
Inactive Google redirect and other random pop-ups

Discussion in 'Malware and Virus Removal Archive' started by jsmedina, 2010/01/19.

  1. 2010/01/19
    jsmedina (Thread Starter)

    Hello,

    When trying to use Google I always get sent to the wrong site when clicking a link. Also, when browsing the web I get random pop-ups from sites I know do not have pop-ups.

    I am using Windows Vista and Firefox.

    Here are my DDS logs:

    DDS (Ver_09-12-01.01) - NTFSx86
    Run by John at 5:44:30.46 on Tue 01/19/2010
    Internet Explorer: 8.0.6001.18865 BrowserJavaVersion: 1.6.0_17
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2046.1173 [GMT -5:00]

    SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\AVG\AVG9\avgtray.exe
    C:\Program Files\BOINC\boincmgr.exe
    C:\Program Files\BOINC\boinctray.exe
    C:\Program Files\RssReader\RssReader.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Secunia\PSI\psi.exe
    C:\Program Files\BOINC\boinc.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Users\John\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [RssReader] c:\program files\rssreader\RssReader.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [boincmgr] "c:\program files\boinc\boincmgr.exe" /a /s
    mRun: [boinctray] "c:\program files\boinc\boinctray.exe "
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: intuit.com\ttlc
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    AppInit_DLLs: c:\windows\system32\0023.DLL
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\john\appdata\roaming\mozilla\firefox\profiles\exeng1ud.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\users\john\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-28 333192]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-28 28424]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-28 360584]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-10-30 906520]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-10-30 285392]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-10-3 1153368]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-8-21 66592]
    R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
    S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2009-1-29 6016]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-18 21504]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-6-19 19712]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-1-29 8320]
    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-5-8 42752]
    S3 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2009-10-9 91392]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]

    =============== Created Last 30 ================

    2010-01-19 10:29:47 0 d-----w- c:\programdata\RegAce
    2010-01-19 10:29:45 0 d-----w- c:\program files\RegAce
    2010-01-19 07:24:30 0 d-----w- c:\program files\TrendMicro
    2010-01-18 15:12:15 0 d-----w- c:\users\john\appdata\roaming\Malwarebytes
    2010-01-18 15:12:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-18 15:12:10 0 d-----w- c:\programdata\Malwarebytes
    2010-01-18 15:12:09 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-18 15:12:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-18 09:44:09 0 d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-01-18 09:43:57 0 d-----w- c:\users\john\appdata\roaming\SUPERAntiSpyware.com
    2010-01-18 09:43:57 0 d-----w- c:\program files\SUPERAntiSpyware
    2010-01-18 09:43:23 0 d-----w- c:\program files\common files\Wise Installation Wizard
    2010-01-18 08:48:44 6435 ----a-w- c:\windows\system32\WORK.DAT
    2010-01-18 08:44:12 338 ----a-w- c:\users\john\appdata\roaming\settings.dat
    2010-01-14 09:38:20 72704 ----a-w- c:\windows\system32\fontsub.dll
    2010-01-14 09:38:20 156672 ----a-w- c:\windows\system32\t2embed.dll
    2010-01-12 03:03:32 0 d-----w- c:\program files\SystemRequirementsLab
    2010-01-12 02:55:34 0 d-sh--w- c:\windows\system32\%APPDATA%
    2010-01-11 08:01:42 0 d-----w- c:\program files\WiiScrubber
    2010-01-04 01:04:22 0 d---a-w- c:\program files\r4ysauto
    2010-01-03 21:17:32 0 d-----w- c:\users\john\appdata\roaming\AccurateRip
    2010-01-03 21:17:26 0 d-----w- c:\program files\Exact Audio Copy
    2010-01-03 21:13:50 0 d-----w- c:\program files\LAME
    2010-01-02 09:30:09 0 d-----w- c:\programdata\Apple Computer
    2010-01-02 09:29:19 0 d-----w- c:\programdata\Apple
    2009-12-30 14:39:21 0 d-----w- c:\users\john\appdata\roaming\Intuit
    2009-12-30 14:39:12 0 d-----w- c:\program files\common files\AnswerWorks 5.0
    2009-12-30 14:34:43 0 d-----w- c:\programdata\Intuit
    2009-12-30 14:34:38 0 d-----w- c:\program files\common files\Intuit
    2009-12-30 14:34:14 0 d-----w- c:\program files\TurboTax
    2009-12-30 07:36:38 0 d-----w- c:\windows\system32\RTCOM

    ==================== Find3M ====================

    2010-01-12 08:12:14 86016 ----a-w- c:\windows\inf\infstor.dat
    2010-01-12 08:12:14 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-01-12 08:12:14 143360 ----a-w- c:\windows\inf\infstrng.dat
    2009-12-30 07:35:25 319456 ----a-w- c:\windows\DIFxAPI.dll
    2009-12-11 06:17:14 795104 ----a-w- c:\windows\system32\dpinst.exe
    2009-12-11 06:17:14 219752 ----a-w- c:\windows\system32\nvcod187.dll
    2009-12-10 18:31:10 1539104 ----a-w- c:\windows\system32\RtkPgExt.dll
    2009-12-10 18:31:04 56864 ----a-w- c:\windows\system32\RtkCoInst.dll
    2009-12-10 18:31:04 367136 ----a-w- c:\windows\system32\RtkApoApi.dll
    2009-12-10 18:30:58 2796576 ----a-w- c:\windows\system32\RtkAPO.dll
    2009-12-10 16:33:34 2975904 ----a-w- c:\windows\system32\drivers\RTKVHDA.sys
    2009-12-09 03:03:42 811776 ----a-w- c:\windows\boinc.scr
    2009-12-04 17:26:12 297376 ----a-w- c:\windows\system32\FMAPO.dll
    2009-12-04 14:43:54 132368 ----a-w- c:\windows\system32\MaxxAudioAPO.dll
    2009-11-24 16:40:20 838176 ----a-w- c:\windows\RtlExUpd.dll
    2009-11-24 08:55:08 345328 ----a-w- c:\windows\system32\SRSTSXT.dll
    2009-11-24 08:55:08 185584 ----a-w- c:\windows\system32\SRSTSHD.dll
    2009-11-24 08:55:08 173296 ----a-w- c:\windows\system32\SRSHP360.dll
    2009-11-24 08:55:08 140528 ----a-w- c:\windows\system32\SRSWOW.dll
    2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
    2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-11-21 01:33:00 812648 ----a-w- c:\windows\system32\nvsvc.dll
    2009-11-21 01:33:00 12685928 ----a-w- c:\windows\system32\nvcpl.dll
    2009-11-21 01:33:00 122984 ----a-w- c:\windows\system32\nvvsvc.exe
    2009-11-21 01:33:00 110184 ----a-w- c:\windows\system32\nvmctray.dll
    2009-11-20 02:42:56 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
    2009-11-18 17:42:48 311568 ----a-w- c:\windows\system32\MaxxAudioAPO20.dll
    2009-11-18 17:42:48 1938704 ----a-w- c:\windows\system32\MaxxAudioEQ.dll
    2009-11-18 17:42:48 1783056 ----a-w- c:\windows\system32\WavesLib.dll
    2009-11-17 17:13:36 96160 ----a-w- c:\windows\system32\AERTARen.dll
    2009-11-17 17:10:14 146336 ----a-w- c:\windows\system32\AERTACap.dll
    2009-11-14 04:24:00 1323624 ----a-w- c:\windows\system32\nvsvcr.dll
    2009-11-13 14:16:02 73216 ----a-w- c:\windows\system32\RTEEL32A.dll
    2009-11-13 14:16:02 59392 ----a-w- c:\windows\system32\RTEEG32A.dll
    2009-11-13 14:16:02 348160 ----a-w- c:\windows\system32\RTEEP32A.dll
    2009-11-13 14:16:02 165376 ----a-w- c:\windows\system32\RTEED32A.dll
    2009-11-03 21:43:29 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2009-11-03 21:42:10 30720 ----a-w- c:\windows\system32\httpapi.dll
    2009-11-03 16:33:54 1716297 ----a-w- c:\windows\system32\InetClnt.dll
    2009-11-03 16:33:52 52424 ----a-w- c:\windows\fonts\QT2M_P.TTF
    2009-11-03 16:33:52 35632 ----a-w- c:\windows\fonts\QT2_I.TTF
    2009-11-03 16:33:52 35064 ----a-w- c:\windows\fonts\QT2C_P.TTF
    2009-11-03 16:33:52 32764 ----a-w- c:\windows\fonts\QT2C_B.TTF
    2009-11-03 16:33:52 32012 ----a-w- c:\windows\fonts\QT2C_I.TTF
    2009-11-03 16:33:52 31276 ----a-w- c:\windows\fonts\QT2_B.TTF
    2009-11-03 16:33:52 30892 ----a-w- c:\windows\fonts\QT2_P.TTF
    2009-11-03 16:33:52 28532 ----a-w- c:\windows\fonts\OCRA2_P.TTF
    2009-11-03 16:33:52 24612 ----a-w- c:\windows\fonts\OCRBMT.TTF
    2009-11-03 16:33:52 20900 ----a-w- c:\windows\fonts\QT2PI_P.TTF
    2009-10-30 12:07:12 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-10-29 09:17:42 2048 ----a-w- c:\windows\system32\tzres.dll
    2009-10-29 05:40:26 665600 ----a-w- c:\windows\inf\drvindex.dat
    2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2008-06-18 14:38:39 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

    ============= FINISH: 5:45:23.58 ===============

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft® Windows Vista™ Home Basic
    Boot Device: \Device\HarddiskVolume2
    Install Date: 9/28/2009 6:53:39 PM
    System Uptime: 1/19/2010 5:04:22 AM (0 hours ago)

    Motherboard: ASUSTeK Computer INC. | | M3N-HD/HDMI
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | Socket AM2 | 2200/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 466 GiB total, 255.256 GiB free.
    D: is FIXED (NTFS) - 466 GiB total, 19.66 GiB free.
    E: is FIXED (NTFS) - 279 GiB total, 79.917 GiB free.
    F: is FIXED (NTFS) - 149 GiB total, 20.111 GiB free.
    G: is FIXED (NTFS) - 93 GiB total, 93.054 GiB free.
    H: is FIXED (NTFS) - 466 GiB total, 24.217 GiB free.
    I: is CDROM ()
    J: is FIXED (NTFS) - 932 GiB total, 3.841 GiB free.
    K: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================


    ==== Installed Programs ======================


    µTorrent
    32 Bit HP CIO Components Installer
    7-Zip 4.65
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3
    AIO_CDA_ProductContext
    AIO_CDA_Software
    AIO_Scan
    Apple Application Support
    Apple Software Update
    AVG Free 9.0
    BOINC
    BufferChm
    C7100
    c7100_Help
    clrmamepro
    Cool & Quiet
    Copy
    Coupon Printer for Windows
    CustomerResearchQFolder
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    DHTML Editing Component
    DocProc
    DocProcQFolder
    eSupportQFolder
    Exact Audio Copy 0.99pb5
    Fax
    GetDiz 4.5
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Customer Participation Program 8.0
    HP Imaging Device Functions 8.0
    HP OCR Software 8.0
    HP Photosmart Essential
    HP Photosmart.All-In-One Driver Software 8.0 .A
    HP Product Assistant
    HP Solution Center 8.0
    HP Update
    HPProductAssistant
    HPSSupply
    ImgBurn
    iSEEK AnswerWorks English Runtime
    Java(TM) 6 Update 17
    Junk Mail filter update
    Malwarebytes' Anti-Malware
    MarketResearch
    Microsoft .NET Framework 3.5 SP1
    Microsoft Choice Guard
    Microsoft Money 2007 Home & Business
    Microsoft Money Shared Libraries
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Motorola Driver Installation 4.2.0
    Motorola Software Update
    Mozilla Firefox (3.5.7)
    Mozilla Thunderbird (2.0.0.23)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NVIDIA Display Control Panel
    NVIDIA Drivers
    OpenOffice.org 3.1
    QuickTime
    Realtek High Definition Audio Driver
    Scan
    Secunia PSI
    SolutionCenter
    Spybot - Search & Destroy
    Status
    SUPERAntiSpyware Free Edition
    System Requirements Lab
    Toolbox
    TrayApp
    TurboTax 2009
    TurboTax 2009 WinPerFedFormset
    TurboTax 2009 WinPerReleaseEngine
    TurboTax 2009 WinPerTaxSupport
    TurboTax 2009 wrapper
    Unity Web Player
    UnloadSupport
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    VLC media player 1.0.3
    WebReg
    Windows Live Essentials
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Live Writer
    WinRAR archiver

    ==== End Of File ===========================

    I thank you in advance for your help,
    JSMedina
     
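The DDS output above is what the helper is reading. As an added example (not part of the original thread, and not code from DDS or HijackThis), here is a small Python triage script that flags the entries in it a practitioner would look at first: the AppInit_DLLs load point, the UAC policy values set to 0, a non-default Hosts entry, and a Firefox default search URL that does not point at a mainstream engine. The sample input is constructed from lines copied out of the log above plus one benign line; the severity labels and the list of "known" search hosts are my own assumptions.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse

Finding = namedtuple("Finding", "severity category detail")

# Constructed sample: lines copied from the DDS "Pseudo HJT" and HijackThis
# output in the thread, plus one benign mRun line.
SAMPLE_LOG = r"""
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
AppInit_DLLs: c:\windows\system32\0023.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
O1 - Hosts: ::1 localhost
O20 - AppInit_DLLs: C:\Windows\system32\0023.DLL
"""

# Assumption: search hosts a stock Firefox/IE profile of that era would use.
KNOWN_SEARCH_HOSTS = ("google.com", "bing.com", "yahoo.com", "live.com", "microsoft.com")
# Hosts-file names present on a clean Vista install (DDS only prints the rest).
DEFAULT_HOSTS_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

APPINIT_RE = re.compile(r"^(?:O20 - )?AppInit_DLLs:\s*(.+?)\s*$", re.I)
POLICY_RE = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)", re.I)
HOSTS_RE = re.compile(r"^(?:O1 - )?Hosts:\s*(\S+)\s+(\S+)", re.I)
SEARCH_RE = re.compile(r"^FF - prefs\.js: browser\.search\.defaulturl - (\S+)", re.I)


def _refang(url):
    # DDS/HJT write hxxp:// so URLs are not clickable; undo that for parsing.
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def triage_line(line):
    """Return a Finding for one log line, or None if the line looks benign."""
    line = line.strip()
    m = APPINIT_RE.match(line)
    if m:
        # Any DLL here is injected into every process that loads user32.dll.
        return Finding("high", "appinit_dll", m.group(1).lower())
    m = POLICY_RE.match(line)
    if m:
        name, value = m.group(1).lower(), int(m.group(2))
        if name == "enablelua" and value == 0:
            return Finding("high", "uac_disabled", "EnableLUA = 0")
        if name == "consentpromptbehavioradmin" and value == 0:
            return Finding("medium", "uac_silent_elevate", "ConsentPromptBehaviorAdmin = 0")
        return None  # ConsentPromptBehaviorUser = 0 is auto-deny, not a weakness
    m = HOSTS_RE.match(line)
    if m:
        ip, name = m.groups()
        if name.lower() not in DEFAULT_HOSTS_NAMES:
            return Finding("medium", "hosts_override", f"{name} -> {ip}")
        return None
    m = SEARCH_RE.match(line)
    if m:
        host = (urlparse(_refang(m.group(1))).hostname or "").lower()
        if not host:
            return None
        if not any(host == k or host.endswith("." + k) for k in KNOWN_SEARCH_HOSTS):
            return Finding("medium", "search_hijack", host)
        return None
    return None


def triage(text):
    """Triage a whole log; the same indicator listed by both DDS and HJT is reported once."""
    seen, findings = set(), []
    for line in text.splitlines():
        f = triage_line(line)
        if f and (f.category, f.detail) not in seen:
            seen.add((f.category, f.detail))
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.category:20} {f.detail}")
```

Run against the sample it reports five findings; the two AppInit_DLLs lines (DDS and HJT spell the same path differently) collapse to one because paths are compared case-insensitively.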
  2. 2010/01/19
    crunchie
    Hi. Please run MalwareBytes Anti-Malware and update it.
    Run a full scan when done and remove what the scan finds.
    Reboot the computer and post the MBA-M log please.

    Download HijackThis Executable 2.0.2 from here. Save it to your desktop.
    Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and then go to the format Tab and make sure that wordwrap is unchecked. Copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.
     


  4. 2010/01/19
    jsmedina (Thread Starter)
    Here are the log files you asked for.

    Malwarebytes' Anti-Malware 1.44
    Database version: 3597
    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18865

    1/19/2010 10:09:16 AM
    mbam-log-2010-01-19 (10-09-16).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 214116
    Time elapsed: 51 minute(s), 27 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:09:59 AM, on 1/19/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18865)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\AVG\AVG9\avgtray.exe
    C:\Program Files\BOINC\boincmgr.exe
    C:\Program Files\BOINC\boinctray.exe
    C:\Program Files\RssReader\RssReader.exe
    C:\Program Files\Secunia\PSI\psi.exe
    C:\Program Files\BOINC\boinc.exe
    C:\ProgramData\BOINC\projects\www.chess960athome.org_alpha\chess960_1.26_windows_intelx86.exe
    C:\Windows\system32\cmd.exe
    C:\ProgramData\BOINC\slots\7\engine_r7.exe
    C:\Users\John\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [boincmgr] "C:\Program Files\BOINC\boincmgr.exe" /a /s
    O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe "
    O4 - HKCU\..\Run: [RssReader] C:\Program Files\RssReader\RssReader.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - AppInit_DLLs: C:\Windows\system32\0023.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: MotoConnect Service - Unknown owner - C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

    --
    End of file - 4951 bytes
     
  5. 2010/01/19
    crunchie
    Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

    C:\Windows\system32\0023.DLL
     
  6. 2010/01/19
    jsmedina (Thread Starter)
    I went to Jotti's to try and scan the file but the file is not in my system32 directory. I did a search of my C: drive and still not found.
     
  7. 2010/01/19
    crunchie
    Can you make sure that you have hidden files/folders set to show by going to the Control Panel > Folder Options and on the 'View' Tab, put a check in the radio button next to the 'Show hidden files and folders.'
    Apply the setting and then see if the file can be found.
     
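A log line naming a file that then cannot be found in Explorer is exactly the case where a script is more trustworthy than a folder view, because os.stat does not care about the hidden and system attributes the View tab controls. This is an added example, not from the original thread or from any of the tools named in it: it reports whether the path exists at all, its attribute bits (populated on Windows only), and its SHA-256, which is the hash VirusTotal or Jotti can be queried with, and on Windows it reads the AppInit_DLLs value straight from the registry rather than trusting what the log printed. The default target path is the one from the log; the registry key is the documented AppInit_DLLs location; treating a missing LoadAppInit_DLLs value as "unknown" rather than guessing the OS default is an assumption.

```python
import hashlib
import os
import sys

# Bits of os.stat(...).st_file_attributes on Windows (Win32 FILE_ATTRIBUTE_* values).
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


def sha256_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so a large binary need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def describe_file(path):
    """Return None if the path does not exist at all, else size, attribute flags and hash.

    os.stat ignores hidden/system attributes, so None means "not on disk",
    not "hidden from Explorer"."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    attrs = getattr(st, "st_file_attributes", 0)  # only present on Windows
    return {
        "size": st.st_size,
        "hidden": bool(attrs & FILE_ATTRIBUTE_HIDDEN),
        "system": bool(attrs & FILE_ATTRIBUTE_SYSTEM),
        "sha256": sha256_file(path),
    }


def appinit_dlls_from_registry():
    """Read the AppInit_DLLs load point directly (Windows only).

    Returns (load_enabled, [paths]); load_enabled is None when LoadAppInit_DLLs
    is absent (assumption: do not guess the per-OS default). Returns None off Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows")
    try:
        try:
            value, _ = winreg.QueryValueEx(key, "AppInit_DLLs")
        except FileNotFoundError:
            value = ""
        try:
            load, _ = winreg.QueryValueEx(key, "LoadAppInit_DLLs")
            load = bool(load)
        except FileNotFoundError:
            load = None
    finally:
        winreg.CloseKey(key)
    # The value is a space- or comma-separated list of DLL paths.
    paths = [p for p in value.replace(",", " ").split() if p]
    return load, paths


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\system32\0023.DLL"
    info = describe_file(target)
    if info is None:
        print(f"{target}: not present on disk (hidden/system attributes would not hide it here)")
    else:
        print(f"{target}: {info['size']} bytes hidden={info['hidden']} "
              f"system={info['system']} sha256={info['sha256']}")
    reg = appinit_dlls_from_registry()
    if reg is not None:
        print(f"LoadAppInit_DLLs={reg[0]} AppInit_DLLs={reg[1]}")
```

If the script says the file is not present but the registry still lists it, the load point is stale or the file was removed by one of the scanners already run; either way the registry value, not the file, is what still needs cleaning.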
  8. 2010/01/19
    jsmedina (Thread Starter)
    I went and made sure I had 'Show hidden files and folders' checked and looked for the file again. I still cannot locate it.
     
  9. 2010/01/19
    crunchie
    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
    • Re-enable all the programs that were disabled during the running of ComboFix..

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
     
  10. 2010/01/19
    jsmedina (Thread Starter)
    Here's my ComboFix log and a new HJT log

    ComboFix 10-01-19.03 - John 01/19/2010 23:57:23.1.2 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2046.1238 [GMT -5:00]
    Running from: c:\users\John\Desktop\ComboFix.exe
    SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\$recycle.bin\S-1-5-21-2365545147-1999384947-2466353664-500
    c:\program files\temp
    c:\windows\COUPON~1.OCX
    c:\windows\CouponPrinter.ocx
    c:\windows\system32\WORK.DAT

    .
    ((((((((((((((((((((((((( Files Created from 2009-12-20 to 2010-01-20 )))))))))))))))))))))))))))))))
    .

    2010-01-20 02:30 . 2010-01-20 02:30 83 ----a-w- c:\programdata\BOINC\slots\1\pthreadGCE2.dll
    2010-01-20 02:30 . 2010-01-20 02:30 80 ----a-w- c:\programdata\BOINC\slots\1\mingwm10.dll
    2010-01-20 02:30 . 2010-01-20 02:30 79 ----a-w- c:\programdata\BOINC\slots\1\perl510.dll
    2010-01-20 02:30 . 2010-01-20 02:30 106 ----a-w- c:\programdata\BOINC\slots\1\freehalboinc_1.25_windows_intelx86.exe
    2010-01-20 02:24 . 2010-01-20 02:24 98 ----a-w- c:\programdata\BOINC\slots\6\trajtou-cu111_5.40_windows_intelx86.exe
    2010-01-19 21:52 . 2010-01-20 03:18 -------- d-----w- c:\users\John\AppData\Local\Adobe
    2010-01-19 20:13 . 2010-01-19 11:08 1872884 ----a-w- c:\programdata\BOINC\slots\3\cygwin1.dll
    2010-01-19 20:13 . 2010-01-19 11:06 536064 ----a-w- c:\programdata\BOINC\slots\3\7za.exe
    2010-01-19 20:13 . 2010-01-19 11:09 4281156 ----a-w- c:\programdata\BOINC\slots\3\mdrun.exe
    2010-01-19 20:13 . 2010-01-19 11:06 591360 ----a-w- c:\programdata\BOINC\slots\3\cygblas.dll
    2010-01-19 20:13 . 2010-01-19 11:07 1687506 ----a-w- c:\programdata\BOINC\slots\3\tpbconv.exe
    2010-01-19 20:13 . 2010-01-19 11:07 1000960 ----a-w- c:\programdata\BOINC\slots\3\cygiconv-2.dll
    2010-01-19 20:13 . 2010-01-19 11:06 158208 ----a-w- c:\programdata\BOINC\slots\3\cygreadline6.dll
    2010-01-19 20:13 . 2010-01-19 20:13 102 ----a-w- c:\programdata\BOINC\slots\3\mdrun_0.739_windows_intelx86.exe
    2010-01-19 20:13 . 2010-01-19 11:06 800768 ----a-w- c:\programdata\BOINC\slots\3\cygfftw3-3.dll
    2010-01-19 20:13 . 2010-01-19 11:06 242688 ----a-w- c:\programdata\BOINC\slots\3\cygncurses-8.dll
    2010-01-19 20:13 . 2010-01-19 11:05 31744 ----a-w- c:\programdata\BOINC\slots\3\cygintl-8.dll
    2010-01-19 19:25 . 2010-01-19 19:27 1735680 ----a-w- c:\programdata\BOINC\projects\freehal.net_freehal_at_home\freehalboinc_1.25_windows_intelx86.exe
    2010-01-19 13:17 . 2010-01-19 13:17 72 ----a-w- c:\programdata\BOINC\slots\9\devil.dll
    2010-01-19 13:17 . 2010-01-19 13:17 71 ----a-w- c:\programdata\BOINC\slots\9\ilut.dll
    2010-01-19 13:17 . 2010-01-19 13:17 70 ----a-w- c:\programdata\BOINC\slots\9\ilu.dll
    2010-01-19 13:17 . 2010-01-19 13:17 105 ----a-w- c:\programdata\BOINC\slots\12\tcape-crossing_5.63_windows_intelx86.exe
    2010-01-19 12:36 . 2010-01-19 12:36 96 ----a-w- c:\programdata\BOINC\slots\8\amiloide_1.57_windows_intelx86.exe
    2010-01-19 12:36 . 2010-01-19 12:36 82 ----a-w- c:\programdata\BOINC\slots\8\autodock4.exe
    2010-01-19 12:36 . 2010-01-19 12:36 76 ----a-w- c:\programdata\BOINC\slots\8\7z.exe
    2010-01-19 12:36 . 2010-01-19 12:36 73 ----a-w- c:\programdata\BOINC\slots\8\cygwin1.dll
    2010-01-19 12:18 . 2010-01-19 12:18 159744 ----a-w- c:\programdata\BOINC\projects\boinc.almeregrid.nl\vtwns_t460x64-SET2B_unzip.exe
    2010-01-19 11:05 . 2010-01-19 11:09 4281156 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\mdrun_s_0.739_windows_intelx86.exe
    2010-01-19 11:05 . 2010-01-19 11:08 1872884 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\cygwin1_0.739_windows_intelx86.dll
    2010-01-19 11:05 . 2010-01-19 11:07 1687506 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\tpbconv_0.739_windows_intelx86.exe
    2010-01-19 11:05 . 2010-01-19 11:07 1000960 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\cygiconv-2_0.739_windows_intelx86.dll
    2010-01-19 11:05 . 2010-01-19 11:07 885760 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\mdrun_0.739_windows_intelx86.exe
    2010-01-19 11:05 . 2010-01-19 11:06 800768 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\cygfftw3-3_0.739_windows_intelx86.dll
    2010-01-19 11:05 . 2010-01-19 11:06 536064 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\7za_0.739_windows_intelx86.exe
    2010-01-19 11:05 . 2010-01-19 11:06 591360 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\cygblas_0.739_windows_intelx86.dll
    2010-01-19 11:05 . 2010-01-19 11:06 242688 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\cygncurses-8_0.739_windows_intelx86.dll
    2010-01-19 11:05 . 2010-01-19 11:06 158208 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\cygreadline6_0.739_windows_intelx86.dll
    2010-01-19 11:05 . 2010-01-19 11:05 31744 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\cygintl-8_0.739_windows_intelx86.dll
    2010-01-19 10:29 . 2010-01-19 10:29 -------- d-----w- c:\programdata\RegAce
    2010-01-19 10:29 . 2010-01-19 10:33 -------- d-----w- c:\program files\RegAce
    2010-01-19 07:24 . 2010-01-19 07:24 -------- d-----w- c:\program files\TrendMicro
    2010-01-19 03:50 . 2010-01-19 03:50 104 ----a-w- c:\programdata\BOINC\slots\0\minirosetta_2.05_windows_intelx86.exe
    2010-01-18 16:21 . 2010-01-18 16:24 10018816 ----a-w- c:\programdata\BOINC\projects\boinc.bakerlab.org_rosetta\minirosetta_2.05_windows_intelx86.exe
    2010-01-18 15:12 . 2010-01-18 15:12 -------- d-----w- c:\users\John\AppData\Roaming\Malwarebytes
    2010-01-18 15:12 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-18 15:12 . 2010-01-18 15:12 -------- d-----w- c:\programdata\Malwarebytes
    2010-01-18 15:12 . 2010-01-18 15:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-18 15:12 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-18 13:20 . 2009-12-22 14:44 3776280 ----a-w- c:\programdata\avg9\update\backup\setup.exe
    2010-01-18 09:45 . 2010-01-18 09:45 52224 ----a-w- c:\users\John\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-01-18 09:45 . 2010-01-19 08:03 117760 ----a-w- c:\users\John\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-01-18 09:44 . 2010-01-18 09:44 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-01-18 09:43 . 2010-01-19 08:02 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-01-18 09:43 . 2010-01-18 09:43 -------- d-----w- c:\users\John\AppData\Roaming\SUPERAntiSpyware.com
    2010-01-18 09:43 . 2010-01-18 09:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-01-17 21:32 . 2010-01-17 21:32 89 ----a-w- c:\programdata\BOINC\slots\14\abc_sieve_2.00_windows_intelx86.exe
    2010-01-17 00:33 . 2010-01-17 00:33 111 ----a-w- c:\programdata\BOINC\slots\5\einstein_S5R6_3.01_windows_intelx86__S5R6sse2.exe
    2010-01-16 19:57 . 2010-01-16 19:57 76 ----a-w- c:\programdata\BOINC\slots\2\msvcr71.dll
    2010-01-16 19:57 . 2010-01-16 19:57 76 ----a-w- c:\programdata\BOINC\slots\2\msvcp71.dll
    2010-01-16 15:39 . 2010-01-16 15:42 11293390 ----a-w- c:\programdata\BOINC\projects\einstein.phys.uwm.edu\einstein_S5R6_3.01_windows_intelx86__S5R6sse2.exe
    2010-01-14 09:38 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
    2010-01-14 09:38 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
    2010-01-14 02:03 . 2010-01-14 02:04 821248 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\graphics_1.068_windows_intelx86.exe
    2010-01-14 02:03 . 2010-01-14 02:04 885760 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\autodock_mgl_1.068_windows_intelx86.exe
    2010-01-12 03:03 . 2010-01-12 03:03 -------- d-----w- c:\program files\SystemRequirementsLab
    2010-01-12 03:03 . 2010-01-12 03:03 -------- d-----w- c:\users\John\AppData\Roaming\SystemRequirementsLab
    2010-01-12 03:03 . 2010-01-12 03:03 290816 ----a-w- c:\users\John\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_4.dll
    2010-01-12 03:03 . 2010-01-12 03:03 290816 ----a-w- c:\users\John\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_3.dll
    2010-01-12 03:03 . 2010-01-12 03:03 290816 ----a-w- c:\users\John\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_2.dll
    2010-01-12 03:03 . 2010-01-12 03:03 290816 ----a-w- c:\users\John\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_1.dll
    2010-01-12 02:55 . 2010-01-12 02:55 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2010-01-11 08:01 . 2010-01-11 08:06 -------- d-----w- c:\program files\WiiScrubber
    2010-01-10 19:38 . 2010-01-10 19:38 108 ----a-w- c:\programdata\BOINC\slots\4\collatz_2.00_windows_intelx86__sse.exe
    2010-01-05 11:29 . 2010-01-05 11:29 167936 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\unzip_1.061_windows_intelx86.exe
    2010-01-04 01:04 . 2010-01-04 01:06 -------- d---a-w- c:\program files\r4ysauto
    2010-01-03 21:35 . 2010-01-08 06:26 -------- d-----w- c:\users\John\AppData\Roaming\vlc
    2010-01-03 21:17 . 2010-01-03 21:34 -------- d-----w- c:\users\John\AppData\Roaming\AccurateRip
    2010-01-03 21:17 . 2010-01-03 21:17 -------- d-----w- c:\program files\Exact Audio Copy
    2010-01-03 21:13 . 2010-01-03 21:13 -------- d-----w- c:\program files\LAME
    2010-01-03 07:44 . 2010-01-03 07:44 98 ----a-w- c:\programdata\BOINC\slots\16\wrapper_2.14_windows_intelx86.exe
    2010-01-03 07:44 . 2009-07-31 19:53 555384 ----a-w- c:\programdata\BOINC\slots\16\dnetc.exe
    2010-01-02 09:30 . 2010-01-02 09:30 -------- d-----w- c:\program files\QuickTime
    2010-01-02 09:30 . 2010-01-02 09:30 -------- d-----w- c:\programdata\Apple Computer
    2010-01-02 09:29 . 2010-01-02 09:29 -------- d-----w- c:\program files\Common Files\Apple
    2010-01-02 09:29 . 2010-01-02 09:29 -------- d-----w- c:\programdata\Apple
    2010-01-02 09:29 . 2010-01-02 09:29 -------- d-----w- c:\program files\Apple Software Update
    2010-01-02 05:37 . 2010-01-02 05:44 5003776 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\cyglapack_1.057_windows_intelx86.dll
    2010-01-02 05:37 . 2010-01-02 05:43 4327498 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\grompp_1.057_windows_intelx86.exe
    2010-01-02 05:37 . 2010-01-02 05:43 1872884 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\cygwin1_1.058_windows_intelx86.dll
    2010-01-02 05:37 . 2010-01-02 05:42 2117632 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\python25_1.057_windows_intelx86.dll
    2010-01-02 05:37 . 2010-01-02 05:42 4281156 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\mdrun_s_1.057_windows_intelx86.exe
    2010-01-02 05:37 . 2010-01-02 05:41 1280000 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\7za_1.057_windows_intelx86.exe
    2010-01-02 05:37 . 2010-01-02 05:39 476425 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\autogrid_1.057_windows_intelx86.exe
    2010-01-02 05:37 . 2010-01-02 05:39 348160 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\MSVCR71_1.057_windows_intelx86.DLL
    2010-01-02 05:37 . 2010-01-02 05:39 591360 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\cygblas_1.057_windows_intelx86.dll
    2010-01-02 05:37 . 2010-01-02 05:38 455621 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\autodock_1.057_windows_intelx86.exe
    2010-01-02 05:37 . 2010-01-02 05:38 135168 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\zip_1.057_windows_intelx86.exe
    2009-12-30 14:39 . 2009-12-30 14:39 -------- d-----w- c:\users\John\AppData\Roaming\Intuit
    2009-12-30 14:39 . 2009-12-30 14:39 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0
    2009-12-30 14:34 . 2009-12-30 14:36 -------- d-----w- c:\programdata\Intuit
    2009-12-30 14:34 . 2009-12-30 14:34 -------- d-----w- c:\users\John\AppData\Local\IsolatedStorage
    2009-12-30 14:34 . 2009-12-30 14:38 -------- d-----w- c:\program files\Common Files\Intuit
    2009-12-30 14:34 . 2009-12-30 14:34 -------- d-----w- c:\program files\TurboTax
    2009-12-30 07:36 . 2009-12-30 07:36 -------- d-----w- c:\windows\system32\RTCOM
    2009-12-27 05:38 . 2009-12-27 05:40 2775594 ----a-w- c:\programdata\BOINC\projects\registro.ibercivis.es\wrapper_1.53_windows_intelx86.exe
    2009-12-27 05:38 . 2009-12-27 05:39 181248 ----a-w- c:\programdata\BOINC\projects\registro.ibercivis.es\simupillar_1.53_windows_intelx86.exe
    2009-12-27 05:38 . 2009-12-27 05:39 158720 ----a-w- c:\programdata\BOINC\projects\registro.ibercivis.es\nextstage_1.53_windows_intelx86.exe
    2009-12-27 05:38 . 2009-12-27 05:39 165888 ----a-w- c:\programdata\BOINC\projects\registro.ibercivis.es\nexttolueno_1.53_windows_intelx86.exe
    2009-12-27 05:38 . 2009-12-27 05:39 203264 ----a-w- c:\programdata\BOINC\projects\registro.ibercivis.es\simutolueno_1.53_windows_intelx86.exe
    2009-12-27 05:38 . 2009-12-27 05:39 164864 ----a-w- c:\programdata\BOINC\projects\registro.ibercivis.es\unzip_1.53_windows_intelx86.exe
    2009-12-27 05:38 . 2009-12-27 05:39 84480 ----a-w- c:\programdata\BOINC\projects\registro.ibercivis.es\zip_1.53_windows_intelx86.exe
    2009-12-22 14:45 . 2009-12-22 14:44 4043544 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
    2009-12-22 14:45 . 2009-12-31 13:50 3966744 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
    2009-12-21 12:45 . 2009-12-21 12:45 422912 ----a-w- c:\programdata\BOINC\projects\www.primegrid.com\primegrid_ap26_1.04_windows_intelx86.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-20 05:06 . 2009-09-29 02:03 -------- d-----w- c:\programdata\BOINC
    2010-01-20 04:26 . 2009-09-28 20:48 -------- d-----w- c:\program files\RssReader
    2010-01-20 04:05 . 2009-09-28 20:44 -------- d-----w- c:\program files\clrmamepro
    2010-01-20 02:35 . 2009-09-28 20:50 -------- d-----w- c:\users\John\AppData\Roaming\uTorrent
    2010-01-18 08:53 . 2010-01-18 08:44 338 ----a-w- c:\users\John\AppData\Roaming\settings.dat
    2010-01-17 13:19 . 2009-09-30 06:44 -------- d-----w- c:\programdata\NOS
    2010-01-16 04:01 . 2009-09-28 20:50 -------- d-----w- c:\program files\uTorrent
    2010-01-14 09:41 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-01-14 09:34 . 2009-10-16 15:03 -------- d-----w- c:\program files\Common Files\Adobe
    2010-01-14 07:39 . 2009-09-28 20:43 -------- d-----w- c:\program files\OfflineList
    2010-01-12 08:15 . 2009-09-29 01:49 -------- d-----w- c:\programdata\NVIDIA
    2010-01-12 08:13 . 2009-10-08 05:45 1356 ----a-w- c:\users\John\AppData\Local\d3d9caps.dat
    2010-01-10 17:29 . 2009-11-16 12:58 1 ----a-w- c:\users\John\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-01-03 14:20 . 2009-10-03 05:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-01-01 05:44 . 2010-01-01 05:37 4327498 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\grompp_1.14_windows_intelx86.exe
    2010-01-01 05:44 . 2010-01-01 05:37 4281156 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\mdrun_s_1.10_windows_intelx86.exe
    2010-01-01 05:42 . 2010-01-01 05:37 5003776 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\cyglapack_1.01_windows_intelx86.dll
    2010-01-01 05:41 . 2010-01-01 05:37 2117632 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\python25_1.04_windows_intelx86.dll
    2010-01-01 05:41 . 2010-01-01 05:37 1872884 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\cygwin1_1.01_windows_intelx86.dll
    2010-01-01 05:40 . 2010-01-01 05:37 455621 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\autodock_1.01_windows_intelx86.exe
    2010-01-01 05:40 . 2010-01-01 05:37 821248 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\graphics_1.01_windows_intelx86.exe
    2010-01-01 05:39 . 2010-01-01 05:37 591360 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\cygblas_1.01_windows_intelx86.dll
    2010-01-01 05:39 . 2010-01-01 05:37 348160 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\MSVCR71_1.01_windows_intelx86.DLL
    2010-01-01 05:39 . 2010-01-01 05:37 476425 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\autogrid_1.01_windows_intelx86.exe
    2010-01-01 05:39 . 2010-01-01 05:37 885760 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\autodock_mgl_beta_1.14_windows_intelx86.exe
    2010-01-01 05:39 . 2010-01-01 05:37 1280000 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\7za_1.01_windows_intelx86.exe
    2010-01-01 05:38 . 2010-01-01 05:37 167936 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\unzip_1.01_windows_intelx86.exe
    2010-01-01 05:37 . 2010-01-01 05:37 135168 ----a-w- c:\programdata\BOINC\projects\boinc.drugdiscoveryathome.com\zip_1.01_windows_intelx86.exe
    2009-12-30 14:39 . 2009-09-28 19:59 55712 ----a-w- c:\users\John\AppData\Local\GDIPFONTCACHEV1.DAT
    2009-12-30 07:35 . 2009-09-28 20:10 319456 ----a-w- c:\windows\DIFxAPI.dll
    2009-12-30 07:35 . 2009-09-28 20:05 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-12-21 04:11 . 2009-10-01 07:30 -------- d-----w- c:\program files\torrentzip
    2009-12-16 00:24 . 2009-12-16 00:21 9969664 ----a-w- c:\programdata\BOINC\projects\ralph.bakerlab.org\minirosetta_2.03_windows_intelx86.exe
    2009-12-13 08:34 . 2009-09-30 17:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2009-12-13 08:33 . 2009-09-30 17:10 38784 ----a-w- c:\users\John\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2009-12-13 08:33 . 2009-09-30 17:10 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2009-12-12 00:20 . 2009-12-12 00:19 2134016 ----a-w- c:\programdata\BOINC\projects\isaac.ssl.berkeley.edu_alpha\python26.dll
    2009-12-12 00:19 . 2009-12-12 00:19 479232 ----a-w- c:\programdata\BOINC\projects\isaac.ssl.berkeley.edu_alpha\msvcm80.dll
    2009-12-12 00:19 . 2009-12-12 00:19 632656 ----a-w- c:\programdata\BOINC\projects\isaac.ssl.berkeley.edu_alpha\msvcr80.dll
    2009-12-12 00:19 . 2009-12-12 00:19 554832 ----a-w- c:\programdata\BOINC\projects\isaac.ssl.berkeley.edu_alpha\msvcp80.dll
    2009-12-12 00:19 . 2009-12-12 00:19 102400 ----a-w- c:\programdata\BOINC\projects\isaac.ssl.berkeley.edu_alpha\pymw_1.07_windows_intelx86.exe
    2009-12-11 07:48 . 2009-12-11 07:48 284646 ----a-r- c:\users\John\AppData\Roaming\Microsoft\Installer\{49714B44-18D3-4904-AFF5-F30CB5538E5E}\BOINCMGRLink_B65C4A4D2B2A46CCA2D918164C6297B8.exe
    2009-12-11 07:48 . 2009-12-11 07:48 284646 ----a-r- c:\users\John\AppData\Roaming\Microsoft\Installer\{49714B44-18D3-4904-AFF5-F30CB5538E5E}\ARPPRODUCTICON.exe
    2009-12-11 07:48 . 2009-09-29 02:03 -------- d-----w- c:\program files\BOINC
    2009-12-11 06:17 . 2009-12-18 06:03 795104 ----a-w- c:\windows\system32\dpinst.exe
    2009-12-11 06:17 . 2009-12-18 06:03 219752 ----a-w- c:\windows\system32\nvcod187.dll
    2009-12-11 00:00 . 2009-12-10 23:59 1833984 ----a-w- c:\programdata\BOINC\projects\boinc.umiacs.umd.edu\garli_5.12_windows_intelx86.exe
    2009-12-10 18:31 . 2009-12-30 07:35 1539104 ----a-w- c:\windows\system32\RtkPgExt.dll
    2009-12-10 18:31 . 2009-12-30 07:35 56864 ----a-w- c:\windows\system32\RtkCoInst.dll
    2009-12-10 18:31 . 2009-12-30 07:35 367136 ----a-w- c:\windows\system32\RtkApoApi.dll
    2009-12-10 18:30 . 2009-12-30 07:35 2796576 ----a-w- c:\windows\system32\RtkAPO.dll
    2009-12-10 16:33 . 2009-12-30 07:35 2975904 ----a-w- c:\windows\system32\drivers\RTKVHDA.sys
    2009-12-09 03:03 . 2009-12-09 03:03 811776 ----a-w- c:\windows\boinc.scr
    2009-12-08 12:53 . 2009-11-21 09:49 -------- d-----w- c:\users\John\AppData\Roaming\ImgBurn
    2009-12-05 06:26 . 2009-12-05 06:24 6707342 ----a-w- c:\programdata\BOINC\projects\registro.ibercivis.es\cuanticables_1.04_windows_intelx86.exe
    2009-12-04 17:26 . 2009-12-30 07:35 297376 ----a-w- c:\windows\system32\FMAPO.dll
    2009-12-04 14:43 . 2009-12-30 07:35 132368 ----a-w- c:\windows\system32\MaxxAudioAPO.dll
    2009-12-03 10:52 . 2009-12-03 10:51 1732096 ----a-w- c:\programdata\BOINC\projects\freehal.net_freehal_at_home\freehalboinc_20091202.205859_windows_intelx86.exe
    2009-12-02 05:45 . 2009-12-02 05:45 466944 ----a-w- c:\programdata\BOINC\projects\pirates.spy-hill.net\hello_6.07_windows_intelx86.exe
    2009-11-27 02:10 . 2009-11-27 02:00 20190183 ----a-w- c:\programdata\BOINC\projects\einstein.phys.uwm.edu\einsteinbinary_ABP1_3.12_windows_intelx86.exe
    2009-11-27 02:10 . 2009-11-27 02:00 19724316 ----a-w- c:\programdata\BOINC\projects\einstein.phys.uwm.edu\einsteinbinary_ABP1_3.12_graphics_windows_intelx86.exe
    2009-11-24 16:40 . 2009-12-30 07:35 838176 ----a-w- c:\windows\RtlExUpd.dll
    2009-11-24 08:55 . 2009-12-30 07:35 345328 ----a-w- c:\windows\system32\SRSTSXT.dll
    2009-11-24 08:55 . 2009-12-30 07:35 185584 ----a-w- c:\windows\system32\SRSTSHD.dll
    2009-11-24 08:55 . 2009-12-30 07:35 173296 ----a-w- c:\windows\system32\SRSHP360.dll
    2009-11-24 08:55 . 2009-12-30 07:35 140528 ----a-w- c:\windows\system32\SRSWOW.dll
    2009-11-23 23:04 . 2009-10-09 13:21 -------- d-----w- c:\program files\Common Files\Motorola Shared
    2009-11-21 09:47 . 2009-11-21 09:47 -------- d-----w- c:\program files\ImgBurn
    2009-11-21 06:40 . 2009-12-12 09:36 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-11-21 06:34 . 2009-12-12 09:36 71680 ----a-w- c:\windows\system32\iesetup.dll
    2009-11-21 06:34 . 2009-12-12 09:36 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2009-11-21 04:59 . 2009-12-12 09:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-11-21 02:34 . 2009-11-27 06:23 76392 ----a-w- c:\windows\system32\OpenCL.dll
    2009-11-21 02:34 . 2009-11-27 06:23 11515752 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
    2009-11-21 02:34 . 2009-11-27 06:23 9333352 ----a-w- c:\windows\system32\nvd3dum.dll
    2009-11-21 02:34 . 2009-11-27 06:23 14064232 ----a-w- c:\windows\system32\nvoglv32.dll
    2009-11-21 02:34 . 2009-11-27 06:23 4001384 ----a-w- c:\windows\system32\nvcuda.dll
    2009-11-21 02:34 . 2009-11-27 06:23 2243176 ----a-w- c:\windows\system32\nvcuvid.dll
    2009-11-21 02:34 . 2009-11-27 06:23 1989224 ----a-w- c:\windows\system32\nvcuvenc.dll
    2009-11-21 02:34 . 2009-11-27 06:23 182888 ----a-w- c:\windows\system32\nvcod.dll
    2009-11-21 02:34 . 2009-11-27 06:23 1249896 ----a-w- c:\windows\system32\nvapi.dll
    2009-11-21 02:34 . 2009-11-27 06:23 11381352 ----a-w- c:\windows\system32\nvcompiler.dll
    2009-11-21 02:34 . 2009-11-20 08:30 182888 ----a-w- c:\windows\system32\nvcod178.dll
    2009-11-21 02:34 . 2009-09-27 20:12 592488 ----a-w- c:\windows\system32\nvudisp.exe
    2009-11-21 01:33 . 2009-11-21 01:33 812648 ----a-w- c:\windows\system32\nvsvc.dll
    2009-11-21 01:33 . 2009-11-21 01:33 12685928 ----a-w- c:\windows\system32\nvcpl.dll
    2009-11-21 01:33 . 2009-11-21 01:33 122984 ----a-w- c:\windows\system32\nvvsvc.exe
    2009-11-21 01:33 . 2009-11-21 01:33 110184 ----a-w- c:\windows\system32\nvmctray.dll
    2009-11-20 02:42 . 2009-09-28 20:03 592488 ----a-w- c:\windows\system32\NVUNINST.EXE
    2009-11-19 06:23 . 2009-11-19 06:23 565248 ----a-w- c:\programdata\BOINC\projects\goldbach.pl\uppercase_5.11_windows_intelx86.exe
    2009-11-18 17:42 . 2009-12-30 07:35 1783056 ----a-w- c:\windows\system32\WavesLib.dll
    2009-11-18 17:42 . 2009-12-30 07:35 311568 ----a-w- c:\windows\system32\MaxxAudioAPO20.dll
    2009-11-18 17:42 . 2009-12-30 07:35 1938704 ----a-w- c:\windows\system32\MaxxAudioEQ.dll
    2009-11-17 17:13 . 2009-12-30 07:35 96160 ----a-w- c:\windows\system32\AERTARen.dll
    2009-11-17 17:10 . 2009-12-30 07:35 146336 ----a-w- c:\windows\system32\AERTACap.dll
    2009-11-15 13:01 . 2009-11-15 13:01 507904 ----a-w- c:\programdata\BOINC\projects\escatter11.fullerton.edu_nfs\lasievef_1.07_windows_intelx86.exe
    2009-11-14 04:24 . 2009-11-14 04:24 1323624 ----a-w- c:\windows\system32\nvsvcr.dll
    2009-11-13 14:16 . 2009-12-30 07:35 73216 ----a-w- c:\windows\system32\RTEEL32A.dll
    2009-11-13 14:16 . 2009-12-30 07:35 59392 ----a-w- c:\windows\system32\RTEEG32A.dll
    2009-11-13 14:16 . 2009-12-30 07:35 348160 ----a-w- c:\windows\system32\RTEEP32A.dll
    2008-06-18 14:38 . 2008-06-18 14:13 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RssReader"="c:\program files\RssReader\RssReader.exe" [2007-02-03 925696]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-06-18 1008184]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-31 2033432]
    "boincmgr"="c:\program files\BOINC\boincmgr.exe" [2009-12-09 4813568]
    "boinctray"="c:\program files\BOINC\boinctray.exe" [2009-12-09 58112]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 0 (0x0)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):40,48,cf,e1,6f,41,ca,01

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3559495990-3592183081-672357354-1000]
    "EnableNotificationsRef"=dword:00000001

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [9/28/2009 9:37 PM 333192]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [9/28/2009 9:37 PM 360584]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10/30/2009 7:04 AM 906520]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/30/2009 7:04 AM 285392]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [10/3/2009 12:42 AM 1153368]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [8/21/2009 7:24 PM 66592]
    R3 PSI;PSI;c:\windows\System32\drivers\psi_mf.sys [6/17/2009 7:20 AM 12648]
    S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\System32\drivers\motfilt.sys [1/29/2009 4:11 PM 6016]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [6/18/2008 9:30 AM 21504]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\System32\drivers\motccgp.sys [6/19/2009 3:59 PM 19712]
    S3 motccgpfl;MotCcgpFlService;c:\windows\System32\drivers\motccgpfl.sys [1/29/2009 4:18 PM 8320]
    S3 MotDev;Motorola Inc. USB Device;c:\windows\System32\drivers\motodrv.sys [5/8/2009 10:56 AM 42752]
    S3 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [10/9/2009 8:22 AM 91392]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    Trusted Zone: intuit.com\ttlc
    FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\exeng1ud.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\users\John\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-20 00:06
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-01-20 00:10:09
    ComboFix-quarantined-files.txt 2010-01-20 05:10

    Pre-Run: 271,124,254,720 bytes free
    Post-Run: 271,091,662,848 bytes free

    - - End Of File - - D31EE95CBA09744F7C0DA8965F104AB5

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:18:11 AM, on 1/20/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18865)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\AVG\AVG9\avgtray.exe
    C:\Program Files\BOINC\boincmgr.exe
    C:\Program Files\BOINC\boinctray.exe
    C:\Program Files\RssReader\RssReader.exe
    C:\Program Files\Secunia\PSI\psi.exe
    C:\Program Files\BOINC\boinc.exe
    C:\Program Files\Microsoft Money 2007\MNYCoreFiles\mnybbsvc.exe
    C:\Windows\explorer.exe
    C:\Users\John\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [boincmgr] "C:\Program Files\BOINC\boincmgr.exe" /a /s
    O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe"
    O4 - HKCU\..\Run: [RssReader] C:\Program Files\RssReader\RssReader.exe
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: MotoConnect Service - Unknown owner - C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

    --
    End of file - 4165 bytes
     
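Worked example, added by the editor and not part of this thread or of any of the tools named in it (DDS, ComboFix, HijackThis, GooredFix): a small Python triage script that runs over lines copied from the ComboFix output posted above and surfaces the three items a helper would normally ask about first. The posted log shows every UAC policy value under policies\system set to 0 (EnableLUA=0 means UAC is switched off entirely, so an admin session has no filtered token), a system+hidden directory literally named %APPDATA% under c:\windows\system32 (an unexpanded environment variable as a folder name), and Firefox's browser.search.defaulturl pointing at search.conduit.com even though the selected engine is Google. The sample lines are constructed from the log and embedded so the script runs offline; the allowlist of expected search hosts, the regular expressions, and the finding names are the editor's assumptions, not anything the tools define. None of the checks proves an infection on its own; they only say where to look first.

```python
"""Triage a ComboFix/DDS log excerpt for settings a malware helper asks about first.

Added example for this page; not code from the thread or from ComboFix/DDS.
"""
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the ComboFix output posted in the thread,
# embedded here so the script runs offline.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
2010-01-12 02:55 . 2010-01-12 02:55 -------- d-sh--w- c:\windows\system32\%APPDATA%
2010-01-19 10:29 . 2010-01-19 10:29 -------- d-----w- c:\programdata\RegAce
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
"""

# Documented Windows semantics for the two policy values that matter most here.
UAC_CHECKS = {
    "EnableLUA": (0, "UAC is disabled (EnableLUA=0); an admin session has no filtered token"),
    "ConsentPromptBehaviorAdmin": (0, "admins elevate without any prompt (ConsentPromptBehaviorAdmin=0)"),
}

# Search hosts the helper would consider expected. Assumption for this example.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "google.com", "search.yahoo.com", "www.bing.com"}

# The name pattern tolerates the stray space some forum renderers insert before the closing quote.
POLICY_RE = re.compile(r'^"(?P<name>[A-Za-z]+)\s*"\s*=\s*(?P<value>\d+)')
# ComboFix file line: created . modified size attrs path
FILE_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} \S+ (?P<attrs>[a-z-]{8}) (?P<path>.+)$'
)
FF_PREF_RE = re.compile(r'^FF - prefs\.js: (?P<pref>\S+) - (?P<value>\S+)$')


def check_uac_policy(lines):
    """Report UAC policy values that match a weakening setting."""
    findings = []
    for line in lines:
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        name, value = m.group("name"), int(m.group("value"))
        if name in UAC_CHECKS and value == UAC_CHECKS[name][0]:
            findings.append(("uac", UAC_CHECKS[name][1]))
    return findings


def check_hidden_system_dirs(lines):
    """Report directories carrying both the system and hidden attributes."""
    findings = []
    for line in lines:
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        attrs, path = m.group("attrs"), m.group("path")
        # Attribute field: 'd' directory, 's' system, 'h' hidden, 'a' archive, 'w' writable.
        if not attrs.startswith("d") or "s" not in attrs or "h" not in attrs:
            continue
        why = "directory marked system+hidden"
        if "%" in path.rsplit("\\", 1)[-1]:
            why += "; name is a literal, unexpanded environment variable"
        findings.append(("hidden_dir", f"{path}: {why}"))
    return findings


def check_firefox_search(lines):
    """Report browser.search.* URLs whose host is outside the expected list."""
    findings = []
    for line in lines:
        m = FF_PREF_RE.match(line.strip())
        if not m:
            continue
        pref, value = m.group("pref"), m.group("value")
        if not pref.startswith("browser.search.") or "://" not in value:
            continue
        # DDS defangs URLs as hxxp; restore the scheme so urlparse sees a host.
        host = urlparse(value.replace("hxxp", "http", 1)).hostname or ""
        if host not in EXPECTED_SEARCH_HOSTS:
            findings.append(("search_pref", f"{pref} points at {host}, outside the expected search hosts"))
    return findings


def triage(log_text):
    """Run every check over a log and return (kind, detail) findings in log order per check."""
    lines = log_text.splitlines()
    return check_uac_policy(lines) + check_hidden_system_dirs(lines) + check_firefox_search(lines)


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```

Run it as-is to print the findings for the embedded sample, or pass a whole ComboFix log to triage(). The attribute test deliberately looks for the letters rather than fixed positions, so it also copes with files such as the `--sha-w-` NTUSER.DAT entry later in the same log without flagging them (they are not directories).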
  11. 2010/01/20
    crunchie

    Is the MarketResearch something that you installed?

    How is the PC now?
     
  12. 2010/01/20
    jsmedina

    I don't remember ever installing something called MarketResearch.

    As for the PC, the pop-ups and redirects are still happening.
     
  13. 2010/01/20
    crunchie

    Please download GooredFix from one of the locations below and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
    • Ensure all Firefox windows are closed.
    • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista/7).
    • When prompted to run the scan, click Yes.
    • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
     
  14. 2010/01/20
    jsmedina

    Here's the GooredFix log:

    GooredFix by jpshortstuff (08.01.10.1)
    Log created at 05:49 on 20/01/2010 (John)
    Firefox version 3.5.7 (en-US)

    ========== GooredScan ==========


    ========== GooredLog ==========

    C:\Program Files\Mozilla Firefox\extensions\
    {972ce4c6-7e08-4474-a285-3208198ce6fd} [22:49 28/09/2009]
    {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [21:35 08/11/2009]

    C:\Users\John\Application Data\Mozilla\Firefox\Profiles\exeng1ud.default\extensions\
    {20a82645-c095-46ed-80e3-08825760534b} [01:12 30/09/2009]

    [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
    "{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [00:17 29/09/2009]
    "{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG9\Firefox" [12:04 30/10/2009]

    -=E.O.F=-
     
  15. 2010/01/20
    crunchie

    If you never installed MarketResearch, I suggest you uninstall it.

    ==

    Download gmer.zip: http://www.gmer.net/files.php
    Unzip the file, double-click gmer.exe, select the Rootkit tab and click the Scan button.
    When the scan is completed, click the Save button and save the results as gmer.log.
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.
     
  16. 2010/01/20
    jsmedina

    I tried to uninstall MarketResearch but there are no files associated with it. I checked in the registry and there are entries pointing to files that are no longer there.

    Here's my gmer log:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-01-20 10:16:14
    Windows 6.0.6002 Service Pack 2
    Running: gmer.exe; Driver: C:\Users\John\AppData\Local\Temp\kxldypog.sys


    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\svchost.exe[804] ole32.dll!CoCreateInstance 77259EA6 5 Bytes JMP 0087000A

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74727817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7477A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7472BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7471F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [747275E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7471E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74758395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7472DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7471FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7471FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [747171CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [747ACAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7474C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7471D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74716853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7471687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74722AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- Files - GMER 1.0.15 ----

    File C:\ProgramData\BOINC\projects\server1.almeregrid.nl_testgrid\correlizer_5.12_windows_intelx86.exe 148614 bytes executable
    File C:\ProgramData\BOINC\projects\server1.almeregrid.nl_testgrid\job_1.12.xml 290 bytes
    File C:\ProgramData\BOINC\projects\server1.almeregrid.nl_testgrid\wrapper_5.12_windows_intelx86.exe 921600 bytes

    ---- EOF - GMER 1.0.15 ----
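The GMER log above contains exactly one user-mode inline patch: in svchost.exe PID 804, the first 5 bytes of ole32.dll!CoCreateInstance have been replaced by a JMP to 0087000A, and GMER prints no module path after that target, whereas every IAT entry it lists for Explorer.EXE resolves to the Microsoft-described gdiplus.dll in WinSxS. The script below is an added example, not GMER's code and not something posted in this thread; it parses those three line shapes (".text", "IAT", "File") and ranks them with one heuristic that is this example's own assumption: GMER appends the backing module path when it can map a jump target to a loaded module, so a JMP or CALL with no module after it points into unbacked memory and goes to the top of the pile. The ntdll.dll!LdrLoadDll line and its "Example Ltd" module in the sample are constructed to exercise the module-backed branch; they are not from the posted log.

```python
"""Triage the user-mode sections of a GMER 1.0.15 log.

Added example, not GMER code. Heuristic (an assumption of this example):
an inline JMP/CALL whose target GMER could not map to any loaded module is
code running from unbacked memory and is ranked "high".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Inline patch in a process's code section, e.g.
#   .text C:\...\svchost.exe[804] ole32.dll!CoCreateInstance 77259EA6 5 Bytes JMP 0087000A
# When the target lies inside a loaded module GMER appends
# "C:\path\module.dll (Description/Company)"; nothing is appended otherwise.
INLINE_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+(?P<instr>[A-Z]+)"
    r"(?:\s+(?P<target>[0-9A-Fa-f]+))?(?:\s+(?P<backing>[A-Za-z]:\\\S.*?))?"
    r"(?:\s+\((?P<desc>[^)]*)\))?\s*$"
)
# Import-table entry redirected to another module.
IAT_RE = re.compile(
    r"^IAT\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<image>.+?)\s+"
    r"\[(?P<module>[^!\]]+)!(?P<func>[^\]]+)\]\s+\[(?P<target>[0-9A-Fa-f]+)\]\s+"
    r"(?P<backing>.+?)(?:\s+\((?P<desc>[^)]*)\))?\s*$"
)
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+)\s+bytes(?:\s+(?P<flag>\w+))?\s*$")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    process: str    # empty for File lines
    pid: int        # 0 for File lines
    hooked: str     # "module!function", or the file path for File lines
    reason: str


def _microsoft_backed(desc: Optional[str]) -> bool:
    # GMER prints the PE version-info description/company of the backing
    # module. That string is unsigned metadata and can be forged, so it only
    # lowers triage priority; it is not a signature check.
    return bool(desc) and "microsoft corporation" in desc.lower()


def triage_line(line: str) -> Optional[Finding]:
    """Classify one GMER log line; returns None for headers and blanks."""
    m = INLINE_RE.match(line)
    if m:
        hooked = f"{m['module']}!{m['func']}"
        proc, pid = m["process"], int(m["pid"])
        if m["instr"] in ("JMP", "CALL") and not m["backing"]:
            return Finding("high", proc, pid, hooked,
                           f"{m['nbytes']}-byte {m['instr']} to {m['target']}, "
                           "an address GMER could not map to any loaded module")
        if not _microsoft_backed(m["desc"]):
            return Finding("medium", proc, pid, hooked,
                           f"patched by a module not described as Microsoft: {m['backing']}")
        return Finding("info", proc, pid, hooked, "patched by a Microsoft-described module")
    m = IAT_RE.match(line)
    if m:
        hooked = f"{m['module']}!{m['func']}"
        sev = "info" if _microsoft_backed(m["desc"]) else "medium"
        return Finding(sev, m["process"], int(m["pid"]), hooked,
                       f"import resolves to {m['backing']}")
    m = FILE_RE.match(line)
    if m:
        flag = f", {m['flag']}" if m["flag"] else ""
        return Finding("info", "", 0, m["path"], f"file listed by GMER ({m['size']} bytes{flag})")
    return None


def triage_log(text: str) -> List[Finding]:
    return [f for f in (triage_line(l.strip()) for l in text.splitlines()) if f]


def high_findings(text: str) -> List[Finding]:
    return [f for f in triage_log(text) if f.severity == "high"]


# Constructed sample. The svchost, IAT and File lines are copied from the
# log posted above; the Explorer.EXE ntdll line and its "Example Ltd"
# module are invented to exercise the module-backed branch.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[804] ole32.dll!CoCreateInstance 77259EA6 5 Bytes JMP 0087000A
.text C:\Windows\Explorer.EXE[1820] ntdll.dll!LdrLoadDll 77F0ABCD 5 Bytes JMP 10001234 C:\Program Files\Example\hook.dll (Example Hook/Example Ltd)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1820] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74727817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\ProgramData\BOINC\projects\server1.almeregrid.nl_testgrid\job_1.12.xml 290 bytes
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] pid={f.pid} {f.hooked}: {f.reason}")
```

To use it on a real log, read the saved gmer.log into a string and call high_findings() on it; anything it returns is a process whose code has been redirected into memory that no module accounts for and deserves to be dumped and examined before cleanup. The "medium"/"info" split rests on GMER's printed description strings, which come from unsigned version-info resources, so treat it as ordering for a human reviewer, not as a verdict.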
     
  17. 2010/01/20
    crunchie

    Go here and download then run Silent Runners.vbs. Right-click on the download link and select Save Target As. Save it to the desktop or to a folder in a permanent directory. It generates a log, which will be created in the same folder you are running it from. Please post the information back in this thread.
    If you have a script blocking program, please allow the file to run. It is not malicious.
     
  18. 2010/01/21
    jsmedina

    Here's my Silent Runners log:

    "Silent Runners.vbs ", revision 60, http://www.silentrunners.org/
    Operating System: Windows Vista SP2
    Output limited to non-default values, except where indicated by "{++} "


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "RssReader" = "C:\Program Files\RssReader\RssReader.exe" [null data]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide "
    "AVG9_TRAY" = "C:\PROGRA~1\AVG\AVG9\avgtray.exe" [ "AVG Technologies CZ, s.r.o."]
    "boincmgr" = " "C:\Program Files\BOINC\boincmgr.exe" /a /s" [ "Space Sciences Laboratory"]
    "boinctray" = " "C:\Program Files\BOINC\boinctray.exe" " [ "Space Sciences Laboratory"]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

    {18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = "AcroIEHelperStub "
    -> {HKLM...CLSID} = "Adobe PDF Link Helper "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" [ "Adobe Systems Incorporated"]

    {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\(Default) = "WormRadar.com IESiteBlocker.NavFilter "
    -> {HKLM...CLSID} = "AVG Safe Search "
    \InProcServer32\(Default) = "C:\Program Files\AVG\AVG9\avgssie.dll" [ "AVG Technologies CZ, s.r.o."]

    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Spybot-S&D IE Protection "
    \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" [ "Safer Networking Limited"]

    {6EBF7485-159F-4bff-A14F-B9E3AAC4465B}\(Default) = "Search Helper "
    -> {HKLM...CLSID} = "Search Helper "
    \InProcServer32\(Default) = "C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll" [MS]

    {9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Windows Live Sign-in Helper "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

    {DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Java(tm) Plug-In 2 SSV Helper "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\jp2ssv.dll" [ "Sun Microsystems, Inc."]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

    "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class "
    -> {HKLM...CLSID} = "DesktopContext Class "
    \InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" [ "NVIDIA Corporation"]

    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG Shell Extension "
    -> {HKLM...CLSID} = "AVG Shell Extension Class "
    \InProcServer32\(Default) = "C:\Program Files\AVG\AVG9\avgse.dll" [ "AVG Technologies CZ, s.r.o."]

    "{3D1975AF-48C6-4f8e-A182-BE0E08FA86A9}" = "NVIDIA Play On My TV Context Menu Extension "
    -> {HKLM...CLSID} = "NVIDIA CPL Context Menu Extension "
    \InProcServer32\(Default) = "C:\Windows\system32\nvshext.dll" [ "NVIDIA Corporation"]

    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [ "Alexander Roshal"]

    "{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension "
    -> {HKLM...CLSID} = "7-Zip Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" [ "Igor Pavlov"]

    "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = " "C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll" " [ "Sun Microsystems, Inc."]

    "{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = " "C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll" " [ "Sun Microsystems, Inc."]

    "{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = " "C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll" " [ "Sun Microsystems, Inc."]

    "{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = " "C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll" " [ "Sun Microsystems, Inc."]

    "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper "
    -> {HKLM...CLSID} = "NVIDIA CPL Extension "
    \InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" [ "NVIDIA Corporation"]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

    <<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
    -> {HKLM...CLSID} = "SABShellExecuteHook Class "
    \InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [ "SuperAdBlocker.com"]

    HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\

    <<!>> linkscanner\CLSID = "{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} "
    -> {HKLM...CLSID} = "XPLPPFilter Class "
    \InProcServer32\(Default) = "C:\Program Files\AVG\AVG9\avgpp.dll" [ "AVG Technologies CZ, s.r.o."]

    HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

    7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000} "
    -> {HKLM...CLSID} = "7-Zip Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" [ "Igor Pavlov"]

    AVG9 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} "
    -> {HKLM...CLSID} = "AVG Shell Extension Class "
    \InProcServer32\(Default) = "C:\Program Files\AVG\AVG9\avgse.dll" [ "AVG Technologies CZ, s.r.o."]

    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [ "Alexander Roshal"]

    {CA8ACAFA-5FBB-467B-B348-90DD488DE003}\(Default) = "SUPERAntiSpyware Context Menu "
    -> {HKLM...CLSID} = "SASContextMenu Class "
    \InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL" [ "SUPERAntiSpyware.com"]

    HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

    MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3} "
    -> {HKLM...CLSID} = "MBAMShlExt Class "
    \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" [ "Malwarebytes Corporation"]

    HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

    7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000} "
    -> {HKLM...CLSID} = "7-Zip Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" [ "Igor Pavlov"]

    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [ "Alexander Roshal"]

    {CA8ACAFA-5FBB-467B-B348-90DD488DE003}\(Default) = "SUPERAntiSpyware Context Menu "
    -> {HKLM...CLSID} = "SASContextMenu Class "
    \InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL" [ "SUPERAntiSpyware.com"]

    HKLM\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\

    7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000} "
    -> {HKLM...CLSID} = "7-Zip Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" [ "Igor Pavlov"]

    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [ "Alexander Roshal"]

    HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\

    NvCplDesktopContext\(Default) = "{3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} "
    -> {HKLM...CLSID} = "NVIDIA CPL Context Menu Extension "
    \InProcServer32\(Default) = "C:\Windows\system32\nvshext.dll" [ "NVIDIA Corporation"]

    HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

    {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = " "C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll" " [ "Sun Microsystems, Inc."]

    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info "
    -> {HKLM...CLSID} = "PDF Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" [ "Adobe Systems, Inc."]

    HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

    AVG9 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} "
    -> {HKLM...CLSID} = "AVG Shell Extension Class "
    \InProcServer32\(Default) = "C:\Program Files\AVG\AVG9\avgse.dll" [ "AVG Technologies CZ, s.r.o."]

    MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3} "
    -> {HKLM...CLSID} = "MBAMShlExt Class "
    \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" [ "Malwarebytes Corporation"]

    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [ "Alexander Roshal"]

    HKLM\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\

    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [ "Alexander Roshal"]


    Default executables:
    --------------------

    <<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile "


    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoDrives" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoDrives" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}

    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\

    "DEPOff" = (REG_DWORD) dword:0x00000001
    {unrecognized setting}

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

    "ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000000
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}

    "ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000000
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    User Account Control: Behavior Of The Elevation Prompt For Standard Users}

    "EnableLUA" = (REG_DWORD) dword:0x00000000
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    User Account Control: Run All Administrators In Admin Approval Mode}

    "DisableRegistryTools" = (REG_DWORD) dword:0x00000000
    {unrecognized setting}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\Windows\web\Wallpaper\img22.jpg "

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Windows\web\Wallpaper\img22.jpg "


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\Windows\boinc.scr" [ "Space Sciences Laboratory"]


    Windows Portable Device AutoPlay Handlers
    -----------------------------------------

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

    HPGGPhotoEventHandler\
    "Provider" = "HP Photosmart Essential "
    "InvokeProgID" = "HP.acquireautoplayG "
    "InvokeVerb" = "open "
    HKLM\SOFTWARE\Classes\HP.acquireautoplayG\shell\open\DropTarget\CLSID = "{F3A39B00-BE67-4d7d-BED7-53E9C510EC5B} "
    -> {HKLM...CLSID} = "HP AcquireAutoPlay2 Class "
    \InProcServer32\(Default) = "C:\Program Files\HP\Photosmart Essential\AcquireAutoPlay.dll" [empty string]

    ImgBurnBluRayBurningOnArrival_BuildImage\
    "Provider" = "ImgBurn "
    "InvokeProgID" = "ImgBurn.AutoPlay.1 "
    "InvokeVerb" = "HandleBluRayBurningOnArrival_BuildImage "
    HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleBluRayBurningOnArrival_BuildImage\command\(Default) = " "C:\Program Files\ImgBurn\ImgBurn.exe" /MODE BUILD /OUTPUTMODE DEVICE /DEST "%1" " [ "LIGHTNING UK!"]

    ImgBurnBluRayBurningOnArrival_BurnImage\
    "Provider" = "ImgBurn "
    "InvokeProgID" = "ImgBurn.AutoPlay.1 "
    "InvokeVerb" = "HandleBluRayBurningOnArrival_BurnImage "
    HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleBluRayBurningOnArrival_BurnImage\command\(Default) = " "C:\Program Files\ImgBurn\ImgBurn.exe" /MODE WRITE /DEST "%1" " [ "LIGHTNING UK!"]

    ImgBurnCDBurningOnArrival_BuildImage\
    "Provider" = "ImgBurn "
    "InvokeProgID" = "ImgBurn.AutoPlay.1 "
    "InvokeVerb" = "HandleCDBurningOnArrival_BuildImage "
    HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleCDBurningOnArrival_BuildImage\command\(Default) = " "C:\Program Files\ImgBurn\ImgBurn.exe" /MODE BUILD /OUTPUTMODE DEVICE /DEST "%1" " [ "LIGHTNING UK!"]

    ImgBurnCDBurningOnArrival_BurnImage\
    "Provider" = "ImgBurn "
    "InvokeProgID" = "ImgBurn.AutoPlay.1 "
    "InvokeVerb" = "HandleCDBurningOnArrival_BurnImage "
    HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleCDBurningOnArrival_BurnImage\command\(Default) = " "C:\Program Files\ImgBurn\ImgBurn.exe" /MODE WRITE /DEST "%1" " [ "LIGHTNING UK!"]

    ImgBurnDVDBurningOnArrival_BuildImage\
    "Provider" = "ImgBurn "
    "InvokeProgID" = "ImgBurn.AutoPlay.1 "
    "InvokeVerb" = "HandleDVDBurningOnArrival_BuildImage "
    HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleDVDBurningOnArrival_BuildImage\command\(Default) = " "C:\Program Files\ImgBurn\ImgBurn.exe" /MODE BUILD /OUTPUTMODE DEVICE /DEST "%1" " [ "LIGHTNING UK!"]

    ImgBurnDVDBurningOnArrival_BurnImage\
    "Provider" = "ImgBurn "
    "InvokeProgID" = "ImgBurn.AutoPlay.1 "
    "InvokeVerb" = "HandleDVDBurningOnArrival_BurnImage "
    HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleDVDBurningOnArrival_BurnImage\command\(Default) = " "C:\Program Files\ImgBurn\ImgBurn.exe" /MODE WRITE /DEST "%1" " [ "LIGHTNING UK!"]

    ImgBurnHDDVDBurningOnArrival_BuildImage\
    "Provider" = "ImgBurn "
    "InvokeProgID" = "ImgBurn.AutoPlay.1 "
    "InvokeVerb" = "HandleHDDVDBurningOnArrival_BuildImage "
    HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleHDDVDBurningOnArrival_BuildImage\command\(Default) = " "C:\Program Files\ImgBurn\ImgBurn.exe" /MODE BUILD /OUTPUTMODE DEVICE /DEST "%1" " [ "LIGHTNING UK!"]

    ImgBurnHDDVDBurningOnArrival_BurnImage\
    "Provider" = "ImgBurn "
    "InvokeProgID" = "ImgBurn.AutoPlay.1 "
    "InvokeVerb" = "HandleHDDVDBurningOnArrival_BurnImage "
    HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleHDDVDBurningOnArrival_BurnImage\command\(Default) = " "C:\Program Files\ImgBurn\ImgBurn.exe" /MODE WRITE /DEST "%1" " [ "LIGHTNING UK!"]

    ImgBurnPlayBluRayOnArrival_ReadDisc\
    "Provider" = "ImgBurn "
    "InvokeProgID" = "ImgBurn.AutoPlay.1 "
    "InvokeVerb" = "PlayBluRayOnArrival_ReadDisc "
    HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayBluRayOnArrival_ReadDisc\command\(Default) = " "C:\Program Files\ImgBurn\ImgBurn.exe" /MODE READ /SRC "%1" " [ "LIGHTNING UK!"]

    ImgBurnPlayCDAudioOnArrival_ReadDisc\
    "Provider" = "ImgBurn "
    "InvokeProgID" = "ImgBurn.AutoPlay.1 "
    "InvokeVerb" = "PlayCDAudioOnArrival_ReadDisc "
    HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayCDAudioOnArrival_ReadDisc\command\(Default) = " "C:\Program Files\ImgBurn\ImgBurn.exe" /MODE READ /SRC "%1" " [ "LIGHTNING UK!"]

    ImgBurnPlayDVDMovieOnArrival_ReadDisc\
    "Provider" = "ImgBurn "
    "InvokeProgID" = "ImgBurn.AutoPlay.1 "
    "InvokeVerb" = "PlayDVDMovieOnArrival_ReadDisc "
    HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayDVDMovieOnArrival_ReadDisc\command\(Default) = " "C:\Program Files\ImgBurn\ImgBurn.exe" /MODE READ /SRC "%1" " [ "LIGHTNING UK!"]

    ImgBurnPlayHDDVDOnArrival_ReadDisc\
    "Provider" = "ImgBurn "
    "InvokeProgID" = "ImgBurn.AutoPlay.1 "
    "InvokeVerb" = "PlayHDDVDOnArrival_ReadDisc "
    HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayHDDVDOnArrival_ReadDisc\command\(Default) = " "C:\Program Files\ImgBurn\ImgBurn.exe" /MODE READ /SRC "%1" " [ "LIGHTNING UK!"]

    VLCPlayCDAudioOnArrival\
    "Provider" = "VideoLAN VLC media player "
    "InvokeProgID" = "VLC.CDAudio "
    "InvokeVerb" = "play "
    HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = " "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file cdda://%1" [ "the VideoLAN Team"]

    VLCPlayDVDMovieOnArrival\
    "Provider" = "VideoLAN VLC media player "
    "InvokeProgID" = "VLC.DVDMovie "
    "InvokeVerb" = "play "
    HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = " "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file dvd://%1" [ "the VideoLAN Team"]


    Windows Sidebar Gadgets:
    ------------------------

    C:\Users\John\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
    %PROGRAMFILES%\windows sidebar\gadgets\Clock.gadget
    %PROGRAMFILES%\windows sidebar\gadgets\SlideShow.Gadget
    %PROGRAMFILES%\windows sidebar\gadgets\RSSFeeds.Gadget


    Non-disabled Scheduled Tasks:
    -----------------------------

    C:\Windows\System32\Tasks
    "Secunia PSI Logon Task" -> launches: "C:\Program Files\Secunia\PSI\psi.exe --start-in-tray" [ "Secunia"]

    C:\Windows\System32\Tasks\Apple
    "AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" [ "Apple Inc."]

    C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client
    "AD RMS Rights Policy Template Management (Manual)" -> launches: "{BF5CB148-7C77-4d8a-A53E-D81C70CF743C} "
    -> {HKLM...CLSID} = "AD RMS Rights Policy Template Management (Manual) Task Handler "
    \InProcServer32\(Default) = "C:\Windows\system32\msdrm.dll" [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth
    "UninstallDeviceTask" -> launches: "BthUdTask.exe $(Arg0)" [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
    "SystemTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060} "
    -> {HKLM...CLSID} = "Certificate Services Client Task Handler "
    \InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
    "UserTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060} "
    -> {HKLM...CLSID} = "Certificate Services Client Task Handler "
    \InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
    "UserTask-Roam" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060} "
    -> {HKLM...CLSID} = "Certificate Services Client Task Handler "
    \InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program
    "Consolidator" -> launches: "%SystemRoot%\System32\wsqmcons.exe" [MS]
    "OptinNotification" -> launches: "%SystemRoot%\System32\wsqmcons.exe -n 0x1C577FA2B69CAD0" [MS]
    "Uploader" -> launches: "%windir%\system32\WSqmCons.exe -u" [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Defrag
    "ScheduledDefrag" -> launches: "%windir%\system32\defrag.exe -c -i" [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\DiskDiagnostic
    "Microsoft-Windows-DiskDiagnosticDataCollector" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART" [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC
    "HotStart" -> launches: "{06DA0625-9701-43da-BFD7-FBEEA2180A1E} "
    -> {HKLM...CLSID} = "HotStart User Agent "
    \InProcServer32\(Default) = "C:\Windows\System32\HotStartUserAgent.dll" [MS]
    "TMM" -> launches: "{35EF4182-F900-4632-B072-8639E4478A61} "
    -> {HKLM...CLSID} = "Transient Multi-Monitor Manager "
    \InProcServer32\(Default) = "C:\Windows\System32\TMM.dll" [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\MUI
    "LPRemove" -> launches: "%windir%\system32\lpremove.exe" [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia
    "SystemSoundsService" -> launches: "{2DEA658F-54C1-4227-AF9B-260AB5FC3543} "
    -> {HKLM...CLSID} = "Microsoft PlaySoundService Class "
    \InProcServer32\(Default) = "C:\Windows\System32\PlaySndSrv.dll" [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\NetworkAccessProtection
    "NAPStatus UI" -> launches: "{f09878a1-4652-4292-aa63-8c7d4fd7648f} "
    -> {HKLM...CLSID} = "Nap ITask Handler Implementation "
    \InProcServer32\(Default) = "C:\Windows\System32\QAgent.dll" [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System
    "ConvertLogEntries" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe %windir%\system32\pla.dll,PlaConvertLogEntries" [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\RAC
    "RACAgent" -> (HIDDEN!) launches: "%windir%\system32\RacAgent.exe" [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance
    "RemoteAssistanceTask" -> (HIDDEN!) launches: "%windir%\system32\RAServer.exe /offerraupdate" [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Shell
    "CrawlStartPages" -> launches: "{51653423-e62d-4ff7-894a-dabb2b8e21e2} "
    -> {HKLM...CLSID} = "CrawlStartPages Task Handler "
    \InProcServer32\(Default) = "C:\Windows\System32\srchadmin.dll" [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore
    "SR" -> launches: "%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation" [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip
    "IpAddressConflict1" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem" [MS]
    "IpAddressConflict2" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem" [MS]
    "WSHReset" -> (HIDDEN!) launches: "%systemroot%\system32\netsh.exe interface tcp set heuristic wsh=default" [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework
    "MsCtfMonitor" -> (HIDDEN!) launches: "{01575cfe-9a55-4003-a5e1-f38d1ebdcbe1} "
    -> {HKLM...CLSID} = "MsCtfMonitor task handler "
    \InProcServer32\(Default) = "C:\Windows\system32\MsCtfMonitor.dll" [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\UPnP
    "UPnPHostConfig" -> launches: "sc.exe config upnphost start= auto" [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\WDI
    "ResolutionHost" -> (HIDDEN!) launches: "{900be39d-6be8-461a-bc4d-b0fa71f5ecb1} "
    -> {HKLM...CLSID} = "DiagnosticInfrastructureCustomHandler "
    \InProcServer32\(Default) = "C:\Windows\System32\wdi.dll" [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting
    "QueueReporting" -> launches: "%windir%\system32\wermgr.exe -queuereporting" [MS]

    C:\Windows\System32\Tasks\Microsoft\Windows\Wired
    "GatherWiredInfo" -> launches: "%windir%\system32\gatherWiredInfo.vbs" [null data]

    C:\Windows\System32\Tasks\Microsoft\Windows\Wireless
    "GatherWirelessInfo" -> launches: "%windir%\system32\gatherWirelessInfo.vbs" [null data]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
    000000000004\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
    000000000005\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000006\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

    Transport Service Providers

    HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 18


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    {219C3416-8CB2-491A-A3C7-D9FCDDC9D600}\
    "ButtonText" = "Blog This "
    "MenuText" = "&Blog This in Windows Live Writer "
    "CLSIDExtension" = "{5F7B1267-94A9-47F5-98DB-E99415F33AEC} "
    -> {HKLM...CLSID} = "BlogThisToolbarButton Class "
    \InProcServer32\(Default) = "C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll" [MS]

    {DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
    "MenuText" = "Spybot - Search & Destroy Configuration "
    "CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F} "
    -> {HKLM...CLSID} = "Spybot-S&D IE Protection "
    \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" [ "Safer Networking Limited"]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    AVG Free E-mail Scanner, avg9emc, " "C:\Program Files\AVG\AVG9\avgemc.exe" " [ "AVG Technologies CZ, s.r.o."]
    AVG Free WatchDog, avg9wd, " "C:\Program Files\AVG\AVG9\avgwdsvc.exe" " [ "AVG Technologies CZ, s.r.o."]
    Computer Browser, Browser, "C:\Windows\system32\svchost.exe -k netsvcs" { "C:\Windows\System32\browser.dll" [MS]}
    Net Driver HPZ12, Net Driver HPZ12, "C:\Windows\System32\svchost.exe -k HPZ12" { "C:\Windows\system32\HPZinw12.dll" [ "Hewlett-Packard"]}
    Pml Driver HPZ12, Pml Driver HPZ12, "C:\Windows\System32\svchost.exe -k HPZ12" { "C:\Windows\system32\HPZipm12.dll" [ "Hewlett-Packard"]}
    SBSD Security Center Service, SBSDWSCService, "C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe" [ "Safer Networking Ltd."]
    Windows Driver Foundation - User-mode Driver Framework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" { "C:\Windows\System32\WUDFSvc.dll" [MS]}
    Windows Image Acquisition (WIA), stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" { "C:\Windows\System32\wiaservc.dll" [MS]}


    Print Monitors:
    ---------------

    HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
    EPL Language Monitor\Driver = "zsdepl.dcl" [ "Number Five Software"]
    PCL hpz3l4v2\Driver = "hpz3l4v2.dll" [ "Hewlett-Packard Company"]


    ---------- (launch time: 2010-01-21 01:07:53)
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 43 seconds, including 10 seconds for message boxes)
     
  19. 2010/01/21
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    Curiouser and curiouser. Nothing bad there that I can see.

    Download and Run ATF Cleaner
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.

    ==

    Download Delete Domains from here and run it. It will delete all entries from the trusted and restricted zone.

    ==

    Please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

    Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

    Click Yes, when prompted to install its ActiveX component.
    (Note: for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    The program launches and downloads the latest definition files.
    • Once the files are downloaded click on Next
    • Click on Scan Settings and configure as follows:
      • Scan using the following Anti-Virus database:
        • Extended
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK and, under select a target to scan, select My Computer
    When the scan is done, in the Scan is completed window (below), any infection is displayed.
    There is no option to clean/disinfect, however, we need to analyze the information on the report.
    To obtain the report:
    Click on: Save Report As (above - red blinking arrow)
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar
    In Save as type, click the drop arrow and select: Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.
     
  20. 2010/01/21
    jsmedina

    jsmedina Inactive Thread Starter

    Joined:
    2006/12/29
    Messages:
    31
    Likes Received:
    0
    I did the first two steps with no problems, but I cannot complete the Kaspersky Online Scan because my system keeps on rebooting before it can finish. These are the errors it gives me:

    The process C:\Windows\system32\services.exe (JOHN-PC) has initiated the restart of computer JOHN-PC on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
    Reason Code: 0x30006
    Shutdown Type: restart
    Comment: Windows must now restart because the DCOM Server Process Launcher service terminated unexpectedly

    The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

    The Plug and Play service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.


    Are these errors part of this same virus?
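    A defender-side triage script, added here and not part of the thread, that reads the two kinds of events quoted above from the System event log and pairs each forced restart with the service crash that scheduled it. It assumes PowerShell 2.0 or later on the affected machine, and that the events carry their standard IDs (7031 for the Service Control Manager "terminated unexpectedly, corrective action in N milliseconds" message, 1074 for the User32 "process has initiated the restart" message), which the thread itself does not state.

```powershell
# Added example, not from the thread: confirm the "service terminated -> reboot"
# chain from the System event log instead of from the pop-up text.
# Assumes PowerShell 2.0+ (Get-WinEvent). Event IDs assumed:
#   7031 = Service Control Manager, service crash with scheduled recovery action
#   1074 = User32, restart initiated by a process (here services.exe as SYSTEM)

$since = (Get-Date).AddDays(-7)

# Service crashes that scheduled a recovery action (e.g. "Reboot the machine").
$crashes = @(Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7031; StartTime = $since
} -ErrorAction SilentlyContinue)

# Restarts initiated by a process on behalf of a user.
$restarts = @(Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'User32'; Id = 1074; StartTime = $since
} -ErrorAction SilentlyContinue)

foreach ($r in $restarts) {
    # The 7031 event says the reboot follows in 60000 ms, so a two-minute
    # look-back window is enough to find the crash that caused this restart.
    $cause = $crashes |
        Where-Object { $_.TimeCreated -le $r.TimeCreated -and
                       $_.TimeCreated -ge $r.TimeCreated.AddMinutes(-2) } |
        Sort-Object TimeCreated -Descending |
        Select-Object -First 1

    $crashedSvc = '(no 7031 event in window)'
    $crashAt = $null
    if ($cause) {
        $crashedSvc = $cause.Properties[0].Value   # %1 of 7031: service display name
        $crashAt = $cause.TimeCreated
    }

    New-Object PSObject -Property @{
        RestartAt  = $r.TimeCreated
        Initiator  = $r.Properties[0].Value        # %1 of 1074: initiating process (host)
        Comment    = $r.Properties[5].Value        # %6 of 1074: free-text comment
        CrashedSvc = $crashedSvc
        CrashAt    = $crashAt
    }
}
```

    A run that shows the same service (DCOM Server Process Launcher, Plug and Play) crashing a minute before every restart, with services.exe as the initiator, matches the symptom described and points at whatever is injecting into or killing those svchost-hosted services.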
     
  21. 2010/01/21
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    It could be caused by a virus.

    See if you can complete one of these:

    Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.
    • You will need to use Internet Explorer to complete this scan.
    • You will need to temporarily Disable your current Anti-virus program.
    • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
    • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

    NOTE: If you are unable to complete the ESET scan, please try another from the list below:


    ====

    Do you have your Operating System disc?
     
