FRST\Logs folder moved successfully.
    C:\FRST\Hives folder moved successfully.
    C:\FRST folder moved successfully.
    C:\Users\Mark\AppData\Roaming\Registry Mechanic folder moved successfully.
    ADS C:\Users\Mark\Documents\snow angel.MOV:TOC.WMV deleted successfully.
    ADS C:\Users\Mark\Documents\sliding on snow.MOV:TOC.WMV deleted successfully.
    ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.
    ADS C:\ProgramData\TEMP:D1B5B4F1 deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 41085 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Mark
    ->Temp folder emptied: 1962363820 bytes
    ->Temporary Internet Files folder emptied: 259265986 bytes
    ->Java cache emptied: 15792062 bytes
    ->Google Chrome cache emptied: 300195929 bytes
    ->Apple Safari cache emptied: 1129472 bytes
    ->Flash cache emptied: 2142395 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 14648 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 57986 bytes
    RecycleBin emptied: 2718517 bytes

    Total Files Cleaned = 2,426.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: Mark
    ->Java cache emptied: 0 bytes

    User: Public

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Mark
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.56.0 log created on 09172012_093723
    Files\Folders moved on Reboot...
    File\Folder C:\FRST\Quarantine\{4a3e861e-894a-adb2-035b-695524750cd2}\{4a3e861e-894a-adb2-035b-695524750cd2} not found!
    PendingFileRenameOperations files...
    File C:\FRST\Quarantine\{4a3e861e-894a-adb2-035b-695524750cd2}\{4a3e861e-894a-adb2-035b-695524750cd2} not found!
    Registry entries deleted on Reboot...


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.