PUM.Hijack.StartMenu & black desktop w/userfiles missing

Solved
By all at sea
Apr 26, 2012
  1. Hi all,
    I've been here before and received great help from Broni. Now I'm back again with another virus attack. Hope someone can help.
    Behaviour was as follows:
    A bunch of "System message - Write Fault Error" messages opened up on the desktop, followed by a
    "SYSTEM ERROR. HARD DISK FAILURE DETECTED. Windows has lost access to the system partition ...etc".
    It offers two options, "Scan and repair", or "Scan later". I suspected an attack, so I did neither. Desktop had gone black, with all icons vanished, except Internet Explorer. Access to start menu is allowed, surprisingly. All user files, including documents:eek: are vanished.

    I ran Malwarebytes, which detected two instances of "PUM.Hijack.StartMenu". On restart however, the same behaviour persisted. Ran Malwarebytes again which of course found the same two viruses in the same places. Restarted and ran Avira scan, which didn't even find the two viruses! Gave up trying by myself, and came to techspot to follow the tried-and-tested 5-step plan. Logs to follow. Grateful for any and all assistance.
  2. all at sea

    all at sea Newcomer, in training Topic Starter Posts: 60

    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org
    Database version: v2012.04.26.02
    Windows Vista Service Pack 1 x64 NTFS
    Internet Explorer 7.0.6001.18000
    jason :: OFFICE-PC [administrator]
    26/04/2012 15:08:28
    mbam-log-2012-04-26 (15-08-28).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 198902
    Time elapsed: 2 minute(s), 6 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 2
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
  3. all at sea

    all at sea Newcomer, in training Topic Starter Posts: 60

    GMER didn't run automatically, so I clicked the scan button. It found no modifications.
  4. all at sea

    all at sea Newcomer, in training Topic Starter Posts: 60

    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_31
    Run by jason at 15:32:21 on 2012-04-26
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.4094.2479 [GMT 1:00]
    .
    AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
    SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
    C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
    C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\RAVCpl64.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files (x86)\ (x86)\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\ProgramData\LHWmcRqHquM.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Program Files (x86)\Internet Explorer\ieuser.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10p_ActiveX.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=900&fs=1&lc=2057&_lang=EN
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    mRun: [RemoteControl] "C:\Program Files (x86)\ (x86)\CyberLink\PowerDVD\PDVDServ.exe"
    mRun: [LanguageShortcut] "C:\Program Files (x86)\ (x86)\CyberLink\PowerDVD\Language\Language.exe"
    mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
    mRun: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
    mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
    mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [LHWmcRqHquM.exe] C:\ProgramData\LHWmcRqHquM.exe
    mRunOnce: [Malwarebytes Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files (x86)\PPLive\PPLive.exe
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{56D17326-9347-4CD8-9AEE-998419ADBBA9} : DhcpNameServer = 192.168.1.1
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
    BHO-X64: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    BHO-X64: HP Smart BHO Class - No File
    mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    mRun-x64: [RemoteControl] "C:\Program Files (x86)\ (x86)\CyberLink\PowerDVD\PDVDServ.exe"
    mRun-x64: [LanguageShortcut] "C:\Program Files (x86)\ (x86)\CyberLink\PowerDVD\Language\Language.exe"
    mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
    mRun-x64: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
    mRun-x64: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
    mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [LHWmcRqHquM.exe] C:\ProgramData\LHWmcRqHquM.exe
    mRunOnce-x64: [Malwarebytes Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
    IE-X64: {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files (x86)\PPLive\PPLive.exe
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\jason\AppData\Roaming\Mozilla\Firefox\Profiles\gqi59nrv.default\
    FF - prefs.js: browser.startup.homepage - hxxp://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=900&fs=1&lc=2057&_lang=EN
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\npjpi160_31.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\npoji610.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Veetle\Player\npvlc.dll
    FF - plugin: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
    FF - Ext: Torbutton: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca} - %profile%\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mv61xx;mv61xx;C:\Windows\system32\DRIVERS\mv61xx.sys --> C:\Windows\system32\DRIVERS\mv61xx.sys [?]
    R1 avkmgr;avkmgr;C:\Windows\system32\DRIVERS\avkmgr.sys --> C:\Windows\system32\DRIVERS\avkmgr.sys [?]
    R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-11-15 86224]
    R2 AntiVirService;Avira Realtime Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-11-15 110032]
    R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
    S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-5-11 136176]
    S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2008-1-21 93696]
    S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-5-11 136176]
    S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-21 19968]
    .
    =============== Created Last 30 ================
    .
    2012-04-26 14:06:47 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-04-26 14:06:47 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-04-25 21:47:38 300544 ---ha-w- C:\ProgramData\LHWmcRqHquM.exe
    .
    ==================== Find3M ====================
    .
    2012-03-14 17:47:28 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    .
    ============= FINISH: 15:32:39.84 ===============
  5. all at sea

    all at sea Newcomer, in training Topic Starter Posts: 60

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 11/01/2009 19:50:24
    System Uptime: 26/04/2012 14:40:24 (1 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | P5QL PRO
    Processor: Intel(R) Core(TM)2 Quad CPU Q9400 @ 2.66GHz | LGA775 | 2670/333mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 450 GiB total, 11.765 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft ISATAP Adapter
    Device ID: ROOT\*ISATAP\0003
    Manufacturer: Microsoft
    Name: Microsoft ISATAP Adapter #4
    PNP Device ID: ROOT\*ISATAP\0003
    Service: tunnel
    .
    ==== System Restore Points ===================
    .
    RP933: 21/04/2012 02:43:17 - Scheduled Checkpoint
    RP934: 22/04/2012 12:44:07 - Scheduled Checkpoint
    RP935: 23/04/2012 12:50:05 - Scheduled Checkpoint
    RP936: 24/04/2012 18:17:06 - Scheduled Checkpoint
    RP937: 25/04/2012 20:10:42 - Scheduled Checkpoint
    .
    ==== Installed Programs ======================
    .
    7-Zip 4.65
    Adobe Flash Player 10 ActiveX
    Adobe Reader 8.1.2
    AIO_Scan
    AVI/MPEG/RM/WMV Joiner 4.82
    Avira Free Antivirus
    Boilsoft Video Joiner 6.56
    BufferChm
    C5200
    C5200_Help
    CDisplay 1.8
    ConvertXtoDVD 3.1.2.34
    Copy
    coverXP (remove only)
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    DHTML Editing Component
    DocProc
    DocProcQFolder
    DVD Suite
    DVDFab 8.1.0.5 (04/07/2011) Qt
    eSupportQFolder
    Fax
    Google Update Helper
    GPBaseService
    HP Update
    HPProductAssistant
    Java Auto Updater
    Java(TM) 6 Update 31
    JDownloader
    K-Lite Codec Pack 4.5.3 (Standard)
    LabelPrint
    LightScribe System Software 1.10.16.1
    Malwarebytes Anti-Malware version 1.61.0.1400
    MarketingReg
    MediaShow
    Microsoft Office 2000 Small Business
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Microsoft Works
    MKVtoolnix 4.6.0
    Mozilla Firefox (3.5.9)
    MSXML 4.0 SP2 (KB954430)
    Nero Suite
    NVIDIA PhysX v8.10.13
    PanoStandAlone
    PhotoNow! 1.0
    Power2Go 5.0
    PowerBackup
    PowerDirector Express
    PowerDVD
    PowerDVD Copy
    PowerProducer
    PPLive 1.9
    PS_AIO_02_ProductContext
    PS_AIO_02_Software
    PS_AIO_02_Software_Min
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    Realtek High Definition Audio Driver
    RealUpgrade 1.1
    Roxio Express Labeler 3
    Scan
    SmartWebPrintingOC
    SolutionCenter
    SopCast 3.2.4
    Status
    Subtitle Workshop 2.51
    Toolbox
    TrayApp
    Turbo Lister 2
    TVAnts 1.0
    UnloadSupport
    Veetle TV 0.9.18
    Visual C++ 8.0 Runtime Setup Package (x64)
    Visual Studio 2008 x64 Redistributables
    VLC media player 1.1.7
    VobSub v2.23 (Remove Only)
    WebReg
    WinRAR archiver
    Xvid 1.1.3 final uninstall
    .
    ==== Event Viewer Messages From Past Week ========
    .
    26/04/2012 14:43:09, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Media Player Network Sharing Service service to connect.
    26/04/2012 14:43:09, Error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    26/04/2012 09:58:09, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    25/04/2012 23:11:21, Error: EventLog [6008] - The previous system shutdown at 23:09:20 on 25/04/2012 was unexpected.
    25/04/2012 23:03:23, Error: EventLog [6008] - The previous system shutdown at 23:01:08 on 25/04/2012 was unexpected.
    25/04/2012 22:58:36, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Google Update Service (gupdate) service to connect.
    25/04/2012 22:58:36, Error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    20/04/2012 16:43:16, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
    19/04/2012 18:01:55, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep
    19/04/2012 18:01:55, Error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
    19/04/2012 18:00:07, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 002354165DDA has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    .
    ==== End Of File ===========================
  6. Broni

