Jump to content

Welcome to Geeks to Go - Register now for FREE
Geeks To Go is a helpful hub, where thousands of friendly volunteers serve up answers and support. Get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute.
Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. This message and all ads will be removed once you have signed in.
Create an Account Login to Account

Spyware/Malware on Windows 7


  • This topic is locked This topic is locked

#1
Dragnsfire

Dragnsfire

    Member

  • Member
  • PipPip
  • 35 posts
I am trying to clean up a kid's laptop. He is running Windows 7 Home Premium with SP1. I ran Spybot and cleared out a lot of stuff (also uninstalled 4 or 5 toolbars he had installed). The system is still running a little slow at the moment, and I tried uninstalling something called "Yontoo Layers Runtime 1.10.01" but get an error message from Tarma Installer "Setup Initialization Error" every time. Spybot isn't picking up anything else, but I want to check to be sure everything is off this system.

Here is the log from OTL:


OTL logfile created on: 10/2/2011 8:43:05 PM - Run 2
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Users\Julian\Downloads
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.93 Gb Total Physical Memory | 2.44 Gb Available Physical Memory | 61.95% Memory free
7.86 Gb Paging File | 6.25 Gb Available in Paging File | 79.50% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 453.66 Gb Total Space | 419.68 Gb Free Space | 92.51% Space Free | Partition Type: NTFS

Computer Name: JULIAN-ONE | User Name: Julian | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/10/02 18:46:16 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Users\Julian\Downloads\OTL.exe
PRC - [2011/09/29 19:58:15 | 000,137,536 | ---- | M] (Facebook Inc.) -- C:\Users\Julian\AppData\Local\Facebook\Update\FacebookUpdate.exe
PRC - [2011/09/10 06:28:50 | 002,338,656 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG10\avgtray.exe
PRC - [2011/08/18 01:33:06 | 007,390,560 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
PRC - [2011/02/10 07:55:18 | 001,148,256 | ---- | M] () -- C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
PRC - [2011/02/08 05:33:42 | 000,269,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
PRC - [2009/08/20 17:26:00 | 000,244,480 | ---- | M] (NewTech Infosystems, Inc.) -- C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe
PRC - [2009/08/20 17:25:50 | 000,062,720 | ---- | M] (NewTech Infosystems, Inc.) -- C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
PRC - [2009/08/18 02:42:34 | 001,157,640 | ---- | M] (Dritek System Inc.) -- C:\Program Files (x86)\Launch Manager\LManager.exe
PRC - [2009/07/15 15:15:22 | 000,630,784 | ---- | M] (Chicony) -- C:\Program Files (x86)\Video Web Camera\traybar.exe
PRC - [2009/07/03 18:47:12 | 000,240,160 | ---- | M] (Acer) -- C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
PRC - [2009/06/10 14:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
PRC - [2009/06/04 06:04:50 | 001,150,496 | ---- | M] (Acer Incorporated) -- C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe
PRC - [2009/06/03 20:59:02 | 000,103,720 | ---- | M] (CyberLink) -- C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
PRC - [2009/04/15 23:52:06 | 000,091,432 | ---- | M] (CyberLink Corp.) -- C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe
PRC - [2009/01/26 15:31:16 | 002,144,088 | RHS- | M] (Safer Networking Limited) -- C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe


