Recovery Console vs clean up on Vista

Solved
By learninmypc
Feb 11, 2012
  1. A friend in the building I live in asked me yesterday if I was online & I told him yes.
    Long story short, I found out he got hit with Whitesmoke & I told him I could get it cleaned up by coming in here for help.
    He then asked me about using the Recovery Console instead & I told him he'd lose everything & he knows that.
    To my knowledge, he only had the trial programs on his Vista pc.
    So, my question is, would it be faster for me to use the Recovery Console & then install MS updates, SUPERAntispyware, Mbam, Spybot S&D, Avast, CCleaner & probably SeaMonkey for a browser, WOT & other necessary addons?
    Or get help in here to clean it up?
    I believe it is Vista. Other than that, I know no more about it 'cept he can't get online, yet. TIA :)
  2. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    I assume you're talking about using recovery partition to reset the computer to its original state?
    That will work in most cases.
    However if the computer is infected with some kind of rootkit that won't work.
    To remove a rootkit he'd have to format his hard drive.
    Using recovery partition does NOT format hard drive.
  3. learninmypc

    learninmypc TechSpot Evangelist Topic Starter Posts: 5,093   +223

    Ok, since I'm not too familiar with Vista, I'll tell him & see what he says.
    I don't feel like formatting a hard drive & reinstalling it.
    ALL I do know is I clicked on his Google Chrome Icon & saw a Whitesmoke URL & knew it was not good.
    Thank you Broni
  4. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    Sure thing :)
  5. learninmypc

    learninmypc TechSpot Evangelist Topic Starter Posts: 5,093   +223

  6. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    Keep me posted....
  7. learninmypc

    learninmypc TechSpot Evangelist Topic Starter Posts: 5,093   +223

    As previously stated, I used SAS portable & it found over 385 tracking cookies which were removed & I rebooted.
    Still unable to get online, I used a flash drive to hopefully remove ALL of Norton.
    Still unable to get online, I finally hooked it up to my DSL & am in here in Safe Mode With Networking & running aswMBR ver 0.9.9.1...Will post results in next post.
  8. learninmypc

    learninmypc TechSpot Evangelist Topic Starter Posts: 5,093   +223

    aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
    Run date: 2012-02-11 13:17:33
    -----------------------------
    13:17:33.437 OS Version: Windows 6.0.6001 Service Pack 1
    13:17:33.437 Number of processors: 2 586 0x6B02
    13:17:33.438 ComputerName: HOMEPC UserName: earl
    13:17:33.981 Initialize success
    13:18:27.689 AVAST engine defs: 12021101
    13:19:04.375 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000004c
    13:19:04.378 Disk 0 Vendor: ST325031 3.AH Size: 238475MB BusType: 3
    13:19:04.385 Disk 0 MBR read successfully
    13:19:04.389 Disk 0 MBR scan
    13:19:04.396 Disk 0 unknown MBR code
    13:19:04.400 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 226949 MB offset 63
    13:19:04.434 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 11523 MB offset 464792580
    13:19:04.468 Disk 0 scanning sectors +488392065
    13:19:04.533 Disk 0 scanning C:\Windows\system32\drivers
    13:19:11.444 Service scanning
    13:19:12.559 Modules scanning
    13:19:14.735 Disk 0 trace - called modules:
    13:19:14.754 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
    13:19:14.760 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84fbc030]
    13:19:14.767 3 CLASSPNP.SYS[8072e745] -> nt!IofCallDriver -> [0x84a3d4f0]
    13:19:14.779 5 acpi.sys[8060b6a0] -> nt!IofCallDriver -> \Device\0000004c[0x84a41ab8]
    13:19:15.308 AVAST engine scan C:\Windows
    13:19:16.826 AVAST engine scan C:\Windows\system32
    13:21:34.679 AVAST engine scan C:\Windows\system32\drivers
    13:21:43.791 AVAST engine scan C:\Users\earl.homepc
    13:24:09.058 AVAST engine scan C:\ProgramData
    13:25:53.703 Scan finished successfully
    13:30:48.474 Disk 0 MBR has been saved successfully to "C:\Users\earl.homepc\Desktop\MBR.dat"
    13:30:48.497 The log file has been saved successfully to "C:\Users\earl.homepc\Desktop\aswMBR.txt"
  9. learninmypc

    learninmypc TechSpot Evangelist Topic Starter Posts: 5,093   +223

    When I was doing the Bootkit remover, I got this warning
    What do I do?

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 1 (build 6001), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    ATA_Read(): DeviceIoControl() ERROR 1
    Boot sector MD5 is: 306a70bb88e51c06c67244ab8a2237bf

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...
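A defender-side way to read the partition lines in the aswMBR log above and to re-check the MBR.dat copy that aswMBR saves, as an added example that is not part of aswMBR, Bootkit Remover or any other tool in this thread: it parses a 512-byte MBR image, validates the partition table, hashes the boot-code region, and reports which regions differ from a saved baseline. The sample image, the hashing convention and every function name are constructed assumptions; only the two NTFS partition figures mirror the log.

```python
"""Inspect a 512-byte MBR image (such as the MBR.dat that aswMBR saves) and
compare it against a saved baseline. Added example, not code from any tool
discussed in the thread."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Set

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: executable boot code
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"  # bytes 510..511: boot signature


@dataclass
class PartitionEntry:
    index: int          # 1-based slot in the table
    bootable: bool      # status byte 0x80 = active, 0x00 = inactive
    type_id: int        # 0x07 = HPFS/NTFS/exFAT
    lba_start: int      # first sector of the partition (LBA)
    sector_count: int

    @property
    def size_mb(self) -> int:
        """MiB figure in the style aswMBR prints (512-byte sectors, rounded down)."""
        return self.sector_count * SECTOR_SIZE // (1024 * 1024)

    @property
    def lba_end(self) -> int:
        """First sector after the partition (exclusive end)."""
        return self.lba_start + self.sector_count


def parse_mbr(sector: bytes) -> List[PartitionEntry]:
    """Return the populated partition entries, rejecting malformed tables."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        raw = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status, 3-byte CHS start (skipped), type, 3-byte CHS end (skipped),
        # 32-bit LBA start, 32-bit sector count; all little-endian
        status, type_id, lba_start, count = struct.unpack("<B3xB3xII", raw)
        if type_id == 0:          # empty slot
            continue
        if status not in (0x00, 0x80):
            raise ValueError(f"slot {i + 1}: invalid status byte 0x{status:02x}")
        entries.append(PartitionEntry(i + 1, status == 0x80, type_id, lba_start, count))
    # sanity: nothing may start at the MBR sector itself, and slots must not overlap
    for a in entries:
        if a.lba_start == 0:
            raise ValueError(f"slot {a.index} starts at LBA 0")
        for b in entries:
            if a is not b and a.lba_start < b.lba_end and b.lba_start < a.lba_end:
                raise ValueError(f"slots {a.index} and {b.index} overlap")
    return entries


def is_valid_mbr(sector: bytes) -> bool:
    """True when parse_mbr accepts the image."""
    try:
        parse_mbr(sector)
        return True
    except ValueError:
        return False


def boot_code_md5(sector: bytes) -> str:
    """MD5 over the boot-code region only (our convention, not Bootkit Remover's):
    editing the partition table leaves this hash unchanged, editing code changes it."""
    return hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest()


def diff_regions(current: bytes, baseline: bytes) -> Set[str]:
    """Names of the MBR regions that differ from a saved baseline such as MBR.dat."""
    regions = {
        "boot_code": (0, BOOT_CODE_LEN),
        "disk_signature": (BOOT_CODE_LEN, PART_TABLE_OFF),
        "partition_table": (PART_TABLE_OFF, 510),
        "boot_signature": (510, 512),
    }
    return {name for name, (lo, hi) in regions.items() if current[lo:hi] != baseline[lo:hi]}


def build_sample_mbr() -> bytes:
    """Constructed image: filler boot code plus the two NTFS partitions from the log
    (226949 MB active at offset 63, 11523 MB at offset 464792580)."""
    boot_code = b"\x90" * BOOT_CODE_LEN            # constructed filler, not real code
    disk_sig = b"\x00" * (PART_TABLE_OFF - BOOT_CODE_LEN)

    def entry(status: int, type_id: int, start: int, count: int) -> bytes:
        return struct.pack("<B3xB3xII", status, type_id, start, count)

    table = (
        entry(0x80, 0x07, 63, 464792517)           # ends exactly where slot 2 begins
        + entry(0x00, 0x07, 464792580, 23599104)
        + b"\x00" * 32                             # two empty slots
    )
    return boot_code + disk_sig + table + SIGNATURE


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    for p in parse_mbr(image):
        flag = "(A)" if p.bootable else "   "
        print(f"Partition {p.index} {flag} type 0x{p.type_id:02x} {p.size_mb} MB offset {p.lba_start}")
    print("boot code md5:", boot_code_md5(image))
```

Run it with a path to MBR.dat to list the partitions the way aswMBR does; keep the first saved copy as the baseline for diff_regions on later reads.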
  10. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
    Attached logs won't be reviewed.
  11. learninmypc

    learninmypc TechSpot Evangelist Topic Starter Posts: 5,093   +223

    I will do so.
    I'm not in safe mode with networking now.
     
  12. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    Good :).......
  13. learninmypc

    learninmypc TechSpot Evangelist Topic Starter Posts: 5,093   +223

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.11.06

    Windows Vista Service Pack 1 x86 NTFS
    Internet Explorer 7.0.6001.18000
    earl :: HOMEPC [administrator]

    2/11/2012 2:42:22 PM
    mbam-log-2012-02-11 (14-42-22).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 177996
    Time elapsed: 4 minute(s), 13 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  14. learninmypc

    learninmypc TechSpot Evangelist Topic Starter Posts: 5,093   +223

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 7.0.6001.18000
    Run by earl at 15:25:05 on 2012-02-11
    .
    ============== Running Processes ===============
    .
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.inbox.com/homepage.aspx?tbid=80273&lng=en
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt
    uSearch Page = hxxp://isearch.whitesmoke.com/?q={searchTerms}&babsrc=home&s=web&as=0&isid=9860
    uSearch Bar = hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id&%language
    uSearchAssistant = hxxp://isearch.whitesmoke.com/?q={searchTerms}&babsrc=home&s=web&as=0&isid=9860
    mSearchAssistant = hxxp://toolbar.inbox.com/search/ie.aspx?tbid=80273&lng=en
    mCustomizeSearch = hxxp://toolbar.inbox.com/help/sa_customize.aspx?tbid=80273
    uURLSearchHooks: H - No File
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Shopping Assistant Plugin: {1631550f-191d-4826-b069-d9439253d926} - c:\program files\pricegong\2.5.3\PriceGongIE.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: AppGraffiti: {6f6a5334-78e9-4d9b-8182-8b41ea8c39ef} - c:\progra~1\appgra~1\APPGRA~1.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: : {ccb69577-088b-4004-9ed8-ff5bcc83a039} - c:\progra~1\rebate~1\RebateI.dll
    BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
    BHO: Inbox Toolbar: {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll
    BHO: WeCareReminder Class: {d824f0de-3d60-4f57-9eb1-66033ecd8abb} - c:\programdata\wecarereminder\IEHelperv2.5.0.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: &Inbox Toolbar: {d7e97865-918f-41e4-9cd0-25ab1c574ce8} - c:\progra~1\inboxt~1\Inbox.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [HPADVISOR] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autorun=AUTORUN
    uRun: [Google Update] "c:\users\earl.homepc\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [ChicaPasswordManager] c:\program files\chicalogic\chica password manager\stpass.exe
    uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
    uRun: [Linkury Chrome Smartbar] c:\users\earl.homepc\appdata\local\linkury\application\Linkury.exe startup
    uRun: [RebateInformer] c:\progra~1\rebate~1\REBATE~1.EXE /STARTUP
    uRun: [InstallIQUpdater] "c:\program files\w3i\installiqupdater\InstallIQUpdater.exe" /silent /autorun
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
    mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
    mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
    mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\cyberlink dvd suite deluxe\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\cyberlink dvd suite deluxe" updatewithcreateonce "software\cyberlink\PowerStarter"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.1 184.16.33.54
    TCP: Interfaces\{B1C57204-5091-4C47-8EED-2FA742EAA100} : DhcpNameServer = 192.168.1.1 184.16.33.54
    Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - c:\progra~1\inboxt~1\Inbox.dll
    Handler: rebinfo - {AF808758-C780-404C-A4EE-4526323FD9B6} - c:\progra~1\rebate~1\RebateI.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
    R? gupdate;Google Update Service (gupdate)
    R? gupdatem;Google Update Service (gupdatem)
    R? SASDIFSV;SASDIFSV
    R? SASKUTIL;SASKUTIL
    R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
    S? aswFsBlk;aswFsBlk
    S? aswMonFlt;aswMonFlt
    S? aswSnx;aswSnx
    S? aswSP;aswSP
    S? avast! Antivirus;avast! Antivirus
    .
    =============== Created Last 30 ================
    .
    2012-02-11 23:05:36 -------- d-----w- c:\users\earl.homepc\appdata\local\Mozilla
    2012-02-11 23:05:00 -------- d-----w- c:\program files\SeaMonkey
    2012-02-11 22:40:56 -------- d-----w- c:\users\earl.homepc\appdata\roaming\Malwarebytes
    2012-02-11 22:40:50 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-11 22:40:49 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-11 22:40:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-11 22:30:02 55128 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-02-11 22:30:02 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-02-11 22:29:20 41184 ----a-w- c:\windows\avastSS.scr
    2012-02-11 22:29:02 -------- d-----w- c:\programdata\AVAST Software
    2012-02-11 22:29:02 -------- d-----w- c:\program files\AVAST Software
    2012-02-11 20:56:01 2730536 ----a-w- c:\programdata\microsoft\windows defender\definition updates\backup\mpengine.dll
    2012-02-11 20:55:54 6557240 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c4e7f698-a5a2-4ed5-854d-f8a35872170d}\mpengine.dll
    2012-02-11 20:55:53 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-02-11 19:40:26 -------- d-----w- c:\users\earl.homepc\appdata\roaming\SUPERAntiSpyware.com
    2012-02-11 19:40:26 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-01-27 20:13:15 143360 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
    2012-01-27 20:13:15 143360 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
    2012-01-27 20:13:15 143360 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
    2012-01-27 20:13:15 143360 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
    2012-01-27 20:13:15 143360 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
    2012-01-27 20:13:15 143360 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
    2012-01-27 20:13:14 143360 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
    2012-01-27 20:11:36 -------- d-----w- c:\users\earl.homepc\appdata\local\Apple
    2012-01-25 23:32:31 -------- d-----w- c:\program files\AppGraffiti
    2012-01-25 23:32:23 -------- d-----w- c:\program files\RebateInformer
    2012-01-25 23:32:23 -------- d-----w- c:\program files\Inbox.com
    2012-01-25 23:30:33 -------- d-----w- c:\program files\Inbox Toolbar
    2012-01-23 17:58:35 -------- d-----w- c:\users\earl.homepc\appdata\roaming\RealNetworks
    2012-01-16 17:33:51 -------- d-----w- c:\users\earl.homepc\appdata\local\Real
    2012-01-16 17:33:30 -------- d-----w- c:\program files\common files\xing shared
    2012-01-13 18:19:54 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2012-01-13 18:19:53 17920 ----a-w- c:\windows\system32\netevent.dll
    2012-01-13 18:19:28 378368 ----a-w- c:\windows\system32\winhttp.dll
    .
    ==================== Find3M ====================
    .
    2012-01-16 17:33:11 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2012-01-16 17:33:11 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2012-01-09 20:46:14 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-03 18:02:30 472808 ----a-w- c:\windows\system32\deployJava1.dll
    .
    ============= FINISH: 15:26:49.04 ===============
  15. learninmypc

    learninmypc TechSpot Evangelist Topic Starter Posts: 5,093   +223

    .
    ==== Installed Programs ======================
    .
    ActiveCheck component for HP Active Support Library
    Adobe Flash Player 11 Plugin
    Adobe Flash Player ActiveX
    Amazon Kindle
    AppGraffiti
    Apple Software Update
    ASPCA Tri Reminder by We-Care.com v4.0.13.5
    avast! Free Antivirus
    Community Smartbar
    CyberLink DVD Suite Deluxe
    Google Chrome
    Google Earth
    Google Update Helper
    Hardware Diagnostic Tools
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Active Support Library
    HP Customer Experience Enhancements
    HP Demo
    HP Recovery Manager RSS
    HP Total Care Advisor
    HP Total Care Setup
    HP Update
    HPAsset component for HP Active Support Library
    Inbox Toolbar
    InstallIQ Updater
    Java Auto Updater
    Java(TM) 6 Update 30
    Java(TM) 6 Update 7
    Juno Preloader
    LabelPrint
    LightScribe System Software 1.14.25.1
    LightScribe Template Labeler
    Malwarebytes Anti-Malware version 1.60.1.1000
    Media Player Classic - Home Cinema v1.5.2.3456
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Live Search Toolbar
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Music Oasis
    muvee Reveal
    My HP Games
    NetZero Preloader
    NVIDIA Drivers
    PictureMover
    Power2Go
    PowerDirector
    PriceGong 2.5.3
    Python 2.5.2
    QuickTime
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    Realtek High Definition Audio Driver
    RealUpgrade 1.1
    RebateInformer
    SeaMonkey (2.7.1)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Soft Data Fax Modem with SmartCP
    SPORE Creature Creator Trial Edition
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Yahoo! Software Update
    Yahoo! Toolbar
    .
    ==== End Of File ===========================
  16. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    ...and GMER....
  17. learninmypc

    learninmypc TechSpot Evangelist Topic Starter Posts: 5,093   +223

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-02-11 16:25:58
    Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\0000004f ST325031 rev.3.AH
    Running: gmer.exe; Driver: C:\Users\EARL~1.HOM\AppData\Local\Temp\kfldipow.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8E5137A2]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
    Device \FileSystem\fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- EOF - GMER 1.0.15 ----
  18. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ===========================================================

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  19. learninmypc

    learninmypc TechSpot Evangelist Topic Starter Posts: 5,093   +223

    I've posted them already. Do I need to re do them?
  20. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    Oh, sorry about it :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  21. learninmypc

    learninmypc TechSpot Evangelist Topic Starter Posts: 5,093   +223

    ComboFix 12-02-11.03 - earl 02/11/2012 17:01:54.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2942.1917 [GMT -8:00]
    Running from: c:\users\earl.homepc\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-12 to 2012-02-12 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-11 23:05 . 2012-02-11 23:05 -------- d-----w- c:\users\earl.homepc\AppData\Local\Mozilla
    2012-02-11 23:05 . 2012-02-11 23:05 -------- d-----w- c:\program files\SeaMonkey
    2012-02-11 22:40 . 2012-02-11 22:40 -------- d-----w- c:\users\earl.homepc\AppData\Roaming\Malwarebytes
    2012-02-11 22:40 . 2012-02-11 22:40 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-11 22:40 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-11 22:40 . 2012-02-11 22:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-02-11 22:30 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-02-11 22:30 . 2011-11-28 17:53 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-02-11 22:30 . 2011-11-28 17:52 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-02-11 22:30 . 2011-11-28 17:52 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-02-11 22:30 . 2011-11-28 17:52 55128 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-02-11 22:30 . 2011-11-28 17:51 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-02-11 22:29 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
    2012-02-11 22:29 . 2011-11-28 18:01 199816 ----a-w- c:\windows\system32\aswBoot.exe
    2012-02-11 22:29 . 2012-02-11 22:29 -------- d-----w- c:\programdata\AVAST Software
    2012-02-11 22:29 . 2012-02-11 22:29 -------- d-----w- c:\program files\AVAST Software
    2012-02-11 20:55 . 2012-01-17 12:39 6557240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C4E7F698-A5A2-4ED5-854D-F8A35872170D}\mpengine.dll
    2012-02-11 20:55 . 2012-01-29 13:10 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-02-11 19:40 . 2012-02-11 19:40 -------- d-----w- c:\users\earl.homepc\AppData\Roaming\SUPERAntiSpyware.com
    2012-02-11 19:40 . 2012-02-11 19:40 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-02-01 21:53 . 2012-02-08 22:08 -------- d-----w- c:\program files\Google
    2012-01-27 20:13 . 2012-01-27 20:13 143360 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
    2012-01-27 20:13 . 2012-01-27 20:13 143360 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
    2012-01-27 20:13 . 2012-01-27 20:13 143360 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
    2012-01-27 20:13 . 2012-01-27 20:13 143360 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
    2012-01-27 20:13 . 2012-01-27 20:13 143360 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
    2012-01-27 20:13 . 2012-01-27 20:13 143360 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
    2012-01-27 20:13 . 2012-01-27 20:13 143360 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
    2012-01-27 20:12 . 2012-01-27 20:13 -------- d-----w- c:\program files\QuickTime
    2012-01-27 20:12 . 2012-01-27 20:12 -------- d-----w- c:\programdata\Apple Computer
    2012-01-27 20:11 . 2012-01-27 20:11 -------- d-----w- c:\users\earl.homepc\AppData\Local\Apple
    2012-01-27 20:11 . 2012-01-27 20:11 -------- d-----w- c:\programdata\Apple
    2012-01-27 20:11 . 2012-01-27 20:11 -------- d-----w- c:\program files\Apple Software Update
    2012-01-25 23:32 . 2012-01-25 23:32 -------- d-----w- c:\program files\AppGraffiti
    2012-01-25 23:32 . 2012-02-11 21:59 -------- d-----w- c:\program files\RebateInformer
    2012-01-25 23:32 . 2012-01-25 23:32 -------- d-----w- c:\program files\Inbox.com
    2012-01-25 23:30 . 2012-01-25 23:30 -------- d-----w- c:\program files\Inbox Toolbar
    2012-01-16 17:33 . 2012-01-16 17:33 -------- d-----w- c:\users\earl.homepc\AppData\Local\Real
    2012-01-16 17:33 . 2012-01-16 17:33 -------- d-----w- c:\program files\Common Files\xing shared
    2012-01-16 17:33 . 2012-01-16 17:33 -------- d-----w- c:\program files\Real
    2012-01-15 23:30 . 2012-01-15 23:30 -------- d-----w- c:\users\earl.homepc\AppData\Roaming\Media Player Classic
    2012-01-13 18:19 . 2010-09-06 16:24 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2012-01-13 18:19 . 2010-09-06 16:23 17920 ----a-w- c:\windows\system32\netevent.dll
    2012-01-13 18:19 . 2009-08-24 12:16 378368 ----a-w- c:\windows\system32\winhttp.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-16 17:33 . 2008-11-13 10:50 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2012-01-16 17:33 . 2008-11-13 10:34 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2012-01-09 20:46 . 2012-01-09 20:46 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-03 18:02 . 2012-01-03 18:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F6A5334-78E9-4D9B-8182-8B41EA8C39EF}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CCB69577-088B-4004-9ED8-FF5BCC83A039}]
    2012-01-03 17:38 832680 ----a-w- c:\progra~1\REBATE~1\RebateI.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-11-28 18:01 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
    "HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-10-17 972080]
    "Linkury Chrome Smartbar"="c:\users\earl.homepc\AppData\Local\Linkury\Application\Linkury.exe" [2012-01-25 19768]
    "InstallIQUpdater"="c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe" [2011-10-11 1179648]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-27 13539872]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-27 92704]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
    "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "UpdatePSTShortCut"="c:\program files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2008-09-11 210216]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
    "TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2012-01-16 296056]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    PictureMover.lnk - c:\program files\PictureMover\Bin\PictureMover.exe [2008-9-8 430080]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - kfldipow
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-02-01 21:53]
    .
    2012-02-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-02-01 21:53]
    .
    2012-02-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3556668068-2155704131-84744496-1000Core.job
    - c:\users\earl.homepc\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-01 20:55]
    .
    2012-02-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3556668068-2155704131-84744496-1000UA.job
    - c:\users\earl.homepc\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-01 20:55]
    .
    2012-02-03 c:\windows\Tasks\HPCeeScheduleForearl.job
    - c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-11-13 19:12]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.inbox.com/homepage.aspx?tbid=80273&lng=en
    uSearchAssistant = hxxp://isearch.whitesmoke.com/?q={searchTerms}&babsrc=home&s=web&as=0&isid=9860
    TCP: DhcpNameServer = 192.168.1.1 184.16.33.54
    Handler: rebinfo - {AF808758-C780-404C-A4EE-4526323FD9B6} - c:\progra~1\REBATE~1\RebateI.dll
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKCU-Run-ChicaPasswordManager - c:\program files\ChicaLogic\Chica Password Manager\stpass.exe
    HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-02-11 17:08
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2012-02-11 17:10:11
    ComboFix-quarantined-files.txt 2012-02-12 01:10
    .
    Pre-Run: 168,266,170,368 bytes free
    Post-Run: 169,105,739,776 bytes free
    .
    - - End Of File - - 80E1B03E081E5BE2FBF622525247361D
  22. learninmypc

    learninmypc TechSpot Evangelist Topic Starter Posts: 5,093   +223

    None of the Rkill would work.
  23. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    You run rKill only if Combofix doesn't want to run - not your case.

    All looks clean so far.
    Any current issues?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  24. learninmypc

    learninmypc TechSpot Evangelist Topic Starter Posts: 5,093   +223

    I'll run OTL in a bit, but I thought I'd let you know I'm getting a pop up that says "Smartbar has stopped working correctly. Windows will close the program & notify you if a solution is available"

    AND right behind it is an Avast warning. I'll try to post a screenshot of it shortly.
  25. learninmypc

    learninmypc TechSpot Evangelist Topic Starter Posts: 5,093   +223

    OTL logfile created on: 2/11/2012 5:51:10 PM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\earl.homepc\Desktop
    Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.6001.18000)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.87 Gb Total Physical Memory | 2.07 Gb Available Physical Memory | 72.00% Memory free
    5.97 Gb Paging File | 5.09 Gb Available in Paging File | 85.31% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 221.63 Gb Total Space | 157.33 Gb Free Space | 70.99% Space Free | Partition Type: NTFS
    Drive D: | 11.25 Gb Total Space | 1.54 Gb Free Space | 13.68% Space Free | Partition Type: NTFS
    Drive F: | 955.52 Mb Total Space | 693.20 Mb Free Space | 72.55% Space Free | Partition Type: FAT

    Computer Name: HOMEPC | User Name: earl | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/02/11 17:46:54 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\earl.homepc\Desktop\OTL.exe
    PRC - [2012/01/16 09:33:12 | 000,296,056 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\Update\realsched.exe
    PRC - [2012/01/03 09:38:30 | 001,142,784 | ---- | M] (Inbox.com, Inc.) -- C:\Program Files\RebateInformer\RebateInf.exe
    PRC - [2011/11/28 10:01:24 | 003,744,552 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
    PRC - [2011/10/11 12:49:14 | 001,179,648 | ---- | M] (W3i, LLC) -- C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe
    PRC - [2008/10/28 22:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2008/09/08 15:12:40 | 000,430,080 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\PictureMover\Bin\PictureMover.exe
    PRC - [2007/04/18 07:01:34 | 000,065,536 | ---- | M] (Hewlett-Packard Company) -- C:\hp\support\hpsysdrv.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012/01/23 10:12:24 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\1ba19f8efcff8ad7f972aa38ab9a15f5\System.Runtime.Remoting.ni.dll
    MOD - [2012/01/22 14:55:57 | 000,998,400 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\e3180b4230f052996adb81da3dc64ad0\System.Management.ni.dll
    MOD - [2012/01/22 14:45:06 | 000,627,712 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\1c06ada12457242969cdc35d5af12b01\System.EnterpriseServices.ni.dll
    MOD - [2012/01/22 14:45:06 | 000,627,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\fdbb4d76b37aada9010c49a6e09da067\System.Transactions.ni.dll
    MOD - [2012/01/22 14:45:06 | 000,280,064 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\1c06ada12457242969cdc35d5af12b01\System.EnterpriseServices.Wrapper.dll
    MOD - [2012/01/22 14:44:48 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\aa3e053d433c48e1e8c3f436b4de1ed3\System.Configuration.ni.dll
    MOD - [2012/01/22 14:44:45 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\cfb60f99da570cc494e27e0e8ee747e2\System.Xml.ni.dll
    MOD - [2012/01/22 14:44:29 | 012,430,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\381fb23cb39e1a61e13b8770eb9800ba\System.Windows.Forms.ni.dll
    MOD - [2012/01/22 14:44:16 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\f1aa2385c0109f3059e0e6ba8b58ff68\System.Drawing.ni.dll
    MOD - [2012/01/22 14:43:46 | 006,616,576 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\ca69ec9d6589d3526ee38212ef28e2bb\System.Data.ni.dll
    MOD - [2012/01/22 14:43:30 | 000,368,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\6bebfe5b7776c84cb38efdb2a7c9d447\PresentationFramework.Aero.ni.dll
    MOD - [2012/01/22 14:43:19 | 014,327,808 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\415ef2ec8cbd9f3368da6ade10beae26\PresentationFramework.ni.dll
    MOD - [2012/01/22 14:42:48 | 012,216,320 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\c1498ba4652483d5adddd4c5d3927170\PresentationCore.ni.dll
    MOD - [2012/01/22 14:42:27 | 003,313,664 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\29d729043903b7b4b2ea695db220d866\WindowsBase.ni.dll
    MOD - [2012/01/22 14:42:23 | 007,950,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9dff86a62a525ec8dc827fe9f50298b7\System.ni.dll
    MOD - [2012/01/22 14:42:09 | 011,490,816 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\0309936a8e1672d39b9cf14463ce69f9\mscorlib.ni.dll
    MOD - [2008/10/17 09:39:18 | 000,032,768 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\Content.XmlSerializers.dll
    MOD - [2008/10/17 09:32:58 | 000,007,168 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\RemotingClient.dll
    MOD - [2008/10/17 09:32:54 | 000,057,344 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\Pillars\PCAlerts\PCAlertsPillar.dll
    MOD - [2008/10/17 09:32:48 | 000,118,784 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\ECLibrary.dll
    MOD - [2008/10/17 09:32:46 | 000,010,240 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingClients.dll
    MOD - [2008/10/17 09:32:26 | 000,040,960 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingServer.dll
    MOD - [2008/10/17 09:32:26 | 000,028,672 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingMessages.dll
    MOD - [2008/10/17 09:32:26 | 000,005,632 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingInterface.dll
    MOD - [2008/09/08 15:20:54 | 001,703,936 | ---- | M] () -- C:\Users\earl.homepc\AppData\Roaming\PictureMover\EN-US\Presentation.dll
    MOD - [2008/09/08 15:11:56 | 003,870,720 | ---- | M] () -- C:\Users\earl.homepc\AppData\Roaming\PictureMover\Bin\Core.dll
    MOD - [2008/07/27 10:22:54 | 000,113,664 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
    MOD - [2008/07/27 10:03:15 | 002,933,248 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
    MOD - [2008/07/27 10:03:15 | 000,261,632 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
    MOD - [2008/01/20 18:24:29 | 000,368,640 | ---- | M] () -- C:\Windows\System32\msjetoledb40.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2011/11/28 10:01:23 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2008/11/09 12:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
    SRV - [2008/01/20 18:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


    ========== Driver Services (SafeList) ==========

    DRV - [2011/11/28 09:53:53 | 000,435,032 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
    DRV - [2011/11/28 09:53:35 | 000,314,456 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2011/11/28 09:52:19 | 000,034,392 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2011/11/28 09:52:16 | 000,052,952 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2011/11/28 09:52:07 | 000,055,128 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
    DRV - [2011/11/28 09:51:50 | 000,020,568 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2008/09/26 22:51:00 | 007,478,496 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2008/09/10 04:48:20 | 000,266,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
    DRV - [2008/09/10 04:46:22 | 000,980,992 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DP.sys -- (HSF_DP)
    DRV - [2008/09/04 03:34:34 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
    DRV - [2008/08/01 04:51:14 | 001,052,704 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
    DRV - [2008/07/21 08:12:50 | 000,133,152 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvrd32.sys -- (nvrd32)
    DRV - [2008/07/21 08:12:22 | 000,145,952 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\nvstor32.sys -- (nvstor32)
    DRV - [2008/05/22 01:39:34 | 000,015,360 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvsmu.sys -- (nvsmu)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-3556668068-2155704131-84744496-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.inbox.com/homepage.aspx?tbid=80273&lng=en
    IE - HKU\S-1-5-21-3556668068-2155704131-84744496-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKU\S-1-5-21-3556668068-2155704131-84744496-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://isearch.whitesmoke.com/?q={searchTerms}&babsrc=home&s=web&as=0&isid=9860
    IE - HKU\S-1-5-21-3556668068-2155704131-84744496-1000\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://isearch.whitesmoke.com/?q={searchTerms}&babsrc=home&s=web&as=0&isid=9860
    IE - HKU\S-1-5-21-3556668068-2155704131-84744496-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\npctrl.1.0.30716.0.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.1.13: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.1.13: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.1.13: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.1.13: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=15.0.1.13: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\earl.homepc\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\earl.homepc\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/01/21 14:35:04 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\SeaMonkey 2.7.1\extensions\\Components: C:\Program Files\SeaMonkey\components [2012/02/11 15:05:01 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\SeaMonkey 2.7.1\extensions\\Plugins: C:\Program Files\SeaMonkey\plugins

    [2012/02/11 15:05:36 | 000,000,000 | ---D | M] (No name found) -- C:\Users\earl.homepc\AppData\Roaming\mozilla\Extensions
    [2012/02/11 15:21:10 | 000,000,000 | ---D | M] (No name found) -- C:\Users\earl.homepc\AppData\Roaming\mozilla\SeaMonkey\Profiles\574a9a2d.default\extensions
    [2012/02/11 15:08:53 | 000,000,000 | ---D | M] (WOT) -- C:\Users\earl.homepc\AppData\Roaming\mozilla\SeaMonkey\Profiles\574a9a2d.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    () (No name found) -- C:\USERS\EARL.HOMEPC\APPDATA\ROAMING\MOZILLA\SEAMONKEY\PROFILES\574A9A2D.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
    () (No name found) -- C:\USERS\EARL.HOMEPC\APPDATA\ROAMING\MOZILLA\SEAMONKEY\PROFILES\574A9A2D.DEFAULT\EXTENSIONS\{F13B157F-B174-47E7-A34D-4815DDFDFEB8}.XPI
    () (No name found) -- C:\USERS\EARL.HOMEPC\APPDATA\ROAMING\MOZILLA\SEAMONKEY\PROFILES\574A9A2D.DEFAULT\EXTENSIONS\INSPECTOR@MOZILLA.ORG.XPI

    ========== Chrome ==========

    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Users\earl\AppData\Local\Google\Chrome\Application\16.0.912.63\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\earl\AppData\Local\Google\Chrome\Application\16.0.912.63\pdf.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Users\earl\AppData\Local\Google\Chrome\Application\16.0.912.63\gcswf32.dll
    CHR - plugin: Google Update (Enabled) = C:\Users\earl\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll
    CHR - plugin: Windows Presentation Foundation (Enabled) = C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
    CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\npctrl.1.0.30716.0.dll
    CHR - plugin: Default Plug-in (Enabled) = default_plugin
    CHR - Extension: YouTube = C:\Users\earl\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0\
    CHR - Extension: Google Search = C:\Users\earl\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.14_0\
    CHR - Extension: Gmail = C:\Users\earl\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.3_0\

    O1 HOSTS File: ([2006/09/18 13:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
    O2 - BHO: (AppGraffiti) - {6F6A5334-78E9-4D9B-8182-8B41EA8C39EF} - C:\Program Files\AppGraffiti\AppGraffiti.dll (Omega Partners Ltd)
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O2 - BHO: (no name) - {CCB69577-088B-4004-9ED8-FF5BCC83A039} - C:\Program Files\RebateInformer\RebateI.dll (Inbox.com, Inc.)
    O2 - BHO: (Microsoft Live Search Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
    O2 - BHO: (Inbox Toolbar) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\Program Files\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
    O2 - BHO: (WeCareReminder Class) - {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll (We-Care.com)
    O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
    O3 - HKLM\..\Toolbar: (Microsoft Live Search Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
    O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O3 - HKLM\..\Toolbar: (&Inbox Toolbar) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\Program Files\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
    O3 - HKU\S-1-5-21-3556668068-2155704131-84744496-1000\..\Toolbar\WebBrowser: (&Inbox Toolbar) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\Program Files\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
    O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
    O4 - HKLM..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)
    O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Real\RealPlayer\Update\realsched.exe (RealNetworks, Inc.)
    O4 - HKLM..\Run: [UpdateP2GoShortCut] c:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [UpdatePDIRShortCut] c:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [UpdatePSTShortCut] c:\Program Files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
    O4 - HKU\S-1-5-21-3556668068-2155704131-84744496-1000..\Run: [InstallIQUpdater] C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe (W3i, LLC)
    O4 - HKU\S-1-5-21-3556668068-2155704131-84744496-1000..\Run: [Linkury Chrome Smartbar] C:\Users\earl.homepc\AppData\Local\Linkury\Application\Linkury.exe ()
    O4 - HKU\S-1-5-21-3556668068-2155704131-84744496-1000..\Run: [RebateInformer] C:\Program Files\RebateInformer\RebateInf.exe (Inbox.com, Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\##aswSnx private storage\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3556668068-2155704131-84744496-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3556668068-2155704131-84744496-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
    O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
    O15 - HKU\S-1-5-21-3556668068-2155704131-84744496-1000\..Trusted Ranges: Range1 ([http] in Local intranet)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
    O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 184.16.33.54
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B1C57204-5091-4C47-8EED-2FA742EAA100}: DhcpNameServer = 192.168.1.1 184.16.33.54
    O18 - Protocol\Handler\inbox {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\Program Files\Inbox Toolbar\Inbox.dll (Inbox.com, Inc.)
    O18 - Protocol\Handler\rebinfo {AF808758-C780-404C-A4EE-4526323FD9B6} - C:\Program Files\RebateInformer\RebateI.dll (Inbox.com, Inc.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Users\earl.homepc\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
    O24 - Desktop BackupWallPaper: C:\Users\earl.homepc\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/09/18 13:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: FastUserSwitchingCompatibility - File not found
    NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
    NetSvcs: Nla - File not found
    NetSvcs: Ntmssvc - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: SRService - File not found
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: LogonHours - File not found
    NetSvcs: PCAudit - File not found
    NetSvcs: helpsvc - File not found
    NetSvcs: uploadmgr - File not found

    Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.l3codecp - C:\Windows\System32\l3codecp.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/02/11 17:46:52 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\earl.homepc\Desktop\OTL.exe
    [2012/02/11 17:26:43 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012/02/11 17:09:37 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/02/11 17:00:12 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/02/11 17:00:12 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/02/11 17:00:12 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/02/11 17:00:08 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2012/02/11 17:00:07 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2012/02/11 17:00:05 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/02/11 16:58:13 | 004,402,217 | R--- | C] (Swearware) -- C:\Users\earl.homepc\Desktop\ComboFix.exe
    [2012/02/11 15:24:01 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\earl.homepc\Desktop\dds.scr
    [2012/02/11 15:05:36 | 000,000,000 | ---D | C] -- C:\Users\earl.homepc\AppData\Roaming\Mozilla
    [2012/02/11 15:05:36 | 000,000,000 | ---D | C] -- C:\Users\earl.homepc\AppData\Local\Mozilla
    [2012/02/11 15:05:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SeaMonkey
    [2012/02/11 15:05:00 | 000,000,000 | ---D | C] -- C:\Program Files\SeaMonkey
    [2012/02/11 14:40:56 | 000,000,000 | ---D | C] -- C:\Users\earl.homepc\AppData\Roaming\Malwarebytes
    [2012/02/11 14:40:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/02/11 14:40:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/02/11 14:40:49 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2012/02/11 14:40:48 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012/02/11 14:30:02 | 000,435,032 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
    [2012/02/11 14:30:02 | 000,314,456 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
    [2012/02/11 14:30:02 | 000,055,128 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
    [2012/02/11 14:30:02 | 000,052,952 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
    [2012/02/11 14:30:02 | 000,034,392 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
    [2012/02/11 14:30:02 | 000,020,568 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
    [2012/02/11 14:30:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
    [2012/02/11 14:29:20 | 000,041,184 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
    [2012/02/11 14:29:19 | 000,199,816 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
    [2012/02/11 14:29:02 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
    [2012/02/11 14:29:02 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
    [2012/02/11 13:34:14 | 000,000,000 | ---D | C] -- C:\Users\earl.homepc\Desktop\bootkit_remover
    [2012/02/11 13:16:45 | 004,733,440 | ---- | C] (AVAST Software) -- C:\Users\earl.homepc\Desktop\aswMBR.exe
    [2012/02/11 11:40:26 | 000,000,000 | ---D | C] -- C:\Users\earl.homepc\AppData\Roaming\SUPERAntiSpyware.com
    [2012/02/11 11:40:26 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
    [2012/02/08 14:09:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth
    [2012/02/01 13:53:09 | 000,000,000 | ---D | C] -- C:\Program Files\Google
    [2012/01/27 12:12:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
    [2012/01/27 12:12:02 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
    [2012/01/27 12:12:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer
    [2012/01/27 12:11:36 | 000,000,000 | ---D | C] -- C:\Users\earl.homepc\AppData\Local\Apple
    [2012/01/27 12:11:34 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
    [2012/01/27 12:11:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple
    [2012/01/25 15:32:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AppGraffiti
    [2012/01/25 15:32:31 | 000,000,000 | ---D | C] -- C:\Program Files\AppGraffiti
    [2012/01/25 15:32:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RebateInformer
    [2012/01/25 15:32:23 | 000,000,000 | ---D | C] -- C:\Program Files\RebateInformer
    [2012/01/25 15:32:23 | 000,000,000 | ---D | C] -- C:\Program Files\Inbox.com
    [2012/01/25 15:30:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Inbox Toolbar
    [2012/01/25 15:30:33 | 000,000,000 | ---D | C] -- C:\Program Files\Inbox Toolbar
    [2012/01/23 09:58:35 | 000,000,000 | ---D | C] -- C:\Users\earl.homepc\AppData\Roaming\RealNetworks
    [2012/01/20 15:18:00 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\MCE Logs
    [2012/01/16 09:33:51 | 000,000,000 | ---D | C] -- C:\Users\earl.homepc\AppData\Local\Real
    [2012/01/16 09:33:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
    [2012/01/16 09:33:15 | 000,272,896 | ---- | C] (Progressive Networks) -- C:\Windows\System32\pncrt.dll
    [2012/01/16 09:33:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Real
    [2012/01/16 09:33:06 | 000,000,000 | ---D | C] -- C:\Program Files\Real
    [2012/01/16 09:33:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Real
    [2012/01/16 09:33:00 | 000,000,000 | ---D | C] -- C:\Users\earl.homepc\AppData\Roaming\Real
    [2012/01/15 15:30:10 | 000,000,000 | ---D | C] -- C:\Users\earl.homepc\AppData\Roaming\Media Player Classic
    [2012/01/15 03:02:35 | 000,000,000 | ---D | C] -- C:\Windows\System32\WindowsPowerShell

    ========== Files - Modified Within 30 Days ==========

    [2012/02/11 17:46:54 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\earl.homepc\Desktop\OTL.exe
    [2012/02/11 17:43:16 | 000,070,755 | ---- | M] () -- C:\Users\earl.homepc\Desktop\SMART WARNING.jpg
    [2012/02/11 17:36:25 | 000,604,264 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012/02/11 17:36:25 | 000,103,964 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012/02/11 17:31:20 | 000,000,878 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012/02/11 17:31:09 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/02/11 17:31:09 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/02/11 17:31:04 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/02/11 17:31:01 | 3085,361,152 | -HS- | M] () -- C:\hiberfil.sys
    [2012/02/11 17:16:58 | 001,008,141 | ---- | M] () -- C:\Users\earl.homepc\Desktop\rkill.exe
    [2012/02/11 17:05:00 | 000,000,918 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3556668068-2155704131-84744496-1000UA.job
    [2012/02/11 16:58:24 | 004,402,217 | R--- | M] (Swearware) -- C:\Users\earl.homepc\Desktop\ComboFix.exe
    [2012/02/11 16:58:00 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012/02/11 16:25:21 | 000,001,545 | ---- | M] () -- C:\Users\earl.homepc\Desktop\gmer.exe
    [2012/02/11 16:21:56 | 000,294,216 | ---- | M] () -- C:\Users\earl.homepc\Desktop\gmer.zip
    [2012/02/11 16:05:00 | 000,000,866 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3556668068-2155704131-84744496-1000Core.job
    [2012/02/11 15:24:03 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\earl.homepc\Desktop\dds.scr
    [2012/02/11 15:05:04 | 000,001,821 | ---- | M] () -- C:\Users\earl.homepc\Application Data\Microsoft\Internet Explorer\Quick Launch\SeaMonkey.lnk
    [2012/02/11 15:05:04 | 000,001,797 | ---- | M] () -- C:\Users\Public\Desktop\SeaMonkey.lnk
    [2012/02/11 14:40:51 | 000,000,912 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/02/11 14:30:02 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
    [2012/02/11 14:30:02 | 000,001,835 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
    [2012/02/11 14:13:45 | 000,002,078 | ---- | M] () -- C:\Users\earl.homepc\Desktop\Google Chrome.lnk
    [2012/02/11 14:13:45 | 000,002,040 | ---- | M] () -- C:\Users\earl.homepc\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
    [2012/02/11 13:42:31 | 000,031,591 | ---- | M] () -- C:\Users\earl.homepc\Desktop\WARNING.jpg
    [2012/02/11 13:32:21 | 000,044,607 | ---- | M] () -- C:\Users\earl.homepc\Desktop\bootkit_remover.zip
    [2012/02/11 13:30:48 | 000,000,512 | ---- | M] () -- C:\Users\earl.homepc\Desktop\MBR.dat
    [2012/02/11 13:17:16 | 004,733,440 | ---- | M] (AVAST Software) -- C:\Users\earl.homepc\Desktop\aswMBR.exe
    [2012/02/11 11:39:51 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
    [2012/02/08 14:09:15 | 000,002,079 | ---- | M] () -- C:\Users\Public\Desktop\Google Earth.lnk
    [2012/02/02 18:01:01 | 000,000,318 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForearl.job
    [2012/01/27 12:12:47 | 000,001,732 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
    [2012/01/25 15:32:23 | 000,000,793 | ---- | M] () -- C:\Users\Public\Desktop\RebateInformer.lnk
    [2012/01/25 15:32:23 | 000,000,052 | ---- | M] () -- C:\Users\Public\Desktop\RebateGiant.com.url
    [2012/01/17 14:50:43 | 000,257,768 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2012/01/16 09:33:38 | 000,001,075 | ---- | M] () -- C:\Users\Public\Desktop\RealPlayer.lnk
    [2012/01/16 09:33:15 | 000,272,896 | ---- | M] (Progressive Networks) -- C:\Windows\System32\pncrt.dll

    ========== Files Created - No Company Name ==========

    [2012/02/11 17:43:38 | 000,070,755 | ---- | C] () -- C:\Users\earl.homepc\Desktop\SMART WARNING.jpg
    [2012/02/11 17:16:54 | 001,008,141 | ---- | C] () -- C:\Users\earl.homepc\Desktop\rkill.exe
    [2012/02/11 17:00:12 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/02/11 17:00:12 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/02/11 17:00:12 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/02/11 17:00:12 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/02/11 17:00:12 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/02/11 16:25:21 | 000,001,545 | ---- | C] () -- C:\Users\earl.homepc\Desktop\gmer.exe
    [2012/02/11 16:21:52 | 000,294,216 | ---- | C] () -- C:\Users\earl.homepc\Desktop\gmer.zip
    [2012/02/11 15:05:02 | 000,001,821 | ---- | C] () -- C:\Users\earl.homepc\Application Data\Microsoft\Internet Explorer\Quick Launch\SeaMonkey.lnk
    [2012/02/11 15:05:02 | 000,001,797 | ---- | C] () -- C:\Users\Public\Desktop\SeaMonkey.lnk
    [2012/02/11 14:40:51 | 000,000,912 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/02/11 14:30:02 | 000,001,835 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
    [2012/02/11 13:58:33 | 3085,361,152 | -HS- | C] () -- C:\hiberfil.sys
    [2012/02/11 13:42:31 | 000,031,591 | ---- | C] () -- C:\Users\earl.homepc\Desktop\WARNING.jpg
    [2012/02/11 13:32:21 | 000,044,607 | ---- | C] () -- C:\Users\earl.homepc\Desktop\bootkit_remover.zip
    [2012/02/11 13:30:48 | 000,000,512 | ---- | C] () -- C:\Users\earl.homepc\Desktop\MBR.dat
    [2012/02/11 11:39:51 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
    [2012/02/08 14:09:15 | 000,002,079 | ---- | C] () -- C:\Users\Public\Desktop\Google Earth.lnk
    [2012/02/01 13:53:19 | 000,000,882 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012/02/01 13:53:18 | 000,000,878 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012/01/27 12:12:47 | 000,001,732 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
    [2012/01/27 12:11:34 | 000,001,830 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
    [2012/01/25 15:32:23 | 000,000,793 | ---- | C] () -- C:\Users\Public\Desktop\RebateInformer.lnk
    [2012/01/25 15:32:23 | 000,000,052 | ---- | C] () -- C:\Users\Public\Desktop\RebateGiant.com.url
    [2012/01/16 09:33:38 | 000,001,075 | ---- | C] () -- C:\Users\Public\Desktop\RealPlayer.lnk
    [2008/11/13 02:35:04 | 000,327,680 | ---- | C] () -- C:\Windows\System32\pythoncom25.dll
    [2008/11/13 02:35:04 | 000,102,400 | ---- | C] () -- C:\Windows\System32\pywintypes25.dll
    [2008/11/13 02:19:40 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
    [2008/11/13 02:19:40 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
    [2006/11/02 04:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
    [2006/11/02 04:47:37 | 000,257,768 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
    [2006/11/02 04:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
    [2006/11/02 02:33:01 | 000,604,264 | ---- | C] () -- C:\Windows\System32\perfh009.dat
    [2006/11/02 02:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
    [2006/11/02 02:33:01 | 000,103,964 | ---- | C] () -- C:\Windows\System32\perfc009.dat
    [2006/11/02 02:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
    [2006/11/02 02:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
    [2006/11/02 00:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
    [2006/11/02 00:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
    [2006/11/01 23:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
    [2006/11/01 23:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

    ========== LOP Check ==========

    [2011/12/29 14:42:09 | 000,000,000 | ---D | M] -- C:\Users\earl\AppData\Roaming\PictureMover
    [2012/01/01 12:03:01 | 000,000,000 | ---D | M] -- C:\Users\earl.homepc\AppData\Roaming\PictureMover
    [2012/01/09 11:04:21 | 000,000,000 | ---D | M] -- C:\Users\earl.homepc\AppData\Roaming\Titanium Gears
    [2012/02/11 17:30:02 | 000,032,552 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2006/09/18 13:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
    [2008/01/20 18:24:42 | 000,333,203 | RHS- | M] () -- C:\bootmgr
    [2008/11/13 02:10:46 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
    [2012/02/11 17:10:12 | 000,010,599 | ---- | M] () -- C:\ComboFix.txt
    [2006/09/18 13:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
    [2012/02/11 17:31:01 | 3085,361,152 | -HS- | M] () -- C:\hiberfil.sys
    [2012/02/11 17:31:00 | 3399,233,536 | -HS- | M] () -- C:\pagefile.sys
    [2012/01/01 12:08:15 | 000,000,489 | ---- | M] () -- C:\updatedatfix.log
    [2008/08/26 04:37:52 | 000,000,458 | ---- | M] () -- C:\Windows Sidebar

    < %systemroot%\Fonts\*.com >
    [2006/11/02 04:37:12 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
    [2006/11/02 04:37:12 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
    [2006/11/02 04:37:12 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
    [2006/11/02 04:37:12 | 000,030,808 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2006/09/18 13:37:34 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2006/11/02 04:35:48 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\jnwppr.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2011/11/28 10:01:25 | 000,041,184 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2008/01/20 18:43:21 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2008/01/20 19:14:18 | 016,846,848 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
    [2008/01/20 19:14:08 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
    [2008/01/20 19:14:18 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
    [2006/11/02 02:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
    [2006/11/02 02:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2012/01/02 20:11:24 | 000,000,286 | -HS- | M] () -- C:\Users\earl.homepc\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >
    [2012/02/11 13:17:16 | 004,733,440 | ---- | M] (AVAST Software) -- C:\Users\earl.homepc\Desktop\aswMBR.exe
    [2012/02/11 16:58:24 | 004,402,217 | R--- | M] (Swearware) -- C:\Users\earl.homepc\Desktop\ComboFix.exe
    [2012/02/11 16:25:21 | 000,001,545 | ---- | M] () -- C:\Users\earl.homepc\Desktop\gmer.exe
    [2012/02/11 17:46:54 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\earl.homepc\Desktop\OTL.exe
    [2012/02/11 17:16:58 | 001,008,141 | ---- | M] () -- C:\Users\earl.homepc\Desktop\rkill.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2012/01/01 12:01:53 | 000,000,402 | -HS- | M] () -- C:\Users\earl.homepc\Favorites\desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < End of report >

