
Solved system check virus?

Discussion in 'Malware and Virus Removal Archive' started by gpb59, 2012/01/28.

  1. 2012/01/28
    gpb59

    gpb59 Well-Known Member Thread Starter

    Joined:
    2012/01/28
    Messages:
    320
    Likes Received:
    0
    [Resolved] system check virus?

    Malwarebytes Anti-Malware (Trial) 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.28.06

    Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 9.0.8112.16421
    Gary :: GARY-PC [administrator]

    Protection: Disabled

    1/28/2012 6:16:33 PM
    mbam-log-2012-01-28 (18-16-33).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 196561
    Time elapsed: 12 minute(s), 6 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NOS (Trojan.FakeMS) -> Data: C:\Users\Gary\AppData\Roaming\877F24.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 2
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 3
    C:\Users\Gary\AppData\Roaming\877F24.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Users\Gary\AppData\Local\Temp\1EC4.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Users\Gary\AppData\Local\Temp\Uninstall.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    (end)
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-01-28 19:12:10
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\00000058 WDC_WD32 rev.01.0
    Running: 6qpc7g2v.exe; Driver: C:\Users\Gary\AppData\Local\Temp\kwldqpob.sys


    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[848] USER32.dll!GetWindowInfo 7661428E 5 Bytes JMP 6C92C909 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[848] USER32.dll!TrackPopupMenu 766214F3 5 Bytes JMP 6C92CEBD C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[1580] ntdll.dll!LdrLoadDll 77BD9378 5 Bytes JMP 6C7AB750 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----
    aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-28 19:13:06
    -----------------------------
    19:13:06.747 OS Version: Windows 6.0.6002 Service Pack 2
    19:13:06.747 Number of processors: 2 586 0x6B02
    19:13:06.748 ComputerName: GARY-PC UserName: Gary
    19:13:07.820 Initialize success
    19:13:32.317 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000058
    19:13:32.319 Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
    19:13:32.331 Disk 0 MBR read successfully
    19:13:32.334 Disk 0 MBR scan
    19:13:32.338 Disk 0 unknown MBR code
    19:13:32.392 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 293303 MB offset 63
    19:13:32.467 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 11938 MB offset 600686415
    19:13:32.497 Disk 0 scanning sectors +625137345
    19:13:32.702 Disk 0 scanning C:\Windows\system32\drivers
    19:13:43.037 Service scanning
    19:13:43.985 Modules scanning
    19:13:49.313 Disk 0 trace - called modules:
    19:13:49.331 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
    19:13:49.331 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84f27620]
    19:13:49.331 3 CLASSPNP.SYS[807388b3] -> nt!IofCallDriver -> [0x84a4c5e8]
    19:13:49.331 5 acpi.sys[806156bc] -> nt!IofCallDriver -> \Device\00000058[0x84e71c90]
    19:13:49.331 Scan finished successfully
    19:14:14.367 Disk 0 MBR has been saved successfully to "C:\Users\Gary\Desktop\MBR.dat "
    19:14:14.373 The log file has been saved successfully to "C:\Users\Gary\Desktop\aswMBR.txt "