========== Modules (No Company Name) ==========

MOD - [2011/09/30 16:38:02 | 000,412,728 | ---- | M] () -- C:\Users\Julian\AppData\Local\Google\Chrome\Application\14.0.835.187\ppgooglenaclpluginchrome.dll
MOD - [2011/09/30 16:38:00 | 003,696,184 | ---- | M] () -- C:\Users\Julian\AppData\Local\Google\Chrome\Application\14.0.835.187\pdf.dll
MOD - [2011/09/30 16:36:24 | 000,142,568 | ---- | M] () -- C:\Users\Julian\AppData\Local\Google\Chrome\Application\14.0.835.187\avutil-51.dll
MOD - [2011/09/30 16:36:23 | 000,253,320 | ---- | M] () -- C:\Users\Julian\AppData\Local\Google\Chrome\Application\14.0.835.187\avformat-53.dll
MOD - [2011/09/30 16:36:22 | 002,403,240 | ---- | M] () -- C:\Users\Julian\AppData\Local\Google\Chrome\Application\14.0.835.187\avcodec-53.dll
MOD - [2011/09/30 14:07:32 | 006,338,720 | ---- | M] () -- C:\Users\Julian\AppData\Local\Google\Chrome\Application\14.0.835.187\gcswf32.dll
MOD - [2011/02/10 07:55:18 | 001,148,256 | ---- | M] () -- C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
MOD - [2009/06/03 20:59:14 | 000,013,096 | ---- | M] () -- C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvcPS.dll
MOD - [2009/06/03 20:59:02 | 000,619,816 | ---- | M] () -- C:\Program Files (x86)\CyberLink\Power2Go\CLMediaLibrary.dll
MOD - [2009/02/02 17:33:56 | 000,460,199 | ---- | M] () -- C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\sqlite3.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2009/08/05 21:30:58 | 000,844,320 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe -- (ePowerSvc)
SRV:64bit: - [2009/07/13 18:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/03 18:47:12 | 000,240,160 | ---- | M] (Acer) [Auto | Running] -- C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe -- (Updater Service)
SRV - [2011/08/18 01:33:06 | 007,390,560 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2011/02/08 05:33:42 | 000,269,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe -- (avgwd)
SRV - [2009/08/20 17:25:50 | 000,062,720 | ---- | M] (NewTech Infosystems, Inc.) [Auto | Running] -- C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe -- (NTI IScheduleSvc)
SRV - [2009/06/10 14:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/06/04 06:04:50 | 001,150,496 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe -- (Greg_Service)
SRV - [2009/05/22 11:02:20 | 000,250,616 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2009/04/28 20:21:18 | 000,436,736 | ---- | M] (Conexant Systems, Inc.) [Auto | Running] -- C:\Windows\SysWOW64\XAudio64.dll -- (HsfXAudioService)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/05/27 19:05:26 | 000,118,864 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV:64bit: - [2011/04/05 00:59:54 | 000,377,936 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgtdia.sys -- (Avgtdia)
DRV:64bit: - [2011/03/16 16:03:18 | 000,037,456 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\avgrkx64.sys -- (Avgrkx64)
DRV:64bit: - [2011/03/10 23:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/10 23:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011/03/01 14:25:18 | 000,041,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\avgmfx64.sys -- (Avgmfx64)
DRV:64bit: - [2011/02/22 08:12:46 | 000,026,704 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\AVGIDSEH.sys -- (AVGIDSEH)
DRV:64bit: - [2011/02/10 07:53:34 | 000,029,264 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV:64bit: - [2011/01/07 06:41:44 | 000,304,720 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgldx64.sys -- (Avgldx64)
DRV:64bit: - [2010/11/20 06:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 04:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/08/25 19:36:04 | 010,611,552 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2010/01/13 16:37:18 | 007,675,392 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NETw5s64.sys -- (NETw5s64) Intel®
DRV:64bit: - [2009/08/09 20:07:14 | 000,222,208 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV:64bit: - [2009/07/13 18:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 18:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 18:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 14:59:33 | 005,020,672 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
DRV:64bit: - [2009/06/24 03:23:24 | 000,205,472 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtHDMIVX.sys -- (RTHDMIAzAudService)
DRV:64bit: - [2009/06/18 05:12:32 | 000,272,432 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2009/06/10 14:01:11 | 001,485,312 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTDPV6.SYS -- (SrvHsfV92)
DRV:64bit: - [2009/06/10 14:01:11 | 000,740,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTCNXT6.SYS -- (SrvHsfWinac)
DRV:64bit: - [2009/06/10 14:01:11 | 000,292,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTAZL6.SYS -- (SrvHsfHDA)
DRV:64bit: - [2009/06/10 13:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 13:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 13:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 13:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/06/06 09:36:46 | 000,317,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\k57nd60a.sys -- (k57nd60a) Broadcom NetLink ™
DRV:64bit: - [2009/05/25 13:13:10 | 000,138,752 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel®
DRV:64bit: - [2009/05/13 17:51:40 | 005,435,904 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NETw5v64.sys -- (netw5v64) Intel®
DRV:64bit: - [2009/05/05 16:46:08 | 000,018,432 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NTIDrvr.sys -- (NTIDrvr)
DRV:64bit: - [2009/05/05 16:46:08 | 000,016,896 | ---- | M] (NewTech Infosystems Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\UBHelper.sys -- (UBHelper)
DRV:64bit: - [2009/04/28 20:21:08 | 000,010,240 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\XAudio64.sys -- (XAudio)
DRV:64bit: - [2009/02/12 07:24:56 | 001,485,824 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CAX_DPV.sys -- (HSF_DPV)
DRV:64bit: - [2009/02/12 07:20:56 | 000,292,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CAXHWAZL.sys -- (CAXHWAZL)
DRV:64bit: - [2009/02/12 07:19:34 | 000,740,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CAX_CNXT.sys -- (winachsf)
DRV:64bit: - [2006/06/17 15:27:24 | 000,017,024 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2009/07/13 18:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/03/25 20:16:08 | 000,025,608 | ---- | M] (Dritek System Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysWOW64\Drivers\DKbFltr.sys -- (DKbFltr) Dritek Keyboard Filter Driver (64-bit)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gate...34z1j5a4882v24r
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gate...34z1j5a4882v24r
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gate...34z1j5a4882v24r
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gate...34z1j5a4882v24r

