
Solved Please Help Malware/keylogger/virus?

Discussion in 'Malware and Virus Removal Archive' started by cilygo, 2011/01/24.


    Hi, my hubby had the great idea of letting a friend use our computer to download junk, and now we've been having problems with hacked email and WoW accounts and an error of an invalid partition table after running the system repair disk, which took gparted to get back into Windows. But now I can't run a backup, and when I tried to run GMER again, even in safe mode, it won't work. I had to reinstall MBAM also. I have tried several tools such as Live Care, Kaspersky, Avast, Rootkit Buster, ThreatFire, CWShredder, Glary, pavark and sargui, but I am sure the computer still isn't clean. I would like to just reformat and reinstall, but don't know how to do it because the computer came with Vista but I received a Win 7 upgrade when I bought it. Also thought about ComboFix, but decided against it without any help. Any help would be greatly appreciated.

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5534

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    1/16/2011 8:05:01 PM
    mbam-log-2011-01-16 (20-05-01).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 294257
    Time elapsed: 1 hour(s), 15 minute(s), 41 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 17
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\AppID\{0D82ACD6-A652-4496-A298-2BDE705F4227} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\{7025E484-D4B0-441a-9F0B-69063BD679CE} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\{8258B35C-05B8-4c0e-9525-9BCCC70F8F2D} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\{A89256AD-EC17-4a83-BEF5-4B8BC4F39306} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\ShopperReports.Reporter (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\ShopperReports.Reporter.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\SRS_IT_E8790577BC765D573EAC98 (Malware.Trace) -> Value: SRS_IT_E8790577BC765D573EAC98 -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\program files\windows live\messenger\riched20.dll (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    c:\program files\windows live\messenger\msimg32.dll (PUP.FunWebProducts) -> Quarantined and deleted successfully.

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-01-21 09:41:54
    Windows 6.1.7600 Harddisk0\DR0 -> \Device\00000067 ST332081 rev.SD23
    Running: 42vlb76l.exe; Driver: C:\Users\Cindy\AppData\Local\Temp\kglyykoc.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8244C599 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82470F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\Explorer.EXE[1088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [739E2494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [739C5624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [739C56E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [739E250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [739D8573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [739D4D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [739D50CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [739D51A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [739D66D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [739D82CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [739D8819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [739D907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [739DE21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1088] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [739D4C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC2 0x3B 0x70 0xED ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE4 0x9B 0x32 0x49 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9A 0xD1 0x55 0xD7 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC2 0x3B 0x70 0xED ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE4 0x9B 0x32 0x49 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9A 0xD1 0x55 0xD7 ...

    ---- EOF - GMER 1.0.15 ----

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows 7 Home Premium Edition
    Windows Information: (build 7600), 32-bit
    Base Board Manufacturer: eMachines
    BIOS Manufacturer: American Megatrends Inc.
    System Manufacturer: eMachines
    System Product Name: ET1810
    Logical Drives Mask: 0x00000ffc

    Kernel Drivers (total 200):
    0x8304E000 \SystemRoot\system32\ntkrnlpa.exe
    0x83017000 \SystemRoot\system32\halmacpi.dll
    0x80BB8000 \SystemRoot\system32\kdcom.dll
    0x83611000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x83689000 \SystemRoot\system32\PSHED.dll
    0x8369A000 \SystemRoot\system32\BOOTVID.dll
    0x836A2000 \SystemRoot\system32\CLFS.SYS
    0x836E4000 \SystemRoot\system32\CI.dll
    0x8378F000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x83600000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x8AE18000 \SystemRoot\System32\Drivers\spjy.sys
    0x8AF0B000 \SystemRoot\System32\Drivers\WMILIB.SYS
    0x8AF14000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
    0x8AF3A000 \SystemRoot\system32\DRIVERS\ACPI.sys
    0x8AF82000 \SystemRoot\system32\DRIVERS\msisadrv.sys
    0x8AF8A000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
    0x8AF95000 \SystemRoot\system32\DRIVERS\pci.sys
    0x8AFBF000 \SystemRoot\System32\drivers\partmgr.sys
    0x8AFD0000 \SystemRoot\system32\DRIVERS\volmgr.sys
    0x8B023000 \SystemRoot\System32\drivers\volmgrx.sys
    0x8B06E000 \SystemRoot\system32\DRIVERS\pciide.sys
    0x8B075000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
    0x8B083000 \SystemRoot\System32\drivers\mountmgr.sys
    0x8B099000 \SystemRoot\system32\DRIVERS\atapi.sys
    0x8B0A2000 \SystemRoot\system32\DRIVERS\ataport.SYS
    0x8B0C5000 \SystemRoot\system32\DRIVERS\nvstor32.sys
    0x8B0E9000 \SystemRoot\system32\DRIVERS\storport.sys
    0x8B130000 \SystemRoot\system32\DRIVERS\amdxata.sys
    0x8B139000 \SystemRoot\system32\drivers\fltmgr.sys
    0x8B16D000 \SystemRoot\system32\drivers\fileinfo.sys
    0x8B17E000 \SystemRoot\system32\drivers\TfFsMon.sys
    0x8B18F000 \SystemRoot\system32\drivers\TfSysMon.sys
    0x8B224000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x8B353000 \SystemRoot\System32\Drivers\msrpc.sys
    0x8B37E000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x8B391000 \SystemRoot\System32\Drivers\cng.sys
    0x8B3EE000 \SystemRoot\System32\drivers\pcw.sys
    0x8B200000 \SystemRoot\System32\Drivers\Fs_Rec.sys
    0x8B40E000 \SystemRoot\system32\drivers\ndis.sys
    0x8B4C5000 \SystemRoot\system32\drivers\NETIO.SYS
    0x8B503000 \SystemRoot\System32\Drivers\ksecpkg.sys
    0x8B633000 \SystemRoot\System32\drivers\tcpip.sys
    0x8B77C000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x8B7AD000 \SystemRoot\system32\DRIVERS\volsnap.sys
    0x8B7EC000 \SystemRoot\System32\Drivers\spldr.sys
    0x8B600000 \SystemRoot\System32\drivers\rdyboost.sys
    0x8B528000 \SystemRoot\System32\Drivers\mup.sys
    0x8B7F4000 \SystemRoot\System32\drivers\hwpolicy.sys
    0x8B538000 \SystemRoot\System32\DRIVERS\fvevol.sys
    0x8B56A000 \SystemRoot\system32\DRIVERS\disk.sys
    0x8B57B000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    0x8B1A0000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x8B5EC000 \SystemRoot\System32\Drivers\Null.SYS
    0x8B5F3000 \SystemRoot\System32\Drivers\Beep.SYS
    0x8B400000 \SystemRoot\System32\drivers\vga.sys
    0x8B1BF000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8B209000 \SystemRoot\System32\drivers\watchdog.sys
    0x8B216000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x8B1E0000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8B1E8000 \SystemRoot\system32\drivers\rdprefmp.sys
    0x8B1F0000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8B000000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x8AFE0000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x8B00E000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x8FC12000 \SystemRoot\system32\drivers\afd.sys
    0x8FC6C000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x8FC9E000 \SystemRoot\system32\DRIVERS\wfplwf.sys
    0x8FCA5000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x8FCC4000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8FCD2000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x8FCE5000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8FCF5000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x8FD36000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x8FD40000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8FD4A000 \SystemRoot\System32\drivers\discache.sys
    0x8FD56000 \SystemRoot\System32\Drivers\dfsc.sys
    0x8FD6E000 \SystemRoot\system32\DRIVERS\blbdrive.sys
    0x8FD7C000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x8FD9D000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0x8FDAF000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x8FDC7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x8FDD4000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x8FDE1000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0x90C19000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x90C64000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x90C73000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x90C92000 \SystemRoot\system32\DRIVERS\AGRSM.sys
    0x90DAF000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x90DB1000 \SystemRoot\system32\drivers\modem.sys
    0x9623D000 \SystemRoot\system32\DRIVERS\Rt86win7.sys
    0x96A2A000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
    0x974A8000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
    0x974AA000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x97561000 \SystemRoot\System32\drivers\dxgmms1.sys
    0x9759A000 \SystemRoot\System32\Drivers\a4mqqfk1.SYS
    0x975D3000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0x975DC000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
    0x975E9000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
    0x96A00000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x96A18000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x96282000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x962A4000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x962BC000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x962D3000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x962EA000 \SystemRoot\System32\Drivers\pcouffin.sys
    0x96A23000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x962F6000 \SystemRoot\system32\DRIVERS\ks.sys
    0x9632A000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x96338000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x9637C000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x98601000 \SystemRoot\system32\drivers\RTKVHDA.sys
    0x9880E000 \SystemRoot\system32\drivers\portcls.sys
    0x9883D000 \SystemRoot\system32\drivers\drmk.sys
    0x98D20000 \SystemRoot\System32\win32k.sys
    0x98856000 \SystemRoot\System32\drivers\Dxapi.sys
    0x98860000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x9886D000 \SystemRoot\System32\Drivers\dump_diskdump.sys
    0x98877000 \SystemRoot\System32\Drivers\dump_nvstor32.sys
    0x9889B000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
    0x988AC000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0x988B7000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0x988CA000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0x988D1000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x988DC000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x988F3000 \SystemRoot\system32\DRIVERS\usbscan.sys
    0x98901000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0x9890C000 \SystemRoot\system32\DRIVERS\dot4usb.sys
    0x98919000 \SystemRoot\system32\DRIVERS\Dot4.sys
    0x9893D000 \SystemRoot\system32\DRIVERS\Dot4Prt.sys
    0x98946000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x98F80000 \SystemRoot\System32\TSDDD.dll
    0x98FB0000 \SystemRoot\System32\cdd.dll
    0x98951000 \SystemRoot\system32\DRIVERS\PFC027.SYS
    0x989E8000 \SystemRoot\system32\DRIVERS\STREAM.SYS
    0x9638D000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0x963A4000 \SystemRoot\system32\drivers\luafv.sys
    0x963BF000 \SystemRoot\system32\drivers\WudfPf.sys
    0x963D9000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x8B5A0000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x963E9000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x96200000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x9841B000 \SystemRoot\system32\drivers\HTTP.sys
    0x984A0000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x984B9000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x984CB000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x984EE000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x98529000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x9855C000 \SystemRoot\system32\drivers\peauth.sys
    0x985F3000 \SystemRoot\System32\Drivers\secdrv.SYS
    0x96213000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0x98400000 \SystemRoot\System32\drivers\tcpipreg.sys
    0x9CC36000 \SystemRoot\System32\DRIVERS\srv2.sys
    0x9CC85000 \SystemRoot\system32\drivers\tdtcp.sys
    0x9CC8F000 \SystemRoot\System32\DRIVERS\tssecsrv.sys
    0x9CC9C000 \SystemRoot\System32\DRIVERS\srv.sys
    0x9CCED000 \SystemRoot\System32\Drivers\RDPWD.SYS
    0x9CD1E000 \??\C:\Windows\system32\drivers\TfNetMon.sys
    0x9CD2A000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
    0x9CDB5000 \SystemRoot\system32\DRIVERS\asyncmac.sys
    0xAEE1A000 \SystemRoot\system32\DRIVERS\netr28u.sys
    0x77CD0000 \Windows\System32\ntdll.dll
    0x476E0000 \Windows\System32\smss.exe
    0x77F10000 \Windows\System32\apisetschema.dll
    0x002B0000 \Windows\System32\autochk.exe
    0x77B70000 \Windows\System32\ole32.dll
    0x77E50000 \Windows\System32\msvcrt.dll
    0x77E40000 \Windows\System32\normaliz.dll
    0x77B30000 \Windows\System32\ws2_32.dll
    0x77A80000 \Windows\System32\rpcrt4.dll
    0x77E30000 \Windows\System32\psapi.dll
    0x77E20000 \Windows\System32\nsi.dll
    0x77980000 \Windows\System32\wininet.dll
    0x777E0000 \Windows\System32\setupapi.dll
    0x77710000 \Windows\System32\user32.dll
    0x77640000 \Windows\System32\msctf.dll
    0x775E0000 \Windows\System32\shlwapi.dll
    0x77580000 \Windows\System32\difxapi.dll
    0x77530000 \Windows\System32\gdi32.dll
    0x77E10000 \Windows\System32\lpk.dll
    0x77450000 \Windows\System32\kernel32.dll
    0x77420000 \Windows\System32\imagehlp.dll
    0x77380000 \Windows\System32\usp10.dll
    0x772E0000 \Windows\System32\advapi32.dll
    0x770E0000 \Windows\System32\iertutil.dll
    0x76490000 \Windows\System32\shell32.dll
    0x76470000 \Windows\System32\imm32.dll
    0x763F0000 \Windows\System32\comdlg32.dll
    0x76360000 \Windows\System32\oleaut32.dll
    0x76340000 \Windows\System32\sechost.dll
    0x762B0000 \Windows\System32\clbcatq.dll
    0x76170000 \Windows\System32\urlmon.dll
    0x76120000 \Windows\System32\Wldap32.dll
    0x76100000 \Windows\System32\devobj.dll
    0x760B0000 \Windows\System32\KernelBase.dll
    0x76080000 \Windows\System32\wintrust.dll
    0x75F60000 \Windows\System32\crypt32.dll
    0x75F30000 \Windows\System32\cfgmgr32.dll
    0x75EA0000 \Windows\System32\comctl32.dll
    0x75E90000 \Windows\System32\msasn1.dll
    0x10000000 \Program Files\DAEMON Tools Lite\Engine.dll

    Processes (total 49):
    0 System Idle Process
    4 System
    276 C:\Windows\System32\smss.exe
    408 C:\Windows\System32\csrss.exe
    468 C:\Windows\System32\wininit.exe
    480 C:\Windows\System32\csrss.exe
    524 C:\Windows\System32\services.exe
    540 C:\Windows\System32\lsass.exe
    548 C:\Windows\System32\lsm.exe
    620 C:\Windows\System32\winlogon.exe
    708 C:\Windows\System32\svchost.exe
    772 C:\Windows\System32\nvvsvc.exe
    812 C:\Windows\System32\svchost.exe
    916 C:\Windows\System32\svchost.exe
    956 C:\Windows\System32\svchost.exe
    996 C:\Windows\System32\svchost.exe
    1144 C:\Windows\System32\svchost.exe
    1212 C:\Windows\System32\nvvsvc.exe
    1316 C:\Windows\System32\svchost.exe
    1472 C:\Windows\System32\spoolsv.exe
    1508 C:\Windows\System32\svchost.exe
    1612 C:\Program Files\LSI SoftModem\agrsmsvc.exe
    1652 C:\Windows\System32\svchost.exe
    1676 C:\Windows\System32\svchost.exe
    1708 C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
    1792 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    1924 C:\Program Files\ThreatFire\TFService.exe
    1972 C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    2496 C:\Windows\System32\WUDFHost.exe
    3284 C:\Windows\System32\svchost.exe
    3324 C:\Windows\System32\SearchIndexer.exe
    2588 C:\Windows\System32\taskhost.exe
    1684 C:\Windows\System32\dwm.exe
    2400 C:\Windows\explorer.exe
    3060 C:\Windows\RtHDVCpl.exe
    656 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    2200 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    1200 C:\Program Files\Freecorder\FLVSrvc.exe
    1540 C:\Program Files\ThreatFire\TFTray.exe
    2404 C:\Program Files\Windows Sidebar\sidebar.exe
    2788 C:\Program Files\Mozilla Firefox\firefox.exe
    3752 C:\Windows\System32\svchost.exe
    2228 C:\Windows\servicing\TrustedInstaller.exe
    2196 C:\Program Files\Mozilla Firefox\plugin-container.exe
    3896 C:\Windows\System32\audiodg.exe
    1248 C:\Windows\System32\dllhost.exe
    1136 C:\Windows\System32\dllhost.exe
    660 C:\Users\Cindy\Downloads\MBRCheck.exe
    3932 C:\Windows\System32\conhost.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000003`40100000 (NTFS)
    \\.\E: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)
    \\.\L: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: ST3320813AS, Rev: SD23
    PhysicalDrive1 Model Number: IBM-DJSA-210, Rev: JS2O

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 MBR Code Faked!
    SHA1: 49E2A5313717CD5E7D7B59DAEE4D322F3F27221E
    9 GB \\.\PhysicalDrive1 RE: Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice:

    Done!

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Cindy at 20:07:47.57 on Sun 01/23/2011
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2815.1620 [GMT -6:00]

    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\LSI SoftModem\agrsmsvc.exe
    C:\Program Files\Cobian Backup 10\cbVSCService.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\ThreatFire\TFService.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\Explorer.EXE
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Freecorder\FLVSrvc.exe
    C:\Program Files\ThreatFire\TFTray.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\msiexec.exe
    C:\Users\Cindy\Downloads\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.msn.com
    mStart Page = hxxp://www.msn.com
    uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
    mURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe "
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\cindy\appdata\roaming\mozilla\firefox\profiles\2v94qpkj.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\users\cindy\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\users\cindy\appdata\roaming\move networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\users\cindy\appdata\roaming\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\users\cindy\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\program files\mozilla firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\cindy\appdata\roaming\Move Networks

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
    ============= SERVICES / DRIVERS ===============

    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2011-1-22 51984]
    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2011-1-22 59664]
    R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2011-1-23 67584]
    R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
    R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2010-5-18 552448]
    R3 PAC207;PC Camer@;c:\windows\system32\drivers\PFC027.SYS [2008-2-13 618112]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-6-23 275048]
    R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2011-1-22 33552]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-21 54632]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-26 1343400]
    S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-11-11 268528]
    S4 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2010-1-21 78104]

    =============== Created Last 30 ================

    2011-01-24 01:42:07 -------- d-----w- c:\program files\trend micro
    2011-01-24 00:54:38 -------- d-----w- c:\users\cindy\appdata\local\Safe mirror
    2011-01-24 00:54:19 -------- d-----w- c:\program files\Cobian Backup 10
    2011-01-22 09:52:49 -------- d-----w- c:\windows\pss
    2011-01-22 08:34:57 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
    2011-01-22 08:34:57 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
    2011-01-22 08:34:57 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
    2011-01-22 08:34:54 -------- d-----w- c:\program files\ThreatFire
    2011-01-22 08:34:54 -------- d-----w- c:\progra~2\PC Tools
    2011-01-22 07:58:51 -------- d-----w- c:\progra~2\Kaspersky Lab
    2011-01-22 07:42:12 -------- d-----w- c:\progra~2\Kaspersky Lab Setup Files
    2011-01-21 14:39:02 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{4508d9f6-bb37-47dd-8c2a-8f3287dc6ced}\mpengine.dll
    2011-01-17 00:39:45 -------- d-----w- c:\users\cindy\appdata\roaming\Malwarebytes
    2011-01-17 00:39:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-17 00:39:41 -------- d-----w- c:\progra~2\Malwarebytes
    2011-01-17 00:39:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-17 00:39:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-12 14:14:25 573440 ----a-w- c:\windows\system32\odbc32.dll
    2011-01-12 14:14:24 987136 ----a-w- c:\program files\common files\system\ado\msado15.dll
    2011-01-12 14:14:24 372736 ----a-w- c:\program files\common files\system\ado\msadox.dll
    2011-01-12 14:14:24 352256 ----a-w- c:\program files\common files\system\ado\msadomd.dll
    2011-01-12 14:14:24 208896 ----a-w- c:\program files\common files\system\msadc\msadco.dll
    2011-01-10 21:36:08 -------- d-----w- c:\program files\MSECache
    2011-01-06 03:19:08 -------- d-----w- C:\Sierra

    ==================== Find3M ====================

    2011-01-24 01:55:48 87608 ----a-w- c:\users\cindy\appdata\roaming\inst.exe
    2011-01-24 01:55:48 47360 ----a-w- c:\users\cindy\appdata\roaming\pcouffin.sys
    2010-11-29 23:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 23:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-13 00:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-04 05:52:17 978944 ----a-w- c:\windows\system32\wininet.dll
    2010-11-04 05:48:36 44544 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-04 04:41:26 386048 ----a-w- c:\windows\system32\html.iec
    2010-11-04 04:08:54 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-11-02 04:41:12 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2010-11-02 04:40:36 496128 ----a-w- c:\windows\system32\taskschd.dll
    2010-11-02 04:40:36 305152 ----a-w- c:\windows\system32\taskcomp.dll
    2010-11-02 04:39:32 749056 ----a-w- c:\windows\system32\schedsvc.dll
    2010-11-02 04:34:44 192000 ----a-w- c:\windows\system32\taskeng.exe
    2010-11-02 04:34:33 179712 ----a-w- c:\windows\system32\schtasks.exe
    2010-10-27 04:32:36 2048 ----a-w- c:\windows\system32\tzres.dll

    ============= FINISH: 20:10:35.70 ===============

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 12/5/2009 8:53:14 AM
    System Uptime: 1/23/2011 7:35:35 PM (1 hours ago)

    Motherboard: eMachines | | EMCP73VT-PM
    Processor: Pentium(R) Dual-Core CPU E2210 @ 2.20GHz | CPU 1 | 2203/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 285 GiB total, 108.119 GiB free.
    D: is CDROM ()
    E: is FIXED (NTFS) - 13 GiB total, 5.632 GiB free.
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable
    K: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
    Description: Microsoft PS/2 Mouse
    Device ID: ACPI\PNP0F03\4&EABE7E6&0
    Manufacturer: Microsoft
    Name: Microsoft PS/2 Mouse
    PNP Device ID: ACPI\PNP0F03\4&EABE7E6&0
    Service: i8042prt

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.1
    Adobe Shockwave Player 11.5
    Agere Systems PCI-SV92PP Soft Modem
    AIO_Scan
    Apple Application Support
    Apple Software Update
    Audacity 1.2.6
    Belkin N Wireless USB Adapter Setup
    BufferChm
    Character Builder
    Cobian Backup 10
    Compatibility Pack for the 2007 Office system
    Conduit Engine
    Copy
    Coupon Printer for Windows
    CutePDF Writer 2.8
    CyberLink LabelPrint
    CyberLink Power2Go
    Dance Praise
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    DivX Setup
    DJ_AIO_ProductContext
    DJ_AIO_Software
    DJ_AIO_Software_min
    eSupportQFolder
    F4100
    F4100_doccd
    F4100_Help
    ffdshow v1.1.3562 [2010-09-07]
    Freecorder
    Freecorder Toolbar
    Glary Utilities 2.31.0.1098
    Google Talk Plugin
    Hero Editor V1.03
    HP Deskjet All-In-One Software 9.0
    HP Imaging Device Functions 9.0
    HP Photosmart Essential 2.01
    HP Photosmart Essential2.01
    HP Product Assistant
    HP Solution Center 9.0
    HP Update
    HPProductAssistant
    Image Resizer Powertoy Clone for Windows
    iWin Games (remove only)
    Java Auto Updater
    Java(TM) 6 Update 23
    Jewel Quest II (remove only)
    Junk Mail filter update
    LeapFrog Connect
    LeapFrog My Pals Plugin
    LSI PCI-SV92PP Soft Modem
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office Live Add-in 1.5
    Microsoft Office Outlook Connector
    Microsoft Office Professional Edition 2003
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    Microsoft WSE 3.0 Runtime
    Move Media Player
    Mozilla Firefox (3.6.13)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Norton Internet Security
    NVIDIA Display Control Panel
    NVIDIA Drivers
    OGA Notifier 2.0.0048.0
    PC Camer@
    PSSWCORE
    PVSonyDll
    QuickTime
    Realtek 8169 8168 8101E 8102E Ethernet Driver
    Realtek High Definition Audio Driver
    Scan
    Skype™ 4.2
    SolutionCenter
    Status
    ThreatFire
    TomTom HOME 2.7.6.2056
    TomTom HOME Visual Studio Merge Modules
    Toolbox
    TrayApp
    UnloadSupport
    Use the entry named LeapFrog Connect to uninstall (LeapFrog My Pals Plugin)
    VC80CRTRedist - 8.0.50727.4053
    VideoToolkit01
    WebReg
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live ID Sign-in Assistant
    Windows Live Mail
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live OneCare safety scanner
    Windows Live Photo Gallery
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    Windows Mobile Device Updater Component
    WinRAR archiver
    World of Warcraft
    Yahoo! Messenger
    Zune
    Zune Language Pack (DEU)
    Zune Language Pack (ESP)
    Zune Language Pack (FRA)
    Zune Language Pack (ITA)
    Zune Language Pack (NLD)
    Zune Language Pack (PTB)
    Zune Language Pack (PTG)

    ==== Event Viewer Messages From Past Week ========

    1/23/2011 7:37:25 PM, Error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
    1/23/2011 6:51:21 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Block Level Backup Engine Service service, but this action failed with the following error: An instance of the service is already running.
    1/23/2011 6:49:21 PM, Error: Service Control Manager [7031] - The Block Level Backup Engine Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    1/23/2011 6:46:08 PM, Error: Service Control Manager [7034] - The Windows Backup service terminated unexpectedly. It has done this 1 time(s).
    1/23/2011 6:45:19 PM, Error: VDS Basic Provider [1] - Unexpected failure. Error code: 490@01010004
    1/23/2011 6:28:03 PM, Error: Ntfs [137] - The default transaction resource manager on volume L: encountered a non-retryable error and could not start. The data contains the error code.
    1/23/2011 4:24:12 PM, Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
    1/23/2011 4:23:57 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    1/23/2011 4:23:56 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments " " in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    1/23/2011 4:23:56 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments " " in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    1/23/2011 4:23:56 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments " " in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    1/23/2011 4:23:56 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments " " in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    1/23/2011 4:23:55 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/23/2011 4:23:50 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments " " in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    1/23/2011 4:22:12 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr sptd tdx Wanarpv6 WfpLwf
    1/23/2011 4:22:12 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    1/23/2011 4:22:12 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    1/23/2011 4:22:12 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    1/23/2011 4:22:12 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    1/23/2011 4:22:12 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    1/23/2011 4:22:12 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    1/23/2011 4:22:12 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    1/23/2011 4:22:12 PM, Error: Service Control Manager [7001] - The Media Center Extender Service service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
    1/23/2011 4:22:12 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    1/23/2011 4:22:12 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/23/2011 4:22:12 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    1/23/2011 4:22:12 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments " " in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
    1/23/2011 4:21:49 PM, Error: sptd [4] - Driver detected an internal error in its data structures for .
    1/23/2011 2:34:26 PM, Error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    1/22/2011 2:38:53 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the eventlog service.
    1/22/2011 2:35:21 AM, Error: Service Control Manager [7030] - The ThreatFire service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    1/22/2011 12:52:47 AM, Error: Service Control Manager [7030] - The ESET Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    1/22/2011 1:58:50 AM, Error: Service Control Manager [7000] - The Kaspersky Lab Driver service failed to start due to the following error: This driver has been blocked from loading
    1/22/2011 1:58:49 AM, Error: Application Popup [875] - Driver klif.sys has been blocked from loading.
    1/22/2011 1:04:51 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000f4 (0x00000003, 0x86b166e0, 0x86b1684c, 0x8323edd0). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 012211-43087-01.
    1/21/2011 9:08:37 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD aswFW aswRdr aswSnx aswSP aswTdi DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr sptd tdx Wanarpv6 WfpLwf
    1/21/2011 10:59:52 PM, Error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

    ==== End Of File ===========================
     
  2. 2011/01/24
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Welcome aboard :)

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===============================================================

    We need to fix your MBR.

    Please download NTBR by noahdfear and save it to your Desktop.
    File size: 2.44 MB (2,565,432 bytes)

    • Place a blank CD in your CD drive.
    • Double click on NTBR_CD.exe file and a folder of the same name will appear.
    • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
    • Follow the prompts to burn the CD.
    • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
    • Insert the newly created CD into your infected PC and reboot your computer.
    • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
    • Read the warning and then continue as prompted.
    • You first need to select your keyboard layout - press Enter for English.
    • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
    • On the following screen enter 5 to select Install Standard MBR code.
    • Enter 2 to overwrite the infected MBR Code with the Windows 7 MBR code.
    • When asked to confirm please do so.
    • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
    • Eject the disc and then press ctrl+alt+del to reboot the PC.
    Once rebooted, run MBRCheck again and post its log.

    **Important note to Dell users - fixing the MBR may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. If this is a Dell computer, let me know before proceeding.
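The "invalid partition table" error and the MBR repair steps above both concern the first 512-byte sector of the disk, whose boot code, partition table and 0x55AA signature MBRWORK rewrites. As an added example that is not part of broni's post and not the code of MBRCheck, MBRWORK or any other tool named in this thread, the Python below parses a raw MBR image, lists the conditions that make a table invalid (missing boot signature, zeroed boot code, bad status bytes, more than one active partition, overlapping entries) and fingerprints the boot code on its own so it can be compared against a reference taken from a known-clean install of the same Windows build. The sample sectors, the partition sizes in them and the `jmp $` stand-in for real bootstrap code are all constructed for the example.

```python
"""Sanity checks on a raw 512-byte MBR sector.

Constructed example: parses the partition table, reports layout problems and
fingerprints the boot code.  Not the code of any tool mentioned in the thread.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439 are bootstrap code; 440..443 hold the NT disk signature
PT_OFFSET = 446                # four 16-byte partition entries start here
PT_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511; the BIOS refuses to boot without it
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


def parse_partition_table(mbr):
    """Return the four partition entries as dicts (index, status, type, lba_start, sectors)."""
    entries = []
    for i in range(4):
        off = PT_OFFSET + i * PT_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            ENTRY_FMT, mbr[off:off + PT_ENTRY_SIZE])
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_fingerprint(mbr):
    """SHA-1 of the bootstrap code only, excluding the per-disk signature and the
    partition table, so two disks running the same boot code compare equal."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr):
    """Return a list of human-readable problems; an empty list means the sector looks sane."""
    if len(mbr) != SECTOR_SIZE:
        return [f"expected {SECTOR_SIZE} bytes, got {len(mbr)}"]
    problems = []
    if mbr[510:512] != BOOT_SIGNATURE:
        problems.append("boot signature 0x55AA missing")
    if mbr[:BOOT_CODE_LEN] == bytes(BOOT_CODE_LEN):
        problems.append("boot code region is all zeros")

    used = []
    for e in parse_partition_table(mbr):
        if e["status"] not in (0x00, 0x80):          # only 'inactive' and 'active' are valid
            problems.append(f"entry {e['index']}: invalid status byte 0x{e['status']:02x}")
        if e["type"] == 0:                            # type 0 marks an unused slot
            continue
        if e["sectors"] == 0 or e["lba_start"] == 0:  # a partition cannot start on the MBR itself
            problems.append(f"entry {e['index']}: partition with zero start or length")
        used.append(e)
    if not used:
        problems.append("partition table is empty")
    if sum(1 for e in used if e["status"] == 0x80) > 1:
        problems.append("more than one partition is flagged active")
    used.sort(key=lambda e: e["lba_start"])
    for a, b in zip(used, used[1:]):                  # neighbours in LBA order must not overlap
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append(f"entries {a['index']} and {b['index']} overlap")
    return problems


def build_mbr(partitions, boot_code=b"\xeb\xfe", signed=True):
    """Assemble a test sector. partitions: list of (status, type, lba_start, sectors).
    The default boot code is a two-byte 'jmp $', a constructed stand-in for real code."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        off = PT_OFFSET + i * PT_ENTRY_SIZE
        sector[off:off + PT_ENTRY_SIZE] = struct.pack(
            ENTRY_FMT, status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba_start, sectors)
    if signed:
        sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: a sane two-partition layout (NTFS system + recovery) and a
# damaged one with no signature, a garbage status byte and two active, overlapping entries.
GOOD_MBR = build_mbr([
    (0x80, 0x07, 2048, 597_000_000),
    (0x00, 0x07, 597_002_048, 27_000_000),
])
BAD_MBR = build_mbr([
    (0x80, 0x07, 2048, 597_000_000),
    (0x80, 0x07, 500_000_000, 27_000_000),
    (0x55, 0x00, 0, 0),
], signed=False)

if __name__ == "__main__":
    for name, sector in (("good", GOOD_MBR), ("bad", BAD_MBR)):
        print(name, boot_code_fingerprint(sector), check_mbr(sector) or "OK")
```

On a live machine the sector would come from a raw read of the first 512 bytes of the disk device (on Windows, `\\.\PhysicalDrive0`, which needs administrator rights), and `boot_code_fingerprint` would be compared with the hash of the same bytes from a clean install of the same Windows build; that reference hash is deliberately not included here because it differs between builds.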
     


  4. 2011/01/25
    cilygo

    cilygo Inactive Thread Starter

    Joined:
    2011/01/24
    Messages:
    12
    Likes Received:
    0
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows 7 Home Premium Edition
    Windows Information: (build 7600), 32-bit
    Base Board Manufacturer: eMachines
    BIOS Manufacturer: American Megatrends Inc.
    System Manufacturer: eMachines
    System Product Name: ET1810
    Logical Drives Mask: 0x000003fc

    Kernel Drivers (total 189):
    0x82C04000 \SystemRoot\system32\ntkrnlpa.exe
    0x83014000 \SystemRoot\system32\halmacpi.dll
    0x80B9B000 \SystemRoot\system32\kdcom.dll
    0x8320F000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x83287000 \SystemRoot\system32\PSHED.dll
    0x83298000 \SystemRoot\system32\BOOTVID.dll
    0x832A0000 \SystemRoot\system32\CLFS.SYS
    0x832E2000 \SystemRoot\system32\CI.dll
    0x8338D000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x83200000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x83814000 \SystemRoot\system32\DRIVERS\ACPI.sys
    0x8385C000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
    0x83865000 \SystemRoot\system32\DRIVERS\msisadrv.sys
    0x8386D000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
    0x83878000 \SystemRoot\system32\DRIVERS\pci.sys
    0x838A2000 \SystemRoot\System32\drivers\partmgr.sys
    0x838B3000 \SystemRoot\system32\DRIVERS\volmgr.sys
    0x838C3000 \SystemRoot\System32\drivers\volmgrx.sys
    0x8390E000 \SystemRoot\system32\DRIVERS\pciide.sys
    0x83915000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
    0x83923000 \SystemRoot\System32\drivers\mountmgr.sys
    0x83939000 \SystemRoot\system32\DRIVERS\atapi.sys
    0x83942000 \SystemRoot\system32\DRIVERS\ataport.SYS
    0x83965000 \SystemRoot\system32\DRIVERS\nvstor32.sys
    0x83989000 \SystemRoot\system32\DRIVERS\storport.sys
    0x839D0000 \SystemRoot\system32\DRIVERS\amdxata.sys
    0x83A20000 \SystemRoot\system32\drivers\fltmgr.sys
    0x83A54000 \SystemRoot\system32\drivers\fileinfo.sys
    0x83A65000 \SystemRoot\system32\drivers\TfFsMon.sys
    0x83A76000 \SystemRoot\system32\drivers\TfSysMon.sys
    0x83A87000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x83BB6000 \SystemRoot\System32\Drivers\msrpc.sys
    0x83BE1000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x8AA2D000 \SystemRoot\System32\Drivers\cng.sys
    0x8AA8A000 \SystemRoot\System32\drivers\pcw.sys
    0x8AA98000 \SystemRoot\System32\Drivers\Fs_Rec.sys
    0x8AAA1000 \SystemRoot\system32\drivers\ndis.sys
    0x8AB58000 \SystemRoot\system32\drivers\NETIO.SYS
    0x8AB96000 \SystemRoot\System32\Drivers\ksecpkg.sys
    0x8AC01000 \SystemRoot\System32\drivers\tcpip.sys
    0x8AD4A000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x8AD7B000 \SystemRoot\system32\DRIVERS\volsnap.sys
    0x8ADBA000 \SystemRoot\System32\Drivers\spldr.sys
    0x8ADC2000 \SystemRoot\System32\drivers\rdyboost.sys
    0x8ADEF000 \SystemRoot\System32\Drivers\mup.sys
    0x8ABBB000 \SystemRoot\System32\drivers\hwpolicy.sys
    0x8ABC3000 \SystemRoot\System32\DRIVERS\fvevol.sys
    0x8AA00000 \SystemRoot\system32\DRIVERS\disk.sys
    0x839D9000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    0x8F052000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x8F071000 \SystemRoot\System32\Drivers\Null.SYS
    0x8F078000 \SystemRoot\System32\Drivers\Beep.SYS
    0x8F07F000 \SystemRoot\System32\drivers\vga.sys
    0x8F08B000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8F0AC000 \SystemRoot\System32\drivers\watchdog.sys
    0x8F0B9000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x8F0C1000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8F0C9000 \SystemRoot\system32\drivers\rdprefmp.sys
    0x8F0D1000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8F0DC000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x8F0EA000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x8F101000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x8F10C000 \SystemRoot\system32\drivers\afd.sys
    0x8F166000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x8F198000 \SystemRoot\system32\DRIVERS\wfplwf.sys
    0x8F19F000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x8F1BE000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8F1CC000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x8F1DF000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8FA2F000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x8FA70000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x8FA7A000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8FA84000 \SystemRoot\System32\drivers\discache.sys
    0x8FA90000 \SystemRoot\System32\Drivers\dfsc.sys
    0x8FAA8000 \SystemRoot\system32\DRIVERS\blbdrive.sys
    0x8FAB6000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x8FAD7000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0x8FAE9000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x8FB01000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x8FB0E000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x8FB1B000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0x8FB25000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x8FB70000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x8FB7F000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x90638000 \SystemRoot\system32\DRIVERS\AGRSM.sys
    0x90755000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x90757000 \SystemRoot\system32\drivers\modem.sys
    0x90764000 \SystemRoot\system32\DRIVERS\Rt86win7.sys
    0x95218000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
    0x95C96000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
    0x95C98000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x95D4F000 \SystemRoot\System32\drivers\dxgmms1.sys
    0x95D88000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0x95D91000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
    0x95D9E000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
    0x95DB0000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x95DC8000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x95DD3000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x95200000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x907A9000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x907C0000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x95DF5000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x90600000 \SystemRoot\system32\DRIVERS\ks.sys
    0x907D7000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x8FB9E000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x907E5000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x9702E000 \SystemRoot\system32\drivers\RTKVHDA.sys
    0x9723B000 \SystemRoot\system32\drivers\portcls.sys
    0x9726A000 \SystemRoot\system32\drivers\drmk.sys
    0x97500000 \SystemRoot\System32\win32k.sys
    0x97283000 \SystemRoot\System32\drivers\Dxapi.sys
    0x9728D000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0x972A3000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0x972AE000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0x972C1000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0x972C8000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x972D3000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x972E0000 \SystemRoot\System32\Drivers\dump_diskdump.sys
    0x972EA000 \SystemRoot\System32\Drivers\dump_nvstor32.sys

    Processes (total 50):
    0 System Idle Process
    4 System
    264 C:\Windows\System32\smss.exe
    404 C:\Windows\System32\csrss.exe
    468 C:\Windows\System32\wininit.exe
    480 C:\Windows\System32\csrss.exe
    524 C:\Windows\System32\services.exe
    540 C:\Windows\System32\lsass.exe
    548 C:\Windows\System32\lsm.exe
    612 C:\Windows\System32\winlogon.exe
    708 C:\Windows\System32\svchost.exe
    776 C:\Windows\System32\nvvsvc.exe
    816 C:\Windows\System32\svchost.exe
    916 C:\Windows\System32\svchost.exe
    964 C:\Windows\System32\svchost.exe
    1000 C:\Windows\System32\svchost.exe
    1064 C:\Windows\System32\audiodg.exe
    1112 C:\Windows\System32\svchost.exe
    1232 C:\Windows\System32\svchost.exe
    1384 C:\Windows\System32\nvvsvc.exe
    1448 C:\Windows\System32\spoolsv.exe
    1488 C:\Windows\System32\svchost.exe
    1580 C:\Program Files\LSI SoftModem\agrsmsvc.exe
    1600 C:\Program Files\Cobian Backup 10\cbVSCService.exe
    1668 C:\Windows\System32\svchost.exe
    1692 C:\Windows\System32\svchost.exe
    1760 C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
    1952 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    2004 C:\Windows\System32\svchost.exe
    312 C:\Program Files\ThreatFire\TFService.exe
    340 C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    2412 C:\Windows\System32\dwm.exe
    2420 C:\Windows\System32\taskeng.exe
    2452 C:\Windows\explorer.exe
    2460 C:\Windows\System32\taskhost.exe
    2628 C:\Windows\System32\taskeng.exe
    3072 C:\Windows\System32\WUDFHost.exe
    4032 C:\Windows\RtHDVCpl.exe
    4040 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    4052 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    4064 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
    4092 C:\Program Files\Freecorder\FLVSrvc.exe
    1188 C:\Program Files\ThreatFire\TFTray.exe
    2112 C:\Program Files\Windows Sidebar\sidebar.exe
    856 C:\Windows\System32\SearchIndexer.exe
    3564 C:\Windows\System32\svchost.exe
    1340 C:\Windows\System32\dllhost.exe
    2660 C:\Windows\System32\dllhost.exe
    2196 C:\Users\Cindy\Downloads\MBRCheck.exe
    1364 C:\Windows\System32\conhost.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000003`40100000 (NTFS)
    \\.\E: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)

    PhysicalDrive0 Model Number: ST3320813AS, Rev: SD23

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 MBR Code Faked!
    SHA1: 49E2A5313717CD5E7D7B59DAEE4D322F3F27221E


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice:

    Done!
     
  5. 2011/01/25
    broni Moderator Malware Analyst

    Hmm...it didn't work.

    Let's try a different method.

    If you have Vista/7 DVD...

    start with step 2

    If you don't have Vista/7 DVD...

    1. Create Vista/7 Recovery Disc.

    Option 1 :
    Vista: http://www.vistax64.com/tutorials/141820-create-recovery-disc.html (Option Two)
    Windows 7: http://www.guidingtech.com/3816/system-repair-recovery-disc-windows-7/

    Option 2:
    Download Vista Recovery Disc iso image: http://neosmart.net/blog/2008/windows-vista-recovery-disc-download/
    Download Windows 7 Recovery Disc iso image: http://neosmart.net/blog/2009/windows-7-system-repair-discs/
    Burn it to CD, or DVD: http://neosmart.net/wiki/display/G/Burning+ISO+Images+to+a+CD+or+DVD

    2. Boot from created disk.

    Vista users. At first screen click on Repair your computer:

    Windows 7 users. At first screen click on Install now:
    Select your language and click next:
    Click the button for "Use recovery tools":

    The following applies to both Vista and Windows 7 users.

    This will bring you to a new screen where the repair process will look for all Windows Vista/7 installations on your computer. When done you will be presented with the System Recovery Options dialog box:
    After this, it will present you with a list of options including startup repair, system restore and command prompt:
    Select Command Prompt

    Type in:
    bootrec /FixMbr (<--- there is a "space" after "bootrec ")
    and then press Enter

    Once completed then type Exit, press Enter and restart computer.

    Post fresh MBRCheck log.
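The "MBR Code Faked!" line with its SHA1, the "at offset 0x..." volume lines in the MBRCheck output above, and the bootrec /FixMbr step all concern the first 512 bytes of PhysicalDrive0. As an added example that is not part of the thread, of MBRCheck or of bootrec, the following Python parses an MBR image the same way (SHA1 of the boot code, 0x55AA boot signature, byte offset of each partition) and compares it with a known-good snapshot; the two MBR images it builds are constructed, with only the two partition offsets taken from the log.

```python
"""Parse a 512-byte MBR image and compare it with a known-good snapshot.

Added example, not code from MBRCheck, ComboFix or the forum; both MBR images
built below are constructed, only the two partition offsets come from the log.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439: the boot code MBRCheck hashes
DISK_SIG_OFF = 440       # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # must be 0x55 0xAA

PART_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x05: "Extended", 0x0F: "Extended (LBA)", 0x27: "Hidden NTFS (recovery)"}


def parse_mbr(mbr: bytes) -> dict:
    """Return the fields a defender compares between two MBR snapshots."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        # status, type, 32-bit LBA start and sector count; the CHS bytes are skipped
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue                                  # empty table slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "byte_offset": lba_start * SECTOR,        # MBRCheck's "at offset" value
            "sectors": sectors,
        })
    return {
        "boot_code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "valid_signature": mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xAA",
        "partitions": partitions,
    }


def compare_to_baseline(current: bytes, baseline: bytes) -> list:
    """List what differs from a known-good snapshot: changed boot code is what
    MBRCheck reports as "MBR Code Faked!", a changed table is the "invalid
    partition table" symptom, a missing 0x55AA signature means no boot at all."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code_sha1"] != base["boot_code_sha1"]:
        findings.append("boot code differs from baseline: SHA1 %s (baseline %s)"
                        % (cur["boot_code_sha1"], base["boot_code_sha1"]))
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_mbr(boot_code: bytes, disk_sig: int, entries) -> bytes:
    """Assemble a test MBR from boot code and (bootable, type, lba_start, sectors) tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, ptype, lba, n)
                     for bootable, ptype, lba, n in entries)
    return code + struct.pack("<IH", disk_sig, 0) + table.ljust(64, b"\x00") + b"\x55\xAA"


def report(mbr: bytes) -> str:
    """Render an MBR summary in the style of the MBRCheck volume lines."""
    info = parse_mbr(mbr)
    lines = ["Boot code SHA1: %s" % info["boot_code_sha1"],
             "Boot signature: %s" % ("ok" if info["valid_signature"] else "MISSING")]
    for p in info["partitions"]:
        lines.append("partition %d -> at offset 0x%016X (%s, %d MiB%s)" % (
            p["index"], p["byte_offset"], p["type_name"],
            p["sectors"] * SECTOR // 2 ** 20, ", bootable" if p["bootable"] else ""))
    return "\n".join(lines)


# Constructed layout: an NTFS volume at 1 MiB (LBA 2048) and the main NTFS
# volume at byte offset 0x340100000, the two offsets seen in the MBRCheck log.
LAYOUT = [(False, 0x07, 2048, 27265024 - 2048),
          (True, 0x07, 27265024, 597877424)]
# Placeholder boot code standing in for the known-good snapshot ...
BASELINE_MBR = build_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 64, 0x1234ABCD, LAYOUT)
# ... and the same partition table under different boot code, which is how an
# overwritten MBR presents to the comparison.
TAMPERED_MBR = build_mbr(b"\xEB\x58\x90" + b"\xCC" * 64, 0x1234ABCD, LAYOUT)
```

On the live machine the same sector comes from the raw disk device (on Windows, \\.\PhysicalDrive0 opened read-only with administrator rights), which is also the sector bootrec /FixMbr rewrites with standard boot code while leaving the partition table alone.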
     
  6. 2011/01/25
    cilygo Inactive Thread Starter

    Looks like it didn't work again...does it matter that the first MBR had this < 9 GB \\.\PhysicalDrive1 RE: Windows XP MBR code detected > and in the next one it's gone? Thanks again for your help.


    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows 7 Home Premium Edition
    Windows Information: (build 7600), 32-bit
    Base Board Manufacturer: eMachines
    BIOS Manufacturer: American Megatrends Inc.
    System Manufacturer: eMachines
    System Product Name: ET1810
    Logical Drives Mask: 0x000003fc

    Kernel Drivers (total 189):

    Processes (total 53):
    0 System Idle Process
    4 System
    264 C:\Windows\System32\smss.exe
    404 C:\Windows\System32\csrss.exe
    468 C:\Windows\System32\wininit.exe
    480 C:\Windows\System32\csrss.exe
    524 C:\Windows\System32\services.exe
    540 C:\Windows\System32\lsass.exe
    548 C:\Windows\System32\lsm.exe
    612 C:\Windows\System32\winlogon.exe
    708 C:\Windows\System32\svchost.exe
    776 C:\Windows\System32\nvvsvc.exe
    816 C:\Windows\System32\svchost.exe
    880 C:\Windows\System32\svchost.exe
    964 C:\Windows\System32\svchost.exe
    988 C:\Windows\System32\svchost.exe
    1064 C:\Windows\System32\audiodg.exe
    1112 C:\Windows\System32\svchost.exe
    1204 C:\Windows\System32\svchost.exe
    1380 C:\Windows\System32\nvvsvc.exe
    1440 C:\Windows\System32\spoolsv.exe
    1476 C:\Windows\System32\svchost.exe
    1548 C:\Program Files\LSI SoftModem\agrsmsvc.exe
    1580 C:\Program Files\Cobian Backup 10\cbVSCService.exe
    1636 C:\Windows\System32\svchost.exe
    1664 C:\Windows\System32\svchost.exe
    1716 C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
    1872 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    1988 C:\Windows\System32\svchost.exe
    2020 C:\Program Files\ThreatFire\TFService.exe
    656 C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    2344 C:\Windows\System32\dwm.exe
    2352 C:\Windows\System32\taskeng.exe
    2384 C:\Windows\explorer.exe
    2392 C:\Windows\System32\taskhost.exe
    2552 C:\Windows\RtHDVCpl.exe
    2560 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    2572 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    2584 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
    2608 C:\Program Files\Freecorder\FLVSrvc.exe
    2628 C:\Program Files\ThreatFire\TFTray.exe
    2664 C:\Program Files\Windows Sidebar\sidebar.exe
    2828 C:\Windows\System32\taskeng.exe
    2932 C:\Windows\System32\wbem\WmiPrvSE.exe
    3456 C:\Windows\System32\wermgr.exe
    3500 C:\Windows\System32\SearchIndexer.exe
    3908 C:\Windows\System32\dllhost.exe
    3972 C:\Windows\System32\taskhost.exe
    4000 C:\Windows\System32\WUDFHost.exe
    1344 C:\Windows\System32\dllhost.exe
    2200 C:\Users\Cindy\Downloads\MBRCheck.exe
    2540 C:\Windows\System32\conhost.exe
    3284 C:\Windows\System32\dllhost.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000003`40100000 (NTFS)
    \\.\E: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)

    PhysicalDrive0 Model Number: ST3320813AS, Rev: SD23

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 MBR Code Faked!
    SHA1: 49E2A5313717CD5E7D7B59DAEE4D322F3F27221E


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
     
  7. 2011/01/25
    broni Moderator Malware Analyst

    We'll leave it for now....

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  8. 2011/01/25
    cilygo Inactive Thread Starter

    ComboFix 11-01-23.03 - Cindy 01/25/2011 17:42:19.1.2 - x86
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2815.1708 [GMT -6:00]
    Running from: c:\users\Cindy\Downloads\ComboFix.exe
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\iWin Games\iWinGamesHookIE.dll
    c:\users\Cindy\AppData\Roaming\inst.exe
    c:\windows\system32\AutoRun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2010-12-25 to 2011-01-25 )))))))))))))))))))))))))))))))
    .

    2011-01-25 23:57 . 2011-01-25 23:57 -------- d-----w- c:\users\Cindy\AppData\Local\temp
    2011-01-25 11:17 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{22FC7E68-6C22-41F8-8F43-5AB71FCFB631}\mpengine.dll
    2011-01-25 02:49 . 2011-01-25 02:49 -------- d-----w- c:\programdata\Blizzard Entertainment
    2011-01-24 18:42 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-24 18:42 . 2011-01-24 18:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-24 18:42 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-24 18:32 . 2011-01-24 18:32 -------- d-----w- c:\programdata\Malwarebytes
    2011-01-24 18:01 . 2011-01-24 18:01 -------- d-----w- c:\program files\SIW
    2011-01-24 17:27 . 2011-01-24 17:27 -------- d-----w- c:\programdata\PC Tools
    2011-01-24 17:27 . 2011-01-24 17:27 -------- d-----w- c:\programdata\NVIDIA
    2011-01-24 01:42 . 2011-01-24 01:42 -------- d-----w- c:\program files\trend micro
    2011-01-24 01:42 . 2011-01-24 01:42 -------- d-----w- C:\rsit
    2011-01-24 00:54 . 2011-01-24 00:54 -------- d-----w- c:\program files\Cobian Backup 10
    2011-01-22 08:34 . 2010-01-14 22:08 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
    2011-01-22 08:34 . 2010-01-14 22:08 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
    2011-01-22 08:34 . 2010-01-14 22:08 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
    2011-01-22 08:34 . 2011-01-22 08:35 -------- d-----w- c:\program files\ThreatFire
    2011-01-22 07:42 . 2011-01-24 15:29 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
    2011-01-17 00:39 . 2011-01-17 00:39 -------- d-----w- c:\users\Cindy\AppData\Roaming\Malwarebytes
    2011-01-12 14:14 . 2010-10-16 04:34 573440 ----a-w- c:\windows\system32\odbc32.dll
    2011-01-12 14:14 . 2010-10-16 04:33 372736 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
    2011-01-12 14:14 . 2010-10-16 04:33 352256 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
    2011-01-12 14:14 . 2010-10-16 04:33 987136 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2011-01-12 14:14 . 2010-10-16 04:33 208896 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
    2011-01-10 21:36 . 2011-01-10 21:36 -------- d-----w- c:\program files\MSECache
    2011-01-06 03:19 . 2011-01-06 03:19 -------- d-----w- C:\Sierra
    2010-12-30 03:25 . 2011-01-22 14:25 -------- d-----w- c:\program files\Windows Live Safety Center

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-24 01:55 . 2010-10-11 14:40 47360 ----a-w- c:\users\Cindy\AppData\Roaming\pcouffin.sys
    2010-11-29 23:38 . 2010-11-29 23:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 23:38 . 2010-11-29 23:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-13 00:53 . 2010-05-06 18:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-11 20:01 . 2010-11-11 20:01 6144 ----a-w- c:\windows\system32\drivers\UMDF\pt-PT\ZuneDriver.dll.mui
    2010-11-11 20:01 . 2010-11-11 20:01 6144 ----a-w- c:\windows\system32\drivers\UMDF\pt-BR\ZuneDriver.dll.mui
    2010-11-11 20:01 . 2010-11-11 20:01 6656 ----a-w- c:\windows\system32\drivers\UMDF\nl-NL\ZuneDriver.dll.mui
    2010-11-11 20:01 . 2010-11-11 20:01 6656 ----a-w- c:\windows\system32\drivers\UMDF\it-IT\ZuneDriver.dll.mui
    2010-11-11 20:01 . 2010-11-11 20:01 6144 ----a-w- c:\windows\system32\drivers\UMDF\fr-FR\ZuneDriver.dll.mui
    2010-11-11 20:01 . 2010-11-11 20:01 6656 ----a-w- c:\windows\system32\drivers\UMDF\es-ES\ZuneDriver.dll.mui
    2010-11-11 20:00 . 2010-11-11 20:00 6144 ----a-w- c:\windows\system32\drivers\UMDF\de-DE\ZuneDriver.dll.mui
    2010-11-04 05:52 . 2010-12-16 04:30 978944 ----a-w- c:\windows\system32\wininet.dll
    2010-11-04 05:48 . 2010-12-16 04:30 44544 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-04 04:41 . 2010-12-16 04:30 386048 ----a-w- c:\windows\system32\html.iec
    2010-11-04 04:08 . 2010-12-16 04:30 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-11-02 04:41 . 2010-12-16 04:30 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2010-11-02 04:40 . 2010-12-16 04:30 496128 ----a-w- c:\windows\system32\taskschd.dll
    2010-11-02 04:40 . 2010-12-16 04:30 305152 ----a-w- c:\windows\system32\taskcomp.dll
    2010-11-02 04:39 . 2010-12-16 04:30 749056 ----a-w- c:\windows\system32\schedsvc.dll
    2010-11-02 04:34 . 2010-12-16 04:30 192000 ----a-w- c:\windows\system32\taskeng.exe
    2010-11-02 04:34 . 2010-12-16 04:30 179712 ----a-w- c:\windows\system32\schtasks.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{1392b8d2-5c05-419f-a8f6-b9f15a596612} "= "c:\program files\Freecorder\tbFree.dll" [2010-10-18 3908192]

    [HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{1392B8D2-5C05-419F-A8F6-B9F15A596612} "= "c:\program files\Freecorder\tbFree.dll" [2010-10-18 3908192]

    [HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar "= "c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl "= "RtHDVCpl.exe" [2008-07-23 6183456]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "Freecorder FLV Service "= "c:\program files\Freecorder\FLVSrvc.exe" [2010-06-26 167936]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "ThreatFire "= "c:\program files\ThreatFire\TFTray.exe" [2010-01-14 378128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin "= 5 (0x5)
    "ConsentPromptBehaviorUser "= 3 (0x3)
    "EnableUIADesktopToggle "= 0 (0x0)
    "PromptOnSecureDesktop "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux "=wdmaud.drv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
    backupExtension=.CommonStartup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
    2009-07-14 01:14 144384 ----a-w- c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2005-02-16 21:15 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2006-09-11 17:56 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2010-02-17 08:30 5244216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
    2010-11-19 19:38 193880 ----a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2010-04-17 03:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PAC207_Monitor]
    2007-12-11 01:55 323584 ----a-w- c:\windows\PixArt\Pac207\Monitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
    2010-08-24 09:38 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
    2010-11-11 19:55 159472 ----a-w- c:\program files\Zune\ZuneLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "SSBkgdUpdate "= "c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 EMCD;EMCD;c:\users\Cindy\AppData\Local\Temp\EMCD.exe [x]
    R3 GQRIEDDK;GQRIEDDK;c:\users\Cindy\AppData\Local\Temp\GQRIEDDK.exe [x]
    R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2007-08-16 552448]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-26 1343400]
    R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-11-11 268528]
    R4 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [2010-01-21 78104]
    R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-09-12 691696]
    S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-01-14 51984]
    S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-01-14 59664]
    S2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [2010-09-23 67584]
    S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service [x]
    S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
    S3 PAC207;PC Camer@;c:\windows\system32\DRIVERS\PFC027.SYS [2008-02-13 618112]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-06-23 275048]
    S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-01-14 33552]


    --- Other Services/Drivers In Memory ---

    *Deregistered* - eeCtrl
    *Deregistered* - EraserUtilRebootDrv
    *Deregistered* - IDSVix86
    *Deregistered* - SymEFA
    *Deregistered* - SymEvent
    *Deregistered* - SYMTDI

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-25 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2010-09-12 20:13]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.msn.com
    mStart Page = hxxp://www.msn.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Cindy\AppData\Roaming\Mozilla\Firefox\Profiles\2v94qpkj.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\program files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Cindy\AppData\Roaming\Move Networks
    FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    AddRemove-LSI Soft Modem - c:\windows\agrsmdel



    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ThreatFire]
    "AlternateImagePath "=" "
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000
    "MSCurrentCountry "=dword:000000b5

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(612)
    c:\program files\ThreatFire\TFWAH.dll

    - - - - - - - > 'lsass.exe'(540)
    c:\program files\ThreatFire\TFWAH.dll
    .
    Completion time: 2011-01-25 18:05:12
    ComboFix-quarantined-files.txt 2011-01-26 00:05

    Pre-Run: 163,387,392,000 bytes free
    Post-Run: 163,316,928,512 bytes free

    - - End Of File - - 21722FE338AA28614A52F5D56ED7C642
     
  9. 2011/01/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I don't see any antivirus program running.
    What's the story there?

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Driver::
    EMCD
    GQRIEDDK
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [IMG: animation showing CFScript.txt being dragged onto ComboFix.exe]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  10. 2011/01/25
    cilygo

    cilygo Inactive Thread Starter

    Joined:
    2011/01/24
    Messages:
    12
    Likes Received:
    0
    I had Avast, then my husband took it off and put on Kaspersky, took that off and then put on ThreatFire. He said it was the only one that caught the rootkit. I haven't messed with it because I posted here for help and didn't want to mess anything else up.

    ComboFix 11-01-23.03 - Cindy 01/25/2011 19:49:33.2.2 - x86
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2815.1677 [GMT -6:00]
    Running from: c:\users\Cindy\Downloads\ComboFix.exe
    Command switches used :: c:\users\Cindy\Desktop\CFScript.txt
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_EMCD
    -------\Service_GQRIEDDK


    ((((((((((((((((((((((((( Files Created from 2010-12-26 to 2011-01-26 )))))))))))))))))))))))))))))))
    .

    2011-01-26 02:03 . 2011-01-26 02:03 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2011-01-26 02:03 . 2011-01-26 02:03 -------- d-----w- c:\users\Kids\AppData\Local\temp
    2011-01-26 02:03 . 2011-01-26 02:03 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-01-26 02:03 . 2011-01-26 02:03 -------- d-----w- c:\users\Brad\AppData\Local\temp
    2011-01-26 00:05 . 2011-01-26 02:08 -------- d-----w- c:\users\Cindy\AppData\Local\temp
    2011-01-25 11:17 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{22FC7E68-6C22-41F8-8F43-5AB71FCFB631}\mpengine.dll
    2011-01-25 02:49 . 2011-01-25 02:49 -------- d-----w- c:\programdata\Blizzard Entertainment
    2011-01-24 18:42 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-24 18:42 . 2011-01-24 18:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-24 18:42 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-24 18:32 . 2011-01-24 18:32 -------- d-----w- c:\programdata\Malwarebytes
    2011-01-24 18:01 . 2011-01-24 18:01 -------- d-----w- c:\program files\SIW
    2011-01-24 17:27 . 2011-01-24 17:27 -------- d-----w- c:\programdata\PC Tools
    2011-01-24 17:27 . 2011-01-24 17:27 -------- d-----w- c:\programdata\NVIDIA
    2011-01-24 01:42 . 2011-01-24 01:42 -------- d-----w- c:\program files\trend micro
    2011-01-24 01:42 . 2011-01-24 01:42 -------- d-----w- C:\rsit
    2011-01-24 00:54 . 2011-01-24 00:54 -------- d-----w- c:\program files\Cobian Backup 10
    2011-01-22 08:34 . 2010-01-14 22:08 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
    2011-01-22 08:34 . 2010-01-14 22:08 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
    2011-01-22 08:34 . 2010-01-14 22:08 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
    2011-01-22 08:34 . 2011-01-22 08:35 -------- d-----w- c:\program files\ThreatFire
    2011-01-22 07:42 . 2011-01-24 15:29 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
    2011-01-17 00:39 . 2011-01-17 00:39 -------- d-----w- c:\users\Cindy\AppData\Roaming\Malwarebytes
    2011-01-12 14:14 . 2010-10-16 04:34 573440 ----a-w- c:\windows\system32\odbc32.dll
    2011-01-12 14:14 . 2010-10-16 04:33 372736 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
    2011-01-12 14:14 . 2010-10-16 04:33 352256 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
    2011-01-12 14:14 . 2010-10-16 04:33 987136 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2011-01-12 14:14 . 2010-10-16 04:33 208896 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
    2011-01-10 21:36 . 2011-01-10 21:36 -------- d-----w- c:\program files\MSECache
    2011-01-06 03:19 . 2011-01-06 03:19 -------- d-----w- C:\Sierra
    2010-12-30 03:25 . 2011-01-22 14:25 -------- d-----w- c:\program files\Windows Live Safety Center

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-24 01:55 . 2010-10-11 14:40 47360 ----a-w- c:\users\Cindy\AppData\Roaming\pcouffin.sys
    2010-11-29 23:38 . 2010-11-29 23:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 23:38 . 2010-11-29 23:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-13 00:53 . 2010-05-06 18:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-11 20:01 . 2010-11-11 20:01 6144 ----a-w- c:\windows\system32\drivers\UMDF\pt-PT\ZuneDriver.dll.mui
    2010-11-11 20:01 . 2010-11-11 20:01 6144 ----a-w- c:\windows\system32\drivers\UMDF\pt-BR\ZuneDriver.dll.mui
    2010-11-11 20:01 . 2010-11-11 20:01 6656 ----a-w- c:\windows\system32\drivers\UMDF\nl-NL\ZuneDriver.dll.mui
    2010-11-11 20:01 . 2010-11-11 20:01 6656 ----a-w- c:\windows\system32\drivers\UMDF\it-IT\ZuneDriver.dll.mui
    2010-11-11 20:01 . 2010-11-11 20:01 6144 ----a-w- c:\windows\system32\drivers\UMDF\fr-FR\ZuneDriver.dll.mui
    2010-11-11 20:01 . 2010-11-11 20:01 6656 ----a-w- c:\windows\system32\drivers\UMDF\es-ES\ZuneDriver.dll.mui
    2010-11-11 20:00 . 2010-11-11 20:00 6144 ----a-w- c:\windows\system32\drivers\UMDF\de-DE\ZuneDriver.dll.mui
    2010-11-04 05:52 . 2010-12-16 04:30 978944 ----a-w- c:\windows\system32\wininet.dll
    2010-11-04 05:48 . 2010-12-16 04:30 44544 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-04 04:41 . 2010-12-16 04:30 386048 ----a-w- c:\windows\system32\html.iec
    2010-11-04 04:08 . 2010-12-16 04:30 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-11-02 04:41 . 2010-12-16 04:30 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2010-11-02 04:40 . 2010-12-16 04:30 496128 ----a-w- c:\windows\system32\taskschd.dll
    2010-11-02 04:40 . 2010-12-16 04:30 305152 ----a-w- c:\windows\system32\taskcomp.dll
    2010-11-02 04:39 . 2010-12-16 04:30 749056 ----a-w- c:\windows\system32\schedsvc.dll
    2010-11-02 04:34 . 2010-12-16 04:30 192000 ----a-w- c:\windows\system32\taskeng.exe
    2010-11-02 04:34 . 2010-12-16 04:30 179712 ----a-w- c:\windows\system32\schtasks.exe
    .

    ((((((((((((((((((((((((((((( SnapShot@2011-01-25_23.58.07 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2009-07-14 04:55 . 2011-01-25 22:29 46622 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 04:55 . 2011-01-26 02:08 46622 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2009-12-05 14:59 . 2011-01-26 02:08 10758 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-819319508-579725924-201858301-1000_UserData.bin
    - 2009-12-05 06:15 . 2011-01-25 22:26 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-12-05 06:15 . 2011-01-26 02:07 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-12-05 06:15 . 2011-01-26 02:07 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-12-05 06:15 . 2011-01-25 22:26 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:41 . 2011-01-25 22:26 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:41 . 2011-01-26 02:07 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-12-05 15:01 . 2011-01-26 02:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-12-05 15:01 . 2011-01-25 23:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-12-05 15:01 . 2011-01-25 23:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-12-05 15:01 . 2011-01-26 02:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2011-01-25 22:26 . 2011-01-25 22:26 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-01-25 22:26 . 2011-01-26 02:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-01-25 22:26 . 2011-01-26 02:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2011-01-25 22:26 . 2011-01-25 22:26 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{1392b8d2-5c05-419f-a8f6-b9f15a596612} "= "c:\program files\Freecorder\tbFree.dll" [2010-10-18 3908192]

    [HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{1392B8D2-5C05-419F-A8F6-B9F15A596612} "= "c:\program files\Freecorder\tbFree.dll" [2010-10-18 3908192]

    [HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar "= "c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl "= "RtHDVCpl.exe" [2008-07-23 6183456]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "Freecorder FLV Service "= "c:\program files\Freecorder\FLVSrvc.exe" [2010-06-26 167936]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "ThreatFire "= "c:\program files\ThreatFire\TFTray.exe" [2010-01-14 378128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin "= 5 (0x5)
    "ConsentPromptBehaviorUser "= 3 (0x3)
    "EnableUIADesktopToggle "= 0 (0x0)
    "PromptOnSecureDesktop "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux "=wdmaud.drv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
    2009-07-14 01:14 144384 ----a-w- c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2005-02-16 21:15 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2006-09-11 17:56 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2010-02-17 08:30 5244216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
    2010-11-19 19:38 193880 ----a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2010-04-17 03:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PAC207_Monitor]
    2007-12-11 01:55 323584 ----a-w- c:\windows\PixArt\Pac207\Monitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
    2010-08-24 09:38 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
    2010-11-11 19:55 159472 ----a-w- c:\program files\Zune\ZuneLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "SSBkgdUpdate "= "c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-26 1343400]
    R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-11-11 268528]
    R4 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [2010-01-21 78104]
    R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-09-12 691696]
    S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-01-14 51984]
    S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-01-14 59664]
    S2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [2010-09-23 67584]
    S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service [x]
    S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
    S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2007-08-16 552448]
    S3 PAC207;PC Camer@;c:\windows\system32\DRIVERS\PFC027.SYS [2008-02-13 618112]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-06-23 275048]
    S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-01-14 33552]


    --- Other Services/Drivers In Memory ---

    *Deregistered* - eeCtrl
    *Deregistered* - EraserUtilRebootDrv
    *Deregistered* - IDSVix86
    *Deregistered* - SymEFA
    *Deregistered* - SymEvent
    *Deregistered* - SYMTDI

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-26 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2010-09-12 20:13]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.msn.com
    mStart Page = hxxp://www.msn.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Cindy\AppData\Roaming\Mozilla\Firefox\Profiles\2v94qpkj.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\program files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Cindy\AppData\Roaming\Move Networks
    FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
    .

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ThreatFire]
    "AlternateImagePath "=" "
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000
    "MSCurrentCountry "=dword:000000b5

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(604)
    c:\program files\ThreatFire\TFWAH.dll

    - - - - - - - > 'lsass.exe'(540)
    c:\program files\ThreatFire\TFWAH.dll

    - - - - - - - > 'Explorer.exe'(2804)
    c:\program files\ThreatFire\TfWah.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\windows\system32\nvvsvc.exe
    c:\program files\LSI SoftModem\agrsmsvc.exe
    c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\ThreatFire\TFService.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\program files\windows defender\MpCmdRun.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-25 20:16:08 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-01-26 02:16
    ComboFix2.txt 2011-01-26 00:05

    Pre-Run: 163,367,620,608 bytes free
    Post-Run: 163,170,234,368 bytes free

    - - End Of File - - 9AE22114F99F1598235C5AD47FDF63FC
     
  11. 2011/01/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very well.
    ThreatFire is not an AV program, btw.

    Combofix log looks good, so now you're ready to install some AV program.
    I suggest one of these:
    - Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
    - Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html

    When done....

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:

    Code:
    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  12. 2011/01/26
    cilygo

    cilygo Inactive Thread Starter

    Joined:
    2011/01/24
    Messages:
    12
    Likes Received:
    0
    OTL logfile created on: 1/26/2011 9:44:03 AM - Run 1
    OTL by OldTimer - Version 3.2.20.6 Folder = C:\Users\Cindy\Downloads
    Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7600.16385)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
    3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 70.00% Memory free
    5.00 Gb Paging File | 5.00 Gb Available in Paging File | 85.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]
    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 285.09 Gb Total Space | 157.64 Gb Free Space | 55.29% Space Free | Partition Type: NTFS
    Drive E: | 13.00 Gb Total Space | 5.63 Gb Free Space | 43.32% Space Free | Partition Type: NTFS
    Computer Name: CINDYSCOMPUTER | User Name: Cindy | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
    ========== Processes (SafeList) ==========
    PRC - [2011/01/26 08:37:23 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Cindy\Downloads\OTL.exe
    PRC - [2011/01/13 02:47:34 | 003,396,624 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    PRC - [2011/01/13 02:47:33 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    PRC - [2010/11/19 13:29:00 | 004,916,568 | ---- | M] (LeapFrog Enterprises, Inc.) -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
    PRC - [2010/09/23 09:49:08 | 000,067,584 | ---- | M] (CobianSoft, Luis Cobian) -- C:\Program Files\Cobian Backup 10\cbVSCService.exe
    PRC - [2010/08/24 03:38:18 | 000,092,008 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    PRC - [2010/06/26 12:09:18 | 000,167,936 | ---- | M] (Applian Technologies, Inc.) -- C:\Program Files\Freecorder\FLVSrvc.exe
    PRC - [2009/10/30 23:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2009/07/13 19:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
    PRC - [2009/03/27 22:10:56 | 000,014,336 | ---- | M] (LSI Corporation) -- C:\Program Files\LSI SoftModem\agrsmsvc.exe
    PRC - [2009/01/14 16:53:02 | 000,226,656 | ---- | M] (Microsoft Corp.) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    PRC - [2008/07/23 12:25:32 | 006,183,456 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
    ========== Modules (SafeList) ==========
    MOD - [2011/01/26 08:37:23 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Cindy\Downloads\OTL.exe
    MOD - [2011/01/13 02:47:35 | 000,189,728 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\snxhk.dll
    MOD - [2010/08/20 23:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll
    MOD - [2009/07/13 19:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
    MOD - [2009/07/13 19:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
    MOD - [2009/07/13 19:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
    MOD - [2009/07/13 19:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
    MOD - [2009/07/13 19:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
    MOD - [2009/07/13 19:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
    MOD - [2009/07/13 19:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
    MOD - [2009/07/13 19:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
    MOD - [2009/07/13 19:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
    MOD - [2009/07/13 19:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
    ========== Win32 Services (SafeList) ==========
    SRV - [2011/01/13 02:47:33 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2010/11/19 13:29:00 | 004,916,568 | ---- | M] (LeapFrog Enterprises, Inc.) [Auto | Running] -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe -- (LeapFrog Connect Device Service)
    SRV - [2010/11/11 13:57:04 | 000,268,528 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\WMZuneComm.exe -- (WMZuneComm)
    SRV - [2010/11/11 13:57:02 | 000,444,656 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
    SRV - [2010/11/11 13:55:56 | 006,351,600 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
    SRV - [2010/09/23 09:49:08 | 000,067,584 | ---- | M] (CobianSoft, Luis Cobian) [Auto | Running] -- C:\Program Files\Cobian Backup 10\cbVSCService.exe -- (cbVSCService)
    SRV - [2010/08/24 03:38:18 | 000,092,008 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
    SRV - [2010/04/28 06:44:02 | 000,704,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
    SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2010/02/26 14:14:15 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
    SRV - [2010/01/21 13:12:42 | 000,078,104 | ---- | M] (iWin Inc.) [Disabled | Stopped] -- C:\Program Files\iWin Games\iWinTrusted.exe -- (iWinTrusted)
    SRV - [2009/07/13 19:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
    SRV - [2009/07/13 19:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
    SRV - [2009/07/13 19:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
    SRV - [2009/07/13 19:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
    SRV - [2009/07/13 19:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
    SRV - [2009/07/13 19:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
    SRV - [2009/07/13 19:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
    SRV - [2009/07/13 19:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
    SRV - [2009/07/13 19:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
    SRV - [2009/07/13 19:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
    SRV - [2009/07/13 19:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
    SRV - [2009/07/13 19:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2009/07/13 19:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
    SRV - [2009/07/13 19:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
    SRV - [2009/07/13 19:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
    SRV - [2009/07/13 19:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
    SRV - [2009/07/13 19:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
    SRV - [2009/07/13 19:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
    SRV - [2009/07/13 19:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
    SRV - [2009/07/13 19:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
    SRV - [2009/03/27 22:10:56 | 000,014,336 | ---- | M] (LSI Corporation) [Auto | Running] -- C:\Program Files\LSI SoftModem\agrsmsvc.exe -- (AgereModemAudio)
    SRV - [2009/01/14 16:53:02 | 000,226,656 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
    ========== Driver Services (SafeList) ==========
    DRV - [2011/01/13 02:41:16 | 000,294,608 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2011/01/13 02:40:16 | 000,047,440 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2011/01/13 02:37:30 | 000,023,632 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2011/01/13 02:37:19 | 000,051,280 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
    DRV - [2011/01/13 02:37:09 | 000,017,744 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2010/09/12 12:54:39 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
    DRV - [2010/07/10 04:37:00 | 011,008,040 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2010/06/23 08:10:54 | 000,275,048 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rt86win7.sys -- (RTL8167)
    DRV - [2010/04/28 06:44:02 | 000,054,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\fssfltr.sys -- (fssfltr)
    DRV - [2009/12/11 01:44:02 | 000,133,720 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
    DRV - [2009/09/02 03:09:24 | 000,176,128 | ---- | M] (Realtek ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
    DRV - [2009/08/13 15:07:12 | 001,163,328 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
    DRV - [2009/07/13 19:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
    DRV - [2009/07/13 19:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
    DRV - [2009/07/13 19:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
    DRV - [2009/07/13 19:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
    DRV - [2009/07/13 19:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
    DRV - [2009/07/13 19:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
    DRV - [2009/07/13 19:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
    DRV - [2009/07/13 19:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
    DRV - [2009/07/13 19:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
    DRV - [2009/07/13 19:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
    DRV - [2009/07/13 19:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
    DRV - [2009/07/13 19:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
    DRV - [2009/07/13 19:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
    DRV - [2009/07/13 19:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
    DRV - [2009/07/13 19:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
    DRV - [2009/07/13 19:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
    DRV - [2009/07/13 19:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
    DRV - [2009/07/13 19:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
    DRV - [2009/07/13 19:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
    DRV - [2009/07/13 19:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
    DRV - [2009/07/13 19:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
    DRV - [2009/07/13 19:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
    DRV - [2009/07/13 19:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
    DRV - [2009/07/13 19:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
    DRV - [2009/07/13 19:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
    DRV - [2009/07/13 19:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
    DRV - [2009/07/13 19:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
    DRV - [2009/07/13 19:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
    DRV - [2009/07/13 19:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
    DRV - [2009/07/13 19:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
    DRV - [2009/07/13 19:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
    DRV - [2009/07/13 19:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
    DRV - [2009/07/13 19:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
    DRV - [2009/07/13 19:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
    DRV - [2009/07/13 19:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
    DRV - [2009/07/13 19:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
    DRV - [2009/07/13 19:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
    DRV - [2009/07/13 19:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
    DRV - [2009/07/13 19:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
    DRV - [2009/07/13 18:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
    DRV - [2009/07/13 18:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\rdpbus.sys -- (rdpbus)
    DRV - [2009/07/13 18:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
    DRV - [2009/07/13 17:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
    DRV - [2009/07/13 17:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
    DRV - [2009/07/13 17:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
    DRV - [2009/07/13 17:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
    DRV - [2009/07/13 17:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\1394ohci.sys -- (1394ohci)
    DRV - [2009/07/13 17:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\umpass.sys -- (UmPass)
    DRV - [2009/07/13 17:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
    DRV - [2009/07/13 17:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
    DRV - [2009/07/13 17:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
    DRV - [2009/07/13 17:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
    DRV - [2009/07/13 17:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
    DRV - [2009/07/13 17:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
    DRV - [2009/07/13 17:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
    DRV - [2009/07/13 17:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
    DRV - [2009/07/13 17:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
    DRV - [2009/07/13 16:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
    DRV - [2009/07/13 16:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
    DRV - [2009/07/13 16:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
    DRV - [2009/07/13 16:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
    DRV - [2009/07/13 16:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
    DRV - [2009/07/13 16:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
    DRV - [2009/07/13 16:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
    DRV - [2009/07/13 16:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
    DRV - [2009/07/13 16:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
    DRV - [2009/06/04 19:43:16 | 000,330,264 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStor.sys -- (iaStor)
    DRV - [2008/07/23 12:28:32 | 002,152,344 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2008/02/13 17:17:26 | 000,618,112 | ---- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PFC027.SYS -- (PAC207)
    DRV - [2008/01/25 06:02:02 | 000,140,832 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\nvstor32.sys -- (nvstor32)
    DRV - [2007/08/16 12:49:48 | 000,552,448 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netr28u.sys -- (netr28u)
    ========== Standard Registry (SafeList) ==========
    ========== Internet Explorer ==========
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
    IE - HKLM\..\URLSearchHook: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll (Conduit Ltd.)
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-819319508-579725924-201858301-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
    IE - HKU\S-1-5-21-819319508-579725924-201858301-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKU\S-1-5-21-819319508-579725924-201858301-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
    IE - HKU\S-1-5-21-819319508-579725924-201858301-1000\..\URLSearchHook: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll (Conduit Ltd.)
    IE - HKU\S-1-5-21-819319508-579725924-201858301-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    ========== FireFox ==========
    FF - prefs.js..browser.search.defaultengine: "Ask.com "
    FF - prefs.js..browser.search.defaultenginename: "Ask.com "
    FF - prefs.js..browser.search.order.1: "Ask.com "
    FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm "
    FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm "
    FF - prefs.js..browser.search.param.yahoo-type: "${8} "
    FF - prefs.js..browser.search.selectedEngine: "Google "
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "http://www.google.com/ "
    FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.2.20100127023632
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    FF - HKLM\software\mozilla\Firefox\Extensions\\{0329E7D6-6F54-462D-93F6-F5C3118BADF2}: C:\Program Files\SpeedBit Video Downloader\SPFireFox
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/24 10:23:08 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/24 10:23:08 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
    [2011/01/24 11:44:06 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Cindy\AppData\Roaming\Mozilla\Extensions
    [2011/01/25 19:35:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Cindy\AppData\Roaming\Mozilla\Firefox\Profiles\2v94qpkj.default\extensions
    [2010/12/12 12:49:09 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Cindy\AppData\Roaming\Mozilla\Firefox\Profiles\2v94qpkj.default\extensions\{0329E7D6-6F54-462D-93F6-F5C3118BADF2}
    [2010/09/05 21:16:43 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Cindy\AppData\Roaming\Mozilla\Firefox\Profiles\2v94qpkj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2010/11/09 14:13:06 | 000,002,568 | ---- | M] () -- C:\Users\Cindy\AppData\Roaming\Mozilla\Firefox\Profiles\2v94qpkj.default\searchplugins\askcom.xml
    [2010/12/03 10:16:01 | 000,001,218 | ---- | M] () -- C:\Users\Cindy\AppData\Roaming\Mozilla\Firefox\Profiles\2v94qpkj.default\searchplugins\kikin-search.xml
    [2011/01/25 19:35:18 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2010/03/10 13:46:44 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    [2010/05/06 12:39:11 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2010/08/02 21:17:53 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    [2011/01/12 08:38:38 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    [2010/04/23 20:51:21 | 000,000,000 | ---D | M] (Move Media Player) -- C:\USERS\CINDY\APPDATA\ROAMING\MOVE NETWORKS
    [2009/11/19 16:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
    [2010/11/12 18:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
    [2009/11/19 16:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
    [2009/08/03 15:07:42 | 000,373,104 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\npOGAPlugin.dll
    O1 HOSTS File: ([2011/01/25 20:07:40 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.)
    O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
    O3 - HKU\S-1-5-21-819319508-579725924-201858301-1000\..\Toolbar\WebBrowser: (Freecorder Toolbar) - {1392B8D2-5C05-419F-A8F6-B9F15A596612} - C:\Program Files\Freecorder\tbFree.dll (Conduit Ltd.)
    O3 - HKU\S-1-5-21-819319508-579725924-201858301-1000\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
    O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [Freecorder FLV Service] C:\Program Files\Freecorder\FLVSrvc.exe (Applian Technologies, Inc.)
    O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-819319508-579725924-201858301-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-819319508-579725924-201858301-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-819319508-579725924-201858301-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\S-1-5-21-819319508-579725924-201858301-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
    O7 - HKU\S-1-5-21-819319508-579725924-201858301-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
    O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O24 - Desktop WallPaper:
    O24 - Desktop BackupWallPaper:
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
    O30 - LSA: Security Packages - (livessp) - C:\Windows\System32\livessp.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/06/10 15:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    NetSvcs: FastUserSwitchingCompatibility - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Nla - File not found
    NetSvcs: Ntmssvc - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: SRService - File not found
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: LogonHours - File not found
    NetSvcs: PCAudit - File not found
    NetSvcs: helpsvc - File not found
    NetSvcs: uploadmgr - File not found
    NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)
    NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)
    Drivers32: msacm.avis - C:\Windows\System32\ff_acm.acm ()
    Drivers32: msacm.clmp3enc - C:\Program Files\CyberLink\Power2Go\CLMP3Enc.ACM (CyberLink Corp.)
    Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.l3codecp - C:\Windows\System32\l3codecp.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.DIVX - C:\Windows\System32\DivX.dll (DivX, Inc.)
    Drivers32: VIDC.FFDS - C:\Windows\System32\ff_vfw.dll ()
    Drivers32: VIDC.IV41 - C:\Windows\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.VP60 - C:\Windows\System32\vp6vfw.dll (On2.com)
    Drivers32: vidc.VP61 - C:\Windows\System32\vp6vfw.dll (On2.com)
    Drivers32: vidc.yv12 - C:\Windows\System32\DivX.dll (DivX, Inc.)
    ========== Files/Folders - Created Within 30 Days ==========
    [2011/01/26 09:12:25 | 000,294,608 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
    [2011/01/26 09:12:25 | 000,017,744 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
    [2011/01/26 09:12:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
    [2011/01/26 09:12:24 | 000,023,632 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
    [2011/01/26 09:12:23 | 000,047,440 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
    [2011/01/26 09:12:22 | 000,051,280 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
    [2011/01/26 09:12:14 | 000,188,216 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
    [2011/01/26 09:12:14 | 000,038,848 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
    [2011/01/26 09:12:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Alwil Software
    [2011/01/25 20:16:23 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2011/01/25 20:14:27 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2011/01/25 19:44:06 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
    [2011/01/25 18:05:26 | 000,000,000 | ---D | C] -- C:\Users\Cindy\AppData\Local\temp
    [2011/01/25 17:38:20 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2011/01/25 17:38:20 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2011/01/25 17:38:20 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2011/01/25 17:37:54 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2011/01/25 17:37:10 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/01/24 20:49:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Blizzard Entertainment
    [2011/01/24 12:42:11 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
    [2011/01/24 12:42:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/01/24 12:42:07 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2011/01/24 12:42:07 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/01/24 12:32:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2011/01/24 12:01:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SIW
    [2011/01/24 12:01:25 | 000,000,000 | ---D | C] -- C:\Program Files\SIW
    [2011/01/24 11:27:51 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA
    [2011/01/23 19:42:07 | 000,000,000 | ---D | C] -- C:\Program Files\trend micro
    [2011/01/23 19:42:06 | 000,000,000 | ---D | C] -- C:\rsit
    [2011/01/23 18:54:19 | 000,000,000 | ---D | C] -- C:\Program Files\Cobian Backup 10
    [2011/01/22 03:52:49 | 000,000,000 | ---D | C] -- C:\Windows\pss
    [2011/01/22 01:42:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab Setup Files
    [2011/01/22 01:04:46 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
    [2011/01/16 18:39:45 | 000,000,000 | ---D | C] -- C:\Users\Cindy\AppData\Roaming\Malwarebytes
    [2011/01/10 15:36:08 | 000,000,000 | ---D | C] -- C:\Program Files\MSECache
    [2011/01/05 21:19:08 | 000,000,000 | ---D | C] -- C:\Sierra
    [2010/12/29 21:25:50 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
    [2010/10/11 08:40:51 | 000,047,360 | ---- | C] (VSO Software) -- C:\Users\Cindy\AppData\Roaming\pcouffin.sys
    ========== Files - Modified Within 30 Days ==========
    [2011/01/26 09:37:57 | 000,016,400 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2011/01/26 09:37:57 | 000,016,400 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2011/01/26 09:35:32 | 000,623,940 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2011/01/26 09:35:32 | 000,106,316 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2011/01/26 09:28:38 | 000,000,312 | ---- | M] () -- C:\Windows\tasks\GlaryInitialize.job
    [2011/01/26 09:28:09 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2011/01/26 09:28:04 | 2213,990,400 | -HS- | M] () -- C:\hiberfil.sys
    [2011/01/26 09:24:50 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
    [2011/01/26 09:12:25 | 000,001,963 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
    [2011/01/25 20:07:40 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2011/01/25 15:20:30 | 009,555,209 | ---- | M] () -- C:\Users\Cindy\Documents\TheNews.wma
    [2011/01/25 15:01:12 | 009,546,229 | ---- | M] () -- C:\Users\Cindy\Documents\PreDropoff.wma
    [2011/01/25 14:23:39 | 000,795,219 | ---- | M] () -- C:\Users\Cindy\Documents\test.wma
    [2011/01/25 13:49:04 | 010,004,209 | ---- | M] () -- C:\Users\Cindy\Documents\GettingNews.wma
    [2011/01/25 13:34:44 | 001,131,969 | ---- | M] () -- C:\Users\Cindy\Documents\DropOff.wma
    [2011/01/23 22:08:39 | 000,000,020 | ---- | M] () -- C:\Users\Cindy\defogger_reenable
    [2011/01/23 19:55:48 | 000,047,360 | ---- | M] (VSO Software) -- C:\Users\Cindy\AppData\Roaming\pcouffin.sys
    [2011/01/23 19:55:48 | 000,007,887 | ---- | M] () -- C:\Users\Cindy\AppData\Roaming\pcouffin.cat
    [2011/01/23 19:55:48 | 000,001,144 | ---- | M] () -- C:\Users\Cindy\AppData\Roaming\pcouffin.inf
    [2011/01/15 12:56:48 | 000,156,196 | ---- | M] () -- C:\Users\Cindy\Documents\BOGO_US_2.pdf
    [2011/01/13 19:20:25 | 153,112,576 | ---- | M] () -- C:\ERD.ISO
    [2011/01/13 02:47:35 | 000,038,848 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
    [2011/01/13 02:47:32 | 000,188,216 | ---- | M] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
    [2011/01/13 02:41:16 | 000,294,608 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
    [2011/01/13 02:40:16 | 000,047,440 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
    [2011/01/13 02:37:30 | 000,023,632 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
    [2011/01/13 02:37:19 | 000,051,280 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
    [2011/01/13 02:37:09 | 000,017,744 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
    [2011/01/06 19:21:11 | 000,003,482 | ---- | M] () -- C:\Users\Cindy\Documents\Document.rtf
    [2011/01/06 13:11:18 | 000,002,635 | ---- | M] () -- C:\Users\Cindy\AppData\Roaming\SAS7_000.DAT
    [2011/01/05 21:08:00 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2011/01/05 21:08:00 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2011/01/01 22:33:18 | 000,322,048 | ---- | M] () -- C:\Users\Cindy\Documents\Doc1.doc
    [2010/12/31 17:34:42 | 000,016,173 | ---- | M] () -- C:\Users\Cindy\Documents\CSE_Handbook.pdf
    [2010/12/29 13:22:05 | 000,000,632 | RHS- | M] () -- C:\Users\Cindy\ntuser.pol
    ========== Files Created - No Company Name ==========
    [2011/01/26 09:12:25 | 000,001,963 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
    [2011/01/25 17:38:20 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
    [2011/01/25 17:38:20 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2011/01/25 17:38:20 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
    [2011/01/25 17:38:20 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2011/01/25 17:38:20 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2011/01/25 15:20:30 | 009,555,209 | ---- | C] () -- C:\Users\Cindy\Documents\TheNews.wma
    [2011/01/25 15:01:12 | 009,546,229 | ---- | C] () -- C:\Users\Cindy\Documents\PreDropoff.wma
    [2011/01/25 14:22:24 | 000,795,219 | ---- | C] () -- C:\Users\Cindy\Documents\test.wma
    [2011/01/25 13:49:04 | 010,004,209 | ---- | C] () -- C:\Users\Cindy\Documents\GettingNews.wma
    [2011/01/25 13:34:44 | 001,131,969 | ---- | C] () -- C:\Users\Cindy\Documents\DropOff.wma
    [2011/01/23 22:08:25 | 000,000,020 | ---- | C] () -- C:\Users\Cindy\defogger_reenable
    [2011/01/15 12:56:54 | 000,156,196 | ---- | C] () -- C:\Users\Cindy\Documents\BOGO_US_2.pdf
    [2011/01/13 19:19:30 | 153,112,576 | ---- | C] () -- C:\ERD.ISO
    [2011/01/06 19:21:11 | 000,003,482 | ---- | C] () -- C:\Users\Cindy\Documents\Document.rtf
    [2011/01/05 21:08:00 | 000,000,000 | RHS- | C] () -- C:\MSDOS.SYS
    [2011/01/05 21:08:00 | 000,000,000 | RHS- | C] () -- C:\IO.SYS
    [2011/01/01 22:33:18 | 000,322,048 | ---- | C] () -- C:\Users\Cindy\Documents\Doc1.doc
    [2010/12/31 17:35:50 | 000,016,173 | ---- | C] () -- C:\Users\Cindy\Documents\CSE_Handbook.pdf
    [2010/10/17 01:36:52 | 000,108,032 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
    [2010/10/16 21:16:05 | 000,000,067 | ---- | C] () -- C:\Windows\Easy DVD Creator.INI
    [2010/10/15 07:53:45 | 000,000,031 | ---- | C] () -- C:\Windows\System32\i4fvi3misd3gfosini.dll
    [2010/10/11 08:41:30 | 000,000,033 | ---- | C] () -- C:\Users\Cindy\AppData\Roaming\pcouffin.log
    [2010/10/11 08:40:51 | 000,007,887 | ---- | C] () -- C:\Users\Cindy\AppData\Roaming\pcouffin.cat
    [2010/10/11 08:40:51 | 000,001,144 | ---- | C] () -- C:\Users\Cindy\AppData\Roaming\pcouffin.inf
    [2010/09/12 13:27:42 | 000,002,635 | ---- | C] () -- C:\Users\Cindy\AppData\Roaming\SAS7_000.DAT
    [2010/08/16 21:32:48 | 000,000,017 | ---- | C] () -- C:\Users\Cindy\AppData\Local\resmon.resmoncfg
    [2010/07/29 13:37:37 | 000,039,866 | ---- | C] () -- C:\Users\Cindy\AppData\Local\FASTWiz.log
    [2010/07/29 12:36:50 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
    [2010/02/21 11:21:12 | 000,001,013 | ---- | C] () -- C:\ProgramData\hpzinstall.log
    [2010/02/19 13:49:17 | 000,008,926 | ---- | C] () -- C:\Users\Cindy\AppData\Roaming\wklnhst.dat
    [2009/12/05 09:20:38 | 000,000,036 | ---- | C] () -- C:\Users\Cindy\AppData\Local\housecall.guid.cache
    [2009/12/03 08:27:30 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
    [2009/09/19 12:32:17 | 000,000,858 | ---- | C] () -- C:\Windows\wininit.ini
    [2009/09/18 13:49:25 | 000,000,408 | ---- | C] () -- C:\Windows\System32\Remover.ini
    [2009/09/17 05:22:15 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
    [2009/09/16 12:06:59 | 000,087,552 | ---- | C] () -- C:\Windows\System32\cpwmon2k.dll
    [2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
    [2009/07/13 17:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
    [2009/07/13 17:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
    [2007/10/25 23:02:54 | 000,000,566 | ---- | C] () -- C:\Windows\System32\SP207.INI
    [2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI
    [1997/06/13 19:56:08 | 000,056,832 | ---- | C] () -- C:\Windows\System32\iyvu9_32.dll
    ========== LOP Check ==========
    [2011/01/24 09:30:00 | 000,000,000 | ---D | M] -- C:\Users\Cindy\AppData\Roaming\DAEMON Tools Lite
    [2010/09/12 12:45:01 | 000,000,000 | ---D | M] -- C:\Users\Cindy\AppData\Roaming\GlarySoft
    [2010/11/19 21:43:33 | 000,000,000 | ---D | M] -- C:\Users\Cindy\AppData\Roaming\gtk-2.0
    [2010/06/04 20:43:17 | 000,000,000 | ---D | M] -- C:\Users\Cindy\AppData\Roaming\KendallHunt
    [2010/02/19 13:49:19 | 000,000,000 | ---D | M] -- C:\Users\Cindy\AppData\Roaming\Template
    [2009/12/05 00:34:53 | 000,000,000 | ---D | M] -- C:\Users\Cindy\AppData\Roaming\TomTom
    [2011/01/26 09:28:38 | 000,000,312 | ---- | M] () -- C:\Windows\Tasks\GlaryInitialize.job
    [2010/12/26 00:16:28 | 000,032,600 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
    ========== Purity Check ==========
    ========== Custom Scans ==========
    < %SYSTEMDRIVE%\*.* >
    [2009/06/10 15:42:20 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
    [2009/07/13 19:38:58 | 000,383,562 | RHS- | M] () -- C:\bootmgr
    [2009/12/05 02:09:59 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
    [2011/01/25 20:16:16 | 000,018,322 | ---- | M] () -- C:\ComboFix.txt
    [2009/06/10 15:42:20 | 000,000,010 | ---- | M] () -- C:\config.sys
    [2010/09/21 14:58:44 | 000,000,079 | ---- | M] () -- C:\DVDPATH.TXT
    [2011/01/13 19:20:25 | 153,112,576 | ---- | M] () -- C:\ERD.ISO
    [2011/01/26 09:28:04 | 2213,990,400 | -HS- | M] () -- C:\hiberfil.sys
    [2011/01/05 21:08:00 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2009/04/02 01:26:35 | 000,000,165 | ---- | M] () -- C:\Labelprint.log
    [2011/01/05 21:08:00 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2010/11/30 00:02:44 | 000,230,432 | ---- | M] () -- C:\PA207.DAT
    [2011/01/26 09:28:06 | 2951,991,296 | -HS- | M] () -- C:\pagefile.sys
    [2009/05/29 17:39:53 | 000,000,163 | ---- | M] () -- C:\power2go.log
    [2009/04/02 01:17:05 | 000,000,426 | ---- | M] () -- C:\RHDSetup.log
    [2010/10/20 20:32:34 | 000,010,506 | ---- | M] () -- C:\StarBurn.log
    < %systemroot%\Fonts\*.com >
    [2009/07/13 22:52:25 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
    [2009/07/13 22:52:25 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
    [2009/07/13 22:52:25 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
    [2009/07/13 22:52:25 | 000,043,318 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont
    < %systemroot%\Fonts\*.dll >
    < %systemroot%\Fonts\*.ini >
    [2009/06/10 15:31:19 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini
    < %systemroot%\Fonts\*.ini2 >
    < %systemroot%\Fonts\*.exe >
    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2007/03/28 12:57:34 | 000,274,944 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\hpzpp5ha.dll
    [2009/07/13 19:15:35 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll
    [2007/04/09 12:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\mdippr.dll
    [2006/10/26 19:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\msonpppr.dll
    [2009/07/13 19:16:19 | 000,029,696 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\winprint.dll
    < %systemroot%\REPAIR\*.bak1 >
    < %systemroot%\REPAIR\*.ini >
    < %systemroot%\system32\*.jpg >
    < %systemroot%\*.jpg >
    < %systemroot%\*.png >
    < %systemroot%\*.scr >
    [2011/01/13 02:47:35 | 000,038,848 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
    [2010/04/16 23:04:40 | 000,306,032 | ---- | M] (Microsoft Corporation) -- C:\Windows\WLXPGSS.SCR
    < %systemroot%\*._sy >
    < %APPDATA%\Adobe\Update\*.* >
    < %ALLUSERSPROFILE%\Favorites\*.* >
    < %APPDATA%\Microsoft\*.* >
    < %PROGRAMFILES%\*.* >
    [2009/07/13 22:41:57 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini
    < %APPDATA%\Update\*.* >
    < %systemroot%\*. /mp /s >
    < %systemroot%\System32\config\*.sav >
    < %PROGRAMFILES%\bak. /s >
    < %systemroot%\system32\bak. /s >
    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2009/07/13 22:46:35 | 000,000,442 | -HS- | M] () -- C:\ProgramData\Start Menu\desktop.ini
    < %systemroot%\system32\config\systemprofile\*.dat /x >
    < %systemroot%\*.config >
    < %systemroot%\system32\*.db >
    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2009/09/24 19:54:30 | 000,000,286 | -HS- | M] () -- C:\Users\Cindy\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop (1).ini
    [2009/12/05 08:53:44 | 000,000,221 | -HS- | M] () -- C:\Users\Cindy\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    < %USERPROFILE%\Desktop\*.exe >
    < %PROGRAMFILES%\Common Files\*.* >
    < %systemroot%\*.src >
    < %systemroot%\install\*.* >
    < %systemroot%\system32\DLL\*.* >
    < %systemroot%\system32\HelpFiles\*.* >
    < %systemroot%\system32\rundll\*.* >
    < %systemroot%\winn32\*.* >
    < %systemroot%\Java\*.* >
    < %systemroot%\system32\test\*.* >
    < %systemroot%\system32\Rundll32\*.* >
    < %systemroot%\AppPatch\Custom\*.* >
    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >
    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >
    < %PROGRAMFILES%\Internet Explorer\*.tmp >
    < %PROGRAMFILES%\Internet Explorer\*.dat >
    < %USERPROFILE%\My Documents\*.exe >
    < %USERPROFILE%\*.exe >
    < %systemroot%\ADDINS\*.* >
    [2009/06/10 15:20:04 | 000,000,802 | ---- | M] () -- C:\Windows\addins\FXSEXT.ecf
    < %systemroot%\assembly\*.bak2 >
    < %systemroot%\Config\*.* >
    < %systemroot%\REPAIR\*.bak2 >
    < %systemroot%\SECURITY\Database\*.sdb /x >
    < %systemroot%\SYSTEM\*.bak2 >
    < %systemroot%\Web\*.bak2 >
    < %systemroot%\Driver Cache\*.* >
    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >
    < %ProgramFiles%\Microsoft Common\*.* >
    < %ProgramFiles%\TinyProxy. >
    < %USERPROFILE%\Favorites\*.url /x >
    [2010/08/03 15:27:56 | 000,000,402 | -HS- | M] () -- C:\Users\Cindy\Favorites\desktop.ini
    < %systemroot%\system32\*.bk >
    < %systemroot%\*.te >
    < %systemroot%\system32\system32\*.* >
    < %ALLUSERSPROFILE%\*.dat /x >
    [2010/02/21 11:21:26 | 000,001,013 | ---- | M] () -- C:\ProgramData\hpzinstall.log
    < %systemroot%\system32\drivers\*.rmv >
    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >
    < dir /b "%systemroot%\*.exe" | find /i " " /c >
    < %PROGRAMFILES%\Microsoft\*.* >
    < %systemroot%\System32\Wbem\proquota.exe >
    < %PROGRAMFILES%\Mozilla Firefox\*.dat >
    < %USERPROFILE%\Cookies\*.txt /x >
    < %SystemRoot%\system32\fonts\*.* >
    < %systemroot%\system32\winlog\*.* >
    < %systemroot%\system32\Language\*.* >
    < %systemroot%\system32\Settings\*.* >
    < %systemroot%\system32\*.quo >
    < %SYSTEMROOT%\AppPatch\*.exe >
    < %SYSTEMROOT%\inf\*.exe >
    < %SYSTEMROOT%\Installer\*.exe >
    < %systemroot%\system32\config\*.bak2 >
    < %systemroot%\system32\Computers\*.* >
    < %SystemRoot%\system32\Sound\*.* >
    < %SystemRoot%\system32\SpecialImg\*.* >
    < %SystemRoot%\system32\code\*.* >
    < %SystemRoot%\system32\draft\*.* >
    < %SystemRoot%\system32\MSSSys\*.* >
    < %ProgramFiles%\Javascript\*.* >
    < %systemroot%\pchealth\helpctr\System\*.exe /s >
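The O6/O7 policy lines, the O32 AutoRun entries and the 31-byte no-company DLL in the file list above are exactly the entries a helper scans for by eye. As an added example (not part of the original post, and not an OTL feature), the Python below parses those two OTL line formats, decodes NoDriveTypeAutoRun bit by bit, and flags a small set of weak settings. The sample lines are copied from the log above; the severity rules and the "under 1 KiB in System32 with an empty company field" threshold are this example's own heuristics, a prompt for manual review rather than a verdict on any file.

```python
"""Triage helpers for OTL-style log lines.

Added example, not part of OTL or of the forum post. The two line formats
(O6/O7 policy lines and the [date | size | attrs | C/M] (company) -- path
file entries) are taken from the log above; the severity rules and the
1 KiB threshold are assumptions made for this example.
"""
import re
from typing import Dict, List

# "O6 - HKLM\...\policies\System: PromptOnSecureDesktop = 0"
POLICY_RE = re.compile(r"^O[67] - (?P<key>[^:]+): (?P<name>\w+) = (?P<value>-?\d+)$")
# "[2010/10/15 07:53:45 | 000,000,031 | ---- | C] () -- C:\Windows\System32\x.dll"
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[-A-Z]{4}) \| (?P<op>[CM])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

# Each set bit of NoDriveTypeAutoRun disables AutoRun for one drive type.
AUTORUN_BITS = {
    0x01: "DRIVE_UNKNOWN", 0x02: "DRIVE_NO_ROOT_DIR", 0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED", 0x10: "DRIVE_REMOTE", 0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK", 0x80: "reserved drive types",
}


def parse_otl(text: str) -> Dict[str, list]:
    """Split an OTL log into policy records and file records; other lines are ignored."""
    out: Dict[str, list] = {"policies": [], "files": []}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := POLICY_RE.match(line)):
            rec = m.groupdict()
            rec["value"] = int(rec["value"])
            out["policies"].append(rec)
        elif (m := FILE_RE.match(line)):
            rec = m.groupdict()
            rec["size"] = int(rec["size"].replace(",", ""))
            out["files"].append(rec)
    return out


def autorun_still_enabled(value: int) -> List[str]:
    """Drive types whose bit is clear, i.e. AutoRun is still permitted for them."""
    return [name for bit, name in AUTORUN_BITS.items() if not value & bit]


def audit_policies(policies: List[dict]) -> List[str]:
    """Flag the UAC and AutoRun settings that weaken the machine's posture."""
    findings = []
    for p in policies:
        if p["name"] == "PromptOnSecureDesktop" and p["value"] == 0:
            findings.append("UAC prompts are shown on the interactive desktop "
                            "(PromptOnSecureDesktop=0), so other software can overlay or mimic them.")
        elif p["name"] == "ConsentPromptBehaviorAdmin" and p["value"] == 0:
            findings.append("Administrators elevate silently (ConsentPromptBehaviorAdmin=0).")
        elif p["name"] == "NoDriveTypeAutoRun":
            left = autorun_still_enabled(p["value"])
            if left:
                findings.append(f"AutoRun still permitted for {', '.join(left)} "
                                f"(NoDriveTypeAutoRun={p['value']}; 255 disables every type).")
    return findings


def flag_files(files: List[dict], max_size: int = 1024) -> List[str]:
    """Heuristic: tiny .dll/.exe/.sys under System32 with an empty company field."""
    hits = []
    for f in files:
        p = f["path"].lower()
        if (p.startswith("c:\\windows\\system32\\") and p.endswith((".dll", ".exe", ".sys"))
                and not f["company"] and f["size"] < max_size):
            hits.append(f["path"])
    return hits


# Lines copied from the OTL log above (the forum post's own output).
SAMPLE = r"""
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-819319508-579725924-201858301-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
[2011/01/26 09:12:25 | 000,017,744 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2011/01/26 09:35:32 | 000,106,316 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/10/15 07:53:45 | 000,000,031 | ---- | C] () -- C:\Windows\System32\i4fvi3misd3gfosini.dll
"""


def run_sample() -> Dict[str, List[str]]:
    parsed = parse_otl(SAMPLE)
    return {"policy_findings": audit_policies(parsed["policies"]),
            "file_hits": flag_files(parsed["files"])}


if __name__ == "__main__":
    for section, items in run_sample().items():
        print(section)
        for item in items:
            print("  -", item)
```

Run against the sample, the two policy findings are the secure-desktop setting and the AutoRun value 145 (0x91), which on this log leaves removable, fixed and CD-ROM drives with AutoRun permitted; 255 would disable all of them. The single file hit is the 31-byte DLL, which the heuristic surfaces for a manual look and nothing more.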
     
  13. 2011/01/26
    cilygo Inactive Thread Starter
    < %systemroot%\Web\*.exe >
    < %systemroot%\system32\msn\*.* >
    < %systemroot%\system32\*.tro >
    < %AppData%\Microsoft\Installer\msupdates\*.* >
    < %ProgramFiles%\Messenger\*.* >
    < %systemroot%\system32\systhem32\*.* >
    < %systemroot%\system\*.exe >
    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >
    < End of report >


    OTL Extras logfile created on: 1/26/2011 9:44:03 AM - Run 1
    OTL by OldTimer - Version 3.2.20.6 Folder = C:\Users\Cindy\Downloads
    Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7600.16385)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 70.00% Memory free
    5.00 Gb Paging File | 5.00 Gb Available in Paging File | 85.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 285.09 Gb Total Space | 157.64 Gb Free Space | 55.29% Space Free | Partition Type: NTFS
    Drive E: | 13.00 Gb Total Space | 5.63 Gb Free Space | 43.32% Space Free | Partition Type: NTFS

    Computer Name: CINDYSCOMPUTER | User Name: Cindy | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    [HKEY_USERS\S-1-5-21-819319508-579725924-201858301-1000\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1 ",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    htmlfile [edit] -- Reg Error: Key error.
    https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1 "
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0289B35E-DC07-4c7a-9710-BBD686EA4B7D}" = Status
    "{07EEE598-5F21-4B57-B40B-46592625B3D9}" = Zune Language Pack (PTB)
    "{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
    "{1753255A-0AEB-4220-8C75-607B73F0C133}" = Copy
    "{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
    "{1BD07DF4-FB06-41BA-B896-B2DA59000C96}" = Windows Live Toolbar
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
    "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
    "{2614F54E-A828-49FA-93BA-45A3F756BFAA}" = 32 Bit HP CIO Components Installer
    "{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java(TM) 6 Update 23
    "{28FA3609-B6E2-4BCA-B089-F5122AC417C5}" = Belkin N Wireless USB Adapter Setup
    "{29FA38B4-0AE4-4D0D-8A51-6165BB990BB0}" = WebReg
    "{2C4E2E4E-A7C9-4CCB-BF03-FE6EBD5D4AB7}" = Windows Mobile Device Updater Component
    "{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}" = Scan
    "{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
    "{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
    "{37C5A56A-00EA-347B-B7A1-5628BED56702}" = Google Talk Plugin
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{3D3E663D-4E7E-4577-A560-7ECDDD45548A}" = PVSonyDll
    "{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
    "{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{543E938C-BDC4-4933-A612-01293996845F}" = UnloadSupport
    "{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
    "{5C93E291-A1CC-4E51-85C6-E194209FCDB4}" = Zune Language Pack (PTG)
    "{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
    "{5FA60CD6-1D0E-4080-99F6-E506FE7CBE9B}" = PC Camer@
    "{626C034B-50B8-47BD-AF93-EEFD0FA78FF4}" = Character Builder
    "{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
    "{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
    "{6740BCB0-5863-47F4-80F4-44F394DE4FE2}" = Zune Language Pack (NLD)
    "{67E03279-F703-408F-B4BF-46B5FC8D70CD}" = Microsoft Works
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{6B33492E-FBBC-4EC3-8738-09E16E395A10}" = Zune Language Pack (ESP)
    "{7006ED29-58F2-40C3-AE87-039287AD20B6}" = Zune
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{74DC0593-6BC6-4001-AD5F-D810AFB68D86}" = HP Update
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{7B15D70E-9449-4CFB-B9BC-798465B2BD5C}" = Norton Internet Security
    "{824D3839-DAA1-4315-A822-7AE3E620E528}" = VideoToolkit01
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{8389382B-53BA-4A87-8854-91E3D80A5AC7}" = HP Photosmart Essential2.01
    "{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
    "{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update
    "{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules
    "{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
    "{9C2D4047-0E40-499a-AC7A-C4B9BB12FE03}" = TrayApp
    "{9C9CEB9D-53FD-49A7-85D2-FE674F72F24E}" = Microsoft Search Enhancement Pack
    "{9F479685-180E-4C05-9400-D59292A1B29C}" = Windows Live Movie Maker
    "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
    "{A6B90148-02C5-4fd3-8D7A-EF2386835CB9}" = F4100_Help
    "{A6C265BE-E2C1-483e-843D-6B4C1E912AE0}" = F4100
    "{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
    "{AB67580-257C-45FF-B8F4-C8C30682091A}_is1" = SIW version 2010.07.14
    "{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.1
    "{AEA07F97-9088-497c-8821-0F36BD5DC251}" = HPProductAssistant
    "{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
    "{B10914FD-8812-47A4-85A1-50FCDE7F1F33}" = Windows Live Sync
    "{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
    "{B4509BCE-7BAD-4a8c-B1AE-4D0CE7467C42}" = F4100_doccd
    "{B4F35A00-24FD-4fb3-BF5E-413D5423434D}" = DJ_AIO_Software_min
    "{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
    "{BB77DC4C-B818-4FD4-8D1D-5D3B617B78B4}" = LeapFrog My Pals Plugin
    "{BCD6CD1A-0DBE-412E-9F25-3B500D1E6BA1}" = SolutionCenter
    "{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
    "{BE236D9A-52EC-4A17-82DA-84B5EAD31E3E}" = Zune Language Pack (DEU)
    "{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = CyberLink LabelPrint
    "{C5D37FFA-7483-410B-982B-91E93FD3B7DA}" = Zune Language Pack (ITA)
    "{C6359569-E03E-4CDC-98E8-CDD080C6EEB5}" = LeapFrog Connect
    "{C68D33B1-0204-4EBE-BC45-A6E432B1D13A}" = Zune Language Pack (FRA)
    "{CA50045C-5119-48e7-9BA7-6B317379857A}" = DJ_AIO_Software
    "{D0E39A1D-0CEE-4D85-B4A2-E3BE990D075E}" = Destination Component
    "{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
    "{D92FF8EB-BD77-40AE-B68B-A6BFC6F8661D}" = Windows Live Family Safety
    "{E2662C24-B31E-4349-A084-32EB76E8B760}" = BufferChm
    "{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
    "{E548726E-F4E8-459f-BAB8-45551BC071E9}" = DJ_AIO_ProductContext
    "{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
    "{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
    "{EE39FFBD-544E-49E4-A999-6819828EAE91}" = Windows Live Photo Gallery
    "{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
    "{EF1ADA5A-0B1A-4662-8C55-7475A61D8B65}" = DeviceDiscovery
    "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
    "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F1B1BB41-2494-4FC2-BEF7-9C282B6815A8}" = Image Resizer Powertoy Clone for Windows
    "{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
    "{F72E2DDC-3DB8-4190-A21D-63883D955FE7}" = PSSWCORE
    "{FA8A44D7-3E8A-4034-9C4F-088FA6B72BC4}" = HP Deskjet All-In-One Software 9.0
    "{FE0646A7-19D0-41B4-A2BB-2C35D644270D}" = Windows Live OneCare safety scanner
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.5
    "Agere Systems Soft Modem" = Agere Systems PCI-SV92PP Soft Modem
    "Audacity_is1" = Audacity 1.2.6
    "avast5" = avast! Free Antivirus
    "CobBackup10" = Cobian Backup 10
    "conduitEngine" = Conduit Engine
    "Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
    "CutePDF Writer Installation" = CutePDF Writer 2.8
    "DancePraise_is1" = Dance Praise
    "ffdshow_is1" = ffdshow v1.1.3562 [2010-09-07]
    "Freecorder Toolbar" = Freecorder Toolbar
    "Freecorder4.1" = Freecorder
    "Glary Utilities_is1" = Glary Utilities 2.31.0.1098
    "HP Imaging Device Functions" = HP Imaging Device Functions 9.0
    "HP Photosmart Essential" = HP Photosmart Essential 2.01
    "HP Solution Center & Imaging Support Tools" = HP Solution Center 9.0
    "InstallShield_{5FA60CD6-1D0E-4080-99F6-E506FE7CBE9B}" = PC Camer@
    "iWinArcade" = iWin Games (remove only)
    "Jewel Quest II" = Jewel Quest II (remove only)
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
    "MyPalsPlugin" = Use the entry named LeapFrog Connect to uninstall (LeapFrog My Pals Plugin)
    "NVIDIA Display Control Panel" = NVIDIA Display Control Panel
    "NVIDIA Drivers" = NVIDIA Drivers
    "ST6UNST #1" = Hero Editor V1.03
    "TomTom HOME" = TomTom HOME 2.7.6.2056
    "UPCShell" = LeapFrog Connect
    "WinLiveSuite_Wave3" = Windows Live Essentials
    "WinRAR archiver" = WinRAR archiver
    "World of Warcraft" = World of Warcraft
    "Yahoo! Messenger" = Yahoo! Messenger
    "Zune" = Zune

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-819319508-579725924-201858301-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Move Media Player" = Move Media Player

    ========== Last 10 Event Log Errors ==========

    Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

    < End of report >
     
  14. 2011/01/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

      Code:
      :OTL
      FF - prefs.js..browser.search.defaultengine:  "Ask.com "
      FF - prefs.js..browser.search.defaultenginename:  "Ask.com "
      FF - prefs.js..browser.search.order.1:  "Ask.com "
      [2010/11/09 14:13:06 | 000,002,568 | ---- | M] () -- C:\Users\Cindy\AppData\Roaming\Mozilla\Firefox\Profiles\2v94qpkj.default\searchplugins\askcom.xml
      O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ================================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave the reading of the results to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce a log.
     
  15. 2011/01/26
    cilygo

    cilygo Inactive Thread Starter

    Joined:
    2011/01/24
    Messages:
    12
    Likes Received:
    0
    All processes killed
    ========== OTL ==========
    Prefs.js: "Ask.com" removed from browser.search.defaultengine
    Prefs.js: "Ask.com" removed from browser.search.defaultenginename
    Prefs.js: "Ask.com" removed from browser.search.order.1
    C:\Users\Cindy\AppData\Roaming\Mozilla\Firefox\Profiles\2v94qpkj.default\searchplugins\askcom.xml moved successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Brad
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Cindy
    ->Temp folder emptied: 1794753 bytes
    ->Temporary Internet Files folder emptied: 2233148 bytes
    ->FireFox cache emptied: 76888675 bytes
    ->Flash cache emptied: 4508 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Kids
    ->Temp folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 96425 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 482772 bytes

    Total Files Cleaned = 78.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Brad

    User: Cindy
    ->Flash cache emptied: 0 bytes

    User: Default

    User: Default User

    User: Kids

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.20.6 log created on 01262011_154130

    Files\Folders moved on Reboot...
    C:\Users\Cindy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UDG2JUK1\background_button_green_full[1].png moved successfully.
    File move failed. C:\Windows\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...
    ++++++++++++++++++++++++

    Results of screen317's Security Check version 0.99.7
    Windows 7 (UAC is enabled)
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    avast! Free Antivirus
    Norton Internet Security
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 23
    Out of date Java installed!
    Adobe Flash Player 10.1.102.64
    Adobe Reader 9.4.1
    Out of date Adobe Reader installed!
    Mozilla Firefox (3.6.13)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Alwil Software Avast5 AvastSvc.exe
    Alwil Software Avast5 AvastUI.exe
    ``````````End of Log````````````

    No log for online scanner
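The OTL fix log posted above follows a fixed layout: per-user "->" lines under a "User:" header, system-wide lines without the arrow, a "Total Files Cleaned" figure, and a closing list of moves deferred to the next reboot. As an added example that is not part of this thread and not OTL's own code, the Python below parses a constructed sample in that layout (the byte counts are the ones posted above), sums the bytes per user and system-wide, checks the sum against the reported total, and lists files OTL could not move immediately (here Webshlock.txt under avast!'s temp folder), so whoever reviews such a log can see whether the fix completed. It assumes the reported total is rounded to whole mebibytes, which is consistent with both OTL logs in this thread.

```python
"""Parse an OTL fix log: per-user [EMPTYTEMP] byte counts, the reported total,
and files scheduled to be moved on reboot (added example, not OTL's own code)."""
import re

# Constructed sample in the OTL log layout seen in this thread; byte counts
# are taken from the log posted above, the rest is abbreviated.
SAMPLE_LOG = r"""All processes killed
========== OTL ==========
Prefs.js: "Ask.com" removed from browser.search.defaultengine
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Brad
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Cindy
->Temp folder emptied: 1794753 bytes
->Temporary Internet Files folder emptied: 2233148 bytes
->FireFox cache emptied: 76888675 bytes
->Flash cache emptied: 4508 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
Windows Temp folder emptied: 96425 bytes
RecycleBin emptied: 482772 bytes

Total Files Cleaned = 78.00 mb


[EMPTYFLASH]

User: Cindy
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.20.6 log created on 01262011_154130

Files\Folders moved on Reboot...
C:\Users\Cindy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UDG2JUK1\background_button_green_full[1].png moved successfully.
File move failed. C:\Windows\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...
"""

USER_RE = re.compile(r"^User: (.+)$")
BYTES_RE = re.compile(r"^(?:->)?(.+?): (\d+) bytes$")
TOTAL_RE = re.compile(r"^Total Files Cleaned = ([\d.]+) mb$")
PENDING_RE = re.compile(r"^File move failed\. (.+) scheduled to be moved on reboot\.$")

def parse_emptytemp(log):
    """Return ({user or '<system>': bytes}, reported_mb) for the [EMPTYTEMP] section."""
    per_user, reported, current, in_section = {}, None, None, False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Section headers such as [EMPTYTEMP] / [EMPTYFLASH]; only the first is parsed.
            in_section = line.upper() == "[EMPTYTEMP]"
            current = None
            continue
        if not in_section:
            continue
        m = USER_RE.match(line)
        if m:
            current = m.group(1)
            per_user.setdefault(current, 0)
            continue
        m = TOTAL_RE.match(line)
        if m:
            reported = float(m.group(1))
            continue
        m = BYTES_RE.match(line)
        if m:
            # "->" lines belong to the current user; the rest are system-wide entries.
            key = current if line.startswith("->") else "<system>"
            per_user[key] = per_user.get(key, 0) + int(m.group(2))
    return per_user, reported

def check_total(per_user, reported_mb):
    """Sum every byte count, round to whole MiB (assumed to match OTL's figure), compare."""
    total_bytes = sum(per_user.values())
    computed_mb = round(total_bytes / (1024 * 1024))
    return total_bytes, computed_mb, computed_mb == round(reported_mb)

def pending_reboot_moves(log):
    """Files OTL could not move while running and deferred to the next reboot."""
    return [m.group(1) for m in (PENDING_RE.match(l.strip()) for l in log.splitlines()) if m]

if __name__ == "__main__":
    users, reported = parse_emptytemp(SAMPLE_LOG)
    for name, size in users.items():
        print(f"{name:>12}: {size:>10} bytes")
    print("total/computed/ok:", check_total(users, reported))
    print("still pending on reboot:", pending_reboot_moves(SAMPLE_LOG))
```

A non-empty pending list after the reboot log has been posted (as in the second OTL log later in this thread, where Webshlock.txt is still listed) is the cue to check whether the file is simply held open by a running program rather than a sign that the fix failed.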
     
  16. 2011/01/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    SecurityCheck reports some Norton's leftovers.
    Please, run this tool to remove them: http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN

    ================================================================

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader (3.5 MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.

    ==============================================================

    Your computer is clean :)

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please let me know how your computer is doing.
     
  17. 2011/01/26
    cilygo

    cilygo Inactive Thread Starter

    Joined:
    2011/01/24
    Messages:
    12
    Likes Received:
    0
    I have done what you posted but somehow lost the log in the reboot. Will this have fixed the mbr code faked error I had earlier? Thanks for all your help. I really appreciate it.
     
  18. 2011/01/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Which log did you lose?
    OTL?
    If so, re-run the fix.

    If there are no other ill effects, we won't do anything about MBR.
     
  19. 2011/01/27
    cilygo

    cilygo Inactive Thread Starter

    Joined:
    2011/01/24
    Messages:
    12
    Likes Received:
    0
    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Brad
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Cindy
    ->Temp folder emptied: 13090 bytes
    ->Temporary Internet Files folder emptied: 37365 bytes
    ->FireFox cache emptied: 24727314 bytes
    ->Flash cache emptied: 456 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Kids
    ->Temp folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 26090 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 6909 bytes

    Total Files Cleaned = 24.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Brad

    User: Cindy
    ->Flash cache emptied: 0 bytes

    User: Default

    User: Default User

    User: Kids

    User: Public

    Total Flash Files Cleaned = 0.00 mb



    OTL by OldTimer - Version 3.2.20.6 log created on 01272011_095143

    Files\Folders moved on Reboot...
    File move failed. C:\Windows\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...
     
  20. 2011/01/27
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
  21. 2011/01/28
    cilygo

    cilygo Inactive Thread Starter

    Joined:
    2011/01/24
    Messages:
    12
    Likes Received:
    0
    Apparently, system restore was turned off already and when I went to turn it on, there was this error message:

    There was an unexpected error in the property page: The filename, directory name, or volume label syntax is incorrect. (0x8007007B) Please close the property page and try again.

    Under protection settings

    Available Drives Protection

    PQSERVICE (E:) Off
    OS (C:) (System) Off
    OS (C:) (Missing) On
    OS (C:) (Missing) On

    When I go to Backup my files I also encounter this error:
    Microsoft Windows Backup has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available. Error code 0x81000031
     
    Last edited: 2011/01/28