    .
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/24/2009 3:31:59 PM
    System Uptime: 1/28/2012 5:46:53 PM (2 hours ago)
    .
    Motherboard: PEGATRON CORPORATION | | Acacia
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5000+ | Socket AM2 | 2600/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 286 GiB total, 26.164 GiB free.
    D: is FIXED (NTFS) - 12 GiB total, 1.588 GiB free.
    E: is CDROM ()
    J: is FIXED (NTFS) - 298 GiB total, 6.484 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0075
    Manufacturer: Microsoft
    Name: 6TO4 Adapter
    PNP Device ID: ROOT\*6TO4MP\0075
    Service: tunnel
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft ISATAP Adapter
    Device ID: ROOT\*ISATAP\0000
    Manufacturer: Microsoft
    Name: isatap.lv.cox.net
    PNP Device ID: ROOT\*ISATAP\0000
    Service: tunnel
    .
    ==== System Restore Points ===================
    .
    RP979: 1/21/2012 8:11:19 AM - Scheduled Checkpoint
    RP980: 1/27/2012 7:48:32 AM - Scheduled Checkpoint
    .
    ==== Installed Programs ======================
    .
    µTorrent
    Acrobat.com
    ActiveCheck component for HP Active Support Library
    Ad-Aware
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader 9.3
    AIM 7
    AnswerWorks 5.0 English Runtime
    Any Video Converter 2.7.6
    AOL Uninstaller (Choose which Products to Remove)
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Ask Toolbar
    Auslogics BoostSpeed
    AVG 2011
    Bonjour
    Compatibility Pack for the 2007 Office system
    Conduit Engine
    D3DX10
    dBpoweramp AAC Encoder
    dBpoweramp FLAC Codec
    dBpoweramp m4a Codec
    dBpoweramp m4a Utilities
    dBpoweramp m4b Audio book Encoder
    dBpoweramp Monkeys Audio Codec
    dBpoweramp Music Converter
    dBpoweramp Shorten Codec
    Dell Touchpad
    DING!
    Download Updater (AOL LLC)
    Driver Performer
    Enhanced Multimedia Keyboard Solution
    Exact Audio Copy 0.99pb5
    FoxTab Music Converter
    Google Chrome
    Google Update Helper
    Hardware Diagnostic Tools
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Active Support Library
    HP Customer Experience Enhancements
    HP Demo
    HP MediaSmart DVD
    HP MediaSmart Music/Photo/Video
    HP MediaSmart SmartMenu
    HP Picasso Media Center Add-In
    HP Recovery Manager RSS
    HP Total Care Setup
    HP Update
    HPAsset component for HP Active Support Library
    iLivid
    ImagXpress
    ImgBurn
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 13
    Java(TM) 6 Update 29
    Java(TM) 6 Update 7
    Junk Mail filter update
    Juno Preloader
    K-Lite Codec Pack 8.1.0 (Basic)
    LabelPrint
    LightScribe Template Labeler
    magicJack
    magicJack Recovery Tool 1.0
    Malwarebytes Anti-Malware version 1.60.0.1800
    Mesh Runtime
    Messenger Companion
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Live Search Toolbar
    Microsoft Office File Validation Add-In
    Microsoft Office Home and Student 60 day trial
    Microsoft Office Live Add-in 1.5
    Microsoft Office Outlook Connector
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Professional Edition 2003
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Microsoft Works
    mkw Audio Compression Toolkit
    mkw Runtime Libraries
    Mozilla Firefox 9.0.1 (x86 en-US)
    MSVCRT
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    muvee Reveal
    My HP Games
    MyAshampoo Toolbar
    Nero 8 Essentials
    Nero Online Upgrade
    Nero StartSmart OEM
    neroxml
    NetZero Preloader
    NVIDIA Drivers
    OGA Notifier 2.0.0048.0
    PeerGuardian 2.0
    PictureMover
    PowerDirector
    PowerISO
    Prism Video File Converter
    Python 2.5.2
    Quicken 2011
    QuickTime
    R-Studio 4.2
    Realtek High Definition Audio Driver
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Segoe UI
    Skype web features
    Skype™ 4.1
    Soft Data Fax Modem with SmartCP
    SPORE Creature Creator Trial Edition
    StartNow Toolbar
    The Rosetta Stone
    Uniblue DriverScanner
    Uniblue PowerSuite
    Uniblue RegistryBooster
    Uniblue SpeedUpMyPC
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    uTorrentBar Toolbar
    Viewpoint Media Player
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebEx
    Winamp
    Winamp Detector Plug-in
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Mail
    Windows Live Mesh
    Windows Live Mesh ActiveX Control for Remote Connections
    Windows Live Messenger
    Windows Live Messenger Companion Core
    Windows Live MIME IFilter
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live Remote Client
    Windows Live Remote Client Resources
    Windows Live Remote Service
    Windows Live Remote Service Resources
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Sync
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    WinRAR archiver
    Xilisoft AVI to DVD Converter
    Xilisoft ISO Pro
    Xilisoft Video Converter Ultimate
    Yahoo! Messenger
    Yahoo! Software Update
    Yahoo! Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/28/2012 5:48:06 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments " " in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    1/28/2012 5:47:57 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/28/2012 5:47:54 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avgldx86 Avgmfx86 SCDEmu spldr Wanarpv6
    1/28/2012 5:47:54 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    1/28/2012 5:47:48 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments " " in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    1/28/2012 5:47:37 PM, Error: EventLog [6008] - The previous system shutdown at 5:40:00 PM on 1/28/2012 was unexpected.
    1/28/2012 5:40:20 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    1/28/2012 5:40:20 PM, Error: Service Control Manager [7000] - The Nero BackItUp Scheduler 4.0 service failed to start due to the following error: The system cannot find the path specified.
    1/28/2012 5:26:40 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    1/24/2012 8:12:23 PM, Error: nvstor32 [5] - A parity error was detected on \Device\RaidPort0.
    1/21/2012 7:16:30 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
    1/21/2012 7:16:30 AM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/21/2012 7:16:30 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments " " in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    .
    ==== End Of File ===========================
     
  2. 2012/01/28
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==============================================================

    I still need the DDS.txt log.
     


  4. 2012/01/28
    gpb59

    gpb59 Well-Known Member Thread Starter

    Joined:
    2012/01/28
    Messages:
    320
    Likes Received:
    0
    BTW, I did this all in Safe Mode. Now I restarted again in Safe Mode and there's nothing on the desktop. What should I do now?
     
  5. 2012/01/28
    gpb59

    gpb59 Well-Known Member Thread Starter

    Joined:
    2012/01/28
    Messages:
    320
    Likes Received:
    0
    Other than Computer and Recycle Bin.
     
  6. 2012/01/28
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    What happens when you start in normal mode?

    Let's see if we can recover your missing features.
    Download and run UnHide.
    Let me know if it worked.
     
  7. 2012/01/28
    gpb59

    gpb59 Well-Known Member Thread Starter

    Joined:
    2012/01/28
    Messages:
    320
    Likes Received:
    0
    I get a bunch of windows that open that say "Windows - Delayed Write Failed". Another window that says "System Check" opens and starts scanning. I also get messages like "hard drive clusters damaged", "running extremely low on memory", "file indexation process failed".
     
  8. 2012/01/28
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    OK. Stay in Safe Mode for now.

    Give me the missing DDS.txt log and run UnHide.
     
  9. 2012/01/28
    gpb59

    gpb59 Well-Known Member Thread Starter

    Joined:
    2012/01/28
    Messages:
    320
    Likes Received:
    0
    OK, they're back, but I guess I didn't save the DDS.txt. Should I run that again?
     
  10. 2012/01/28
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Yes, please.
     
