Google redirect, jemacpv redirect, random BSOD [Solved]


This topic is locked

#1 DoctorScience (Member, 43 posts)
Symptoms: Google always redirects in Chrome, sometimes in IE, occasionally in Firefox. In FF from time to time I'll be on a page and all of a sudden a link to delivery.jemacpv.* pops up and then opens a tab to a "news" site. I've blocked *.jemacpv.* with the BlockSite add-on and now I only get occasional dead tabs.

I've run the following without identifying anything:
  • Malwarebytes complete scan
  • AVG complete scan
  • TDSSkiller
  • GooredFix

Herewith my OTL log:

OTL logfile created on: 1/11/2012 10:41:51 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Public\Downloads
Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 1.46 Gb Available Physical Memory | 45.00% Memory free
6.73 Gb Paging File | 4.78 Gb Available in Paging File | 71.04% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 134.09 Gb Total Space | 52.91 Gb Free Space | 39.46% Space Free | Partition Type: NTFS
Drive D: | 88.68 Gb Total Space | 17.35 Gb Free Space | 19.56% Space Free | Partition Type: NTFS
Drive E: | 10.00 Gb Total Space | 6.75 Gb Free Space | 67.48% Space Free | Partition Type: NTFS

Computer Name: GALADRIEL | User Name: Mary Ellen | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/11 22:41:02 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Public\Downloads\OTL.exe
PRC - [2011/12/12 23:20:56 | 003,305,760 | ---- | M] (Akamai Technologies, Inc) -- C:\Users\Mary Ellen\AppData\Local\Akamai\netsession_win.exe
PRC - [2011/12/03 01:22:12 | 002,415,456 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
PRC - [2011/11/28 01:19:04 | 001,229,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgnsx.exe
PRC - [2011/11/20 23:04:51 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/10/12 05:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
PRC - [2011/09/08 19:53:26 | 000,743,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
PRC - [2011/08/30 11:18:30 | 002,358,656 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
PRC - [2011/08/15 05:21:40 | 000,337,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
PRC - [2011/08/02 05:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
PRC - [2011/05/25 15:07:14 | 024,176,560 | ---- | M] (Dropbox, Inc.) -- C:\Users\Mary Ellen\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2010/05/04 11:07:22 | 000,503,080 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Update\NASvc.exe
PRC - [2010/03/11 14:06:06 | 000,193,824 | ---- | M] (Protexis Inc.) -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
PRC - [2009/05/21 09:55:32 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2009/05/08 09:48:58 | 003,866,624 | ---- | M] () -- C:\Program Files\MONyog\bin\MONyog.exe
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/08/13 17:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/08/04 14:45:16 | 005,779,456 | ---- | M] () -- C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
PRC - [2008/01/19 02:33:37 | 000,397,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Mail\WinMail.exe
PRC - [2008/01/19 02:33:12 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\inetsrv\inetinfo.exe
PRC - [2007/07/23 01:27:00 | 004,452,352 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/05/25 12:38:46 | 000,112,176 | ---- | M] (SingleClick Systems) -- C:\Program Files\Dell Network Assistant\hnm_svc.exe
PRC - [2006/10/20 18:23:38 | 000,118,784 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2003/08/21 02:00:00 | 000,028,672 | ---- | M] (http://www.SteveMiller.net) -- C:\Program Files\My Programs\PureText.exe


