[17sheep]

Greetings!
I'm asking for help to review my system to find an infection or rule it out as the cause for frequent application crashes, mainly Firefox and Thunderbird, and OS, Windows 7, crashes.
Thank you for your help!
David

OTL logfile created on: 6/29/2011 6:46:05 PM - Run 1
OTL by OldTimer - Version 3.2.24.2 Folder = C:\Users\wooly7\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.04 Gb Available Physical Memory | 68.12% Memory free
5.99 Gb Paging File | 5.02 Gb Available in Paging File | 83.68% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.82 Gb Total Space | 141.51 Gb Free Space | 60.78% Space Free | Partition Type: NTFS
Drive E: | 465.76 Gb Total Space | 247.03 Gb Free Space | 53.04% Space Free | Partition Type: NTFS

Computer Name: SHED | User Name: wooly7 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/29 18:44:11 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Users\wooly7\Desktop\OTL.exe
PRC - [2011/02/25 00:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2011/02/11 15:10:56 | 002,109,440 | ---- | M] (ContentWatch, Inc.) -- C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
PRC - [2011/02/11 15:08:56 | 000,354,112 | ---- | M] (ContentWatch, Inc.) -- C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
PRC - [2010/12/27 19:18:17 | 000,079,872 | ---- | M] (SanDisk Corporation) -- C:\Users\wooly7\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
PRC - [2010/11/20 07:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/06/16 16:42:58 | 000,839,680 | ---- | M] () -- C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
PRC - [2010/05/21 00:28:00 | 011,312,128 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2010/05/21 00:27:58 | 011,318,784 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2010/03/23 13:19:32 | 001,528,616 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2009/09/25 23:32:18 | 000,189,736 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
PRC - [2009/07/13 20:14:24 | 000,157,184 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Windows Defender\MpCmdRun.exe
PRC - [2008/09/11 00:06:56 | 000,984,352 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2008/09/10 22:37:36 | 000,024,576 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2007/12/05 07:17:24 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AERTSrv.exe


========== Modules (SafeList) ==========

MOD - [2011/06/29 18:44:11 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Users\wooly7\Desktop\OTL.exe
MOD - [2010/11/20 06:55:09 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/02/11 15:10:56 | 002,109,440 | ---- | M] (ContentWatch, Inc.) [Auto | Running] -- C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe -- (CwAltaService20)
SRV - [2010/06/26 06:36:14 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/03/23 13:19:32 | 001,528,616 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2009/09/25 23:32:18 | 000,189,736 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)
SRV - [2009/07/13 20:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 20:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/09/10 22:37:36 | 000,024,576 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2008/08/08 21:10:46 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2007/12/05 07:17:24 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AERTSrv.exe -- (AERTFilters)


========== Driver Services (SafeList) ==========

DRV - [2010/11/20 05:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 04:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/07/10 06:37:00 | 011,008,040 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/04/30 19:32:06 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2010/04/30 19:30:56 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2010/03/23 13:15:36 | 000,308,859 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2009/10/07 09:47:56 | 000,266,008 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\lvrs.sys -- (LVRS)
DRV - [2009/10/07 08:49:40 | 006,756,632 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\lvuvc.sys -- (LVUVC) Logitech QuickCam E3500(UVC)
DRV - [2009/07/13 18:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\serial.sys -- (Serial)
DRV - [2009/07/13 17:02:50 | 000,211,456 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2008/11/16 18:39:44 | 000,131,984 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\dne2000.sys -- (DNE)
DRV - [2007/01/18 20:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CVirtA.sys -- (CVirtA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 61 AA D0 25 CB 14 CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: ""
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20110323
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:10.0.0.1178
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..keyword.URL: "http://us.yhs.search...2-tb-web_us&p="

FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/26 07:25:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/07 09:25:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.11\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/06/23 15:42:11 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.11\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/06/25 20:29:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\wooly7\AppData\Roaming\Mozilla\Extensions
[2010/06/25 20:27:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\wooly7\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/06/12 19:23:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\wooly7\AppData\Roaming\Mozilla\Firefox\Profiles\eq8bx4q8.default\extensions
[2011/03/24 06:21:25 | 000,000,000 | ---D | M] (WOT) -- C:\Users\wooly7\AppData\Roaming\Mozilla\Firefox\Profiles\eq8bx4q8.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2011/03/26 07:25:04 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/01/12 20:17:37 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/06/25 21:42:29 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/08/18 05:43:02 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/11/08 08:16:25 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
File not found (No name found) --
[2011/05/14 11:35:45 | 000,000,000 | ---D | M] (XULRunner) -- C:\USERS\WOOLY7\APPDATA\LOCAL\{9E084360-A7E5-478C-8781-3A49F52F7925}
() (No name found) -- C:\USERS\WOOLY7\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\EQ8BX4Q8.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2011/03/18 12:53:24 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/09/15 05:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2009/06/10 16:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKCU..\Run: [OpenDNS Updater] C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe ()
O4 - HKCU..\Run: [SansaDispatch] C:\Users\wooly7\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe (SanDisk Corporation)
O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\Windows\System32\cmd.exe (Microsoft Corporation)
O4 - Startup: C:\Users\wooly7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000039 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000040 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.67.222.222 208.67.220.220
O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/03/30 05:31:40 | 000,000,205 | ---- | M] () - E:\Autorun.inf -- [ NTFS ]
O33 - MountPoints2\{e3d730e6-819c-11df-a255-001aa09d51df}\Shell - "" = AutoRun
O33 - MountPoints2\{e3d730e6-819c-11df-a255-001aa09d51df}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/29 18:44:08 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Users\wooly7\Desktop\OTL.exe
[2011/06/28 17:48:21 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2011/06/16 22:48:29 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/06/16 22:48:28 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2011/06/16 22:48:28 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011/06/16 22:48:27 | 001,797,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/06/29 18:44:11 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Users\wooly7\Desktop\OTL.exe
[2011/06/29 12:05:33 | 000,013,440 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/06/29 12:05:33 | 000,013,440 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/06/29 11:57:46 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/06/29 11:57:42 | 000,000,000 | ---- | M] () -- C:\Windows\System32\drivers\lvuvc.hs
[2011/06/29 11:57:38 | 350,502,069 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/06/29 11:57:35 | 2414,481,408 | -HS- | M] () -- C:\hiberfil.sys
[2011/06/14 20:33:51 | 000,623,940 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/06/14 20:33:51 | 000,106,316 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/06/12 22:03:37 | 002,363,275 | ---- | M] () -- C:\Users\wooly7\Desktop\photo.JPG
[2011/06/12 19:25:56 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/06/09 21:12:22 | 000,002,048 | -H-- | M] () -- C:\Users\wooly7\Documents\Default.rdp
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/06/12 22:02:55 | 002,363,275 | ---- | C] () -- C:\Users\wooly7\Desktop\photo.JPG
[2011/05/04 19:40:51 | 000,000,120 | ---- | C] () -- C:\Users\wooly7\AppData\Local\Ebitazixo.dat
[2011/05/04 19:40:51 | 000,000,000 | ---- | C] () -- C:\Users\wooly7\AppData\Local\Ljoxuxilexexexi.bin
[2011/03/03 20:08:19 | 000,975,872 | ---- | C] () -- C:\Windows\System32\libxml2_CW.dll
[2011/03/03 20:08:19 | 000,151,552 | ---- | C] () -- C:\Windows\System32\libexpat.dll
[2011/03/03 20:08:17 | 002,916,352 | ---- | C] () -- C:\Windows\System32\wxmsw28u_core_vc_CW.dll
[2011/03/03 20:08:17 | 001,073,152 | ---- | C] () -- C:\Windows\System32\wxcode_msw28u_wxcurl_CW.dll
[2011/03/03 20:08:17 | 000,524,288 | ---- | C] () -- C:\Windows\System32\wxmsw28u_xrc_vc_CW.dll
[2011/03/03 20:08:17 | 000,499,712 | ---- | C] () -- C:\Windows\System32\wxmsw28u_html_vc_CW.dll
[2011/03/03 20:08:17 | 000,110,592 | ---- | C] () -- C:\Windows\System32\wxmsw28u_media_vc_CW.dll
[2011/03/03 20:08:17 | 000,081,920 | ---- | C] () -- C:\Windows\System32\wxcode_msw28u_wxjson_CW.dll
[2011/03/03 20:08:16 | 001,236,992 | ---- | C] () -- C:\Windows\System32\wxbase28u_vc_CW.dll
[2011/03/03 20:08:16 | 000,716,800 | ---- | C] () -- C:\Windows\System32\wxmsw28u_adv_vc_CW.dll
[2011/03/03 20:08:16 | 000,135,168 | ---- | C] () -- C:\Windows\System32\wxbase28u_xml_vc_CW.dll
[2011/03/03 20:08:16 | 000,135,168 | ---- | C] () -- C:\Windows\System32\wxbase28u_net_vc_CW.dll
[2011/02/02 14:13:49 | 000,000,061 | ---- | C] () -- C:\Windows\TaxACT10.ini
[2010/12/11 18:04:38 | 000,005,120 | ---- | C] () -- C:\Users\wooly7\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/16 21:43:19 | 000,000,085 | ---- | C] () -- C:\Users\wooly7\AppData\Roaming\WaveBreaker.ini
[2010/11/16 21:11:48 | 000,000,060 | ---- | C] () -- C:\Windows\System32\SYSWBDRV.SYS
[2010/11/16 19:46:03 | 000,000,077 | ---- | C] () -- C:\Windows\WaveBreaker.ini
[2010/11/06 15:36:25 | 000,000,095 | ---- | C] () -- C:\Windows\QBChanUtil_Trigger.ini
[2010/10/21 18:33:47 | 000,004,096 | ---- | C] () -- C:\Windows\d3dx.dat
[2010/10/07 17:40:42 | 000,064,000 | ---- | C] () -- C:\Windows\System32\esfw52.bin
[2010/06/25 21:33:48 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/03/23 13:26:48 | 000,201,512 | ---- | C] () -- C:\Windows\System32\vpnapi.dll
[2009/10/07 08:24:22 | 000,082,289 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
[2009/07/13 23:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 23:33:53 | 000,330,544 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/13 21:05:48 | 000,623,940 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/13 21:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/13 21:05:48 | 000,106,316 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/13 21:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/13 21:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/13 21:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/13 18:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 18:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/06/10 16:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