  11. 2012/01/28
    gpb59

    gpb59 Well-Known Member Thread Starter

    Joined:
    2012/01/28
    Messages:
    320
    Likes Received:
    0
    .
    DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
    Run by Gary at 20:49:12 on 2012-01-28
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1846 [GMT -8:00]
    .
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Lavasoft\Ad-Aware\AWSC.exe
    C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\AOL\1325011021\ee\aolsoftware.exe
    C:\Program Files\AOL Desktop 9.7\waol.exe
    C:\Program Files\AOL Desktop 9.7\shellmon.exe
    C:\Windows\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt
    uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
    uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    mStart Page = hxxp://www.yahoo.com/
    mDefault_Page_URL = hxxp://www.yahoo.com/
    mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    mURLSearchHooks: MyAshampoo Toolbar: {a1e75a0e-4397-4ba8-bb50-e19fb66890f4} - c:\program files\myashampoo\tbMyAs.dll
    mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll
    mURLSearchHooks: H - No File
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: StartNow Toolbar Helper: {6e13d095-45c3-4271-9475-f3b48227dd9f} - c:\program files\startnow toolbar\Toolbar32.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.0.0.7\AVG Secure Search_toolbar.dll
    BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
    BHO: MyAshampoo Toolbar: {a1e75a0e-4397-4ba8-bb50-e19fb66890f4} - c:\program files\myashampoo\tbMyAs.dll
    BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll
    BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn4\YTSingleInstance.dll
    TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
    TB: MyAshampoo Toolbar: {a1e75a0e-4397-4ba8-bb50-e19fb66890f4} - c:\program files\myashampoo\tbMyAs.dll
    TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
    TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTor.dll
    TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.0.0.7\AVG Secure Search_toolbar.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - c:\program files\startnow toolbar\Toolbar32.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [cdloader] "c:\users\gary\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [jLyiTUCQBK.exe] c:\programdata\jLyiTUCQBK.exe
    uRun: [AOL Fast Start] "c:\program files\aol desktop 9.7\AOL.EXE" -b
    mRun: [KBD] c:\program files\hewlett-packard\kbd\KbdStub.EXE
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [DVDAgent] "c:\program files\hewlett-packard\media\dvd\DVDAgent.exe "
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe "
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe "
    mRun: [vProt] "c:\program files\avg secure search\vprot.exe "
    mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: DisableStartupSound = 1 (0x1)
    mPolicies-system: DisableStatusMessages = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    Trusted Zone: etrade.com\us
    Trusted Zone: magicjack.com\my
    Trusted Zone: talk4free.com\reg
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
    TCP: Interfaces\{DEFE736B-C868-43F1-8A26-556BABDE9FA1} : DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\10.0.6\ViProtocol.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\gary\appdata\roaming\mozilla\firefox\profiles\05lzepug.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2475029&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://finance.yahoo.com/p?k=pf_5
    FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=FTB&o=41648106&locale=en_US&apn_uid=57D92367-F4B5-4F7C-BD49-E7E52BDD3A45&apn_ptnrs=9C&apn_sauid=193CD7D7-2D18-49D5-A34C-E5511A0DFFFD&apn_dtid=YYYYYYYYUS&&q=
    FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
    FF - component: c:\program files\avg\avg10\firefox4\components\avgssff5.dll
    FF - component: c:\program files\avg\avg10\firefox4\components\avgssff6.dll
    FF - component: c:\program files\avg\avg10\firefox4\components\avgssff7.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
    FF - component: c:\users\gary\appdata\roaming\mozilla\firefox\profiles\05lzepug.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll
    FF - component: c:\users\gary\appdata\roaming\mozilla\firefox\profiles\05lzepug.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko5.dll
    FF - component: c:\users\gary\appdata\roaming\mozilla\firefox\profiles\05lzepug.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko6.dll
    FF - component: c:\users\gary\appdata\roaming\mozilla\firefox\profiles\05lzepug.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko7.dll