========== Modules (No Company Name) ==========

MOD - [2012/01/05 04:48:44 | 000,411,120 | ---- | M] () -- C:\Users\Mary Ellen\AppData\Local\Google\Chrome\Application\16.0.912.75\ppgooglenaclpluginchrome.dll
MOD - [2012/01/05 04:48:43 | 003,767,792 | ---- | M] () -- C:\Users\Mary Ellen\AppData\Local\Google\Chrome\Application\16.0.912.75\pdf.dll
MOD - [2012/01/05 04:47:19 | 000,122,880 | ---- | M] () -- C:\Users\Mary Ellen\AppData\Local\Google\Chrome\Application\16.0.912.75\avutil-51.dll
MOD - [2012/01/05 04:47:18 | 000,222,208 | ---- | M] () -- C:\Users\Mary Ellen\AppData\Local\Google\Chrome\Application\16.0.912.75\avformat-53.dll
MOD - [2012/01/05 04:47:17 | 001,746,432 | ---- | M] () -- C:\Users\Mary Ellen\AppData\Local\Google\Chrome\Application\16.0.912.75\avcodec-53.dll
MOD - [2011/11/20 23:04:51 | 001,989,592 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/10/13 21:35:12 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\c1c06a392871267db27f7cbc40e1c4fb\System.Xml.ni.dll
MOD - [2011/10/13 21:33:56 | 007,950,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\f9c36ea806e77872dce891c77b68fac3\System.ni.dll
MOD - [2011/10/13 21:23:57 | 011,490,816 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\b6632a8b2f276a8e31f5b0f6b2006cd1\mscorlib.ni.dll
MOD - [2009/08/23 12:58:06 | 000,094,208 | ---- | M] () -- C:\Program Files\FileZilla FTP Client\fzshellext.dll
MOD - [2009/04/11 01:28:22 | 000,223,232 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2009/04/11 01:28:22 | 000,223,232 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll
MOD - [2007/09/20 18:34:58 | 000,129,024 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (stllssvr)
SRV - [2011/12/14 15:34:44 | 003,316,000 | ---- | M] () [Auto | Running] -- c:\program files\common files\akamai/netsession_win_b427739.dll -- (Akamai)
SRV - [2011/11/07 15:15:48 | 001,044,816 | ---- | M] (Flexera Software, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2011/10/12 05:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2011/08/30 11:18:30 | 002,358,656 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe -- (TeamViewer6)
SRV - [2011/08/02 05:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - [2010/05/04 11:07:22 | 000,503,080 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Nero\Update\NASvc.exe -- (NAUpdate)
SRV - [2010/04/21 13:15:51 | 000,374,272 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\inetsrv\iisw3adm.dll -- (WAS)
SRV - [2010/04/21 13:15:51 | 000,374,272 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2010/03/11 14:06:06 | 000,193,824 | ---- | M] (Protexis Inc.) [Auto | Running] -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2009/09/09 11:13:26 | 000,055,176 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe -- (MsDepSvc)
SRV - [2009/05/08 09:48:58 | 003,866,624 | ---- | M] () [Auto | Running] -- C:\Program Files\MONyog\bin\MONyog.exe -- (MONyog)
SRV - [2009/04/11 01:28:17 | 000,052,224 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\inetsrv\apphostsvc.dll -- (AppHostSvc)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Stopped] -- C:\Program Files\Spybot Search Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/08/13 17:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2008/08/04 14:45:16 | 005,779,456 | ---- | M] () [Auto | Running] -- C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe -- (MySQL)
SRV - [2008/01/19 02:33:12 | 000,013,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/05/25 12:38:46 | 000,112,176 | ---- | M] (SingleClick Systems) [Auto | Running] -- C:\Program Files\Dell Network Assistant\hnm_svc.exe -- (hnmsvc)
SRV - [2007/03/19 13:44:44 | 000,070,656 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)


========== Driver Services (SafeList) ==========

DRV - [2012/01/10 16:38:06 | 000,023,624 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\hitmanpro36.sys -- (hitmanpro35)
DRV - [2011/10/07 05:23:48 | 000,230,608 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2011/10/04 05:21:16 | 000,016,720 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2011/09/13 05:30:10 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/08/08 05:08:58 | 000,040,016 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/07/11 00:14:38 | 000,295,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/07/11 00:14:02 | 000,024,272 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2011/07/11 00:14:00 | 000,023,120 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2011/07/11 00:13:58 | 000,134,736 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2009/07/29 19:04:30 | 000,129,888 | ---- | M] (Paragon) [Kernel | System | Running] -- C:\Windows\System32\drivers\Uim_IM.sys -- (Uim_IM)
DRV - [2009/07/29 19:04:30 | 000,032,048 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | System | Running] -- C:\Windows\System32\drivers\UimBus.sys -- (UimBus)
DRV - [2009/04/11 00:06:26 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDScan.sys -- (WSDScan)
DRV - [2009/03/30 02:09:28 | 000,239,336 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\Windows\System32\drivers\RsFx0103.sys -- (RsFx0103)
DRV - [2009/03/24 17:43:26 | 000,040,560 | ---- | M] (Paragon Software Group) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\hotcore3.sys -- (hotcore3)
DRV - [2008/01/19 01:14:59 | 000,016,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV - [2007/06/21 01:09:08 | 000,228,224 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2007/05/31 05:14:40 | 007,478,976 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2007/02/25 13:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2006/12/18 20:01:20 | 000,012,672 | ---- | M] (SingleClick Systems) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\packet.sys -- (Packet)
DRV - [2006/11/02 02:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2006/10/05 18:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co...=us&ibd=0071113
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 2
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========



FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/wpi,version=1.4: C:\Program Files\Microsoft\Web Platform Installer\\npwpidetector.dll ()
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Mary Ellen\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Mary Ellen\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2011/12/23 10:00:06 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: D:\FireFox2\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: D:\FireFox2\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/30 11:04:01 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/11/30 11:04:00 | 000,000,000 | ---D | M]

[2008/06/23 10:15:52 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mary Ellen\AppData\Roaming\Mozilla\Extensions
[2012/01/08 22:29:56 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mary Ellen\AppData\Roaming\Mozilla\Firefox\Profiles\8caseicc.default\extensions
[2011/07/13 09:49:54 | 000,000,000 | ---D | M] (Delicious Bookmarks) -- C:\Users\Mary Ellen\AppData\Roaming\Mozilla\Firefox\Profiles\8caseicc.default\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}
[2008/06/25 20:32:25 | 000,000,000 | ---D | M] (del.icio.us) -- C:\Users\Mary Ellen\AppData\Roaming\Mozilla\Firefox\Profiles\8caseicc.default\extensions\{5a2b4e34-ce62-42e9-a658-06ba4490adf8}
[2011/05/19 12:48:19 | 000,000,000 | ---D | M] (Live HTTP Headers) -- C:\Users\Mary Ellen\AppData\Roaming\Mozilla\Firefox\Profiles\8caseicc.default\extensions\{8f8fe09b-0bd3-4470-bc1b-8cad42b8203a}
[2011/10/06 11:27:40 | 000,000,000 | ---D | M] (CopyAllUrls) -- C:\Users\Mary Ellen\AppData\Roaming\Mozilla\Firefox\Profiles\8caseicc.default\extensions\{960BE052-4847-422b-9AD6-8631D3D0A607}
[2011/12/23 18:00:25 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Mary Ellen\AppData\Roaming\Mozilla\Firefox\Profiles\8caseicc.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/09/25 09:03:33 | 000,000,000 | ---D | M] (BlockSite) -- C:\Users\Mary Ellen\AppData\Roaming\Mozilla\Firefox\Profiles\8caseicc.default\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
[2011/11/12 09:46:08 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\Mary Ellen\AppData\Roaming\Mozilla\Firefox\Profiles\8caseicc.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2007/11/18 15:11:12 | 000,000,000 | ---D | M] ("Header Monitor") -- C:\Users\Mary Ellen\AppData\Roaming\Mozilla\Firefox\Profiles\8caseicc.default\extensions\{ed04d48b-30e0-46ce-9f8e-f2fab9947648}
[2011/06/09 19:47:17 | 000,000,000 | ---D | M] (JavaScript Debugger) -- C:\Users\Mary Ellen\AppData\Roaming\Mozilla\Firefox\Profiles\8caseicc.default\extensions\{f13b157f-b174-47e7-a34d-4815ddfdfeb8}
[2011/01/26 13:17:26 | 000,000,000 | ---D | M] (AFOM Addon) -- C:\Users\Mary Ellen\AppData\Roaming\Mozilla\Firefox\Profiles\8caseicc.default\extensions\[email protected]
[2010/03/02 21:12:01 | 000,000,000 | ---D | M] ("DapperFox") -- C:\Users\Mary Ellen\AppData\Roaming\Mozilla\Firefox\Profiles\8caseicc.default\extensions\[email protected]
[2011/09/28 23:35:45 | 000,000,000 | ---D | M] (Disconnect) -- C:\Users\Mary Ellen\AppData\Roaming\Mozilla\Firefox\Profiles\8caseicc.default\extensions\[email protected]
[2011/11/12 09:46:02 | 000,000,000 | ---D | M] (Ghostery) -- C:\Users\Mary Ellen\AppData\Roaming\Mozilla\Firefox\Profiles\8caseicc.default\extensions\[email protected]
[2011/12/16 17:58:59 | 000,000,000 | ---D | M] (TACO with Abine) -- C:\Users\Mary Ellen\AppData\Roaming\Mozilla\Firefox\Profiles\8caseicc.default\extensions\[email protected]
[2011/06/03 18:40:16 | 000,001,820 | ---- | M] () -- C:\Users\Mary Ellen\AppData\Roaming\Mozilla\Firefox\Profiles\8caseicc.default\searchplugins\bing.xml
[2010/01/29 22:59:04 | 000,004,898 | ---- | M] () -- C:\Users\Mary Ellen\AppData\Roaming\Mozilla\Firefox\Profiles\8caseicc.default\searchplugins\google-images.xml
[2006/11/20 22:03:04 | 000,001,679 | ---- | M] () -- C:\Users\Mary Ellen\AppData\Roaming\Mozilla\Firefox\Profiles\8caseicc.default\searchplugins\IMDB-1.xml