========== LOP Check ==========

[2010/08/02 19:31:07 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\Amazon
[2011/04/15 16:58:09 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\Audacity
[2010/10/17 07:56:10 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\AVG10
[2010/10/07 18:42:24 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\EPSON
[2010/06/28 20:07:18 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\FileZilla
[2010/07/16 20:30:59 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\flightgear.org
[2011/03/02 19:30:45 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\fltk.org
[2011/02/23 13:11:30 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\gtk-2.0
[2010/11/30 22:09:36 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\MakeMusic
[2011/04/01 23:12:22 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\OpenDNS Updater
[2010/06/25 21:54:34 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\OpenOffice.org
[2010/11/19 20:02:59 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\SanDisk
[2010/06/25 20:27:49 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\Thunderbird
[2011/06/16 13:07:58 | 000,032,552 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 925 bytes -> C:\Users\wooly7\Documents\Fwd FUNNY---What's that again.eml:OECustomProperty

< End of report >

[Advertisements]

Hello 17sheep and welcome to G2G!

My nick is maliprog and I'll will be your technical support on this issue. Before we start please read my notes carefully:

NOTE:

• Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
• Absence of symptoms does not always mean the computer is clean
• Kindly follow my instructions in the order posted. Order is crucial in cleaning process.
• Please DO NOT run any scans or fix on your own without my direction.
• Please read all of my response through at least once before attempting to follow the procedures described.
• If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
• Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply.
• You must reply within 3 days or your topic will be closed

Let's do some scans...

Step 1

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Step 2

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named )

First we will run a virus scan
On the first tab select all elements down to Computer and then select start scan
Confirm deletion to all infection AVP finds
Once it has finished select report and post that.

Do not close AVPTool or it will self uninstall, if it does uninstall - then just rerun the setup file on your desktop


Step 3

Please don't forget to include these items in your reply:

• Malwarebytes log
• AVPTool log

It would be helpful if you could post each log in separate post

[maliprog]

Hello 17sheep and welcome to G2G!

