Solved System Check virus

[raina]

Hail, benevolent ones,

I have the "System Check" virus - got pop-ups telling me my hard drive wasn't working and that my computer was overheating and so on. I tried to follow the advice on this other website: http://www.myantispyware.com/2012/01/02/how-to-remove-system-check-virus/ , and it did help some... it said to rename some suspicious-looking .exe files whose names consisted of a long string of random letters and numbers, so I renamed them to things like 123.exe, 34.exe, and so on. And after that, as promised, when I rebooted the System Check crap no longer came up and prevented me from doing stuff. So I can find all my files and access the internet and so on normally.

I haven't had much luck properly fixing it though. The next thing that website said to do was to run attrib -h /s /d in the command box, but when I tried that all I got was a string of "Access Denied"s. Then I ran Malwarebytes, and it found a couple things and deleted them (the file named 34.exe, which it deleted, is one of those that I manually renamed earlier - it's presumably a System Check file), but I'm sure that it didn't get everything. My desktop screen is still black (with icons on it for all my documents and programs, but my wallpaper isn't there). I also ran TDSSkiller, but it found nothing.

Below are my starting logs, as requested in the 5-step thread. I had to un-check "Devices" when I did GMER to get it to complete (the first time I tried to run it, it got interrupted mid-scan).

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.03.04.06

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.19190
dawn :: DAWN-PC [administrator]

3/4/2012 7:35:28 PM
mbam-log-2012-03-04 (19-35-28).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 180123
Time elapsed: 9 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\ProgramData\34.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
C:\Users\dawn\AppData\Local\temp\7iOFnfqVi1fCpm.exe.tmp (Rogue.FakeHDD) -> Quarantined and deleted successfully.



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-04 22:13:39
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\0000004f ST316081 rev.3.AD
Running: rs5sw4be (1).exe; Driver: C:\Users\dawn\AppData\Local\Temp\pxldapog.sys


---- System - GMER 1.0.15 ----

SSDT 8B94DD86 ZwCreateSection
SSDT 8B94DD8B ZwSetContextThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0x8BDE1640]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 215 820E1998 4 Bytes [86, DD, 94, 8B]
.text ntkrnlpa.exe!KeSetEvent + 56D 820E1CF0 4 Bytes [8B, DD, 94, 8B]
.text ntkrnlpa.exe!KeSetEvent + 621 820E1DA4 4 Bytes [40, 16, DE, 8B]

---- EOF - GMER 1.0.15 ----



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19190 BrowserJavaVersion: 1.6.0_26
Run by dawn at 22:13:49 on 2012-03-04
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.958.144 [GMT -6:00]
.
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bbc.co.uk/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [DwcShfdOUdbj.exe] c:\programdata\DwcShfdOUdbj.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\users\dawn\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{A822FA93-8917-48F3-B7AB-52199DA2166D} : DhcpNameServer = 192.168.0.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: c:\progra~1\google\google~2\GoogleDesktopNetwork3.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\dawn\appdata\roaming\mozilla\firefox\profiles\7jbhv2ne.default\
FF - prefs.js: browser.startup.homepage - hxxp://home.jzip.com
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-10-12 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-10-12 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-10-12 66616]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-27 21504]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-1-5 652360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-1-5 20464]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-03-05 02:04:48 709968 ----a-w- c:\windows\isRS-000.tmp
2012-03-05 01:19:35 338944 ----a-w- c:\programdata\12.exe
2012-03-05 01:06:47 -------- d-----w- c:\users\dawn\appdata\local\{A5DD2183-4423-4F51-B922-010D7A46F306}
2012-03-05 01:06:31 -------- d-----w- c:\users\dawn\appdata\local\{9EE0D689-ADF1-41F1-BF81-410A98E50207}
2012-03-05 00:49:40 338944 ----a-w- c:\programdata\123.exe
2012-03-02 08:34:38 -------- d-----w- c:\users\dawn\appdata\local\{82A287C0-B25D-4900-9B53-802483FF29CD}
2012-03-02 08:34:25 -------- d-----w- c:\users\dawn\appdata\local\{6F80CF1B-6617-4240-B87C-7580497E53E1}
2012-03-02 07:57:01 6552120 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{cd50030e-f929-4857-a578-7880c717b17c}\mpengine.dll
2012-02-29 21:33:05 -------- d-----w- c:\users\dawn\appdata\local\{2F901420-A044-4056-9883-C1FD56C32E95}
2012-02-29 21:32:52 -------- d-----w- c:\users\dawn\appdata\local\{0CDFF2EA-F450-4DBE-8667-BF4CDEDFB08E}
2012-02-26 19:00:54 -------- d-----w- c:\users\dawn\appdata\local\{74BEBA07-6582-4635-93CB-7F490D9734D3}
2012-02-26 19:00:39 -------- d-----w- c:\users\dawn\appdata\local\{DBE15D7D-DF67-4FCF-9745-C3DF7780D0E3}
2012-02-21 06:12:29 -------- d-----w- c:\users\dawn\appdata\local\{46814D6E-A6EA-44B9-B6DB-15C1333B4EC9}
2012-02-21 06:12:12 -------- d-----w- c:\users\dawn\appdata\local\{F2FD9E30-D9E8-4F1B-BE0F-6BE327AD261C}
2012-02-19 22:08:51 -------- d-----w- c:\users\dawn\appdata\local\{FA1F1255-EE1B-4939-85ED-CD3741C2CE37}
2012-02-16 13:11:33 -------- d-----w- c:\users\dawn\appdata\local\{188844FA-E3B0-4751-85B4-F1ECC09A8EFA}
2012-02-16 00:03:16 680448 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-16 00:03:11 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-02-16 00:03:05 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-02-15 22:43:15 -------- d-----w- c:\users\dawn\appdata\local\{F99B1246-4EAD-4722-8243-726431BC609E}
2012-02-15 22:42:49 -------- d-----w- c:\users\dawn\appdata\local\{BAFEF87A-4758-43E5-9AE7-5197A03BCFE6}
2012-02-13 04:38:26 -------- d-----w- c:\users\dawn\.texlive2011
2012-02-12 23:00:47 -------- d-----w- C:\texlive
2012-02-12 20:01:37 18328 ----a-w- c:\programdata\microsoft\identitycrl\production\ppcrlconfig600.dll
2012-02-12 19:56:12 -------- d-----w- c:\users\dawn\appdata\local\{E0C83C6D-BCAC-4EA8-876C-9F6CBF6A88EE}
2012-02-12 19:55:24 -------- d-----w- c:\users\dawn\appdata\local\{2DE6A306-44F8-414A-B57B-2E1251232137}
2012-02-08 18:54:13 -------- d-----w- c:\users\dawn\appdata\local\{7E731A66-814F-4E2F-847F-D4788D3E6F0B}
2012-02-08 18:53:56 -------- d-----w- c:\users\dawn\appdata\local\{F4C59DA3-DDD3-498C-8DD0-72C15E207D04}
2012-02-07 14:27:00 -------- d-----w- c:\users\dawn\appdata\local\{2D59AF0E-1E7A-4E67-AAA5-1AAE6767729E}
2012-02-07 14:26:43 -------- d-----w- c:\users\dawn\appdata\local\{2F1DA3C7-202A-4A8E-929D-BE3834A667F3}
2012-02-05 18:00:30 -------- d-----w- c:\users\dawn\appdata\local\{105093CE-5287-4448-8FD6-6068FF827452}
2012-02-05 17:59:26 -------- d-----w- c:\users\dawn\appdata\local\{42ED9FE6-3015-4356-BE8A-9438DAB461C6}
.
==================== Find3M ====================
.
2012-01-29 11:10:42 237072 ------w- c:\windows\system32\MpSigStub.exe
2011-12-15 06:22:01 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-15 06:18:03 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-15 06:17:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-15 06:17:35 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-12-15 06:17:35 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-12-15 05:21:27 385024 ----a-w- c:\windows\system32\html.iec
2011-12-15 04:45:13 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-12-15 04:43:48 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-20 08:13:26 9815040 ----a-w- c:\program files\openofficeorg31.msi
2002-03-11 09:06:30 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45:04 1708856 ----a-w- c:\program files\instmsia.exe
.
============= FINISH: 22:14:50.25 ===============

 

[Broni]

Welcome aboard

Please, observe following rules:

• Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
• If you're stuck, or you're not sure about certain step, always ask before doing anything else.
• Please refrain from running tools or applying updates other than those I suggest.
• Never run more than one scan at a time.
• Keep updating me regarding your computer behavior, good, or bad.
• The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
• If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
• I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=====================================================================

Attach.txt part of DDS is missing, so please provide that.