    Broni Malware Annihilator Posts: 46,177   +251

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ================================================================

    Let's see, if we can recover your missing features.
    Download and run UnHide
    Let me know, if it worked.

    ==================================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ==================================================================

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
  7. all at sea

    all at sea Newcomer, in training Topic Starter Posts: 60

    Hi again Broni,
    You solved a virus problem for me last year, so I know I'm in safe hands. Thank you for helping a serial offender, as it were.

    I ran UnHide. It restored most Desktop icons, but not the My Computer or My Documents icons. Background remains black, and user files and all documents are still missing. Behaviour remains the same.
    I forgot to mention that whenever I reboot, any programmes or logs that have been saved to desktop disappear (although the icons restored by UnHide remain). So when I rebooted, as prompted by UnHide, both itself, GMER, DDS, and associated logs disappeared. Is there somewhere else I can save cleaning applications and logs?

    aswMBR and Bootkit remover logs to follow.
  8. all at sea

    all at sea Newcomer, in training Topic Starter Posts: 60

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-04-26 17:53:13
    -----------------------------
    17:53:13.515 OS Version: Windows x64 6.0.6001 Service Pack 1
    17:53:13.515 Number of processors: 4 586 0x170A
    17:53:13.515 ComputerName: OFFICE-PC UserName: jason
    17:53:23.920 Initialize success
    17:54:16.263 AVAST engine defs: 12042600
    17:54:40.396 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2
    17:54:40.396 Disk 0 Vendor: SAMSUNG_HD501LJ CR100-13 Size: 476940MB BusType: 3
    17:54:40.428 Disk 0 MBR read successfully
    17:54:40.428 Disk 0 MBR scan
    17:54:40.474 Disk 0 Windows VISTA default MBR code
    17:54:40.506 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 16196 MB offset 2048
    17:54:40.537 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 460741 MB offset 33173280
    17:54:40.615 Disk 0 scanning C:\Windows\system32\drivers
    17:55:03.313 Service scanning
    17:55:57.663 Modules scanning
    17:55:57.663 Disk 0 trace - called modules:
    17:55:57.679 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys ataport.SYS pciide.sys
    17:55:57.679 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8005af9430]
    17:55:57.679 3 CLASSPNP.SYS[fffffa6000fd2b3a] -> nt!IofCallDriver -> [0xfffffa80049229b0]
    17:55:57.679 5 acpi.sys[fffffa60008fbff6] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-2[0xfffffa800491c4b0]
    17:56:08.256 AVAST engine scan C:\Windows
    17:56:23.029 AVAST engine scan C:\Windows\system32
    18:04:04.180 AVAST engine scan C:\Windows\system32\drivers
    18:04:56.721 AVAST engine scan C:\Users\jason
    18:22:23.778 AVAST engine scan C:\ProgramData
    18:54:35.354 Scan finished successfully
    18:56:52.728 Disk 0 MBR has been saved successfully to "C:\Users\jason\Desktop\MBR.dat"
    18:56:52.728 The log file has been saved successfully to "C:\Users\jason\Desktop\aswMBR.txt"
  9. all at sea

    all at sea Newcomer, in training Topic Starter Posts: 60

    I ran Bootkit Remover, but I am unable to post results. I can't get to notepad because Accessories is hidden in start menu. I tried using the instructions (select all, then ctrl & C followed by ctrl & V) in one of the readme notepad files and in MS Word, but it just pastes a web address that I copied earlier. Any ideas?
    (I should probably add that I can't close Word, and Task manager isn't working.)
  10. all at sea

    all at sea Newcomer, in training Topic Starter Posts: 60

    For some reason it works now :p:

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 1 (build 6
    001), 64-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000003`f45e4000
    Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
  11. all at sea

    all at sea Newcomer, in training Topic Starter Posts: 60

    PS.
    Explorer is starting to crash a lot. I've moved to Firefox.
     
  12. Broni

    Broni Malware Annihilator Posts: 46,177   +251

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  13. all at sea

    all at sea Newcomer, in training Topic Starter Posts: 60

    Hi Broni,
    You mention in your last post that I may have to restart PC at some point during this stage. That would mean I'll lose everything saved to desktop so far, including the MBR.dat. Does that matter?
  14. Broni

    Broni Malware Annihilator Posts: 46,177   +251

    Yes, go ahead.
  15. all at sea

    all at sea Newcomer, in training Topic Starter Posts: 60

    Ran ComboFix. It auto restarted, and on restart Avira automatically enabled itself. I hope that didn't affect ComboFix.
    The ComboFix log file didn't pop up as the window said it would, but i think I found it in the ComboFix folder. It's posted below. The ComboFix window is still open. (Oh, and it didn't prompt to update or install Recovery Console).

    Behaviour: Background is still black, and user files including all documents still missing. The system error messages have ceased however.


    ComboFix 12-04-26.01 - jason 26/04/2012 20:11:24.3.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.4094.2482 [GMT 1:00]
    Running from: C:\Users\jason\Desktop\ComboFix.exe
    AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
    SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\ProgramData\LHWmcRqHquM.exe
    C:\Users\jason\AppData\Roaming\vso_ts_preview.xml


    ((((((((((((((((((((((((( Files Created from 2012-03-26 to 2012-04-26 )))))))))))))))))))))))))))))))


    2012-04-26 14:06:47 . 2012-04-26 14:06:49 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-04-26 14:06:47 . 2012-04-04 14:56:40 24904 ----a-w- C:\Windows\system32\drivers\mbam.sys
    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2012-03-14 17:47:28 . 2010-04-21 11:25:39 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    2012-02-15 09:42:29 . 2011-11-15 21:24:59 132320 ----a-w- C:\Windows\system32\drivers\avipbb.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16:38 39792]
    "RemoteControl"="C:\Program Files (x86)\ (x86)\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 21:01:30 71216]
    "LanguageShortcut"="C:\Program Files (x86)\ (x86)\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 22:17:42 52256]
    "HP Software Update"="C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 21:17:32 49152]
    "NeroFilterCheck"="C:\Windows\system32\NeroCheck.exe" [2001-07-09 11:50:42 155648]
    "TkBellExe"="C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" [2010-11-07 19:13:17 274608]
    "avgnt"="C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-10-19 16:56:24 258512]
    "SunJavaUpdateSched"="C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 14:02:04 254696]