My nick is maliprog and I'll will be your technical support on this issue. Before we start please read my notes carefully:

NOTE:

• Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
• Absence of symptoms does not always mean the computer is clean
• Kindly follow my instructions in the order posted. Order is crucial in cleaning process.
• Please DO NOT run any scans or fix on your own without my direction.
• Please read all of my response through at least once before attempting to follow the procedures described.
• If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
• Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply.
• You must reply within 3 days or your topic will be closed

Let's do some scans...

Step 1

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Step 2

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named )

First we will run a virus scan
On the first tab select all elements down to Computer and then select start scan
Confirm deletion to all infection AVP finds
Once it has finished select report and post that.

Do not close AVPTool or it will self uninstall, if it does uninstall - then just rerun the setup file on your desktop


Step 3

Please don't forget to include these items in your reply:

• Malwarebytes log
• AVPTool log

It would be helpful if you could post each log in separate post

[17sheep]

Greetings and thank you so much for your help!

Here is the mbam log. Also Here is a more detailed description of what has been happening:
I ran mbam when I went to bed and the system ran all night. I opened firefox to send you the log and after opening a couple of tabs it crashed, I tried again and it crashed again. I tried IE and it crashed, then the system blue screened. It would not boot so I tried the recovery steps. I believe this has been repeated fairly often over the last month or so. This is our home machine so often I'm not here to see it but my wife explains what has happened. This morning however I went through the process and this time caught the following error during the repair process;
StartRep.exe
The instruction at 0x73ccf28e referenced memory at 0x08816b27. The memory could not be written.
Click on OK to terminat the program.
Based on this information I removed two memory modules I had installed over 6 months ago. I'm not sure that is the problem but wanted you to know I had made that change.
The Kapersky scan is running now so I will post it's log later today.
Thanks again,
David




Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6985

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

6/30/2011 6:57:03 AM
mbam-log-2011-06-30 (06-57-03).txt

Scan type: Quick scan
Objects scanned: 148616
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\wooly7\AppData\Roaming\Adobe\shed\thr1.chm (Malware.Trace) -> Quarantined and deleted successfully.
c:\Users\wooly7\AppData\Roaming\Adobe\plugs\mmc47877611.txt (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

[17sheep]

Here is the Kapersky log. Only found one file on an external drive used for backups. Thanks again for your help. David

Autoscan: completed 4 hours ago (events: 4, objects: 637548, time: 06:40:07)
6/30/2011 7:04:24 AM Task started
6/30/2011 9:01:47 AM Detected: Trojan.JS.Agent.buq E:\Seagate Backup\SHED\History\Level2\C\Users\wooly7\AppData\Local\Mozilla\Firefox\Profiles\eq8bx4q8.default\Cache\4\1B\B7AE3d01/eq8bx4q8
6/30/2011 1:44:29 PM Untreated: Trojan.JS.Agent.buq E:\Seagate Backup\SHED\History\Level2\C\Users\wooly7\AppData\Local\Mozilla\Firefox\Profiles\eq8bx4q8.default\Cache\4\1B\B7AE3d01/eq8bx4q8 Write not supported
6/30/2011 1:44:31 PM Task completed

[maliprog]

Hi 17sheep,

I don't see any major infection that can cause this behavior. Let's do some more scans.

Step 1

Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\\ComboFix.txt log in your next reply.

Step 2

Download aswMBR.exe ( 511KB ) to your desktop.

• Double click the aswMBR.exe to run it
• Click the "Scan" button to start scan
• On completion of the scan click save log, save it to your desktop and post in your next reply

Step 3

Please don't forget to include these items in your reply:

• aswMBR log
• Combofix log

It would be helpful if you could post each log in separate post

[17sheep]

Thanks again for your help!