Then....

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

=====================================================================

Download Bootkit Remover to your desktop.

• Unzip downloaded file to your Desktop.
• Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
• It will show a Black screen with some data on it.
• Right click on the screen and click Select All.
• Press CTRL+C
• Open a Notepad and press CTRL+V
• Post the output back here.

 

[raina]

Wow, thanks for the quick response!

I tried running Bootkit, but it doesn't work. I get a pop-up window that says this:

ATA_PASS_THROUGH_DIRECT is not supported by your disk controller
SCSI_PASS_THROUGH_DIRECT will be use [sic] for disk I/O

and then on the Bootkit screen (the black screen with white text), it does come up, but it has red text that says ATA_Read (): DeviceIoControl () Error 1 and I can't do anything.

I'm posting below the DDS log I skipped the first time, and the avast log.

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume3
Install Date: 8/3/2007 2:54:44 AM
System Uptime: 3/4/2012 8:07:27 PM (2 hours ago)
.
Motherboard: Dell Inc. | | 0RY206
Processor: AMD Sempron(tm) Processor 3600+ | Socket AM2 | 2009/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 139 GiB total, 80.043 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 6.556 GiB free.
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Reader 9.4.3
Avira AntiVir Personal - Free Antivirus
Bing Bar
Canon MP Navigator 2.0
Canon MP500
Conexant D850 PCI V.92 Modem
D3DX10
Dell DataSafe Online
Dell Support Center
Dell System Customization Wizard
DellSupport
Digital Line Detect
EarthLink Setup Files
ESET Online Scanner v3
Games, Music, & Photos Launcher
Google Desktop
Heroes of Might and Magic® III Complete
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Internet Service Offers Launcher
Java Auto Updater
Java(TM) 6 Update 22
Java(TM) 6 Update 26
jZip
Malwarebytes Anti-Malware version 1.60.1.1000
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Default Manager
Microsoft Silverlight
Microsoft UI Engine
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Modem Diagnostic Tool
Mozilla Firefox (3.6.11)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MUSHclient (remove only)
NetWaiting
NVIDIA Drivers
NVIDIANetworkDiagnostic
OGA Notifier 2.0.0048.0
OpenOffice.org 3.3
PowerDVD
Product Documentation Launcher
Realtek High Definition Audio Driver
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Segoe UI
Sonic Activation Module
Spelling Dictionaries Support For Adobe Reader 9
SUPERAntiSpyware
TeX Live 2011
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
User's Guides
Winamp
Winamp Detector Plug-in
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Messenger
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
.
==== Event Viewer Messages From Past Week ========
.
3/4/2012 8:14:03 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
3/4/2012 8:09:30 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdrom
3/4/2012 8:09:30 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
3/4/2012 7:23:30 PM, Error: Service Control Manager [7022] - The KtmRm for Distributed Transaction Coordinator service hung on starting.
3/4/2012 7:02:57 PM, Error: EventLog [6008] - The previous system shutdown at 6:58:44 PM on 3/4/2012 was unexpected.
3/2/2012 2:31:50 AM, Error: EventLog [6008] - The previous system shutdown at 2:28:33 AM on 3/2/2012 was unexpected.
2/29/2012 3:28:59 PM, Error: EventLog [6008] - The previous system shutdown at 3:25:33 PM on 2/29/2012 was unexpected.
2/26/2012 5:49:36 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
2/26/2012 12:47:21 PM, Error: EventLog [6008] - The previous system shutdown at 12:43:57 PM on 2/26/2012 was unexpected.
.
==== End Of File ===========================


aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
Run date: 2012-03-05 16:55:25
-----------------------------
16:55:25.759 OS Version: Windows 6.0.6002 Service Pack 2
16:55:25.759 Number of processors: 1 586 0x4F02
16:55:25.759 ComputerName: DAWN-PC UserName: dawn
16:56:16.528 Initialize success
17:02:16.453 AVAST engine defs: 12030501
17:02:52.380 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000004f
17:02:52.380 Disk 0 Vendor: ST316081 3.AD Size: 152587MB BusType: 6
17:02:52.411 Disk 0 MBR read successfully
17:02:52.411 Disk 0 MBR scan
17:02:52.629 Disk 0 Windows VISTA default MBR code
17:02:52.629 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 47 MB offset 63
17:02:52.723 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 98304
17:02:52.770 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 142298 MB offset 21069824
17:02:52.817 Disk 0 scanning sectors +312496128
17:02:52.941 Disk 0 scanning C:\Windows\system32\drivers
17:03:20.522 Service scanning
17:04:15.715 Modules scanning
17:04:31.203 Disk 0 trace - called modules:
17:04:31.781 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys ndis.sys nvmfdx32.sys
17:04:31.781 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84e39338]
17:04:31.796 3 CLASSPNP.SYS[807348b3] -> nt!IofCallDriver -> [0x83b00f08]
17:04:31.796 5 acpi.sys[806136bc] -> nt!IofCallDriver -> \Device\0000004f[0x84494a18]
17:04:34.542 AVAST engine scan C:\Windows
17:04:48.576 AVAST engine scan C:\Windows\system32
17:12:28.293 AVAST engine scan C:\Windows\system32\drivers
17:12:55.686 AVAST engine scan C:\Users\dawn
17:14:10.785 Disk 0 MBR has been saved successfully to "C:\Users\dawn\Desktop\MBR.dat"
17:14:10.878 The log file has been saved successfully to "C:\Users\dawn\Desktop\aswMBR.txt"

 

[Broni]

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

 

[raina]