    FF - component: c:\users\gary\appdata\roaming\mozilla\firefox\profiles\05lzepug.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-8-28 64512]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-4 297168]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-11-3 2152152]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2012-1-1 197224]
    S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
    S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-8-18 7390560]
    S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-28 136176]
    S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-28 652872]
    S2 Updater Service for StartNow Toolbar;Updater Service for StartNow Toolbar;c:\program files\startnow toolbar\ToolbarUpdaterService.exe [2011-10-25 244960]
    S2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\10.0.6\ToolbarUpdater.exe [2012-1-18 909152]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-4-16 167264]
    S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-5-27 134480]
    S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
    S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 28624]
    S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-12-2 39272]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2011-5-13 1492840]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-28 136176]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-28 20464]
    S3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\PCD5SRVC.pkms [2008-9-9 20640]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
    .
    =============== Created Last 30 ================
    .
    2012-01-29 02:25:16 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2012-01-29 02:15:32 -------- d-----w- c:\users\gary\appdata\roaming\Malwarebytes
    2012-01-29 02:15:03 -------- d-----w- c:\programdata\Malwarebytes
    2012-01-29 02:15:02 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-29 02:15:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-29 01:23:08 360448 ----a-w- c:\programdata\nv4bl3vb4fAGSS.exe
    2012-01-29 01:16:58 448512 ----a-w- c:\programdata\jLyiTUCQBK.exe
    2012-01-28 13:44:46 -------- d-----w- c:\users\gary\appdata\local\{487CBB95-E67F-442A-8A5E-5F33E4D9C8BA}
    2012-01-28 01:43:40 -------- d-----w- c:\users\gary\appdata\local\{12652BAE-B684-4BEB-B117-BAE3BA5B2F47}
    2012-01-27 13:42:46 -------- d-----w- c:\users\gary\appdata\local\{7EB8DA84-9C91-4DED-B413-2430BE677C07}
    2012-01-27 13:42:23 -------- d-----w- c:\users\gary\appdata\local\{0307B57E-4E43-4433-BB99-6FDB8BCC02B5}
    2012-01-21 14:09:29 -------- d-----w- c:\program files\iPod
    2012-01-21 13:00:23 -------- d-----w- c:\users\gary\appdata\local\{EA4B0606-FE08-45CC-BAB3-807775DE8A2A}
    2012-01-21 00:59:27 -------- d-----w- c:\users\gary\appdata\local\{D18B2DE3-51AB-4D50-BD79-392152A65E47}
    2012-01-20 12:58:24 -------- d-----w- c:\users\gary\appdata\local\{0F45755D-7DC8-4E3B-B7D6-B6285541AB31}
    2012-01-20 00:57:43 -------- d-----w- c:\users\gary\appdata\local\{53E7C0CE-7EAE-493A-B12F-1313BABAF69C}
    2012-01-20 00:57:13 -------- d-----w- c:\users\gary\appdata\local\{CBA7EE0A-FB9B-46C3-9061-F675960528C4}
    2012-01-18 11:16:30 -------- d-----w- c:\windows\system32\cache
    2012-01-16 05:07:59 -------- d-----w- c:\users\gary\appdata\local\{3983CC05-AEEC-4955-A6BD-8976432C1DC2}
    2012-01-15 17:06:56 -------- d-----w- c:\users\gary\appdata\local\{86B6C37F-EFC8-4475-B855-D9D7120B473A}
    2012-01-15 17:06:25 -------- d-----w- c:\users\gary\appdata\local\{40EEF1DF-8355-47DC-B1E2-8958CB3EC828}
    2012-01-14 14:30:41 -------- d-----w- c:\users\gary\appdata\local\{2313C564-BD9E-4465-BB33-F20FADBFD076}
    2012-01-14 02:29:43 -------- d-----w- c:\users\gary\appdata\local\{85A11210-44C6-468D-8CA3-EDF5555FD660}
    2012-01-13 14:28:51 -------- d-----w- c:\users\gary\appdata\local\{8C05144F-9809-4FF4-BD21-DB70ECF66491}
    2012-01-13 02:27:59 -------- d-----w- c:\users\gary\appdata\local\{06E614F0-FAAB-40F6-A2F7-05E6E652ED80}
    2012-01-12 14:27:06 -------- d-----w- c:\users\gary\appdata\local\{2912EA18-006D-49A4-B4A8-65288AF37A7F}
    2012-01-12 02:26:14 -------- d-----w- c:\users\gary\appdata\local\{74D4399E-DC32-41FA-9DA1-A6B100A4F41E}
    2012-01-11 14:25:23 -------- d-----w- c:\users\gary\appdata\local\{2D301C10-ABBE-4708-A6B1-0878DF6DD876}
    2012-01-11 14:24:52 -------- d-----w- c:\users\gary\appdata\local\{57455693-E542-4AA1-9227-E087F191607A}
    2012-01-11 02:54:28 23552 ----a-w- c:\windows\system32\mciseq.dll
    2012-01-11 02:54:28 189952 ----a-w- c:\windows\system32\winmm.dll