[2006/10/26 22:22:18 | 000,001,679 | ---- | M] () -- C:\Users\Mary Ellen\AppData\Roaming\Mozilla\Firefox\Profiles\8caseicc.default\searchplugins\imdb.xml
[2008/08/18 01:18:24 | 000,002,109 | ---- | M] () -- C:\Users\Mary Ellen\AppData\Roaming\Mozilla\Firefox\Profiles\8caseicc.default\searchplugins\youtube-video-search.xml
[2011/11/30 11:04:01 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/25 11:28:36 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2011/12/23 10:00:06 | 000,000,000 | ---D | M] (AVG Safe Search) -- C:\PROGRAM FILES\AVG\AVG2012\FIREFOX4
() (No name found) -- C:\USERS\MARY ELLEN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8CASEICC.DEFAULT\EXTENSIONS\{4CC4A13B-94A6-7568-370D-5F9DE54A9C7F}.XPI
() (No name found) -- C:\USERS\MARY ELLEN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8CASEICC.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
() (No name found) -- C:\USERS\MARY ELLEN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8CASEICC.DEFAULT\EXTENSIONS\[email protected]
() (No name found) -- C:\USERS\MARY ELLEN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8CASEICC.DEFAULT\EXTENSIONS\[email protected]
() (No name found) -- C:\USERS\MARY ELLEN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\8CASEICC.DEFAULT\EXTENSIONS\[email protected]
[2011/11/20 23:04:51 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/04/14 04:08:00 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/11/20 20:04:05 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/20 20:04:05 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Mary Ellen\AppData\Local\Google\Chrome\Application\16.0.912.75\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: QuickTime Plug-in 7.5.5 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.5.5 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.5.5 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.5.5 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.5.5 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.5.5 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.5.5 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Java Deployment Toolkit 6.0.250.6 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U25 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
CHR - plugin: DivX Web Player (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll
CHR - plugin: Microsoft\u00AE Windows Media Player Firefox Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Mary Ellen\AppData\Local\Google\Chrome\Application\16.0.912.75\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Mary Ellen\AppData\Local\Google\Chrome\Application\16.0.912.75\pdf.dll
CHR - plugin: AVG Internet Security (Enabled) = C:\Users\Mary Ellen\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\10.0.0.1409_0\plugins/avgnpss.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll
CHR - plugin: DivX Player Netscape Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
CHR - plugin: Windows Genuine Advantage (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
CHR - plugin: AOL Media Playback Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Updater (Enabled) = C:\Program Files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll
CHR - plugin: WPI Detector 1.4 (Enabled) = C:\Program Files\Microsoft\Web Platform Installer\\npwpidetector.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Users\Mary Ellen\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.3_0\
CHR - Extension: Google Search = C:\Users\Mary Ellen\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.16_0\
CHR - Extension: AdBlock = C:\Users\Mary Ellen\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.5.9_0\
CHR - Extension: AVG Safe Search = C:\Users\Mary Ellen\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1901_0\
CHR - Extension: Gmail = C:\Users\Mary Ellen\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

