
Solved Bing.zugotoolbar is back plus more malware

Discussion in 'Malware and Virus Removal Archive' started by Blue Skys, 2010/03/09.

  1. 2010/03/09
    Blue Skys

    Blue Skys Inactive Thread Starter

    [Resolved] Bing.zugotoolbar is back plus more malware

    I have been running Malwarebytes plus my anti-virus software continuously and update them every day I am on the internet. And, I was just redirected by bing.zugotoolbar. I ran Malwarebytes yesterday and no problems were found; I just ran it after being redirected and guess what? I have malware again. How do these viruses keep getting through my software guards? Please help me, and thanks in advance. And let me know just what to do.

    Oh yeah, these problems have also messed up my registries. I only got online to see what error codes 1904 and (I think it was) error 1704 are. I get these two errors when I try to download my new AT&T Connect Manager. If I can't get this PC cleaned up, and figure out how to download the AT&T software, it is going to cost me $150.00.

    I ran Malwarebytes and here is the log:

    Malwarebytes' Anti-Malware 1.44
    Database version: 3832
    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18882

    3/9/2010 6:51:21 PM
    mbam-log-2010-03-09 (18-51-07).txt

    Scan type: Quick Scan
    Objects scanned: 112893
    Time elapsed: 3 minute(s), 15 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Users\Charlotte\Documents\Desktop\RegistryEasy.exe (Rogue.Installer) -> No action taken.
     
  2. 2010/03/09
    wildfire

    wildfire Getting Old

    Hi Blue Skys,

    As indicated at the start of this forum, please *** READ THIS BEFORE POSTING IN THIS FORUM *** then post the requested logs in this thread.

    NOTES:
    When posting the logs ensure word wrap is switched off (in notepad Uncheck Format->Word Wrap) as this makes them difficult to read.

    Be aware that only Malware analysts will advise and they are often busy. Your post will be taken on a first come first served basis but it may take a while before you receive a reply.
     


  4. 2010/03/09
    broni

    broni Moderator Malware Analyst

    Let me ask you something...
    Is this something you willingly downloaded?
     
  5. 2010/03/09
    Blue Skys

    Blue Skys Inactive Thread Starter

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume3
    Install Date: 12/26/2008 7:02:03 AM
    System Uptime: 3/5/2010 3:49:12 AM (112 hours ago)

    Motherboard: Dell Inc. | | 0RY007
    Processor: Pentium(R) Dual-Core CPU E5200 @ 2.50GHz | Socket 775 | 2500/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 451 GiB total, 404.351 GiB free.
    D: is FIXED (NTFS) - 15 GiB total, 6.006 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft ISATAP Adapter
    Device ID: ROOT\*ISATAP\0001
    Manufacturer: Microsoft
    Name: Microsoft ISATAP Adapter #2
    PNP Device ID: ROOT\*ISATAP\0001
    Service: tunnel

    ==== System Restore Points ===================

    RP352: 3/2/2010 9:48:06 AM - Windows Update
    RP353: 3/5/2010 4:56:29 AM - Windows Update
    RP354: 3/5/2010 12:13:09 PM - Installed AT&T Communication Manager.
    RP355: 3/8/2010 9:47:31 AM - Windows Update
    RP356: 3/8/2010 7:25:38 PM - Windows Backup

    ==== Installed Programs ======================

    AbiWord 2.6.4
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Reader 9.3
    APC PowerChute Personal Edition
    Apple Application Support
    Apple Software Update
    Art Explosion Greeting Card Factory Express
    Art Explosion Scrapbook Factory
    Avira AntiVir Personal - Free Antivirus
    Browser Address Error Redirector
    Canon MP Navigator EX 1.0
    Canon MX310 series User Registration
    Canon Utilities Easy-PhotoPrint EX
    Canon Utilities My Printer
    Canon Utilities Solution Menu
    CCScore
    Choice Guard
    Clip Art Collection
    Compatibility Pack for the 2007 Office system
    Dell-eBay
    Dell Best of Web
    Dell Driver Download Manager
    Dell Getting Started Guide
    Digital Line Detect
    EDocs
    ESSBrwr
    ESSCDBK
    ESScore
    ESSgui
    ESSini
    ESSPCD
    ESSPDock
    ESSSONIC
    ESSTOOLS
    essvatgt
    EZ Cards (remove only)
    fflink
    FoxyTunes for Firefox
    Frosty Games
    Gimp 2.6.2 Debug
    Google Toolbar for Internet Explorer
    GoToAssist 8.0.0.514
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    InstallMgr
    Java(TM) 6 Update 17
    Java(TM) 6 Update 7
    kgcbaby
    kgcbase
    kgchday
    kgchlwn
    kgcinvt
    kgckids
    kgcmove
    kgcvday
    KODAK EASYSHARE Gallery Upload ActiveX Control
    Kodak EasyShare software
    KSU
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft Default Manager
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Research AutoCollage 2008 version 1.1
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Works
    Mozilla Firefox (3.6)
    MSN Toolbar
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    netbrdg
    NetWaiting
    Notifier
    OfotoXMI
    Photo Explosion SE
    Quicken WillMaker Plus 2005
    QuickTime
    Realtek High Definition Audio Driver
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio Update Manager
    Scrapbook Flair
    Scrapbooks Please Uploader
    SFR
    SHASTA
    SKIN0001
    SKINXSDK
    staticcr
    tooltips
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Upromise TurboSaver (remove only)
    VPRINTOL
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    Windows Media Player Firefox Plugin
    WIRELESS
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    3/7/2010 10:08:35 AM, Error: Microsoft-Windows-PrintSpooler [6161] - The document mhtml:{66B1F463-A8F0-4B5C-A4F7-36047231DAAD}mid://00000088/, owned by Charlotte, failed to print on printer Canon MX310 series Printer. Try to print the document again, or restart the print spooler. Data type: NT EMF 1.008. Size of the spool file in bytes: 115380. Number of bytes printed: 71460. Total number of pages in the document: 2. Number of pages printed: 0. Client computer: \\HOME-PC. Win32 error code returned by the print processor: 1. Incorrect function.
    3/7/2010 10:07:02 AM, Error: Microsoft-Windows-PrintSpooler [6161] - The document mhtml:{66B1F463-A8F0-4B5C-A4F7-36047231DAAD}mid://00000088/, owned by Charlotte, failed to print on printer Canon MX310 series Printer. Try to print the document again, or restart the print spooler. Data type: NT EMF 1.008. Size of the spool file in bytes: 262144. Number of bytes printed: 119812. Total number of pages in the document: 7. Number of pages printed: 4. Client computer: \\HOME-PC. Win32 error code returned by the print processor: 0. The operation completed successfully.
    3/5/2010 1:16:17 PM, Error: Microsoft-Windows-Windows Defender [3006] - Windows Defender Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: Not Applicable Scan ID: {99B6735B-A032-4734-86E0-DC0D1251FDEC} User: Home-PC\Charlotte Name: Unknown ID: Severity ID: Category ID: Path: runkey:HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\\AT&T Communication Manager Alert Type: Unclassified software Action: Quarantine Error Code: 0x80508019 Error description: The file or drive you are trying to scan does not exist on this computer. Choose another file or drive, and then scan your computer again.
    3/3/2010 5:58:40 PM, Error: Microsoft-Windows-PrintSpooler [6161] - The document Full page photo, owned by Charlotte, failed to print on printer Canon MX310 series Printer. Try to print the document again, or restart the print spooler. Data type: NT EMF 1.008. Size of the spool file in bytes: 2031616. Number of bytes printed: 1106508. Total number of pages in the document: 1. Number of pages printed: 0. Client computer: \\HOME-PC. Win32 error code returned by the print processor: 122. The data area passed to a system call is too small.
    3/2/2010 11:06:50 PM, Error: Service Control Manager [7031] - The Avira AntiVir Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    3/2/2010 11:02:13 PM, Error: Service Control Manager [7034] - The Dock Login Service service terminated unexpectedly. It has done this 1 time(s).

    ==== End Of File ===========================

    DDS (Ver_09-12-01.01) - NTFSX64
    Run by Charlotte at 19:31:09.82 on Tue 03/09/2010
    Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_17
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4084.1912 [GMT -5:00]

    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    FW: PC-cillin Internet Security - Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\Dell\DellDock\DockLogin.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\AERTSr64.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files (x86)\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio64.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\RAVCpl64.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files (x86)\Upromise\UpromiseTray.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files (x86)\Java\jre6\bin\jusched.exe
    C:\Program Files (x86)\Digital Line Detect\DLG.exe
    C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Dell\DellDock\DellDock.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files (x86)\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Windows\splwow64.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Program Files (x86)\Internet Explorer\IELowutil.exe
    C:\Windows\system32\mmc.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Charlotte\Documents\Desktop\dds(2).scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5081226
    uWindow Title = Internet Explorer provided by Dell
    uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5081226
    mLocal Page = c:\windows\syswow64\blank.htm
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files (x86)\yahoo!\companion\installs\cpn\yt.dll
    uURLSearchHooks: ToolbarURLSearchHook Class: {ca3eb689-8f09-4026-aa10-b9534c691ce0} - c:\program files (x86)\search toolbar\tbhelper.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files (x86)\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files (x86)\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files (x86)\google\google toolbar\GoogleToolbar.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files (x86)\google\googletoolbarnotifier\4.1.805.1852\swg.dll
    BHO: DCA BHO: {b49699fc-1665-4414-a1cb-c4a2a4a13eec} - c:\program files (x86)\upromise\dca-bho.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files (x86)\dell\bae\BAE.dll
    BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files (x86)\msn\toolbar\3.0.1125.0\msneshellx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files (x86)\windows live\toolbar\wltcore.dll
    BHO: Upromise TurboSaver: {edc0f17f-f4b7-47e4-b73e-887faeb376fa} - c:\program files (x86)\upromise\upromisetoolbar.dll
    BHO: TBSB05974 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files (x86)\search toolbar\tbcore3.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files (x86)\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files (x86)\google\google toolbar\GoogleToolbar.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files (x86)\windows live\toolbar\wltcore.dll
    TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files (x86)\msn\toolbar\3.0.1125.0\msneshellx.dll
    TB: Upromise TurboSaver: {06e58e5e-f8cb-4049-991e-a41c03bd419e} - c:\program files (x86)\upromise\upromisetoolbar.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files (x86)\yahoo!\companion\installs\cpn\yt.dll
    TB: Search Toolbar: {0c8413c1-fad1-446c-8584-be50576f863e} - c:\program files (x86)\search toolbar\tbcore3.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [Upromise Tray] c:\program files (x86)\upromise\UpromiseTray.exe
    uRun: [Weather] c:\program files (x86)\aws\weatherbug\Weather.exe 1
    uRun: [Pareto_Update] c:\program files (x86)\common files\paretologic\uus2\Pareto_Update.exe
    uRun: [WMPNSCFG] c:\program files (x86)\windows media player\WMPNSCFG.exe
    mRun: [Microsoft Default Manager] "c:\program files (x86)\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
    mRun: [avgnt] "c:\program files (x86)\avira\antivir desktop\avgnt.exe" /min
    mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre6\bin\jusched.exe "
    mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe "
    mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime
    StartupFolder: c:\users\charlo~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
    StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\apcups~1.lnk - c:\program files (x86)\apc\apc powerchute personal edition\Display.exe
    StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files (x86)\digital line detect\DLG.exe
    StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files (x86)\kodak\kodak easyshare software\bin\EasyShare.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {06E58E5E-F8CB-4049-991E-A41C03BD419E} - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - c:\program files (x86)\upromise\upromisetoolbar.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
    Trusted Zone: google.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    TCP: {3F571984-8185-4021-8231-3C596A17027E} = 64.179.43.190 69.95.31.250
    TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    TB-X64: {06E58E5E-F8CB-4049-991E-A41C03BD419E} - No File
    TB-X64: {0C8413C1-FAD1-446C-8584-BE50576F863E} - No File
    mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun-x64: [RtHDVCpl] RAVCpl64.exe
    mRun-x64: [Skytel] Skytel.exe
    mRun-x64: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun-x64: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun-x64: [Persistence] c:\windows\system32\igfxpers.exe
    mRun-x64: [CanonSolutionMenu] "c:\program files (x86)\canon\solutionmenu\CNSLMAIN.exe" /logon
    mRun-x64: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\charlo~1\appdata\roaming\mozilla\firefox\profiles\zh5wtzxu.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: keyword.URL - hxxp://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q=
    FF - component: c:\users\charlotte\appdata\roaming\mozilla\firefox\profiles\zh5wtzxu.default\extensions\{896642e4-c556-4ed3-85d1-9ac431603e7d}\components\Engine.dll
    FF - plugin: c:\program files (x86)\mozilla firefox\plugins\NPcol400.dll
    FF - plugin: c:\program files (x86)\windows live\photo gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files (x86)\mozilla firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);

    ============= SERVICES / DRIVERS ===============

    R0 PxHlpa64;PxHlpa64;c:\windows\system32\drivers\PxHlpa64.sys [2008-12-26 53488]
    R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSr64.exe [2008-12-26 86016]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\avira\antivir desktop\sched.exe [2009-7-27 108289]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files (x86)\avira\antivir desktop\avguard.exe [2009-7-27 185089]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-27 74880]
    R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-9-23 155648]
    R3 CAXHWBS2;CAXHWBS2;c:\windows\system32\drivers\CAXHWBS2.sys [2008-12-26 411136]
    S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2009-8-16 89920]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 27648]
    S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2008-1-20 19968]
    S4 TmPfw;Trend Micro Personal Firewall;c:\progra~2\trendm~1\intern~1\tmpfw.exe --> c:\progra~2\trendm~1\intern~1\TmPfw.exe [?]

    ============== File Associations ===============

    JSEFile=c:\windows\syswow64\WScript.exe "%1" %*

    =============== Created Last 30 ================

    2010-03-03 04:02:13 0 d-----w- C:\_OTL
    2010-02-27 20:51:52 0 d-----w- c:\users\charlotte\DoctorWeb
    2010-02-26 22:39:16 0 d-----w- c:\users\charlo~1\appdata\roaming\Sierra Wireless
    2010-02-26 22:39:16 0 d-----w- c:\program files (x86)\Sierra Wireless Inc
    2010-02-26 22:06:51 0 d-----w- c:\program files (x86)\Trend Micro
    2010-02-26 08:23:46 0 d-----w- c:\users\charlo~1\appdata\roaming\Malwarebytes
    2010-02-26 08:23:40 22104 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-26 08:23:40 0 d-----w- c:\programdata\Malwarebytes
    2010-02-26 08:23:40 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2010-02-25 05:36:34 2048 ----a-w- c:\windows\syswow64\tzres.dll
    2010-02-25 05:36:34 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-02-24 04:48:38 0 d-----w- c:\programdata\FileCure
    2010-02-24 02:04:27 32256 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-02-24 02:04:27 28672 ----a-w- c:\windows\syswow64\Apphlpdm.dll
    2010-02-24 02:04:27 1927680 ----a-w- c:\windows\system32\gameux.dll
    2010-02-24 02:04:27 1696256 ----a-w- c:\windows\syswow64\gameux.dll
    2010-02-24 02:04:26 4240384 ----a-w- c:\windows\syswow64\GameUXLegacyGDFs.dll
    2010-02-24 02:04:26 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-02-24 01:19:36 726528 ----a-w- c:\windows\syswow64\jscript.dll
    2010-02-13 18:15:59 0 d-----w- c:\users\charlo~1\appdata\roaming\PeerNetworking
    2010-02-10 22:25:31 4698184 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-10 21:43:52 1425480 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2010-02-10 21:43:49 40448 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    2010-02-10 21:15:49 453632 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-02-10 21:15:49 142336 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-02-10 18:56:41 273408 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2010-02-10 18:56:41 135168 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

    ==================== Find3M ====================

    2010-03-07 21:42:03 17014 ----a-w- c:\users\charlo~1\appdata\roaming\wklnhst.dat
    2010-02-24 14:16:06 212864 ------w- c:\windows\system32\MpSigStub.exe
    2010-01-25 12:10:22 538624 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-01-25 12:10:22 160768 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-01-25 12:10:22 160768 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-01-25 12:10:03 539136 ----a-w- c:\windows\system32\secproc.dll
    2010-01-25 12:08:59 460288 ----a-w- c:\windows\system32\msdrm.dll
    2010-01-25 12:00:35 471552 ----a-w- c:\windows\syswow64\secproc_isv.dll
    2010-01-25 12:00:35 152576 ----a-w- c:\windows\syswow64\secproc_ssp_isv.dll
    2010-01-25 12:00:35 152064 ----a-w- c:\windows\syswow64\secproc_ssp.dll
    2010-01-25 12:00:22 471552 ----a-w- c:\windows\syswow64\secproc.dll
    2010-01-25 11:58:52 332288 ----a-w- c:\windows\syswow64\msdrm.dll
    2010-01-25 08:29:35 413696 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-01-25 08:29:31 600576 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-01-25 08:29:31 409600 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-01-25 08:29:28 599552 ----a-w- c:\windows\system32\RMActivate.exe
    2010-01-25 08:21:20 526336 ----a-w- c:\windows\syswow64\RMActivate_isv.exe
    2010-01-25 08:21:20 346624 ----a-w- c:\windows\syswow64\RMActivate_ssp_isv.exe
    2010-01-25 08:21:18 518144 ----a-w- c:\windows\syswow64\RMActivate.exe
    2010-01-25 08:21:18 347136 ----a-w- c:\windows\syswow64\RMActivate_ssp.exe
    2010-01-02 07:08:29 1147904 ----a-w- c:\windows\system32\wininet.dll
    2010-01-02 07:03:21 77312 ----a-w- c:\windows\system32\iesetup.dll
    2010-01-02 07:03:21 132096 ----a-w- c:\windows\system32\iesysprep.dll
    2010-01-02 06:38:20 916480 ----a-w- c:\windows\syswow64\wininet.dll
    2010-01-02 06:38:04 1208832 ----a-w- c:\windows\syswow64\urlmon.dll
    2010-01-02 06:36:10 206848 ----a-w- c:\windows\syswow64\occache.dll
    2010-01-02 06:33:34 5942784 ----a-w- c:\windows\syswow64\mshtml.dll
    2010-01-02 06:33:32 594432 ----a-w- c:\windows\syswow64\msfeeds.dll
    2010-01-02 06:33:32 55296 ----a-w- c:\windows\syswow64\msfeedsbs.dll
    2010-01-02 06:32:51 25600 ----a-w- c:\windows\syswow64\jsproxy.dll
    2010-01-02 06:32:33 71680 ----a-w- c:\windows\syswow64\iesetup.dll
    2010-01-02 06:32:33 1985536 ----a-w- c:\windows\syswow64\iertutil.dll
    2010-01-02 06:32:33 164352 ----a-w- c:\windows\syswow64\ieui.dll
    2010-01-02 06:32:33 109056 ----a-w- c:\windows\syswow64\iesysprep.dll
    2010-01-02 06:32:32 55808 ----a-w- c:\windows\syswow64\iernonce.dll
    2010-01-02 06:32:32 184320 ----a-w- c:\windows\syswow64\iepeers.dll
    2010-01-02 06:32:32 11070464 ----a-w- c:\windows\syswow64\ieframe.dll
    2010-01-02 06:32:26 387584 ----a-w- c:\windows\syswow64\iedkcs32.dll
    2010-01-02 05:25:39 162816 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-01-02 04:57:00 133632 ----a-w- c:\windows\syswow64\ieUnatt.exe
    2010-01-02 04:56:50 173056 ----a-w- c:\windows\syswow64\ie4uinit.exe
    2010-01-02 04:56:14 13312 ----a-w- c:\windows\syswow64\msfeedssync.exe
    2009-12-09 21:24:52 51200 ----a-w- c:\windows\inf\infpub.dat
    2009-12-09 21:24:52 143360 ----a-w- c:\windows\inf\infstrng.dat
    2009-10-28 06:27:19 86016 ----a-w- c:\windows\inf\infstor.dat
    2009-10-28 06:27:19 665600 ----a-w- c:\windows\inf\drvindex.dat
    2008-01-21 03:21:59 174 --sha-w- c:\program files\desktop.ini
    2008-01-21 03:21:59 174 --sha-w- c:\program files (x86)\desktop.ini
    2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-11-09 20:08:07 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2009-10-16 15:15:08 245760 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2008-12-26 19:28:01 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

    ============= FINISH: 19:32:14.90 ===============
     
  6. 2010/03/09
    broni (Moderator, Malware Analyst)
    You didn't answer my previous question.
     
  7. 2010/03/09
    Blue Skys (Thread Starter)
    If you are talking about \RegistryEasy.exe, then yes. AT&T suggested it to me (their software techs) when I received an error code 1904. They said to get a registry cleaner; I went to http://www.windowsbbs.com/windows-vista/62864-registry-cleaners-windows-vista.html and downloaded it from there. I thought that this (your) site could be trusted to get real (and clean) help. Is this where I got the malware again? If it is, I'm really sorry. I guess I really do not know where to go to get help for each problem that arises. You are the only person that has helped me, and I did not think that a registry problem was your area, so I should not bother you with questions not pertaining to your area.

    Again, I am sorry if this is where I picked up the malware again. I don't really know what else I can say. I know how hard you worked to help me the first time.
     
  8. 2010/03/09
    broni (Moderator, Malware Analyst)
    Don't feel too bad. We all learn.
    Registry cleaners are never recommended. They don't bring any gains and they may cause serious problems.
    Instead of asking AT&T (what stupid advice), you know where you can come with any questions.... here :)

    As you can see from the MBAM log, that download was a serious mistake.
    Let's see what we got there....

    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and click Scan to run the express scan. Click OK in the pop-up window to allow the scan.
    • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list.
    • Save the report to your desktop. The report will be called DrWeb.csv.
    • Close Dr.Web CureIt.
    • Important! Reboot your computer, because it is possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.


    Post fresh HijackThis log as well.
     
  9. 2010/03/10
    Blue Skys (Thread Starter)
    Thanks for being so forgiving, I appreciate it. I just started the download for DrWeb. It says it will be approximately 4.5 hours for the download. I was wondering if I could use the download I already have and update the files? That will probably be quicker. Please let me know what you want me to do. Thanks a bunch.
     
  10. 2010/03/10
    Blue Skys (Thread Starter)
    Please disregard post #8. I tried to update and got my answer. I am doing as you request. Thanks again!
     
  11. 2010/03/10
    Blue Skys (Thread Starter)
    "The HOSTS file modified" is what I got from the short scan. The "NO" button was already highlighted, so I went with that so I could run the full scan. I hope this was OK.
     
  12. 2010/03/10
    broni (Moderator, Malware Analyst)
    "No" button regarding what?
     
  13. 2010/03/10
    Blue Skys (Thread Starter)
    Regarding "do you want to restore the Host Default file". The No button was already highlighted so I went with that. After I clicked "No", the program would then let me start the Complete Scan, which I did. It did ask to "cure/move file"; I followed your directions and hit "Yes to All". DrWeb has been running up until now (a long time, I thought), and I just (like 5 mins. ago) got the extra window stating "My Host File Has Been Modified", and do I want to restore my Host file. It also says that "A copy of the existing Host file will be stored in the Dr. Web Quarantine directory." Do I want to restore the default host file, or not? When you let me know what you want me to do, I'll save, copy and post the report, reboot, run a new HiJackThis log and post it for you.

    It sounds like I really messed up this time; I mean, my Host File is messed up. How much worse could it be??

    Let me know as soon as you can, and thanks again for all of your help.
     
  14. 2010/03/10
    broni (Moderator, Malware Analyst)
    You're fine :)
    Agree to hosts file restoration.
     
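What Dr.Web flagged in posts 11 to 14 is a hosts file that no longer contains only the two stock loopback lines. A hijacker edits that file for two reasons: to sinkhole security-vendor and update sites to 127.0.0.1 so they stop resolving, and to point search engines or other sites at a host it controls. Below is an added example, not part of this thread and not code from Dr.Web or any other tool named here, that parses a hosts file, reports every mapping that is not a stock loopback entry, and performs the "keep a copy, then restore the default" step the scanner offers. The sample file, the host names (RFC 2606 example domains) and the 203.0.113.7 address are constructed for illustration; the default-contents string assumes the Vista layout the OTL log in post 18 shows (127.0.0.1 and ::1 for localhost).

```python
import ipaddress
import os
import shutil
import tempfile

# Constructed sample (not the poster's real hosts file): the two loopback
# lines Windows ships with, followed by the kind of entries a redirecting
# hijacker adds. Names and the 203.0.113.7 address are illustrative.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
::1             localhost
127.0.0.1       www.example-av-vendor.com
203.0.113.7     search.example.com
203.0.113.7     updates.example-vendor.com
"""

# What "restore the default hosts file" amounts to on Vista (assumption:
# matches the two O1 lines the OTL log reports after Dr.Web's restore).
DEFAULT_WINDOWS_HOSTS = "127.0.0.1       localhost\n::1             localhost\n"

LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each active mapping line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # not an address: ignore the line
        yield n, ip, parts[1:]


def audit_hosts(text):
    """Return (line_no, ip, hostname, reason) for every non-stock mapping."""
    findings = []
    for n, ip, names in parse_hosts(text):
        for name in names:
            if ip.is_loopback and name.lower() in LOOPBACK_NAMES:
                continue                          # stock entry, expected
            if ip.is_loopback:
                reason = "sinkholed to loopback (site stops resolving, e.g. AV/update servers)"
            else:
                reason = "redirected to another host (traffic goes where the attacker says)"
            findings.append((n, str(ip), name, reason))
    return findings


def restore_default(path):
    """Keep a copy of the current file next to it, then write the stock contents."""
    backup = path + ".bak"
    shutil.copy2(path, backup)
    with open(path, "w", newline="\r\n") as f:  # Windows line endings
        f.write(DEFAULT_WINDOWS_HOSTS)
    return backup


def demo():
    """Audit the sample, restore it inside a temp dir, audit again."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "hosts")
        with open(p, "w") as f:
            f.write(SAMPLE_HOSTS)
        before = audit_hosts(open(p).read())
        restore_default(p)
        after = audit_hosts(open(p).read())
        return len(before), len(after)
```

On a live machine the file is %SystemRoot%\System32\drivers\etc\hosts and writing it needs an elevated prompt; run audit_hosts on it before restoring so the redirect targets are recorded for the responder. One caveat: a hosts list the user installed deliberately to block ad servers also sinkholes names to 127.0.0.1 and will show up here, so the findings are a review list, not an automatic verdict.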
  15. 2010/03/11
    Blue Skys (Thread Starter)
    I tried to post the log from Dr. Web, but it was too large. I went to the site you gave me before (when this same thing happened), and here is the link. http://www.uploadmb.com/dw.php?id=1268286955

    I will run HiJackThis, and post the log in a minute. Thanks for your help, again!!
     
  16. 2010/03/11
    Blue Skys (Thread Starter)
    Here it is. And also, I never did anything with the Rogue Installer; is it still in my Malwarebytes?? If so, will what we are doing now take care of it, or will I go back to Malwarebytes to handle the Rogue Installer?

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:02:33 AM, on 3/11/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18882)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\Upromise\UpromiseTray.exe
    C:\Program Files (x86)\Digital Line Detect\DLG.exe
    C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files (x86)\Java\jre6\bin\jusched.exe
    C:\Program Files (x86)\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Internet Explorer\IELowutil.exe
    C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
    R3 - URLSearchHook: ToolbarURLSearchHook Class - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - C:\Program Files (x86)\Search Toolbar\tbhelper.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll
    O2 - BHO: DCA - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files (x86)\Upromise\dca-bho.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files (x86)\Dell\BAE\BAE.dll
    O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN\Toolbar\3.0.1125.0\msneshellx.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: ToolHelper - {EDC0F17F-F4B7-47e4-B73E-887FAEB376FA} - C:\Program Files (x86)\Upromise\upromisetoolbar.dll
    O2 - BHO: TBSB05974 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files (x86)\Search Toolbar\tbcore3.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files (x86)\MSN\Toolbar\3.0.1125.0\msneshellx.dll
    O3 - Toolbar: Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files (x86)\Upromise\upromisetoolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Search Toolbar - {0C8413C1-FAD1-446C-8584-BE50576F863E} - C:\Program Files (x86)\Search Toolbar\tbcore3.dll
    O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [Upromise Tray] C:\Program Files (x86)\Upromise\UpromiseTray.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files (x86)\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [Pareto_Update] C:\Program Files (x86)\Common Files\ParetoLogic\UUS2\Pareto_Update.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
    O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files (x86)\Digital Line Detect\DLG.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O9 - Extra button: Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files (x86)\Upromise\upromisetoolbar.dll
    O9 - Extra 'Tools' menuitem: Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files (x86)\Upromise\upromisetoolbar.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O13 - Gopher Prefix:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3F571984-8185-4021-8231-3C596A17027E}: NameServer = 64.179.43.190 69.95.31.250
    O23 - Service: Andrea RT Filters Service (AERTFilters) - Unknown owner - C:\Windows\system32\AERTSr64.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files (x86)\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
    O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing)

    --
    End of file - 10722 bytes
     
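Reading a HijackThis log line by line is the manual version of a filter a responder would script. The following is an added example, not part of the thread and not code from Trend Micro's HijackThis, that parses the R/O-prefixed lines of the log format above into section code, description and file path, then applies a few triage rules: paths under a watchlist directory, O1 hosts entries other than the stock loopback lines, O17 NameServer addresses outside an expected set, and O23 services whose binary is missing. The sample input mixes lines copied from the log posted above with two constructed lines (the O1 sinkhole entry and the "ExHelper" service); the watchlist directory, the empty expected-DNS set, and the rule that suppresses "(file missing)" under system32 are assumptions for illustration.

```python
import re

# Sample input: lines copied from the HijackThis log posted above, plus two
# constructed lines so every rule has something to fire on:
#   "O1 - Hosts: 127.0.0.1 www.example-av-vendor.com"  (constructed)
#   "O23 - Service: Example Helper (ExHelper) ..."      (constructed)
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: ToolbarURLSearchHook Class - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - C:\Program Files (x86)\Search Toolbar\tbhelper.dll
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.example-av-vendor.com
O2 - BHO: TBSB05974 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files (x86)\Search Toolbar\tbcore3.dll
O3 - Toolbar: Search Toolbar - {0C8413C1-FAD1-446C-8584-BE50576F863E} - C:\Program Files (x86)\Search Toolbar\tbcore3.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F571984-8185-4021-8231-3C596A17027E}: NameServer = 64.179.43.190 69.95.31.250
O23 - Service: Andrea RT Filters Service (AERTFilters) - Unknown owner - C:\Windows\system32\AERTSr64.exe (file missing)
O23 - Service: Example Helper (ExHelper) - Unknown owner - C:\ProgramData\exhelper.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2})\s+-\s+(?P<body>.+)$")
# First drive-letter path in the line, up to a binary extension (skips args).
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:dll|exe|sys|ocx|cpl))', re.IGNORECASE)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# ASSUMPTION: analyst watchlist of directories seen in this case.
WATCH_DIRS = ("\\search toolbar\\",)
# ASSUMPTION: resolvers the ISP/router should hand out; empty means "show me all".
EXPECTED_DNS = set()
STOCK_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hjt(text):
    """Turn each 'Oxx - ...' line into a dict with code, body, path and missing flag."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                                  # header, blank, or footer line
        body = m.group("body")
        pm = PATH_RE.search(body)
        entries.append({
            "code": m.group("code"),
            "body": body,
            "path": pm.group(1) if pm else None,
            "missing": body.rstrip().endswith("(file missing)"),
        })
    return entries


def triage(text):
    """Return (code, reason, detail) tuples worth a human look."""
    findings = []
    for e in parse_hjt(text):
        code, body, path = e["code"], e["body"], e["path"]
        low = (path or "").lower()
        if path and any(d in low for d in WATCH_DIRS):
            findings.append((code, "watchlist path", path))
        if code == "O1":                              # hosts file mappings
            parts = body.split(":", 1)[1].split()
            if len(parts) >= 2 and (parts[0], parts[1].lower()) not in STOCK_HOSTS:
                findings.append((code, "non-default hosts entry", " ".join(parts[:2])))
        elif code == "O17":                           # per-adapter DNS servers
            for ip in IP_RE.findall(body):
                if ip not in EXPECTED_DNS:
                    findings.append((code, "unexpected NameServer", ip))
        elif code == "O23" and e["missing"]:
            # HijackThis 2.0.2 is 32-bit: on x64 it sees the WOW64 view of
            # system32, so "(file missing)" there is expected noise, not a finding.
            if "\\windows\\system32\\" not in low:
                findings.append((code, "service binary missing", path))
    return findings
```

Two notes on reading the output. The O17 rule surfaces the DNS servers in the posted log only because the expected set is empty; they are whatever the adapter received from the ISP, and the check is "confirm these with the ISP", not "these are malicious". The O23 suppression is why so many Microsoft services in the log above read "(file missing)" although the machine runs fine: the 32-bit tool cannot see the 64-bit system32.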
  17. 2010/03/11
    broni (Moderator, Malware Analyst)
    Download OTL to your Desktop.

    • Double-click on the icon to run it. Make sure all other windows are closed, and let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two Notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
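The /md5start ... /md5stop block in the custom scan above hashes boot-start disk and storage drivers (atapi.sys, iaStor.sys, nvstor.sys and the others listed) because a rootkit that patches one of them in place keeps the filename, and usually the size and version resource, so only the hash of the bytes on disk gives it away. The analyst then compares those hashes against known-good values for the same Windows build. Below is an added example of that comparison, not code from OTL or from this thread: it hashes a list of driver names in a directory and reports each as unchanged, modified, missing, or not covered by the baseline. The baseline and the driver directory here are a constructed temporary fixture; on a real machine the directory would be %SystemRoot%\System32\drivers and the baseline would come from a clean install of the same build and service pack.

```python
import hashlib
import os
import tempfile

# ASSUMPTION: the baseline maps lower-case driver name -> MD5 captured from a
# known-clean machine on the same build; a different build legitimately differs.


def md5_of(path):
    """Hash a file in chunks so a large driver is not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_drivers(driver_dir, names, baseline):
    """Return {driver name: 'ok' | 'modified' | 'missing' | 'no baseline'}."""
    verdicts = {}
    for name in names:
        path = os.path.join(driver_dir, name)
        expected = baseline.get(name.lower())
        if not os.path.isfile(path):
            verdicts[name] = "missing"        # often just hardware this box lacks
        elif expected is None:
            verdicts[name] = "no baseline"    # cannot judge; record the hash for lookup
        elif md5_of(path) == expected.lower():
            verdicts[name] = "ok"
        else:
            verdicts[name] = "modified"       # same name, different bytes: inspect
    return verdicts


def demo():
    """Build a throwaway 'drivers' directory and run the check against it."""
    with tempfile.TemporaryDirectory() as d:
        clean = {"atapi.sys": b"clean atapi.sys bytes",
                 "iastor.sys": b"clean iastor.sys bytes"}
        baseline = {n: hashlib.md5(b).hexdigest() for n, b in clean.items()}
        for n, b in clean.items():
            with open(os.path.join(d, n), "wb") as f:
                f.write(b)
        # A driver present on disk but absent from the baseline.
        with open(os.path.join(d, "viasraid.sys"), "wb") as f:
            f.write(b"unknown driver bytes")
        # Simulate an in-place patch: same filename and size, different contents.
        with open(os.path.join(d, "atapi.sys"), "wb") as f:
            f.write(b"dirty atapi.sys bytes")
        return check_drivers(d, ["atapi.sys", "iastor.sys", "nvstor.sys", "viasraid.sys"],
                             baseline)
```

A "modified" verdict is the start of the investigation, not the end: the next step is to confirm the file's version against the update history and, if the version matches but the hash does not, treat the driver as patched and replace it from a trusted copy. MD5 is adequate for matching a file against a baseline you trust, but not as tamper evidence against an adversary who chooses the file contents, so prefer SHA-256 when building a new baseline.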
  18. 2010/03/11
    Blue Skys (Thread Starter)
    OTL logfile created on: 3/11/2010 1:46:45 AM - Run 2
    OTL by OldTimer - Version 3.1.36.1 Folder = C:\Users\Charlotte\Documents\Desktop
    64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18882)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 64.00% Memory free
    8.00 Gb Paging File | 6.00 Gb Available in Paging File | 79.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 451.07 Gb Total Space | 404.09 Gb Free Space | 89.58% Space Free | Partition Type: NTFS
    Drive D: | 14.65 Gb Total Space | 6.01 Gb Free Space | 41.00% Space Free | Partition Type: NTFS
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: HOME-PC
    Current User Name: Charlotte
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Include 64bit Scans
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 14 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/03/11 01:43:12 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Users\Charlotte\Documents\Desktop\OTL(2).exe
    PRC - [2010/01/15 22:09:37 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    PRC - [2009/08/05 16:46:56 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
    PRC - [2009/07/01 12:35:38 | 000,167,936 | ---- | M] () -- C:\Program Files (x86)\Upromise\UpromiseTray.exe
    PRC - [2009/05/19 10:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    PRC - [2009/05/13 15:48:22 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
    PRC - [2009/03/02 12:08:47 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
    PRC - [2008/09/23 23:09:52 | 000,155,648 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DockLogin.exe
    PRC - [2007/02/20 04:10:26 | 000,282,624 | ---- | M] (Eastman Kodak Company) -- C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    PRC - [2006/11/03 19:02:14 | 000,050,688 | ---- | M] (Avanquest Software ) -- C:\Program Files (x86)\Digital Line Detect\DLG.exe
    PRC - [2005/12/12 15:03:54 | 000,417,855 | ---- | M] (American Power Conversion Corporation) -- C:\Program Files (x86)\APC\APC PowerChute Personal Edition\apcsystray.exe
    PRC - [2005/12/12 15:02:24 | 000,176,193 | ---- | M] (American Power Conversion Corporation) -- C:\Program Files (x86)\APC\APC PowerChute Personal Edition\mainserv.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/03/11 01:43:12 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Users\Charlotte\Documents\Desktop\OTL(2).exe
    MOD - [2009/04/11 01:28:18 | 000,450,560 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\comdlg32.dll


    ========== Win32 Services (SafeList) ==========

    SRV:64bit: - [2009/09/24 20:26:26 | 001,142,272 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\FntCache.dll -- (FontCache)
    SRV:64bit: - [2008/09/23 23:09:52 | 000,155,648 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
    SRV:64bit: - [2008/07/17 23:54:02 | 000,086,016 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\SysNative\AERTSr64.exe -- (AERTFilters)
    SRV:64bit: - [2008/07/02 02:11:34 | 000,412,672 | ---- | M] (Conexant Systems, Inc.) [Auto | Running] -- C:\Windows\SysNative\DRIVERS\xaudio64.exe -- (XAudioService)
    SRV:64bit: - [2008/01/20 21:47:32 | 000,383,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2009/08/05 16:46:56 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
    SRV - [2009/05/19 10:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
    SRV - [2009/05/13 15:48:22 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
    SRV - [2009/04/20 05:28:07 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
    SRV - [2009/03/29 23:39:54 | 000,089,920 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_64)
    SRV - [2006/11/02 08:34:14 | 000,000,000 | ---D | M] [Unknown | Stopped] -- C:\Windows\SysWOW64\Msdtc -- (MSDTC)
    SRV - [2006/11/02 01:35:15 | 000,060,994 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\SysWOW64\wbem\vds.mof -- (vds)
    SRV - [2006/11/02 01:35:15 | 000,055,846 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\SysWOW64\wbem\vss.mof -- (VSS)
    SRV - [2005/12/12 15:02:24 | 000,176,193 | ---- | M] (American Power Conversion Corporation) [Auto | Running] -- C:\Program Files (x86)\APC\APC PowerChute Personal Edition\mainserv.exe -- (APC UPS Service)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5081226
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5081226
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = B8 4B 36 B9 D8 1E CA 01 [binary data]
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://home.core.com/home/start
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKCU\..\URLSearchHook: {CA3EB689-8F09-4026-AA10-B9534C691CE0} - C:\Program Files (x86)\Search Toolbar\tbhelper.dll ()
    IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "Live Search"
    FF - prefs.js..browser.search.defaulturl: "http://search.live.com/results.aspx?FORM=SOLTDF&q="
    FF - prefs.js..browser.search.selectedEngine: "Google"
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..extensions.enabledItems: {6F0976E6-26F3-4AFE-BBEC-9E99E27E4DF3}:1.3
    FF - prefs.js..extensions.enabledItems: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3}:0.9.10.1
    FF - prefs.js..extensions.enabledItems: FFToolbar@upromise:6.2.2.1363
    FF - prefs.js..extensions.enabledItems: {896642E4-C556-4ED3-85D1-9AC431603E7D}:1.0.4
    FF - prefs.js..keyword.URL: "http://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q="

    FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/02/14 01:37:08 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/02/14 01:37:08 | 000,000,000 | ---D | M]

    [2009/04/05 06:18:01 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\Mozilla\Extensions
    [2010/03/11 00:47:22 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\Mozilla\Firefox\Profiles\zh5wtzxu.default\extensions
    [2009/06/24 10:04:35 | 000,000,000 | ---D | M] (Forecastfox) -- C:\Users\Charlotte\AppData\Roaming\Mozilla\Firefox\Profiles\zh5wtzxu.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
    [2009/10/04 21:12:08 | 000,000,000 | ---D | M] (Send Page By Email) -- C:\Users\Charlotte\AppData\Roaming\Mozilla\Firefox\Profiles\zh5wtzxu.default\extensions\{06C43693-2C7F-4beb-BB52-EF92C6CA0C44}
    [2009/06/24 10:05:37 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Charlotte\AppData\Roaming\Mozilla\Firefox\Profiles\zh5wtzxu.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2009/09/08 09:37:41 | 000,000,000 | ---D | M] (FoxyTunes) -- C:\Users\Charlotte\AppData\Roaming\Mozilla\Firefox\Profiles\zh5wtzxu.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}
    [2009/10/11 06:29:06 | 000,000,000 | ---D | M] (Fire.fm) -- C:\Users\Charlotte\AppData\Roaming\Mozilla\Firefox\Profiles\zh5wtzxu.default\extensions\{6F0976E6-26F3-4AFE-BBEC-9E99E27E4DF3}
    [2010/01/30 07:20:10 | 000,000,000 | ---D | M] (Search Toolbar) -- C:\Users\Charlotte\AppData\Roaming\Mozilla\Firefox\Profiles\zh5wtzxu.default\extensions\{896642E4-C556-4ED3-85D1-9AC431603E7D}
    [2009/10/11 06:29:13 | 000,000,000 | ---D | M] (Interclue) -- C:\Users\Charlotte\AppData\Roaming\Mozilla\Firefox\Profiles\zh5wtzxu.default\extensions\{c33c5b47-69c8-45a4-a5e0-af85bbe628dd}
    [2009/09/09 17:26:31 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\Mozilla\Firefox\Profiles\zh5wtzxu.default\extensions\autopager@mozilla.org
    [2009/10/11 06:29:06 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\Mozilla\Firefox\Profiles\zh5wtzxu.default\extensions\FFToolbar@upromise
    [2009/09/08 09:37:41 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\Mozilla\Firefox\Profiles\zh5wtzxu.default\extensions\fotofox@mozilla.com
    [2009/09/08 09:37:40 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\Mozilla\Firefox\Profiles\zh5wtzxu.default\extensions\isreaditlater@ideashower.com
    [2009/05/01 19:20:25 | 000,002,207 | ---- | M] () -- C:\Users\Charlotte\AppData\Roaming\Mozilla\Firefox\Profiles\zh5wtzxu.default\searchplugins\askcom.xml
    [2010/01/30 07:24:15 | 000,002,180 | ---- | M] () -- C:\Users\Charlotte\AppData\Roaming\Mozilla\Firefox\Profiles\zh5wtzxu.default\searchplugins\bing-ff.xml
    [2009/04/07 11:04:56 | 000,001,632 | ---- | M] () -- C:\Users\Charlotte\AppData\Roaming\Mozilla\Firefox\Profiles\zh5wtzxu.default\searchplugins\live-search.xml
    [2010/02/13 13:49:12 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions
    [2009/07/30 03:52:48 | 000,000,000 | ---D | M] (Wyyo) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{0CA8283E-056B-40D7-A343-83C84105CE78}
    [2009/03/28 16:43:01 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions\kodak-companion@mozilla.com
    [2009/03/28 16:43:01 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions\kodak-online@partners.mozilla.com
    [2010/01/30 16:39:57 | 000,393,216 | ---- | M] (Invenda Corporation) -- C:\Program Files (x86)\Mozilla Firefox\plugins\NPcol400.dll

    O1 HOSTS File: ([2010/03/11 00:30:00 | 000,000,806 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
    O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
    O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll ()
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll (Google Inc.)
    O2 - BHO: (DCA BHO) - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files (x86)\Upromise\dca-bho.dll (Compete, Inc.)
    O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files (x86)\Dell\BAE\BAE.dll (Dell Inc.)
    O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)
    O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
    O2 - BHO: (Upromise TurboSaver) - {EDC0F17F-F4B7-47e4-B73E-887FAEB376FA} - C:\Program Files (x86)\Upromise\upromisetoolbar.dll (Upromise, Inc.)
    O2 - BHO: (TBSB05974 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files (x86)\Search Toolbar\tbcore3.dll ()
    O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
    O3 - HKLM\..\Toolbar: (Upromise TurboSaver) - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files (x86)\Upromise\upromisetoolbar.dll (Upromise, Inc.)
    O3 - HKLM\..\Toolbar: (Search Toolbar) - {0C8413C1-FAD1-446C-8584-BE50576F863E} - C:\Program Files (x86)\Search Toolbar\tbcore3.dll ()
    O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files (x86)\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)
    O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
    O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll ()
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O3 - HKCU\..\Toolbar\WebBrowser: (Upromise TurboSaver) - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files (x86)\Upromise\upromisetoolbar.dll (Upromise, Inc.)
    O3 - HKCU\..\Toolbar\WebBrowser: (Search Toolbar) - {0C8413C1-FAD1-446C-8584-BE50576F863E} - C:\Program Files (x86)\Search Toolbar\tbcore3.dll ()
    O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
    O3 - HKCU\..\Toolbar\WebBrowser: (&Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll ()
    O4:64bit: - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
    O4:64bit: - HKLM..\Run: [CanonSolutionMenu] C:\Program Files (x86)\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
    O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
    O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
    O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
    O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Windows\RAVCpl64.exe (Realtek Semiconductor)
    O4:64bit: - HKLM..\Run: [Skytel] File not found
    O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
    O4 - HKLM..\Run: [Microsoft Default Manager] C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe (Microsoft Corp.)
    O4 - HKCU..\Run: [Pareto_Update] C:\Program Files (x86)\Common Files\ParetoLogic\UUS2\Pareto_Update.exe File not found
    O4 - HKCU..\Run: [Upromise Tray] C:\Program Files (x86)\Upromise\UpromiseTray.exe ()
    O4 - HKCU..\Run: [Weather] C:\Program Files (x86)\AWS\WeatherBug\Weather.exe File not found
    O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe File not found
    O4 - Startup: C:\Users\Charlotte\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk = C:\Program Files (x86)\Dell\DellDock\DellDock.exe File not found
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 60
    O9 - Extra Button: Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files (x86)\Upromise\upromisetoolbar.dll (Upromise, Inc.)
    O9 - Extra 'Tools' menuitem : Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files (x86)\Upromise\upromisetoolbar.dll (Upromise, Inc.)
    O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
    O13 - gopher Prefix: missing
    O13 - gopher Prefix: missing
    O15 - HKCU\..Trusted Domains: google.com ([]https in Trusted sites)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
    O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
    O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
    O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20:64bit: - Winlogon\Notify\GoToAssist: DllName - Reg Error: Key error. - C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll File not found
    O20:64bit: - Winlogon\Notify\igfxcui: DllName - Reg Error: Key error. - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
    O24 - Desktop WallPaper: C:\Users\Charlotte\Pictures\Outdoor Wonders\Our Galaxy\jupiter.bmp
    O24 - Desktop BackupWallPaper: C:\Users\Charlotte\Pictures\Outdoor Wonders\Our Galaxy\jupiter.bmp
    O32 - HKLM CDRom: AutoRun - 0
    O33 - MountPoints2\{0a106bf6-1f01-11df-8277-001d099bf2a0}\Shell - " " = AutoRun
    O33 - MountPoints2\{0a106bf6-1f01-11df-8277-001d099bf2a0}\Shell\AutoRun\command - " " = F:\WIN\setup.exe -- File not found
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35:64bit: - HKLM\..comfile [open] -- "%1" %*
    O35:64bit: - HKLM\..exefile [open] -- "%1" %*
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*

    NetSvcs:64bit: Ias - C:\Windows\SysNative\ias [2008/01/20 22:06:38 | 000,000,000 | ---D | M]
    NetSvcs:64bit: Irmon - C:\Windows\SysNative\irmon.dll (Microsoft Corporation)
    NetSvcs:64bit: Wmi - C:\Windows\SysNative\wmi.dll (Microsoft Corporation)
    NetSvcs: Ias - C:\Windows\SysWOW64\ias [2008/01/20 22:08:35 | 000,000,000 | ---D | M]
    NetSvcs: Wmi - C:\Windows\SysWOW64\wmi.dll (Microsoft Corporation)
    OTL cannot create restorepoints on Vista OSs!

    ========== Files/Folders - Created Within 14 Days ==========

    [2010/03/11 01:39:31 | 000,554,496 | ---- | C] (OldTimer Tools) -- C:\Users\Charlotte\Documents\Desktop\OTL(2).exe
    [2010/03/02 23:02:13 | 000,000,000 | ---D | C] -- C:\_OTL
    [2010/03/02 16:33:43 | 000,551,424 | ---- | C] (OldTimer Tools) -- C:\Users\Charlotte\Documents\Desktop\OTL.exe
    [2010/02/28 20:58:25 | 000,439,808 | ---- | C] (OldTimer Tools) -- C:\Users\Charlotte\Documents\Desktop\TFC.exe
    [2010/02/27 15:51:52 | 000,000,000 | ---D | C] -- C:\Users\Charlotte\DoctorWeb
    [2010/02/26 20:46:31 | 000,000,000 | ---D | C] -- C:\Users\Charlotte\Documents\INB Christmas Scrapbook_images
    [2010/02/26 17:39:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Sierra Wireless Inc
    [2010/02/26 17:39:16 | 000,000,000 | ---D | C] -- C:\Users\Charlotte\AppData\Roaming\Sierra Wireless
    [2010/02/26 17:06:51 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
    [2010/02/26 17:01:47 | 000,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Users\Charlotte\Documents\Desktop\HijackThisInstaller.exe
    [2010/02/26 03:23:46 | 000,000,000 | ---D | C] -- C:\Users\Charlotte\AppData\Roaming\Malwarebytes
    [2010/02/26 03:23:42 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
    [2010/02/26 03:23:40 | 000,022,104 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
    [2010/02/26 03:23:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    [2010/02/26 03:23:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2010/02/26 02:27:35 | 005,115,824 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Charlotte\Documents\Desktop\mbam-setup.exe

    ========== Files - Modified Within 14 Days ==========

    [2010/03/11 01:45:06 | 003,670,016 | -HS- | M] () -- C:\Users\Charlotte\ntuser.dat
    [2010/03/11 01:43:12 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Users\Charlotte\Documents\Desktop\OTL(2).exe
    [2010/03/11 01:00:53 | 000,000,400 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{8559B34B-EA1A-48B0-A38D-9C17DAD3CDAB}.job
    [2010/03/11 00:50:23 | 000,790,054 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
    [2010/03/11 00:50:23 | 000,663,486 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
    [2010/03/11 00:50:23 | 000,128,906 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
    [2010/03/11 00:45:17 | 000,003,744 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2010/03/11 00:45:16 | 000,003,744 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2010/03/11 00:44:14 | 000,065,536 | ---- | M] () -- C:\Windows\SysNative\Ikeext.etl
    [2010/03/11 00:44:05 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
    [2010/03/11 00:44:02 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2010/03/11 00:43:45 | 000,471,576 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
    [2010/03/11 00:42:20 | 000,524,288 | -HS- | M] () -- C:\Users\Charlotte\ntuser.dat{4767af02-5505-11de-b94e-9a0a1e35dc81}.TMContainer00000000000000000001.regtrans-ms
    [2010/03/11 00:42:20 | 000,065,536 | -HS- | M] () -- C:\Users\Charlotte\ntuser.dat{4767af02-5505-11de-b94e-9a0a1e35dc81}.TM.blf
    [2010/03/11 00:33:58 | 003,827,078 | -H-- | M] () -- C:\Users\Charlotte\AppData\Local\IconCache.db
    [2010/03/11 00:30:50 | 000,115,575 | ---- | M] () -- C:\Users\Charlotte\Documents\Desktop\DrWeb.csv
    [2010/03/11 00:30:00 | 000,000,806 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
    [2010/03/10 17:40:30 | 000,001,610 | ---- | M] () -- C:\Users\Charlotte\Documents\Desktop\DR. WEb help.rtf
    [2010/03/10 15:33:17 | 033,363,360 | ---- | M] () -- C:\Users\Charlotte\Documents\Desktop\x7y58s5w.exe
    [2010/03/09 19:30:44 | 000,524,288 | ---- | M] () -- C:\Users\Charlotte\Documents\Desktop\dds(2).scr
    [2010/03/09 00:27:00 | 000,000,412 | ---- | M] () -- C:\Windows\tasks\DriverCure.job
    [2010/03/08 17:16:38 | 000,152,064 | ---- | M] () -- C:\Users\Charlotte\AppData\Local\GDIPFONTCACHEV1.DAT
    [2010/03/07 16:42:03 | 000,017,920 | ---- | M] () -- C:\Users\Charlotte\Documents\Internet,computer,printer information.xlr
    [2010/03/07 16:42:03 | 000,017,014 | ---- | M] () -- C:\Users\Charlotte\AppData\Roaming\wklnhst.dat
    [2010/03/03 13:03:38 | 000,014,336 | ---- | M] () -- C:\Users\Charlotte\Documents\Computer Short Cuts,Error fixes,etc..xlr
    [2010/03/02 23:10:26 | 005,928,960 | R--- | M] () -- C:\Users\Public\Documents\ESBK.mbb
    [2010/03/02 23:10:26 | 002,754,560 | R--- | M] () -- C:\Users\Public\Documents\ESBK.mb
    [2010/03/02 16:37:33 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Users\Charlotte\Documents\Desktop\OTL.exe
    [2010/03/01 21:32:49 | 000,010,752 | ---- | M] () -- C:\Users\Charlotte\Documents\Computer, error codes, things and places to check.xlr
    [2010/02/28 21:00:50 | 000,439,808 | ---- | M] (OldTimer Tools) -- C:\Users\Charlotte\Documents\Desktop\TFC.exe
    [2010/02/27 07:39:38 | 032,244,920 | ---- | M] () -- C:\Users\Charlotte\Documents\Desktop\drweb-cureit.exe
    [2010/02/26 20:51:29 | 000,008,230 | ---- | M] () -- C:\Users\Charlotte\Documents\INB Christmas Scrapbook.ppp
    [2010/02/26 17:06:31 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Users\Charlotte\Documents\Desktop\HijackThisInstaller.exe
    [2010/02/26 03:23:44 | 000,000,850 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/02/26 03:05:16 | 005,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Charlotte\Documents\Desktop\mbam-setup.exe

    ========== Files Created - No Company Name ==========

    [2010/03/11 00:30:50 | 000,115,575 | ---- | C] () -- C:\Users\Charlotte\Documents\Desktop\DrWeb.csv
    [2010/03/10 17:40:30 | 000,001,610 | ---- | C] () -- C:\Users\Charlotte\Documents\Desktop\DR. WEb help.rtf
    [2010/03/10 10:48:14 | 033,363,360 | ---- | C] () -- C:\Users\Charlotte\Documents\Desktop\x7y58s5w.exe
    [2010/03/09 19:27:14 | 000,524,288 | ---- | C] () -- C:\Users\Charlotte\Documents\Desktop\dds(2).scr
    [2010/03/02 14:26:08 | 000,014,336 | ---- | C] () -- C:\Users\Charlotte\Documents\Computer Short Cuts,Error fixes,etc..xlr
    [2010/03/01 21:29:43 | 000,010,752 | ---- | C] () -- C:\Users\Charlotte\Documents\Computer, error codes, things and places to check.xlr
    [2010/02/27 03:52:42 | 032,244,920 | ---- | C] () -- C:\Users\Charlotte\Documents\Desktop\drweb-cureit.exe
    [2010/02/26 20:46:30 | 000,008,230 | ---- | C] () -- C:\Users\Charlotte\Documents\INB Christmas Scrapbook.ppp
    [2010/02/26 03:23:44 | 000,000,850 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/01/22 00:10:58 | 000,000,028 | ---- | C] () -- C:\Windows\ODBC.INI
    [2010/01/21 22:16:37 | 000,044,544 | ---- | C] () -- C:\Windows\SysWow64\gif89.dll
    [2010/01/21 22:16:05 | 000,000,537 | ---- | C] () -- C:\Windows\SIERRA.INI
    [2009/08/16 23:16:24 | 000,076,407 | ---- | C] () -- C:\Users\Charlotte\AppData\Roaming\Smiley.ico
    [2009/08/16 17:25:21 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll
    [2009/08/16 17:24:07 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
    [2009/07/31 08:42:31 | 000,000,097 | ---- | C] () -- C:\Users\Charlotte\AppData\Local\fusioncache.dat
    [2009/07/30 18:08:08 | 000,743,720 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
    [2009/07/27 23:52:16 | 000,412,140 | ---- | C] () -- C:\Users\Charlotte\AppData\Local\dd_vcredistMSI07EB.txt
    [2009/07/27 23:52:16 | 000,011,458 | ---- | C] () -- C:\Users\Charlotte\AppData\Local\dd_vcredistUI07EB.txt
    [2009/05/23 07:19:15 | 000,000,022 | ---- | C] () -- C:\Users\Charlotte\AppData\Local\kodakpcd.ini
    [2009/04/19 13:59:30 | 000,000,680 | ---- | C] () -- C:\Users\Charlotte\AppData\Local\d3d9caps.dat
    [2009/03/22 13:42:11 | 000,008,248 | ---- | C] () -- C:\Users\Charlotte\AppData\Local\en.ini
    [2009/01/29 18:49:20 | 000,026,478 | ---- | C] () -- C:\Users\Charlotte\AppData\Roaming\UserTile.png
    [2009/01/29 18:44:38 | 000,017,014 | ---- | C] () -- C:\Users\Charlotte\AppData\Roaming\wklnhst.dat
    [2009/01/28 17:28:50 | 000,003,584 | ---- | C] () -- C:\Users\Charlotte\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2008/12/26 14:53:31 | 001,953,696 | ---- | C] () -- C:\Windows\SysWow64\igklg400.dll
    [2008/12/26 14:53:31 | 001,533,360 | ---- | C] () -- C:\Windows\SysWow64\igklg450.dll
    [2008/12/26 14:53:31 | 000,104,636 | ---- | C] () -- C:\Windows\SysWow64\igmedcompkrn.dll
    [2008/01/20 21:50:05 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini
    [2002/12/11 18:19:34 | 000,708,608 | ---- | C] () -- C:\Windows\SysWow64\ltcry13n.dll
    [2002/12/11 18:19:34 | 000,147,456 | ---- | C] () -- C:\Windows\SysWow64\lttls13n.dll
    [2000/04/12 16:28:12 | 000,118,784 | ---- | C] () -- C:\Windows\SysWow64\lfkodak.dll
    [2000/04/12 16:24:10 | 000,338,944 | ---- | C] () -- C:\Windows\SysWow64\lffpx7.dll

    ========== LOP Check ==========

    [2010/01/30 07:49:57 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\Blitware
    [2010/02/28 00:36:07 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\Canon
    [2010/02/04 01:41:12 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\Clip Art Collection
    [2009/10/12 22:16:35 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    [2009/11/10 15:00:21 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\DriverCure
    [2010/01/30 11:23:33 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\E-centives
    [2009/08/19 18:42:52 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\Free-backup.info
    [2010/02/06 10:04:06 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\gtk-2.0
    [2009/11/10 11:45:05 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\licenses
    [2009/11/10 01:19:49 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\PCMM2009
    [2010/02/13 13:15:59 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\PeerNetworking
    [2009/04/07 18:45:47 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\Shape games
    [2010/02/26 17:39:16 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\Sierra Wireless
    [2009/05/12 18:26:41 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\SmartDraw
    [2009/07/29 06:15:43 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\SPAMfighter
    [2009/01/29 18:44:39 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\Template
    [2009/11/10 17:00:51 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\Uniblue
    [2009/08/01 06:35:57 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\upromise
    [2009/09/20 21:57:37 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\WeatherBug
    [2009/04/07 10:39:50 | 000,000,000 | ---D | M] -- C:\Users\Charlotte\AppData\Roaming\Windows Live Writer
    [2010/03/09 00:27:00 | 000,000,412 | ---- | M] () -- C:\Windows\Tasks\DriverCure.job
    [2010/03/11 00:42:41 | 000,032,536 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
    [2010/03/11 01:00:53 | 000,000,400 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{8559B34B-EA1A-48B0-A38D-9C17DAD3CDAB}.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.exe >


    < MD5 for: AGP440.SYS >
    [2008/01/20 21:46:51 | 000,064,568 | ---- | M] (Microsoft Corporation) MD5=F6F6793B7F17B550ECFDBD3B229173F7 -- C:\Windows\winsxs\amd64_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_163188bf770e4ab0\AGP440.sys
    [2008/01/20 21:46:51 | 000,064,568 | ---- | M] (Microsoft Corporation) MD5=F6F6793B7F17B550ECFDBD3B229173F7 -- C:\Windows\winsxs\amd64_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_181d01cb743015fc\AGP440.sys

    < MD5 for: ATAPI.SYS >
    [2008/01/20 21:46:50 | 000,022,584 | ---- | M] (Microsoft Corporation) MD5=1898FAE8E07D97F2F6C2D5326C633FAC -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_3956c39dd9e73fd2\atapi.sys
    [2008/12/26 14:25:44 | 000,022,584 | ---- | M] (Microsoft Corporation) MD5=5EB9EF6EEC5D873E94992095A1719BF6 -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.0.6001.22134_none_39c3f1ccf31998cb\atapi.sys
    [2009/04/11 02:15:00 | 000,020,952 | ---- | M] (Microsoft Corporation) MD5=E68D9B3A3905619732F7FE039466A623 -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_3b423ca9d7090b1e\atapi.sys
    [2008/12/26 14:25:44 | 000,022,584 | ---- | M] (Microsoft Corporation) MD5=F988BB0690CD660318037908E9B8DBF7 -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.0.6001.18034_none_393a5501d9fbf901\atapi.sys

    < MD5 for: CNGAUDIT.DLL >
    [2006/11/02 06:16:48 | 000,014,848 | ---- | M] (Microsoft Corporation) MD5=21322B1A2AD337C579F4A65EA0D25193 -- C:\Windows\winsxs\amd64_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_424bc4aceb06de1c\cngaudit.dll
    [2006/11/02 04:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\SysWOW64\cngaudit.dll
    [2006/11/02 04:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\SysWOW64\cngaudit.dll
    [2006/11/02 04:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

    < MD5 for: IASTORV.SYS >
    [2008/01/20 21:46:59 | 000,290,872 | ---- | M] (Intel Corporation) MD5=3E3BF3627D886736D0B4E90054F929F6 -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_0b2fedfc40256bc5\iaStorV.sys

    < MD5 for: NETLOGON.DLL >
    [2008/01/20 21:51:03 | 000,716,800 | ---- | M] (Microsoft Corporation) MD5=5D0A4891F8CD0E9E64FF57A6A34044F5 -- C:\Windows\winsxs\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_59d652c6f057598d\netlogon.dll
    [2009/04/11 01:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\SysWOW64\netlogon.dll
    [2009/04/11 01:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\SysWOW64\netlogon.dll
    [2009/04/11 01:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\wow64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_6616762521d9e6d4\netlogon.dll
    [2009/04/11 02:11:16 | 000,717,312 | ---- | M] (Microsoft Corporation) MD5=A3F1B171702CA04744EE514243B45BFB -- C:\Windows\winsxs\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_5bc1cbd2ed7924d9\netlogon.dll
    [2008/01/20 21:48:28 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\wow64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_642afd1924b81b88\netlogon.dll

    < MD5 for: NVSTOR.SYS >
    [2008/01/20 21:46:54 | 000,054,328 | ---- | M] (NVIDIA Corporation) MD5=F7EA0FE82842D05EDA3EFDD376DBFDBA -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_95f95eab775c159d\nvstor.sys

    < MD5 for: SCECLI.DLL >
    [2008/01/20 21:50:28 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_9e812831c5d9a243\scecli.dll
    [2008/01/20 21:49:49 | 000,235,520 | ---- | M] (Microsoft Corporation) MD5=35F1DD99F9903BC267C2AF16B09F9BF7 -- C:\Windows\winsxs\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_942c7ddf9178e048\scecli.dll
    [2009/04/11 01:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\SysWOW64\scecli.dll
    [2009/04/11 01:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\SysWOW64\scecli.dll
    [2009/04/11 01:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_a06ca13dc2fb6d8f\scecli.dll
    [2009/04/11 02:11:23 | 000,235,520 | ---- | M] (Microsoft Corporation) MD5=9922ADB6DCA8F0F5EA038BEFF339C08B -- C:\Windows\winsxs\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_9617f6eb8e9aab94\scecli.dll

    < %systemroot%\*. /mp /s >

    < %systemroot%\system32\*.dll /lockedfiles >

    < %systemroot%\Tasks\*.job /lockedfiles >

    < %systemroot%\system32\drivers\*.sys /lockedfiles >

    < %systemroot%\System32\config\*.sav >

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 765 bytes -> C:\Users\Charlotte\Documents\6 pictures for you.eml:OECustomProperty
    < End of report >
     
  19. 2010/03/11
    Blue Skys

    Blue Skys Inactive Thread Starter

    Joined:
    2010/02/19
    Messages:
    110
    Likes Received:
    0
    I must have done something wrong. I cannot seem to find the EXTRAS.txt file, and the OTL.txt I posted twice. I tried to do a search for the EXTRAS.txt file and found nothing. It is getting late I guess.
    Please let me know what you want me to do next.

    And, Thanks so very much for all that you have done to help me.
     
  20. 2010/03/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Open Firefox.
    In address bar type in:
    about:config
    Press Enter

    In "Filter" bar type in:
    keyword.URL
    You'll be presented with one entry, "keyword.URL"
    Right click on it, click "Modify".
    Copy and paste following string:
    http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
    Click OK.

    Now....

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      [2010/01/30 07:24:15 | 000,002,180 | ---- | M] () -- C:\Users\Charlotte\AppData\Roaming\Mozilla\Firefox\Profiles\zh5wtzxu.default\searchplugins\bing-ff.xml
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

    ===============================================================

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users:: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :regfind
      bing
      
    • Click the Look button to start the scan. It may take a while. Be patient.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
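    The steps above reset the Firefox keyword.URL preference and remove a planted search plugin (bing-ff.xml) by hand. The script below is an added example, not part of this thread and not code from OTL or SystemLook: it audits a Firefox profile the same way, reading keyword.URL from prefs.js and the search URL template of every OpenSearch/MozSearch file under searchplugins, and reports any host that is not on an allowlist. The profile contents, the allowlist and the hijack host name are constructed for the example.

```python
"""Audit a Firefox profile's default-search settings for search hijacking.

Added example (not from the forum thread, OTL or SystemLook). The sample
profile built by build_sample_profile() is constructed; the hijack host
search.hijack-example.test is a placeholder.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hosts the user legitimately searches through (an assumption for this example).
ALLOWED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

# Firefox search plugins use either the OpenSearch or the MozSearch namespace.
OPENSEARCH_NS = "{http://a9.com/-/spec/opensearch/1.1/}"
MOZSEARCH_NS = "{http://www.mozilla.org/2006/browser/search/}"

# keyword.URL is the address-bar search prefix, a common hijack target.
PREF_RE = re.compile(r'user_pref\("keyword\.URL",\s*"([^"]*)"\);')


def keyword_url(prefs_js_text):
    """Return the keyword.URL value stored in prefs.js, or None if it is unset."""
    m = PREF_RE.search(prefs_js_text)
    return m.group(1) if m else None


def search_plugin_urls(xml_text):
    """Return the text/html search URL templates declared in one plugin file."""
    root = ET.fromstring(xml_text)
    templates = []
    for ns in (OPENSEARCH_NS, MOZSEARCH_NS):
        for url in root.iter(ns + "Url"):
            if url.get("type", "text/html") == "text/html":
                templates.append(url.get("template", ""))
    return templates


def host_of(url):
    """Hostname of a URL template, or '' when it has none (e.g. a relative path)."""
    return urlparse(url).hostname or ""


def audit_profile(profile_dir, allowed=ALLOWED_SEARCH_HOSTS):
    """Return [(source, url)] for every search setting pointing off the allowlist."""
    findings = []
    prefs_path = os.path.join(profile_dir, "prefs.js")
    if os.path.exists(prefs_path):
        with open(prefs_path, encoding="utf-8") as f:
            kw = keyword_url(f.read())
        if kw and host_of(kw) not in allowed:
            findings.append(("prefs.js keyword.URL", kw))
    plugin_dir = os.path.join(profile_dir, "searchplugins")
    if os.path.isdir(plugin_dir):
        for name in sorted(os.listdir(plugin_dir)):
            if not name.lower().endswith(".xml"):
                continue
            with open(os.path.join(plugin_dir, name), encoding="utf-8") as f:
                for template in search_plugin_urls(f.read()):
                    if host_of(template) not in allowed:
                        findings.append(("searchplugins/" + name, template))
    return findings


# Constructed sample profile: a hijacked keyword.URL, one clean MozSearch
# plugin and one OpenSearch plugin pointing at the placeholder hijack host.
SAMPLE_PREFS = (
    'user_pref("browser.startup.homepage", "about:home");\n'
    'user_pref("keyword.URL", "http://search.hijack-example.test/?q=");\n'
)
SAMPLE_PLUGINS = {
    "google.xml": (
        '<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/">'
        "<ShortName>Google</ShortName>"
        '<Url type="text/html" method="GET" template="http://www.google.com/search">'
        '<Param name="q" value="{searchTerms}"/></Url></SearchPlugin>'
    ),
    "search-toolbar.xml": (
        '<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">'
        "<ShortName>Search Toolbar</ShortName>"
        '<Url type="text/html" '
        'template="http://search.hijack-example.test/results?q={searchTerms}"/>'
        "</OpenSearchDescription>"
    ),
}


def build_sample_profile():
    """Write the constructed profile to a temp directory and return its path."""
    profile = tempfile.mkdtemp(prefix="ff-profile-")
    with open(os.path.join(profile, "prefs.js"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_PREFS)
    os.mkdir(os.path.join(profile, "searchplugins"))
    for name, xml in SAMPLE_PLUGINS.items():
        with open(os.path.join(profile, "searchplugins", name), "w", encoding="utf-8") as f:
            f.write(xml)
    return profile


def audit_sample():
    """Audit the constructed profile; returns two findings for the hijack host."""
    return audit_profile(build_sample_profile())


if __name__ == "__main__":
    for source, url in audit_sample():
        print(f"SUSPECT {source}: {url}")
```

    On a real machine the profile directory is the one shown in the OTL log (the Profiles\<name>.default folder under AppData\Roaming\Mozilla\Firefox); anything the script flags is what the manual keyword.URL reset and the OTL :OTL fix line remove.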
     
  21. 2010/03/11
    Blue Skys

    Blue Skys Inactive Thread Starter

    Joined:
    2010/02/19
    Messages:
    110
    Likes Received:
    0
    Hi there, I hope you are having a good day. A little help is required. I need to know where or what is a "filter bar"?
     