Okay! Here it is:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows Vista Home Basic Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: Inspiron 531s
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 140):
0x82039000 \SystemRoot\system32\ntkrnlpa.exe
0x82006000 \SystemRoot\system32\hal.dll
0x80404000 \SystemRoot\system32\kdcom.dll
0x8040B000 \SystemRoot\system32\PSHED.dll
0x8041C000 \SystemRoot\system32\BOOTVID.dll
0x80424000 \SystemRoot\system32\CLFS.SYS
0x80465000 \SystemRoot\system32\CI.dll
0x80545000 \SystemRoot\system32\drivers\Wdf01000.sys
0x805C1000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8060B000 \SystemRoot\system32\drivers\acpi.sys
0x80651000 \SystemRoot\system32\drivers\WMILIB.SYS
0x8065A000 \SystemRoot\system32\drivers\msisadrv.sys
0x80662000 \SystemRoot\system32\drivers\pci.sys
0x80689000 \SystemRoot\System32\drivers\partmgr.sys
0x80698000 \SystemRoot\system32\drivers\volmgr.sys
0x806A7000 \SystemRoot\System32\drivers\volmgrx.sys
0x806F1000 \SystemRoot\system32\drivers\pciide.sys
0x806F8000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x80706000 \SystemRoot\System32\drivers\mountmgr.sys
0x80716000 \SystemRoot\system32\drivers\nvraid.sys
0x8072F000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x80750000 \SystemRoot\system32\drivers\atapi.sys
0x80758000 \SystemRoot\system32\drivers\ataport.SYS
0x80776000 \SystemRoot\system32\drivers\nvstor32.sys
0x80790000 \SystemRoot\system32\drivers\storport.sys
0x805CE000 \SystemRoot\system32\drivers\fltmgr.sys
0x807D1000 \SystemRoot\system32\drivers\fileinfo.sys
0x807E1000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x82609000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8267B000 \SystemRoot\system32\drivers\ndis.sys
0x82786000 \SystemRoot\system32\drivers\msrpc.sys
0x827B1000 \SystemRoot\system32\drivers\NETIO.SYS
0x86005000 \SystemRoot\System32\drivers\tcpip.sys
0x860EF000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x86201000 \SystemRoot\System32\Drivers\Ntfs.sys
0x86311000 \SystemRoot\system32\drivers\volsnap.sys
0x8634A000 \SystemRoot\System32\Drivers\spldr.sys
0x86352000 \SystemRoot\System32\Drivers\mup.sys
0x86361000 \SystemRoot\System32\drivers\ecache.sys
0x86388000 \SystemRoot\system32\drivers\disk.sys
0x86399000 \SystemRoot\system32\drivers\crcdisk.sys
0x863D3000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x863DE000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x863E7000 \SystemRoot\system32\DRIVERS\amdk8.sys
0x8610A000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x86114000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x86152000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x86161000 \SystemRoot\system32\DRIVERS\HSXHWBS2.sys
0x861AB000 \SystemRoot\system32\DRIVERS\ks.sys
0x89C0A000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
0x89D0D000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0x89DC1000 \SystemRoot\system32\drivers\modem.sys
0x8A004000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8A091000 \SystemRoot\system32\DRIVERS\nvmfdx32.sys
0x8A204000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x8AB22000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
0x8AB24000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8ABC4000 \SystemRoot\System32\drivers\watchdog.sys
0x8ABD0000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8A192000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8A19D000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8A1B4000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8A1BF000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8A1E2000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x89DCE000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x89DE2000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x861D5000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8A1F1000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x861E5000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8A200000 \SystemRoot\system32\DRIVERS\swenum.sys
0x89C00000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x861F0000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8AC02000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8AC37000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8AC48000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x8BA0B000 \SystemRoot\system32\drivers\portcls.sys
0x8BA38000 \SystemRoot\system32\drivers\drmk.sys
0x8BA75000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8BA7E000 \SystemRoot\System32\Drivers\Null.SYS
0x8BA85000 \SystemRoot\System32\Drivers\Beep.SYS
0x8BA95000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8BA9C000 \SystemRoot\System32\drivers\vga.sys
0x8BAA8000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8BAC9000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8BAD1000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8BAD9000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8BAE4000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8BAF2000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8BAFB000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8BB11000 \SystemRoot\system32\DRIVERS\smb.sys
0x8BB25000 \SystemRoot\system32\drivers\afd.sys
0x8BB6D000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8BB9F000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8BBB5000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8BBC3000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8BBD6000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0x8BBDC000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0x8BA00000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0x8C80C000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8C848000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8C852000 \SystemRoot\System32\Drivers\dfsc.sys
0x8C869000 \SystemRoot\system32\DRIVERS\avipbb.sys
0x8C890000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8C89D000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0x8C8A7000 \SystemRoot\System32\Drivers\dump_nvstor32.sys
0x8C8C1000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x8C8CA000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x8C8DA000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8C8DC000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x8C8E4000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x942A0000 \SystemRoot\System32\win32k.sys
0x8C8ED000 \SystemRoot\System32\drivers\Dxapi.sys
0x8C8F7000 \SystemRoot\system32\DRIVERS\monitor.sys
0x944C0000 \SystemRoot\System32\TSDDD.dll
0x944E0000 \SystemRoot\System32\cdd.dll
0x8C906000 \SystemRoot\system32\drivers\luafv.sys
0x8C921000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0x8C940000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x8C950000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x8C963000 \SystemRoot\system32\drivers\HTTP.sys
0x8C9D0000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x863A2000 \SystemRoot\system32\DRIVERS\bowser.sys
0x8BA5D000 \SystemRoot\System32\drivers\mpsdrv.sys
0x99009000 \SystemRoot\system32\drivers\mrxdav.sys
0x9902A000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x99049000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x99082000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x9909A000 \SystemRoot\System32\DRIVERS\srv2.sys
0x990C2000 \SystemRoot\System32\DRIVERS\srv.sys
0x99111000 \SystemRoot\system32\drivers\spsys.sys
0x991D9000 \SystemRoot\system32\DRIVERS\dsunidrv.sys
0x991DB000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0x80C06000 \SystemRoot\system32\drivers\peauth.sys
0x80CE4000 \SystemRoot\System32\Drivers\fastfat.SYS
0x80D0C000 \SystemRoot\System32\Drivers\secdrv.SYS
0x80D16000 \SystemRoot\System32\drivers\tcpipreg.sys
0x80D22000 \SystemRoot\system32\DRIVERS\xaudio.sys
0x80D2A000 \??\C:\Windows\system32\drivers\mbam.sys
0x80D2E000 \??\C:\Users\dawn\AppData\Local\Temp\aswMBR.sys
0x77BE0000 \Windows\System32\ntdll.dll

Processes (total 59):
0 System Idle Process
4 System
428 C:\Windows\System32\smss.exe
496 csrss.exe
544 C:\Windows\System32\wininit.exe
552 csrss.exe
592 C:\Windows\System32\services.exe
624 C:\Windows\System32\lsass.exe
632 C:\Windows\System32\lsm.exe
640 C:\Windows\System32\winlogon.exe
808 C:\Windows\System32\svchost.exe
868 C:\Windows\System32\nvvsvc.exe
892 C:\Windows\System32\svchost.exe
928 C:\Windows\System32\svchost.exe
996 C:\Windows\System32\svchost.exe
1092 C:\Windows\System32\svchost.exe
1108 C:\Windows\System32\svchost.exe
1168 C:\Windows\System32\audiodg.exe
1192 C:\Windows\System32\svchost.exe
1208 C:\Windows\System32\SLsvc.exe
1240 C:\Windows\System32\svchost.exe
1324 C:\Windows\System32\rundll32.exe
1464 C:\Windows\System32\svchost.exe
1612 C:\Windows\System32\spoolsv.exe
1648 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1664 C:\Windows\System32\svchost.exe
2024 C:\Windows\System32\taskeng.exe
244 C:\Windows\System32\dwm.exe
300 C:\Windows\explorer.exe
1536 C:\Windows\RtHDVCpl.exe
1152 C:\Program Files\SUPERAntiSpyware\SASCore.exe
2008 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
1156 C:\Windows\System32\svchost.exe
1896 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
2160 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
2236 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
2288 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2332 C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
2388 C:\Program Files\Microsoft\BingBar\SeaPort.EXE
2432 C:\Windows\System32\svchost.exe
2476 C:\Windows\System32\svchost.exe
2532 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
2592 C:\Windows\System32\SearchIndexer.exe
2624 C:\Windows\System32\drivers\XAudio.exe
2696 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
3052 C:\Program Files\OpenOffice.org 3\program\soffice.exe
3488 C:\Program Files\OpenOffice.org 3\program\soffice.bin
1288 C:\Windows\System32\svchost.exe
3420 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
3392 C:\Windows\System32\taskeng.exe
3596 C:\Program Files\Internet Explorer\iexplore.exe
2188 C:\Program Files\Internet Explorer\iexplore.exe
2096 C:\Windows\System32\Macromed\Flash\FlashUtil11e_ActiveX.exe
4092 C:\texlive\2011\bin\win32\texworks.exe
4076 C:\texlive\2011\tlpkg\texworks\texworks.exe
3956 C:\Windows\System32\SearchProtocolHost.exe
1028 C:\Windows\System32\SearchFilterHost.exe
1892 C:\Windows\System32\SearchProtocolHost.exe
3640 C:\Users\dawn\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`83000000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`03000000 (NTFS)

PhysicalDrive0 Model Number: ST3160815AS, Rev: 3.AD

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows Vista MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Done!