Hosts file not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (IE Developer Toolbar BHO) - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin File not found
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKCU..\Run: [AdobeBridge] File not found
O4 - HKCU..\Run: [Akamai NetSession Interface] C:\Users\Mary Ellen\AppData\Local\Akamai\netsession_win.exe (Akamai Technologies, Inc)
O4 - HKCU..\Run: [Corel Photo Downloader] "c:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup File not found
O4 - HKCU..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKCU..\Run: [EPSON18F106 (Epson Stylus NX420)] C:\Windows\System32\spool\DRIVERS\W32X86\3\E_FATIGCA.EXE (SEIKO EPSON CORPORATION)
O4 - HKCU..\Run: [PureText] C:\Program Files\My Programs\PureText.exe (http://www.SteveMiller.net)
O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Users\Mary Ellen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Mary Ellen\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Users\Mary Ellen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PureText.exe - Shortcut.lnk = C:\Program Files\My Programs\PureText.exe (http://www.SteveMiller.net)
O9 - Extra Button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - %SystemRoot%\System32\winrnr.dll File not found
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKCU\..Trusted Domains: ed.gov ([fafsa] https in Trusted sites)
O15 - HKCU\..Trusted Domains: iis.net ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([office] http in Trusted sites)
O15 - HKCU\..Trusted Domains: microsoft.com ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: thawte.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: verisign.com ([digitalid] https in Trusted sites)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...n/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 71.250.0.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D85E079C-05D8-4ABD-8C1B-B34DEE204AA3}: DhcpNameServer = 192.168.1.1 71.250.0.12
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: D:\ME Pictures\SGA\stargate_springtime_by_mercscilla-d3fvfff.jpg
O24 - Desktop BackupWallPaper: D:\ME Pictures\SGA\stargate_springtime_by_mercscilla-d3fvfff.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{fbfeb11e-c809-11e0-853e-001aa09a7baa}\Shell - "" = AutoRun
O33 - MountPoints2\{fbfeb11e-c809-11e0-853e-001aa09a7baa}\Shell\AutoRun\command - "" = H:\TLBootstrap_WPP.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/11 19:26:13 | 000,000,000 | ---D | C] -- C:\Users\Mary Ellen\Desktop\GooredFix Backups
[2012/01/11 19:08:17 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/01/11 19:07:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2012/01/11 19:07:47 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2012/01/11 15:46:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2012/01/11 15:46:32 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot Search Destroy
[2012/01/11 15:46:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2012/01/10 21:37:09 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2012/01/10 21:37:09 | 000,000,000 | ---D | C] -- C:\Users\Mary Ellen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2012/01/10 16:19:56 | 000,000,000 | ---D | C] -- C:\Program Files\HitmanPro
[2012/01/10 15:29:24 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
[2012/01/09 23:13:06 | 001,578,288 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Public\Documents\tdsskiller.exe
[2012/01/09 14:04:13 | 000,000,000 | ---D | C] -- C:\symbols
[2012/01/09 13:51:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Debugging Tools for Windows (x86)
[2012/01/09 13:51:03 | 000,000,000 | ---D | C] -- C:\Program Files\Debugging Tools for Windows (x86)
[2012/01/09 13:49:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Windows SDK v7.1