ComboFix 11-06-30.03 - wooly7 07/01/2011 6:47.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1022.390 [GMT -5:00]
Running from: c:\users\wooly7\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\wooly7\AppData\Roaming\Adobe\plugs
c:\users\wooly7\AppData\Roaming\Adobe\shed
E:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-06-01 to 2011-07-01 )))))))))))))))))))))))))))))))
.
.
2011-07-01 11:59 . 2011-07-01 11:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-30 12:02 . 2011-06-30 12:02 -------- d-----w- c:\programdata\Kaspersky Lab
2011-06-30 11:49 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-30 11:49 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-30 11:49 . 2011-06-20 13:57 7074640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8F624E2A-EFE1-44D9-9893-6824E4D6F2AF}\mpengine.dll
2011-06-28 22:48 . 2011-06-29 17:33 -------- d-----w- c:\program files\Microsoft Security Client
2011-06-17 03:48 . 2011-04-25 15:29 141104 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2011-06-17 03:48 . 2011-04-22 23:25 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-17 03:48 . 2011-04-22 23:35 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-06-17 03:41 . 2011-02-25 05:34 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-17 03:41 . 2011-04-29 02:46 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2011-06-17 03:41 . 2011-04-29 02:46 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-17 03:41 . 2011-04-29 02:46 114688 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-17 03:41 . 2011-04-27 02:17 223744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-17 03:41 . 2011-04-27 02:17 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-17 03:41 . 2011-04-27 02:17 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-17 03:40 . 2011-04-25 04:31 1290624 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-17 03:40 . 2011-04-25 02:18 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-17 03:40 . 2011-05-03 04:30 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-05 03:37 . 2011-06-05 03:37 -------- d-----w- c:\windows\system32\config\systemprofile\ContentWatch
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-13 00:25 . 2011-05-22 22:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-25 00:14 . 2010-06-26 00:58 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2011-05-14 19:18 . 2011-05-05 00:40 0 ----a-w- c:\users\wooly7\AppData\Local\Ljoxuxilexexexi.bin
2011-05-08 14:04 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-05-08 13:05 . 2011-05-08 13:05 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-05-08 13:05 . 2011-05-08 13:05 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-05-08 13:05 . 2011-05-08 13:05 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-05-08 13:05 . 2011-05-08 13:05 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-05-08 13:05 . 2011-05-08 13:05 161792 ----a-w- c:\windows\system32\msls31.dll
2011-05-08 13:05 . 2011-05-08 13:05 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-05-08 13:05 . 2011-05-08 13:05 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-05-08 13:05 . 2011-05-08 13:05 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-05-08 13:05 . 2011-05-08 13:05 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-05-08 13:05 . 2011-05-08 13:05 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-05-08 13:05 . 2011-05-08 13:05 367104 ----a-w- c:\windows\system32\html.iec
2011-05-08 13:05 . 2011-05-08 13:05 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-05-08 13:05 . 2011-05-08 13:05 152064 ----a-w- c:\windows\system32\wextract.exe
2011-05-08 13:05 . 2011-05-08 13:05 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-05-08 13:05 . 2011-05-08 13:05 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-05-08 13:05 . 2011-05-08 13:05 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-05-08 13:05 . 2011-05-08 13:05 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-05-08 13:05 . 2011-05-08 13:05 11776 ----a-w- c:\windows\system32\mshta.exe
2011-05-08 13:05 . 2011-05-08 13:05 101888 ----a-w- c:\windows\system32\admparse.dll
2011-04-22 19:14 . 2011-05-26 02:10 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-04-13 22:40 . 2011-04-13 22:40 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2011-04-09 06:02 . 2011-05-22 22:06 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-04-09 06:02 . 2011-05-22 22:06 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-04-09 05:56 . 2011-05-22 22:06 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-03-18 17:53 . 2011-03-26 12:25 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="c:\users\wooly7\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe" [2010-12-28 79872]
"OpenDNS Updater"="c:\program files\OpenDNS Updater\OpenDNSUpdater.exe" [2010-06-16 839680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
c:\users\wooly7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
_uninst_setup_9.0.0.722_30.06.2011_15-07.exe.lnk - c:\users\wooly7\AppData\Local\Temp\_uninst_setup_9.0.0.722_30.06.2011_15-07.exe.bat [N/A]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-11 984352]
VPN Client.lnk - c:\windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico [2010-6-28 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-26 1343400]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-05 77824]
S2 CwAltaService20;ContentWatch;c:\program files\ContentWatch\Internet Protection\cwsvc.exe [2011-02-11 2109440]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-09-26 189736]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 48930171
*NewlyCreated* - 48930172
*NewlyCreated* - SETUP_9.0.0.722_30.06.2011_15-07DRV
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
LSP: c:\windows\system32\cwalsp.dll
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220
FF - ProfilePath - c:\users\wooly7\AppData\Roaming\Mozilla\Firefox\Profiles\eq8bx4q8.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-07-01 07:09:00
ComboFix-quarantined-files.txt 2011-07-01 12:08
.
Pre-Run: 153,181,659,136 bytes free
Post-Run: 153,222,729,728 bytes free
.
- - End Of File - - DAB1380B4CF3A1531599BA98735D2D9D