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
    Microsoft Office.lnk - C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-09-19 21:46:18 451872 ----a-w- C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe

    Contents of the 'Scheduled Tasks' folder

    2012-04-26 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 15:09:30 . 2011-05-11 15:09:23]

    2012-04-26 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 15:09:30 . 2011-05-11 15:09:23]


    --------- x86-64 -----------


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RAVCpl64.exe" [2008-01-15 11:25:20 5641728]
    "Skytel"="Skytel.exe" [2007-11-20 18:15:58 1826816]
    "NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-11-12 14:54:00 16121888]
    "NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-11-12 14:54:00 82464]

    ------- Supplementary Scan -------

    uLocal Page = C:\Windows\system32\blank.htm
    uStart Page = hxxp://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=900&fs=1&lc=2057&_lang=EN
    mLocal Page = %SystemRoot%\system32\blank.htm
    TCP: DhcpNameServer = 192.168.1.1
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - C:\Users\jason\AppData\Roaming\Mozilla\Firefox\Profiles\gqi59nrv.default\
    FF - prefs.js: browser.startup.homepage - hxxp://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=900&fs=1&lc=2057&_lang=EN
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
    FF - Ext: Torbutton: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca} - %profile%\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext

    - - - - ORPHANS REMOVED - - - -

    Wow6432Node-HKCU-Run-WMPNSCFG - C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
    Wow6432Node-HKLM-Run-LHWmcRqHquM.exe - C:\ProgramData\LHWmcRqHquM.exe
  16. Broni

    Broni Malware Annihilator Posts: 46,177   +251

    It's incomplete.
    Please re-run Combofix.
  17. all at sea

    all at sea Newcomer, in training Topic Starter Posts: 60

    ComboFix 12-04-26.01 - jason 26/04/2012 20:45:08.4.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.4094.2738 [GMT 1:00]
    Running from: c:\users\jason\Desktop\ComboFix.exe
    AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
    SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\programdata\LHWmcRqHquM.exe
    c:\users\jason\AppData\Roaming\vso_ts_preview.xml
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-26 to 2012-04-26 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-26 19:51 . 2012-04-26 19:54 -------- d-----w- c:\users\jason\AppData\Local\temp
    2012-04-26 19:51 . 2012-04-26 19:51 -------- d-----w- c:\users\Public\AppData\Local\temp
    2012-04-26 19:51 . 2012-04-26 19:51 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-04-26 14:06 . 2012-04-26 14:06 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-04-26 14:06 . 2012-04-04 14:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-03-14 17:47 . 2010-04-21 11:25 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-02-15 09:42 . 2011-11-15 21:24 132320 ----a-w- c:\windows\system32\drivers\avipbb.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-04-26_19.22.46 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-21 02:23 . 2012-04-26 19:24 46364 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 15:45 . 2012-04-26 19:24 73786 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2009-01-12 17:19 . 2012-04-26 19:24 13560 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1318639389-2330378091-3496585167-1000_UserData.bin
    - 2009-01-11 20:01 . 2012-04-26 17:13 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-01-11 20:01 . 2012-04-26 19:46 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-01-11 20:01 . 2012-04-26 19:46 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-01-11 20:01 . 2012-04-26 17:13 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-01-11 20:01 . 2012-04-26 19:46 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-01-11 20:01 . 2012-04-26 17:13 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-04-05 23:08 . 2012-04-26 19:51 5416 c:\windows\system32\WDI\ERCQueuedResolutions.dat
    - 2012-04-26 19:20 . 2012-04-26 19:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-04-26 19:52 . 2012-04-26 19:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-04-26 19:52 . 2012-04-26 19:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-04-26 19:20 . 2012-04-26 19:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2006-11-02 12:46 . 2012-04-26 16:53 599942 c:\windows\system32\perfh009.dat
    + 2006-11-02 12:46 . 2012-04-26 19:27 599942 c:\windows\system32\perfh009.dat
    - 2006-11-02 12:46 . 2012-04-26 16:53 105448 c:\windows\system32\perfc009.dat
    + 2006-11-02 12:46 . 2012-04-26 19:27 105448 c:\windows\system32\perfc009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files (x86)\Windows Media Player\WMPNSCFG.exe" [BU]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "RemoteControl"="c:\program files (x86)\ (x86)\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
    "LanguageShortcut"="c:\program files (x86)\ (x86)\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
    "HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2010-11-07 274608]
    "avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-10-19 258512]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "LHWmcRqHquM.exe"="c:\programdata\LHWmcRqHquM.exe" [BU]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
    Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-09-19 21:46 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 15:09]
    .
    2012-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 15:09]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RAVCpl64.exe" [2008-01-15 5641728]
    "Skytel"="Skytel.exe" [2007-11-20 1826816]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 16121888]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 82464]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=900&fs=1&lc=2057&_lang=EN
    mLocal Page = %SystemRoot%\system32\blank.htm
    TCP: DhcpNameServer = 192.168.1.1
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\jason\AppData\Roaming\Mozilla\Firefox\Profiles\gqi59nrv.default\
    FF - prefs.js: browser.startup.homepage - hxxp://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=900&fs=1&lc=2057&_lang=EN
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
    FF - Ext: Torbutton: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca} - %profile%\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
    @Denied: (A 2) (Everyone)
    @="FlashProp Class"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash9b.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Avira\AntiVir Desktop\sched.exe
    c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
    c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
    c:\program files (x86)\CyberLink\Shared Files\RichVideo.exe
    c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
    c:\program files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
    .
    **************************************************************************
    .
    Completion time: 2012-04-26 20:57:21 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-26 19:57
    .
    Pre-Run: 12,263,985,152 bytes free
    Post-Run: 12,231,495,680 bytes free
    .
    - - End Of File - - C7D3264DE274F59C196F01B0FA22285E
  18. all at sea

    all at sea Newcomer, in training Topic Starter Posts: 60

    The log popped up this time, and the Combofix window closed

    Behaviour: Background still black, and My Ducuments and My Computer icons still missing. However, User files and docs can now be accessed :).
  19. Broni

    Broni Malware Annihilator Posts: 46,177   +251

    Very good :)

    See if you can change it manually.

    See my manual here: http://www.smartestcomputing.us.com/topic/49859-missing-items-from-main-start-menu-window-fix/

    Any other issues?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\tasks\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  20. all at sea

    all at sea Newcomer, in training Topic Starter Posts: 60

    I just realized that I don't remember for 100% sure whether I disabled Avira before running ComboFix the second time :confused:.
    Do you want me to rerun it?
  21. Broni

    Broni Malware Annihilator Posts: 46,177   +251

    No, you're fine.
  22. all at sea

    all at sea Newcomer, in training Topic Starter Posts: 60

    OTL logfile created on: 26/04/2012 21:15:22 - Run 1
    OTL by OldTimer - Version 3.2.42.1 Folder = C:\Users\jason\Desktop
    64bit-Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.6001.18000)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    4.00 Gb Total Physical Memory | 2.64 Gb Available Physical Memory | 66.08% Memory free
    8.22 Gb Paging File | 6.74 Gb Available in Paging File | 81.96% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 449.94 Gb Total Space | 11.42 Gb Free Space | 2.54% Space Free | Partition Type: NTFS

    Computer Name: OFFICE-PC | User Name: jason | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/04/26 21:13:02 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\jason\Desktop\OTL.exe
    PRC - [2011/10/19 17:56:36 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
    PRC - [2011/10/19 17:56:24 | 000,258,512 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
    PRC - [2011/10/19 17:56:24 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
    PRC - [2010/11/07 20:13:17 | 000,274,608 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe


    ========== Modules (No Company Name) ==========


    ========== Win32 Services (SafeList) ==========

    SRV:64bit: - [2008/01/21 03:47:32 | 000,383,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2011/10/19 17:56:36 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
    SRV - [2011/10/19 17:56:24 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
    SRV - [2008/01/21 03:50:58 | 000,070,144 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - [2012/02/15 10:42:29 | 000,132,320 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\DRIVERS\avipbb.sys -- (avipbb)
    DRV:64bit: - [2011/10/19 17:56:50 | 000,027,760 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\DRIVERS\avkmgr.sys -- (avkmgr)
    DRV:64bit: - [2011/10/19 17:56:49 | 000,097,312 | ---- | M] () [File_System | Auto | Running] -- C:\Windows\SysNative\DRIVERS\avgntflt.sys -- (avgntflt)
    DRV:64bit: - [2009/01/13 00:57:23 | 000,082,816 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\pcouffin.sys -- (pcouffin)
    DRV:64bit: - [2008/07/22 12:58:00 | 000,056,320 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\L1E60x64.sys -- (L1E)
    DRV:64bit: - [2008/01/21 03:51:07 | 000,016,384 | ---- | M] () [Recognizer | System | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
    DRV:64bit: - [2007/06/15 16:52:10 | 000,163,736 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\mv61xx.sys -- (mv61xx)
    DRV:64bit: - [2006/10/31 16:23:42 | 000,015,680 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\ASACPI.sys -- (MTsensor)
    DRV:64bit: - [2006/10/10 03:09:03 | 000,742,696 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\nvm60x64.sys -- (NVENETFD)

    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-1318639389-2330378091-3496585167-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=900&fs=1&lc=2057&_lang=EN
    IE - HKU\S-1-5-21-1318639389-2330378091-3496585167-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKU\S-1-5-21-1318639389-2330378091-3496585167-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKU\S-1-5-21-1318639389-2330378091-3496585167-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    IE - HKU\S-1-5-21-1318639389-2330378091-3496585167-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.startup.homepage: "http://login.live.com/login.srf?id=2&svc=mail&cbid=24325&msppjph=1&tw=900&fs=1&lc=2057&_lang=EN"
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
    FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:14.0.0
    FF - prefs.js..extensions.enabledItems: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca}:1.2.1
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}:6.0.31
    FF - prefs.js..network.proxy.no_proxies_on: "127.0.0.1"
    FF - user.js - File not found

    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.599: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.599: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.599: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll File not found
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.599: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.18: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll (Veetle Inc)
    FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.18: C:\Program Files (x86)\Veetle\Player\npvlc.dll (Veetle Inc)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/11/07 20:13:38 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/11/07 20:13:29 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/05/12 11:38:40 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Thunderbird\Extensions\\{380AE6CB-09B9-4373-B360-D01C2462A6E7}: C:\Program Files\BullGuard Ltd\BullGuard\files32\backup\thunderbirdbkplugin
    FF - HKEY_CURRENT_USER\software\mozilla\Thunderbird\Extensions\\{0E810812-F4BB-4309-942A-755587587A5E}: C:\Program Files\BullGuard Ltd\BullGuard\files32\antispam\tbspamfilter

    [2010/01/08 15:49:27 | 000,000,000 | ---D | M] (No name found) -- C:\Users\jason\AppData\Roaming\Mozilla\Extensions
    [2012/04/26 19:59:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\jason\AppData\Roaming\Mozilla\Firefox\Profiles\gqi59nrv.default\extensions
    [2010/08/24 15:45:22 | 000,000,000 | ---D | M] (Torbutton) -- C:\Users\jason\AppData\Roaming\Mozilla\Firefox\Profiles\gqi59nrv.default\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
    [2012/03/14 18:47:41 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
    [2010/04/21 12:25:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2010/08/14 12:13:37 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    [2010/10/28 12:13:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    [2011/01/13 12:56:52 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    [2011/02/24 12:16:50 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    [2011/07/06 10:23:42 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    [2012/03/14 18:47:41 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
    [2010/11/07 20:13:38 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\PROGRAMDATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT
    [2012/03/14 18:47:29 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
    [2010/08/04 13:34:44 | 000,001,538 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazon-en-GB.xml
    [2010/08/04 13:34:44 | 000,000,947 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\chambers-en-GB.xml
    [2010/08/04 13:34:44 | 000,000,769 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-en-GB.xml
    [2010/08/04 13:34:44 | 000,000,831 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-en-GB.xml

    O1 HOSTS File: ([2012/04/26 20:18:23 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O4:64bit: - HKLM..\Run: [NvCplDaemon] C:\Windows\SysNative\NvCpl.dll ()
    O4:64bit: - HKLM..\Run: [NvMediaCenter] C:\Windows\SysNative\NvMcTray.dll ()
    O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Windows\RAVCpl64.exe (Realtek Semiconductor)
    O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
    O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files (x86)\ (x86)\CyberLink\PowerDVD\Language\Language.exe ()
    O4 - HKLM..\Run: [LHWmcRqHquM.exe] C:\ProgramData\LHWmcRqHquM.exe File not found
    O4 - HKLM..\Run: [NeroFilterCheck] C:\Windows\SysWOW64\NeroCheck.exe (Ahead Software Gmbh)
    O4 - HKLM..\Run: [TkBellExe] C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)
    O4 - HKU\S-1-5-21-1318639389-2330378091-3496585167-1000..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1318639389-2330378091-3496585167-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1318639389-2330378091-3496585167-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra Button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files (x86)\PPLive\PPLive.exe ()
    O9 - Extra 'Tools' menuitem : PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files (x86)\PPLive\PPLive.exe ()
    O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} http://quickscan.bitdefender.com/qsax/qsax.cab (BitDefender QuickScan Control)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{56D17326-9347-4CD8-9AEE-998419ADBBA9}: DhcpNameServer = 192.168.1.1
    O18:64bit: - Protocol\Handler\ipp - No CLSID value found
    O18:64bit: - Protocol\Handler\ipp\0x00000001 - No CLSID value found
    O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
    O18:64bit: - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found
    O18:64bit: - Protocol\Handler\msdaipp\oledb - No CLSID value found
    O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
    O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
    O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files (x86)\Common Files\Microsoft Shared\Help\hxds.dll File not found
    O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe ()
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Users\jason\Documents\derechaz.jpg
    O24 - Desktop BackupWallPaper: C:\Users\jason\Documents\derechaz.jpg
    O32 - HKLM CDRom: AutoRun - 1
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35:64bit: - HKLM\..comfile [open] -- "%1" %*
    O35:64bit: - HKLM\..exefile [open] -- "%1" %*
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)


    Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm ()
    Drivers32: msacm.clmp3enc - C:\Program Files (x86)\ (x86)\CyberLink\Power2Go\CLMP3Enc.ACM (CyberLink Corp.)
    Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)
    Drivers32: vidc.XVID - C:\Windows\SysWow64\xvidvfw.dll ()

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/04/26 21:13:02 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\jason\Desktop\OTL.exe
    [2012/04/26 20:57:24 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012/04/26 20:57:23 | 000,000,000 | ---D | C] -- C:\Users\jason\AppData\Local\temp
    [2012/04/26 20:54:32 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/04/26 20:10:05 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/04/26 20:10:05 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/04/26 20:10:05 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/04/26 20:09:59 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/04/26 20:01:15 | 004,477,246 | R--- | C] (Swearware) -- C:\Users\jason\Desktop\ComboFix.exe
    [2012/04/26 19:35:15 | 000,083,968 | ---- | C] (Esage Lab) -- C:\Users\jason\Desktop\boot_cleaner.exe
    [2012/04/26 17:51:57 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\jason\Desktop\aswMBR.exe
    [2012/04/26 17:15:32 | 000,399,264 | ---- | C] (Bleeping Computer, LLC) -- C:\Users\jason\Desktop\unhide.exe
    [2012/04/26 15:31:16 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\jason\Desktop\dds.scr
    [2012/04/26 15:06:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/04/26 15:06:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    [2012/04/26 15:05:36 | 010,063,000 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\jason\Desktop\mbam-setup-1.61.0.1400.exe