 

[Broni]

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
• Close any open browsers.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
• Double click on combofix.exe & follow the prompts.

• 
  NOTE1. If Combofix asks you to install Recovery Console, please allow it.
  NOTE 2. If Combofix asks you to update the program, always do so.

• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe

• Double-click on the Rkill icon to run the tool.
• If using Vista or Windows 7 right-click on it and choose Run As Administrator.
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• Do not reboot until instructed.
• If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[raina]

Cool! My desktop wallpaper isn't back yet (the only noticeable symptom of the virus at this point) but Combofix deleted some stuff.... Here's the log:

ComboFix 12-03-04.02 - dawn 03/05/2012 18:07:12.3.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.958.411 [GMT -6:00]
Running from: c:\users\dawn\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\~XhR5rXAe2w5YSI
c:\programdata\~XhR5rXAe2w5YSIr
c:\programdata\~ZaC8aMM5BeTe5t
c:\programdata\~ZaC8aMM5BeTe5tr
c:\programdata\12.exe
c:\programdata\123.exe
c:\users\dawn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
c:\users\dawn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\System Check.lnk
c:\users\dawn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\windows\security\Database\tmp.edb
.
.
((((((((((((((((((((((((( Files Created from 2012-02-06 to 2012-03-06 )))))))))))))))))))))))))))))))
.
.
2012-03-06 00:19 . 2012-03-06 00:19 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-03-06 00:19 . 2012-03-06 00:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-02 07:57 . 2012-02-08 06:03 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CD50030E-F929-4857-A578-7880C717B17C}\mpengine.dll
2012-02-16 00:03 . 2011-12-14 16:17 680448 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-16 00:03 . 2012-01-12 19:52 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-02-16 00:03 . 2011-12-20 10:56 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-02-13 04:38 . 2012-02-13 04:38 -------- d-----w- c:\users\dawn\.texlive2011
2012-02-12 23:00 . 2012-02-12 23:00 -------- d-----w- C:\texlive
2012-02-12 20:01 . 2012-02-12 20:01 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-29 11:10 . 2009-10-02 16:45 237072 ------w- c:\windows\system32\MpSigStub.exe
2011-12-10 21:24 . 2009-01-06 03:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-20 08:13 . 2009-08-20 08:13 9815040 ----a-w- c:\program files\openofficeorg31.msi
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-02-08 4617600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-15 4390912]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-01-13 981680]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-04 281768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-01-13 981680]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\users\dawn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2007-08-03 08:26 1862144 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2006-10-03 15:35 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-10-03 15:37 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-05-03 05:16 13535776 ----a-w- c:\windows\System32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-03 05:16 92704 ----a-w- c:\windows\System32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
2008-05-03 05:16 526880 ----a-w- c:\windows\System32\nvsvc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 21:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-03-15 13:32 4390912 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-07-12 16:32 74752 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\dawn\AppData\Roaming\Mozilla\Firefox\Profiles\7jbhv2ne.default\
FF - prefs.js: browser.startup.homepage - hxxp://home.jzip.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-DwcShfdOUdbj.exe - c:\programdata\DwcShfdOUdbj.exe
MSConfigStartUp-Symantec PIF AlertEng - c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-05 18:20
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-03-05 18:28:33
ComboFix-quarantined-files.txt 2012-03-06 00:28
ComboFix2.txt 2010-10-22 17:51
ComboFix3.txt 2010-10-21 22:44
.
Pre-Run: 87,154,233,344 bytes free
Post-Run: 87,612,542,976 bytes free
.
- - End Of File - - 0A51065269640AA5DAFE4FE334F98374

 

[Broni]

See if you can change your background manually.

Combofix log looks good.

Any other current issues?

Download OTL to your Desktop.

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Click the Scan All Users checkbox.
• Under the Custom Scan box paste this in:

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\tasks\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

 

[raina]

Re-setting my desktop wallpaper worked just fine. I'm glad things are looking good. Here is the first OTL log:

OTL logfile created on: 3/5/2012 6:52:31 PM - Run 1
OTL by OldTimer - Version 3.2.35.1 Folder = C:\Users\dawn\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19190)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

957.76 Mb Total Physical Memory | 360.09 Mb Available Physical Memory | 37.60% Memory free
2.13 Gb Paging File | 1.36 Gb Available in Paging File | 63.80% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 138.96 Gb Total Space | 81.53 Gb Free Space | 58.67% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.56 Gb Free Space | 65.56% Space Free | Partition Type: NTFS

Computer Name: DAWN-PC | User Name: dawn | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/05 18:51:25 | 000,584,704 | ---- | M] (OldTimer Tools) -- C:\Users\dawn\Desktop\OTL.exe
PRC - [2012/01/13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/11/14 12:10:19 | 000,247,968 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashUtil11e_ActiveX.exe
PRC - [2011/08/11 17:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCore.exe
PRC - [2011/06/28 10:25:34 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/04/27 15:15:47 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/02/25 09:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE
PRC - [2011/01/17 17:37:40 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2011/01/17 17:37:40 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2010/11/04 10:20:36 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/04/11 00:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2007/03/15 07:32:14 | 004,390,912 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe


========== Modules (No Company Name) ==========

MOD - [2011/05/15 00:53:15 | 000,985,088 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\program\libxml2.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/01/13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/08/11 17:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2011/06/28 10:25:34 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/04/27 15:15:47 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011/02/28 17:44:14 | 000,183,560 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/02/25 09:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (SeaPort)
SRV - [2008/01/19 01:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/03/19 10:44:44 | 000,070,656 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (catchme)
DRV - [2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/07/22 10:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 15:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/06/28 10:25:42 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/06/28 10:25:41 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/07/14 17:54:00 | 009,557,216 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2009/05/11 09:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2007/03/23 05:09:16 | 000,129,832 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvrd32.sys -- (nvrd32)
DRV - [2007/03/23 05:09:16 | 000,101,160 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2007/03/15 07:57:30 | 001,059,112 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2007/02/25 10:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2006/11/02 01:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2006/11/02 01:30:55 | 000,200,704 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
DRV - [2006/10/18 12:08:18 | 000,258,048 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2006/10/05 15:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/08/04 18:39:10 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7DKUS


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3162089250-4011727672-1247853657-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
IE - HKU\S-1-5-21-3162089250-4011727672-1247853657-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-3162089250-4011727672-1247853657-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-3162089250-4011727672-1247853657-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7DKUS
IE - HKU\S-1-5-21-3162089250-4011727672-1247853657-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chrf-i3752"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-i3752"
FF - prefs.js..browser.startup.homepage: "http://home.jzip.com"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/21 22:03:41 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/14 15:03:38 | 000,000,000 | ---D | M]

[2009/01/19 13:37:33 | 000,000,000 | ---D | M] (No name found) -- C:\Users\dawn\AppData\Roaming\Mozilla\Extensions
[2012/02/12 17:08:51 | 000,000,000 | ---D | M] (No name found) -- C:\Users\dawn\AppData\Roaming\Mozilla\Firefox\Profiles\7jbhv2ne.default\extensions
[2009/09/19 13:12:04 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\dawn\AppData\Roaming\Mozilla\Firefox\Profiles\7jbhv2ne.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/12/28 12:35:21 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/23 05:02:54 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/10/21 08:16:17 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/01/22 15:37:07 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/03/10 12:40:18 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/07/16 11:23:11 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2011/05/04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010/07/12 10:33:56 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\mozilla firefox\plugins\npwachk.dll