    2012-01-11 02:54:27 1205064 ----a-w- c:\windows\system32\ntdll.dll
    2012-01-11 02:54:26 66560 ----a-w- c:\windows\system32\packager.dll
    2012-01-11 02:54:26 376320 ----a-w- c:\windows\system32\winsrv.dll
    2012-01-11 02:54:25 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2012-01-11 02:54:24 497152 ----a-w- c:\windows\system32\qdvd.dll
    2012-01-11 02:54:24 1314816 ----a-w- c:\windows\system32\quartz.dll
    2012-01-11 02:24:04 -------- d-----w- c:\users\gary\appdata\local\{98D06C1F-FFCE-46C5-BDA3-7F9A2CFB1DD3}
    2012-01-10 14:23:04 -------- d-----w- c:\users\gary\appdata\local\{9652DBF2-C815-4D42-96EE-DE823B9DC4E4}
    2012-01-10 02:22:09 -------- d-----w- c:\users\gary\appdata\local\{7A2B9059-495F-4D45-8F95-CE45B30A0CDE}
    2012-01-09 14:21:15 -------- d-----w- c:\users\gary\appdata\local\{6509306A-003F-435D-A1A9-9FD6A75616D5}
    2012-01-09 02:20:22 -------- d-----w- c:\users\gary\appdata\local\{1A468FC3-FFC0-4569-8DDB-6CF924E2E486}
    2012-01-09 02:19:59 -------- d-----w- c:\users\gary\appdata\local\{54C09C49-5C7D-4BC7-84C8-9DD8F72D941D}
    2012-01-04 00:52:38 -------- d-----w- c:\users\gary\appdata\local\{55455E80-1276-440A-847B-84F58F9DE8ED}
    2012-01-03 12:51:42 -------- d-----w- c:\users\gary\appdata\local\{60243138-B782-407A-9CFF-8912D673D214}
    2012-01-03 00:50:47 -------- d-----w- c:\users\gary\appdata\local\{D7A71A95-2DD2-4276-85E5-D5BEE1FE93C9}
    2012-01-02 12:49:53 -------- d-----w- c:\users\gary\appdata\local\{7084FCFC-1B42-4880-A4C2-E8BEE454D7CA}
    2012-01-02 00:49:00 -------- d-----w- c:\users\gary\appdata\local\{C2DF94D1-5C0F-4C59-B118-E82D58478249}
    2012-01-02 00:48:29 -------- d-----w- c:\users\gary\appdata\local\{F034D03C-6715-46CC-A7DF-0F3CD1EC702B}
    2012-01-01 18:03:46 -------- d-----w- C:\MSI862d9.tmp
    2012-01-01 18:03:24 -------- d-----w- C:\MSI80c41.tmp
    2012-01-01 17:25:03 -------- d-----w- C:\MSI4ec23.tmp
    2012-01-01 17:23:26 -------- d-----w- C:\MSI359e3.tmp
    2012-01-01 16:58:20 -------- d-----w- c:\windows\system32\sda
    2012-01-01 16:57:58 9888360 ----a-w- c:\windows\system32\RtsUStoricon.dll
    2012-01-01 16:57:58 313960 ----a-w- c:\windows\system32\RtsUStor.dll
    2012-01-01 16:57:58 197224 ----a-w- c:\windows\system32\drivers\RtsUStor.sys
    2012-01-01 16:55:34 -------- d-----w- c:\program files\NVIDIA Corporation
    2012-01-01 16:55:02 215656 ----a-w- c:\windows\system32\NVCOSMB.DLL
    2012-01-01 16:45:47 -------- d-----w- C:\MSI6d210.tmp
    2012-01-01 12:47:54 -------- d-----w- c:\users\gary\appdata\local\{1FC3D25E-7E1E-4B2B-A509-0C546FAF0782}
    2012-01-01 00:47:01 -------- d-----w- c:\users\gary\appdata\local\{378F97C1-84B4-4845-86C6-E9C08587DF2F}
    2012-01-01 00:46:31 -------- d-----w- c:\users\gary\appdata\local\{879B5137-4FC8-4517-AC4D-B99F9F5814CA}
    2012-01-01 00:29:46 175616 ----a-w- c:\windows\system32\unrar.dll
    2012-01-01 00:29:45 -------- d-----w- c:\program files\K-Lite Codec Pack
    2012-01-01 00:02:17 -------- d-----w- c:\users\gary\appdata\local\{85A80A9A-208C-4D60-8973-061CC61205F4}
    2011-12-31 23:54:13 -------- d-----w- c:\users\gary\appdata\roaming\NCH Software
    2011-12-31 23:54:13 -------- d-----w- c:\program files\NCH Software
    2011-12-31 23:52:17 -------- d-----w- c:\program files\StartNow Toolbar
    2011-12-31 23:51:51 -------- d-----w- c:\program files\Ask.com
    2011-12-31 23:51:32 -------- d-----w- c:\program files\FoxTabMusicConverter
    2011-12-30 23:51:28 -------- d-----w- c:\users\gary\appdata\local\{D4BDB2D3-1866-4BD9-A2E3-8BDB60A445D0}
    2011-12-30 11:50:32 -------- d-----w- c:\users\gary\appdata\local\{64D56158-DB30-4039-A8CD-13841E9F6CE2}
    .
    ==================== Find3M ====================
    .
    2012-01-01 16:55:02 600680 ----a-w- c:\windows\system32\nvuninst.exe
    2011-12-27 18:35:39 58696 ----a-w- c:\windows\system32\AOLParconLink.exe
    2011-12-14 20:51:17 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2011-12-14 20:51:16 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2011-11-27 14:57:26 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
    2011-11-08 14:42:19 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-11-03 22:47:42 1798144 ----a-w- c:\windows\system32\jscript9.dll
    2011-11-03 22:40:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-11-03 22:39:47 1127424 ----a-w- c:\windows\system32\wininet.dll
    2011-11-03 22:31:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2011-11-03 20:06:56 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    .
    ============= FINISH: 20:49:33.55 ===============
     