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gate...34z1j5a4882v24r
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.searchqu.com/406
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://search.condui...&ctid=CT2776682
IE - HKCU\..\URLSearchHook: {90eee664-34b1-422a-a782-779af65cdf6d} - No CLSID value found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8064.0206: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Users\Julian\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Julian\AppData\Local\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Julian\AppData\Local\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files (x86)\AVG\AVG10\Firefox4\ [2011/09/14 18:10:44 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - default_search_provider: Web Search (Enabled)
CHR - default_search_provider: search_url = http://www.searchqu....q={searchTerms}
CHR - default_search_provider: suggest_url =
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Julian\AppData\Local\Google\Chrome\Application\14.0.835.187\gcswf32.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrl.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Julian\AppData\Local\Google\Chrome\Application\14.0.835.187\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Julian\AppData\Local\Google\Chrome\Application\14.0.835.187\pdf.dll
CHR - plugin: AVG Internet Security (Enabled) = C:\Users\Julian\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\10.0.0.1409_0\plugins/avgnpss.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Windows Live\u00AE Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: Google Update (Enabled) = C:\Users\Julian\AppData\Local\Google\Update\1.3.21.69\npGoogleUpdate3.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Xmarks Bookmark Sync = C:\Users\Julian\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\1.0.16_0\
CHR - Extension: Aperture Science Network Interface = C:\Users\Julian\AppData\Local\Google\Chrome\User Data\Default\Extensions\iagkbagihjgoddclmakgfolcdpkihngc\1_0\
CHR - Extension: AVG Safe Search = C:\Users\Julian\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\10.0.0.1409_0\
CHR - Extension: Poppit = C:\Users\Julian\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0\
CHR - Extension: Facebook Notifications = C:\Users\Julian\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmameahlembdcigphohgiodcgjomcgeo\1.22_0\