[2010/04/13 15:25:10 | 000,047,360 | ---- | C] (VSO Software) -- C:\Users\Mary Ellen\AppData\Roaming\pcouffin.sys
[8 C:\Users\Mary Ellen\Documents\*.tmp files -> C:\Users\Mary Ellen\Documents\*.tmp -> ]
[1 C:\Users\Public\Documents\*.tmp files -> C:\Users\Public\Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/11 22:43:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/01/11 22:31:05 | 000,002,401 | ---- | M] () -- C:\Users\Mary Ellen\Application Data\Microsoft\Internet Explorer\Quick Launch\Skype.lnk
[2012/01/11 22:24:33 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/01/11 22:09:59 | 000,000,928 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2498126754-284654439-1429999899-1000UA.job
[2012/01/11 21:47:24 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/01/11 21:47:24 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/01/11 21:47:18 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/01/11 21:47:12 | 3487,748,096 | -HS- | M] () -- C:\hiberfil.sys
[2012/01/11 21:47:10 | 257,612,363 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/01/11 19:07:50 | 000,000,735 | ---- | M] () -- C:\Users\Mary Ellen\Desktop\NTREGOPT.lnk
[2012/01/11 19:07:50 | 000,000,716 | ---- | M] () -- C:\Users\Mary Ellen\Desktop\ERUNT.lnk
[2012/01/11 18:21:21 | 086,549,387 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2012/01/11 16:07:49 | 000,023,537 | ---- | M] () -- C:\Users\Mary Ellen\Documents\Spybot - Search & Destroy scan report.pdf
[2012/01/11 15:46:38 | 000,001,029 | ---- | M] () -- C:\Users\Mary Ellen\Desktop\Spybot - Search & Destroy.lnk
[2012/01/11 15:10:00 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2498126754-284654439-1429999899-1000Core.job
[2012/01/11 01:41:01 | 009,051,028 | ---- | M] () -- C:\Users\Mary Ellen\Documents\RedOwl.zip
[2012/01/11 00:26:58 | 000,005,074 | ---- | M] () -- C:\Users\Mary Ellen\Desktop\Attach.zip
[2012/01/11 00:15:01 | 000,000,000 | ---- | M] () -- C:\Users\Mary Ellen\defogger_reenable
[2012/01/10 21:37:09 | 000,001,958 | ---- | M] () -- C:\Users\Mary Ellen\Desktop\HiJackThis.lnk
[2012/01/10 18:53:25 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2498126754-284654439-1429999899-1000.job
[2012/01/10 18:16:41 | 000,471,704 | ---- | M] () -- C:\Windows\System32\drivers\AVG\iavichjg.avm
[2012/01/10 16:38:06 | 000,023,624 | ---- | M] () -- C:\Windows\System32\drivers\hitmanpro36.sys
[2012/01/10 12:44:36 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2012/01/09 22:22:12 | 001,578,288 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Public\Documents\tdsskiller.exe
[2012/01/08 08:15:28 | 000,000,000 | ---- | M] () -- C:\Windows\System32\null
[2012/01/08 02:07:22 | 000,128,512 | ---- | M] () -- C:\Users\Mary Ellen\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/01/07 01:12:02 | 000,002,110 | ---- | M] () -- C:\Users\Mary Ellen\Desktop\Google Chrome.lnk
[2012/01/07 01:12:02 | 000,002,072 | ---- | M] () -- C:\Users\Mary Ellen\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/01/03 08:43:13 | 000,853,134 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/01/03 08:43:13 | 000,184,110 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/12/27 15:29:11 | 000,048,075 | ---- | M] () -- C:\Users\Public\Documents\Vermskog.gif
[2011/12/23 12:27:04 | 002,276,840 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/12/23 10:00:14 | 000,000,844 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2012.lnk
[2011/12/18 20:54:43 | 000,417,020 | ---- | M] () -- C:\Users\Public\Documents\Tractatus_de_butyro46-55.pdf
[2011/12/16 13:11:49 | 000,236,529 | ---- | M] () -- C:\Users\Mary Ellen\Documents\200+ useful Keyboard Shortcuts for Word 2010.pdf
[8 C:\Users\Mary Ellen\Documents\*.tmp files -> C:\Users\Mary Ellen\Documents\*.tmp -> ]