  12. 2012/01/29
    broni

    broni Moderator Malware Analyst

    You're running two AV programs, Lavasoft Ad-Watch Live! Anti-Virus and AVG.
    One of them has to go.
    I suggest Lavasoft goes.

    ===========================================================

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.

    =============================================================

    Please download and run ListParts by Farbar (for 32-bit system)

    Please download and run ListParts64 by Farbar (for 64-bit system)

    Click on Scan button.

    Scan result will open in Notepad.
    Post it in your next reply.
     
  13. 2012/01/29
    gpb59

    gpb59 Well-Known Member Thread Starter

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6002), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    ATA_Read(): DeviceIoControl() ERROR 1
    Boot sector MD5 is: 306a70bb88e51c06c67244ab8a2237bf

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...
     
  14. 2012/01/29
    gpb59

    gpb59 Well-Known Member Thread Starter

    ListParts by Farbar
    Ran by Gary on 29-01-2012 at 13:17:58
    Windows Vista (X86)
    Running From: C:\Users\Gary\Desktop
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 35%
    Total physical RAM: 2941.83 MB
    Available physical RAM: 1907.04 MB
    Total Pagefile: 8974.31 MB
    Available Pagefile: 8325.95 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1980.25 MB

    ======================= Partitions =========================

    1 Drive c: (HP) (Fixed) (Total:286.43 GB) (Free:41.6 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
    2 Drive d: (FACTORY_IMAGE) (Fixed) (Total:11.66 GB) (Free:1.59 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    4 Drive j: (HD-PFU2) (Fixed) (Total:298.09 GB) (Free:6.48 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 298 GB 0 B
    Disk 1 Online 298 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 286 GB 32 KB
    Partition 2 Primary 12 GB 286 GB

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C HP NTFS Partition 286 GB Healthy System (partition with boot components)

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 D FACTORY_IMA NTFS Partition 12 GB Healthy

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 298 GB 32 KB

    Disk: 1
    Partition 1
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 J HD-PFU2 NTFS Partition 298 GB Healthy Pagefile



    ****** End Of Log ******
     
  15. 2012/01/29
    broni

    broni Moderator Malware Analyst

    Looks good.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    4. Double-click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart your computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running, Combofix is still working. Be patient.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  16. 2012/01/29
    gpb59

    gpb59 Well-Known Member Thread Starter

    Should I disable the Windows firewall? Also, I don't think AVG is running, but I'm not sure.
     
  17. 2012/01/29
    gpb59

    gpb59 Well-Known Member Thread Starter

    The ComboFix said AVG is running, so I'm using that AppRemover now.
     