O1 HOSTS File: ([2009/06/10 14:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssiea.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O3:64bit: - HKLM\..\Toolbar: (no name) - !{51a86bb3-6602-4c85-92a5-130ee4864f13} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - !{a6bf16ab-42a1-4bc5-965d-5e407e449aaa} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - !{51a86bb3-6602-4c85-92a5-130ee4864f13} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - !{a6bf16ab-42a1-4bc5-965d-5e407e449aaa} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {46897C77-E7A6-4C33-BFFB-E9C2E2718942} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {9565115D-C7D6-46D3-BD63-B67B481A4368} - No CLSID value found.
O4:64bit: - HKLM..\Run: [Acer ePower Management] C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe (Acer Incorporated)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BackupManagerTray] C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe (NewTech Infosystems, Inc.)
O4 - HKLM..\Run: [Camera Assistant Software] C:\Program Files (x86)\Video Web Camera\traybar.exe (Chicony)
O4 - HKLM..\Run: [CLMLServer] C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)
O4 - HKLM..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [PDVD8LanguageShortcut] C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RemoteControl8] C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe (CyberLink Corp.)
O4 - HKCU..\Run: [Facebook Update] C:\Users\Julian\AppData\Local\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{00BC4D36-12D6-4016-8BC0-DB5C01069066}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3684E32D-4846-436A-B1F8-95238FCB0EFA}: DhcpNameServer = 168.95.1.1
O18:64bit: - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgppa.dll (AVG Technologies CZ, s.r.o.)
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) -C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~2\AVG\AVG10\avgchsva.exe /sync)
O34 - HKLM BootExecute: (C:\PROGRA~2\AVG\AVG10\avgrsa.exe /sync /restart)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/10/02 20:15:04 | 000,000,000 | R--D | C] -- C:\Users\Julian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink PowerDVD 8
[2011/10/02 19:45:43 | 000,000,000 | ---D | C] -- C:\Users\Julian\AppData\Local\Magentic
[2011/10/02 19:43:15 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\SPReview
[2011/10/02 19:41:56 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\EventProviders
[2011/10/02 19:37:26 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\microsoft
[2011/10/02 18:59:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2011/10/02 18:58:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2011/10/02 18:58:59 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2011/10/02 10:32:59 | 000,000,000 | ---D | C] -- C:\Users\Julian\AppData\Local\Adobe
[2011/10/01 13:58:33 | 000,000,000 | ---D | C] -- C:\ProgramData\boost_interprocess
[2011/10/01 13:42:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Amnesia - The Dark Descent Demo
[2011/10/01 13:41:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Amnesia - The Dark Descent Demo
[2011/10/01 13:40:04 | 000,000,000 | ---D | C] -- C:\Users\Julian\AppData\Local\IM
[2011/10/01 13:39:40 | 000,000,000 | ---D | C] -- C:\ProgramData\IncrediMail
[2011/10/01 13:39:40 | 000,000,000 | ---D | C] -- C:\ProgramData\IM
[2011/10/01 12:59:33 | 000,000,000 | -H-D | C] -- C:\$AVG
[2011/10/01 12:50:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Premium
[2011/10/01 12:50:35 | 000,000,000 | ---D | C] -- C:\ProgramData\InstallMate
[2011/10/01 12:48:56 | 000,000,000 | ---D | C] -- C:\Users\Julian\AppData\Roaming\FreeTorrentDownloader
[2011/10/01 12:48:54 | 000,000,000 | ---D | C] -- C:\Users\Julian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FreeTorrentDownloader
[2011/10/01 12:48:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\FreeTorrentDownloader
[2011/10/01 12:31:26 | 000,000,000 | ---D | C] -- C:\Users\Julian\AppData\Roaming\GetRightToGo
[2011/10/01 12:26:15 | 000,000,000 | ---D | C] -- C:\Users\Julian\AppData\Local\Ilivid Player
[2011/10/01 12:24:51 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Windows iLivid Toolbar
[2011/10/01 12:24:37 | 000,000,000 | ---D | C] -- C:\Users\Julian\AppData\Local\PackageAware
[2011/09/29 19:58:15 | 000,000,000 | ---D | C] -- C:\Users\Julian\AppData\Local\Facebook
[2011/09/27 01:26:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ConduitEngine
[2011/09/27 01:26:29 | 000,000,000 | ---D | C] -- C:\Users\Julian\AppData\Local\Conduit
[2011/09/27 01:26:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Yontoo Layers Runtime