O1 HOSTS File: ([2012/03/05 18:19:50 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKU\S-1-5-21-3162089250-4011727672-1247853657-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKU\S-1-5-21-3162089250-4011727672-1247853657-1000..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - Startup: C:\Users\dawn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3162089250-4011727672-1247853657-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3162089250-4011727672-1247853657-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 File not found
O15 - HKU\S-1-5-21-3162089250-4011727672-1247853657-1000\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A822FA93-8917-48F3-B7AB-52199DA2166D}: DhcpNameServer = 192.168.0.1
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Users\dawn\Pictures\Backgrounds\harbinger2k911280.jpg
O24 - Desktop BackupWallPaper: C:\Users\dawn\Pictures\Backgrounds\harbinger2k911280.jpg
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 15:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/03/05 18:51:16 | 000,584,704 | ---- | C] (OldTimer Tools) -- C:\Users\dawn\Desktop\OTL.exe
[2012/03/05 18:28:43 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/03/05 18:27:39 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/03/05 17:57:46 | 004,427,148 | R--- | C] (Swearware) -- C:\Users\dawn\Desktop\ComboFix.exe
[2012/03/05 16:54:20 | 000,000,000 | ---D | C] -- C:\Users\dawn\Desktop\bootkit_remover
[2012/03/05 16:54:19 | 004,730,880 | ---- | C] (AVAST Software) -- C:\Users\dawn\Desktop\aswMBR.exe
[2012/03/05 14:32:09 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Local\{132B2796-D80E-4EE9-A48C-DD4A91BA3CA7}
[2012/03/05 14:31:53 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Local\{A956B4AB-D815-4168-A4A0-8CF7A5C1C05E}
[2012/03/04 21:18:01 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\dawn\Desktop\dds.scr
[2012/03/04 21:12:21 | 000,000,000 | ---D | C] -- C:\Users\dawn\Desktop\tdsskiller
[2012/03/04 19:06:47 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Local\{A5DD2183-4423-4F51-B922-010D7A46F306}
[2012/03/04 19:06:31 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Local\{9EE0D689-ADF1-41F1-BF81-410A98E50207}
[2012/03/02 02:34:38 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Local\{82A287C0-B25D-4900-9B53-802483FF29CD}
[2012/03/02 02:34:25 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Local\{6F80CF1B-6617-4240-B87C-7580497E53E1}
[2012/02/29 15:33:05 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Local\{2F901420-A044-4056-9883-C1FD56C32E95}
[2012/02/29 15:32:52 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Local\{0CDFF2EA-F450-4DBE-8667-BF4CDEDFB08E}
[2012/02/26 13:00:54 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Local\{74BEBA07-6582-4635-93CB-7F490D9734D3}
[2012/02/26 13:00:39 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Local\{DBE15D7D-DF67-4FCF-9745-C3DF7780D0E3}
[2012/02/21 00:12:29 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Local\{46814D6E-A6EA-44B9-B6DB-15C1333B4EC9}
[2012/02/21 00:12:12 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Local\{F2FD9E30-D9E8-4F1B-BE0F-6BE327AD261C}
[2012/02/19 16:08:51 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Local\{FA1F1255-EE1B-4939-85ED-CD3741C2CE37}
[2012/02/16 07:11:33 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Local\{188844FA-E3B0-4751-85B4-F1ECC09A8EFA}
[2012/02/15 16:43:15 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Local\{F99B1246-4EAD-4722-8243-726431BC609E}
[2012/02/15 16:42:49 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Local\{BAFEF87A-4758-43E5-9AE7-5197A03BCFE6}
[2012/02/12 23:27:30 | 000,000,000 | ---D | C] -- C:\Users\dawn\Desktop\TeX documents
[2012/02/12 22:38:26 | 000,000,000 | ---D | C] -- C:\Users\dawn\.texlive2011
[2012/02/12 22:32:17 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TeX Live 2011
[2012/02/12 17:00:47 | 000,000,000 | ---D | C] -- C:\texlive
[2012/02/12 13:56:12 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Local\{E0C83C6D-BCAC-4EA8-876C-9F6CBF6A88EE}
[2012/02/12 13:55:24 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Local\{2DE6A306-44F8-414A-B57B-2E1251232137}
[2012/02/08 12:54:13 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Local\{7E731A66-814F-4E2F-847F-D4788D3E6F0B}
[2012/02/08 12:53:56 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Local\{F4C59DA3-DDD3-498C-8DD0-72C15E207D04}
[2012/02/07 08:27:00 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Local\{2D59AF0E-1E7A-4E67-AAA5-1AAE6767729E}
[2012/02/07 08:26:43 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Local\{2F1DA3C7-202A-4A8E-929D-BE3834A667F3}
[2012/02/05 12:00:30 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Local\{105093CE-5287-4448-8FD6-6068FF827452}
[2012/02/05 11:59:26 | 000,000,000 | ---D | C] -- C:\Users\dawn\AppData\Local\{42ED9FE6-3015-4356-BE8A-9438DAB461C6}
[1 C:\Users\dawn\Desktop\*.tmp files -> C:\Users\dawn\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/05 18:51:25 | 000,584,704 | ---- | M] (OldTimer Tools) -- C:\Users\dawn\Desktop\OTL.exe
[2012/03/05 18:33:32 | 000,003,552 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/03/05 18:33:31 | 000,003,552 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/03/05 18:33:22 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/03/05 18:33:18 | 1005,051,904 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/05 18:19:50 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/03/05 17:57:49 | 004,427,148 | R--- | M] (Swearware) -- C:\Users\dawn\Desktop\ComboFix.exe
[2012/03/05 17:36:32 | 000,080,384 | ---- | M] () -- C:\Users\dawn\Desktop\MBRCheck.exe
[2012/03/05 17:14:10 | 000,000,512 | ---- | M] () -- C:\Users\dawn\Desktop\MBR.dat
[2012/03/05 16:54:20 | 004,730,880 | ---- | M] (AVAST Software) -- C:\Users\dawn\Desktop\aswMBR.exe
[2012/03/04 21:11:02 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\dawn\Desktop\dds.scr
[2012/03/04 21:10:08 | 000,302,592 | ---- | M] () -- C:\Users\dawn\Desktop\rs5sw4be (1).exe
[2012/03/04 19:21:58 | 000,000,456 | ---- | M] () -- C:\ProgramData\56
[2012/03/04 19:07:22 | 000,000,440 | ---- | M] () -- C:\ProgramData\78
[2012/03/04 18:49:58 | 000,000,631 | ---- | M] () -- C:\Users\dawn\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/03/04 00:42:17 | 000,064,938 | ---- | M] () -- C:\Users\dawn\Desktop\deleting ****.rtf
[2012/03/03 17:15:57 | 000,000,094 | ---- | M] () -- C:\Users\dawn\psv.ini
[2012/02/28 03:05:08 | 000,604,264 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/02/28 03:05:08 | 000,103,964 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/02/28 01:11:31 | 000,033,516 | ---- | M] () -- C:\Users\dawn\Desktop\comments.odt
[2012/02/27 04:17:48 | 000,024,357 | ---- | M] () -- C:\Users\dawn\Desktop\comments on paper 2.rtf
[2012/02/16 03:42:30 | 000,352,104 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[1 C:\Users\dawn\Desktop\*.tmp files -> C:\Users\dawn\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/05 17:36:32 | 000,080,384 | ---- | C] () -- C:\Users\dawn\Desktop\MBRCheck.exe
[2012/03/05 17:14:10 | 000,000,512 | ---- | C] () -- C:\Users\dawn\Desktop\MBR.dat
[2012/03/04 21:18:05 | 000,302,592 | ---- | C] () -- C:\Users\dawn\Desktop\rs5sw4be (1).exe
[2012/03/04 20:58:59 | 000,000,951 | ---- | C] () -- C:\Users\dawn\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk
[2012/03/04 19:54:15 | 001,008,120 | ---- | C] () -- C:\Users\dawn\Desktop\rkill.com
[2012/03/04 19:19:58 | 000,000,456 | ---- | C] () -- C:\ProgramData\56
[2012/03/04 19:05:24 | 000,000,631 | ---- | C] () -- C:\Users\dawn\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/03/04 18:49:48 | 000,000,440 | ---- | C] () -- C:\ProgramData\78
[2012/02/27 23:02:11 | 000,033,516 | ---- | C] () -- C:\Users\dawn\Desktop\comments.odt
[2012/02/14 22:20:13 | 000,024,357 | ---- | C] () -- C:\Users\dawn\Desktop\comments on paper 2.rtf
[2012/02/12 23:12:50 | 000,000,094 | ---- | C] () -- C:\Users\dawn\psv.ini
[2011/12/11 14:37:08 | 000,008,888 | -HS- | C] () -- C:\Users\dawn\AppData\Local\8f34yf7m41b300
[2011/12/11 14:37:08 | 000,008,888 | -HS- | C] () -- C:\ProgramData\8f34yf7m41b300
[2010/10/21 16:27:07 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2010/10/21 16:27:07 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2010/10/21 16:27:07 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/10/21 16:27:07 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/10/21 16:27:07 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe

========== LOP Check ==========

[2011/08/01 08:14:09 | 000,000,000 | ---D | M] -- C:\Users\dawn\AppData\Roaming\Canon
[2009/01/05 20:30:16 | 000,000,000 | ---D | M] -- C:\Users\dawn\AppData\Roaming\My Games
[2009/11/04 21:04:31 | 000,000,000 | ---D | M] -- C:\Users\dawn\AppData\Roaming\OpenOffice.org
[2012/03/05 18:32:17 | 000,032,644 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2006/09/18 15:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2009/04/11 00:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
[2006/11/10 15:59:07 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2012/03/05 18:28:37 | 000,014,502 | ---- | M] () -- C:\ComboFix.txt
[2006/09/18 15:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2007/08/03 09:46:33 | 000,004,696 | R--- | M] () -- C:\dell.sdr
[2012/03/05 18:33:18 | 1005,051,904 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/05 18:33:17 | 1318,854,656 | -HS- | M] () -- C:\pagefile.sys
[2012/03/04 19:55:30 | 000,000,421 | ---- | M] () -- C:\rkill.log
[2007/08/03 02:31:55 | 000,000,071 | ---- | M] () -- C:\SystemInfo.ini
[2012/03/04 21:17:49 | 000,071,770 | ---- | M] () -- C:\TDSSKiller.2.7.18.0_04.03.2012_21.12.40_log.txt
[2008/10/19 10:06:22 | 000,591,296 | ---- | M] (Discordia Limited) -- C:\WebmailPlugin.dll

< %systemroot%\Fonts\*.com >
[2006/11/02 06:35:34 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2006/11/02 06:35:34 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2006/11/02 06:35:34 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2010/10/21 20:39:27 | 000,037,665 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2006/09/18 15:37:34 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2006/11/02 03:46:03 | 000,070,144 | ---- | M] (CANON INC.) -- C:\Windows\system32\spool\prtprocs\w32x86\CNBPP3.DLL
[2006/09/13 05:00:00 | 000,027,136 | ---- | M] (CANON INC.) -- C:\Windows\system32\spool\prtprocs\w32x86\CNMPD7L.DLL
[2006/09/13 05:00:00 | 000,069,632 | ---- | M] (CANON INC.) -- C:\Windows\system32\spool\prtprocs\w32x86\CNMPP7L.DLL

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2009/01/23 10:05:24 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini
[2002/03/11 02:45:04 | 001,708,856 | ---- | M] (Microsoft Corporation) -- C:\Program Files\instmsia.exe
[2002/03/11 03:06:30 | 001,822,520 | ---- | M] (Microsoft Corporation) -- C:\Program Files\instmsiw.exe
[2009/08/20 02:15:08 | 135,630,545 | ---- | M] () -- C:\Program Files\openofficeorg1.cab
[2009/08/20 02:13:26 | 009,815,040 | ---- | M] () -- C:\Program Files\openofficeorg31.msi
[2009/08/19 02:31:00 | 000,000,336 | ---- | M] () -- C:\Program Files\setup.ini

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2006/11/02 04:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/02 04:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/02 04:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 04:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 04:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2010/10/24 00:59:33 | 000,000,281 | -HS- | M] () -- C:\Users\dawn\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

< %USERPROFILE%\Desktop\*.exe >
[2012/03/05 16:54:20 | 004,730,880 | ---- | M] (AVAST Software) -- C:\Users\dawn\Desktop\aswMBR.exe
[2012/03/05 17:57:49 | 004,427,148 | R--- | M] (Swearware) -- C:\Users\dawn\Desktop\ComboFix.exe
[2012/03/05 17:36:32 | 000,080,384 | ---- | M] () -- C:\Users\dawn\Desktop\MBRCheck.exe
[2012/03/05 18:51:25 | 000,584,704 | ---- | M] (OldTimer Tools) -- C:\Users\dawn\Desktop\OTL.exe
[2012/03/04 21:10:08 | 000,302,592 | ---- | M] () -- C:\Users\dawn\Desktop\rs5sw4be (1).exe
[1 C:\Users\dawn\Desktop\*.tmp files -> C:\Users\dawn\Desktop\*.tmp -> ]

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\tasks\*.* >
[2012/03/05 18:33:26 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2012/03/05 18:32:17 | 000,032,644 | ---- | M] () -- C:\Windows\tasks\SCHEDLGU.TXT

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >
[2011/09/23 21:42:51 | 171,855,112 | ---- | M] (MiKTeX.org) -- C:\Users\dawn\basic-miktex-2.9.4250.exe

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >
[2010/10/21 21:38:04 | 000,008,192 | ---- | M] () -- C:\Windows\SECURITY\Database\edb.chk
[2010/10/21 21:37:34 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edb.log
[2009/01/23 10:04:11 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edbres00001.jrs
[2009/01/23 10:04:11 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edbres00002.jrs

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2007/08/30 13:03:15 | 000,000,402 | -HS- | M] () -- C:\Users\dawn\Favorites\desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >
[2009/10/26 22:03:35 | 000,004,100 | ---- | M] () -- C:\ProgramData\34
[2012/03/04 19:21:58 | 000,000,456 | ---- | M] () -- C:\ProgramData\56
[2012/03/04 19:07:22 | 000,000,440 | ---- | M] () -- C:\ProgramData\78
[2011/12/11 14:41:11 | 000,008,888 | -HS- | M] () -- C:\ProgramData\8f34yf7m41b300

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


========== Alternate Data Streams ==========

@Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:359B3BDA

< End of report >

 

[raina]

And here's the "extras" file.

OTL Extras logfile created on: 3/5/2012 6:52:31 PM - Run 1
OTL by OldTimer - Version 3.2.35.1 Folder = C:\Users\dawn\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19190)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

957.76 Mb Total Physical Memory | 360.09 Mb Available Physical Memory | 37.60% Memory free
2.13 Gb Paging File | 1.36 Gb Available in Paging File | 63.80% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 138.96 Gb Total Space | 81.53 Gb Free Space | 58.67% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.56 Gb Free Space | 65.56% Space Free | Partition Type: NTFS

