Hi - TrojanZeroAccessinf - please bail me out!

Discussion in 'Virus and Malware Removal' started by Tobydog, Sep 9, 2012.

  1. Tobydog Newcomer, in training Posts: 44

    Thanks Broni

    I am booting to System Recovery Options via the F8 button - I will try a different flash drive
  2. Tobydog Newcomer, in training Posts: 44

    Hi Broni

    I've tried two different flashdrives, three in all - same result - 'No fixlist.txt found' - I can definitely see FRST and the fixlist on the flashdrive in System Recovery Operations - it's the same flashdrive I used for the previous scans and logs
  3. Broni Malware Annihilator Posts: 39,398   +177

    Make sure the file is named "fixlist.txt" and nothing else, like having a double extension.
    Look at the FRST file. Do you see "FRST.exe" or just "FRST"?
  4. Tobydog Newcomer, in training Posts: 44

    Hi Broni

    The fixlist.txt ran!

    Here's the log

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 16-09-2012 01
    Ran by SYSTEM at 2012-09-16 21:40:12 Run:2
    Running from K:\

    ==============================================

    BCD not restored.
    DEFAULT restored successfuly.
    SAM restored successfuly.
    SECURITY restored successfuly.
    SOFTWARE restored successfuly.
    hiv-backup\BCD not found.
    SYSTEM restored successfuly.

    ==== End of Fixlog ====
  5. Tobydog Newcomer, in training Posts: 44

    Hi Broni

    Internet connection restored! :) Excellent - Thank you, thank you

    I'm sending this using the problem computer

    I'm getting a message that I'm 'viewing pages over a secure connection - Any information I exchange with this site cannot be viewed by anyone else on the web', or, I'm 'leaving a secure connection and that any information I exchange may be viewed by others'
  6. Broni Malware Annihilator Posts: 39,398   +177

    Good news :)

    The above message is a standard IE warning. See here: http://forums.techguy.org/general-security/975873-solved-security-alert-when-starting.html

    Any current issues?

    ===============================

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  7. Tobydog Newcomer, in training Posts: 44

    Hi Broni

    Thanks for your continued support

    No other apparent issues to report - although the computer appears to be running a little quicker

    Here's the OTL log

    OTL logfile created on: 16/09/2012 22:24:14 - Run 1
    OTL by OldTimer - Version 3.2.61.5 Folder = C:\Users\Mark\Downloads
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    3.25 Gb Total Physical Memory | 2.22 Gb Available Physical Memory | 68.42% Memory free
    6.71 Gb Paging File | 5.68 Gb Available in Paging File | 84.63% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 455.51 Gb Total Space | 183.73 Gb Free Space | 40.33% Space Free | Partition Type: NTFS
    Drive D: | 10.25 Gb Total Space | 1.08 Gb Free Space | 10.57% Space Free | Partition Type: NTFS
    Drive K: | 1.86 Gb Total Space | 1.86 Gb Free Space | 99.84% Space Free | Partition Type: FAT

    Computer Name: MARK-PC | User Name: Mark | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/09/16 22:13:25 | 000,600,064 | ---- | M] (OldTimer Tools) -- C:\Users\Mark\Downloads\OTL.exe
    PRC - [2012/08/27 12:10:29 | 000,690,888 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\Macromed\Flash\FlashUtil32_11_4_402_265_ActiveX.exe
    PRC - [2012/07/27 21:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    PRC - [2012/07/05 06:58:58 | 001,988,608 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
    PRC - [2012/05/14 14:47:48 | 000,296,056 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\Update\realsched.exe
    PRC - [2012/03/28 00:14:06 | 000,138,232 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Identity Safe\Engine\2012.6.3.2\ccSvcHst.exe
    PRC - [2012/03/02 22:34:26 | 000,361,472 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\Common Files\Motive\pcCMService.exe
    PRC - [2012/02/23 13:30:40 | 000,059,240 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
    PRC - [2012/02/23 13:22:56 | 000,059,240 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe
    PRC - [2011/11/02 02:00:44 | 000,090,448 | ---- | M] (Research In Motion Limited) -- C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
    PRC - [2011/03/09 13:30:08 | 000,247,728 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
    PRC - [2011/03/09 13:30:08 | 000,092,592 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    PRC - [2009/04/11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2008/08/21 18:15:40 | 000,033,792 | ---- | M] (EasyBits Software Corp.) -- C:\Windows\System32\ezntsvc.exe
    PRC - [2008/07/03 12:27:12 | 006,266,880 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
    PRC - [2008/06/24 19:34:50 | 000,041,824 | ---- | M] (AOL LLC) -- C:\Program Files\Common Files\aol\1219316984\ee\aolsoftware.exe
    PRC - [2008/06/02 19:50:34 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    PRC - [2008/06/02 19:50:32 | 000,178,712 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    PRC - [2008/01/19 08:33:27 | 000,151,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\schtasks.exe
    PRC - [2007/04/18 16:01:34 | 000,065,536 | ---- | M] (Hewlett-Packard Company) -- C:\hp\support\hpsysdrv.exe
    PRC - [2007/02/15 12:59:00 | 000,118,784 | ---- | M] (OsdMaestro) -- C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012/06/14 09:06:43 | 011,820,032 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\508b444db523c5cf20ff12c7f440837b\System.Web.ni.dll
    MOD - [2012/06/14 09:04:42 | 012,433,920 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\f2691cfa7671cdc58179e56ba9227591\System.Windows.Forms.ni.dll
    MOD - [2012/06/14 09:04:33 | 001,592,320 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\18f9789aa214c657113e676b3a9015aa\System.Drawing.ni.dll
    MOD - [2012/06/14 09:04:11 | 014,329,856 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\7343fbab1ba137db2f8b284047ef3f3c\PresentationFramework.ni.dll
    MOD - [2012/06/14 09:01:36 | 012,219,392 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\7b6293b0c23321c255c2530aea8e32bb\PresentationCore.ni.dll
    MOD - [2012/05/10 17:39:35 | 000,187,904 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationTypes\5ebaa15cccc356bc3afba0c8f56977f7\UIAutomationTypes.ni.dll
    MOD - [2012/05/10 17:39:21 | 000,998,400 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\f3d4d5fe5ab848fbfcf91a49960dc8ae\System.Management.ni.dll
    MOD - [2012/05/10 17:37:23 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\846b9cf2756fdd15f704c9bab9c70b6f\System.Runtime.Remoting.ni.dll
    MOD - [2012/05/10 17:36:54 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\bd76aaaa03ddc15d1840207b5a480644\System.Configuration.ni.dll
    MOD - [2012/05/10 17:35:22 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\d2630342a066a7cb9056d9eb6157687a\System.Xml.ni.dll
    MOD - [2012/05/10 17:34:44 | 006,621,696 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\bfdd10e0a0aacf46bac557ffc5d55ba5\System.Data.ni.dll
    MOD - [2012/05/10 17:34:34 | 000,368,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\c8c3ab08933fef9fb6657da871395c46\PresentationFramework.Aero.ni.dll
    MOD - [2012/05/10 17:34:04 | 003,325,952 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\54426ee1881b42af5b090e223f43823c\WindowsBase.ni.dll
    MOD - [2012/05/10 17:33:57 | 007,953,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\28d633338fc8d29f8af31935ef7d001b\System.ni.dll
    MOD - [2012/05/10 17:33:21 | 011,492,352 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\af9c9e9d7e0523cd444f8b551baa9cbf\mscorlib.ni.dll
    MOD - [2011/06/24 22:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
    MOD - [2011/06/24 22:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
    MOD - [2009/08/05 11:26:14 | 000,061,440 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\Pillars\PCAlerts\PCAlertsPillar.dll
    MOD - [2009/08/05 11:26:12 | 000,131,072 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\Pillars\ECenter\ECLibrary.dll
    MOD - [2009/08/05 11:26:06 | 000,040,960 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingServer.dll
    MOD - [2009/08/05 11:26:06 | 000,007,680 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\RemotingClient.dll
    MOD - [2009/08/05 11:26:04 | 000,036,864 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingClients.dll
    MOD - [2009/08/05 11:26:04 | 000,005,632 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingInterface.dll
    MOD - [2009/08/05 11:26:00 | 000,028,672 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingMessages.dll
    MOD - [2009/08/05 11:25:50 | 000,028,672 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll
    MOD - [2009/03/30 05:42:17 | 002,933,760 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
    MOD - [2008/04/04 23:40:01 | 000,086,016 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\HP.ActiveSupportLibrary\2.0.0.1__01a974bc1760f423\HP.ActiveSupportLibrary.dll


    ========== Services (SafeList) ==========

    SRV - [2012/08/27 12:10:30 | 000,250,568 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2012/07/27 21:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2012/03/28 00:14:06 | 000,138,232 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Identity Safe\Engine\2012.6.3.2\ccSvcHst.exe -- (NCO)
    SRV - [2012/03/02 22:34:26 | 000,361,472 | ---- | M] (Alcatel-Lucent) [Auto | Running] -- C:\Program Files\Common Files\Motive\pcCMService.exe -- (pcCMService)
    SRV - [2011/06/17 09:42:27 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe -- (GoToAssist)
    SRV - [2011/06/08 13:02:00 | 000,633,856 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
    SRV - [2011/03/09 13:30:08 | 000,092,592 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
    SRV - [2010/10/12 18:59:12 | 000,206,072 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\WildTangent Games\App\GamesAppService.exe -- (GamesAppService)
    SRV - [2008/08/21 18:15:40 | 000,033,792 | ---- | M] (EasyBits Software Corp.) [Auto | Running] -- C:\Windows\System32\ezntsvc.exe -- (ezntsvc)
    SRV - [2008/06/02 19:50:34 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON)
    SRV - [2006/10/23 13:50:35 | 000,046,640 | R--- | M] (AOL LLC) [Auto | Stopped] -- C:\Program Files\Common Files\aol\acs\AOLacsd.exe -- (AOL ACS)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | Boot | Stopped] -- system32\drivers\TfSysMon.sys -- (TfSysMon)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\TfNetMon.sys -- (TfNetMon)
    DRV - File not found [Kernel | Boot | Stopped] -- system32\drivers\TfFsMon.sys -- (TfFsMon)
    DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\RimUsb.sys -- (RimUsb)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS -- (MRENDIS5)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS -- (MREMPR5)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys -- (Lavasoft Kernexplorer)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
    DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
    DRV - [2012/09/09 09:11:09 | 000,097,440 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\SMR310.SYS -- (SMR310)
    DRV - [2012/07/05 06:58:02 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
    DRV - [2012/07/05 06:57:44 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
    DRV - [2011/11/30 00:44:14 | 000,132,744 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\NST\7DC06030.002\ccSetx86.sys -- (ccSet_NST)
    DRV - [2011/05/31 17:52:57 | 000,005,632 | ---- | M] () [File_System | System | Running] -- C:\Windows\System32\drivers\StarOpen.sys -- (StarOpen)
    DRV - [2009/03/31 09:39:36 | 000,036,608 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\FsUsbExDisk.Sys -- (FsUsbExDisk)
    DRV - [2008/08/26 10:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pccsmcfd.sys -- (pccsmcfd)
    DRV - [2008/01/10 20:57:00 | 008,237,120 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2007/10/03 17:18:12 | 000,099,840 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
    DRV - [2006/11/29 23:24:57 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\wanatw4.sys -- (wanatw)
    DRV - [2005/12/12 17:27:00 | 000,019,072 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PS2.sys -- (Ps2)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Pavilion&pf=desktop
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.voover.com/
    IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.aol.co.uk/web?isinit=true&query=%s
    IE - HKLM\..\SearchScopes\{4E53DBE1-A5F3-49FF-859C-5E4264B40F17}: "URL" = http://uk.kelkoopartners.net/ctl/do...e&x=true&y=true&partner=hp&partnerId=96913936
    IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7
    IE - HKLM\..\SearchScopes\{6DE46C00-CFF9-4A0D-A5DD-E673D0317C87}: "URL" = http://slirsredirect.search.aol.com...archTerms}&invocationType=tb50hpcndtie7-en-gb
    IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2A59}: "URL" = http://search.imesh.com/web?src=ieb&systemid=1&q={searchTerms}


    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
    IE - HKU\.DEFAULT\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://www.google.com/search?ie=utf-8&oe=utf-8&mssrc=ms_chr&mstb=adawaretb&q={searchTerms}
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
    IE - HKU\S-1-5-18\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://www.google.com/search?ie=utf-8&oe=utf-8&mssrc=ms_chr&mstb=adawaretb&q={searchTerms}
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 41 46 86 A5 D5 BF CA 01 [binary data]
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\SearchScopes,DefaultScope = {A531D99C-5A22-449b-83DA-872725C6D0ED}
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.aol.co.uk/web?isinit=true&query=%s
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask.com/redirect?c...pn_sauid=8BAF374B-748A-4EAB-8821-4AF7B70D7624
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\SearchScopes\{1DCA0845-D10E-4C2B-B949-1B4D1A1378AB}: "URL" = http://search.aol.co.uk/aolcom/search?query={searchTerms}&invocationType=msie70a
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://www.google.com/search?ie=utf-8&oe=utf-8&mssrc=ms_chr&mstb=adawaretb&q={searchTerms}
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\SearchScopes\{4E53DBE1-A5F3-49FF-859C-5E4264B40F17}: "URL" = http://uk.kelkoopartners.net/ctl/do...e&x=true&y=true&partner=hp&partnerId=96913936
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&sourceid=ie7&rlz=1I7GPEA_enGB302
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\SearchScopes\{6DE46C00-CFF9-4A0D-A5DD-E673D0317C87}: "URL" = http://slirsredirect.search.aol.com...archTerms}&invocationType=tb50hpcndtie7-en-gb
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2A59}: "URL" = http://search.imesh.com/web?src=ieb&systemid=1&q={searchTerms}
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\SearchScopes\{A531D99C-5A22-449b-83DA-872725C6D0ED}: "URL" = http://search.alot.com/web?q={searc...id=31155&camp_id=5106&tb_version=1.2.2000.2(B)
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\SearchScopes\{CAD45A71-C81A-4209-B4B6-FF9EF797E590}: "URL" = http://www.bing.com/search?FORM=IEFM1&q={searchTerms}&src={referrer:source?}
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
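As an added example (not code from this thread, from OTL, or from its author), here is a small Python parser for the PRC/SRV/DRV lines of an OTL log like the one posted above. It separates orphaned registrations ("File not found", a service or driver still registered although its file is gone) from loaded binaries that carry no company name, which is the first pass a helper makes when reading such a log. The sample lines are copied from the log above; the `Entry`/`Finding` names and the "orphan"/"verify" categories are my own.

```python
import re
from dataclasses import dataclass

# A few lines copied from the OTL log in the thread (constructed sample input).
SAMPLE_LOG = r"""
PRC - [2012/09/16 22:13:25 | 000,600,064 | ---- | M] (OldTimer Tools) -- C:\Users\Mark\Downloads\OTL.exe
PRC - [2012/03/28 00:14:06 | 000,138,232 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Identity Safe\Engine\2012.6.3.2\ccSvcHst.exe
SRV - [2012/07/27 21:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
DRV - File not found [Kernel | Boot | Stopped] -- system32\drivers\TfSysMon.sys -- (TfSysMon)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS -- (MRENDIS5)
DRV - [2012/07/05 06:58:02 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2011/05/31 17:52:57 | 000,005,632 | ---- | M] () [File_System | System | Running] -- C:\Windows\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2009/03/31 09:39:36 | 000,036,608 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\FsUsbExDisk.Sys -- (FsUsbExDisk)
"""

# Line with a file present:
#   KIND - [timestamp | size | attrs | M] (Company) [state] -- path -- (service name)
# The [state] and trailing "-- (name)" parts only appear on SRV/DRV lines.
# Company names may themselves contain parentheses, so the company group is
# matched lazily and must be followed by either " [" or " -- ".
FOUND_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - "
    r"\[(?P<stamp>[^|\]]+) \| (?P<size>[\d,]+) \| (?P<attrs>[^|\]]+) \| M\] "
    r"\((?P<company>.*?)\)(?= \[| -- )"
    r"(?: \[(?P<state>[^\]]+)\])?"
    r" -- (?P<path>.+?)(?: -- \((?P<name>[^)]+)\))?$"
)

# Registered service/driver whose binary is missing on disk.
MISSING_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - File not found \[(?P<state>[^\]]+)\]"
    r" -- (?P<path>.+?) -- \((?P<name>[^)]+)\)$"
)


@dataclass
class Entry:
    kind: str
    path: str
    company: str = ""
    name: str = ""
    state: str = ""
    stamp: str = ""
    size: int = 0
    attrs: str = ""
    missing: bool = False


@dataclass
class Finding:
    category: str  # "orphan" (stale registration) or "verify" (no publisher)
    entry: Entry
    note: str


def parse_otl(text: str) -> list[Entry]:
    """Parse PRC/MOD/SRV/DRV lines; unrelated lines (headers, IE keys) are skipped."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = MISSING_RE.match(line)
        if m:
            entries.append(Entry(kind=m["kind"], path=m["path"], name=m["name"],
                                 state=m["state"], missing=True))
            continue
        m = FOUND_RE.match(line)
        if m:
            entries.append(Entry(
                kind=m["kind"], path=m["path"], company=m["company"].strip(),
                name=m["name"] or "", state=m["state"] or "",
                stamp=m["stamp"].strip(), size=int(m["size"].replace(",", "")),
                attrs=m["attrs"].strip()))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Two checks an analyst makes first on the process/service/driver sections."""
    findings: list[Finding] = []
    for e in entries:
        if e.missing:
            findings.append(Finding("orphan", e,
                f"{e.kind} '{e.name}' is registered as [{e.state}] but {e.path} is absent; "
                f"stale entry to clean up"))
        elif e.kind in ("PRC", "SRV", "DRV") and not e.company:
            # MOD lines are skipped: OTL lists only no-company modules there anyway.
            running = " and is running" if "Running" in e.state else ""
            findings.append(Finding("verify", e,
                f"{e.kind} '{e.name or e.path}' has no company name{running}; "
                f"confirm the publisher and check the file hash"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_otl(SAMPLE_LOG)):
        print(f"[{f.category}] {f.note}")
```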
  8. Tobydog Newcomer, in training Posts: 44

    Second part of OTL log:



    ========== FireFox ==========

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_271.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Alcatel-Lucent)
    FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.4.53: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.4.53: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.4.53: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.4.53: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=15.0.4.53: c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
    FF - HKLM\Software\MozillaPlugins\@rim.com/npappworld: C:\Program Files\Research In Motion Limited\BlackBerry App World Browser Plugin\npappworld.dll ()
    FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
    FF - HKLM\Software\MozillaPlugins\@WildTangent.com/GamesAppPresenceDetector,Version=1.0: C:\Program Files\WildTangent Games\App\BrowserIntegration\Registered\3\NP_wtapp.dll ()
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Mark\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Mark\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/06/12 23:50:47 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\ProgramData\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2011/02/28 14:54:04 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/09/08 21:57:31 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{F04D2D30-776C-4d02-8627-8E4385ECA58D}: C:\ProgramData\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_2012.6.3.2\coFFPlgn\ [2012/09/16 21:47:29 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/06/12 23:50:47 | 000,000,000 | ---D | M]

    [2010/07/11 16:47:58 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mark\AppData\Roaming\Mozilla\Extensions
    [2010/07/11 16:47:58 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mark\AppData\Roaming\Mozilla\Extensions\home2@tomtom.com
    [2012/09/08 15:06:30 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/10/17 19:14:28 | 000,002,149 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\adawaretb.xml

    ========== Chrome ==========

    CHR - homepage:
    CHR - homepage:
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Users\Mark\AppData\Local\Google\Chrome\Application\21.0.1180.89\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Mark\AppData\Local\Google\Chrome\Application\21.0.1180.89\pdf.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Mark\AppData\Local\Google\Chrome\Application\21.0.1180.89\gcswf32.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_265.dll
    CHR - plugin: Skype Toolbars (Enabled) = C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.6.0.8442_0\npSkypeChromePlugin.dll
    CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
    CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
    CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
    CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
    CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
    CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
    CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
    CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
    CHR - plugin: Motive Plugin (Enabled) = C:\Program Files\Common Files\Motive\npMotive.dll
    CHR - plugin: RIM Handheld Application Loader (Enabled) = C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
    CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
    CHR - plugin: Google Updater (Enabled) = C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll
    CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll
    CHR - plugin: Java(TM) Platform SE 6 U31 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
    CHR - plugin: Musicnotes (Enabled) = C:\Program Files\Musicnotes\npmusicn.dll
    CHR - plugin: ScorchPlugin (Enabled) = C:\Program Files\Musicnotes\npsibelius.dll
    CHR - plugin: BlackBerry AppWorld (Enabled) = C:\Program Files\Research In Motion Limited\BlackBerry App World Browser Plugin\npappworld.dll
    CHR - plugin: MetaStream 3 Plugin (Enabled) = C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    CHR - plugin: Windows Live\u0099 Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
    CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    CHR - plugin: RealNetworks(tm) Chrome Background Extension Plug-In (32-bit) (Enabled) = C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
    CHR - plugin: RealPlayer(tm) HTML5VideoShim Plug-In (32-bit) (Enabled) = C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    CHR - plugin: RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = c:\program files\real\realplayer\Netscape6\nppl3260.dll
    CHR - plugin: RealPlayer Download Plugin (Enabled) = c:\program files\real\realplayer\Netscape6\nprpplugin.dll
    CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
    CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll
    CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
    CHR - plugin: RealJukebox NS Plugin (Enabled) = c:\program files\real\realplayer\Netscape6\nprjplug.dll
    CHR - Extension: YouTube = C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
    CHR - Extension: Google Search = C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
    CHR - Extension: Motive Extension = C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\edmgmpmklgfbohogafcfobonnkogchec\1.0_0\
    CHR - Extension: RealPlayer HTML5Video Downloader Extension = C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.5_0\
    CHR - Extension: Norton Identity Protection = C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk\2013.1.1.4_0\
    CHR - Extension: Gmail = C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

    O1 HOSTS File: ([2012/09/15 21:40:33 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (AOL Toolbar Launcher) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Broadband Toolbar 5.0\aoltb.dll (AOL LLC)
    O2 - BHO: (Norton Identity Protection) - {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} - C:\Program Files\Norton Identity Safe\Engine\2012.6.3.2\CoIEPlg.dll (Symantec Corporation)
    O3 - HKLM\..\Toolbar: (Norton Identity Safe Toolbar) - {A13C2648-91D4-4bf3-BC6D-0079707C4389} - C:\Program Files\Norton Identity Safe\Engine\2012.6.3.2\CoIEPlg.dll (Symantec Corporation)
    O3 - HKLM\..\Toolbar: (AOL Broadband Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Broadband Toolbar 5.0\aoltb.dll (AOL LLC)
    O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
    O3 - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O3 - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\Toolbar\WebBrowser: (AOL Broadband Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Broadband Toolbar 5.0\aoltb.dll (AOL LLC)
    O4 - HKLM..\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe" File not found
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe (Alcatel-Lucent)
    O4 - HKLM..\Run: [Google Updater] C:\Program Files\Google\Google Updater\GoogleUpdater.exe (Google)
    O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\aol\1219316984\ee\aolsoftware.exe (AOL LLC)
    O4 - HKLM..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe File not found
    O4 - HKLM..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)
    O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
    O4 - HKLM..\Run: [KBD] C:\hp\KBD\KbdStub.exe ()
    O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [OsdMaestro] C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe (OsdMaestro)
    O4 - HKLM..\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (Research In Motion Limited)
    O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
    O4 - HKLM..\Run: [SunJavaUpdateReg] C:\Windows\System32\jureg.exe (Sun Microsystems, Inc.)
    O4 - HKLM..\Run: [TkBellExe] c:\program files\real\realplayer\Update\realsched.exe (RealNetworks, Inc.)
    O4 - HKU\S-1-5-21-802167735-3406490535-3852651081-1000..\Run: [iCloudServices] C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe (Apple Inc.)
    O4 - HKU\S-1-5-21-802167735-3406490535-3852651081-1000..\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe (Apple Inc.)
    O4 - HKU\S-1-5-21-802167735-3406490535-3852651081-1000..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogoff = 0
    O7 - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableLockWorkstation = 0
    O7 - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 0
    O8 - Extra context menu item: &AOL Toolbar Search - c:\Program Files\AOL\AOL Broadband Toolbar 5.0\resources\en-GB\local\search.html ()
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O13 - gopher Prefix: missing
    O15 - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Object)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlcm.cab (Reg Error: Value error.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
    O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DF935B54-EE05-4BDB-BF19-E742BFB044C4}: DhcpNameServer = 192.168.1.254
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll) - C:\Program Files\Citrix\GoToAssist\570\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
    O24 - Desktop WallPaper: C:\Users\Mark\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
    O24 - Desktop BackupWallPaper: C:\Users\Mark\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
    O28 - HKLM ShellExecuteHooks: {E54729E8-BB3D-4270-9D49-7389EA579090} - C:\Windows\System32\ezUPBHook.dll (EasyBits Software Corp.)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2008/04/04 23:47:14 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/09/15 22:22:44 | 000,000,000 | ---D | C] -- C:\Users\Mark\Documents\log
    [2012/09/15 21:54:11 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012/09/15 21:40:43 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/09/15 21:19:41 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/09/15 21:19:41 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/09/15 21:19:41 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/09/15 21:19:33 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/09/15 21:18:54 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
    [2012/09/15 09:51:56 | 000,000,000 | ---D | C] -- C:\FRST
    [2012/09/13 20:51:00 | 000,132,744 | R--- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NST\7DC06030.002\ccSetx86.sys
    [2012/09/13 20:50:57 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Identity Safe
    [2012/09/13 20:50:57 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NST
    [2012/09/13 20:50:57 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Identity Safe
    [2012/09/13 20:50:57 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NST\7DC06030.002
    [2012/09/13 19:51:06 | 000,000,000 | ---D | C] -- C:\NBRT
    [2012/09/09 19:44:17 | 000,000,000 | ---D | C] -- C:\Users\Mark\AppData\Local\CrashDumps
    [2012/09/09 17:11:18 | 000,000,000 | ---D | C] -- C:\Users\Mark\AppData\Roaming\Malwarebytes
    [2012/09/09 17:11:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/09/09 09:11:27 | 000,000,000 | ---D | C] -- C:\ProgramData\SMR310
    [2012/09/09 09:11:09 | 000,097,440 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\SMR310.SYS
    [2012/09/08 17:16:38 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
    [2012/09/08 15:29:12 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NBRTWizard
    [2012/09/08 15:29:12 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NBRTWizard\0501000.01A
    [2012/09/08 15:29:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Bootable Recovery Tool Wizard
    [2012/09/08 15:29:10 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Bootable Recovery Tool Wizard
    [2012/09/08 14:52:28 | 000,000,000 | ---D | C] -- C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton
    [2012/09/07 22:04:20 | 000,000,000 | ---D | C] -- C:\Windows\System32\N360_BACKUP
    [2012/09/07 20:02:06 | 000,000,000 | ---D | C] -- C:\Users\Mark\AppData\Local\NPE
    [2012/09/07 19:33:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla
    [2012/09/07 19:30:24 | 000,000,000 | ---D | C] -- C:\Users\Mark\Documents\Symantec
    [2012/09/07 19:26:16 | 000,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller
    [2012/09/07 19:26:16 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
    [2012/09/07 18:31:23 | 000,000,000 | ---D | C] -- C:\Users\Mark\Sources
    [2012/09/07 18:09:30 | 000,000,000 | ---D | C] -- C:\Users\Mark\AppData\Local\NokiaAccount
    [2012/09/07 17:43:02 | 000,000,000 | ---D | C] -- C:\Users\Mark\Documents\NPS
    [2012/08/23 10:29:59 | 000,000,000 | ---D | C] -- C:\Users\Mark\AppData\Local\MediaShow
    [2012/08/23 10:26:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BT Desktop Help
    [2012/08/23 09:03:17 | 000,000,000 | ---D | C] -- C:\Users\Mark\AppData\Local\Power2Go8
    [2012/08/22 17:04:14 | 000,000,000 | ---D | C] -- C:\Users\Mark\AppData\Local\MediaServer
    [2012/08/22 17:04:14 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\CyberLink
    [2012/08/22 17:04:11 | 000,000,000 | ---D | C] -- C:\ProgramData\PDVD
    [2012/08/22 17:02:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NewBlue
    [2012/08/22 16:58:54 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\CyberLink
    [2012/08/22 16:54:16 | 000,000,000 | ---D | C] -- C:\Users\Mark\AppData\Local\Cyberlink
    [2012/08/22 16:51:42 | 000,000,000 | ---D | C] -- C:\ProgramData\install_clap
    [2012/08/22 16:47:38 | 000,000,000 | ---D | C] -- C:\ProgramData\CLSK
    [2009/04/10 16:47:51 | 000,047,360 | ---- | C] (VSO Software) -- C:\Users\Mark\AppData\Roaming\pcouffin.sys
    [1 C:\*.tmp files -> C:\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/09/16 22:25:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012/09/16 22:22:55 | 000,000,508 | ---- | M] () -- C:\Users\Mark\Desktop\OTL.exe - Shortcut.lnk
    [2012/09/16 21:56:15 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2012/09/16 21:45:23 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012/09/16 21:45:22 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/09/16 21:45:22 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/09/16 21:45:19 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/09/16 21:45:15 | 3488,915,456 | -HS- | M] () -- C:\hiberfil.sys
    [2012/09/16 19:36:13 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-802167735-3406490535-3852651081-1000UA.job
    [2012/09/16 10:14:00 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
    [2012/09/15 21:40:33 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2012/09/15 20:35:00 | 000,000,852 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-802167735-3406490535-3852651081-1000Core.job
    [2012/09/15 19:28:17 | 000,000,064 | ---- | M] () -- C:\Windows\System32\rp_stats.dat
    [2012/09/15 19:28:17 | 000,000,044 | ---- | M] () -- C:\Windows\System32\rp_rules.dat
    [2012/09/13 19:54:27 | 271,553,641 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [2012/09/13 19:36:20 | 000,000,873 | ---- | M] () -- C:\Users\Mark\Desktop\Norton Installation Files.lnk
    [2012/09/13 18:50:01 | 000,070,656 | ---- | M] () -- C:\Windows\System32\umstartup.etl
    [2012/09/12 10:22:20 | 000,033,046 | ---- | M] () -- C:\Users\Mark\AppData\Roaming\wklnhst.dat
    [2012/09/11 16:29:30 | 012,888,064 | ---- | M] () -- C:\Users\Mark\Documents\dan passport photo.wps
    [2012/09/09 18:51:46 | 000,064,000 | ---- | M] () -- C:\Users\Mark\Documents\DDS log 1 and 2.wps
    [2012/09/09 09:11:09 | 000,097,440 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\SMR310.SYS
    [2012/09/09 08:28:18 | 000,285,328 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2012/09/08 18:55:25 | 002,416,348 | ---- | M] () -- C:\Windows\System32\drivers\Cat.DB
    [2012/09/08 14:41:32 | 000,000,040 | ---- | M] () -- C:\Users\Public\Documents\_rgpl
    [2012/09/07 18:29:50 | 000,001,537 | ---- | M] () -- C:\Users\Mark\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Explorer.lnk
    [2012/09/07 18:29:44 | 000,001,537 | ---- | M] () -- C:\Users\Mark\Desktop\Windows Explorer.lnk
    [2012/09/07 18:14:29 | 000,604,124 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012/09/07 18:14:29 | 000,107,264 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012/09/07 17:47:10 | 000,000,134 | ---- | M] () -- C:\Users\Mark\Desktop\Programs.lnk
    [2012/09/01 21:39:28 | 000,038,400 | ---- | M] () -- C:\Users\Mark\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/08/27 12:39:38 | 001,483,597 | ---- | M] () -- C:\Users\Mark\Documents\scan0012.jpg
    [2012/08/25 11:46:19 | 001,122,273 | ---- | M] () -- C:\Users\Mark\Documents\Centauro.jpg
    [2012/08/23 10:26:46 | 000,001,095 | ---- | M] () -- C:\Users\Public\Desktop\BT Desktop Help.lnk
    [2012/08/22 17:38:01 | 000,001,046 | ---- | M] () -- C:\Users\Mark\Application Data\Microsoft\Internet Explorer\Quick Launch\CyberLink DVD Suite Deluxe.lnk
    [2012/08/22 15:37:57 | 1238,864,448 | ---- | M] () -- C:\Users\Mark\Documents\CyberLink_MES120105-04.exe
    [2012/08/22 04:14:29 | 000,000,172 | ---- | M] () -- C:\Windows\System32\drivers\NBRTWizard\0501000.01A\isolate.ini
    [2012/08/21 11:51:55 | 011,912,192 | ---- | M] () -- C:\Users\Mark\Documents\New @ Condado.wps
    [1 C:\*.tmp files -> C:\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/09/16 22:22:55 | 000,000,508 | ---- | C] () -- C:\Users\Mark\Desktop\OTL.exe - Shortcut.lnk
    [2012/09/15 21:19:41 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/09/15 21:19:41 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/09/15 21:19:41 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/09/15 21:19:41 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/09/15 21:19:41 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/09/15 20:42:41 | 3488,915,456 | -HS- | C] () -- C:\hiberfil.sys
    [2012/09/13 20:50:58 | 000,000,827 | R--- | C] () -- C:\Windows\System32\drivers\NST\7DC06030.002\ccSetx86.inf
    [2012/09/13 20:50:57 | 000,007,468 | R--- | C] () -- C:\Windows\System32\drivers\NST\7DC06030.002\ccsetx86.cat
    [2012/09/13 20:50:57 | 000,000,172 | ---- | C] () -- C:\Windows\System32\drivers\NST\7DC06030.002\isolate.ini
    [2012/09/11 16:29:27 | 012,888,064 | ---- | C] () -- C:\Users\Mark\Documents\dan passport photo.wps
    [2012/09/09 18:51:45 | 000,064,000 | ---- | C] () -- C:\Users\Mark\Documents\DDS log 1 and 2.wps
    [2012/09/08 18:52:20 | 002,416,348 | ---- | C] () -- C:\Windows\System32\drivers\Cat.DB
    [2012/09/08 15:29:12 | 000,000,172 | ---- | C] () -- C:\Windows\System32\drivers\NBRTWizard\0501000.01A\isolate.ini
    [2012/09/08 14:52:28 | 000,000,873 | ---- | C] () -- C:\Users\Mark\Desktop\Norton Installation Files.lnk
    [2012/09/08 14:41:32 | 000,000,040 | ---- | C] () -- C:\Users\Public\Documents\_rgpl
    [2012/09/07 18:29:50 | 000,001,537 | ---- | C] () -- C:\Users\Mark\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Explorer.lnk
    [2012/09/07 18:29:44 | 000,001,537 | ---- | C] () -- C:\Users\Mark\Desktop\Windows Explorer.lnk
    [2012/09/07 17:47:10 | 000,000,134 | ---- | C] () -- C:\Users\Mark\Desktop\Programs.lnk
    [2012/08/25 11:47:12 | 001,122,273 | ---- | C] () -- C:\Users\Mark\Documents\Centauro.jpg
    [2012/08/23 10:26:46 | 000,001,095 | ---- | C] () -- C:\Users\Public\Desktop\BT Desktop Help.lnk
    [2012/08/22 17:38:01 | 000,001,046 | ---- | C] () -- C:\Users\Mark\Application Data\Microsoft\Internet Explorer\Quick Launch\CyberLink DVD Suite Deluxe.lnk
    [2012/08/22 15:23:29 | 1238,864,448 | ---- | C] () -- C:\Users\Mark\Documents\CyberLink_MES120105-04.exe
    [2012/08/21 11:51:55 | 011,912,192 | ---- | C] () -- C:\Users\Mark\Documents\New @ Condado.wps
    [2012/02/06 15:36:11 | 000,000,037 | ---- | C] () -- C:\Windows\Qtw.ini
    [2012/01/16 13:01:48 | 003,304,960 | ---- | C] () -- C:\Users\Mark\Dancard6.wps
    [2011/11/26 13:25:20 | 000,000,064 | ---- | C] () -- C:\Windows\System32\rp_stats.dat
    [2011/11/26 13:25:20 | 000,000,044 | ---- | C] () -- C:\Windows\System32\rp_rules.dat
    [2011/06/16 23:42:54 | 000,000,000 | ---- | C] () -- C:\Users\Mark\AppData\Local\{0F4A96EB-8BAE-4078-A0D4-DEF926CD6265}
    [2011/06/15 23:52:23 | 000,000,000 | ---- | C] () -- C:\Users\Mark\AppData\Local\{3B110506-E16A-4CEB-9457-D618758456B5}
    [2011/05/31 17:41:20 | 000,110,592 | ---- | C] () -- C:\Windows\System32\FsUsbExDevice.Dll
    [2011/05/31 17:41:20 | 000,036,608 | ---- | C] () -- C:\Windows\System32\FsUsbExDisk.Sys
    [2011/04/09 18:55:28 | 000,179,261 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
    [2010/06/03 10:13:04 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
    [2009/10/20 07:28:56 | 000,000,680 | ---- | C] () -- C:\Users\Mark\AppData\Local\d3d9caps.dat
    [2009/04/10 16:47:51 | 000,007,887 | ---- | C] () -- C:\Users\Mark\AppData\Roaming\pcouffin.cat
    [2009/04/10 16:47:51 | 000,001,144 | ---- | C] () -- C:\Users\Mark\AppData\Roaming\pcouffin.inf
    [2009/02/17 11:09:36 | 000,000,000 | ---- | C] () -- C:\ProgramData\LauncherAccess.dt
    [2008/10/06 16:38:15 | 000,038,400 | ---- | C] () -- C:\Users\Mark\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2008/08/20 12:38:24 | 000,033,046 | ---- | C] () -- C:\Users\Mark\AppData\Roaming\wklnhst.dat

    ========== LOP Check ==========

    [2011/05/07 11:16:55 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\acccore
    [2009/09/06 20:34:15 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Alawar
    [2009/02/17 10:40:27 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Amazon
    [2009/06/30 21:38:18 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
    [2010/04/25 19:27:58 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\eGames
    [2010/04/09 10:13:04 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Farm Mania
    [2010/09/17 21:23:27 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Friday's games
    [2009/05/06 19:49:47 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Gamelab
    [2012/09/08 18:51:33 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\GetRightToGo
    [2010/03/21 13:47:36 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Home Sweet Home Christmas
    [2012/05/03 20:15:14 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\LEGO Company
    [2009/10/27 18:20:58 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Nokia
    [2009/09/09 18:44:51 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\PC Suite
    [2010/03/18 19:45:29 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\PlayFirst
    [2011/04/11 19:10:56 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Registry Mechanic
    [2011/11/01 21:45:06 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Research In Motion
    [2012/09/07 18:52:56 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Samsung
    [2009/03/26 08:21:14 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\SaveThePuppy
    [2010/02/21 10:53:27 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\SBTT
    [2010/10/19 17:13:52 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Template
    [2009/09/06 20:31:44 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\TikGames
    [2010/07/11 16:47:57 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\TomTom
    [2012/09/08 21:58:21 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\uTorrent
    [2012/09/01 22:35:53 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Vso
    [2009/12/28 13:58:24 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Wild Tangent
    [2011/03/29 18:29:31 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\WildTangent
    [2008/11/19 22:03:40 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\WinBatch
    [2012/09/16 20:18:41 | 000,032,600 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 64 bytes -> C:\Users\Mark\Documents\snow angel.MOV:TOC.WMV
    @Alternate Data Stream - 64 bytes -> C:\Users\Mark\Documents\sliding on snow.MOV:TOC.WMV
    @Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:DFC5A2B2
    @Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:D1B5B4F1
    < End of report >
  9. Broni Malware Annihilator Posts: 39,398   +177

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      DRV - File not found [Kernel | Boot | Stopped] -- system32\drivers\TfSysMon.sys -- (TfSysMon)
      DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\TfNetMon.sys -- (TfNetMon)
      DRV - File not found [Kernel | Boot | Stopped] -- system32\drivers\TfFsMon.sys -- (TfFsMon)
      DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys -- (Lavasoft Kernexplorer)
      O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
      O3 - HKU\S-1-5-21-802167735-3406490535-3852651081-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
      O4 - HKLM..\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe" File not found
      O4 - HKLM..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe File not found
      O16 - DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlcm.cab (Reg Error: Value error.)
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      [2012/09/15 09:51:56 | 000,000,000 | ---D | C] -- C:\FRST
      [2011/04/11 19:10:56 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Registry Mechanic
      @Alternate Data Stream - 64 bytes -> C:\Users\Mark\Documents\snow angel.MOV:TOC.WMV
      @Alternate Data Stream - 64 bytes -> C:\Users\Mark\Documents\sliding on snow.MOV:TOC.WMV
      @Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:DFC5A2B2
      @Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:D1B5B4F1
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    NOTE. If for any reason OTL stalls (most likely at "killing processes..." step) run the fix from safe mode.

    ====================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE. SecurityCheck may produce some false warning(s), so leave reading the results to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.

    3. Please download AdwCleaner by Xplode onto your desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[R1].txt as well.

    4. Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.

    5. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If ESET doesn't find any threats, it won't produce any log.
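As an added example, not part of this thread and not OTL's or the helper's own code, the script below applies one reading of how the fix lines above were picked out of the OTL log: entries whose registered file is gone, toolbar entries with no CLSID behind them, ActiveX controls with a broken registry record, and alternate data streams. The rule set and the function names (`triage`, `summarize`, `build_fix_script`) are my assumptions; the sample lines are copied from the log posted above, mixed with legitimate entries from the same log so each rule has something to pass over.

```python
import re
from typing import Dict, List, Pattern, Tuple

# Lines copied from the OTL log posted above (page data, not constructed),
# interleaved with legitimate entries from the same log so every rule has
# a negative case to pass over.
SAMPLE_LOG = r"""
DRV - File not found [Kernel | Boot | Stopped] -- system32\drivers\TfSysMon.sys -- (TfSysMon)
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (AOL Broadband Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Broadband Toolbar 5.0\aoltb.dll (AOL LLC)
O4 - HKLM..\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe" File not found
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O16 - DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlcm.cab (Reg Error: Value error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:DFC5A2B2
[2012/09/15 09:51:56 | 000,000,000 | ---D | C] -- C:\FRST
"""

# Triage rules in priority order. They encode my reading of why the lines
# above were selected for the fix; they are an assumption, not OTL's own logic.
RULES: List[Tuple[str, Pattern[str]]] = [
    # A Run key or driver service still registered although its file is gone.
    ("orphan entry, target file missing", re.compile(r"\bFile not found\b")),
    # A toolbar entry whose CLSID has no class registration behind it.
    ("orphan toolbar, no CLSID registered", re.compile(r"^O3 .*No CLSID value found\.$")),
    # A downloaded ActiveX control whose registry record is broken.
    ("broken ActiveX registration", re.compile(r"^O16 - DPF: .*\(Reg Error: ")),
    # NTFS alternate data streams: content attached behind an ordinary file name.
    ("alternate data stream to review", re.compile(r"^@Alternate Data Stream ")),
]


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) for every non-empty line that matches a rule.

    A line is reported once, under the first rule that matches it.
    """
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for reason, pattern in RULES:
            if pattern.search(line):
                findings.append((reason, line))
                break
    return findings


def summarize(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings per reason, for a quick overview before acting."""
    counts: Dict[str, int] = {}
    for reason, _ in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


def build_fix_script(findings: List[Tuple[str, str]]) -> str:
    """Lay the flagged lines out in the ':OTL' / ':Commands' shape used above.

    Returns an empty string when there is nothing to fix.
    """
    if not findings:
        return ""
    body = "\n".join(line for _, line in findings)
    return f":OTL\n{body}\n\n:Commands\n[emptytemp]\n[Reboot]\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for reason, line in found:
        print(f"{reason:40s} {line[:70]}")
    print(summarize(found))
    print(build_fix_script(found))
```

On the sample the rules flag five lines (the two "File not found" entries, the nameless toolbar, the ActiveX control with a registry error, and the ADS) and leave the AOL toolbar, the Apple Run entry and the working Java control alone. The `C:\FRST` folder is deliberately not matched: its removal in the fix above is tidying up a tool's own working directory, not a detection, and an automated rule has no business deciding that.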
  10. Tobydog Newcomer, in training Posts: 44

    Hi Broni

    Thanks

    Here's the latest OTL log - OTL ran without stalling

    I will run the Security Check next and will post the checkup.txt asap


    All processes killed
    ========== OTL ==========
    Service TfSysMon stopped successfully!
    Service TfSysMon deleted successfully!
    File system32\drivers\TfSysMon.sys not found.
    Service TfNetMon stopped successfully!
    Service TfNetMon deleted successfully!
    File C:\Windows\system32\drivers\TfNetMon.sys not found.
    Service TfFsMon stopped successfully!
    Service TfFsMon deleted successfully!
    File system32\drivers\TfFsMon.sys not found.
    Service Lavasoft Kernexplorer stopped successfully!
    Service Lavasoft Kernexplorer deleted successfully!
    File C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\10 deleted successfully.
    Registry value HKEY_USERS\S-1-5-21-802167735-3406490535-3852651081-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Ad-Aware Browsing Protection deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\HP Health Check Scheduler deleted successfully.
    Starting removal of ActiveX control {44990B00-3C9D-426D-81DF-AAB636FA4345}
    C:\Windows\Downloaded Program Files\tgctlcm.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{44990B00-3C9D-426D-81DF-AAB636FA4345}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44990B00-3C9D-426D-81DF-AAB636FA4345}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44990B00-3C9D-426D-81DF-AAB636FA4345}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44990B00-3C9D-426D-81DF-AAB636FA4345}\ not found.
    Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
    C:\Windows\Downloaded Program Files\erma.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\Windows\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Folder move failed. C:\FRST\Quarantine\{4a3e861e-894a-adb2-035b-695524750cd2}\{4a3e861e-894a-adb2-035b-695524750cd2} scheduled to be moved on reboot.
    C:\FRST\Quarantine\{4a3e861e-894a-adb2-035b-695524750cd2}\U folder moved successfully.
    C:\FRST\Quarantine\{4a3e861e-894a-adb2-035b-695524750cd2} folder moved successfully.
    C:\FRST\Quarantine folder moved successfully.
    C:\FRST\Logs folder moved successfully.
    C:\FRST\Hives folder moved successfully.
    C:\FRST folder moved successfully.
    C:\Users\Mark\AppData\Roaming\Registry Mechanic folder moved successfully.
    ADS C:\Users\Mark\Documents\snow angel.MOV:TOC.WMV deleted successfully.
    ADS C:\Users\Mark\Documents\sliding on snow.MOV:TOC.WMV deleted successfully.
    ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.
    ADS C:\ProgramData\TEMP:D1B5B4F1 deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 41085 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Mark
    ->Temp folder emptied: 1962363820 bytes
    ->Temporary Internet Files folder emptied: 259265986 bytes
    ->Java cache emptied: 15792062 bytes
    ->Google Chrome cache emptied: 300195929 bytes
    ->Apple Safari cache emptied: 1129472 bytes
    ->Flash cache emptied: 2142395 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 14648 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 57986 bytes
    RecycleBin emptied: 2718517 bytes

    Total Files Cleaned = 2,426.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: Mark
    ->Java cache emptied: 0 bytes

    User: Public

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Mark
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.56.0 log created on 09172012_093723
    Files\Folders moved on Reboot...
    File\Folder C:\FRST\Quarantine\{4a3e861e-894a-adb2-035b-695524750cd2}\{4a3e861e-894a-adb2-035b-695524750cd2} not found!
    PendingFileRenameOperations files...
    File C:\FRST\Quarantine\{4a3e861e-894a-adb2-035b-695524750cd2}\{4a3e861e-894a-adb2-035b-695524750cd2} not found!
    Registry entries deleted on Reboot...
  11. Tobydog Newcomer, in training Posts: 44

    Hi Broni

    Here's the checkup.txt log

    I did get the following message when I ran it:

    AutoIt Error
    Line 1
    Error: Variable must be of the type "Object"

    After acknowledging the error by clicking ok Security Check ran fine

    FSS.txt log coming next

    Results of screen317's Security Check version 0.99.51
    Windows Vista Service Pack 2 x86 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    WMI entry may not exist for antivirus; attempting automatic update.
    `````````Anti-malware/Other Utilities Check:`````````
    Ad-Aware
    Java(TM) 6 Update 31
    Java(TM) SE Runtime Environment 6 Update 1
    Java version out of Date!
    Adobe Flash Player 11.3.300.271
    Adobe Reader X (10.1.4)
    Mozilla Firefox (for.)
    Google Chrome 21.0.1180.83
    Google Chrome 21.0.1180.89
    ````````Process Check: objlist.exe by Laurent````````
    Ad-Aware AAWService.exe is disabled!
    Ad-Aware AAWTray.exe is disabled!
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0 %
    ````````````````````End of Log``````````````````````
  12. Tobydog Newcomer, in training Posts: 44

    Hi Broni

    Here's the FSS.txt log

    Entries in the checkup.txt log above turned red by themselves!

    AdwCleaner[R1].txt log coming next

    Farbar Service Scanner Version: 06-08-2012
    Ran by Mark (administrator) on 17-09-2012 at 10:11:39
    Running from "C:\Users\Mark\Downloads"
    Windows Vista (TM) Home Premium Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.

    Windows Firewall:
    =============
    MpsSvc Service is not running. Checking service configuration:
    The start type of MpsSvc service is OK.
    The ImagePath of MpsSvc service is OK.
    The ServiceDll of MpsSvc service is OK.

    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    System Restore Disabled Policy:
    ========================

    Security Center:
    ============
    Windows Update:
    ============
    wuauserv Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
    BITS Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.

    Windows Autoupdate Disabled Policy:
    ============================

    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
    Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.

    Other Services:
    ==============
    Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
    Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
    Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.

    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit

    **** End of log ****
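    The FSS log above carries the important finding of this stage: the Windows Update (wuauserv), BITS and Windows Defender services are not merely stopped, their registry keys under the Services hive no longer exist, and SharedAccess has its key but no Start, ImagePath or ServiceDll values, while every file in the File Check section still matches its known-good hash. The damage is to the service definitions, not to the binaries, so the services cannot just be started again. The following Python script is an added example for reading an FSS.txt this way; it is not part of the thread and is not Farbar's code. The embedded log is a constructed, abridged sample modeled on the post above, and the verdict labels are this example's own, not FSS output.

```python
import re
from collections import defaultdict

# Constructed sample, abridged from the shape of the FSS.txt posted above (not the full log).
SAMPLE_FSS_LOG = r"""
Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.

Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.

File Check:
========
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
"""

# Line shapes as they appear in FSS output.
NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
CONFIG_OK = re.compile(r"^The (start type|ImagePath|ServiceDll) of (\S+) service is OK\.")
KEY_MISSING = re.compile(r"Unable to open (\S+) registry key\. The service key does not exist\.")
VALUE_MISSING = re.compile(r"Unable to retrieve (start type|ImagePath|ServiceDll) of (\S+)\. The value does not exist\.")
FILE_CHECK = re.compile(r"^(.+?) => (.+)$")

# Verdict labels are this example's own vocabulary, ordered worst first.
SEVERITY = {"KEY_MISSING": 3, "VALUES_MISSING": 2, "STOPPED_UNVERIFIED": 1, "STOPPED_CONFIG_OK": 0}


def triage(text):
    """Group FSS findings by service: stopped, config OK, key gone, values gone, file hashes."""
    report = {
        "not_running": set(),
        "config_ok": defaultdict(set),      # service -> {"start type", "ImagePath", "ServiceDll"}
        "key_missing": set(),
        "value_missing": defaultdict(set),  # service -> values FSS could not read
        "files_ok": [],
        "files_suspect": [],
    }
    for line in text.splitlines():
        line = line.strip()
        if m := NOT_RUNNING.match(line):
            report["not_running"].add(m.group(1))
        elif m := CONFIG_OK.match(line):
            report["config_ok"][m.group(2)].add(m.group(1))
        elif m := KEY_MISSING.search(line):
            report["key_missing"].add(m.group(1))
        elif m := VALUE_MISSING.search(line):
            report["value_missing"][m.group(2)].add(m.group(1))
        elif m := FILE_CHECK.match(line):
            bucket = "files_ok" if m.group(2) == "MD5 is legit" else "files_suspect"
            report[bucket].append(m.group(1))
    return report


def assess(report):
    """One verdict per affected service; the worst finding for a service wins."""
    verdicts = {}
    affected = report["not_running"] | report["key_missing"] | set(report["value_missing"])
    for svc in affected:
        if svc in report["key_missing"]:
            verdicts[svc] = "KEY_MISSING"        # whole service definition gone: needs repair/reinstall
        elif svc in report["value_missing"]:
            verdicts[svc] = "VALUES_MISSING"     # key present but Start/ImagePath/ServiceDll stripped
        elif report["config_ok"].get(svc) == {"start type", "ImagePath", "ServiceDll"}:
            verdicts[svc] = "STOPPED_CONFIG_OK"  # definition intact, simply not started
        else:
            verdicts[svc] = "STOPPED_UNVERIFIED"
    return verdicts


def summarize(text):
    """Human-readable lines, most damaged service first, file-hash tally last."""
    report = triage(text)
    verdicts = assess(report)
    lines = [f"{svc}: {v}" for svc, v in
             sorted(verdicts.items(), key=lambda kv: (-SEVERITY[kv[1]], kv[0]))]
    lines.append(f"files: {len(report['files_ok'])} hash OK, {len(report['files_suspect'])} flagged")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_FSS_LOG):
        print(line)
```

Point the script at a real FSS.txt by reading the file into `summarize()` in place of the sample. A KEY_MISSING verdict is the one that matters for the next step: `net start` cannot bring back a service whose key is gone, which is why the thread moves on to a repair tool that recreates service definitions rather than simply starting the services.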
  13. Tobydog Newcomer, in training Posts: 44

    Hi Broni

    Here's the AdwCleaner(R1).txt log

    Will run TFC next - no log?

    # AdwCleaner v2.002 - Logfile created 09/17/2012 at 10:18:08
    # Updated 16/09/2012 by Xplode
    # Operating system : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
    # User : Mark - MARK-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Mark\Downloads\adwcleaner.exe
    # Option [Search]

    ***** [Services] *****

    ***** [Files / Folders] *****
    Folder Found : C:\Program Files\Viewpoint
    Folder Found : C:\ProgramData\Viewpoint
    ***** [Registry] *****
    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
    Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
    Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
    Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
    Key Found : HKLM\SOFTWARE\Classes\S
    Key Found : HKLM\Software\Freeze.com
    Key Found : HKLM\Software\MetaStream
    Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
    Key Found : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
    Key Found : HKLM\SOFTWARE\Software
    Key Found : HKLM\Software\Viewpoint
    Key Found : HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
    Key Found : HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
    Key Found : HKU\S-1-5-21-802167735-3406490535-3852651081-1000\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
    Key Found : HKU\S-1-5-21-802167735-3406490535-3852651081-1000\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
    ***** [Internet Browsers] *****
    -\\ Internet Explorer v9.0.8112.16421
    [OK] Registry is clean.
    -\\ Google Chrome v21.0.1180.89
    File : C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Preferences
    [OK] File is clean.
    *************************
    AdwCleaner[R1].txt - [2929 octets] - [17/09/2012 10:18:08]
    ########## EOF - C:\AdwCleaner[R1].txt - [2989 octets] ##########
  14. Tobydog Newcomer, in training Posts: 44

    Hi Broni

    Ran TFC

    My side bar has disappeared (clock and calendar) but they will be easy to restore

    I did get the following message when I closed AdwCleaner:

    'By only using Search Mode AdwCleaner has not removed detected items. To perform the deletion of items found, restart AdwCleaner and then click on 'Delete', unless you were asked to use only the search mode'.

    I accepted the message as I was using search mode only

    ESET Online Scanner next
  15. Tobydog Newcomer, in training Posts: 44

    Hi Broni

    Here's the ESETScan log

    C:\TDSSKiller_Quarantine\08.09.2012_17.15.34\zasubsys0000\file0000\tsk0000.dta Win32/Sirefef.FB.Gen trojan deleted - quarantined
    C:\Users\Mark\Documents\IWONGlobal.exe Win32/Toolbar.MyWebSearch application deleted - quarantined
  16. Tobydog Newcomer, in training Posts: 44

    Hi Broni

    Computer definitely running faster, but...

    a) cannot find side bar - clock, calendar etc

    b) no sound - no response to mute, volume up / down buttons on keyboard, no sound through headphones
  17. Broni Malware Annihilator Posts: 39,398   +177

    Is your Norton 360 in working condition?
    I don't see it listed by Security Check.

    ================================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    ===================================

    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    Next...

    • Double click on adwcleaner.exe to run the tool.
    • Click on Uninstall.
    • Confirm with yes.

    ====================================

    We have some registry keys missing so...

    Download Windows Repair (all in one) from this site

    Install the program then run it.

    Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:

    [IMG]



    Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:

    [IMG]


    Go to Step 4 and under "System Restore" click on Create button:

    [IMG]


    Go to Start Repairs tab and click Start button.

    [IMG]


    Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):

    [IMG]

    Click on the box next to Restart System when Finished. Then click on Start.

    Post new FSS log.
  18. Tobydog Newcomer, in training Posts: 44

    Hi Broni - many thanks

    Here's the AdwCleaner(S1).txt.log

    I uninstalled Norton 360 - I think it was causing the computer to be unstable, continually shutting down / restarting. The error message I kept getting pointed to a fault with Norton itself, so I uninstalled it - computer stabilised immediately. I had only installed it a week last Friday - it detected the zeroaccess trojan, but appeared to be problematic since, so I decided Norton had to go

    # AdwCleaner v2.002 - Logfile created 09/17/2012 at 17:58:15
    # Updated 16/09/2012 by Xplode
    # Operating system : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
    # User : Mark - MARK-PC
    # Boot Mode : Normal
    # Running from : C:\Users\Mark\Downloads\adwcleaner.exe
    # Option [Delete]

    ***** [Services] *****

    ***** [Files / Folders] *****
    Folder Deleted : C:\Program Files\Viewpoint
    Folder Deleted : C:\ProgramData\Viewpoint
    ***** [Registry] *****
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
    Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
    Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
    Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
    Key Deleted : HKLM\SOFTWARE\Classes\S
    Key Deleted : HKLM\Software\Freeze.com
    Key Deleted : HKLM\Software\MetaStream
    Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
    Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
    Key Deleted : HKLM\SOFTWARE\Software
    Key Deleted : HKLM\Software\Viewpoint
    Key Deleted : HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
    ***** [Internet Browsers] *****
    -\\ Internet Explorer v9.0.8112.16421
    Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    -\\ Google Chrome v21.0.1180.89
    File : C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Preferences
    [OK] File is clean.
    *************************
    AdwCleaner[R1].txt - [3058 octets] - [17/09/2012 10:18:08]
    AdwCleaner[S1].txt - [3037 octets] - [17/09/2012 17:58:15]
    ########## EOF - C:\AdwCleaner[S1].txt - [3097 octets] ##########
  19. Broni Malware Annihilator Posts: 39,398   +177

  20. Tobydog Newcomer, in training Posts: 44

    Hi Broni

    Here's the Windows Repair log

    Starting Repairs...
    Start (17/09/2012 19:31:26)
    Reset Registry Permissions 01/03
    HKEY_CURRENT_USER & Sub Keys
    Start (17/09/2012 19:31:26)
    Done (17/09/2012 19:31:33)
    Reset Registry Permissions 02/03
    HKEY_LOCAL_MACHINE & Sub Keys
    Start (17/09/2012 19:31:33)
    Done (17/09/2012 19:34:49)
    Reset Registry Permissions 03/03
    HKEY_CLASSES_ROOT & Sub Keys
    Start (17/09/2012 19:34:49)
    Done (17/09/2012 19:35:15)
    Reset File Permissions 01/18
    C:\Boot & Sub Folders
    Start (17/09/2012 19:35:15)
    Done (17/09/2012 19:35:17)
    Reset File Permissions 02/18
    C:\DKMM & Sub Folders
    Start (17/09/2012 19:35:17)
    Done (17/09/2012 19:35:20)
    Reset File Permissions 03/18
    C:\Games & Sub Folders
    Start (17/09/2012 19:35:20)
    Done (17/09/2012 19:35:22)
    Reset File Permissions 04/18
    C:\hiberfil.sys & Sub Folders
    Start (17/09/2012 19:35:22)
    Done (17/09/2012 19:35:28)
    Reset File Permissions 05/18
    C:\hp & Sub Folders
    Start (17/09/2012 19:35:28)
    Done (17/09/2012 19:35:47)
    Reset File Permissions 06/18
    C:\MMAPP & Sub Folders
    Start (17/09/2012 19:35:47)
    Done (17/09/2012 19:35:49)
    Reset File Permissions 07/18
    C:\NBRT & Sub Folders
    Start (17/09/2012 19:35:49)
    Done (17/09/2012 19:35:52)
    Reset File Permissions 08/18
    C:\PerfLogs & Sub Folders
    Start (17/09/2012 19:35:52)
    Done (17/09/2012 19:35:54)
    Reset File Permissions 09/18
    C:\Program Files & Sub Folders
    Start (17/09/2012 19:35:54)
    Done (17/09/2012 19:45:05)
    Reset File Permissions 10/18
    C:\ProgramData & Sub Folders
    Start (17/09/2012 19:45:05)
    Done (17/09/2012 19:46:03)
    Reset File Permissions 11/18
    C:\Qoobox & Sub Folders
    Start (17/09/2012 19:46:03)
    Done (17/09/2012 19:46:06)
    Reset File Permissions 12/18
    C:\Setup & Sub Folders
    Start (17/09/2012 19:46:06)
    Done (17/09/2012 19:46:08)
    Reset File Permissions 13/18
    C:\TDSSKiller_Quarantine & Sub Folders
    Start (17/09/2012 19:46:08)
    Done (17/09/2012 19:46:11)
    Reset File Permissions 14/18
    C:\temp & Sub Folders
    Start (17/09/2012 19:46:11)
    Done (17/09/2012 19:46:13)
    Reset File Permissions 15/18
    C:\Tweaking.com_Windows_Repair_Logs & Sub Folders
    Start (17/09/2012 19:46:13)
    Done (17/09/2012 19:46:15)
    Reset File Permissions 16/18
    C:\Windows & Sub Folders
    Start (17/09/2012 19:46:15)
    Done (17/09/2012 19:53:32)
    Reset File Permissions 17/18
    C:\_OTL & Sub Folders
    Start (17/09/2012 19:53:32)
    Done (17/09/2012 19:53:34)
    Reset File Permissions 18/18
    C:\_torrents & Sub Folders
    Start (17/09/2012 19:53:34)
    Done (17/09/2012 19:53:59)
    Register System Files
    Start (17/09/2012 19:53:59)
    Done (17/09/2012 19:54:10)
    Repair WMI
    Start (17/09/2012 19:54:10)
    Step 01/03 - Deleting WMI Repository...
    The system cannot find the path specified.
    Step 02/03 - Rebuilding WMI Repository...
    Step 03/03 - Registering WMI...
    Invalid Global Switch.
    Done (17/09/2012 19:54:52)
    Repair Windows Firewall
    Start (17/09/2012 19:54:52)
    The Windows Firewall service is not started.
    More help is available by typing NET HELPMSG 3521.
    System error 1060 has occurred.
    The specified service does not exist as an installed service.
    The service name is invalid.
    More help is available by typing NET HELPMSG 2185.
    Done (17/09/2012 19:55:04)
    Repair Internet Explorer
    Start (17/09/2012 19:55:04)
    Done (17/09/2012 19:55:11)
    Remove Policies Set By Infections
    Start (17/09/2012 19:55:11)
    Done (17/09/2012 19:55:13)
    Repair Winsock & DNS Cache
    Start (17/09/2012 19:55:13)
    Done (17/09/2012 19:55:20)
    Repair Proxy Settings
    Start (17/09/2012 19:55:20)
    Done (17/09/2012 19:55:22)
    Repair Windows Updates
    Start (17/09/2012 19:55:22)
    System error 1060 has occurred.
    The specified service does not exist as an installed service.
    The Windows Update service is not started.
    More help is available by typing NET HELPMSG 3521.
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    The process cannot access the file because it is being used by another process.
    C:\Windows\system32\catroot2\edb.log - The process cannot access the file because it is being used by another process.
    C:\Windows\system32\catroot2\{127D0~1\catdb - The process cannot access the file because it is being used by another process.
    C:\Windows\system32\catroot2\{F750E~1\catdb - The process cannot access the file because it is being used by another process.
    'proxycfg.exe' is not recognized as an internal or external command,
    operable program or batch file.
    The service name is invalid.
    More help is available by typing NET HELPMSG 2185.
    Done (17/09/2012 19:55:28)
    Set Windows Services To Default Startup
    Start (17/09/2012 19:55:28)
    Done (17/09/2012 19:55:31)
    Repair MSI (Windows Installer)
    Start (17/09/2012 19:55:31)
    The Windows Installer service is not started.
    More help is available by typing NET HELPMSG 3521.
    Done (17/09/2012 19:55:35)
    Cleaning up empty logs...
    All Selected Repairs Done.
    Done (17/09/2012 19:55:35)
    Total Repair Time: 00:24:09

    ...YOU MUST RESTART YOUR SYSTEM...