  18. 2012/01/29
    gpb59

    gpb59 Well-Known Member Thread Starter

    ComboFix 12-01-29.02 - Gary 01/29/2012 14:12:49.1.2 - x86 NETWORK
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.2510 [GMT -8:00]
    Running from: c:\users\Gary\Desktop\ComboFix.exe
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
    SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\StartNow Toolbar
    c:\program files\StartNow Toolbar\ReactivateFF.exe
    c:\program files\StartNow Toolbar\ReactivateIE.exe
    c:\program files\StartNow Toolbar\Resources\images\engine_images.png
    c:\program files\StartNow Toolbar\Resources\images\engine_maps.png
    c:\program files\StartNow Toolbar\Resources\images\engine_news.png
    c:\program files\StartNow Toolbar\Resources\images\engine_videos.png
    c:\program files\StartNow Toolbar\Resources\images\engine_web.png
    c:\program files\StartNow Toolbar\Resources\images\icon_amazon.png
    c:\program files\StartNow Toolbar\Resources\images\icon_ebay.png
    c:\program files\StartNow Toolbar\Resources\images\icon_facebook.png
    c:\program files\StartNow Toolbar\Resources\images\icon_games.png
    c:\program files\StartNow Toolbar\Resources\images\icon_msn.png
    c:\program files\StartNow Toolbar\Resources\images\icon_shopping.png
    c:\program files\StartNow Toolbar\Resources\images\icon_travel.png
    c:\program files\StartNow Toolbar\Resources\images\icon_twitter.png
    c:\program files\StartNow Toolbar\Resources\images\startnow_logo.png
    c:\program files\StartNow Toolbar\Resources\installer.xml
    c:\program files\StartNow Toolbar\Resources\skin\chevron_button.png
    c:\program files\StartNow Toolbar\Resources\skin\searchbox_button_hover.png
    c:\program files\StartNow Toolbar\Resources\skin\searchbox_button_normal.png
    c:\program files\StartNow Toolbar\Resources\skin\searchbox_dropdown_button_normal.png
    c:\program files\StartNow Toolbar\Resources\skin\searchbox_input_background.png
    c:\program files\StartNow Toolbar\Resources\skin\searchbox_input_left.png
    c:\program files\StartNow Toolbar\Resources\skin\searchbox_input_middle.png
    c:\program files\StartNow Toolbar\Resources\skin\separator.png
    c:\program files\StartNow Toolbar\Resources\skin\splitter.png
    c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ff_hover_c.png
    c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_c.png
    c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_l.png
    c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_r.png
    c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_c.png
    c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_l.png
    c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_r.png
    c:\program files\StartNow Toolbar\Resources\toolbar.xml
    c:\program files\StartNow Toolbar\Resources\update.xml
    c:\program files\StartNow Toolbar\StartNowToolbarUninstall.exe
    c:\program files\StartNow Toolbar\Toolbar32.dll
    c:\program files\StartNow Toolbar\ToolbarBroker.exe
    c:\program files\StartNow Toolbar\ToolbarUpdaterService.exe
    c:\program files\StartNow Toolbar\uninstall.dat
    c:\programdata\~nv4bl3vb4fAGSS
    c:\programdata\~nv4bl3vb4fAGSSr
    c:\programdata\jLyiTUCQBK.exe
    c:\programdata\nv4bl3vb4fAGSS
    c:\programdata\nv4bl3vb4fAGSS.exe
    c:\users\Gary\AppData\Roaming\Desktopicon
    c:\users\Gary\AppData\Roaming\Desktopicon\config.ini
    c:\users\Gary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
    c:\users\Gary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\System Check.lnk
    c:\users\Gary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\Uninstall System Check.lnk
    c:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\05lzepug.default\searchplugins\bing-zugo.xml
    c:\users\Gary\Taskmgr.exe
    c:\windows\system32\Cache
    c:\windows\system32\Cache\1342d0ee7861b433.fb
    c:\windows\system32\Cache\272512937d9e61a4.fb
    c:\windows\system32\Cache\287204568329e189.fb
    c:\windows\system32\Cache\28bc8f716fd76a47.fb
    c:\windows\system32\Cache\2c53092c95605355.fb
    c:\windows\system32\Cache\3917078cb68ec657.fb
    c:\windows\system32\Cache\590ba23ce359fd0c.fb
    c:\windows\system32\Cache\610289e025a3ee9a.fb
    c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
    c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
    c:\windows\system32\Cache\a8556537add6dfc5.fb
    c:\windows\system32\Cache\ad10a52aff5e038d.fb
    c:\windows\system32\Cache\c4d28dca2e7648be.fb
    c:\windows\system32\Cache\d201ef9910cd39de.fb
    c:\windows\system32\Cache\d2e94710a5708128.fb
    c:\windows\system32\Cache\d79b9dfe81484ec4.fb
    c:\windows\system32\Cache\e0de16f883bea794.fb
    J:\Autorun.inf
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_Updater Service for StartNow Toolbar
    -------\Service_Updater Service for StartNow Toolbar
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-29 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-29 02:25 . 2012-01-01 18:06 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2012-01-29 02:15 . 2012-01-29 02:15 -------- d-----w- c:\users\Gary\AppData\Roaming\Malwarebytes
    2012-01-29 02:15 . 2012-01-29 03:40 -------- d-----w- c:\programdata\Malwarebytes
    2012-01-29 02:15 . 2012-01-29 02:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-29 02:15 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-21 14:09 . 2012-01-21 14:09 -------- d-----w- c:\program files\iPod
    2012-01-15 00:10 . 2012-01-16 15:15 -------- d-----w- c:\users\Administrator
    2012-01-11 02:54 . 2011-10-14 16:00 23552 ----a-w- c:\windows\system32\mciseq.dll
    2012-01-11 02:54 . 2011-11-18 20:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
    2012-01-11 02:54 . 2011-12-01 15:21 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2012-01-01 18:03 . 2012-01-01 18:03 -------- d-----w- C:\MSI862d9.tmp
    2012-01-01 18:03 . 2012-01-01 18:03 -------- d-----w- C:\MSI80c41.tmp
    2012-01-01 17:25 . 2012-01-01 17:25 -------- d-----w- C:\MSI4ec23.tmp
    2012-01-01 17:23 . 2012-01-01 17:23 -------- d-----w- C:\MSI359e3.tmp
    2012-01-01 16:57 . 2012-01-01 16:57 197224 ----a-w- c:\windows\system32\drivers\RtsUStor.sys
    2012-01-01 16:55 . 2012-01-01 16:55 -------- d-----w- c:\program files\NVIDIA Corporation
    2012-01-01 16:45 . 2012-01-01 16:45 -------- d-----w- C:\MSI6d210.tmp
    2012-01-01 00:29 . 2012-01-01 00:30 -------- d-----w- c:\program files\K-Lite Codec Pack
    2011-12-31 23:54 . 2011-12-31 23:54 -------- d-----w- c:\programdata\NCH Software
    2011-12-31 23:54 . 2011-12-31 23:55 -------- d-----w- c:\users\Gary\AppData\Roaming\NCH Software
    2011-12-31 23:54 . 2011-12-31 23:54 -------- d-----w- c:\program files\NCH Software
    2011-12-31 23:51 . 2011-12-31 23:51 -------- d-----w- c:\program files\Ask.com
    2011-12-31 23:51 . 2011-12-31 23:51 -------- d-----w- c:\program files\FoxTabMusicConverter
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-01 16:57 . 2012-01-01 16:57 9888360 ----a-w- c:\windows\system32\RtsUStoricon.dll
    2012-01-01 16:57 . 2012-01-01 16:57 313960 ----a-w- c:\windows\system32\RtsUStor.dll
    2012-01-01 16:55 . 2012-01-01 16:55 215656 ----a-w- c:\windows\system32\NVCOSMB.DLL
    2012-01-01 16:55 . 2008-11-10 05:25 600680 ----a-w- c:\windows\system32\nvuninst.exe
    2011-12-27 18:35 . 2011-12-27 18:40 58696 ----a-w- c:\windows\system32\AOLParconLink.exe
    2011-12-14 20:51 . 2008-11-10 05:31 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2011-12-14 20:51 . 2008-11-10 05:51 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2011-12-14 11:38 . 2011-12-14 11:38 677136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2011-12-10 15:29 . 2011-12-10 15:29 485576 ----a-w- c:\users\Gary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