    ========== Files - Modified Within 30 Days ==========

    [2012/04/26 21:13:02 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\jason\Desktop\OTL.exe
    [2012/04/26 21:13:01 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012/04/26 20:59:30 | 000,690,960 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
    [2012/04/26 20:59:30 | 000,599,942 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
    [2012/04/26 20:59:30 | 000,105,448 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
    [2012/04/26 20:53:24 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012/04/26 20:52:45 | 000,003,616 | ---- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/04/26 20:52:45 | 000,003,616 | ---- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/04/26 20:52:42 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/04/26 20:18:23 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
    [2012/04/26 20:01:31 | 004,477,246 | R--- | M] (Swearware) -- C:\Users\jason\Desktop\ComboFix.exe
    [2012/04/26 19:34:59 | 000,044,607 | ---- | M] () -- C:\Users\jason\Desktop\bootkit_remover.zip
    [2012/04/26 18:56:52 | 000,000,512 | ---- | M] () -- C:\Users\jason\Desktop\MBR.dat
    [2012/04/26 17:52:06 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\jason\Desktop\aswMBR.exe
    [2012/04/26 17:15:36 | 000,399,264 | ---- | M] (Bleeping Computer, LLC) -- C:\Users\jason\Desktop\unhide.exe
    [2012/04/26 15:31:21 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\jason\Desktop\dds.scr
    [2012/04/26 15:15:41 | 000,302,592 | ---- | M] () -- C:\Users\jason\Desktop\6gibrndy.exe
    [2012/04/26 15:05:36 | 010,063,000 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\jason\Desktop\mbam-setup-1.61.0.1400.exe
    [2012/04/26 10:21:41 | 000,000,956 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/04/24 20:00:47 | 000,166,400 | ---- | M] () -- C:\Users\jason\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/04/04 15:56:40 | 000,024,904 | ---- | M] () -- C:\Windows\SysNative\drivers\mbam.sys

    ========== Files Created - No Company Name ==========

    [2012/04/26 20:10:05 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/04/26 20:10:05 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/04/26 20:10:05 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/04/26 20:10:05 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/04/26 20:10:05 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/04/26 19:34:59 | 000,044,607 | ---- | C] () -- C:\Users\jason\Desktop\bootkit_remover.zip
    [2012/04/26 18:56:52 | 000,000,512 | ---- | C] () -- C:\Users\jason\Desktop\MBR.dat
    [2012/04/26 17:33:31 | 000,002,048 | ---- | C] () -- C:\Users\Public\Desktop\CyberLink DVD Suite.lnk
    [2012/04/26 17:33:31 | 000,002,039 | ---- | C] () -- C:\Users\jason\Application Data\Microsoft\Internet Explorer\Quick Launch\Subtitle Workshop.lnk
    [2012/04/26 17:33:31 | 000,001,960 | ---- | C] () -- C:\Users\Public\Desktop\eBay Turbo Lister 2.lnk
    [2012/04/26 17:33:31 | 000,001,952 | ---- | C] () -- C:\Users\Public\Desktop\LightScribe.lnk
    [2012/04/26 17:33:31 | 000,001,925 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 8.lnk
    [2012/04/26 17:33:31 | 000,001,909 | ---- | C] () -- C:\Users\Public\Desktop\Avira Control Center.lnk
    [2012/04/26 17:33:31 | 000,001,810 | ---- | C] () -- C:\Users\jason\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2012/04/26 17:33:31 | 000,001,786 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
    [2012/04/26 17:33:31 | 000,001,635 | ---- | C] () -- C:\Users\jason\Application Data\Microsoft\Internet Explorer\Quick Launch\eBay Turbo Lister 2.lnk
    [2012/04/26 17:33:31 | 000,001,453 | ---- | C] () -- C:\Users\jason\Application Data\Microsoft\Internet Explorer\Quick Launch\Nero StartSmart.lnk
    [2012/04/26 17:33:31 | 000,001,429 | ---- | C] () -- C:\Users\Public\Desktop\Nero StartSmart.lnk
    [2012/04/26 17:33:31 | 000,001,192 | ---- | C] () -- C:\Users\Public\Desktop\HP Solution Center.lnk
    [2012/04/26 17:33:31 | 000,001,107 | ---- | C] () -- C:\Users\Public\Desktop\RealPlayer.lnk
    [2012/04/26 17:33:31 | 000,000,981 | ---- | C] () -- C:\Users\jason\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2012/04/26 17:33:31 | 000,000,868 | ---- | C] () -- C:\Users\Public\Desktop\JDownloader.lnk
    [2012/04/26 17:33:31 | 000,000,258 | ---- | C] () -- C:\Users\jason\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
    [2012/04/26 17:33:31 | 000,000,240 | ---- | C] () -- C:\Users\jason\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
    [2012/04/26 15:15:40 | 000,302,592 | ---- | C] () -- C:\Users\jason\Desktop\6gibrndy.exe
    [2012/04/26 15:06:48 | 000,000,956 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/04/26 15:06:47 | 000,024,904 | ---- | C] () -- C:\Windows\SysNative\drivers\mbam.sys
    [2011/11/14 20:36:55 | 000,000,680 | ---- | C] () -- C:\Users\jason\AppData\Local\d3d9caps.dat

    ========== LOP Check ==========

    [2011/11/10 18:32:34 | 000,000,000 | ---D | M] -- C:\Users\jason\AppData\Roaming\Boilsoft
    [2011/07/07 18:07:41 | 000,000,000 | ---D | M] -- C:\Users\jason\AppData\Roaming\DVDFab
    [2009/09/25 17:33:18 | 000,000,000 | ---D | M] -- C:\Users\jason\AppData\Roaming\Maxthon2
    [2011/03/19 13:02:30 | 000,000,000 | ---D | M] -- C:\Users\jason\AppData\Roaming\mkvtoolnix
    [2009/09/25 18:11:18 | 000,000,000 | ---D | M] -- C:\Users\jason\AppData\Roaming\PPLive
    [2009/09/25 17:30:26 | 000,000,000 | ---D | M] -- C:\Users\jason\AppData\Roaming\PPLiveVA
    [2011/11/14 21:19:32 | 000,000,000 | ---D | M] -- C:\Users\jason\AppData\Roaming\QuickScan
    [2009/08/04 19:14:17 | 000,000,000 | ---D | M] -- C:\Users\jason\AppData\Roaming\Seven Zip
    [2009/09/27 20:08:29 | 000,000,000 | ---D | M] -- C:\Users\jason\AppData\Roaming\StreamTorrent
    [2011/02/24 12:53:53 | 000,000,000 | ---D | M] -- C:\Users\jason\AppData\Roaming\VitySoft
    [2012/04/22 21:01:33 | 000,000,000 | ---D | M] -- C:\Users\jason\AppData\Roaming\Vso
    [2012/02/19 19:29:56 | 000,000,000 | ---D | M] -- C:\Users\jason\AppData\Roaming\Yziq
    [2012/02/19 19:22:01 | 000,000,000 | ---D | M] -- C:\Users\jason\AppData\Roaming\Zivouka
    [2012/04/26 20:51:37 | 000,032,644 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Custom Scans ==========