Computer Name: DAWN-PC | User Name: dawn | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3162089250-4011727672-1247853657-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2F2C0E43-3223-45B4-94FC-A953B3F9BD84}" = lport=2869 | protocol=6 | dir=in | app=system |
"{ACD64D14-D8E4-4C11-A23B-E34CD6382C4F}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{D88B32E7-FE3B-4C86-A78A-E0146A0B10A7}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
"{E33359E2-A648-4263-942C-FAA6DC6B7EF2}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{204CD914-855D-4870-8398-72CBCCE2208C}" = dir=in | app=c:\program files\windows live\contacts\wlcomm.exe |
"{3ECE0B71-714E-4382-B7EC-4B3323960979}" = protocol=17 | dir=in | app=c:\users\dawn\appdata\local\temp\7zs367b.tmp\symnrt.exe |
"{5252E98B-7A69-4A71-BECA-60ED7AC911EA}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{BFFC4B1B-2473-488D-BC93-22472B0E29A6}" = protocol=6 | dir=in | app=c:\users\dawn\appdata\local\temp\7zs367b.tmp\symnrt.exe |
"TCP Query User{C43296B7-15F2-4275-9518-DCECA9712D9F}C:\users\dawn\desktop\vadi for awan\mb-core.exe" = protocol=6 | dir=in | app=c:\users\dawn\desktop\vadi for awan\mb-core.exe |
"TCP Query User{E38837DE-4F46-4B3C-9835-5E51037F267B}C:\program files\mushclient\statusbar.exe" = protocol=6 | dir=in | app=c:\program files\mushclient\statusbar.exe |
"TCP Query User{EB321800-31FD-454C-97DE-CE8739AAD8F1}C:\users\dawn\desktop\vadi system 2.1 (with mapper)\mb-core.exe" = protocol=6 | dir=in | app=c:\users\dawn\desktop\vadi system 2.1 (with mapper)\mb-core.exe |
"UDP Query User{82006A95-5F24-4C82-9EFF-BF6971BA8660}C:\users\dawn\desktop\vadi system 2.1 (with mapper)\mb-core.exe" = protocol=17 | dir=in | app=c:\users\dawn\desktop\vadi system 2.1 (with mapper)\mb-core.exe |
"UDP Query User{BA85BE9D-9AEE-4718-B1C5-249839569B3B}C:\users\dawn\desktop\vadi for awan\mb-core.exe" = protocol=17 | dir=in | app=c:\users\dawn\desktop\vadi for awan\mb-core.exe |
"UDP Query User{ECFE7082-504B-41FF-A4BB-0D19938B2B71}C:\program files\mushclient\statusbar.exe" = protocol=17 | dir=in | app=c:\program files\mushclient\statusbar.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{13BA7B44-B712-4DEE-A7B8-1DD564F37AE5}" = Dell System Customization Wizard
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{2656D0AB-9EA4-4C58-A117-635F3CED8B93}" = Microsoft UI Engine
"{26A24AE4-039D-4CA4-87B4-2F83216022F0}" = Java(TM) 6 Update 22
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java(TM) 6 Update 26
"{281ECE39-F043-492B-8337-F2E546B5604A}" = PowerDVD
"{2A3FC24C-6EC0-4519-A52B-FDA4EA9B2D24}" = Windows Live Messenger
"{2C6C74C2-042F-4D36-B7B0-0C538FCF01AB}" = Dell DataSafe Online
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
"{3E25E350-949F-4DB7-8288-2A60E018B4C1}" = Games, Music, & Photos Launcher
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}" = User's Guides
"{5DD4FCBD-A3C1-4155-9E17-4161C70AAABA}" = Segoe UI
"{5E68BB65-4059-4FE5-AAC4-0CD1D79BBDE2}" = EarthLink Setup Files
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{61BEA823-ECAF-49F1-8378-A59B3B8AD247}" = Microsoft Default Manager
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{77F8A71E-3515-4832-B8B2-2F1EDBD2E0F1}" = Bing Bar
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{89CEAE14-DD0F-448E-9554-15781EC9DB24}" = Product Documentation Launcher
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.3
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B8C54AB1-7E1A-40E8-B794-EDB6E8921F3A}" = Dell Support Center
"{BA4DF4C3-196E-4128-969A-00996B5A46F8}" = Canon MP500
"{C6150D8A-86ED-41D3-87BB-F3BB51B0B77F}" = Windows Live ID Sign-in Assistant
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CCFF1E13-77A2-4032-8B12-7566982A27DF}" = Internet Service Offers Launcher
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{D639085F-4B6E-4105-9F37-A0DBB023E2FB}" = Roxio MyDVD DE
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{EFAD4066-CAF3-4B27-9669-12EED352C376}" = NVIDIANetworkDiagnostic
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F63A3748-B93D-4360-9AD4-B064481A5C7B}" = Modem Diagnostic Tool
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 PCI V.92 Modem
"ESET Online Scanner" = ESET Online Scanner v3
"Google Desktop" = Google Desktop
"Heroes of Might and Magic® III" = Heroes of Might and Magic® III Complete
"InstallShield_{EFAD4066-CAF3-4B27-9669-12EED352C376}" = NVIDIANetworkDiagnostic
"jZip" = jZip
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox (3.6.11)" = Mozilla Firefox (3.6.11)
"MP Navigator 2.0" = Canon MP Navigator 2.0
"MUSHclient" = MUSHclient (remove only)
"NVIDIA Drivers" = NVIDIA Drivers
"Winamp" = Winamp
"WinLiveSuite" = Windows Live Essentials

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3162089250-4011727672-1247853657-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"TeXLive2011" = TeX Live 2011
"Winamp Detect" = Winamp Detector Plug-in

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/3/2012 5:18:57 PM | Computer Name = dawn-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.19190, time stamp
0x4ee97b78, faulting module Flash11e.ocx, version 11.1.102.55, time stamp 0x4eaf89fc,
exception code 0xc0000005, fault offset 0x00117408, process id 0xd84, application
start time 0x01ccf9831d722690.

Error - 3/3/2012 5:20:18 PM | Computer Name = dawn-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.19190, time stamp
0x4ee97b78, faulting module Flash11e.ocx, version 11.1.102.55, time stamp 0x4eaf89fc,
exception code 0xc0000005, fault offset 0x00117408, process id 0xfe4, application
start time 0x01ccf983506276e0.

Error - 3/3/2012 5:20:20 PM | Computer Name = dawn-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.19190, time stamp
0x4ee97b78, faulting module Flash11e.ocx, version 11.1.102.55, time stamp 0x4eaf89fc,
exception code 0xc0000005, fault offset 0x00117408, process id 0xb20, application
start time 0x01ccf983544c3430.

Error - 3/3/2012 5:21:17 PM | Computer Name = dawn-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.19190, time stamp
0x4ee97b78, faulting module Flash11e.ocx, version 11.1.102.55, time stamp 0x4eaf89fc,
exception code 0xc0000005, fault offset 0x00117408, process id 0xb14, application
start time 0x01ccf98372f0bf50.

Error - 3/3/2012 5:21:20 PM | Computer Name = dawn-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.19190, time stamp
0x4ee97b78, faulting module Flash11e.ocx, version 11.1.102.55, time stamp 0x4eaf89fc,
exception code 0xc0000005, fault offset 0x00117408, process id 0xce4, application
start time 0x01ccf983723362c0.

Error - 3/3/2012 5:22:05 PM | Computer Name = dawn-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.19190, time stamp
0x4ee97b78, faulting module Flash11e.ocx, version 11.1.102.55, time stamp 0x4eaf89fc,
exception code 0xc0000005, fault offset 0x00117408, process id 0xb7c, application
start time 0x01ccf98395812aa0.

Error - 3/4/2012 12:11:59 AM | Computer Name = dawn-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.19190, time stamp
0x4ee97b78, faulting module mshtml.dll, version 8.0.6001.19190, time stamp 0x4ee9919b,
exception code 0xc0000005, fault offset 0x00383aa5, process id 0xef0, application
start time 0x01ccf9831d856070.

Error - 3/4/2012 10:20:10 PM | Computer Name = dawn-PC | Source = WinDefendRtp | ID = 3003
Description = %%827 Real-Time Protection checkpoint has encountered an error and
failed to start. User: dawn-PC\dawn Checkpoint ID: 27 Error Code: 0x80070005 Error
description: Access is denied.

Error - 3/4/2012 11:22:05 PM | Computer Name = dawn-PC | Source = Application Error | ID = 1000
Description = Faulting application rs5sw4be (1).exe, version 1.0.15.15641, time
stamp 0x4e21f2b1, faulting module rs5sw4be (1).exe, version 1.0.15.15641, time stamp
0x4e21f2b1, exception code 0xc0000005, fault offset 0x0000c676, process id 0x6c0,
application start time 0x01ccfa7e9760c831.