    2011-11-27 14:57 . 2011-07-25 12:23 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-25 15:59 . 2012-01-11 02:54 376320 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:37 . 2011-12-14 02:54 2043904 ----a-w- c:\windows\system32\win32k.sys
    2011-11-18 17:47 . 2012-01-11 02:54 66560 ----a-w- c:\windows\system32\packager.dll
    2011-11-08 14:42 . 2011-12-14 02:54 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-11-03 22:47 . 2011-12-14 11:05 1798144 ----a-w- c:\windows\system32\jscript9.dll
    2011-11-03 22:40 . 2011-12-14 11:05 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-11-03 22:39 . 2011-12-14 11:05 1127424 ----a-w- c:\windows\system32\wininet.dll
    2011-11-03 22:31 . 2011-12-14 11:05 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2011-11-03 20:06 . 2011-08-29 01:49 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2011-12-25 01:08 . 2011-11-20 15:43 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2010-11-29 22:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    2012-01-18 11:16 1811296 ----a-w- c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}]
    2010-11-29 22:26 3908192 ----a-w- c:\program files\MyAshampoo\tbMyAs.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    2011-05-09 09:49 176936 ----a-w- c:\program files\uTorrentBar\prxtbuTor.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2011-11-18 03:29 1515688 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{a1e75a0e-4397-4ba8-bb50-e19fb66890f4} "= "c:\program files\MyAshampoo\tbMyAs.dll" [2010-11-29 3908192]
    "{30F9B915-B755-4826-820B-08FBA6BD249D} "= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-11-29 3908192]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} "= "c:\program files\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]
    "{95B7759C-8C7F-4BF1-B163-73684A933233} "= "c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll" [2012-01-18 1811296]
    "{D4027C7F-154A-4066-A1AD-4243D8127440} "= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-11-18 1515688]
    .
    [HKEY_CLASSES_ROOT\clsid\{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}]
    .
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    .
    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    .
    [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{A1E75A0E-4397-4BA8-BB50-E19FB66890F4} "= "c:\program files\MyAshampoo\tbMyAs.dll" [2010-11-29 3908192]
    "{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} "= "c:\program files\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]
    "{30F9B915-B755-4826-820B-08FBA6BD249D} "= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-11-29 3908192]
    .
    [HKEY_CLASSES_ROOT\clsid\{a1e75a0e-4397-4ba8-bb50-e19fb66890f4}]
    .
    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    .
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar "= "c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "cdloader "= "c:\users\Gary\AppData\Roaming\mjusbsp\cdloader2.exe" [2011-08-23 50592]
    "ehTray.exe "= "c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "Messenger (Yahoo!) "= "c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2011-11-24 6497592]
    "WMPNSCFG "= "c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    "AOL Fast Start "= "c:\program files\AOL Desktop 9.7\AOL.EXE" [2011-12-14 42320]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "KBD "= "c:\program files\Hewlett-Packard\KBD\KbdStub.EXE" [2008-07-21 12288]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2008-09-27 13539872]
    "HP Health Check Scheduler "= "c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
    "DVDAgent "= "c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-09-09 1148200]
    "Apoint "= "c:\program files\DellTPad\Apoint.exe" [2011-10-02 292208]
    "APSDaemon "= "c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "vProt "= "c:\program files\AVG Secure Search\vprot.exe" [2012-01-18 939872]
    "ROC_roc_dec12 "= "c:\program files\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-18 928096]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2012-01-17 421736]
    "Malwarebytes' Anti-Malware "= "c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AppRemover2 "= "wscript.exe" [2009-04-11 155648]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle "= 0 (0x0)
    "DisableStartupSound "= 1 (0x1)
    "DisableStatusMessages "= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1 "=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @= "Service "
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @= "Driver "
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-11-03 20:06]
    .
    2012-01-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-09-28 12:34]
    .
    2012-01-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-09-28 12:34]
    .
    2012-01-27 c:\windows\Tasks\HPCeeScheduleForGary.job
    - c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-11-10 19:12]
    .
    2012-01-27 c:\windows\Tasks\PCDRScheduledMaintenance.job
    - c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2008-09-10 14:43]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: etrade.com\us
    Trusted Zone: magicjack.com\my
    Trusted Zone: talk4free.com\reg
    TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.0.6\ViProtocol.dll
    FF - ProfilePath - c:\users\Gary\AppData\Roaming\Mozilla\Firefox\Profiles\05lzepug.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2475029&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://finance.yahoo.com/p?k=pf_5
    FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=FTB&o=41648106&locale=en_US&apn_uid=57D92367-F4B5-4F7C-BD49-E7E52BDD3A45&apn_ptnrs=9C&apn_sauid=193CD7D7-2D18-49D5-A34C-E5511A0DFFFD&apn_dtid=YYYYYYYYUS&&q=
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-jLyiTUCQBK.exe - c:\programdata\jLyiTUCQBK.exe
    HKLM-RunOnce-AppRemover - wscript.exe c:\users\Gary\AppData\Local\Temp\AppRemover_RunBatchSilently.vbs
    AddRemove-StartNow Toolbar - c:\program files\StartNow Toolbar\StartNowToolbarUninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-29 14:25
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
    "ImagePath "= "\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms "
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Lavasoft\Ad-Aware\AAWService.exe
    c:\windows\system32\wbem\unsecapp.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-29 14:29:51 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-29 22:29
    .
    Pre-Run: 45,007,237,120 bytes free
    Post-Run: 72,154,177,536 bytes free
    .
    - - End Of File - - D10A4B26348934DDE40E6CFA40CF8004


    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 01/29/2012 at 14:35:05.
    Operating System: Windows Vista (TM) Home Premium


    Processes terminated by Rkill or while it was running:



    Rkill completed on 01/29/2012 at 14:35:07.
     
  19. 2012/01/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Firewall, never.

    Did you uninstall AVG as the instructions say?
    If yes run Combofix and disregard any warnings.
     
  20. 2012/01/29
    gpb59

    gpb59 Well-Known Member Thread Starter

    Joined:
    2012/01/28
    Messages:
    320
    Likes Received:
    0
    Yes, I uninstalled AVG; the Combofix and Rkill logs are above.
     
  21. 2012/01/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Uninstall Ask Toolbar, typical foistware.

    Combofix log looks good.

    How is the computer doing?

    You can reinstall AVG now (assuming Lavasoft has been uninstalled previously).

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