    < %SYSTEMDRIVE%\*.* >
    [2008/01/21 03:50:15 | 000,333,203 | RHS- | M] () -- C:\bootmgr
    [2008/06/16 20:31:33 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
    [2012/04/26 20:57:21 | 000,014,605 | ---- | M] () -- C:\ComboFix.txt
    [2011/05/18 17:03:55 | 000,005,734 | ---- | M] () -- C:\InstallHelper.log
    [2005/09/23 01:39:38 | 000,894,976 | ---- | M] (Microsoft Corporation) -- C:\msdia80.dll
    [2012/04/26 20:52:38 | 312,672,255 | -HS- | M] () -- C:\pagefile.sys

    < %systemroot%\Fonts\*.com >
    [2006/11/02 16:06:41 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
    [2006/11/02 16:06:41 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
    [2006/11/02 16:06:41 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
    [2006/11/02 16:06:41 | 000,030,808 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2006/09/18 22:35:48 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2008/01/21 04:21:59 | 000,000,174 | -HS- | M] () -- C:\Program Files (x86)\desktop.ini

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2011/04/27 19:15:52 | 000,000,221 | -HS- | M] () -- C:\Users\jason\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >
    [2012/04/26 15:15:41 | 000,302,592 | ---- | M] () -- C:\Users\jason\Desktop\6gibrndy.exe
    [2012/04/26 17:52:06 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\jason\Desktop\aswMBR.exe
    [2011/09/20 03:02:40 | 000,083,968 | ---- | M] (Esage Lab) -- C:\Users\jason\Desktop\boot_cleaner.exe
    [2012/04/26 20:01:31 | 004,477,246 | R--- | M] (Swearware) -- C:\Users\jason\Desktop\ComboFix.exe
    [2012/04/26 15:05:36 | 010,063,000 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\jason\Desktop\mbam-setup-1.61.0.1400.exe
    [2012/04/26 21:13:02 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\jason\Desktop\OTL.exe
    [2011/11/17 10:27:32 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Users\jason\Desktop\TFC.exe
    [2012/04/26 17:15:36 | 000,399,264 | ---- | M] (Bleeping Computer, LLC) -- C:\Users\jason\Desktop\unhide.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\tasks\*.* >
    [2012/04/26 20:53:24 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012/04/26 21:13:01 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012/04/26 20:52:43 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
    [2012/04/26 20:51:37 | 000,032,644 | ---- | M] () -- C:\Windows\tasks\SCHEDLGU.TXT

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2009/01/11 21:06:31 | 000,000,402 | -HS- | M] () -- C:\Users\jason\Favorites\desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2009/01/23 18:27:12 | 000,000,795 | ---- | M] () -- C:\ProgramData\hpzinstall.log

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

    < >
    < End of report >
  23. all at sea

    all at sea Newcomer, in training Topic Starter Posts: 60

  24. all at sea

    all at sea Newcomer, in training Topic Starter Posts: 60

    I forgot this, sorry.

    OTL Extras logfile created on: 26/04/2012 21:15:22 - Run 1
    OTL by OldTimer - Version 3.2.42.1 Folder = C:\Users\jason\Desktop
    64bit-Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.6001.18000)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    4.00 Gb Total Physical Memory | 2.64 Gb Available Physical Memory | 66.08% Memory free
    8.22 Gb Paging File | 6.74 Gb Available in Paging File | 81.96% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 449.94 Gb Total Space | 11.42 Gb Free Space | 2.54% Space Free | Partition Type: NTFS

    Computer Name: OFFICE-PC | User Name: jason | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

    ========== Shell Spawning ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" ()
    inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 ()
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    InternetShortcut [print] -- rundll32.exe C:\Windows\system32\mshtml.dll,PrintHTML "%1" ()
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [cmd] -- cmd.exe /s /k pushd "%V" ()
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~2\Office12\ONENOTE.EXE "%L"
    Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~2\Office12\ONENOTE.EXE "%L"
    Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0
    "VistaSp1" = 9F 9E 16 8C DC 5B C8 01 [binary data]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "oobe_av" = 1