Error - 3/4/2012 11:25:38 PM | Computer Name = dawn-PC | Source = Perflib | ID = 1010
Description =

[ System Events ]
Error - 3/5/2012 10:38:42 AM | Computer Name = dawn-PC | Source = Service Control Manager | ID = 7011
Description =

Error - 3/5/2012 4:29:14 PM | Computer Name = dawn-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 2:26:41 PM on 3/5/2012 was unexpected.

Error - 3/5/2012 4:31:00 PM | Computer Name = dawn-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 3/5/2012 4:31:00 PM | Computer Name = dawn-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 3/5/2012 8:06:02 PM | Computer Name = dawn-PC | Source = Service Control Manager | ID = 7034
Description =

Error - 3/5/2012 8:06:53 PM | Computer Name = dawn-PC | Source = Service Control Manager | ID = 7030
Description =

Error - 3/5/2012 8:13:03 PM | Computer Name = dawn-PC | Source = Service Control Manager | ID = 7030
Description =

Error - 3/5/2012 8:19:59 PM | Computer Name = dawn-PC | Source = Service Control Manager | ID = 7030
Description =

Error - 3/5/2012 8:35:05 PM | Computer Name = dawn-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 3/5/2012 8:35:05 PM | Computer Name = dawn-PC | Source = Service Control Manager | ID = 7026
Description =


< End of report >

 

[Broni]

Good

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  O3 - HKU\S-1-5-21-3162089250-4011727672-1247853657-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 File not found
  O15 - HKU\S-1-5-21-3162089250-4011727672-1247853657-1000\..Trusted Ranges: GD ([http] in Local intranet)
  O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
  [2012/03/04 18:49:58 | 000,000,631 | ---- | M] () -- C:\Users\dawn\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
  [2011/12/11 14:37:08 | 000,008,888 | -HS- | C] () -- C:\Users\dawn\AppData\Local\8f34yf7m41b300
  [2011/12/11 14:37:08 | 000,008,888 | -HS- | C] () -- C:\ProgramData\8f34yf7m41b300
  @Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:359B3BDA
  
  :Commands
  [purity]
  [emptytemp]
  [emptyjava]
  [emptyflash]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.

====================================================================

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it.

• Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.
• Do NOT post JavaRa log.

===================================================================

Last checks...

1. Download Security Check from HERE, and save it to your Desktop.

• Double-click SecurityCheck.exe
• Follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  
  NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.

• Make sure the following options are checked:
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center
  • Windows Update
• Press "Scan".
• It will create a log (FSS.txt) in the same directory the tool is run.
• Please copy and paste the log to your reply.

3. Download Temp File Cleaner (TFC)

• Double click on TFC.exe to run the program.
• Click on Start button to begin cleaning process.
• TFC will close all running programs, and it may ask you to restart computer.

4. Please run a free online scan with the ESET Online Scanner

• Disable your antivirus program
• Tick the box next to YES, I accept the Terms of Use
• Click Start
• Accept any security warnings from your browser.
• Check Scan archives
• Click Start
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, click on List of found threats
• Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• NOTE. If Eset won't find any threats, it won't produce any log.

 

[raina]

I did everything you said. Posting my OTL log, then the Security Check log, then the FSS log, then the ESET log, which found some trojans.

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-3162089250-4011727672-1247853657-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-3162089250-4011727672-1247853657-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\GD\\http deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
C:\Users\dawn\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk moved successfully.
C:\Users\dawn\AppData\Local\8f34yf7m41b300 moved successfully.
C:\ProgramData\8f34yf7m41b300 moved successfully.
ADS C:\ProgramData\TEMP:359B3BDA deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: dawn
->Temp folder emptied: 57559 bytes
->Temporary Internet Files folder emptied: 324497604 bytes
->Java cache emptied: 7887996 bytes
->FireFox cache emptied: 93845352 bytes
->Flash cache emptied: 565977 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 266376 bytes

Total Files Cleaned = 407.00 mb


[EMPTYJAVA]

User: All Users

User: dawn
->Java cache emptied: 0 bytes

User: Default

User: Default User

User: Public

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: All Users

User: dawn
->Flash cache emptied: 0 bytes

User: Default

User: Default User

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.35.1 log created on 03052012_192301

Files\Folders moved on Reboot...
C:\Users\dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XOHNJ7R5\918[1].htm moved successfully.
C:\Users\dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XOHNJ7R5\showthread[1].php moved successfully.
C:\Users\dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\45PB00KR\partner[1].htm moved successfully.
C:\Users\dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Users\dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.

Registry entries deleted on Reboot...

Results of screen317's Security Check version 0.99.24
Windows Vista Service Pack 2 x86
Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
ESET Online Scanner v3
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
Avira successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:
SUPERAntiSpyware
Java(TM) 6 Update 31
Adobe Flash Player ( 10.0.12.36) Flash Player Out of Date!
Mozilla Firefox (3.6.11) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Malwarebytes' Anti-Malware mbamservice.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````End of Log````````````

Farbar Service Scanner Version: 01-03-2012
Ran by dawn (administrator) on 05-03-2012 at 19:49:58
Running from "C:\Users\dawn\Desktop"
Microsoft® Windows Vista™ Home Basic Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

ESET scan:

C:\Qoobox\Quarantine\C\ProgramData\12.exe.vir a variant of Win32/Kryptik.ABXW trojan
C:\Qoobox\Quarantine\C\ProgramData\123.exe.vir a variant of Win32/Kryptik.ABXW trojan

 

[Broni]

Those trojans are in Combofix quarantine folder already.

Update Adobe Flash Player
Download the Latest Adobe Flash for Firefox and IE Without Any Extras: http://www.404techsupport.com/2010/...-flash-for-firefox-and-ie-without-any-extras/

===================================================================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

• Double-click OTL.exe to start the program.
• Close all other programs apart from OTL as this step will require a reboot
• On the OTL main screen, press the CLEANUP button
• Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.

 

[raina]

Hooray!

I've updated Flash and changed my passwords, and run OTL for the log below. I got swamped with work and haven't done any of the other things you suggest yet, but will be doing so in the next couple of days.

The computer's working great.

Thank you so much for all your help!



All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: dawn
->Temp folder emptied: 141099667 bytes
->Temporary Internet Files folder emptied: 87432015 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 7670 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 254946 bytes
RecycleBin emptied: 39938142 bytes

Total Files Cleaned = 256.00 mb


[EMPTYFLASH]

User: All Users

User: dawn
->Flash cache emptied: 0 bytes

User: Default

User: Default User

User: Public

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: All Users

User: dawn
->Java cache emptied: 0 bytes

User: Default

User: Default User

User: Public

Total Java Files Cleaned = 0.00 mb



OTL by OldTimer - Version 3.2.35.1 log created on 03102012_024658

Files\Folders moved on Reboot...
File\Folder C:\Users\dawn\AppData\Local\Temp\svagh.tmp\svagj.tmp not found!
C:\Users\dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZLHIGR6J\c=851_rand=912688301_pv=y_rt=ifr[1].htm moved successfully.
C:\Users\dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JLKJ6W16\918[1].htm moved successfully.
C:\Users\dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JLKJ6W16\ads[1].htm moved successfully.
C:\Users\dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7XB0XY9A\1502798_CON_130104_SYS_NOTEBOOK_XPS13_BA_SPYDER_INTEL_300x250_en[1].html moved successfully.
C:\Users\dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7XB0XY9A\ads[1].htm moved successfully.
C:\Users\dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7XB0XY9A\ads[2].htm moved successfully.
C:\Users\dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7XB0XY9A\download-the-latest-adobe-flash-for-firefox-and-ie-without-any-extras[1].htm moved successfully.
C:\Users\dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7XB0XY9A\newreply[1].htm moved successfully.
C:\Users\dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7XB0XY9A\partner[1].htm moved successfully.
C:\Users\dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Users\dawn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.

Registry entries deleted on Reboot...

 

[Broni]

Way to go!!

Good luck and stay safe