Solved Can't remove this Google redirecting rootkit! Tried it all!!

September 9, 2012 at 15:37:42
Specs: Windows 7
Any and all help would be very much appreciated! I have a Google redirect rootkit that I somehow obtained approximately 3 days ago & I cannot get rid of it for the life of me :( and I have tried everything I can think of.

Checked my HOSTS file : Found nothing
Checked my LAN settings : Fine
Checked my DNS server : It is on the proper setting
Scanned with Malwarebytes : It found nothing
Scanned with Avira : It says it finds trojans, deleted them but I still get redirected
Scanned with TDSSKiller (even expanded the search options) : Found NOTHING
Scanned with CCleaner : Removed a good amount of unnecessary files but still to no avail
Scanned with Combofix : STILL didn't find the problem
Scanned with GMER : Found 3 files, I have no idea how to get rid of them
Scanned with SUPERAntiSpyware : Found and removed 179 infected files, but I still get redirected
Scanned with Hitman Pro : Found nothing
Scanned with Avast Rootkit : Found NO rootkits
Performed a system restore : That did nothing
Scanned with FixTDSS : Found absolutely nothing

What's a girl to do? I've usually been able to fix any security problems my computer faces with a bit of research and time, but I've searched forums upon forums, tried so many methods and I still can't fix this. If anyone knows what I can do it would be greatly appreciated!

My troubled computer is an HP Mini 210-2150NR with Windows 7 Starter.

Thank you for your time






#1
September 9, 2012 at 16:03:57
If it's actually a rootkit, you're not going to get rid of it unless you reinstall Windows.

How To Ask Questions The Smart Way



#2
September 9, 2012 at 16:26:30
How do I go about doing that without a disk drive since I am on a netbook?


#3
September 9, 2012 at 16:42:38
Well, you could try the recovery partition, but there's no guarantee it's clean. You could make a USB thumb drive recovery disk, but that would require a clean PC with Win 7.

How To Ask Questions The Smart Way



#4
September 9, 2012 at 17:02:16
Oh darn, the only working computer in this household is an XP. Thank you very much for the tips.


#5
September 9, 2012 at 17:06:57
You tried all the above, BUT, did you try these in the EXACT order?
1- rkill.exe
2- tdss killer
3- malwarebytes
Don't reboot until after the last scan. If that doesn't do it...try the same....ONLY this time in safe mode with networking.

You also didn't try trojan remover:
http://www.simplysup.com/tremover/d...
Run it till it runs clean

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds



#6
September 9, 2012 at 23:05:36
Interesting. No, I did not perform those in that order. I will give it a try in the morning, perhaps in safe mode, and see how it goes. Thank you for replying.


#7
September 11, 2012 at 19:43:57
Run ESET & post the log please.
http://www.eset.eu/online-scanner
http://www.eset.com/us/online-scanner
Why Would I Ever Need an Online Virus Scanner?
I already have an antivirus program installed, isn't that enough?
http://www.squidoo.com/the-best-fre...
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
How can I view the log file from ESET Online Scanner?
http://www.eset.eu/eset-online-scan...
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start → Run dialog box from the Start Menu on the desktop.


#8
September 13, 2012 at 09:25:57
Those are the 3 I use most often, and in that order.


#9
September 13, 2012 at 14:54:58
trojan remover.
use it now.
best regards.


#10
September 14, 2012 at 07:49:27
Thank you HopperRox! : ) About to try it now.


#11
September 14, 2012 at 07:50:22
Thank you XPUser.


#12
September 14, 2012 at 08:55:30
I tried everything you suggested and in the order you listed XPUser4Real and all the programs found nothing. I'm on safe mode right now and ran everything again and it still didn't find anything. The rootkit is still here. I don't know what to do.

I also ran Trojan Remover and that didn't find anything either. :(



#13
September 14, 2012 at 10:12:27
LilacGlitter, have you tried Spybot S&D? That also finds things that others miss:
http://www.filehippo.com/download_s...

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds



#14
September 14, 2012 at 15:09:09
You are going around in circles. Run ESET & post the log please, as per my first post.


#15
September 15, 2012 at 07:20:44
XpUser4Real : No, I don't think I have yet, so I'll try that today.

Johnw : Yes I definitely am going in circles, I will post the results.

Thank you.



#16
September 19, 2012 at 19:30:02
I apologize for replying so late. I have been trying to download programs for days to no avail until now. I am currently running Spybot's system scan. Fingers crossed that this does the trick.


#17
September 19, 2012 at 19:33:13
"I have been trying to download programs for days to no avail until now"
The infection will do that, download from a good comp onto a thumb drive.


#18
September 21, 2012 at 05:27:45
Thank you. I have FINALLY been able to download Spybot. I selected the option to "Detect Rootkits". The quick scan results did indeed find two files that can be considered rootkits: 1 hidden file in my Windows folder and another in my System folder. Right now I am running a full deep scan, so hopefully this will help me in eradicating the problem. This has been a long post with a lot of back and forth. I appreciate the people who are still giving me guidance on what to do for this situation. : )


#19
September 21, 2012 at 10:15:09


#20
September 21, 2012 at 11:44:43
Thank you XP. Right now I am running a full system scan with Spybot Search & Destroy. I will post the results after I restart my computer.


#21
September 21, 2012 at 16:14:22
you are welcome

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds



#22
September 22, 2012 at 14:17:54
Sadly I still have the rootkit. It does not prevent me from downloading items anymore, but every time I try to click on a link from a Google search, I'm redirected to another page. Am I supposed to close my browser and all other programs while Spybot is scanning?


#23
September 22, 2012 at 14:54:38
I am still waiting on an ESET scan log.

"Scanned with Avira : It says it finds trojans, deleted them but I still get redirected"
Log please.

"Scanned with GMER : Found 3 files I have no idea how to get rid of them"
Log please

"I am running a full system scan with Spybot Search & Destroy"
Log please.



#24
September 22, 2012 at 14:59:34
I apologize, I am actually running the scan now.


#25
September 22, 2012 at 21:23:39
Okay. The scan FINALLY finished. It took over six hours to complete. The ESET Scan found 8 threats and quarantined them. I'm going to turn off my computer for the night and post my logs tomorrow.

Thank you very much.



#26
September 22, 2012 at 23:54:22
Also forgot to ask for this log. Need as many clues as we can get.

"Scanned with Combofix : STILL didnt find the problem"
Log please.

We are in different time zones, it's Sunday afternoon here in Western Australia.



#27
September 23, 2012 at 16:23:58
As you have not got back with the logs, be aware that you are probably not yet clean, ESET was just the start of the cleaning process & remnants left will start to expand & slowly get much deeper into the comp.


#28
September 24, 2012 at 07:45:41
I see. Thank you for that heads up. I will start putting up the logs now. Here is the Malwarebytes log:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.09.04

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Caramel Glamour :: LILAC_ANGEL [administrator]

9/24/2012 9:27:19 AM
mbam-log-2012-09-24 (09-27-19).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 193645
Time elapsed: 12 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



#29
September 24, 2012 at 07:48:16
This is the GMER log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-09-24 09:47:30
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD25 rev.01.0
Running: 6zebhrh3.exe; Driver: C:\Users\CARAME~1\AppData\Local\Temp\pglcaaow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----



#30
September 24, 2012 at 09:49:10
These are the quarantine results from a Spybot scan I did:

[i] 12-09-21 07:16:36 Quarantine: Start purge selected items...
[i] 12-09-21 07:16:36 Quarantine: Purged Babylon.Toolbar: All detected items of product - 2012-09-19 23:44:26
[i] 12-09-21 07:16:36 Quarantine: Purged Babylon.Toolbar: All detected items of product - 2012-09-19 23:43:30
[i] 12-09-21 07:16:36 Quarantine: Finished purge selected items.
[i] 12-09-21 07:16:45 Quarantine: Start purge selected items...
[i] 12-09-21 07:16:45 Quarantine: Purged Cache: All detected items of product - 2012-09-19 23:43:43
[i] 12-09-21 07:16:45 Quarantine: Purged BurstMedia: All detected items of product - 2012-09-19 23:43:38
[i] 12-09-21 07:16:45 Quarantine: Finished purge selected items.
[i] 12-09-21 07:17:03 Quarantine: Start purge selected items...
[i] 12-09-21 07:17:03 Quarantine: Purged IncrediBar: All detected items of product - 2012-09-19 23:43:36
[i] 12-09-21 07:17:03 Quarantine: Purged History: All detected items of product - 2012-09-19 23:43:45
[i] 12-09-21 07:17:03 Quarantine: Purged FastClick: All detected items of product - 2012-09-19 23:43:39
[i] 12-09-21 07:17:03 Quarantine: Purged DoubleClick: All detected items of product - 2012-09-19 23:43:36
[i] 12-09-21 07:17:03 Quarantine: Purged Cookie: All detected items of product - 2012-09-19 23:43:42
[i] 12-09-21 07:17:03 Quarantine: Purged CasaleMedia: All detected items of product - 2012-09-19 23:43:39
[i] 12-09-21 07:17:03 Quarantine: Purged Adobe FlashPlayer Cookies: All detected items of product - 2012-09-19 23:43:40
[i] 12-09-21 07:17:03 Quarantine: Finished purge selected items.
[i] 12-09-21 07:17:25 Quarantine: Start purge selected items...
[i] 12-09-21 07:17:25 Quarantine: Purged W3i.IQ5.fraud: All detected items of product - 2012-09-19 23:44:30
[i] 12-09-21 07:17:25 Quarantine: Purged W3i.IQ5.fraud: All detected items of product - 2012-09-19 23:43:35
[i] 12-09-21 07:17:26 Quarantine: Purged Statcounter: All detected items of product - 2012-09-19 23:43:39
[i] 12-09-21 07:17:26 Quarantine: Purged MediaPlex: All detected items of product - 2012-09-19 23:43:38
[i] 12-09-21 07:17:26 Quarantine: Purged Log: All detected items of product - 2012-09-19 23:44:31
[i] 12-09-21 07:17:26 Quarantine: Purged Log: All detected items of product - 2012-09-19 23:43:40
[i] 12-09-21 07:17:26 Quarantine: Purged Internet Explorer: All detected items of product - 2012-09-19 23:43:40
[i] 12-09-21 07:17:26 Quarantine: Finished purge selected items.
[i] 12-09-21 07:17:42 Quarantine: Start purge selected items...
[i] 12-09-21 07:17:42 Quarantine: Purged Zedo: All detected items of product - 2012-09-19 23:43:38
[i] 12-09-21 07:17:42 Quarantine: Purged WebTrends live: All detected items of product - 2012-09-19 23:43:39
[i] 12-09-21 07:17:42 Quarantine: Finished purge selected items.



#31
September 24, 2012 at 10:24:08
I was not able to find my Combofix log, since I removed the program after I did the scan, but I am able to tell you the list of detections my Avira has quarantined right now.

ADWARE/InstallCore.13.34
ADWARE/InstallCore.13.34
ADWARE/Adware.Gen2
TR/Crpyt.XPACK.Gen
TR/TDss.iszq
TR/ATRAPS.Gen2
TR/ATRAPS.Gen2
TR/ATRAPS.Gen2
EXP/11-3544.FA.1
EXP/CVE-2010-0840.PC
ADSPY/AdSpy.Gen2
TR/Ezula.BD.15
TR/Crypt.XPACK.Gen
TR/PSW.Zbot.Y.872

Thank you so much for your patience.



#32
September 24, 2012 at 15:44:01
"mbam-log-2012-09-24 (09-27-19).txt"

I am talking about your old logs, from your original scans.



#33
September 24, 2012 at 15:47:24
Thank you, our posts crossed, just the ESET log now please & I shall examine what I have.


#34
September 24, 2012 at 16:27:45
✔ Best Answer
There is no quick fix as you have found out, we will have to run more tools, to clear out any remnants.

If any program won't run, let me know. Post the log/logs after each run.
Screenshots ( SS ) may also be requested, or if you want to illustrate a point yourself, use the Uploader below. It can take SS, upload images & files.
If any of the logs are too large, upload them to a site of your choosing or, all can be done with this.
z_o_o_m's File & Image Uploader
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://z-o-o-m.eu/

After each fix or change we make, let me know how the comp is running. Example: Still getting redirected.

1: Run Unhide
http://www.bleepingcomputer.com/vir...
http://download.bleepingcomputer.co...
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run, it does take some time, be patient. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

2: Reboot

3: Run AdwCleaner
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://general-changelog-team.fr/en...
http://www.raymond.cc/blog/adwclean...
Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

4: Run TFC
http://oldtimer.geekstogo.com/TFC.exe
http://www.itxassociates.com/OT-Too...
Please double-click TFC.exe to run it. (Note: If you are running on Vista/Windows 7, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

5: Run OTL by OldTimer – A Modern Replacement for HijackThis
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://www.smokey-services.eu/forum...
http://www.smokey-services.eu/forum...
http://www.geekstogo.com/forum/Malw...
http://oldtimer.geekstogo.com/OTL.exe
http://www.geekstogo.com/1888/otl-b...
Make sure all other windows and applications are closed and to let it run uninterrupted.
Save it to your desktop.
Double click on the icon on your desktop.
# Click the "Scan All Users" checkbox.
# When the window appears, underneath Output at the top change it to Minimal Output.
# Check the boxes beside LOP Check and Purity Check.
# Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
* When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. Post or upload them please.

6: Double check no Combofix files remain, download the latest version & run again. If you didn't do the uninstall as per the instructions, install again, follow the uninstall instructions & reinstall again.
How to Use & Uninstall Combofix
http://www.bleepingcomputer.com/com...
Use this for searching, I have it open all the time.
UltraSearch
http://www.softpedia.com/get/File-m...
http://www.softpedia.com/progScreen...
http://www.jam-software.com/ultrase...

7: Download Combofix from any of these.
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.techsupportforum.com/sec...
http://www.forospyware.com/sUBs/Com...


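As an added example (not code from this thread or from AdwCleaner), a small Python triage script for AdwCleaner [Search] logs of the kind step 3 above produces: it separates the entries that can actually interpose on browser traffic (a service, an AppInit_DLLs load point, a Browser Helper Object, search-provider overrides) from plain toolbar leftovers, and pulls out the hosts the hijacked settings point at. The sample log lines are constructed in AdwCleaner's format, and the severity ranking is this example's own assumption, not an AdwCleaner rating.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of an AdwCleaner v2 [Search] log, trimmed to a
# few representative lines (not the full log posted in the thread).
SAMPLE_LOG = r"""# AdwCleaner v2.003 - Logfile created 09/30/2012 at 11:12:03
# Option [Search]

***** [Services] *****

Found : Browser Manager

***** [Files / Folders] *****

File Found : C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml
Folder Found : C:\ProgramData\Browser Manager

***** [Registry] *****

Data Found : HKLM\..\Windows [AppInit_DLLs] = c:\progra~2\browse~1\22630~1.40\{16cdf~1\browse~1.dll
Key Found : HKCU\Software\BabylonToolbar
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4A99-B4B6-146BF802613B}

***** [Internet Browsers] *****

-\\ Mozilla Firefox v15.0.1 (en-US)

Found : user_pref("browser.search.defaultenginename", "Search the web (Babylon)");
Found : user_pref("keyword.URL", "hxxp://isearch.babylon.com/?babsrc=adbartrp&babsrc=SP_ss");
"""

SECTION_RE = re.compile(r"^\*{5} \[(?P<name>[^\]]+)\] \*{5}$")
FOUND_RE = re.compile(r"^(?:(?P<kind>Data|Key|Value|File|Folder) )?Found : (?P<item>.+)$")
HOST_RE = re.compile(r"hxxps?://([A-Za-z0-9.-]+)")  # AdwCleaner defangs http as hxxp

# Severity is this example's own ranking (an assumption, not AdwCleaner output):
# HIGH   = a load point that runs code in every process, at boot, or inside the browser
# MEDIUM = a setting that redirects searches or new tabs without running foreign code
# LOW    = leftover keys, folders and files of a known toolbar
RULES = [
    ("AppInit_DLLs", "HIGH", "AppInit_DLLs: DLL injected into every process that loads user32.dll"),
    ("Browser Helper Objects", "HIGH", "BHO: runs in-process in Internet Explorer and can rewrite pages"),
    ("SearchScopes", "MEDIUM", "IE search provider registration"),
    ("searchplugins", "MEDIUM", "Firefox search plugin file"),
    ('user_pref("keyword.URL"', "MEDIUM", "Firefox address-bar search override"),
    ('user_pref("browser.search.', "MEDIUM", "Firefox default search engine override"),
    ("HPOnNewTab", "MEDIUM", "Firefox home/new-tab override"),
]

@dataclass
class Finding:
    section: str
    kind: str
    item: str
    severity: str
    reason: str

def classify(section, kind, item):
    # Anything listed under [Services] persists across reboots as a Windows service.
    if section == "Services":
        return "HIGH", "Windows service: starts at boot, before the user logs in"
    for needle, severity, reason in RULES:  # first matching rule wins
        if needle in item:
            return severity, reason
    return "LOW", "toolbar remnant (%s)" % (kind or "entry")

def triage(log_text):
    """Parse an AdwCleaner [Search] log into severity-tagged findings."""
    findings, section = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = FOUND_RE.match(line)
        if not m:
            continue  # header lines, browser banners, blank lines
        kind, item = m.group("kind") or "", m.group("item")
        severity, reason = classify(section, kind, item)
        findings.append(Finding(section, kind, item, severity, reason))
    return findings

def summarize(findings):
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts

def redirect_hosts(findings):
    """Hosts that the hijacked browser settings point at (from defanged URLs)."""
    hosts = set()
    for f in findings:
        hosts.update(HOST_RE.findall(f.item))
    return sorted(hosts)

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    order = ["HIGH", "MEDIUM", "LOW"]
    for f in sorted(found, key=lambda f: order.index(f.severity)):
        print("%-6s %-16s %s" % (f.severity, f.section, f.reason))
        print("       " + f.item)
    print(summarize(found), redirect_hosts(found))
```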

#35
September 25, 2012 at 11:31:21
I see. That's quite a few steps. I will get on it as soon as I am free and shall post the results.

Thank you so much for this. I hope it works.



#36
September 30, 2012 at 12:08:43
OK, I started this process at 10:30am and now I am finally finished! I haven't checked Google yet because I'm a little scared the rootkit will still be there, but I will post all the log results now. Thank you so much for all the help I have been receiving for almost a month now. I hope this works or lets me know where the problem is directly.


#37
September 30, 2012 at 12:10:29
a re-direct should never take this long to be resolved....

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds



#38
September 30, 2012 at 12:14:13
PART 1 OF LOGS

UnHide Log :

Program started at: 09/30/2012 10:43:24 AM
Windows Version: Windows 7

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 171583 files processed.

Processing the D:\ drive
Finished processing the D:\ drive. 79 files processed.

Processing the E:\ drive
Finished processing the E:\ drive. 22 files processed.

Processing the Q:\ drive
Finished processing the Q:\ drive. 0 files processed.

The C:\Users\CARAME~1\AppData\Local\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/for...

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
No registry changes detected.

Restarting Explorer.exe in order to apply changes.

Program finished at: 09/30/2012 10:53:02 AM
Execution time: 0 hours(s), 9 minute(s), and 37 seconds(s)


AdwCleaner Search Log :

# AdwCleaner v2.003 - Logfile created 09/30/2012 at 11:12:03
# Updated 23/09/2012 by Xplode
# Operating system : Windows 7 Starter Service Pack 1 (32 bits)
# User : Caramel Glamour - LILAC_ANGEL
# Boot Mode : Normal
# Running from : C:\Users\Caramel Glamour\Downloads\adwcleaner.exe
# Option [Search]


***** [Services] *****

Found : Browser Manager

***** [Files / Folders] *****

File Found : C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml
File Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Found : C:\user.js
Folder Found : C:\ProgramData\Browser Manager
Folder Found : C:\Users\Caramel Glamour\AppData\LocalLow\BabylonToolbar
Folder Found : C:\Users\Caramel Glamour\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Browser Manager
Folder Found : C:\Users\Caramel Glamour\AppData\Roaming\Mozilla\Firefox\Profiles\lb2jqj4p.default\Smartbar

***** [Registry] *****

Data Found : HKLM\..\Windows [AppInit_DLLs] = c:\progra~2\browse~1\22630~1.40\{16cdf~1\browse~1.dll
Key Found : HKCU\Software\BabylonToolbar
Key Found : HKCU\Software\BrowserMngr
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\DataMngr
Key Found : HKCU\Software\DataMngr_Toolbar
Key Found : HKCU\Software\IM
Key Found : HKCU\Software\ImInstaller
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKLM\Software\Babylon
Key Found : HKLM\Software\BabylonToolbar
Key Found : HKLM\Software\BrowserMngr
Key Found : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Found : HKLM\SOFTWARE\Classes\AppID\{35C1605E-438B-4D64-AAB1-8885F097A9B1}
Key Found : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Found : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Found : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Found : HKLM\SOFTWARE\Classes\b
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}
Key Found : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Found : HKLM\SOFTWARE\Classes\Interface\{44C3C1DB-2127-433C-98EC-4C9412B5FC3A}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4D5132DD-BB2B-4249-B5E0-D145A8C982E1}
Key Found : HKLM\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{8BE10F21-185F-4CA0-B789-9921674C3993}
Key Found : HKLM\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}
Key Found : HKLM\SOFTWARE\Classes\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}
Key Found : HKLM\SOFTWARE\Classes\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}
Key Found : HKLM\SOFTWARE\Classes\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}
Key Found : HKLM\SOFTWARE\Classes\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2878731
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{35C1605E-438B-4D64-AAB1-8885F097A9B1}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Found : HKLM\Software\Conduit
Key Found : HKLM\Software\DataMngr
Key Found : HKLM\Software\Default Tab
Key Found : HKLM\Software\Freeze.com
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Found : HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Found : HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
Value Found : HKCU\Software\Mozilla\Firefox\Extensions [{b64982b1-d112-42b5-b1e4-d3867c4533f8}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v15.0.1 (en-US)

Profile name : default
File : C:\Users\Caramel Glamour\AppData\Roaming\Mozilla\Firefox\Profiles\lb2jqj4p.default\prefs.js

Found : user_pref("browser.babylon.HPOnNewTab", "isearch.babylon.com");
Found : user_pref("browser.search.defaultenginename", "Search the web (Babylon)");
Found : user_pref("browser.search.order.1", "Search the web (Babylon)");
Found : user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
Found : user_pref("extensions.BabylonToolbar_i.babExt", "");
Found : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=110141");
Found : user_pref("extensions.BabylonToolbar_i.hardId", "3204201c0000000000003c4a92cd94a7");
Found : user_pref("extensions.BabylonToolbar_i.id", "3204201c0000000000003c4a92cd94a7");
Found : user_pref("extensions.BabylonToolbar_i.instlDay", "15445");
Found : user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
Found : user_pref("extensions.BabylonToolbar_i.newTab", true);
Found : user_pref("extensions.BabylonToolbar_i.newTabUrl", "hxxp://isearch.babylon.com/?babsrc=NT_ss&mntrId=[...]
Found : user_pref("extensions.BabylonToolbar_i.ovrDmn", "isearch.babylon.com");
Found : user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
Found : user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
Found : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
Found : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
Found : user_pref("extensions.BabylonToolbar_i.tlbrId", "base");
Found : user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
Found : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1718:06:43");
Found : user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");
Found : user_pref("keyword.URL", "hxxp://isearch.babylon.com/?babsrc=adbartrp&babsrc=SP_ss&mntrId=3204201c00[...]

*************************

AdwCleaner[R1].txt - [7628 octets] - [30/09/2012 11:12:03]

########## EOF - C:\AdwCleaner[R1].txt - [7688 octets] ##########


AdwCleaner Deletion Log :

# AdwCleaner v2.003 - Logfile created 09/30/2012 at 11:14:47
# Updated 23/09/2012 by Xplode
# Operating system : Windows 7 Starter Service Pack 1 (32 bits)
# User : Caramel Glamour - LILAC_ANGEL
# Boot Mode : Normal
# Running from : C:\Users\Caramel Glamour\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****

Stopped & Deleted : Browser Manager

***** [Files / Folders] *****

Deleted on reboot : C:\ProgramData\Browser Manager
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Deleted : C:\user.js
Folder Deleted : C:\Users\Caramel Glamour\AppData\LocalLow\BabylonToolbar
Folder Deleted : C:\Users\Caramel Glamour\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Browser Manager
Folder Deleted : C:\Users\Caramel Glamour\AppData\Roaming\Mozilla\Firefox\Profiles\lb2jqj4p.default\Smartbar

***** [Registry] *****

Data Deleted : HKLM\..\Windows [AppInit_DLLs] = c:\progra~2\browse~1\22630~1.40\{16cdf~1\browse~1.dll
Key Deleted : HKCU\Software\BabylonToolbar
Key Deleted : HKCU\Software\BrowserMngr
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\DataMngr
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\Software\BabylonToolbar
Key Deleted : HKLM\Software\BrowserMngr
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{35C1605E-438B-4D64-AAB1-8885F097A9B1}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\b
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{44C3C1DB-2127-433C-98EC-4C9412B5FC3A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4D5132DD-BB2B-4249-B5E0-D145A8C982E1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8BE10F21-185F-4CA0-B789-9921674C3993}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B32672B3-F656-46E0-B584-FE61C0BB6037}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2878731
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{35C1605E-438B-4D64-AAB1-8885F097A9B1}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\Software\Default Tab
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8375D9C8-634F-4ECB-8CF5-C7416BA5D542}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4A99-B4B6-146BF802613B}
Value Deleted : HKCU\Software\Mozilla\Firefox\Extensions [{b64982b1-d112-42b5-b1e4-d3867c4533f8}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\\ Mozilla Firefox v15.0.1 (en-US)

Profile name : default
File : C:\Users\Caramel Glamour\AppData\Roaming\Mozilla\Firefox\Profiles\lb2jqj4p.default\prefs.js

Deleted : user_pref("browser.babylon.HPOnNewTab", "isearch.babylon.com");
Deleted : user_pref("browser.search.defaultenginename", "Search the web (Babylon)");
Deleted : user_pref("browser.search.order.1", "Search the web (Babylon)");
Deleted : user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
Deleted : user_pref("extensions.BabylonToolbar_i.babExt", "");
Deleted : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=110141");
Deleted : user_pref("extensions.BabylonToolbar_i.hardId", "3204201c0000000000003c4a92cd94a7");
Deleted : user_pref("extensions.BabylonToolbar_i.id", "3204201c0000000000003c4a92cd94a7");
Deleted : user_pref("extensions.BabylonToolbar_i.instlDay", "15445");
Deleted : user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
Deleted : user_pref("extensions.BabylonToolbar_i.newTab", true);
Deleted : user_pref("extensions.BabylonToolbar_i.newTabUrl", "hxxp://isearch.babylon.com/?babsrc=NT_ss&mntrId=[...]
Deleted : user_pref("extensions.BabylonToolbar_i.ovrDmn", "isearch.babylon.com");
Deleted : user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
Deleted : user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
Deleted : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
Deleted : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
Deleted : user_pref("extensions.BabylonToolbar_i.tlbrId", "base");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1718:06:43");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");
Deleted : user_pref("keyword.URL", "hxxp://isearch.babylon.com/?babsrc=adbartrp&babsrc=SP_ss&mntrId=3204201c00[...]

*************************

AdwCleaner[R1].txt - [7757 octets] - [30/09/2012 11:12:03]
AdwCleaner[S2].txt - [7707 octets] - [30/09/2012 11:14:47]

########## EOF - C:\AdwCleaner[S2].txt - [7767 octets] ##########


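The AdwCleaner log above shows what a Firefox search hijacker actually has to change: the default engine name, the engine order, keyword.URL and the toolbar's own ovrDmn / newTabUrl branch in prefs.js. The script below is an added example for this thread, not AdwCleaner's logic and not code from the original post. It parses a prefs.js and flags any of those preferences that point somewhere the owner does not trust; TRUSTED_HOSTS and TRUSTED_ENGINES are assumptions for the example and the sample file is constructed, modelled on the prefs listed above with two clean values from the OTL Firefox section mixed in.

```python
"""
Audit a Firefox prefs.js for search / new-tab / homepage hijacking.

Added example for this thread; it is not AdwCleaner's logic and not code from
the original post. TRUSTED_HOSTS and TRUSTED_ENGINES are assumptions for the
example and should be adjusted to the machine being cleaned.
"""
import re

# Preferences a search hijacker has to rewrite (prefix match).
SENSITIVE_PREFIXES = (
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
    "browser.search.order.",
    "browser.startup.homepage",
    "browser.newtab.url",
    "keyword.URL",
)
# Engine display names Firefox 15 (en-US) ships with; assumption for the example.
TRUSTED_ENGINES = {"Google", "Yahoo", "Bing", "Amazon.com", "eBay", "Twitter", "Wikipedia (en)"}
# Registrable domains the owner expects as homepage/search target; assumption for the example.
TRUSTED_HOSTS = {"google.com", "bing.com", "yahoo.com", "mozilla.org", "mozilla.com"}

# user_pref("name", value);   value is a quoted string, true/false or an integer.
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')
# Accept defanged hxxp:// as well, since that is how logs are usually pasted.
URL_RE = re.compile(r'^(?:hxxps?|https?)://([^/:?#]+)', re.IGNORECASE)
# Bare host names such as the ovrDmn value; deliberately loose.
DOMAIN_RE = re.compile(r'^[a-z0-9-]+(?:\.[a-z0-9-]+)+$', re.IGNORECASE)


def parse_prefs(text):
    """Return {name: value} for every user_pref() line; values become str, bool or int."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref()
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[name] = raw[1:-1].replace('\\"', '"')
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def host_of(value):
    """Host of a URL or bare domain, lowercased and without a leading www.; None for plain text."""
    m = URL_RE.match(value)
    host = m.group(1) if m else (value if DOMAIN_RE.match(value) else None)
    if host is None:
        return None
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def base_domain(host):
    """Crude eTLD+1 (last two labels): fine for .com hijackers, wrong for co.uk-style suffixes."""
    return ".".join(host.split(".")[-2:])


def find_hijacks(prefs, trusted_hosts=TRUSTED_HOSTS, trusted_engines=TRUSTED_ENGINES):
    """Return [(pref, value, reason)] for prefs steering search, new tab or homepage somewhere untrusted."""
    findings = []
    for name, value in prefs.items():
        sensitive = name.startswith(SENSITIVE_PREFIXES)
        # Toolbar branches that carry their own override domain / new-tab URL
        # (the extensions.BabylonToolbar_i.* pattern in the log above).
        ext_override = name.startswith("extensions.") and name.endswith((".ovrDmn", ".newTabUrl"))
        if not (sensitive or ext_override) or not isinstance(value, str) or not value:
            continue
        host = host_of(value)
        if host is not None:
            if base_domain(host) not in trusted_hosts:
                findings.append((name, value, f"points at untrusted host {host}"))
        elif name.startswith("browser.search") and value not in trusted_engines:
            findings.append((name, value, "unknown search engine name"))
    return findings


# Constructed sample modelled on the prefs AdwCleaner listed above, with two clean
# prefs from the OTL Firefox section mixed in; not the user's actual file.
SAMPLE_PREFS_JS = r'''
// Mozilla User Preferences
user_pref("browser.search.selectedEngine", "Google");
user_pref("browser.startup.homepage", "http://www.google.com/firefox");
user_pref("browser.search.defaultenginename", "Search the web (Babylon)");
user_pref("browser.search.order.1", "Search the web (Babylon)");
user_pref("extensions.BabylonToolbar_i.newTab", true);
user_pref("extensions.BabylonToolbar_i.newTabUrl", "hxxp://isearch.babylon.com/?babsrc=NT_ss");
user_pref("extensions.BabylonToolbar_i.ovrDmn", "isearch.babylon.com");
user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
user_pref("keyword.URL", "hxxp://isearch.babylon.com/?babsrc=adbartrp");
user_pref("network.proxy.type", 0);
'''

if __name__ == "__main__":
    for pref, value, reason in find_hijacks(parse_prefs(SAMPLE_PREFS_JS)):
        print(f"{pref} = {value!r}: {reason}")
```

Run it against the real file (Profiles\<profile>\prefs.js, and user.js if one exists, since AdwCleaner also deleted a stray C:\user.js) with Firefox closed, because Firefox rewrites prefs.js on exit and would re-persist anything still held in memory. The two clean prefs in the sample come back unflagged; the five Babylon ones are reported.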

#39
September 30, 2012 at 12:19:44
TFC Log :

Getting user folders.

Stopping running processes.

Emptying Temp folders.


User: All Users

User: Caramel Glamour
->Temp folder emptied: 92068 bytes
->Temporary Internet Files folder emptied: 6540122 bytes
->Java cache emptied: 85536082 bytes
->FireFox cache emptied: 1154427955 bytes
->Flash cache emptied: 66419 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56504 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 90746635 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 741 bytes

Emptying RecycleBin. Do not interrupt.

RecycleBin emptied: 0 bytes
Process complete!

Total Files Cleaned = 1,276.00 mb



#40
September 30, 2012 at 12:23:34
PART 3 Of Logs

OTL.Txt Log :

OTL logfile created on: 9/30/2012 11:52:08 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Caramel Glamour\Downloads
Starter Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1011.87 Mb Total Physical Memory | 275.45 Mb Available Physical Memory | 27.22% Memory free
1.99 Gb Paging File | 1.09 Gb Available in Paging File | 54.63% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 214.52 Gb Total Space | 173.04 Gb Free Space | 80.66% Space Free | Partition Type: NTFS
Drive D: | 18.07 Gb Total Space | 2.62 Gb Free Space | 14.49% Space Free | Partition Type: NTFS

Computer Name: LILAC_ANGEL | User Name: Caramel Glamour | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Caramel Glamour\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation)
PRC - C:\Program Files\Hewlett-Packard\HP Support Framework\HPSA_Service.exe (Hewlett-Packard Company)
PRC - C:\Windows\System32\conhost.exe (Microsoft Corporation)
PRC - C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe (Hewlett-Packard Company)
PRC - C:\Program Files\Hewlett-Packard\Shared\hpCaslNotification.exe (Hewlett-Packard Development Company L.P.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\SwSetup\HPQWMM\QuickWeb\QW.SYS\config\DVMExportService.exe (DeviceVM, Inc.)
PRC - C:\Program Files\Roxio\RoxioNow Player\RNowSvc.exe (Roxio)
PRC - C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe (Hewlett-Packard Development Company, L.P.)
PRC - C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe (Hewlett-Packard Development Company, L.P.)
PRC - C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe (Hewlett-Packard Company)
PRC - C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
PRC - C:\Program Files\IDT\WDM\stacsv.exe (IDT, Inc.)
PRC - C:\Program Files\IDT\WDM\AEstSrv.exe (Andrea Electronics Corporation)
PRC - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe (Hewlett-Packard Company)
PRC - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe (Hewlett-Packard Company)
PRC - C:\Program Files\AmIcoSingLun\AmIcoSinglun.exe (Alcor Micro Corp.)
PRC - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Adobe\Reader 9.0\Reader\ViewerPS.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\dfd33f59a5803a3c73cf408362e6e0b7\System.Core.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\06269663e6482bc4ceeb48c2a7d1ad34\IAStorUtil.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\8e56489276063ededde74e597a121df3\PresentationFramework.Aero.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\a501b7960f6c6e2e39162b83f3303aaa\System.Web.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\03dee80574f4ec770b6f77ca030ded6c\System.Runtime.Remoting.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e717a230496832656b05b515eb9f3bc5\PresentationFramework.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\7b7fbe651c6e72f12099a298654c9594\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6bb439b3f87736d3248ae27d43e2c0d6\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\14a87218ea49639f38097e278b98a3da\PresentationCore.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\46fce56db7685a586d3eeb7c373e3c1c\WindowsBase.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\ba3d70b651454c7d49b407b93663bfed\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cfa9c506bfb9254c89dace7b83bc9f9d\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll ()
MOD - C:\Program Files\OpenOffice.org 3\program\libxml2.dll ()
MOD - C:\Program Files\Yahoo!\Messenger\yui.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\hpCASLLibrary\3.0.1.1__67b8d1b5179ba5f8\hpCASLLibrary.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HardwareAccess.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPCommon.XmlSerializers.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_LogicLayer.dll ()


========== Services (SafeList) ==========

SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (SkypeUpdate) -- C:\Program Files\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
SRV - (sftvsa) -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation)
SRV - (sftlist) -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation)
SRV - (HP Support Assistant Service) -- C:\Program Files\Hewlett-Packard\HP Support Framework\HPSA_Service.exe (Hewlett-Packard Company)
SRV - (HPDrvMntSvc.exe) -- C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe (Hewlett-Packard Company)
SRV - (DvmMDES) -- C:\SwSetup\HPQWMM\QuickWeb\QW.SYS\config\DVMExportService.exe (DeviceVM, Inc.)
SRV - (RoxioNow Service) -- C:\Program Files\Roxio\RoxioNow Player\RNowSvc.exe (Roxio)
SRV - (HPWMISVC) -- C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe (Hewlett-Packard Development Company, L.P.)
SRV - (HPClientSvc) -- C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe (Hewlett-Packard Company)
SRV - (STacSV) -- C:\Program Files\IDT\WDM\stacsv.exe (IDT, Inc.)
SRV - (AESTFilters) -- C:\Program Files\IDT\WDM\AEstSrv.exe (Andrea Electronics Corporation)
SRV - (HP Wireless Assistant Service) -- C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe (Hewlett-Packard Company)
SRV - (GameConsoleService) -- C:\Program Files\HP Games\HP Game Console\GameConsoleService.exe (WildTangent, Inc.)
SRV - (IAStorDataMgrSvc) -- C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)


========== Driver Services (SafeList) ==========

DRV - (catchme) -- C:\Users\CARAME~1\AppData\Local\Temp\catchme.sys File not found
DRV - (aswArKrn) -- C:\Users\CARAME~1\AppData\Local\Temp\aswArKrn.sys File not found
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)
DRV - (Sftvol) -- C:\Windows\System32\drivers\Sftvollh.sys (Microsoft Corporation)
DRV - (Sftredir) -- C:\Windows\System32\drivers\Sftredirlh.sys (Microsoft Corporation)
DRV - (Sftplay) -- C:\Windows\System32\drivers\Sftplaylh.sys (Microsoft Corporation)
DRV - (Sftfs) -- C:\Windows\System32\drivers\Sftfslh.sys (Microsoft Corporation)
DRV - (avkmgr) -- C:\Windows\System32\drivers\avkmgr.sys (Avira GmbH)
DRV - (TsUsbFlt) -- C:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV - (STHDA) -- C:\Windows\System32\drivers\stwrt.sys (IDT, Inc.)
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (AmUStor) -- C:\Windows\System32\drivers\AmUStor.sys (Alcor Micro, Corp.)
DRV - (DVMIO) -- C:\Windows\System32\drivers\dvmio.sys (DeviceVM, Inc.)
DRV - (yukonw7) -- C:\Windows\System32\drivers\yk62x86.sys (Marvell)
DRV - (netw5v32) -- C:\Windows\System32\drivers\netw5v32.sys (Intel Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPNOT/1
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}: "URL" = http://search.yahoo.com/search?p={s...
IE - HKLM\..\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3}: "URL" = http://en.wikipedia.org/wiki/Specia...
IE - HKLM\..\SearchScopes\{d944bb61-2e34-4dbf-a683-47e505c587dc}: "URL" = http://rover.ebay.com/rover/1/711-1...
IE - HKLM\..\SearchScopes\{ec29edf6-ad3c-4e1c-a087-d6cb81400c43}: "URL" = http://www.bing.com/search?q={searc...


IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{0169E633-8781-F882-9BC7-7B014AE4DE4E}: "URL" = http://www.bing.com/search?q={searc...
IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}: "URL" = http://search.yahoo.com/search?p={s...
IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3}: "URL" = http://en.wikipedia.org/wiki/Specia...
IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{d944bb61-2e34-4dbf-a683-47e505c587dc}: "URL" = http://rover.ebay.com/rover/1/711-1...
IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{ec29edf6-ad3c-4e1c-a087-d6cb81400c43}: "URL" = http://www.bing.com/search?q={searc...
IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



#41
September 30, 2012 at 12:24:29
PART 4 Of Logs

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/firefox"
FF - prefs.js..extensions.enabledAddons: newtaburl@sogame.cat:2.2.3
FF - prefs.js..extensions.enabledAddons: qbwuqatvdh@qbwuqatvdh.org:2.5
FF - prefs.js..extensions.enabledAddons: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}:6.0.35
FF - prefs.js..extensions.enabledAddons: amznUWL@amazon.com:2.15
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3555.0308: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Musicnotes.com/Musicnotes Viewer: C:\Program Files\Musicnotes\npmusicn.dll (Musicnotes, Inc.)
FF - HKLM\Software\MozillaPlugins\@photoproduct.rocketlife.com/RocketLife App Viewer;version=0.8: File not found
FF - HKLM\Software\MozillaPlugins\@Sibelius.com/Scorch Plugin: C:\Program Files\Musicnotes\npsibelius.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Users\Caramel Glamour\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Users\Caramel Glamour\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Caramel Glamour\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Caramel Glamour\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/09/09 12:33:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/08/19 11:08:37 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Caramel Glamour\AppData\Roaming\Mozilla\Extensions
[2012/09/14 09:38:00 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Caramel Glamour\AppData\Roaming\Mozilla\Firefox\Profiles\lb2jqj4p.default\extensions
[2012/09/14 09:38:06 | 000,000,000 | ---D | M] ("Amazon Toolbar") -- C:\Users\Caramel Glamour\AppData\Roaming\Mozilla\Firefox\Profiles\lb2jqj4p.default\extensions\amznUWL@amazon.com
[2012/09/14 09:37:58 | 000,257,091 | ---- | M] () (No name found) -- C:\Users\Caramel Glamour\AppData\Roaming\Mozilla\Firefox\Profiles\lb2jqj4p.default\extensions\amznUWL@amazon.com.xpi
[2012/06/27 17:11:01 | 000,051,994 | ---- | M] () (No name found) -- C:\Users\Caramel Glamour\AppData\Roaming\Mozilla\Firefox\Profiles\lb2jqj4p.default\extensions\newtaburl@sogame.cat.xpi
[2009/07/13 18:11:12 | 000,004,804 | ---- | M] () (No name found) -- C:\Users\Caramel Glamour\AppData\Roaming\Mozilla\Firefox\Profiles\lb2jqj4p.default\extensions\qbwuqatvdh@qbwuqatvdh.org.xpi
[2012/09/09 12:33:46 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/09/09 11:10:26 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012/09/09 11:10:16 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}
[2012/09/05 20:27:05 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/09/05 20:26:22 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml.old
[2012/09/05 20:26:22 | 000,002,253 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/09/09 12:06:05 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {2EECD738-5844-4a99-B4B6-146BF802613B} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4 - HKLM..\Run: [AmIcoSinglun] C:\Program Files\AmIcoSingLun\AmIcoSinglun.exe (Alcor Micro Corp.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [HP Quick Launch] C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe ()
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000..\Run: [cdloader] C:\Users\Caramel Glamour\AppData\Roaming\mjusbsp\cdloader2.exe (magicJack L.P.)
O4 - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000..\Run: [Spotify] C:\Users\Caramel Glamour\AppData\Roaming\Spotify\Spotify.exe (Spotify Ltd)
O4 - Startup: C:\Users\Caramel Glamour\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/ji... (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/ji... (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/ji... (Java Plug-in 10.7.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9F2100B2-4BA0-4098-812E-1C040B487477}: DhcpNameServer = 8.8.8.8 8.8.4.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D9F1DFA7-FAC4-4AFC-8B1A-8D1D0D8ACE00}: DhcpNameServer = 75.75.75.75 75.75.76.76
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - AppInit_DLLs: (c:\progra~2\browse~1\22630~1.40\{16cdf~1\browse~1.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)


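The OTL section above carries the lines a responder reads first: the O20 AppInit_DLLs value still naming the Browser Manager DLL (file gone, value not yet cleared), the two O2 BHO entries whose CLSID no longer resolves, the O6 policy values showing UAC switched off (EnableLUA = 0, ConsentPromptBehaviorAdmin = 0, PromptOnSecureDesktop = 0), and the O17 DHCP-assigned resolvers. The script below is an added example for this thread, not OTL's logic and not code from the original post. It runs that triage over OTL lines; the severities and the resolver allowlist are assumptions, and the sample lines are a subset copied from the log posted above.

```python
"""
Triage OTL log lines for persistence and policy findings of the kind seen above.

Added example for this thread; it is not OTL's logic and not code from the
original post. Severities and the resolver allowlist are assumptions.
"""
import re

# Values under HKLM\...\policies\System that switch UAC off or weaken it (Windows 7).
UAC_WEAK = {
    "EnableLUA": {"0": "UAC is disabled"},
    "ConsentPromptBehaviorAdmin": {"0": "administrators elevate without any prompt"},
    "PromptOnSecureDesktop": {"0": "elevation prompts do not use the secure desktop"},
}

O20_APPINIT = re.compile(r'^O20 - AppInit_DLLs: \((?P<dlls>[^)]*)\)(?: - (?P<status>.*))?$')
O6_SYSTEM = re.compile(r'^O6 - HKLM\\[^:]+\\policies\\System: (?P<name>\w+) = (?P<value>\S+)$')
O2_BHO = re.compile(r'^O2 - BHO: \((?P<name>.*?)\) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$')
O17_DNS = re.compile(r'^O17 - (?P<key>HKLM\\[^:]+): DhcpNameServer = (?P<servers>.+)$')


def triage_otl(lines, trusted_dns=frozenset()):
    """Return [(severity, category, detail)] for the lines that deserve a second look."""
    findings = []
    for line in lines:
        line = line.rstrip()
        m = O20_APPINIT.match(line)
        if m:
            # AppInit_DLLs is loaded into every process that maps user32.dll while
            # LoadAppInit_DLLs is 1; a stale value still deserves clearing.
            dlls = m.group("dlls").strip()
            if dlls:
                findings.append(("high", "AppInit_DLLs", f"{dlls} ({m.group('status') or 'present'})"))
            continue
        m = O6_SYSTEM.match(line)
        if m:
            reason = UAC_WEAK.get(m.group("name"), {}).get(m.group("value"))
            if reason:
                findings.append(("medium", "UAC policy", f"{m.group('name')} = {m.group('value')}: {reason}"))
            continue
        m = O2_BHO.match(line)
        if m:
            # A BHO registration whose CLSID no longer resolves is a leftover of a removed toolbar.
            if m.group("target").startswith("No CLSID value found"):
                findings.append(("low", "orphan BHO", m.group("clsid")))
            continue
        m = O17_DNS.match(line)
        if m:
            unknown = [s for s in m.group("servers").split() if s not in trusted_dns]
            if unknown:
                findings.append(("info", "DNS resolver", f"{' '.join(unknown)} not in allowlist ({m.group('key')})"))
    return findings


# Lines copied from the OTL log posted above (a subset of the O2, O6, O17 and O20 sections).
SAMPLE_OTL_LINES = r'''
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {2EECD738-5844-4a99-B4B6-146BF802613B} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9F2100B2-4BA0-4098-812E-1C040B487477}: DhcpNameServer = 8.8.8.8 8.8.4.4
O20 - AppInit_DLLs: (c:\progra~2\browse~1\22630~1.40\{16cdf~1\browse~1.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
'''.strip().splitlines()

if __name__ == "__main__":
    # Allowlist is an example: the Google resolvers only, so the ISP pair is reported for review.
    for severity, category, detail in triage_otl(SAMPLE_OTL_LINES, trusted_dns={"8.8.8.8", "8.8.4.4"}):
        print(f"[{severity}] {category}: {detail}")
```

The DNS check reports resolvers rather than judging them: the 75.75.75.75 / 75.75.76.76 pair is whatever the DHCP server handed out, and only the person who knows the network can say whether that is expected, which is why the allowlist is a parameter. The UAC findings are policy state, not malware detections, but with EnableLUA = 0 anything the user runs already runs elevated, so they belong in the same report.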

#42
September 30, 2012 at 12:25:22
PART 5 Of Logs

========== Files/Folders - Created Within 30 Days ==========

[2012/09/30 10:34:50 | 000,000,000 | ---D | C] -- C:\Users\Caramel Glamour\AppData\Local\{24A2C9CD-7850-434C-91A7-153C805C68B3}
[2012/09/26 03:00:46 | 000,245,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\OxpsConverter.exe
[2012/09/24 12:15:19 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/09/24 12:10:35 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/09/24 09:52:58 | 000,000,000 | ---D | C] -- C:\Users\Caramel Glamour\Documents\ProcAlyzer Dumps
[2012/09/23 08:36:26 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2012/09/23 08:36:20 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2012/09/23 08:36:19 | 000,607,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2012/09/23 08:36:19 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2012/09/23 08:36:19 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2012/09/23 08:36:16 | 001,800,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2012/09/23 08:36:16 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2012/09/23 08:36:11 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2012/09/22 17:36:11 | 000,000,000 | ---D | C] -- C:\Users\Caramel Glamour\AppData\Local\{7E45C4D2-02E4-47C8-B1D7-BF253181AA08}
[2012/09/22 16:58:21 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/09/22 09:59:08 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
[2012/09/19 21:21:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2012/09/15 17:37:24 | 000,000,000 | ---D | C] -- C:\Users\Caramel Glamour\AppData\Local\{5805F9EC-9C09-4160-8E30-EA1FCDF26316}
[2012/09/11 20:08:11 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\RNDISMP.sys
[2012/09/11 20:08:04 | 000,240,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\netio.sys
[2012/09/11 20:08:04 | 000,187,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\FWPKCLNT.SYS
[2012/09/11 20:07:57 | 000,490,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10level9.dll
[2012/09/10 21:07:16 | 000,000,000 | ---D | C] -- C:\Users\Caramel Glamour\AppData\Local\{DE55A241-9D66-40B9-A299-B4C211C94D42}
[2012/09/10 01:30:00 | 000,000,000 | ---D | C] -- C:\Users\Caramel Glamour\AppData\Local\{4F069229-B6B6-405B-9FF4-87B0CBE609E9}
[2012/09/09 15:08:16 | 000,000,000 | ---D | C] -- C:\Users\Caramel Glamour\AppData\Roaming\SUPERAntiSpyware.com
[2012/09/09 15:07:59 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2012/09/09 14:36:52 | 000,100,864 | ---- | C] (GMER) -- C:\pglcaaow.sys
[2012/09/09 13:29:37 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/09/09 13:29:18 | 000,821,736 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\npDeployJava1.dll
[2012/09/09 13:29:18 | 000,246,760 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\javaws.exe
[2012/09/09 13:28:54 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\javaw.exe
[2012/09/09 13:28:54 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\java.exe
[2012/09/09 13:28:54 | 000,093,672 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\WindowsAccessBridge.dll
[2012/09/09 12:49:59 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/09/09 12:45:56 | 000,000,000 | ---D | C] -- C:\Windows\TEMP
[2012/09/09 12:33:50 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
[2012/09/09 11:44:05 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/09/09 11:44:05 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/09/09 11:44:05 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/09/09 11:43:42 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/09/09 11:43:10 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012/09/09 10:49:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
[2012/09/09 10:49:33 | 000,000,000 | ---D | C] -- C:\Program Files\HitmanPro
[2012/09/09 10:47:51 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
[2012/09/09 09:59:33 | 000,000,000 | ---D | C] -- C:\Users\Caramel Glamour\AppData\Local\{9B6D9FCC-774E-4D3C-BAB1-77D1BFCD6AC1}
[2012/09/09 09:19:50 | 000,000,000 | ---D | C] -- C:\ProgramData\RegRun
[2012/09/09 09:19:35 | 000,000,000 | ---D | C] -- C:\Users\Caramel Glamour\Documents\RegRun2
[2012/09/09 09:19:24 | 000,000,000 | ---D | C] -- C:\Program Files\UnHackMe
[2012/09/08 20:15:21 | 000,000,000 | ---D | C] -- C:\Users\Caramel Glamour\AppData\Local\{E3209C99-D743-48F5-ABC0-3F56C05A60C9}
[2012/09/08 08:14:44 | 000,000,000 | ---D | C] -- C:\Users\Caramel Glamour\AppData\Local\{022D1BBE-9F14-4870-AE11-88DA45963149}
[2012/09/05 14:52:47 | 000,000,000 | ---D | C] -- C:\Users\Caramel Glamour\AppData\Local\{B29A0C13-EFE8-437D-8887-4674C5C542EE}
[2012/09/05 12:18:36 | 000,000,000 | ---D | C] -- C:\Users\Caramel Glamour\AppData\Local\Macromedia
[2012/09/05 11:01:14 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee
[2012/09/05 10:48:22 | 000,696,520 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2012/09/03 11:18:53 | 000,000,000 | ---D | C] -- C:\Users\Caramel Glamour\AppData\Local\{146BD016-1102-4943-909D-5DE60D61232C}
[2012/09/02 23:07:34 | 000,000,000 | ---D | C] -- C:\Users\Caramel Glamour\AppData\Local\{9206886C-D01D-49C5-A03B-8B5C70314EA9}
[2012/09/01 23:56:42 | 000,000,000 | ---D | C] -- C:\Users\Caramel Glamour\AppData\Local\{320A0DA1-6290-4FA9-918C-0CA85EE6FEB1}
[2012/09/01 14:58:10 | 000,000,000 | ---D | C] -- C:\Users\Caramel Glamour\Documents\My Digital Editions
[2012/09/01 14:58:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe

[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]

[2012/09/30 11:41:02 | 000,014,128 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/09/30 11:41:02 | 000,014,128 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/09/30 11:32:47 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/09/30 11:32:39 | 795,762,688 | -HS- | M] () -- C:\hiberfil.sys
[2012/09/30 11:30:33 | 000,020,946 | ---- | M] () -- C:\Users\Caramel Glamour\Documents\Logs.rtf
[2012/09/30 11:04:03 | 000,000,948 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2956755359-1845293498-3388496615-1000UA.job
[2012/09/30 10:57:52 | 000,624,622 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/09/30 10:57:52 | 000,106,708 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/09/29 18:58:06 | 000,000,360 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForCaramel Glamour.job
[2012/09/29 13:04:04 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2956755359-1845293498-3388496615-1000Core.job
[2012/09/29 10:52:47 | 000,000,221 | ---- | M] () -- C:\Users\Caramel Glamour\AppData\Local\mv_Photo.xml
[2012/09/29 10:52:47 | 000,000,137 | ---- | M] () -- C:\Users\Caramel Glamour\AppData\Local\mv_music.xml
[2012/09/28 08:31:26 | 000,367,208 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/09/24 14:00:13 | 000,031,541 | ---- | M] () -- C:\Users\Caramel Glamour\Documents\In The Still Of The Night in Eb.pdf
[2012/09/24 13:59:52 | 000,004,111 | ---- | M] () -- C:\Users\Caramel Glamour\Documents\In The Still Of The Night.mscz
[2012/09/24 13:53:39 | 000,003,935 | ---- | M] () -- C:\Users\Caramel Glamour\Documents\.In The Still Of The Night.mscz,
[2012/09/24 09:50:06 | 000,003,538 | ---- | M] () -- C:\Users\Caramel Glamour\Documents\Rhythms 1 - 8.mscz
[2012/09/23 13:26:09 | 000,003,309 | ---- | M] () -- C:\Users\Caramel Glamour\Documents\Amazing Grace.mscz
[2012/09/22 09:59:08 | 000,002,016 | ---- | M] () -- C:\Users\Public\Desktop\Avira Control Center.lnk
[2012/09/21 07:11:56 | 000,000,969 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/09/20 13:09:00 | 000,032,493 | ---- | M] () -- C:\Users\Caramel Glamour\Documents\Week 3 Homework Raiders of the Lost Ark.pdf
[2012/09/20 13:06:01 | 000,004,062 | ---- | M] () -- C:\Users\Caramel Glamour\Documents\Raiders Of the Lost Ark.mscz
[2012/09/20 12:41:55 | 000,003,897 | ---- | M] () -- C:\Users\Caramel Glamour\Documents\.Raiders Of the Lost Ark.mscz,
[2012/09/19 23:44:31 | 000,000,113 | ---- | M] () -- C:\Windows\wininit.ini
[2012/09/18 10:15:14 | 032,925,659 | ---- | M] () -- C:\Users\Caramel Glamour\Documents\Private Voice Lesson 2.wma
[2012/09/17 15:56:44 | 000,003,115 | ---- | M] () -- C:\Users\Caramel Glamour\Documents\.Amazing Grace.mscz,
[2012/09/17 11:19:19 | 022,991,516 | ---- | M] () -- C:\Users\Caramel Glamour\Documents\Indiana Jones Theme Song Sheet Music.pdf
[2012/09/11 12:31:59 | 000,004,608 | ---- | M] () -- C:\Users\Caramel Glamour\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/09/10 22:19:35 | 000,002,655 | ---- | M] () -- C:\Users\Caramel Glamour\Documents\Red River Valley.mscz
[2012/09/10 20:52:57 | 000,002,072 | ---- | M] () -- C:\Users\Caramel Glamour\Documents\.Red River Valley.mscz,
[2012/09/10 19:52:58 | 000,013,799 | ---- | M] () -- C:\Users\Caramel Glamour\Documents\Page 309 Part B Week I Theory III.pdf
[2012/09/10 19:52:41 | 000,002,275 | ---- | M] () -- C:\Users\Caramel Glamour\Documents\Page 309 Part B Week I Theory III.mscz
[2012/09/09 16:44:03 | 000,001,152 | ---- | M] () -- C:\Users\Caramel Glamour\Documents\f---in Rootkit.rtf
[2012/09/09 14:36:52 | 000,100,864 | ---- | M] (GMER) -- C:\pglcaaow.sys
[2012/09/09 13:28:38 | 000,093,672 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\WindowsAccessBridge.dll
[2012/09/09 13:28:37 | 000,246,760 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\javaws.exe
[2012/09/09 13:28:37 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\javaw.exe
[2012/09/09 13:28:36 | 000,821,736 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\npDeployJava1.dll
[2012/09/09 13:28:36 | 000,746,984 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\deployJava1.dll
[2012/09/09 13:28:36 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\java.exe
[2012/09/09 12:33:53 | 000,001,092 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/09/09 12:06:05 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/09/06 07:32:45 | 000,001,853 | ---- | M] () -- C:\Users\Caramel Glamour\Documents\Virginia Company.mscz
[2012/09/06 02:20:45 | 000,000,727 | ---- | M] () -- C:\Users\Caramel Glamour\Documents\Virginia Company Lyrics.rtf
[2012/09/06 02:17:00 | 000,001,226 | ---- | M] () -- C:\Users\Caramel Glamour\Documents\Tech II Goals.rtf
[2012/09/05 22:31:17 | 000,006,662 | ---- | M] () -- C:\Users\Caramel Glamour\.recently-used.xbel
[2012/09/05 10:48:22 | 000,696,520 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe

[color=#E56717]========== Files Created - No Company Name ==========[/color]

[2012/09/30 10:59:47 | 000,020,946 | ---- | C] () -- C:\Users\Caramel Glamour\Documents\Logs.rtf
[2012/09/28 08:31:11 | 000,367,208 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/09/24 13:54:05 | 000,031,541 | ---- | C] () -- C:\Users\Caramel Glamour\Documents\In The Still Of The Night in Eb.pdf
[2012/09/24 13:53:38 | 000,004,111 | ---- | C] () -- C:\Users\Caramel Glamour\Documents\In The Still Of The Night.mscz
[2012/09/24 13:53:38 | 000,003,935 | ---- | C] () -- C:\Users\Caramel Glamour\Documents\.In The Still Of The Night.mscz,
[2012/09/23 14:57:35 | 000,003,538 | ---- | C] () -- C:\Users\Caramel Glamour\Documents\Rhythms 1 - 8.mscz
[2012/09/20 13:08:59 | 000,032,493 | ---- | C] () -- C:\Users\Caramel Glamour\Documents\Week 3 Homework Raiders of the Lost Ark.pdf
[2012/09/19 23:44:31 | 000,000,113 | ---- | C] () -- C:\Windows\wininit.ini
[2012/09/18 10:15:14 | 032,925,659 | ---- | C] () -- C:\Users\Caramel Glamour\Documents\Private Voice Lesson 2.wma
[2012/09/17 20:25:51 | 000,004,062 | ---- | C] () -- C:\Users\Caramel Glamour\Documents\Raiders Of the Lost Ark.mscz
[2012/09/17 20:25:51 | 000,003,897 | ---- | C] () -- C:\Users\Caramel Glamour\Documents\.Raiders Of the Lost Ark.mscz,
[2012/09/17 15:01:39 | 000,003,309 | ---- | C] () -- C:\Users\Caramel Glamour\Documents\Amazing Grace.mscz
[2012/09/17 15:01:39 | 000,003,115 | ---- | C] () -- C:\Users\Caramel Glamour\Documents\.Amazing Grace.mscz,
[2012/09/17 11:19:17 | 022,991,516 | ---- | C] () -- C:\Users\Caramel Glamour\Documents\Indiana Jones Theme Song Sheet Music.pdf
[2012/09/11 12:31:55 | 000,004,608 | ---- | C] () -- C:\Users\Caramel Glamour\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/09/10 20:52:56 | 000,002,655 | ---- | C] () -- C:\Users\Caramel Glamour\Documents\Red River Valley.mscz
[2012/09/10 20:52:56 | 000,002,072 | ---- | C] () -- C:\Users\Caramel Glamour\Documents\.Red River Valley.mscz,
[2012/09/10 19:52:53 | 000,013,799 | ---- | C] () -- C:\Users\Caramel Glamour\Documents\Page 309 Part B Week I Theory III.pdf
[2012/09/10 19:52:40 | 000,002,275 | ---- | C] () -- C:\Users\Caramel Glamour\Documents\Page 309 Part B Week I Theory III.mscz
[2012/09/09 15:04:11 | 000,001,152 | ---- | C] () -- C:\Users\Caramel Glamour\Documents\f---in Rootkit.rtf
[2012/09/09 12:33:52 | 000,001,104 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012/09/09 12:33:52 | 000,001,092 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/09/09 11:44:05 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/09/09 11:44:05 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/09/09 11:44:05 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/09/09 11:44:05 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/09/09 11:44:05 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/09/06 07:32:44 | 000,001,853 | ---- | C] () -- C:\Users\Caramel Glamour\Documents\Virginia Company.mscz
[2012/09/06 02:20:44 | 000,000,727 | ---- | C] () -- C:\Users\Caramel Glamour\Documents\Virginia Company Lyrics.rtf
[2012/09/06 02:17:00 | 000,001,226 | ---- | C] () -- C:\Users\Caramel Glamour\Documents\Tech II Goals.rtf
[2012/09/05 22:31:17 | 000,006,662 | ---- | C] () -- C:\Users\Caramel Glamour\.recently-used.xbel
[2012/08/21 01:57:42 | 000,000,017 | ---- | C] () -- C:\Windows\System32\shortcut_ex.dat
[2012/03/16 07:39:44 | 000,000,127 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2011/11/19 12:28:54 | 000,098,304 | ---- | C] () -- C:\Users\Caramel Glamour\fbchathistory.dat
[2011/08/28 15:23:28 | 000,001,849 | ---- | C] () -- C:\Users\Caramel Glamour\AppData\Roaming\GhostObjGAFix.xml
[2011/08/19 11:08:30 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2011/08/19 10:56:28 | 000,000,221 | ---- | C] () -- C:\Users\Caramel Glamour\AppData\Local\mv_Photo.xml
[2011/08/19 10:56:28 | 000,000,137 | ---- | C] () -- C:\Users\Caramel Glamour\AppData\Local\mv_music.xml
[2011/03/05 12:04:09 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2011/03/05 11:59:19 | 000,006,656 | ---- | C] () -- C:\Windows\System32\bcmwlrc.dll
[2011/03/05 11:58:21 | 000,000,292 | ---- | C] () -- C:\Windows\System32\RStoneLog2.ini
[2011/03/05 11:58:21 | 000,000,233 | ---- | C] () -- C:\Windows\System32\RStoneLog.ini
[2010/10/19 18:05:37 | 000,000,188 | ---- | C] () -- C:\Windows\System32\HPWA.ini

[color=#E56717]========== ZeroAccess Check ==========[/color]

[2009/07/13 23:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 23:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 07:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/13 20:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[color=#E56717]========== LOP Check ==========[/color]

[2012/03/16 07:37:05 | 000,000,000 | ---D | M] -- C:\Users\Caramel Glamour\AppData\Roaming\Aps
[2012/09/20 12:11:37 | 000,000,000 | ---D | M] -- C:\Users\Caramel Glamour\AppData\Roaming\Audacity
[2012/03/16 07:36:08 | 000,000,000 | ---D | M] -- C:\Users\Caramel Glamour\AppData\Roaming\Ehdyri
[2011/11/19 11:44:44 | 000,000,000 | ---D | M] -- C:\Users\Caramel Glamour\AppData\Roaming\GetRightToGo
[2012/09/09 11:10:41 | 000,000,000 | ---D | M] -- C:\Users\Caramel Glamour\AppData\Roaming\gtk-2.0
[2012/08/23 20:37:37 | 000,000,000 | ---D | M] -- C:\Users\Caramel Glamour\AppData\Roaming\mjusbsp
[2012/09/09 11:10:42 | 000,000,000 | ---D | M] -- C:\Users\Caramel Glamour\AppData\Roaming\MusE
[2012/02/20 22:40:25 | 000,000,000 | ---D | M] -- C:\Users\Caramel Glamour\AppData\Roaming\Musicnotes
[2012/06/24 03:09:04 | 000,000,000 | ---D | M] -- C:\Users\Caramel Glamour\AppData\Roaming\Nico Mak Computing
[2011/10/02 20:02:45 | 000,000,000 | ---D | M] -- C:\Users\Caramel Glamour\AppData\Roaming\OpenOffice.org
[2012/07/22 00:05:42 | 000,000,000 | ---D | M] -- C:\Users\Caramel Glamour\AppData\Roaming\SoftGrid Client
[2012/09/30 11:33:30 | 000,000,000 | ---D | M] -- C:\Users\Caramel Glamour\AppData\Roaming\Spotify
[2011/11/06 20:37:07 | 000,000,000 | ---D | M] -- C:\Users\Caramel Glamour\AppData\Roaming\TP
[2012/07/27 10:49:38 | 000,000,000 | ---D | M] -- C:\Users\Caramel Glamour\AppData\Roaming\uTorrent
[2012/07/22 21:42:30 | 000,000,000 | ---D | M] -- C:\Users\Caramel Glamour\AppData\Roaming\WildTangent
[2011/09/07 15:53:56 | 000,000,000 | ---D | M] -- C:\Users\Caramel Glamour\AppData\Roaming\Windows Live Writer

[color=#E56717]========== Purity Check ==========[/color]



[color=#E56717]========== Alternate Data Streams ==========[/color]

@Alternate Data Stream - 126 bytes -> C:\ProgramData\Temp:CB0AACC9
<End of Report>


#43
September 30, 2012 at 12:26:29
Part 6 Of Logs

OTL Extras.Txt Log:

OTL Extras logfile created on: 9/30/2012 11:52:08 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Caramel Glamour\Downloads
Starter Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1011.87 Mb Total Physical Memory | 275.45 Mb Available Physical Memory | 27.22% Memory free
1.99 Gb Paging File | 1.09 Gb Available in Paging File | 54.63% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 214.52 Gb Total Space | 173.04 Gb Free Space | 80.66% Space Free | Partition Type: NTFS
Drive D: | 18.07 Gb Total Space | 2.62 Gb Free Space | 14.49% Space Free | Partition Type: NTFS

Computer Name: LILAC_ANGEL | User Name: Caramel Glamour | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

[color=#E56717]========== Extra Registry (SafeList) ==========[/color]


[color=#E56717]========== File Associations ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2956755359-1845293498-3388496615-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[color=#E56717]========== Shell Spawning ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[color=#E56717]========== Security Center Settings ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[color=#E56717]========== System Restore Settings ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[color=#E56717]========== Firewall Settings ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[color=#E56717]========== Authorized Applications List ==========[/color]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


#44
September 30, 2012 at 12:27:45
PART 8 Of Logs

[color=#E56717]========== Vista Active Open Ports Exception List ==========[/color]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0D7BA8AC-11CD-4EE3-AE8B-23DCAA23160C}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
"{3EF95A62-64A5-46F2-A85E-04D7532FA80A}" = lport=8182 | protocol=6 | dir=in | name=java(tm) platform se binary |
"{DFC0A59D-570E-48EE-97FF-88459321A440}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{E1074FE1-B282-4E63-9C63-F000AA6F741A}" = lport=5353 | protocol=17 | dir=in | name=java(tm) platform se binary |

[color=#E56717]========== Vista Active Application Exception List ==========[/color]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{026C8891-9A0B-454B-876D-3ADE55D10CD0}" = protocol=6 | dir=in | app=c:\windows\system32\javaw.exe |
"{1012B497-D8BD-47E4-901B-40EC64601D8C}" = protocol=6 | dir=in | app=c:\progra~1\hewlet~1\hpmedi~1\video\hpvideo.exe |
"{12FC06CF-9604-4E2A-A547-250B0684861F}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{3C41722C-EF44-4C1B-BD1F-6209465F4912}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{44814F84-9B6D-41BF-B1E7-23707D888013}" = protocol=17 | dir=in | app=c:\progra~1\hewlet~1\hpmedi~1\photo\hpphoto.exe |
"{4AF14997-6BFA-4B9D-BB14-F754C3541CC3}" = protocol=17 | dir=in | app=c:\progra~1\hewlet~1\hpmedi~1\music\hpmusic.exe |
"{4DBADAD0-6A13-45F6-88A2-77DCC23C010D}" = protocol=6 | dir=in | app=c:\users\caramel glamour\appdata\roaming\spotify\spotify.exe |
"{6804148B-D687-49C5-B678-28ACF7F970D3}" = protocol=6 | dir=in | app=c:\program files\roxio\roxionow player\rnowshell.exe |
"{8087018D-6196-426C-83A2-908750ADB62D}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{9A0F462F-BF9A-42A0-8463-3356C3DAFFFD}" = protocol=17 | dir=in | app=c:\windows\system32\javaw.exe |
"{A101AD2A-B787-470A-B726-08B32280DBCF}" = protocol=17 | dir=in | app=c:\users\caramel glamour\appdata\roaming\spotify\spotify.exe |
"{A2F733F2-BD59-414D-840B-F3404CB1E3CE}" = protocol=6 | dir=in | app=c:\progra~1\hewlet~1\hpmedi~1\photo\hpphoto.exe |
"{AE86DB12-4A81-4E12-AD7C-4B89421369E4}" = protocol=17 | dir=in | app=c:\progra~1\hewlet~1\hpmedi~1\video\hpvideo.exe |
"{AE9A08FA-A56F-4BAA-9D11-01628EB341F6}" = protocol=17 | dir=in | app=c:\users\caramel glamour\appdata\local\google\google talk plugin\googletalkplugin.exe |
"{B2DB2646-B77C-4516-AA73-F0B8FD1F9A2E}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{C110EE07-948B-4FD6-B294-4D4C4308C701}" = protocol=17 | dir=in | app=c:\program files\roxio\roxionow player\rnowshell.exe |
"{D020D910-CE66-4812-8763-8035F1947842}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{D09C59B9-EF58-4FD2-B603-0592FBA934BD}" = dir=out | app=c:\program files\hewlett-packard\hp clouddrive\zumodrive.exe |
"{D45258E0-3417-4290-B8F7-ACABAF4CB351}" = protocol=6 | dir=in | app=c:\progra~1\hewlet~1\hpmedi~1\music\hpmusic.exe |
"{DCB62B77-067C-440B-A706-D7FEA78D7FB2}" = protocol=6 | dir=in | app=c:\users\caramel glamour\appdata\local\google\google talk plugin\googletalkplugin.exe |
"{F50CC87D-CE59-4624-A15D-502D98395EE8}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{F99BBD32-26D5-4E6E-B01F-5FBC9C70B620}" = dir=in | app=c:\program files\windows live\contacts\wlcomm.exe |
"{FBFA1D0C-AB2D-4655-95F3-0EBC0CC709B8}" = dir=in | app=c:\program files\hewlett-packard\hp clouddrive\zumodrive.exe |
"TCP Query User{1A278AE9-B0B6-47FC-8491-61417052C6EB}C:\users\caramel glamour\appdata\roaming\spotify\spotify.exe" = protocol=6 | dir=in | app=c:\users\caramel glamour\appdata\roaming\spotify\spotify.exe |
"TCP Query User{39B3107F-248F-4345-8E26-A5E00D9D52CB}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"TCP Query User{4C960C6F-EB41-4CA4-AD40-A130982D84C5}C:\windows\system32\taskhost.exe" = protocol=6 | dir=in | app=c:\windows\system32\taskhost.exe |
"TCP Query User{9C395045-A8E5-4A2F-A655-B63D990C9E2D}C:\users\caramel glamour\appdata\roaming\mjusbsp\magicjack.exe" = protocol=6 | dir=in | app=c:\users\caramel glamour\appdata\roaming\mjusbsp\magicjack.exe |
"TCP Query User{CCC739C6-D289-41FD-8767-CBBF0D94D4D2}C:\users\caramel glamour\appdata\roaming\mjusbsp\magicjack.exe" = protocol=6 | dir=in | app=c:\users\caramel glamour\appdata\roaming\mjusbsp\magicjack.exe |
"TCP Query User{DFCCA704-5B33-4F59-9056-B30DC2E9602B}C:\windows\system32\taskhost.exe" = protocol=6 | dir=in | app=c:\windows\system32\taskhost.exe |
"TCP Query User{F215F47A-B1E3-4145-ABDE-5B8F45E848D0}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"UDP Query User{0DCD0EC4-C44E-4133-BD5A-335B52699FE5}C:\windows\system32\taskhost.exe" = protocol=17 | dir=in | app=c:\windows\system32\taskhost.exe |
"UDP Query User{1011584A-BEFC-4598-8E54-EC46D313EF49}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |
"UDP Query User{30921E78-863A-414B-808A-EA97181E75D3}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |
"UDP Query User{3B4A0C1F-90F5-4A61-B0D6-60BC2D8B5B38}C:\users\caramel glamour\appdata\roaming\mjusbsp\magicjack.exe" = protocol=17 | dir=in | app=c:\users\caramel glamour\appdata\roaming\mjusbsp\magicjack.exe |
"UDP Query User{6EAF5311-6A9E-4F7B-B175-6CBFFAD0561F}C:\users\caramel glamour\appdata\roaming\spotify\spotify.exe" = protocol=17 | dir=in | app=c:\users\caramel glamour\appdata\roaming\spotify\spotify.exe |
"UDP Query User{BBDC6AAC-5C89-418B-A79F-DF37C79E89F7}C:\windows\system32\taskhost.exe" = protocol=17 | dir=in | app=c:\windows\system32\taskhost.exe |
"UDP Query User{E387B528-384C-44F7-8619-3B7032D65378}C:\users\caramel glamour\appdata\roaming\mjusbsp\magicjack.exe" = protocol=17 | dir=in | app=c:\users\caramel glamour\appdata\roaming\mjusbsp\magicjack.exe |

[color=#E56717]========== HKEY_LOCAL_MACHINE Uninstall List ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07FA4960-B038-49EB-891B-9F95930AA544}" = HP Customer Experience Enhancements
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0EDEB615-1A60-425E-8306-0E10519C7B55}" = RoxioNow Player
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX320_series" = Canon MX320 series MP Drivers
"{13DCC2C7-454D-42F0-A892-E0E9A5DE4E67}" = HP Wireless Assistant
"{1588DD21-B959-4674-9CF0-4D13B7D75020}" = Alcor Micro USB Card Reader
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{26A24AE4-039D-4CA4-87B4-2F83216022F0}" = Java(TM) 6 Update 22
"{26A24AE4-039D-4CA4-87B4-2F83217007FF}" = Java 7 Update 7
"{2856A1C2-70C5-4EC3-AFF7-E5B51E5530A2}" = HP Client Services
"{2A3FC24C-6EC0-4519-A52B-FDA4EA9B2D24}" = Windows Live Messenger
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{3877C901-7B90-4727-A639-B6ED2DD59D43}" = ESU for Microsoft Windows 7
"{394FA67A-FF0A-4356-BB77-D85E5A300BDE}" = HP QuickWeb Installer
"{3B834B54-EC4B-48E2-BFC6-03FF5DA06F62}" = Adobe Shockwave Player 11.5
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
"{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel(R) Rapid Storage Technology
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"{40C19172-F700-4056-8683-2C64BE3202C8}" = HP QuickSync
"{44B2A0AB-412E-4F8C-B058-D1E8AECCDFF5}" = Recovery Manager
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4F22707C-C8E4-4BC8-881C-FAAB2EF5914B}" = HP HomeBase
"{504CC891-B140-4E1B-860B-5E4C1DFBA9E3}" = Blio
"{53469506-A37E-4314-A9D9-38724EC23A75}" = HP Setup
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{626B5918-B395-4B69-A06B-14C3EB1C3942}" = HP Quick Launch
"{637E8378-C99C-47E1-9DF8-2DC0251BA276}" = HP MovieStore
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6F340107-F9AA-47C6-B54C-C3A19F11553F}" = Hewlett-Packard ACLM.NET v1.1.2.0
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{86E2E2E0-F7DA-457E-893B-1E2F4B00EAD6}_is1" = Fchat 1.2.0
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver For Windows 7
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{9008D736-35CA-40DB-A2BE-5F32D954E5AA}" = HP MovieStore
"{90140000-006D-0409-0000-0000000FF1CE}" = Microsoft Office Click-to-Run 2010
"{90140011-0066-0409-0000-0000000FF1CE}" = Microsoft Office Starter 2010 - English
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9B50678F-3A52-4426-804C-AAA9A731E655}" = HP Software Framework
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{9D87DD24-2400-4920-B51B-E1AFC054941B}" = HP Documentation
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{AC76BA86-7AD7-FFFF-7B44-A91000000001}" = Adobe Reader 9.5.2 MUI
"{AE856388-AFAD-4753-81DF-D96B19D0A17C}" = HP Setup Manager
"{AF306BD8-F9D1-4627-89B9-246E59074A05}" = HP Power Manager
"{AF844339-2F8A-4593-81B3-9F4C54038C4E}" = Windows Live MIME IFilter
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{BD1A34C9-4764-4F79-AE1F-112F8C89D3D4}" = Energy Star Digital Logo
"{C6150D8A-86ED-41D3-87BB-F3BB51B0B77F}" = Windows Live ID Sign-in Assistant
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{CC4D56B7-6F18-470B-8734-ABCD75BCF4F1}" = HP Auto
"{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}" = PlayReady PC Runtime x86
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E52F8D95-AEB5-3B67-879C-C59DF8AF88EE}" = Google Talk Plugin
"{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger
"{E82A57BC-E9B8-42F9-BDC7-4950BD73EA32}_is1" = Pazera Free FLV to AVI Converter 1.5
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.13 (Unicode)
"Avira AntiVir Desktop" = Avira Free Antivirus
"Broadcom 802.11 Wireless LAN Adapter" = Broadcom 802.11 Wireless LAN Adapter
"CCleaner" = CCleaner
"ESET Online Scanner" = ESET Online Scanner v3
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"HP Photo Creations" = HP Photo Creations
"InstallShield_{1588DD21-B959-4674-9CF0-4D13B7D75020}" = Alcor Micro USB Card Reader
"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"LAME for Audacity_is1" = LAME v3.98.3 for Audacity
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox 15.0.1 (x86 en-US)" = Mozilla Firefox 15.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MuseScore" = MuseScore 1.1 MuseScore score typesetter
"Musicnotes Combined Installer_is1" = Musicnotes Software Suite 1.7.0
"My HP Game Console" = HP Game Console
"Office14.Click2Run" = Microsoft Office Click-to-Run 2010
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"uTorrent" = µTorrent
"WildTangent hp Master Uninstall" = HP Games
"WinGimp-2.0_is1" = GIMP 2.6.11
"WinLiveSuite" = Windows Live Essentials
"WT087330" = Bounce Symphony
"WT087361" = FATE
"WT087374" = Jewel Quest - Heritage
"WT087385" = JoJo's Fashion Show
"WT087394" = Penguins!
"WT087396" = Polar Bowler
"WT087408" = Skip-Bo - Castaway Caper
"WT087409" = Tradewinds Legends
"WT087428" = Bejeweled 2 Deluxe
"WT087453" = Chuzzle Deluxe
"WT087467" = Dream Chronicles
"WT087480" = Insaniquarium Deluxe
"WT087485" = Jewel Quest II
"WT087490" = Jewel Quest Solitaire
"WT087495" = Mahjongg Artifacts
"WT087501" = Plants vs. Zombies
"WT087510" = Slingo Deluxe
"WT087513" = Virtual Villagers - The Secret City
"WT087519" = Wedding Dash
"WT087533" = Zuma Deluxe
"WT087536" = Diner Dash 2 Restaurant Rescue
"WT089308" = Blasterball 3
"WT089328" = Farm Frenzy
"WT089359" = Cake Mania
"WT089362" = Agatha Christie - Peril at End House
"Yahoo Messenger Log Viewer_is1" = Yahoo Messenger Log Viewer 2.0
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update
"YTdetect" = Yahoo! Detect
"ZumoDrive" = HP CloudDrive

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2956755359-1845293498-3388496615-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Amazon Kindle" = Amazon Kindle
"magicJack" = magicJack
"Spotify" = Spotify

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 9/9/2012 2:12:19 PM | Computer Name = Lilac_Angel | Source = Windows Search Service | ID = 7042
Description =

Error - 9/9/2012 2:12:19 PM | Computer Name = Lilac_Angel | Source = Windows Search Service | ID = 9002
Description =

Error - 9/9/2012 2:12:19 PM | Computer Name = Lilac_Angel | Source = Windows Search Service | ID = 3029
Description =

Error - 9/9/2012 2:12:19 PM | Computer Name = Lilac_Angel | Source = Windows Search Service | ID = 3029
Description =

Error - 9/9/2012 2:12:19 PM | Computer Name = Lilac_Angel | Source = Windows Search Service | ID = 3028
Description =

Error - 9/9/2012 2:12:19 PM | Computer Name = Lilac_Angel | Source = Windows Search Service | ID = 3058
Description =

Error - 9/9/2012 2:12:19 PM | Computer Name = Lilac_Angel | Source = Windows Search Service | ID = 7010
Description =

Error - 9/9/2012 2:16:02 PM | Computer Name = Lilac_Angel | Source = Avira Antivirus | ID = 4110
Description = An unknown error occurred during init of the engine! Returned error
code: 0x35

Error - 9/21/2012 11:05:30 AM | Computer Name = Lilac_Angel | Source = Application Hang | ID = 1002
Description = The program SDFiles.exe version 2.0.10.130 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 1678 Start
Time: 01cd97f6eff28a31 Termination Time: 279 Application Path: C:\Program Files\Spybot
- Search & Destroy 2\SDFiles.exe Report Id: b56e0a70-03fd-11e2-96a9-3c4a92cd94a7


Error - 9/23/2012 2:25:31 PM | Computer Name = Lilac_Angel | Source = CVHSVC | ID = 100
Description = Information only. (Patch task for {90140011-0066-0409-0000-0000000FF1CE}):
DownloadLatest Failed: There are currently no active network connections. Background
Intelligent Transfer Service (BITS) will try again when an adapter is connected.


[ Hewlett-Packard Events ]
Error - 1/22/2012 11:09:47 PM | Computer Name = Lilac_Angel | Source = HPSF.exe | ID = 4000
Description = HP Error ID: -2146233087 Server stack trace: at System.ServiceModel.Channels.ServiceChannel.Call(String
action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[]
outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String
action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[]
outs) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage
methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage
message) Exception rethrown at [0] Message: The server did not provide a meaningful
reply; this might be caused by a contract mismatch, a premature session shutdown
or an internal server error. StackTrace: Server stack trace: at System.ServiceModel.Channels.ServiceChannel.Call(String
action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[]
outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String
action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[]
outs) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage
methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage
message) Exception rethrown at [0]: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage
reqMsg, IMessage retMsg) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&
msgData, Int32 type) at HP.SupportFramework.Communicator.MessengerComm.IMessengerCommunicator.UpdateTimer()

at HP.SupportAssistant.UI.MessengerCommunication.sendTimerUpdate() Source: mscorlib



#45
September 30, 2012 at 12:28:28
PART 9 Of Logs

Name:
HPSF.exe Version: 06.00.01.01 Path: C:\Program Files\Hewlett-Packard\HP Support Framework\HPSF.exe
Format:
en-US RAM: 1011 Ram Utilization: TargetSite: Void HandleReturnMessage(System.Runtime.Remoting.Messaging.IMessage,
System.Runtime.Remoting.Messaging.IMessage)

Error - 2/5/2012 2:10:46 PM | Computer Name = Lilac_Angel | Source = HPSF.exe | ID = 4000
Description =

Error - 4/8/2012 1:45:00 PM | Computer Name = Lilac_Angel | Source = HPSF.exe | ID = 4000
Description =

Error - 5/27/2012 1:08:37 PM | Computer Name = Lilac_Angel | Source = HPSF.exe | ID = 4000
Description =

Error - 6/10/2012 1:15:04 PM | Computer Name = Lilac_Angel | Source = HPSF.exe | ID = 4000
Description = HP Error ID: -2146233087 Server stack trace: at System.ServiceModel.Channels.ServiceChannel.Call(String
action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[]
outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String
action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[]
outs) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage
methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage
message) Exception rethrown at [0] Message: The server did not provide a meaningful
reply; this might be caused by a contract mismatch, a premature session shutdown
or an internal server error. StackTrace: Server stack trace: at System.ServiceModel.Channels.ServiceChannel.Call(String
action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[]
outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String
action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[]
outs) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage
methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage
message) Exception rethrown at [0]: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage
reqMsg, IMessage retMsg) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&
msgData, Int32 type) at HP.SupportFramework.Communicator.MessengerComm.IMessengerCommunicator.UpdateTimer()

at HP.SupportAssistant.UI.MessengerCommunication.sendTimerUpdate() Source: mscorlib

Name:
HPSF.exe Version: 06.00.01.01 Path: C:\Program Files\Hewlett-Packard\HP Support Framework\HPSF.exe
Format:
en-US RAM: 1011 Ram Utilization: 60 TargetSite: Void HandleReturnMessage(System.Runtime.Remoting.Messaging.IMessage,
System.Runtime.Remoting.Messaging.IMessage)

Error - 7/1/2012 1:56:26 PM | Computer Name = Lilac_Angel | Source = HPSF.exe | ID = 4000
Description =

Error - 7/29/2012 1:57:11 PM | Computer Name = Lilac_Angel | Source = HPSF.exe | ID = 4000
Description =

Error - 7/29/2012 1:57:11 PM | Computer Name = Lilac_Angel | Source = HPSF.exe | ID = 4000
Description =

Error - 9/9/2012 10:57:41 AM | Computer Name = Lilac_Angel | Source = HPSFMsgr.exe | ID = 4000
Description =

Error - 9/16/2012 2:23:17 PM | Computer Name = Lilac_Angel | Source = HPSF.exe | ID = 4000
Description =

[ HP Wireless Assistant Events ]
Error - 8/27/2012 1:30:36 PM | Computer Name = Lilac_Angel | Source = HP WA Service | ID = 0
Description = System.Runtime.InteropServices.COMException Call was canceled by the
message filter. (Exception from HRESULT: 0x80010002 (RPC_E_CALL_CANCELED)) at
System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode,
IntPtr errorInfo) at System.Management.ManagementScope.InitializeGuts(Object
o) at System.Management.ManagementScope.Initialize() at System.Management.ManagementObject.Initialize(Boolean
getObject) at System.Management.ManagementBaseObject.get_Properties() at System.Management.ManagementBaseObject.GetPropertyValue(String
propertyName) at System.Management.ManagementBaseObject.get_Item(String propertyName)

at HPPA_Service.CurrentConfiguration.<ReloadRadioList>b__c()

Error - 8/27/2012 1:33:11 PM | Computer Name = Lilac_Angel | Source = HP WA Service | ID = 0
Description = System.Runtime.InteropServices.COMException The remote procedure call
failed. (Exception from HRESULT: 0x800706BE) at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32
errorCode, IntPtr errorInfo) at System.Management.ManagementObject.Initialize(Boolean
getObject) at System.Management.ManagementBaseObject.get_Properties() at System.Management.ManagementBaseObject.GetPropertyValue(String
propertyName) at System.Management.ManagementBaseObject.get_Item(String propertyName)

at HPPA_Service.CurrentConfiguration.<ReloadRadioList>b__c()

Error - 8/27/2012 1:50:14 PM | Computer Name = Lilac_Angel | Source = HP WA Service | ID = 0
Description = System.Runtime.InteropServices.COMException Call was canceled by the
message filter. (Exception from HRESULT: 0x80010002 (RPC_E_CALL_CANCELED)) at
System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode,
IntPtr errorInfo) at System.Management.ManagementScope.InitializeGuts(Object
o) at System.Management.ManagementScope.Initialize() at System.Management.ManagementObject.Initialize(Boolean
getObject) at System.Management.ManagementBaseObject.get_Properties() at System.Management.ManagementBaseObject.GetPropertyValue(String
propertyName) at System.Management.ManagementBaseObject.get_Item(String propertyName)

at HPPA_Service.CurrentConfiguration.<ReloadRadioList>b__c()

Error - 8/27/2012 1:52:16 PM | Computer Name = Lilac_Angel | Source = HP WA Service | ID = 0
Description = System.Runtime.InteropServices.COMException Call was canceled by the
message filter. (Exception from HRESULT: 0x80010002 (RPC_E_CALL_CANCELED)) at
System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode,
IntPtr errorInfo) at System.Management.ManagementScope.InitializeGuts(Object
o) at System.Management.ManagementScope.Initialize() at System.Management.ManagementObject.Initialize(Boolean
getObject) at System.Management.ManagementBaseObject.get_Properties() at System.Management.ManagementBaseObject.GetPropertyValue(String
propertyName) at System.Management.ManagementBaseObject.get_Item(String propertyName)

at HPPA_Service.CurrentConfiguration.<ReloadRadioList>b__c()

Error - 8/27/2012 1:54:20 PM | Computer Name = Lilac_Angel | Source = HP WA Service | ID = 0
Description = System.Runtime.InteropServices.COMException The remote procedure call
failed. (Exception from HRESULT: 0x800706BE) at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32
errorCode, IntPtr errorInfo) at System.Management.ManagementObject.Initialize(Boolean
getObject) at System.Management.ManagementBaseObject.get_Properties() at System.Management.ManagementBaseObject.GetPropertyValue(String
propertyName) at System.Management.ManagementBaseObject.get_Item(String propertyName)

at HPPA_Service.CurrentConfiguration.<ReloadRadioList>b__c()

Error - 8/27/2012 3:00:09 PM | Computer Name = Lilac_Angel | Source = HP WA Service | ID = 0
Description = System.Exception GetDeviceInfo() failed : 597 at HP_Common.CaslWrapper.GetDeviceInfo(List`1&
radioList) at HPPA_Service.CurrentConfiguration.ReloadRadioList()

Error - 8/27/2012 3:00:23 PM | Computer Name = Lilac_Angel | Source = HP WA Service | ID = 0
Description = System.Exception GetDeviceInfo() failed : 597 at HP_Common.CaslWrapper.GetDeviceInfo(List`1&
radioList) at HPPA_Service.CurrentConfiguration.ReloadRadioList()

Error - 8/27/2012 3:00:26 PM | Computer Name = Lilac_Angel | Source = HP WA Service | ID = 0
Description = System.Exception GetDeviceInfo() failed : 597 at HP_Common.CaslWrapper.GetDeviceInfo(List`1&
radioList) at HPPA_Service.CurrentConfiguration.ReloadRadioList()

Error - 9/3/2012 2:15:58 PM | Computer Name = Lilac_Angel | Source = HP WA Service | ID = 0
Description = System.Runtime.InteropServices.COMException at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32
errorCode, IntPtr errorInfo) at System.Management.ManagementObject.Initialize(Boolean
getObject) at System.Management.ManagementBaseObject.get_Properties() at System.Management.ManagementBaseObject.GetPropertyValue(String
propertyName) at System.Management.ManagementBaseObject.get_Item(String propertyName)

at HPPA_Service.CurrentConfiguration.<ReloadRadioList>b__c()

Error - 9/29/2012 3:38:18 AM | Computer Name = Lilac_Angel | Source = HP WA Service | ID = 0
Description = System.Runtime.InteropServices.COMException at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32
errorCode, IntPtr errorInfo) at System.Management.ManagementObject.Initialize(Boolean
getObject) at System.Management.ManagementBaseObject.get_Properties() at System.Management.ManagementBaseObject.GetPropertyValue(String
propertyName) at System.Management.ManagementBaseObject.get_Item(String propertyName)

at HPPA_Service.CurrentConfiguration.<ReloadRadioList>b__c()

[ System Events ]
Error - 9/29/2012 4:26:13 PM | Computer Name = Lilac_Angel | Source = DCOM | ID = 10010
Description =

Error - 9/30/2012 11:32:45 AM | Computer Name = Lilac_Angel | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cdrom

Error - 9/30/2012 11:56:07 AM | Computer Name = Lilac_Angel | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR2.

Error - 9/30/2012 11:56:08 AM | Computer Name = Lilac_Angel | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR2.

Error - 9/30/2012 11:56:08 AM | Computer Name = Lilac_Angel | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR2.

Error - 9/30/2012 11:56:09 AM | Computer Name = Lilac_Angel | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR2.

Error - 9/30/2012 12:03:25 PM | Computer Name = Lilac_Angel | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cdrom

Error - 9/30/2012 12:17:30 PM | Computer Name = Lilac_Angel | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cdrom

Error - 9/30/2012 12:24:17 PM | Computer Name = Lilac_Angel | Source = Service Control Manager | ID = 7034
Description = The Audio Service service terminated unexpectedly. It has done this
1 time(s).

Error - 9/30/2012 12:33:44 PM | Computer Name = Lilac_Angel | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cdrom
< End of report >



#46
September 30, 2012 at 12:30:38
PART 10 Of Logs

ComboFix 12-09-30.01 - Caramel Glamour 09/30/2012 13:32:46.2.2 - x86
Microsoft Windows 7 Starter 6.1.7601.1.1252.1.1033.18.1012.414 [GMT -5:00]
Running from: c:\users\Caramel Glamour\Downloads\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-08-28 to 2012-09-30 )))))))))))))))))))))))))))))))
.
.
2012-09-30 18:50 . 2012-09-30 18:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-26 08:00 . 2012-08-21 20:12 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
2012-09-22 21:58 . 2012-09-22 21:58 -------- d-----w- c:\program files\ESET
2012-09-20 02:21 . 2012-09-24 14:49 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-09-12 01:08 . 2012-08-22 17:16 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-09-12 01:08 . 2012-07-04 19:45 33280 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2012-09-12 01:08 . 2012-08-22 17:16 1292144 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-09-12 01:08 . 2012-08-22 17:16 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-09-12 01:08 . 2012-08-22 17:16 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-09-12 01:07 . 2012-08-02 16:57 490496 ----a-w- c:\windows\system32\d3d10level9.dll
2012-09-09 20:08 . 2012-09-09 20:08 -------- d-----w- c:\users\Caramel Glamour\AppData\Roaming\SUPERAntiSpyware.com
2012-09-09 20:07 . 2012-09-09 20:07 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-09-09 19:36 . 2012-09-09 19:36 100864 ----a-w- C:\pglcaaow.sys
2012-09-09 18:29 . 2012-09-09 18:29 -------- d-----w- c:\program files\Common Files\Java
2012-09-09 18:29 . 2012-09-09 18:28 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-09 18:28 . 2012-09-09 18:28 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-09 17:49 . 2012-09-09 17:49 -------- d-----w- C:\TDSSKiller_Quarantine
2012-09-09 15:49 . 2012-09-09 16:10 -------- d-----w- c:\program files\HitmanPro
2012-09-09 15:47 . 2012-09-09 15:49 -------- d-----w- c:\programdata\HitmanPro
2012-09-09 14:19 . 2012-09-09 15:22 -------- d-----w- c:\programdata\RegRun
2012-09-09 14:19 . 2012-09-09 16:10 -------- d-----w- c:\program files\UnHackMe
2012-09-05 17:18 . 2012-09-05 17:18 -------- d-----w- c:\users\Caramel Glamour\AppData\Local\Macromedia
2012-09-05 16:01 . 2012-09-05 16:01 -------- d-----w- c:\programdata\McAfee
2012-09-05 15:48 . 2012-09-05 15:48 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-09 18:28 . 2010-10-19 22:59 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-18 16:38 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-07-03 18:46 . 2011-12-29 01:03 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-06 01:27 . 2012-09-09 17:33 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00Zecter]
@="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
[HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
2010-09-23 04:53 754176 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01Zecter]
@="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
[HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
2010-09-23 04:53 754176 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02Zecter]
@="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
[HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
2010-09-23 04:53 754176 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03Zecter]
@="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
[HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
2010-09-23 04:53 754176 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04Zecter]
@="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
[HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
2010-09-23 04:53 754176 ----a-w- c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2011-08-22 6276408]
"Spotify"="c:\users\Caramel Glamour\AppData\Roaming\Spotify\Spotify.exe" [2012-03-08 4008112]
"cdloader"="c:\users\Caramel Glamour\AppData\Roaming\mjusbsp\cdloader2.exe" [2012-02-01 50592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-23 150552]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-07-30 1873192]
"IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-06-08 284696]
"AmIcoSinglun"="c:\program files\AmIcoSingLun\AmIcoSinglun.exe" [2010-06-17 237568]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-08-03 495708]
"HP Quick Launch"="c:\program files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-08-24 584760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-07-21 8192]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-08-08 348664]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\users\Caramel Glamour\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Media Suite.lnk - c:\program files\Hewlett-Packard\HP Media Suite\Home\ArcStart.exe [2010-4-1 91648]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS [x]
R3 aswArKrn;aswArKrn;c:\users\CARAME~1\AppData\Local\Temp\aswArKrn.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [x]
S1 DVMIO;DeviceVM IO Service;c:\windows\system32\DRIVERS\dvmio.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 DvmMDES;DeviceVM Meta Data Export Service;c:\swsetup\HPQWMM\QuickWeb\QW.SYS\config\DVMExportService.exe [x]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [x]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [x]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [x]
S2 HPWMISVC;HPWMISVC;c:\program files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 RoxioNow Service;RoxioNow Service;c:\program files\Roxio\RoxioNow Player\RNowSvc.exe [x]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4FB2407C-C8E4-BBC8-BB1C-FCCB2EF5914B}]
2010-09-03 19:14 715840 ----a-w- c:\program files\Hewlett-Packard\HP Media Suite\Home\HPMediaSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4FB2AA7C-C8E4-BBC8-BB1C-FAAB2EF5914B}]
2009-07-14 01:14 141824 ----a-w- c:\windows\System32\wscript.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2956755359-1845293498-3388496615-1000Core.job
- c:\users\Caramel Glamour\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-02 19:26]
.
2012-09-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2956755359-1845293498-3388496615-1000UA.job
- c:\users\Caramel Glamour\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-02 19:26]
.
2012-09-30 c:\windows\Tasks\HPCeeScheduleForCaramel Glamour.job
- c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\users\Caramel Glamour\AppData\Roaming\Mozilla\Firefox\Profiles\lb2jqj4p.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2740)
c:\program files\Hewlett-Packard\HP CloudDrive\ShellExt.dll
.
Completion time: 2012-09-30 13:55:23
ComboFix-quarantined-files.txt 2012-09-30 18:55
.
Pre-Run: 195,652,849,664 bytes free
Post-Run: 195,608,727,552 bytes free
.
- - End Of File - - 75579DF897B7DFC5FD32886FCB2EA300



#47
September 30, 2012 at 12:33:17
OK that's everything. It's quite a bit but I tried to display it as neatly as possible, stating when each log begins.

Again, thank you so much.



#48
September 30, 2012 at 14:30:49
Yeah. I'm actually starting to get pretty discouraged XPUser. I followed all the steps JohnW asked of me and the rootkit is still here. It only redirects me the first time I click on a link though. Maybe I should just give up.


#49
September 30, 2012 at 18:49:57
" I followed all the steps JohnW asked of me and the rootkit is still here"

Will probably start on your logs later, going out today. In the meantime, run this please.

8: Run RogueKiller
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://majorgeeks.com/RogueKiller_d...
http://www.geekstogo.com/forum/file...
http://www.sur-la-toile.com/RogueKi...
http://www.sur-la-toile.com/RogueKi...
[RogueKiller] Official Tutorial
http://www.geekstogo.com/forum/topi...
•Please quit all programs
•Right-click the RogueKiller file and select "Run as Administrator"
•Press: SCAN
•On the RogueKiller console, click the Registry tab.
•Make sure the entries there are checked.
•Then, press the [Delete] button.
An RKreport (Mode: Delete) is created on the Desktop.
Please provide the RKreport (Mode: Delete) in your reply.
Restart the computer.
After doing the above, see if you have any luck getting to the Repair your computer option.



#50
September 30, 2012 at 18:57:35
9: Also download the latest version & run TDSSKiller again.


#51
September 30, 2012 at 21:29:18
LilacGlitter,
the last thing I can suggest is to maybe physically remove the HD from the troubled PC and slave it to another PC and do some virus scans on it....that may clean out your problem.

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds



#52
October 1, 2012 at 05:15:40
10: Please reopen OTL on your desktop.
Copy and Paste the following code into the Custom Scans/Fixes textbox.
DRV - (catchme) -- C:\Users\CARAME~1\AppData\Local\Temp\catchme.sys File not found
DRV - (aswArKrn) -- C:\Users\CARAME~1\AppData\Local\Temp\aswArKrn.sys File not found
FF - user.js - File not found
FF - HKLM\Software\MozillaPlugins\@photoproduct.rocketlife.com/RocketLife App Viewer;version=0.8: File not found
O20 - AppInit_DLLs: (c:\progra~2\browse~1\22630~1.40\{16cdf~1\browse~1.dll) - File not found
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}: "URL" = http://search.yahoo.com/search?p={s...
IE - HKLM\..\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3}: "URL" = http://en.wikipedia.org/wiki/Specia...
IE - HKLM\..\SearchScopes\{d944bb61-2e34-4dbf-a683-47e505c587dc}: "URL" = http://rover.ebay.com/rover/1/711-1...
IE - HKLM\..\SearchScopes\{ec29edf6-ad3c-4e1c-a087-d6cb81400c43}: "URL" = http://www.bing.com/search?q={searc...
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{0169E633-8781-F882-9BC7-7B014AE4DE4E}: "URL" = http://www.bing.com/search?q={searc...
IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}: "URL" = http://search.yahoo.com/search?p={s...
IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3}: "URL" = http://en.wikipedia.org/wiki/Specia...
IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{d944bb61-2e34-4dbf-a683-47e505c587dc}: "URL" = http://rover.ebay.com/rover/1/711-1...
IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{ec29edf6-ad3c-4e1c-a087-d6cb81400c43}: "URL" = http://www.bing.com/search?q={searc...
FF - prefs.js..extensions.enabledAddons: newtaburl@sogame.cat:2.2.3
FF - prefs.js..extensions.enabledAddons: qbwuqatvdh@qbwuqatvdh.org:2.5
FF - prefs.js..extensions.enabledAddons: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}:6.0.35
FF - prefs.js..extensions.enabledAddons: amznUWL@amazon.com:2.15
IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
Push > Run Fix
OTL may ask to reboot the machine. Please do so if asked.
Click the OK button.
A report will open. Copy and Paste that report in your next reply & of course, tell me how it is running.


#53
October 3, 2012 at 15:30:03
Update. The scan did find a few things, so I deleted them.

Rogue Killer Log :

SSDT[370] : NtTerminateProcess @ 0x81CAABCD -> HOOKED (Unknown @ 0x896E842F)
S_SSDT[585] : Unknown -> HOOKED (Unknown @ 0x896E84B6)
S_SSDT[588] : Unknown -> HOOKED (Unknown @ 0x896E84BB)

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500BEKT-60PVMT0 +++++
--- User ---
[MBR] eb53beafca8741dd571ce6e96d1384cd
[BSP] 4a9cb6a6196639405aaad72ab4ad1fb7 : Windows Vista/7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 219671 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 450295808 | Size: 18500 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: USB Disk +++++
--- User ---
[MBR] ac9cd26537e569ea4d683b9e98376e29
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 101 | Size: 240 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt


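As an added example (not from this thread and not RogueKiller's own code), here is a small Python triage script that reads a RogueKiller-style report like the one in #53 and flags the three things a helper looks at first: SSDT entries hooked by a module the tool cannot name, hosts-file entries that point anywhere other than loopback to localhost, and drives whose MBR boot code was not recognised. The section headings and line layouts are assumed from the report quoted above and may differ between RogueKiller versions; the embedded sample report is constructed (the hook and MBR lines mirror #53, the www.google.com hosts entry is invented to exercise the hosts check).

```python
"""Triage a RogueKiller-style report (added example; not RogueKiller's own code).

Flags: SSDT / Shadow SSDT hooks owned by an unknown module, hosts-file entries
that do not map loopback to localhost, and drives whose MBR code is unknown.
Section headers and line layouts are assumed from the report quoted in #53.
"""
import re
from dataclasses import dataclass

# Constructed sample: hook and MBR lines mirror #53; the www.google.com hosts
# entry is invented (TEST-NET address) so the hosts check has something to catch.
SAMPLE_REPORT = r"""
¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[370] : NtTerminateProcess @ 0x81CAABCD -> HOOKED (Unknown @ 0x896E842F)
S_SSDT[585] : Unknown -> HOOKED (Unknown @ 0x896E84B6)
S_SSDT[588] : Unknown -> HOOKED (Unknown @ 0x896E84BB)

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
203.0.113.7 www.google.com

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500BEKT-60PVMT0 +++++
--- User ---
[MBR] eb53beafca8741dd571ce6e96d1384cd
[BSP] 4a9cb6a6196639405aaad72ab4ad1fb7 : Windows Vista/7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo

+++++ PhysicalDrive1: USB Disk +++++
--- User ---
[MBR] ac9cd26537e569ea4d683b9e98376e29
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
"""

SECTION_RE = re.compile(r"^¤¤¤ (?P<name>.+?):? ¤¤¤$")
HOOK_RE = re.compile(
    r"^(?P<table>S_SSDT|SSDT)\[(?P<index>\d+)\] : (?P<name>\S+)"
    r"(?: @ (?P<orig>0x[0-9A-Fa-f]+))? -> HOOKED \((?P<owner>\S+) @ (?P<target>0x[0-9A-Fa-f]+)\)$"
)
DRIVE_RE = re.compile(r"^\+{5} (?P<drive>PhysicalDrive\d+): (?P<model>.+?) \+{5}$")
BSP_RE = re.compile(r"^\[BSP\] (?P<md5>[0-9a-f]{32}) : (?P<desc>.+)$")
HOSTS_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}|::1)\s+(?P<host>\S+)")

LOOPBACK = {"127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


@dataclass
class Triage:
    hooks: list      # parsed SSDT / Shadow SSDT hook lines
    hosts: list      # (ip, hostname) pairs from the HOSTS section
    drives: list     # one dict per PhysicalDrive in the MBR section
    findings: list   # human-readable items worth a second look


def is_benign_hosts_entry(ip: str, host: str) -> bool:
    """Only loopback -> localhost-style names are treated as benign."""
    return ip in LOOPBACK and host.lower() in LOCAL_NAMES


def triage(report: str) -> Triage:
    section, drive = "", None
    result = Triage([], [], [], [])
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m["name"]
            continue
        if m := HOOK_RE.match(line):
            hook = m.groupdict()
            result.hooks.append(hook)
            # A hook whose owning module the tool cannot name is the classic rootkit sign.
            if hook["owner"] == "Unknown":
                result.findings.append(
                    f"{hook['table']}[{hook['index']}] ({hook['name']}) hooked by "
                    f"an unknown module at {hook['target']}")
            continue
        if section.startswith("HOSTS"):
            if m := HOSTS_RE.match(line):
                entry = (m["ip"], m["host"])
                result.hosts.append(entry)
                if not is_benign_hosts_entry(*entry):
                    result.findings.append(f"hosts file maps {m['host']} to {m['ip']}")
        elif section.startswith("MBR"):
            if m := DRIVE_RE.match(line):
                drive = {"drive": m["drive"], "model": m["model"], "bsp_desc": None}
                result.drives.append(drive)
            elif (m := BSP_RE.match(line)) and drive is not None:
                drive["bsp_desc"], drive["bsp_md5"] = m["desc"], m["md5"]
                if "unknown" in m["desc"].lower():
                    result.findings.append(
                        f"{drive['drive']} ({drive['model']}): boot code not recognised")
    return result


if __name__ == "__main__":
    for item in triage(SAMPLE_REPORT).findings:
        print("-", item)
```

A removable USB stick often carries boot code the tool does not recognise, so the "not recognised" finding on PhysicalDrive1 is expected there; the same finding on the fixed system disk would be the one to chase.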

#54
October 3, 2012 at 15:35:17
Here are the results of the OTL scan. A lot of errors, it seems.

Error: Unable to interpret <DRV - (catchme) -- C:\Users\CARAME~1\AppData\Local\Temp\catchme.sys File not found> in the current context!
Error: Unable to interpret <DRV - (aswArKrn) -- C:\Users\CARAME~1\AppData\Local\Temp\aswArKrn.sys File not found> in the current context!
Error: Unable to interpret <FF - user.js - File not found> in the current context!
Error: Unable to interpret <FF - HKLM\Software\MozillaPlugins\@photoproduct.rocketlife.com/RocketLife App Viewer;version=0.8: File not found> in the current context!
Error: Unable to interpret <O20 - AppInit_DLLs: (c:\progra~2\browse~1\22630~1.40\{16cdf~1\browse~1.dll) - File not found> in the current context!
Error: Unable to interpret <"VistaSp1" = Reg Error: Unknown registry data type -- File not found> in the current context!
Error: Unable to interpret <IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}> in the current context!
Error: Unable to interpret <IE - HKLM\..\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}: "URL" = http://search.yahoo.com/search?p={s...> in the current context!
Error: Unable to interpret <IE - HKLM\..\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3}: "URL" = http://en.wikipedia.org/wiki/Specia...> in the current context!
Error: Unable to interpret <IE - HKLM\..\SearchScopes\{d944bb61-2e34-4dbf-a683-47e505c587dc}: "URL" = http://rover.ebay.com/rover/1/711-1...> in the current context!
Error: Unable to interpret <IE - HKLM\..\SearchScopes\{ec29edf6-ad3c-4e1c-a087-d6cb81400c43}: "URL" = http://www.bing.com/search?q={searc...> in the current context!
Error: Unable to interpret <IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}> in the current context!
Error: Unable to interpret <IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}> in the current context!
Error: Unable to interpret <IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}> in the current context!
Error: Unable to interpret <IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{0169E633-8781-F882-9BC7-7B014AE4DE4E}: "URL" = http://www.bing.com/search?q={searc...> in the current context!
Error: Unable to interpret <IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}: "URL" = http://search.yahoo.com/search?p={s...> in the current context!
Error: Unable to interpret <IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3}: "URL" = http://en.wikipedia.org/wiki/Specia...> in the current context!
Error: Unable to interpret <IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{d944bb61-2e34-4dbf-a683-47e505c587dc}: "URL" = http://rover.ebay.com/rover/1/711-1...> in the current context!
Error: Unable to interpret <IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{ec29edf6-ad3c-4e1c-a087-d6cb81400c43}: "URL" = http://www.bing.com/search?q={searc...> in the current context!
Error: Unable to interpret <FF - prefs.js..extensions.enabledAddons: newtaburl@sogame.cat:2.2.3> in the current context!
Error: Unable to interpret <FF - prefs.js..extensions.enabledAddons: qbwuqatvdh@qbwuqatvdh.org:2.5> in the current context!
Error: Unable to interpret <FF - prefs.js..extensions.enabledAddons: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}:6.0.35> in the current context!
Error: Unable to interpret <FF - prefs.js..extensions.enabledAddons: amznUWL@amazon.com:2.15> in the current context!
Error: Unable to interpret <IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank> in the current context!

OTL by OldTimer - Version 3.2.69.0 log created on 10032012_173353



#55
October 3, 2012 at 15:42:18
Also TDSSKiller still did not find any threats.


#56
October 3, 2012 at 16:45:43
Go back to my post #49

"After doing the above, see if you have any luck getting to the Repair your computer option."

Did you try that after the scan?



#57
October 3, 2012 at 20:12:05
"Repair my computer option" Under which program?


#58
October 3, 2012 at 20:17:24
8: Run RogueKiller, it is the only program in my post #49


#59
October 3, 2012 at 20:28:41
If that repair option is not available, let's move on.

11: Deckard's System Scanner (DSS)
http://download.bleepingcomputer.co...
http://download.bleepingcomputer.co...
Download DDS and save it to your desktop.
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop & post them here please.



#60
October 4, 2012 at 00:20:06
As we remove the infection bit by bit, that may allow the repeat use of programs, which may in turn pick up more.

12: Please download and run ListParts by Farbar (for 32-bit system):
http://download.bleepingcomputer.co...
Unplug/disconnect any external drives, usb etc.
Click on the Scan button.
The scan results will open in Notepad.
Post those results in your next reply.

13: Run aswMBR
http://public.avast.com/~gmerek/asw...
aswMBR is the rootkit scanner that scans for TDL4/3 and MBRoot (Sinowal) rootkits.
How to scan
Download aswMBR.exe to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
Click the "Fix" in case of infection
Important > you need to wait for the tool to report ... Infection fixed successfully
Do not reboot the machine until it has said so.
Save the aswASW.log to the desktop

14: Run Trojan.Zeroaccess Removal Tool
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://www.symantec.com/business/se...

15: Download Security Check by screen317 from one of the following links and save it to your desktop.
http://screen317.spywareinfoforum.o...
http://screen317.changelog.fr/Secur...
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Save it to your Desktop.
* Double click SecurityCheck.exe. If you run Windows Vista or 7, right click and choose 'Run as Administrator'.
o If you are asked by Windows to run this program or not, please click 'Yes' or 'Run'.
o When you see a console window, press any key to continue scanning.
o Wait while it scans.
o If your firewall alerts you of Security Check, please press 'Allow' or similar.
* A Notepad document should open automatically after scan is completed. It will be called checkup.txt; please post the contents of that document.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

16: Run Eset online scan again please.

17: Make sure you have the latest GMER version & run again please.



#61
October 5, 2012 at 18:17:58
OK, I'll get started on this as soon as I can. Thank you so much once again.


#62
October 6, 2012 at 15:09:16
DDS Attach.txt Log :

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Starter
Boot Device: \Device\HarddiskVolume1
Install Date: 8/19/2011 10:17:03 AM
System Uptime: 10/5/2012 2:05:13 PM (27 hours ago)
.
Motherboard: Hewlett-Packard | | 1584
Processor: Intel(R) Atom(TM) CPU N455 @ 1.66GHz | CPU | 1332/667mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 215 GiB total, 177.676 GiB free.
D: is FIXED (NTFS) - 18 GiB total, 2.617 GiB free.
E: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP336: 9/30/2012 1:24:08 PM - ComboFix created restore point
RP337: 10/1/2012 3:00:16 AM - Windows Update
RP338: 10/2/2012 10:20:50 AM - Windows Update
RP339: 10/3/2012 12:45:43 PM - Windows Update
RP340: 10/3/2012 4:50:33 PM - Windows Update
RP341: 10/3/2012 5:22:05 PM - Windows Update
RP342: 10/4/2012 1:51:35 AM - Windows Update
RP343: 10/6/2012 3:00:19 AM - Windows Update
.
==== Installed Programs ======================
.
µTorrent
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Reader 9.5.2 MUI
Adobe Shockwave Player 11.5
Agatha Christie - Peril at End House
Alcor Micro USB Card Reader
Amazon Kindle
Audacity 1.3.13 (Unicode)
Avira Free Antivirus
Bejeweled 2 Deluxe
Blasterball 3
Blio
Bounce Symphony
Broadcom 802.11 Wireless LAN Adapter
Cake Mania
Canon MX320 series MP Drivers
CCleaner
Chuzzle Deluxe
CyberLink DVD Suite
D3DX10
Diner Dash 2 Restaurant Rescue
Dream Chronicles
Energy Star Digital Logo
ESET Online Scanner v3
ESU for Microsoft Windows 7
Farm Frenzy
FATE
Fchat 1.2.0
GIMP 2.6.11
Google Talk Plugin
Hewlett-Packard ACLM.NET v1.1.2.0
HP Auto
HP Client Services
HP CloudDrive
HP Customer Experience Enhancements
HP Documentation
HP Game Console
HP Games
HP HomeBase
HP MovieStore
HP Photo Creations
HP Power Manager
HP Quick Launch
HP QuickSync
HP QuickWeb Installer
HP Setup
HP Setup Manager
HP Software Framework
HP Wireless Assistant
IDT Audio
Insaniquarium Deluxe
Intel(R) Graphics Media Accelerator Driver
Intel(R) Rapid Storage Technology
Java 7 Update 7
Java Auto Updater
Java(TM) 6 Update 22
Jewel Quest - Heritage
Jewel Quest II
Jewel Quest Solitaire
JoJo's Fashion Show
Junk Mail filter update
LAME v3.98.3 for Audacity
magicJack
Mahjongg Artifacts
Malwarebytes Anti-Malware version 1.62.0.1300
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office 2010
Microsoft Office Click-to-Run 2010
Microsoft Office Starter 2010 - English
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft WSE 3.0 Runtime
Mozilla Firefox 15.0.1 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MuseScore 1.1 MuseScore score typesetter
Musicnotes Software Suite 1.7.0
OpenOffice.org 3.3
Pazera Free FLV to AVI Converter 1.5
Penguins!
Plants vs. Zombies
PlayReady PC Runtime x86
Polar Bowler
Power2Go
Realtek Ethernet Controller Driver For Windows 7
Recovery Manager
RoxioNow Player
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Skip-Bo - Castaway Caper
Skype Click to Call
Skype™ 5.10
Slingo Deluxe
Spotify
Synaptics Pointing Device Driver
Tradewinds Legends
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Virtual Villagers - The Secret City
Wedding Dash
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Yahoo Messenger Log Viewer 2.0
Yahoo! Detect

DDS Log :

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.7.2
Run by Caramel Glamour at 17:00:13 on 2012-10-06
Microsoft Windows 7 Starter 6.1.7601.1.1252.1.1033.18.1012.259 [GMT -5:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\IDT\WDM\aestsrv.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\SwSetup\HPQWMM\QuickWeb\QW.SYS\config\DVMExportService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\AmIcoSingLun\AmIcoSinglun.exe
C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files\Roxio\RoxioNow Player\RNowSvc.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
C:\Program Files\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpCaslNotification.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {2EECD738-5844-4a99-B4B6-146BF802613B} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Spotify] "c:\users\caramel glamour\appdata\roaming\spotify\Spotify.exe" /uri spotify:autostart
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [IAStorIcon] c:\program files\intel\intel(r) rapid storage technology\IAStorIcon.exe
mRun: [AmIcoSinglun] c:\program files\amicosinglun\AmIcoSinglun.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [HP Quick Launch] c:\program files\hewlett-packard\hp quick launch\HPMSGSVC.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [HPWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\delayedappstarter.exe 120 c:\program files\hewlett-packard\hp wireless assistant\HPWA_Main.exe /hidden
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\carame~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpmedi~1.lnk - c:\program files\hewlett-packard\hp media suite\home\ArcStart.exe
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{9F2100B2-4BA0-4098-812E-1C040B487477} : DhcpNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{D9F1DFA7-FAC4-4AFC-8B1A-8D1D0D8ACE00} : DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{D9F1DFA7-FAC4-4AFC-8B1A-8D1D0D8ACE00}\3405C475946494 : DhcpNameServer = 206.166.17.20 206.166.83.20
TCP: Interfaces\{D9F1DFA7-FAC4-4AFC-8B1A-8D1D0D8ACE00}\3616C6F5C6962627162797 : DhcpNameServer = 192.168.162.72
TCP: Interfaces\{D9F1DFA7-FAC4-4AFC-8B1A-8D1D0D8ACE00}\642756560284F6374756C6027596D26496 : DhcpNameServer = 10.10.0.1
TCP: Interfaces\{D9F1DFA7-FAC4-4AFC-8B1A-8D1D0D8ACE00}\96261686E6F536F6E666 : DhcpNameServer = 172.16.2.5 172.18.82.11 4.2.2.2
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
mASetup: {4FB2407C-C8E4-BBC8-BB1C-FCCB2EF5914B} - c:\program files\hewlett-packard\hp media suite\home\HPMediaSuite.exe "/installer"
mASetup: {4FB2AA7C-C8E4-BBC8-BB1C-FAAB2EF5914B} - c:\windows\system32\wscript.exe "c:\program files\hewlett-packard\hp media suite\home\PinItem.vbs"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\caramel glamour\appdata\roaming\mozilla\firefox\profiles\lb2jqj4p.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\musicnotes\npmusicn.dll
FF - plugin: c:\program files\musicnotes\NPSibelius.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\caramel glamour\appdata\local\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\users\caramel glamour\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\caramel glamour\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-3-12 36000]
R1 DVMIO;DeviceVM IO Service;c:\windows\system32\drivers\dvmio.sys [2009-11-11 18136]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-3-12 83392]
R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.sys [2010-6-17 27136]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
.
=============== Created Last 30 ================
.
2012-10-03 22:33:07 -------- d-----w- C:\_OTL
2012-10-02 15:23:36 -------- d-----w- c:\users\caramel glamour\appdata\local\{64945BD1-1E16-437C-A243-F01DFEEFDEB3}
2012-10-01 20:29:33 -------- d-----w- c:\users\caramel glamour\appdata\local\{85B5516D-43DA-4CA8-A4AC-E75C29C145A1}
2012-09-30 18:53:46 -------- d-sh--w- C:\$RECYCLE.BIN
2012-09-30 18:29:53 98816 ----a-w- c:\windows\sed.exe
2012-09-30 18:29:53 518144 ----a-w- c:\windows\SWREG.exe
2012-09-30 18:29:53 256000 ----a-w- c:\windows\PEV.exe
2012-09-30 18:29:53 208896 ----a-w- c:\windows\MBR.exe
2012-09-30 15:34:50 -------- d-----w- c:\users\caramel glamour\appdata\local\{24A2C9CD-7850-434C-91A7-153C805C68B3}
2012-09-26 08:00:46 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
2012-09-22 22:36:11 -------- d-----w- c:\users\caramel glamour\appdata\local\{7E45C4D2-02E4-47C8-B1D7-BF253181AA08}
2012-09-22 21:58:21 -------- d-----w- c:\program files\ESET
2012-09-20 02:21:56 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-09-15 22:37:24 -------- d-----w- c:\users\caramel glamour\appdata\local\{5805F9EC-9C09-4160-8E30-EA1FCDF26316}
2012-09-12 01:08:11 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-09-12 01:08:11 33280 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2012-09-12 01:08:05 1292144 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-09-12 01:08:04 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-09-12 01:08:04 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-09-12 01:07:57 490496 ----a-w- c:\windows\system32\d3d10level9.dll
2012-09-11 02:07:16 -------- d-----w- c:\users\caramel glamour\appdata\local\{DE55A241-9D66-40B9-A299-B4C211C94D42}
2012-09-10 06:30:00 -------- d-----w- c:\users\caramel glamour\appdata\local\{4F069229-B6B6-405B-9FF4-87B0CBE609E9}
2012-09-09 20:08:16 -------- d-----w- c:\users\caramel glamour\appdata\roaming\SUPERAntiSpyware.com
2012-09-09 20:07:59 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-09-09 19:36:52 100864 ----a-w- C:\pglcaaow.sys
2012-09-09 18:29:18 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-09 18:28:54 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-09 17:49:59 -------- d-----w- C:\TDSSKiller_Quarantine
2012-09-09 15:49:33 -------- d-----w- c:\program files\HitmanPro
2012-09-09 15:47:51 -------- d-----w- c:\programdata\HitmanPro
2012-09-09 14:59:33 -------- d-----w- c:\users\caramel glamour\appdata\local\{9B6D9FCC-774E-4D3C-BAB1-77D1BFCD6AC1}
2012-09-09 14:19:50 -------- d-----w- c:\programdata\RegRun
2012-09-09 14:19:24 -------- d-----w- c:\program files\UnHackMe
2012-09-09 01:15:21 -------- d-----w- c:\users\caramel glamour\appdata\local\{E3209C99-D743-48F5-ABC0-3F56C05A60C9}
2012-09-08 13:14:44 -------- d-----w- c:\users\caramel glamour\appdata\local\{022D1BBE-9F14-4870-AE11-88DA45963149}
.
==================== Find3M ====================
.
2012-09-09 18:28:36 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-05 15:48:22 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-24 06:59:17 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51:27 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51:02 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47:26 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47:12 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43:58 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-07-18 16:38:06 152576 ----a-w- c:\windows\system32\msclmd.dll
.
============= FINISH: 17:03:38.28 ===============


#63
October 6, 2012 at 15:14:13
ListParts Log :

ListParts by Farbar Version: 02-10-2012
Ran by Caramel Glamour (administrator) on 06-10-2012 at 17:11:19
Windows 7 (X86)
Running From: C:\Users\Caramel Glamour\Downloads
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 74%
Total physical RAM: 1011.87 MB
Available physical RAM: 254.06 MB
Total Pagefile: 2475.2 MB
Available Pagefile: 1058.41 MB
Total Virtual: 2047.88 MB
Available Virtual: 1957.67 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:214.52 GB) (Free:177.66 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (RECOVERY) (Fixed) (Total:18.07 GB) (Free:2.62 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 103 MB

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 214 GB 200 MB
Partition 3 Primary 18 GB 214 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 SYSTEM NTFS Partition 199 MB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 214 GB Healthy Boot

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D RECOVERY NTFS Partition 18 GB Healthy

======================================================================================================

****** End Of Log ******


#64
October 7, 2012 at 01:06:17
18: Please reopen OTL on your desktop.
Copy and Paste the following code into the Custom Scans/Fixes textbox.
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {2EECD738-5844-4a99-B4B6-146BF802613B} - No CLSID value found.

Push > Run Fix
OTL may ask to reboot the machine. Please do so if asked.
Click the OK button.
A report will open. Copy and Paste that report in your next reply & of course, tell me how it is running.

Still waiting on > 8: Run RogueKiller ( this is the 3rd time I have asked )

Still waiting on > 13: Run aswMBR

Still waiting on > 16: Run Eset online scan again please.

Still waiting on > 17: Make sure you have the latest GMER version & run again please.

"12: Please download and run ListParts by Farbar (for 32-bit system)" Good result > NO HIDDEN PARTITIONS.


#65
October 7, 2012 at 19:48:47
Updated OTL Log :

Error: Unable to interpret <O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.> in the current context!

Error: Unable to interpret <O2 - BHO: (no name) - {2EECD738-5844-4a99-B4B6-146BF802613B} - No CLSID value found.> in the current context!

OTL by OldTimer - Version 3.2.69.0 log created on 10072012_214821



#66
October 7, 2012 at 19:54:16
Rogue Killer Log : (I saved the log but somehow forgot to post it here I apologize)

SSDT[370] : NtTerminateProcess @ 0x81CAABCD -> HOOKED (Unknown @ 0x896E842F)
S_SSDT[585] : Unknown -> HOOKED (Unknown @ 0x896E84B6)
S_SSDT[588] : Unknown -> HOOKED (Unknown @ 0x896E84BB)

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500BEKT-60PVMT0 +++++
--- User ---
[MBR] eb53beafca8741dd571ce6e96d1384cd
[BSP] 4a9cb6a6196639405aaad72ab4ad1fb7 : Windows Vista/7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 219671 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 450295808 | Size: 18500 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: USB Disk +++++
--- User ---
[MBR] ac9cd26537e569ea4d683b9e98376e29
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 101 | Size: 240 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt


#67
October 7, 2012 at 19:58:35
GMER Log :

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-10-07 21:57:51
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD25 rev.01.0
Running: zvrqbx0n.exe; Driver: C:\Users\CARAME~1\AppData\Local\Temp\pglcaaow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


#68
October 7, 2012 at 21:04:16
aswMBR Log :

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-10-07 23:01:19
-----------------------------
23:01:19.815 OS Version: Windows 6.1.7601 Service Pack 1
23:01:19.815 Number of processors: 2 586 0x1C0A
23:01:19.830 ComputerName: LILAC_ANGEL UserName:
23:01:20.826 Initialize success
23:01:38.795 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
23:01:38.809 Disk 0 Vendor: WDC_WD25 01.0 Size: 238475MB BusType: 3
23:01:38.839 Disk 0 MBR read successfully
23:01:38.851 Disk 0 MBR scan
23:01:38.867 Disk 0 unknown MBR code
23:01:38.890 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
23:01:38.917 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 219671 MB offset 409600
23:01:38.967 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 18500 MB offset 450295808
23:01:38.995 Disk 0 scanning sectors +488183808
23:01:39.103 Disk 0 scanning C:\Windows\system32\drivers
23:01:49.227 Service scanning
23:02:04.350 Modules scanning
23:02:10.894 Disk 0 trace - called modules:
23:02:10.977 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys halmacpi.dll
23:02:11.408 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85acb030]
23:02:11.445 3 CLASSPNP.SYS[867ba59e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x83ffc028]
23:02:11.481 Scan finished successfully
23:02:32.256 Disk 0 MBR has been saved successfully to "C:\Users\Caramel Glamour\Downloads\MBR.dat"
23:02:32.323 The log file has been saved successfully to "C:\Users\Caramel Glamour\Downloads\aswMBR.txt"




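The three partition listings above (ListParts in #63, RogueKiller's MBR check in #66 and aswMBR in #68) describe the same three-entry table, and the "NO HIDDEN PARTITIONS" verdict rests on those entries tiling the disk with no unexplained space between or after them. The script below, added here as an example and not code from any of those tools, performs that cross-check: it walks the entries in LBA order and reports overlaps, gaps, trailing unallocated space, and how many entries carry the active flag. The sample table is constructed from the Disk 0 numbers the tools printed (offsets in 512-byte sectors, sizes in whole MB); `Partition`, `check_layout` and `next_scan_start` are this example's own names.

```python
"""Cross-check an MBR partition table for overlaps, gaps and trailing free space.

Added example for this thread; it is not code from ListParts, RogueKiller or
aswMBR. The sample table is constructed from the Disk 0 values those three
tools reported (offsets in 512-byte sectors, sizes in whole MB as the tools
print them); Partition, check_layout and next_scan_start are this example's
own names.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SECTOR_BYTES = 512
SECTORS_PER_MB = (1024 * 1024) // SECTOR_BYTES   # 2048 sectors per MB

# Partition type bytes we expect to see on a consumer disk (constructed list).
KNOWN_TYPES = {0x07, 0x0B, 0x0C, 0x0F, 0x82, 0x83}


@dataclass(frozen=True)
class Partition:
    index: int
    type_code: int        # MBR partition type byte; 0x07 is NTFS/HPFS
    active: bool          # boot flag 0x80
    offset_sectors: int   # LBA of the first sector
    size_mb: int          # size as the tools print it, rounded to whole MB

    @property
    def end_sector(self) -> int:
        """First sector after this partition."""
        return self.offset_sectors + self.size_mb * SECTORS_PER_MB


def check_layout(parts: List[Partition], disk_size_mb: int) -> Dict[str, object]:
    """Walk the entries in LBA order and report what a bootkit hunt cares about:
    overlapping entries, unallocated gaps between entries, unallocated space
    after the last entry, entries with unexpected type bytes, and which entries
    carry the active flag (there should be exactly one)."""
    disk_sectors = disk_size_mb * SECTORS_PER_MB
    ordered = sorted(parts, key=lambda p: p.offset_sectors)
    overlaps: List[Tuple[int, int]] = []
    gaps: List[Tuple[int, int]] = []   # (first unallocated sector, length in sectors)
    prev = None
    prev_end = 0
    for p in ordered:
        if prev is not None and p.offset_sectors < prev.end_sector:
            overlaps.append((prev.index, p.index))
        elif p.offset_sectors > prev_end:
            gaps.append((prev_end, p.offset_sectors - prev_end))
        prev_end = max(prev_end, p.end_sector)
        prev = p
    trailing = max(disk_sectors - prev_end, 0)
    return {
        "overlaps": overlaps,
        "gaps": gaps,
        "trailing_sectors": trailing,
        "trailing_mb": trailing // SECTORS_PER_MB,
        "active": [p.index for p in ordered if p.active],
        "unknown_types": [p.index for p in ordered if p.type_code not in KNOWN_TYPES],
    }


def next_scan_start(parts: List[Partition]) -> int:
    """Sector just past the last partition: where a scanner should start
    looking for code stashed in unallocated space."""
    return max(p.end_sector for p in parts)


# Constructed from the thread's ListParts / RogueKiller / aswMBR output for Disk 0.
SAMPLE_PARTS = [
    Partition(1, 0x07, True, 2048, 199),          # SYSTEM, active
    Partition(2, 0x07, False, 409600, 219671),    # C:
    Partition(3, 0x07, False, 450295808, 18500),  # D: RECOVERY
]
SAMPLE_DISK_MB = 238475                            # aswMBR's "Size: 238475MB"
SAMPLE_RESULT = check_layout(SAMPLE_PARTS, SAMPLE_DISK_MB)

if __name__ == "__main__":
    for key, value in SAMPLE_RESULT.items():
        print(f"{key}: {value}")
    print("scan unallocated sectors from:", next_scan_start(SAMPLE_PARTS))
```

On the thread's numbers the only gap is the leading 2048 sectors (the MBR plus alignment padding, present on every Windows 7 disk), no entries overlap, exactly one entry is active, and the trailing 104 MB agrees with the "103 MB" free that ListParts showed for Disk 0 (the tools round to whole MB, so sub-MB differences are noise). `next_scan_start` returns 488183808, the same figure as the "+488183808" in aswMBR's "scanning sectors" line, which is the region a bootkit would have to use to stay outside every file system.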
#69
October 7, 2012 at 21:07:33
I will put up the ESET log when I can, the scan takes quite a few hours.

#70
October 7, 2012 at 22:28:58
"I will put up the ESET log when I can, the scan takes quite a few hours"

Ok, knew that one would be slow. Post log before doing below.

19: Reboot & run HiJackthis & post log please.

HijackThis ( HJT )
http://sourceforge.net/projects/hjt/


#71
October 9, 2012 at 11:01:13
OK. I'll start the ESET tomorrow on my day off.

#72
October 9, 2012 at 14:05:41
20: Please download the latest version of OTL onto your desktop. I made a mistake on my previous instructions, left out the > :OTL ( Sorry )

Copy and Paste the following code into the Custom Scans/Fixes textbox.

:OTL
DRV - (catchme) -- C:\Users\CARAME~1\AppData\Local\Temp\catchme.sys File not found
DRV - (aswArKrn) -- C:\Users\CARAME~1\AppData\Local\Temp\aswArKrn.sys File not found
FF - user.js - File not found
FF - HKLM\Software\MozillaPlugins\@photoproduct.rocketlife.com/RocketLife App Viewer;version=0.8: File not found
O20 - AppInit_DLLs: (c:\progra~2\browse~1\22630~1.40\{16cdf~1\browse~1.dll) - File not found
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}: "URL" = http://search.yahoo.com/search?p={s...
IE - HKLM\..\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3}: "URL" = http://en.wikipedia.org/wiki/Specia...
IE - HKLM\..\SearchScopes\{d944bb61-2e34-4dbf-a683-47e505c587dc}: "URL" = http://rover.ebay.com/rover/1/711-1...
IE - HKLM\..\SearchScopes\{ec29edf6-ad3c-4e1c-a087-d6cb81400c43}: "URL" = http://www.bing.com/search?q={searc...
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{0169E633-8781-F882-9BC7-7B014AE4DE4E}: "URL" = http://www.bing.com/search?q={searc...
IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}: "URL" = http://search.yahoo.com/search?p={s...
IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3}: "URL" = http://en.wikipedia.org/wiki/Specia...
IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{d944bb61-2e34-4dbf-a683-47e505c587dc}: "URL" = http://rover.ebay.com/rover/1/711-1...
IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{ec29edf6-ad3c-4e1c-a087-d6cb81400c43}: "URL" = http://www.bing.com/search?q={searc...
FF - prefs.js..extensions.enabledAddons: newtaburl@sogame.cat:2.2.3
FF - prefs.js..extensions.enabledAddons: qbwuqatvdh@qbwuqatvdh.org:2.5
FF - prefs.js..extensions.enabledAddons: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}:6.0.35
FF - prefs.js..extensions.enabledAddons: amznUWL@amazon.com:2.15
Glamour\AppData\Roaming\Mozilla\Firefox\Profiles\lb2jqj4p.default\extensions\qbwuqatvdh@qbwuqatvdh.org.xpi
[2012/09/09 12:33:46 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found
O2 - BHO: (no name) - {2EECD738-5844-4a99-B4B6-146BF802613B} - No CLSID value found

Push > Run Fix
OTL may ask to reboot the machine. Please do so if asked.
Click the OK button.
A report will open. Copy and Paste that report in your next reply & of course, TELL ME HOW IT IS RUNNING.


#73
October 10, 2012 at 05:35:16
Sounds like things are going in a circle...probably the best thing to do is a fresh install....AFTER you have saved the files you need to DVD...A reformat is probably the best thing at this point....

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds


#74
October 11, 2012 at 05:57:31
I apologize. I was unable to get to my computer yesterday because I woke to no gas, so I was occupied with that. At my workplace we are unable to download anything on their wifi, so I have to scan with ESET overnight and post the results the following morning.

Thank you.


#75
October 11, 2012 at 06:05:40
Hi XPUser. I'm not sure how I would reinstall Windows 7 Starter on my netbook. I honestly don't have the money for the CD and even if I did, my netbook doesn't even have a CD/DVD drive. If this in the end doesn't work out I guess I'll just deal with it. Could be worse, right?

#76
October 11, 2012 at 06:55:10
"I have to scan with ESET overnight and post the results the following morning"
Ok, I was looking forward to your day off & getting right into it. Hopefully things are getting better for you, your luck will turn around soon, I'm sure.

#77
October 11, 2012 at 10:16:47
LilacGlitter,
There should be a hidden partition with the OS on it for restoring to factory settings....right now you are just beating your head against a wall...going in circles....a redirect should only take up to 20 posts max....

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds


#78
October 11, 2012 at 18:10:37
LilacGlitter
"a redirect should only take up to 20 posts max...."
Take no notice of that, it is absolute nonsense from a person who did not even bother to read your post. Fixing takes whatever it takes & hopefully we are very close & even if removing the infection does not work out, we still can get you going other ways.

Here are a few sites that are working on redirect, some are not yet finished.
#59 posts
http://www.bleepingcomputer.com/for...
#46 posts
http://www.bleepingcomputer.com/for...
#82 posts
http://www.bleepingcomputer.com/for...
#49 posts
http://www.bleepingcomputer.com/for...
#80 posts
http://www.bleepingcomputer.com/for...
#49 posts
http://www.windowsbbs.com/malware-v...
#57 posts
http://www.windowsbbs.com/malware-v...
#33 posts
http://www.windowsbbs.com/malware-v...
#31 posts
http://www.geekstogo.com/forum/topi...
#38 posts
http://www.geekstogo.com/forum/topi...
#54 posts
http://discussions.virtualdr.com/sh...
#60 posts
http://discussions.virtualdr.com/sh...
#37 posts
http://www.techspot.com/community/t...
#36 posts
http://www.techspot.com/community/t...

#79
October 11, 2012 at 18:22:24
Sorry John....looks like the people helping in those posts are probably not too creditable. I am only making a statement because I actually do physical repairs and I have never seen a redirect take so many posts ever. No discredit to you...I only use google when I am actually stuck for an answer. I see this thread going in a constant circle and that's why I suggested saving files and doing a restore back to factory settings...no harm meant...my apologies if you think 'it is absolute nonsense from a person who did not even bother to read your post.'

In case you don't know...I read each post carefully...but thanks for trying to point that out...

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds


#80
October 11, 2012 at 21:11:18
I appreciate the advice that both of you are providing for me to help me in this situation. Thank you for sticking around for so long. I am about to start the ESET scan now.

#81
October 12, 2012 at 14:42:10
Still scanning with ESET. Currently at 21% : (

#82
October 12, 2012 at 16:15:28
18 hours have passed. Currently at 28%

#83
October 12, 2012 at 16:54:00
"18 hours have passed. Currently at 28%"

Too late now, but may help googlers. I just read the ESET FAQs.

5. Why does the ESET Online Scanner run slowly on my computer?
If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
http://kb.eset.com/esetkb/index?pag...


#84
October 12, 2012 at 17:29:23
I see. The ESET scan is at 30% currently & has found one trojan. Should I cancel the scan or proceed still? I disabled my Avira to hopefully speed up the scan (that doesn't appear to be working though).

#85
October 12, 2012 at 19:04:01
The scan is complete and here are the results of what the scan found.

ESET Log? :

C:\Users\Caramel Glamour\AppData\Roaming\Mozilla\Firefox\Profiles\lb2jqj4p.default\extensions\qbwuqatvdh@qbwuqatvdh.org.xpi JS/Redirector.NCA trojan deleted - quarantined


#86
October 12, 2012 at 19:17:33
It is always best when doing any of these infection scans, to disable any running programs, such as email, AV's etc. In other words, don't touch anything whilst scanning.

How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...

I just went to my spare comp that I used 6 mths ago to clean up an infected HDD with ESET, here is a SS of page 1.
http://i.imgur.com/3U7YC.gif

"ESET Log? :"
Thanks.

Now do post 72 please.


#87
October 12, 2012 at 19:20:36
I found the log from a previous ESET Scan

First ESET Log :

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-10-07 23:01:19
-----------------------------
23:01:19.815 OS Version: Windows 6.1.7601 Service Pack 1
23:01:19.815 Number of processors: 2 586 0x1C0A
23:01:19.830 ComputerName: LILAC_ANGEL UserName:
23:01:20.826 Initialize success
23:01:38.795 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
23:01:38.809 Disk 0 Vendor: WDC_WD25 01.0 Size: 238475MB BusType: 3
23:01:38.839 Disk 0 MBR read successfully
23:01:38.851 Disk 0 MBR scan
23:01:38.867 Disk 0 unknown MBR code
23:01:38.890 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
23:01:38.917 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 219671 MB offset 409600
23:01:38.967 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 18500 MB offset 450295808
23:01:38.995 Disk 0 scanning sectors +488183808
23:01:39.103 Disk 0 scanning C:\Windows\system32\drivers
23:01:49.227 Service scanning
23:02:04.350 Modules scanning
23:02:10.894 Disk 0 trace - called modules:
23:02:10.977 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys halmacpi.dll
23:02:11.408 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85acb030]
23:02:11.445 3 CLASSPNP.SYS[867ba59e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x83ffc028]
23:02:11.481 Scan finished successfully
23:02:32.256 Disk 0 MBR has been saved successfully to "C:\Users\Caramel Glamour\Downloads\MBR.dat"
23:02:32.323 The log file has been saved successfully to "C:\Users\Caramel Glamour\Downloads\aswMBR.txt"


#88
October 12, 2012 at 20:05:36
RunFix OTL Log :

Error: Unable to interpret <DRV - (catchme) -- C:\Users\CARAME~1\AppData\Local\Temp\catchme.sys File not found> in the current context!
Error: Unable to interpret <DRV - (aswArKrn) -- C:\Users\CARAME~1\AppData\Local\Temp\aswArKrn.sys File not found> in the current context!
Error: Unable to interpret <FF - user.js - File not found> in the current context!
Error: Unable to interpret <FF - HKLM\Software\MozillaPlugins\@photoproduct.rocketlife.com/RocketLife App Viewer;version=0.8: File not found> in the current context!
Error: Unable to interpret <O20 - AppInit_DLLs: (c:\progra~2\browse~1\22630~1.40\{16cdf~1\browse~1.dll) - File not found> in the current context!
Error: Unable to interpret <"VistaSp1" = Reg Error: Unknown registry data type -- File not found> in the current context!
Error: Unable to interpret <IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}> in the current context!
Error: Unable to interpret <IE - HKLM\..\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}: "URL" = http://search.yahoo.com/search?p={s... in the current context!
Error: Unable to interpret <IE - HKLM\..\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3}: "URL" = http://en.wikipedia.org/wiki/Specia... in the current context!
Error: Unable to interpret <IE - HKLM\..\SearchScopes\{d944bb61-2e34-4dbf-a683-47e505c587dc}: "URL" = http://rover.ebay.com/rover/1/711-1... in the current context!
Error: Unable to interpret <IE - HKLM\..\SearchScopes\{ec29edf6-ad3c-4e1c-a087-d6cb81400c43}: "URL" = http://www.bing.com/search?q={searc... in the current context!
Error: Unable to interpret <IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}> in the current context!
Error: Unable to interpret <IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}> in the current context!
Error: Unable to interpret <IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}> in the current context!
Error: Unable to interpret <IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{0169E633-8781-F882-9BC7-7B014AE4DE4E}: "URL" = http://www.bing.com/search?q={searc... in the current context!
Error: Unable to interpret <IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671}: "URL" = http://search.yahoo.com/search?p={s... in the current context!
Error: Unable to interpret <IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3}: "URL" = http://en.wikipedia.org/wiki/Specia... in the current context!
Error: Unable to interpret <IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{d944bb61-2e34-4dbf-a683-47e505c587dc}: "URL" = http://rover.ebay.com/rover/1/711-1... in the current context!
Error: Unable to interpret <IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\..\SearchScopes\{ec29edf6-ad3c-4e1c-a087-d6cb81400c43}: "URL" = http://www.bing.com/search?q={searc... in the current context!
Error: Unable to interpret <FF - prefs.js..extensions.enabledAddons: newtaburl@sogame.cat:2.2.3> in the current context!
Error: Unable to interpret <FF - prefs.js..extensions.enabledAddons: qbwuqatvdh@qbwuqatvdh.org:2.5> in the current context!
Error: Unable to interpret <FF - prefs.js..extensions.enabledAddons: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}:6.0.35> in the current context!
Error: Unable to interpret <FF - prefs.js..extensions.enabledAddons: amznUWL@amazon.com:2.15> in the current context!
Error: Unable to interpret <Glamour\AppData\Roaming\Mozilla\Firefox\Profiles\lb2jqj4p.default\extensions\qbwuqatvdh@qbwuqatvdh.org.xpi> in the current context!
Error: Unable to interpret <[2012/09/09 12:33:46 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions> in the current context!
Error: Unable to interpret <IE - HKU\S-1-5-21-2956755359-1845293498-3388496615-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank> in the current context!
Error: Unable to interpret <O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found> in the current context!
Error: Unable to interpret <O2 - BHO: (no name) - {2EECD738-5844-4a99-B4B6-146BF802613B} - No CLSID value found> in the current context!

OTL by OldTimer - Version 3.2.69.0 log created on 10122012_220453


#89
October 12, 2012 at 20:10:42
I noticed that the ESET stated that I have a redirecting trojan.


C:\Users\Caramel Glamour\AppData\Roaming\Mozilla\Firefox\Profiles\lb2jqj4p.default\extensions\qbwuqatvdh@qbwuqatvdh.org.xpi

JS/Redirector.NCA trojan

Is this possibly why all the rootkit removing programs did not work?


#90
October 12, 2012 at 20:12:58
"OTL by OldTimer - Version 3.2.69.0 log created on 10122012_220453"
Thanks, still not deleting or removing..

Do post #70 please.


#91
October 12, 2012 at 20:27:33
"I noticed that the ESET stated that I have a redirecting trojan"
ESET said it was > deleted - quarantined

It is definitely not wanted & I have been trying to remove it.

You are still not following instructions.

"After each fix or change we make, let me know how the comp is running. Example: Still getting redirected."



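The finding in #85 and the question in #89 make the point of this whole thread: the redirect lived in a Firefox extension (`qbwuqatvdh@qbwuqatvdh.org.xpi`, flagged by ESET as JS/Redirector.NCA), which is exactly the kind of persistence that MBR and kernel-level rootkit scanners never look at, while the OTL lines in #72 had already listed it among `extensions.enabledAddons`. The script below, added here as an example and not code from Firefox, OTL or ESET, shows how a defender can pull that list out of a profile's prefs.js and flag ids that deserve a look. It assumes the prefs.js layout of the Firefox versions current in 2012, where `extensions.enabledAddons` is one comma-separated string of percent-encoded `id:version` pairs (OTL printed the decoded form); the sample prefs.js is constructed to mirror the four add-ons OTL listed, and `KNOWN_ADDONS` together with the naming heuristics in `suspicion_reasons` are this example's own.

```python
"""Audit the add-ons a Firefox profile has enabled, straight from its prefs.js.

Added example for this thread; it is not code from Firefox, OTL or ESET. It
assumes the prefs.js layout of the Firefox versions current in 2012, where
extensions.enabledAddons is one comma-separated string of percent-encoded
"id:version" pairs. The sample prefs.js is constructed to mirror the four
add-ons OTL listed in this thread; KNOWN_ADDONS and the naming heuristics in
suspicion_reasons are this example's own.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

PREF_RE = re.compile(r'user_pref\("extensions\.enabledAddons",\s*"([^"]*)"\);')
VOWELS = set("aeiou")

# Add-on ids the reviewer has already accounted for (constructed allowlist).
KNOWN_ADDONS = {
    "amznUWL@amazon.com",
    "newtaburl@sogame.cat",
    "{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}",   # Java Console id pattern
}

# Constructed prefs.js excerpt; the ids are the ones OTL showed in this thread.
SAMPLE_PREFS_JS = """\
user_pref("browser.startup.homepage", "about:home");
user_pref("extensions.enabledAddons", "newtaburl%40sogame.cat:2.2.3,qbwuqatvdh%40qbwuqatvdh.org:2.5,%7BCAFEEFAC-0016-0000-0035-ABCDEFFEDCBA%7D:6.0.35,amznUWL%40amazon.com:2.15");
user_pref("extensions.lastAppVersion", "15.0.1");
"""


def parse_enabled_addons(prefs_js: str) -> List[Tuple[str, str]]:
    """Return (id, version) pairs from extensions.enabledAddons, decoded."""
    m = PREF_RE.search(prefs_js)
    if not m or not m.group(1):
        return []
    pairs = []
    for item in m.group(1).split(","):
        # The version follows the last colon; ids themselves never contain one.
        addon_id, _, version = unquote(item).rpartition(":")
        pairs.append((addon_id, version))
    return pairs


def suspicion_reasons(addon_id: str) -> List[str]:
    """Why an id deserves a look. An empty list means nothing stood out."""
    if addon_id in KNOWN_ADDONS:
        return []
    reasons = ["not on the allowlist"]
    if "@" in addon_id:
        local, _, domain = addon_id.partition("@")
        # Throwaway ids often reuse one random string on both sides of the @.
        if local.lower() == domain.split(".")[0].lower():
            reasons.append("local part mirrors the domain label")
        # Human-chosen names have vowels; generated strings usually do not.
        letters = [c for c in local.lower() if c.isalpha()]
        if len(letters) >= 8:
            ratio = sum(c in VOWELS for c in letters) / len(letters)
            if ratio < 0.25:
                reasons.append(f"vowel ratio {ratio:.2f} looks machine-generated")
    return reasons


def audit(prefs_js: str) -> Dict[str, List[str]]:
    """Map each enabled add-on id that raised a reason to its reasons."""
    flagged: Dict[str, List[str]] = {}
    for addon_id, _version in parse_enabled_addons(prefs_js):
        reasons = suspicion_reasons(addon_id)
        if reasons:
            flagged[addon_id] = reasons
    return flagged


if __name__ == "__main__":
    for addon_id, reasons in audit(SAMPLE_PREFS_JS).items():
        print(addon_id)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, only `qbwuqatvdh@qbwuqatvdh.org` comes back, with all three reasons. The heuristics are deliberately cheap: an allowlist maintained by whoever owns the machine does most of the work, and the two naming checks only exist to rank what is left; anything flagged should then be located in the profile's `extensions` folder and examined or quarantined, as ESET did here.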
#92
October 12, 2012 at 20:31:44
C:\Users\CARAME~1\DOWNLO~1\HIJACK~1.EXE
The NTVD CPU has encountered an illegal instruction
CS:05cf IP:0104 OP:63 74 79 70 65 Choose 'Close' to terminate the application

#93
October 12, 2012 at 20:50:35
"The NTVD CPU has encountered an illegal instruction"
Did you mean NTVDM?

Download HijackThis, but before saving HijackThis.exe, rename it first to iexplore.exe and click Save button to save it to desktop.

If it still won't run try, Safe mode or Safe mode with networking.


#94
October 12, 2012 at 21:32:50
Oh my Goodness. I don't think I'm getting redirected anymore! I've run several searches and everything seems to be working fine so far! Thank you so very much Johnw for all of the help you have provided.

#95
October 12, 2012 at 21:40:17
"I don't think I'm getting redirected anymore!"
Beautiful, I knew we were getting close.

With HJT, here is another version to try, I want you to run it, as there are still remnants to be removed out of your system.
http://go.trendmicro.com/free-tools...

Must be close to your bed time.


#96
October 12, 2012 at 21:43:47
Ok then, I will do that now. And yes it is 11:43 pm here so I am pretty tired.

#97
October 12, 2012 at 21:49:14
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:47:17 PM, on 10/12/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16450)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\AmIcoSingLun\AmIcoSinglun.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
C:\Program Files\Hewlett-Packard\Shared\hpCaslNotification.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\Caramel Glamour\Downloads\HiJackThis(1).exe
C:\Users\Caramel Glamour\Downloads\HiJackThis(1).exe

O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\stlang.dll,-10101 (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 1773 bytes


#98
October 12, 2012 at 21:50:35
The above is the HiJack This log

#99
October 12, 2012 at 22:33:16
Thanks, but there is a lot missing; after the C: drive, there should be R1 through to O23.

Tutorial
http://www.help2go.com/Tutorials/Pr...
http://www.bleepingcomputer.com/tut...

Sample here.
http://www.bleepingcomputer.com/for...



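The R0/R1 through O23 sections that #99 asks for are where a HijackThis log earns its keep: the two orphaned BHO entries (`{02478D38-...}` and `{2EECD738-...}`, both "(no file)") that OTL refused to act on in #88 show up there as O2 lines. The script below, added here as an example and not HijackThis code, reads the line formats HJT uses and applies a handful of defender heuristics: a BHO whose DLL is gone, an autorun launched from a user-writable folder, a start or search page pointing at a host outside a small trusted list, and any Winsock LSP. The sample log is constructed from the kinds of entries posted in this thread with the user name replaced; `triage`, `USER_WRITABLE` and `TRUSTED_HOSTS` are this example's own.

```python
"""Triage a HijackThis log for the entries that typically sit behind a redirect.

Added example, not part of the thread and not HijackThis code. It parses the
R0/R1, O2, O4 and O10 line formats HJT prints and applies a few defender
heuristics. The sample log is constructed from entries like the ones posted
in this thread, with the user name replaced; triage() and the rule lists are
this example's own.
"""
import re
from typing import List, Tuple
from urllib.parse import urlparse

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^(?P<kind>R[01]) - (?P<key>.*),(?P<value>Start Page|Search Page|Default_Page_URL|Default_Search_URL) = (?P<url>.*)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.*)$")

# Folders an unprivileged process can write to; autoruns from here deserve a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Hosts a vendor-default IE start/search page may legitimately use (constructed list).
TRUSTED_HOSTS = {"go.microsoft.com", "g.msn.com", "www.msn.com", "www.bing.com", "www.google.com"}

Finding = Tuple[str, str, str]   # (severity, log line excerpt, reason)


def triage(log: str) -> List[Finding]:
    """Return one finding per HJT line that trips a heuristic, in log order."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        excerpt = line[:70]
        m = O2_RE.match(line)
        if m:
            if m.group("path").strip() == "(no file)":
                findings.append(("high", excerpt, "BHO still registered but its DLL is missing (orphaned or half-removed)"))
            elif m.group("name") == "(no name)":
                findings.append(("medium", excerpt, "BHO registered without a name"))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd").lower()
            if any(folder in cmd for folder in USER_WRITABLE):
                findings.append(("medium", excerpt, "autorun launched from a user-writable folder"))
            continue
        m = R_RE.match(line)
        if m:
            url = m.group("url").strip()
            if url and not url.startswith("about:"):
                host = urlparse(url).hostname or ""
                if host not in TRUSTED_HOSTS:
                    findings.append(("medium", excerpt, f"browser page points at unexpected host '{host}'"))
            continue
        if O10_RE.match(line):
            findings.append(("review", excerpt, "Winsock LSP sees every name lookup; confirm the DLL's publisher"))
    return findings


# Constructed sample mirroring the kinds of entries posted in this thread.
SAMPLE_HJT_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://g.msn.com/HPNOT/1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll
O2 - BHO: Babylon toolbar helper - {2EECD738-5844-4a99-B4B6-146BF802613B} - (no file)
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe" /min
O4 - HKCU\\..\\Run: [Spotify] "C:\\Users\\user\\AppData\\Roaming\\Spotify\\Spotify.exe" /uri spotify:autostart
O10 - Unknown file in Winsock LSP: c:\\program files\\common files\\microsoft shared\\windows live\\wlidnsp.dll
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\\Program Files\\Skype\\Updater\\Updater.exe
"""

if __name__ == "__main__":
    for severity, excerpt, reason in triage(SAMPLE_HJT_LOG):
        print(f"[{severity:6}] {excerpt}\n         {reason}")
```

On the sample the two "(no file)" BHOs come out as high, the Spotify autorun in AppData as medium, and the Windows Live LSP as review. The last two are false positives on this machine, which is the point of keeping severities separate: the heuristics rank what a reviewer should read first, they do not decide what to delete.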
#100
October 12, 2012 at 22:54:55
I see. I will try again.

#101
October 13, 2012 at 05:15:40
Ended up falling asleep and having nightmares. Here is the HiJack This Log :

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:13:46 AM, on 10/13/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16450)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\AmIcoSingLun\AmIcoSinglun.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
C:\Program Files\Hewlett-Packard\Shared\hpCaslNotification.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Users\Caramel Glamour\Downloads\HiJackThis(1).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPNOT/1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Babylon toolbar helper - {2EECD738-5844-4a99-B4B6-146BF802613B} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [AmIcoSinglun] C:\Program Files\AmIcoSingLun\AmIcoSinglun.exe
O4 - HKLM\..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [HP Quick Launch] C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Spotify] "C:\Users\Caramel Glamour\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart
O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: HP Media Suite.lnk = C:\Program Files\Hewlett-Packard\HP Media Suite\Home\ArcStart.exe
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Program Files\IDT\WDM\aestsrv.exe
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: DeviceVM Meta Data Export Service (DvmMDES) - DeviceVM, Inc. - C:\SwSetup\HPQWMM\QuickWeb\QW.SYS\config\DVMExportService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\HP Game Console\GameConsoleService.exe
O23 - Service: HP Support Assistant Service - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\HP Support Framework\hpsa_service.exe
O23 - Service: HP Wireless Assistant Service - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
O23 - Service: HP Client Services (HPClientSvc) - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
O23 - Service: HP Quick Synchronization Service (HPDrvMntSvc.exe) - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
O23 - Service: HP Software Framework Service (hpqwmiex) - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HPWMISVC - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: RoxioNow Service - Roxio - C:\Program Files\Roxio\RoxioNow Player\RNowSvc.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\stlang.dll,-10101 (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8041 bytes


Report •

#102
October 13, 2012 at 05:20:45
Thanks, I shall work on that now, here are the next steps.

22: Run TFC again & post log please.

23: Run Security Check by screen317 as per my post #60


Report •

#103
October 13, 2012 at 05:24:19
"Ended up falling asleep and having nightmares"
Yep, that was a long session, not working today?

Report •

#104
October 13, 2012 at 05:43:41
24: Open HJT.
Do a system scan only, check these 2 entries & down the bottom of the page, click on > Fix checked.
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Babylon toolbar helper - {2EECD738-5844-4a99-B4B6-146BF802613B} - (no file)

Report •

#105
October 13, 2012 at 05:54:39
Yes I am off today luckily. Ready to perform the system scan.

Report •

#106
October 13, 2012 at 06:01:26
"Ready to perform the system scan"
Reboot when done & run HJT again, make sure those entries stayed off.

If they didn't, do them again in Safe mode, reboot & check again.


Report •
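As an added illustration (not from this thread and not part of HijackThis), here is a small Python script that parses HJT log lines like the ones posted above, flags the O2 BHO entries that point at "(no file)" (the two that #104 asks to fix), and compares a before and after log to confirm the fixed entries stayed off after the reboot, as #106 asks. The two sample logs are constructed from entries in this thread; it also reports any entry that is new in the second log, which the posts do not cover.

```python
"""Parse HijackThis (HJT) logs and check that fixed O2 BHO entries stayed gone.

Added illustration, not part of the thread or of HijackThis itself. The log
lines below are constructed from entries posted in this thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed "before" log: a few lines in HJT v2.0.4 format from the posted logs.
BEFORE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Babylon toolbar helper - {2EECD738-5844-4a99-B4B6-146BF802613B} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
"""

# Constructed "after reboot" log: the Babylon entry is gone, the (no name) one came back.
AFTER_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
"""

# Any HJT entry: section code ("O2", "O4", "R0", ...) followed by " - " and the body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
# Body of an O2 line: display name, CLSID in braces, then the DLL path or "(no file)".
BHO_RE = re.compile(
    r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)


@dataclass(frozen=True)
class Entry:
    code: str                    # HJT section, e.g. "O2"
    body: str                    # everything after "O2 - "
    name: Optional[str] = None   # BHO display name (O2 only)
    clsid: Optional[str] = None  # BHO CLSID (O2 only)
    path: Optional[str] = None   # DLL path or "(no file)" (O2 only)

    @property
    def key(self) -> str:
        # A BHO is identified by its CLSID; every other entry by its full text.
        return self.clsid or f"{self.code}|{self.body}"


def parse_log(text: str) -> List[Entry]:
    """Turn the entry lines of an HJT log into Entry objects, skipping headers."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # "Logfile of ...", process list, "End of file", blanks
        code, body = m.group("code"), m.group("body")
        b = BHO_RE.match(body) if code == "O2" else None
        if b:
            entries.append(Entry(code, body, b["name"], b["clsid"], b["path"]))
        else:
            entries.append(Entry(code, body))
    return entries


def orphaned_bhos(entries: List[Entry]) -> List[Entry]:
    """O2 entries whose DLL is missing: registry leftovers that HJT can 'fix'."""
    return [e for e in entries if e.code == "O2" and e.path == "(no file)"]


def verify_fixed(before_text: str, after_text: str) -> Dict[str, bool]:
    """For each orphaned BHO in the first log: True if it is absent from the second."""
    after_keys = {e.key for e in parse_log(after_text)}
    return {e.clsid: e.clsid not in after_keys
            for e in orphaned_bhos(parse_log(before_text))}


def new_entries(before_text: str, after_text: str) -> List[Entry]:
    """Entries present in the second log that were not in the first."""
    before_keys = {e.key for e in parse_log(before_text)}
    return [e for e in parse_log(after_text) if e.key not in before_keys]


if __name__ == "__main__":
    for clsid, gone in verify_fixed(BEFORE_LOG, AFTER_LOG).items():
        print(clsid, "stayed off" if gone else "CAME BACK - redo the fix in Safe mode")
    for e in new_entries(BEFORE_LOG, AFTER_LOG):
        print("new since last scan:", e.code, e.body)
```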

#107
October 13, 2012 at 06:19:49
Updated TFC Log :

Getting user folders.

Stopping running processes.

Emptying Temp folders.


User: All Users

User: Caramel Glamour
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1033123 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes

Emptying RecycleBin. Do not interrupt.

RecycleBin emptied: 0 bytes
Process complete!

Total Files Cleaned = 1.00 mb


Report •

#108
October 13, 2012 at 06:24:00
Performing the security check now then I'll proceed to run HJT

Report •

#109
October 13, 2012 at 06:26:37
Security Check Log :

Results of screen317's Security Check version 0.99.51
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 9
[b][u]``````````````Antivirus/Firewall Check:``````````````[/b][/u]
Windows Firewall Enabled!
Avira Desktop
Antivirus up to date!
[b][u]`````````Anti-malware/Other Utilities Check:`````````[/b][/u]
Malwarebytes Anti-Malware version 1.62.0.1300
CCleaner
Java(TM) 6 Update 22
Java 7 Update 7
Adobe Flash Player 10 [color=red][b]Flash Player out of Date![/b][/color]
Adobe Flash Player 10.3.183.5 [b][color=red]Flash Player out of Date![/color][/b]
Adobe Reader 9 [color=red][b]Adobe Reader out of Date![/b][/color]
Mozilla Firefox (15.0.1)
[b][u]````````Process Check: objlist.exe by Laurent````````[/b][/u]
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
[b][u]`````````````````System Health check`````````````````[/b][/u]
Total Fragmentation on Drive C: 3%
[b][u]````````````````````End of Log``````````````````````[/b][/u]


Report •

#110
October 13, 2012 at 06:33:59
Updated HJT Log : The files I "fixed" did not return

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:32:28 AM, on 10/13/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16450)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\rundll32.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Users\Caramel Glamour\Downloads\HiJackThis(1).exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [AmIcoSinglun] C:\Program Files\AmIcoSingLun\AmIcoSinglun.exe
O4 - HKLM\..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [HP Quick Launch] C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Spotify] "C:\Users\Caramel Glamour\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart
O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: HP Media Suite.lnk = C:\Program Files\Hewlett-Packard\HP Media Suite\Home\ArcStart.exe
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Program Files\IDT\WDM\aestsrv.exe
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: DeviceVM Meta Data Export Service (DvmMDES) - DeviceVM, Inc. - C:\SwSetup\HPQWMM\QuickWeb\QW.SYS\config\DVMExportService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\HP Game Console\GameConsoleService.exe
O23 - Service: HP Support Assistant Service - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\HP Support Framework\hpsa_service.exe
O23 - Service: HP Wireless Assistant Service - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
O23 - Service: HP Client Services (HPClientSvc) - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
O23 - Service: HP Quick Synchronization Service (HPDrvMntSvc.exe) - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
O23 - Service: HP Software Framework Service (hpqwmiex) - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HPWMISVC - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: RoxioNow Service - Roxio - C:\Program Files\Roxio\RoxioNow Player\RNowSvc.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\stlang.dll,-10101 (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 6715 bytes


Report •

#111
October 13, 2012 at 06:41:11
Going real good now.

Let me know when this is finished.

25: Open OTL & run Cleanup
Double-click OTL.exe to start the program.
Close all other programs apart from OTL as this step will require a reboot
On the OTL main screen, press the CLEANUP button
Say Yes to the prompt and then allow the program to reboot your computer.


Report •

#112
October 13, 2012 at 06:44:53
"Updated HJT Log : The files I "fixed" did not return"

Oops.

This one is still there.

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)


Report •

#113
October 13, 2012 at 07:22:38
I'm off to bed now, here is stuff to keep you busy until I check in again.

If post #112 doesn't work out, just move on & we shall get back to it later.

26: Run these cleaners, I use these & others on every single comp I work on. Remove all they find, there will be a large amount.
Wise Disk Cleaner ( Run the 1st three boxes, left to right. I use default settings, leave boxes that are unchecked, unchecked )
http://www.softpedia.com/get/System...
http://www.softpedia.com/progScreen...
http://www.wisecleaner.com/download...

Wise Registry Cleaner ( Only use Registry Cleaner with default settings )
http://www.softpedia.com/get/Tweak/...
http://www.softpedia.com/progScreen...
http://www.wisecleaner.com/wiseregi...

====================================

Reduce your Java Cache ( I set mine at 100mb )
http://www.steveshank.com/Newslette...

Managing your Internet Explorer Temporary Internet Files ( I set all my browsers at 50mb )
http://www.bleepingcomputer.com/tut...
Amount of Disk Space to Use.
This shows the amount of disk space that will be allocated for your Temporary Internet Files. By default Windows uses 10 percent of your Windows system partition. This amount can be significant if you use the 10 percent model. It is advised that you change this setting to a lower number such as 50 MB.

Results of screen317's Security Check version 0.99.51
Things are pretty good, go to Programs and Features & remove > Java(TM) 6 Update 22
http://gizmodo.com/5138189/win-7-ti...
These all need updating.
Adobe Flash Player 10 [color=red][b]Flash Player out of Date![/b][/color]
Adobe Flash Player 10.3.183.5 [b][color=red]Flash Player out of Date![/color][/b]
Adobe Reader 9 [color=red][b]Adobe Reader out of Date![/b][/color]
Mozilla Firefox (15.0.1) Now 16.0.1

"Scanned with SUPERAntiSpyware : Found and removed 179 infected files"
They were mainly tracking cookies, use Ghostery to stop.
http://www.ghostery.com/
http://www.ghostery.com/download
Firefox
https://addons.mozilla.org/en-US/fi...
Internet Explorer
http://www.ghostery.com/download-ie
Chrome
https://chrome.google.com/extension...
Opera
https://addons.opera.com/addons/ext...
Protect your privacy. See who's tracking your web browsing and block them with Ghostery.

"I somehow obtained approximately 3 days ago & I cannot get rid of it for the life of me"
Malware Prevention
http://www.malwarevault.com/index.html
"There is no magic involved. The majority of malware is installed by the user themselves"


Report •

#114
October 13, 2012 at 07:42:13
OK Thanks again. I will get started on this process. Have a Good Night.

Report •

#115
October 13, 2012 at 10:17:28
LilacGlitter
I noticed you are running Avira....One other thing you may not have tried is Avast free:
http://www.filehippo.com/download_a...
You can stop Avira from running while trying this.

You can try installing it and get avast to do a bootscan on reboot. Then move EVERYTHING it finds to the chest....that is the safest way to do it. I'm sure if there are any more problems Avast will find them....as Avast finds things that others tend to miss. Good luck

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds


Report •

#116
October 13, 2012 at 10:20:26
Interesting. Thank you very much XPUser.

Report •

#117
October 13, 2012 at 13:06:11
LilacGlitter and Johnw great work guys! Well done.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?


Report •

#118
October 13, 2012 at 13:46:03
"LilacGlitter and Johnw great work guys! Well done"
Thanks MrGoodguy

Report •

#119
October 13, 2012 at 14:00:55
LilacGlitter, as we now know, a user got conned/tricked into allowing a virus into your comp. Once on, Avira told you that you were infected but didn't solve the problem. Virtually no installed AV could solve your problem; that's why you have to use an online AV & all the other special programs.

Just in case you aren't using the free version, here it is.

Avira AntiVir PersonalEdition Classic
http://www.softpedia.com/get/Antivi...
http://www.free-av.com/en/download/...
http://www.download.com/Avira-AntiV...
http://www.avira.com/en/download/in...
Disable the Avira AntiVir nag screen:
http://www.elitekiller.com/files/di...
Configuring AntiVir for maximum protection
http://tanaya.net/AntiVir/
Despite these hang-ups and the nag screen that follows updates, we found AntiVir to offer such effective protection with such a well-rounded set of features that as long as the definitions file updates keep coming, this app is our first line of defense.
http://www.download.com/Avira-AntiV...
User Manual
http://www.free-av.com/documents/pr...


Report •

#120
October 13, 2012 at 14:15:04
As a matter of interest, I use MSE.

Microsoft Security Essentials ( MSE )
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://www.techsupportalert.com/bes...
http://www.cnet.com.au/microsoft-se...
http://windows.microsoft.com/en-US/...
System requirements
http://www.microsoft.com/en-us/secu...
Can Microsoft Security Essentials ( MSE ) protect me from online banking and shopping.
http://answers.microsoft.com/en-us/...
If you choose to use Security Essentials, please follow the steps in this thread first, especially the part about removing all existing realtime antimalware:
http://kb.eset.com/esetkb/index?pag...


Report •

#121
October 13, 2012 at 14:17:41
LilacGlitter, have you done #111 & on?

Report •

#122
October 13, 2012 at 16:49:30
'Interesting. Thank you very much XPUser.'
You are very welcome...I put Avast on 3/4's of the repairs I do and it has done very well....no scheduled scans needed and automatic updates daily....

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds


Report •

#123
October 14, 2012 at 05:52:12
Should I use Avast in replacement of Avira?

Report •

#124
October 14, 2012 at 05:53:39
Starting step #111 Now John

Report •

#125
October 14, 2012 at 06:08:16
Updated HJT Scan Log :

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:07:34 AM, on 10/14/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16450)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\AmIcoSingLun\AmIcoSinglun.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
C:\Program Files\Hewlett-Packard\Shared\hpCaslNotification.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Caramel Glamour\Downloads\HiJackThis(1).exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [AmIcoSinglun] C:\Program Files\AmIcoSingLun\AmIcoSinglun.exe
O4 - HKLM\..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [HP Quick Launch] C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Spotify] "C:\Users\Caramel Glamour\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart
O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: HP Media Suite.lnk = C:\Program Files\Hewlett-Packard\HP Media Suite\Home\ArcStart.exe
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Program Files\IDT\WDM\aestsrv.exe
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: DeviceVM Meta Data Export Service (DvmMDES) - DeviceVM, Inc. - C:\SwSetup\HPQWMM\QuickWeb\QW.SYS\config\DVMExportService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\HP Game Console\GameConsoleService.exe
O23 - Service: HP Support Assistant Service - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\HP Support Framework\hpsa_service.exe
O23 - Service: HP Wireless Assistant Service - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
O23 - Service: HP Client Services (HPClientSvc) - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
O23 - Service: HP Quick Synchronization Service (HPDrvMntSvc.exe) - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
O23 - Service: HP Software Framework Service (hpqwmiex) - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HPWMISVC - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: RoxioNow Service - Roxio - C:\Program Files\Roxio\RoxioNow Player\RNowSvc.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\stlang.dll,-10101 (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 7554 bytes


Report •

#126
October 14, 2012 at 06:09:55
Thank you for the advice about Avira JohnW. It truly has been successful in ridding my computer of infections until this point.

Report •

#127
October 14, 2012 at 06:15:24
In the process of performing step # 26 now.

Report •

#128
October 14, 2012 at 06:59:40
Wise Cleaner : Completed

Wise Registry Cleaner : Received an error message from Firefox stating it cannot find the page I need to download the program from.

Reduce your Java Cache : I am directed to the "Current Newsletter" page http://steveshank.com/cgi-bin/newsl...


Managing your Internet Explorer Temporary Internet Files : Completed


Update Adobe Flash Player : Completed

Firefox Update : Completed

Install Ghostery to Browser : Completed

Advice about malware protection : Noted



Report •

#129
October 14, 2012 at 07:06:56
LilacGlitter,
Yes, I would definitely change from Avira to Avast....I'm sure you would notice quite a difference....

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds


Report •

#130
October 14, 2012 at 07:17:27
Interesting. I noticed that after I finished cleaning and updated programs, that facebook doesn't appear properly. The main page is nothing but blue text and a white background. None of my messages or notifications are there either.

Report •

#131
October 14, 2012 at 07:24:41
Same notion applies to Youtube.

Report •

#132
October 14, 2012 at 07:46:16
Never mind. I fixed it. Being on this site, taking all this advice has taught me so much about how to handle my computer and the problems I might encounter.

Thank you so much JohnW and XPUser sooooo very much for staying through this long and tedious journey.


Report •

#133
October 14, 2012 at 07:58:17
You are very welcome....it WAS a long journey and like I said before....if things fail again...look for the recovery partition and give that a shot bearing in mind to back up ALL important files, pics and docs before doing so. Happy computing....

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds


Report •

#134
October 14, 2012 at 08:03:30
Post #125
All good, nice & clean.

" Received an error message from Firefox stating it cannot find the page I need to download the program from"
I just tried & this link worked.
http://www.softpedia.com/dyn-postdo...

"Reduce your Java Cache : I am directed to the "Current Newsletter" page"
He has changed his link.
http://i.imgur.com/Fw9cy.gif
http://i.imgur.com/MTQf2.gif
http://i.imgur.com/1JYLz.gif
http://steveshank.com/cgi-bin/artic...


Report •

#135
October 14, 2012 at 08:06:33
To protect yourself for the future, I think there is enough info here to show you how to install Windows from a thumb/flash drive.
Digital River is the official MS site for ISO downloads of operating systems, you then use your Product Key.
I am looking for an ISO of Windows 7 starter edition.
http://answers.microsoft.com/en-us/...
http://www.mydigitallife.info/offic...
http://en.community.dell.com/suppor...
WinToFlash
http://www.softpedia.com/get/System...
http://www.softpedia.com/progScreen...
http://wintoflash.com/home/en/
Easiest way to install Windows with a USB flash drive.
http://liliputing.com/2009/08/easie...

If you have lost your Product number, this will reveal it under Licenses.
SIW ( I use the Freeware version )
http://www.softpedia.com/get/System...
http://www.softpedia.com/progScreen...
http://www.gtopala.com/siw-download...
Copy of the Free version I use ( No need to take out a Premium account or sign up for anything )
http://www.filedropper.com/siw-setup_1
Or here,
http://www.datafilehost.com/downloa...
I use SIW for Licenses & Passwords.
1: Left hand column. Software > Licenses.
2: Software > Passwords
3: Top bar. Tools > Win 9x Password Cracker.


#136
October 14, 2012 at 08:11:54
If you don't have your manual, here it is here. On your browser, Click File > Save Page As.
http://h10032.www1.hp.com/ctg/Manua...
To use the recovery partition, here is what is in the manual.

YOU WILL LOSE ALL YOUR INSTALLED PROGRAMS, USING THIS METHOD.

Recovering using the partition on the hard drive (select models only)
On some models, you can perform a recovery from the partition on the hard drive, which is accessed
by pressing either the Start button or f11. This restores the computer to its factory condition.
NOTE: This method of recovery is also an HP Recovery Manager solution.
NOTE: Computers with an SSD may not have a recovery partition. If the computer does not have a
recovery partition, you will not be able to recover using this procedure. Recovery discs have been
included for computers that do not have a partition. Use these discs to recover your operating system
and software.
To restore the system from the partition, follow these steps:
1. Access Recovery Manager in either of the following ways:
• Click Start, click All Programs, click Recovery Manager, and then click Recovery Manager.
– or –
a. Turn on or restart the computer.
b. Press f11 while the “Press <F11> for recovery” message is displayed on the screen.
NOTE: It may take several minutes for Recovery Manager to load.
2. Click Yes when prompted.
3. In the Recovery Manager window, click System Recovery.
4. Follow the on-screen instructions.


#137
October 14, 2012 at 08:16:35
Wise Care 365 : Complete

Reduce Java Cache : Complete


#138
October 14, 2012 at 08:19:08
Thank you for the tips on the recovery partition & installing programs via thumb drive. I've had to do both several times before for my mother's Dell Inspiron since I had to reinstall her hard drive, but never had it explained to me before.

#139
October 14, 2012 at 08:20:37
Post #137

You should now find the comp nice & snappy, with that almost new feeling.


#140
October 14, 2012 at 08:25:02
"but never had it explained to me before"
Probably 90% of what I have given you, has come from GOOGLING.
I have been googling like crazy, to stay ahead of you, researching all I could to anticipate problems.

#141
October 14, 2012 at 08:31:08
I suppose I'm not as good at googling as I had presumed. No matter what issue I had with computers, I was always able to google the problem and find a solution within 24 hours, but this google redirecting problem was the first to stump me. I have never asked for help with my computer before this.

#142
October 14, 2012 at 08:32:29
Google is a good tool to use when stumped on a query...and also to be able to relate to problems with previous hands on experience really helps.

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds


#143
October 14, 2012 at 08:38:23
"I suppose I'm not as good at googling as I had presumed"
Always harder, when under pressure.

Off to bed for me, stay tuned, in case I think of other stuff to do.


#144
October 14, 2012 at 08:43:11
No problem. Thank you again & have a good night.

#145
October 14, 2012 at 14:29:34
So what fixed this? Complete reload?

#146
October 14, 2012 at 15:14:30
"So what fixed this? Complete reload?"
No, we removed the rootkit, with relentless attack, using all the tools in the posts above & slowly pulling it apart bit by bit.

Go to the sites mentioned in my post #78 where you have specialist trained malware members, who have to do a school before they can help & you will see the way they do it.


#147
October 14, 2012 at 15:27:37
LilacGlitter your post #75
" I honestly don't have the money for the CD and even if I did, my netbook doesn't even have a CD / DVD drive"

LilacGlitter post #138
" & installing programs via thumb drive"

Not programs, this is the way to get the W7 operating system on a thumb drive instead of a CD.


#148
October 14, 2012 at 15:48:25
LilacGlitter post #128
Install Ghostery to Browser : Completed

Did you run SUPERAntiSpyware again after installing Ghostery ( all browsers closed )
Ghostery will block the tracking cookies, but not remove them.
If, say, in 2 weeks you run SUPERAntiSpyware again & it finds more tracking cookies, that is telling you that you haven't blocked everything in Ghostery Options.
Upload screenshots of your settings, if you are not sure.
Image Uploader
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://zenden.ws/imageuploader_ru


#149
October 14, 2012 at 16:04:15
LilacGlitter
I use CCleaner as well, very handy for lots of reasons. Tools has a Startup section, if you want to stop something running at startup.
Options has a Cookie section where you can move cookies over to the right hand side. I move cookies over for all the sites that I want to log in automatically, without a password.
I use the Slim version of CCleaner ( no Yahoo toolbar )
http://www.piriform.com/ccleaner/bu...

#150
October 14, 2012 at 16:43:49
LilacGlitter

Could I have a SS ( screen shot ) of 5 & then click on > Configure & another SS.
http://www.sevenforums.com/tutorial...

Image Uploader
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://zenden.ws/imageuploader_ru


#151
October 14, 2012 at 17:15:34
LilacGlitter post #126
"Thank you for the advice about Avira JohnW. It truly has been successful in ridding my computer of infections until this point"

If you are comfortable using Avira & it is not costing you any money, stay with it.
MSE, Avira & Avast are all good as a first line of defense.
You can go to any forum on infections & you will find computers all infected, even though they were using one of the above brands.
The user ignored warnings & got conned.
Ratings on the above, vary from month to month, with thousands of new infections coming out daily, no brand can keep up with them.

The Baddies are always ahead of the Goodies.


#152
October 15, 2012 at 07:07:33
Yes I did run the spyware and ghostery is working properly.

"Could I have a SS ( screen shot ) of 5 & then click on > Configure & another SS."

I'm afraid I don't understand what you want me to screen shot 5 of.

P.S. If I don't come back to this forum, it's because my internet got disconnected. :(


#153
October 15, 2012 at 15:15:16
"I'm afraid I don't understand what you want me to screen shot 5 of"
http://www.sevenforums.com/tutorial...
http://i.imgur.com/a4BJ5.gif

"P.S. If I don't come back to this forum it because my internet got disconnected. :( "
Ok.