[2011/09/27 01:26:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Tarma Installer
[2011/09/22 17:31:34 | 000,000,000 | ---D | C] -- C:\Users\Julian\AppData\Roaming\Applied Acoustics Systems
[2011/09/22 16:57:15 | 000,000,000 | ---D | C] -- C:\Users\Julian\AppData\Roaming\SynthMaker
[2011/09/22 16:54:40 | 000,057,344 | ---- | C] (NexiTech, Inc.) -- C:\Windows\SysWow64\Wnaspint.dll
[2011/09/22 16:54:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acoustica Mixcraft 5
[2011/09/22 16:54:40 | 000,000,000 | ---D | C] -- C:\Users\Julian\AppData\Roaming\Acoustica
[2011/09/22 16:53:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Acoustica Shared Effects
[2011/09/22 16:52:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\VST
[2011/09/22 16:52:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Acoustica Mixcraft 5
[2011/09/22 16:52:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Acoustica
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/10/02 20:21:03 | 000,009,920 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/10/02 20:21:03 | 000,009,920 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/10/02 20:20:34 | 000,713,888 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/10/02 20:20:34 | 000,615,360 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/10/02 20:20:34 | 000,103,702 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/10/02 20:14:47 | 000,001,448 | ---- | M] () -- C:\Users\Julian\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/10/02 20:13:03 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/10/02 20:12:52 | 3166,158,848 | -HS- | M] () -- C:\hiberfil.sys
[2011/10/02 20:07:25 | 000,343,552 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/10/02 20:03:00 | 000,000,932 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1635989667-4051049385-3299628342-1001UA.job
[2011/10/02 20:03:00 | 000,000,910 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1635989667-4051049385-3299628342-1001Core.job
[2011/10/02 20:01:58 | 000,072,822 | ---- | M] () -- C:\Windows\SysWow64\ieuinit.inf
[2011/10/02 20:01:56 | 000,072,822 | ---- | M] () -- C:\Windows\SysNative\ieuinit.inf
[2011/10/02 20:01:02 | 000,000,116 | ---- | M] () -- C:\Windows\wininit.ini
[2011/10/02 19:47:00 | 000,000,912 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1635989667-4051049385-3299628342-1001UA.job
[2011/10/02 18:59:07 | 000,001,269 | ---- | M] () -- C:\Users\Julian\Desktop\Spybot - Search & Destroy.lnk
[2011/10/02 18:54:06 | 133,960,784 | ---- | M] () -- C:\Windows\SysNative\drivers\AVG\incavi.avm
[2011/10/02 16:12:40 | 000,000,860 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1635989667-4051049385-3299628342-1001Core.job
[2011/10/01 12:47:53 | 000,002,416 | ---- | M] () -- C:\Users\Julian\Desktop\Google Chrome.lnk
[2011/09/14 18:10:44 | 000,000,960 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2011.lnk
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/10/02 20:01:58 | 000,072,822 | ---- | C] () -- C:\Windows\SysWow64\ieuinit.inf
[2011/10/02 20:01:56 | 000,072,822 | ---- | C] () -- C:\Windows\SysNative\ieuinit.inf
[2011/10/02 20:01:02 | 000,000,116 | ---- | C] () -- C:\Windows\wininit.ini
[2011/10/02 18:59:07 | 000,001,269 | ---- | C] () -- C:\Users\Julian\Desktop\Spybot - Search & Destroy.lnk
[2011/09/29 19:58:21 | 000,000,932 | ---- | C] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1635989667-4051049385-3299628342-1001UA.job
[2011/09/29 19:58:20 | 000,000,910 | ---- | C] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1635989667-4051049385-3299628342-1001Core.job
[2010/08/25 19:34:30 | 000,982,240 | ---- | C] () -- C:\Windows\SysWow64\igkrng500.bin
[2010/08/25 19:34:30 | 000,439,308 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng500.bin
[2010/08/25 19:34:30 | 000,092,356 | ---- | C] () -- C:\Windows\SysWow64\igfcg500m.bin
[2010/08/25 18:52:00 | 000,208,896 | ---- | C] () -- C:\Windows\SysWow64\iglhsip32.dll
[2010/08/25 18:52:00 | 000,143,360 | ---- | C] () -- C:\Windows\SysWow64\iglhcp32.dll
[2009/08/28 04:27:15 | 000,134,592 | ---- | C] () -- C:\Windows\SysWow64\igfcg500.bin
[2009/08/28 03:39:59 | 000,000,000 | ---- | C] () -- C:\Windows\Setup.INI
[2009/08/28 03:32:24 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2009/07/13 22:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 19:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/13 19:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/13 17:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 16:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 14:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 14:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat

========== LOP Check ==========

[2011/09/22 16:54:40 | 000,000,000 | ---D | M] -- C:\Users\Julian\AppData\Roaming\Acoustica
[2011/09/22 17:31:34 | 000,000,000 | ---D | M] -- C:\Users\Julian\AppData\Roaming\Applied Acoustics Systems
[2011/08/24 17:09:30 | 000,000,000 | ---D | M] -- C:\Users\Julian\AppData\Roaming\AVG10
[2011/10/01 12:55:18 | 000,000,000 | ---D | M] -- C:\Users\Julian\AppData\Roaming\FreeTorrentDownloader
[2011/10/01 12:37:31 | 000,000,000 | ---D | M] -- C:\Users\Julian\AppData\Roaming\GetRightToGo
[2011/09/22 16:57:15 | 000,000,000 | ---D | M] -- C:\Users\Julian\AppData\Roaming\SynthMaker
[2011/10/02 20:03:00 | 000,000,910 | ---- | M] () -- C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1635989667-4051049385-3299628342-1001Core.job
[2011/10/02 20:03:00 | 000,000,932 | ---- | M] () -- C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1635989667-4051049385-3299628342-1001UA.job
[2009/07/13 22:08:49 | 000,005,372 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >
  • 0

Advertisement


#2
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,171 posts
Hello Dragnsfire and welcome to G2G! :)

My nick is maliprog and I'll will be your technical support on this issue. Before we start please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean
  • Kindly follow my instructions in the order posted. Order is crucial in cleaning process.
  • Please DO NOT run any scans or fix on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed

Step 1

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.searchqu.com/406
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://search.condui...&ctid=CT2776682
    CHR - default_search_provider: search_url = http://www.searchqu....q={searchTerms}
    IE - HKCU\..\URLSearchHook: {90eee664-34b1-422a-a782-779af65cdf6d} - No CLSID value found
    O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
    O3:64bit: - HKLM\..\Toolbar: (no name) - !{51a86bb3-6602-4c85-92a5-130ee4864f13} - No CLSID value found.
    O3:64bit: - HKLM\..\Toolbar: (no name) - !{a6bf16ab-42a1-4bc5-965d-5e407e449aaa} - No CLSID value found.
    O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - !{51a86bb3-6602-4c85-92a5-130ee4864f13} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - !{a6bf16ab-42a1-4bc5-965d-5e407e449aaa} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
    O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {46897C77-E7A6-4C33-BFFB-E9C2E2718942} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {9565115D-C7D6-46D3-BD63-B67B481A4368} - No CLSID value found.

    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles

Step 2

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Step 3

Please don't forget to include these items in your reply:

  • OTL fix log
  • Malwarebytes log
It would be helpful if you could post each log in separate post
  • 0

#3
Dragnsfire

Dragnsfire

    Member

  • Member
  • PipPip
  • 35 posts
First log from OTL:


All processes killed
========== OTL ==========
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page Restore| /E : value set successfully!
Unable to fix default_search_provider items.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{90eee664-34b1-422a-a782-779af65cdf6d} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90eee664-34b1-422a-a782-779af65cdf6d}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99079a25-328f-4bd4-be04-00955acaa0a7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}\ deleted successfully.
File C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll not found.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\!{51a86bb3-6602-4c85-92a5-130ee4864f13} deleted successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\!{a6bf16ab-42a1-4bc5-965d-5e407e449aaa} deleted successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\10 deleted successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\!{51a86bb3-6602-4c85-92a5-130ee4864f13} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\!{a6bf16ab-42a1-4bc5-965d-5e407e449aaa} deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{99079a25-328f-4bd4-be04-00955acaa0a7} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}\ not found.
File C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\10 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46897C77-E7A6-4C33-BFFB-E9C2E2718942}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{9565115D-C7D6-46D3-BD63-B67B481A4368} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9565115D-C7D6-46D3-BD63-B67B481A4368}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Julian
->Temp folder emptied: 22135692 bytes
->Temporary Internet Files folder emptied: 135270289 bytes
->Google Chrome cache emptied: 354964035 bytes
->Flash cache emptied: 36110 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1216 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 2240782 bytes

Total Files Cleaned = 491.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Julian
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.29.1 log created on 10032011_135234

Files\Folders moved on Reboot...
C:\Users\Julian\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...
  • 0

#4
Dragnsfire

Dragnsfire

    Member

  • Member
  • PipPip
  • 35 posts
Second log from Malwarebytes:


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7859

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

10/3/2011 2:05:22 PM
mbam-log-2011-10-03 (14-05-22).txt

Scan type: Quick scan
Objects scanned: 174280
Time elapsed: 2 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#5
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,171 posts
Hi Dragnsfire,

Looking good. Let's continue:

Download Virus Removal Tool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named )

First we will run a virus scan

Click the cog in the upper right
Posted Image


Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan
Posted Image

Allow Virus Removal Tool to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threads report from the left and press Save button
Save it to your desktop and attach to your next post
  • 0

#6
Dragnsfire

Dragnsfire

    Member

  • Member
  • PipPip
  • 35 posts
I can't attach the file--says it's too big. Did I do something wrong?
  • 0

#7
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,171 posts
Make sure that you have Detected threads report. If you have this file you can ZIP it then attach it to me.
  • 0

#8
Dragnsfire

Dragnsfire

    Member

  • Member
  • PipPip
  • 35 posts
There is nothing in the Detected Threats report area.
  • 0

#9
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,171 posts
Hi Dragnsfire,

Nice! How is your system now? Any problems?
  • 0

#10
Dragnsfire

Dragnsfire

    Member

  • Member
  • PipPip
  • 35 posts
Yes, I still can't remove Yontoo Layers Runtime 1.10.01 from my programs. It comes up with a setup initialization error, but looks like it runs something.
  • 0
<

Advertisement


#11
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,171 posts
Let's try this:

  • Download Revo Uninstaller (free edition) from here
  • Save the file to your Desktop
  • Double click the file to open and install it
  • Find the programs you wish to remove and double click them to begin the removal process
  • Make sure you do the advanced uninstall as it removes the whole program
When you get the error relating to the .exe just ignore it and continue with the removal process as I think the installation maybe corrupted.
  • 0

#12
Dragnsfire

Dragnsfire

    Member

  • Member
  • PipPip
  • 35 posts
It gave me the same error and didn't uninstall, but shows all the registry entries that are leftover. What, out of all of these, should I be deleting? Everything?

Uninstall Registry.JPG
  • 0

#13
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,171 posts
Please select both instances of this key {889DF117-14D1-44EE-9F31-C5FB5D47F68B} and remove all entries under this two keys. Place check marks as I did in picture bellow.

That should do it.

Attached Thumbnails

  • Uninstall Registry.JPG

  • 0

#14
Dragnsfire

Dragnsfire

    Member

  • Member
  • PipPip
  • 35 posts
And, next screen... left over files and folders.

Leftovers.JPG
  • 0

#15
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,171 posts
Hi Dragnsfire,

You can select all and remove them. These are all files related to Yontoo Layers Runtime 1.10.01.
  • 0

Advertisement




Similar Topics: Spyware/Malware on Windows 7     x


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

featured