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{01943767-EA0F-4C16-A703-C6068163BB4A}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe |
    "{09312CA8-FD14-46CD-A2EC-77EF5A7064E6}" = protocol=17 | dir=in | app=c:\program files (x86)\pplive\ppliveu.exe |
    "{199170A2-95BF-427C-B417-5056D5737F40}" = dir=in | app=c:\program files (x86)\ (x86)\cyberlink\powerdvd\powerdvd.exe |
    "{2048BD4F-B565-4FD7-BE04-65663055E655}" = protocol=6 | dir=in | app=c:\programdata\ppliveva\application\ppap.exe |
    "{316043AA-5BBF-42FD-877B-1F7A0520B878}" = protocol=17 | dir=in | app=c:\programdata\ppliveva\application\ppap.exe |
    "{35143099-3730-4240-B9B9-11CB4BCB1803}" = protocol=6 | dir=in | app=c:\program files (x86)\pplive\pplive.exe |
    "{38C6DF66-04B3-40F0-9704-0CC84EE196F4}" = protocol=17 | dir=in | app=c:\program files (x86)\ppliveva\download.exe |
    "{3D9AA8E1-B323-417D-87EE-B8F8DA5DD006}" = protocol=6 | dir=in | app=c:\program files (x86)\ppliveva\downloadprogress.exe |
    "{426FE995-4074-4B9D-8EE8-58006BB7E944}" = protocol=6 | dir=in | app=c:\program files (x86)\ppliveva\download.exe |
    "{55A410EB-09F4-4584-98CB-2547CC7D218C}" = protocol=17 | dir=in | app=c:\program files (x86)\pplive\pplive.exe |
    "{55B921F7-ED7F-49C6-8569-B52DC8876AA3}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe |
    "{69EB51F6-8E3E-4B45-ADBB-FFEF4B14DD62}" = protocol=17 | dir=in | app=c:\program files (x86)\avg\avg10\avgmfapx.exe |
    "{A4293591-8190-498B-847D-00E888B40B26}" = protocol=17 | dir=in | app=c:\program files (x86)\ppliveva\ppliveva.exe |
    "{BA2C4881-EB68-4794-A9EE-B5A595893AE3}" = protocol=17 | dir=in | app=c:\program files (x86)\ppliveva\downloadprogress.exe |
    "{BC6794B1-A597-4ADE-A517-AD7CE72F4CA3}" = protocol=6 | dir=in | app=c:\program files (x86)\pplive\ppliveu.exe |
    "{E02344D7-12CC-40C6-9574-A1852E10EB9F}" = protocol=6 | dir=in | app=c:\program files (x86)\ppliveva\flvpick.exe |
    "{E5D4A84D-0A3E-4732-9538-33209B0C9861}" = protocol=6 | dir=in | app=c:\program files (x86)\avg\avg10\avgmfapx.exe |
    "{ECBD86DA-B940-486E-A5A3-5E9408DCD303}" = dir=in | app=c:\program files (x86)\ (x86)\cyberlink\powerdirector express\pdx.exe |
    "{ECD4EE7B-10E4-4C39-8A06-CC8D522A391E}" = protocol=17 | dir=in | app=c:\program files (x86)\ppliveva\crashupload.exe |
    "{F1446D3E-CEC0-415B-8070-3D86F0A71B6C}" = protocol=6 | dir=in | app=c:\program files (x86)\ppliveva\crashupload.exe |
    "{FAFBE5E9-E37C-4C00-8931-E3A4200449E5}" = protocol=17 | dir=in | app=c:\program files (x86)\ppliveva\flvpick.exe |
    "{FED0F273-876C-4402-A162-B7D1AB0311B8}" = protocol=6 | dir=in | app=c:\program files (x86)\ppliveva\ppliveva.exe |
    "TCP Query User{19028F86-DF55-40B8-91D3-3CD958D6F527}C:\program files (x86)\sopcast\adv\sopadver.exe" = protocol=6 | dir=in | app=c:\program files (x86)\sopcast\adv\sopadver.exe |
    "TCP Query User{3A86A0D0-4687-4235-930D-8F1A481987D3}C:\users\jason\appdata\roaming\yziq\liewbya.exe" = protocol=6 | dir=in | app=c:\users\jason\appdata\roaming\yziq\liewbya.exe |
    "TCP Query User{40F23AFC-0EAE-4B68-A43F-76ED6D16A1DC}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
    "TCP Query User{455B432D-74B4-4ED7-8EEA-406A2EEC9EF8}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
    "TCP Query User{55C6C619-32BE-40DD-B975-EB5F59E50440}C:\program files (x86)\real\realplayer\realplay.exe" = protocol=6 | dir=in | app=c:\program files (x86)\real\realplayer\realplay.exe |
    "TCP Query User{61263F19-ABAF-4D01-B1B7-80D90001D2EC}C:\program files (x86)\streamtorrent 1.0\streamtorrent.exe" = protocol=6 | dir=in | app=c:\program files (x86)\streamtorrent 1.0\streamtorrent.exe |
    "TCP Query User{9E2BCB3A-8632-44E0-8DAA-71073087E107}C:\program files (x86)\tvants\tvants.exe" = protocol=6 | dir=in | app=c:\program files (x86)\tvants\tvants.exe |
    "TCP Query User{9EADF232-BD4D-4B70-AE17-97CD8D479283}C:\program files (x86)\java\jre6\launch4j-tmp\frd.exe" = protocol=6 | dir=in | app=c:\program files (x86)\java\jre6\launch4j-tmp\frd.exe |
    "TCP Query User{CA38E55A-7677-49AB-BD3F-B4DCFCA5B20B}C:\program files (x86)\java\jre6\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files (x86)\java\jre6\bin\javaw.exe |
    "TCP Query User{CB600C67-EBB3-466D-A757-A00E000D95FC}C:\program files (x86)\stormii\box\stline.exe" = protocol=6 | dir=in | app=c:\program files (x86)\stormii\box\stline.exe |
    "TCP Query User{CBC64387-9843-4343-B541-64E3C178A81F}C:\program files (x86)\java\jre6\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files (x86)\java\jre6\bin\javaw.exe |
    "TCP Query User{DA97EB7C-C4EE-475F-AAF5-7101D63FDCC5}C:\program files (x86)\java\jre6\launch4j-tmp\frd.exe" = protocol=6 | dir=in | app=c:\program files (x86)\java\jre6\launch4j-tmp\frd.exe |
    "TCP Query User{F2BB6FF1-690A-40C7-AD27-4A69ADDCAC89}C:\program files (x86)\stormii\stormpop.exe" = protocol=6 | dir=in | app=c:\program files (x86)\stormii\stormpop.exe |
    "TCP Query User{FFC2D772-F3C1-4530-9E46-B109C332B108}C:\program files (x86)\sopcast\sopcast.exe" = protocol=6 | dir=in | app=c:\program files (x86)\sopcast\sopcast.exe |
    "UDP Query User{22201877-7EAE-4982-AD2F-013A8C42C0F3}C:\program files (x86)\sopcast\adv\sopadver.exe" = protocol=17 | dir=in | app=c:\program files (x86)\sopcast\adv\sopadver.exe |
    "UDP Query User{23F352CF-625F-4AE2-8996-34BDF4C82B99}C:\program files (x86)\streamtorrent 1.0\streamtorrent.exe" = protocol=17 | dir=in | app=c:\program files (x86)\streamtorrent 1.0\streamtorrent.exe |
    "UDP Query User{2D59D20C-086E-4FDD-ADC8-BA455D5297F6}C:\program files (x86)\tvants\tvants.exe" = protocol=17 | dir=in | app=c:\program files (x86)\tvants\tvants.exe |
    "UDP Query User{3C3B691A-EED3-44B5-BF91-4BC680566DC5}C:\program files (x86)\sopcast\sopcast.exe" = protocol=17 | dir=in | app=c:\program files (x86)\sopcast\sopcast.exe |
    "UDP Query User{49B96208-A3D0-4476-AAC8-86548D194B7F}C:\program files (x86)\stormii\box\stline.exe" = protocol=17 | dir=in | app=c:\program files (x86)\stormii\box\stline.exe |
    "UDP Query User{6E041A17-0A2B-4790-B3C0-7131E3DF6A49}C:\program files (x86)\java\jre6\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files (x86)\java\jre6\bin\javaw.exe |
    "UDP Query User{8C95C653-EBF7-482D-9C5A-5000636E3706}C:\program files (x86)\java\jre6\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files (x86)\java\jre6\bin\javaw.exe |
    "UDP Query User{998476E7-8230-461A-9543-6AF6DACD5635}C:\program files (x86)\java\jre6\launch4j-tmp\frd.exe" = protocol=17 | dir=in | app=c:\program files (x86)\java\jre6\launch4j-tmp\frd.exe |
    "UDP Query User{9F4D4178-B17D-46EB-84F4-56D5A7778512}C:\program files (x86)\java\jre6\launch4j-tmp\frd.exe" = protocol=17 | dir=in | app=c:\program files (x86)\java\jre6\launch4j-tmp\frd.exe |
    "UDP Query User{A57AFF31-9DF1-4541-84A5-0590C8F3EACC}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
    "UDP Query User{CE054CF4-469A-475D-AFF2-AFF24406E9AD}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
    "UDP Query User{F73775B2-C662-419C-9FAD-F759D469FDF8}C:\users\jason\appdata\roaming\yziq\liewbya.exe" = protocol=17 | dir=in | app=c:\users\jason\appdata\roaming\yziq\liewbya.exe |
    "UDP Query User{F7B7D7DA-4D72-4971-89ED-F4914087C41E}C:\program files (x86)\real\realplayer\realplay.exe" = protocol=17 | dir=in | app=c:\program files (x86)\real\realplayer\realplay.exe |
    "UDP Query User{F7F8B58B-5FB2-44DD-8C40-B063CD24B657}C:\program files (x86)\stormii\stormpop.exe" = protocol=17 | dir=in | app=c:\program files (x86)\stormii\stormpop.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{20B30DC1-E423-4939-B51D-05C58B0F9BBB}" = HP Photosmart All-In-One Driver Software 10.0 Rel .2
    "{3850334B-82B7-4875-BEFD-CB91F2527565}" = 64 Bit HP CIO Components Installer
    "{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}" = Microsoft Visual C++ 2005 Redistributable (x64)
    "HP Imaging Device Functions" = HP Imaging Device Functions 10.0
    "HP Smart Web Printing" = HP Smart Web Printing
    "HP Solution Center & Imaging Support Tools" = HP Solution Center 10.0
    "HPOCR" = OCR Software by I.R.I.S. 10.0
    "NVIDIA Drivers" = NVIDIA Drivers