[17sheep]

aswMBR version 0.9.7.675 Copyright© 2011 AVAST Software
Run date: 2011-07-01 07:18:34
-----------------------------
07:18:34.649 OS Version: Windows 6.1.7601 Service Pack 1
07:18:34.649 Number of processors: 2 586 0xF0D
07:18:34.665 ComputerName: SHED UserName:
07:18:36.412 Initialize success
07:20:48.708 AVAST engine defs: 11070101
07:21:22.872 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
07:21:22.872 Disk 0 Vendor: WDC_WD2500JS-75NCB3 10.02E04 Size: 238418MB BusType: 3
07:21:24.900 Disk 0 MBR read successfully
07:21:24.900 Disk 0 MBR scan
07:21:24.900 Disk 0 Windows 7 default MBR code
07:21:26.928 Disk 0 scanning sectors +488263545
07:21:27.006 Disk 0 scanning C:\Windows\system32\drivers
07:21:37.770 Service scanning
07:21:38.831 Disk 0 trace - called modules:
07:21:38.877 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
07:21:38.877 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8551f9c8]
07:21:38.893 3 CLASSPNP.SYS[875a459e] -> nt!IofCallDriver -> [0x850ad918]
07:21:38.893 5 ACPI.sys[870c23d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x8509b908]
07:21:40.001 AVAST engine scan C:\Windows
07:55:32.076 AVAST engine scan C:\Users\wooly7
08:01:19.660 AVAST engine scan C:\ProgramData
08:03:02.324 Scan finished successfully
16:32:10.673 Disk 0 MBR has been saved successfully to "C:\Users\wooly7\Desktop\MBR.dat"
16:32:10.688 The log file has been saved successfully to "C:\Users\wooly7\Desktop\aswMBRLog.txt"

[maliprog]

Please test your system after these two steps and let me know how is it doing.

Step 1

• Go to Start -> My Computer
• Right click on C: disk and clik on Properties
• Click on tab Tools and click on Check now... button
• Check Automatically fix system errors and Scan for and attempt recovery of bad sectors
• Click Start button
• Confirm schedule disk check next time computer starts with Yes button
• Restart your system and wait while system checks your disk for errors

Step 2

Download and run Puran Disc Defragmenter
For the first run I would recommend a boot defrag and disk check

[17sheep]

Greetings!

Disk check found no issues. We've used it 3 days now without issues. I believe I'll chalk this one up to bad memory.

Thanks again for your help!
David

[maliprog]

Hi 17sheep,

Your logs and system are clean now. I'm glad we fix up your computer. We need to clean up your PC from programs we used.

Step 1

Please start OTL one more time and click CleanUp button. OTL will restart your system at the end. Remove all other application we used to clean your PC.

General recommendations

Here are some recommendations you should follow to minimize infection risk in the future:

1. Enable Windows Update

• Click Start, click Run, type sysdm.cpl, and then press ENTER.
• Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them option.
• Click OK button

2. Delete Temp files

Download TFC to your desktop

• Open the file and close any other windows.
• It will close all programs itself when run, make sure to let it run uninterrupted.
• Click the Start button to begin the process. The program should not take long to finish its job
• Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

3. Make Backups of Important Files

Please read this article Home Computer Data Backup.


4. Regularly update your software

To eliminate design flaws and security vulnerabilities, all software needs to be updated to the latest version or the vendor’s patch installed.

You should download Update Checker from here. The program will automaticly check for newer version of software installed on your system.

[maliprog]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.