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{00030409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Small Business
    "{021C4C4F-C93C-4425-BFFD-C2D16776BFAE}" = Visual C++ 8.0 Runtime Setup Package (x64)
    "{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox
    "{11B83AD3-7A46-4C2E-A568-9505981D4C6F}" = HP Update
    "{18669FF9-C8FE-407a-9F70-E674896B1DB4}" = GPBaseService
    "{195F2C6C-A343-4b10-B1A4-3F00AB9E9DD9}" = Fax
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Suite
    "{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
    "{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
    "{2EA870FA-585F-4187-903D-CB9FFD21E2E0}" = DHTML Editing Component
    "{36FDBE6E-6684-462b-AE98-9A39A1B200CC}" = HPProductAssistant
    "{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 5.0
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{5109C064-813E-4e87-B0DE-C8AF7B5BC02B}" = SmartWebPrintingOC
    "{52A69E11-7CEB-4a7d-9607-68BA4F39A89B}" = DeviceDiscovery
    "{5ACE69F0-A3E8-44eb-88C1-0A841E700180}" = TrayApp
    "{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
    "{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
    "{679EC478-3FF9-4987-B2FF-C2C2B27532A2}" = DocProc
    "{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
    "{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm
    "{6B437F94-056F-4791-AF2C-0D10E2706AF0}" = PanoStandAlone
    "{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{76C24F39-B161-498F-BD8B-C64789812D13}_is1" = ConvertXtoDVD 3.1.2.34
    "{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
    "{80533B67-C407-485D-8B5D-63BB8ED9D878}" = Scan
    "{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
    "{8927E07C-97F7-4A54-88FB-D976F50DD46E}" = Turbo Lister 2
    "{8A85DEAD-7C1F-4368-881C-72AC74CB2E91}" = UnloadSupport
    "{A0B9F8DF-C949-45ed-9808-7DC5C0C19C81}" = Status
    "{A5AB9D5E-52E2-440e-A3ED-9512E253C81A}" = SolutionCenter
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
    "{AC54E544-3E42-443C-A91D-A00A6974C592}" = NVIDIA PhysX v8.10.13
    "{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
    "{ADD5DB49-72CF-11D8-9D75-000129760D75}" = PowerBackup
    "{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
    "{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
    "{b9be267c-e096-4cce-a4fd-f24eec004938}" = PS_AIO_02_ProductContext
    "{c4549405-195f-4450-8865-6be9dc5ad136}" = PS_AIO_02_Software_Min
    "{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
    "{C708333C-B1B9-43be-B797-49FEC7A8D15B}" = C5200
    "{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg
    "{cd0b9359-b716-4fd0-8e0a-09b3e312e8a4}" = PS_AIO_02_Software
    "{cef78f86-19a8-4bbd-91fa-e9b6b2d37348}" = C5200_Help
    "{D36DD326-7280-11D8-97C8-000129760CBE}" = PhotoNow! 1.0
    "{D5A9B7C0-8751-11D8-9D75-000129760D75}" = MediaShow
    "{D99A8E3A-AE5A-4692-8B19-6F16D454E240}" = Destination Component
    "{DD920AB6-2DB9-48B7-8052-0A4F0C4277BC}" = MarketingReg
    "{E3D04529-6EDB-11D8-A372-0050BAE317E1}" = PowerDVD Copy
    "{E6CFBFB5-9232-410C-B353-AF6E614B2681}" = LightScribe System Software 1.10.16.1
    "{EDE721EC-870A-11D8-9D75-000129760D75}" = PowerDirector Express
    "{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F42CD69D-E393-47c8-B2CD-B139C4ADA9A8}" = Copy
    "{FCDBEA60-79F0-4FAE-BBA8-55A26C609A49}" = Visual Studio 2008 x64 Redistributables
    "{FD39EF4B-0B5C-4B33-8D57-2EE865A80EB1}_is1" = Boilsoft Video Joiner 6.56
    "7-Zip" = 7-Zip 4.65
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "AVI MPEG RM WMV Joiner_is1" = AVI/MPEG/RM/WMV Joiner 4.82
    "Avira AntiVir Desktop" = Avira Free Antivirus
    "CDisplay_is1" = CDisplay 1.8
    "coverXP" = coverXP (remove only)
    "DVDFab 8 Qt_is1" = DVDFab 8.1.0.5 (04/07/2011) Qt
    "JDownloader" = JDownloader
    "KLiteCodecPack_is1" = K-Lite Codec Pack 4.5.3 (Standard)
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
    "MKVtoolnix" = MKVtoolnix 4.6.0
    "Mozilla Firefox (3.5.9)" = Mozilla Firefox (3.5.9)
    "NeroMultiInstaller!UninstallKey" = Nero Suite
    "PPLive" = PPLive 1.9
    "RealPlayer 12.0" = RealPlayer
    "SopCast" = SopCast 3.2.4
    "SubtitleWorkshop" = Subtitle Workshop 2.51
    "TVAnts 1.0" = TVAnts 1.0
    "Veetle TV" = Veetle TV 0.9.18
    "VLC media player" = VLC media player 1.1.7
    "VobSub" = VobSub v2.23 (Remove Only)
    "WinRAR archiver" = WinRAR archiver
    "Xvid_is1" = Xvid 1.1.3 final uninstall

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-1318639389-2330378091-3496585167-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 24/04/2012 04:19:40 | Computer Name = Office-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 24/04/2012 05:38:15 | Computer Name = Office-PC | Source = Application Error | ID = 1000
    Description = Faulting application iexplore.exe, version 7.0.6001.18000, time stamp
    0x47918f11, faulting module mshtml.dll, version 7.0.6001.18203, time stamp 0x496ed0f3,
    exception code 0xc0000005, fault offset 0x00097a4e, process id 0xfa4, application
    start time 0x01cd21f731ef9a42.

    Error - 24/04/2012 08:16:33 | Computer Name = Office-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 24/04/2012 12:14:36 | Computer Name = Office-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 24/04/2012 15:16:56 | Computer Name = Office-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 25/04/2012 04:58:24 | Computer Name = Office-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 25/04/2012 11:03:15 | Computer Name = Office-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 25/04/2012 13:01:57 | Computer Name = Office-PC | Source = SideBySide | ID = 16842785
    Description = Activation context generation failed for "C:\Program Files (x86)\Real\RealPlayer\plugins\rmxrend.dll".
    Dependent
    Assembly Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
    could not be found. Please use sxstrace.exe for detailed diagnosis.

    Error - 25/04/2012 13:01:59 | Computer Name = Office-PC | Source = SideBySide | ID = 16842785
    Description = Activation context generation failed for "C:\Program Files (x86)\Real\RealPlayer\plugins\rmxrend.dll".
    Dependent
    Assembly Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
    could not be found. Please use sxstrace.exe for detailed diagnosis.

    Error - 25/04/2012 17:55:52 | Computer Name = Office-PC | Source = WinMgmt | ID = 10
    Description =

    [ ODiag Events ]
    Error - 21/04/2009 17:02:31 | Computer Name = Office-PC | Source = Microsoft Office 12 Diagnostics | ID = 320
    Description =

    [ System Events ]
    Error - 26/04/2012 15:20:56 | Computer Name = Office-PC | Source = HTTP | ID = 15016
    Description =

    Error - 26/04/2012 15:22:34 | Computer Name = Office-PC | Source = Service Control Manager | ID = 7022
    Description =

    Error - 26/04/2012 15:22:35 | Computer Name = Office-PC | Source = Service Control Manager | ID = 7026
    Description =

    Error - 26/04/2012 15:43:50 | Computer Name = Office-PC | Source = Service Control Manager | ID = 7034
    Description =

    Error - 26/04/2012 15:43:50 | Computer Name = Office-PC | Source = Service Control Manager | ID = 7034
    Description =

    Error - 26/04/2012 15:47:17 | Computer Name = Office-PC | Source = Service Control Manager | ID = 7030
    Description =

    Error - 26/04/2012 15:51:32 | Computer Name = Office-PC | Source = Service Control Manager | ID = 7030
    Description =

    Error - 26/04/2012 15:52:43 | Computer Name = Office-PC | Source = HTTP | ID = 15016
    Description =

    Error - 26/04/2012 15:54:21 | Computer Name = Office-PC | Source = Service Control Manager | ID = 7022
    Description =

    Error - 26/04/2012 15:54:22 | Computer Name = Office-PC | Source = Service Control Manager | ID = 7026
    Description =


    < End of report >
  25. Broni

    Broni Malware Annihilator Posts: 46,177   +251

  26. all at sea

    all at sea Newcomer, in training Topic Starter Posts: 60



Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.