[1 C:\Users\Public\Documents\*.tmp files -> C:\Users\Public\Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\ProgramData\pevadudu
[2012/01/11 19:07:50 | 000,000,735 | ---- | C] () -- C:\Users\Mary Ellen\Desktop\NTREGOPT.lnk
[2012/01/11 19:07:50 | 000,000,716 | ---- | C] () -- C:\Users\Mary Ellen\Desktop\ERUNT.lnk
[2012/01/11 16:07:47 | 000,023,537 | ---- | C] () -- C:\Users\Mary Ellen\Documents\Spybot - Search & Destroy scan report.pdf
[2012/01/11 15:46:38 | 000,001,029 | ---- | C] () -- C:\Users\Mary Ellen\Desktop\Spybot - Search & Destroy.lnk
[2012/01/11 13:21:46 | 3487,748,096 | -HS- | C] () -- C:\hiberfil.sys
[2012/01/11 01:40:53 | 009,051,028 | ---- | C] () -- C:\Users\Mary Ellen\Documents\RedOwl.zip
[2012/01/11 00:26:58 | 000,005,074 | ---- | C] () -- C:\Users\Mary Ellen\Desktop\Attach.zip
[2012/01/11 00:15:01 | 000,000,000 | ---- | C] () -- C:\Users\Mary Ellen\defogger_reenable
[2012/01/10 21:37:09 | 000,001,958 | ---- | C] () -- C:\Users\Mary Ellen\Desktop\HiJackThis.lnk
[2012/01/10 15:30:30 | 000,023,624 | ---- | C] () -- C:\Windows\System32\drivers\hitmanpro36.sys
[2011/12/27 15:32:49 | 000,048,075 | ---- | C] () -- C:\Users\Public\Documents\Vermskog.gif
[2011/12/18 20:56:38 | 000,417,020 | ---- | C] () -- C:\Users\Public\Documents\Tractatus_de_butyro46-55.pdf
[2011/12/16 13:11:44 | 000,236,529 | ---- | C] () -- C:\Users\Mary Ellen\Documents\200+ useful Keyboard Shortcuts for Word 2010.pdf
[2011/02/01 17:15:43 | 000,000,088 | RHS- | C] () -- C:\ProgramData\A790E581A6.sys
[2011/02/01 17:15:42 | 000,002,516 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
[2010/04/26 13:38:08 | 000,001,322 | ---- | C] () -- C:\Windows\ntbackup.ini
[2010/04/13 15:27:30 | 000,001,057 | ---- | C] () -- C:\Users\Mary Ellen\AppData\Roaming\vso_ts_preview.xml
[2010/04/13 15:25:10 | 000,087,608 | ---- | C] () -- C:\Users\Mary Ellen\AppData\Roaming\inst.exe
[2010/04/13 15:25:10 | 000,007,887 | ---- | C] () -- C:\Users\Mary Ellen\AppData\Roaming\pcouffin.cat
[2010/04/13 15:25:10 | 000,001,144 | ---- | C] () -- C:\Users\Mary Ellen\AppData\Roaming\pcouffin.inf
[2010/01/11 20:54:00 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009/11/11 10:41:44 | 000,000,000 | ---- | C] () -- C:\Users\Mary Ellen\AppData\Local\prvlcl.dat
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 14:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/07/10 18:49:10 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/07/10 18:49:10 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/07/10 18:48:25 | 000,062,976 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2009/07/07 06:03:48 | 000,000,190 | ---- | C] () -- C:\Windows\ODBCINST.INI
[2008/12/24 03:02:43 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/12/10 17:31:24 | 000,000,002 | ---- | C] () -- C:\Windows\msoffice.ini
[2008/11/20 22:17:12 | 000,118,784 | ---- | C] () -- C:\Windows\System32\myodbc3i.exe
[2008/11/20 22:17:12 | 000,106,496 | ---- | C] () -- C:\Windows\System32\myodbc3m.exe
[2008/09/01 07:51:08 | 000,000,028 | ---- | C] () -- C:\Windows\pdf995.ini
[2008/08/27 14:00:42 | 000,166,912 | ---- | C] () -- C:\Windows\System32\libmcrypt.dll
[2008/08/23 16:48:52 | 000,000,418 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2008/08/15 01:10:29 | 000,050,075 | ---- | C] () -- C:\Windows\php.ini
[2008/05/26 10:07:57 | 000,131,072 | ---- | C] () -- C:\Windows\gswin32c.exe
[2008/01/12 17:47:37 | 000,007,592 | ---- | C] () -- C:\Users\Mary Ellen\AppData\Local\d3d9caps.dat
[2007/12/17 20:53:41 | 002,035,712 | ---- | C] () -- C:\Windows\System32\libmySQL.dll
[2007/12/17 16:01:11 | 000,048,899 | ---- | C] () -- C:\Windows\firstphp.ini
[2007/11/19 21:56:06 | 000,051,716 | ---- | C] () -- C:\Windows\System32\pdf995mon.dll
[2007/11/19 21:56:06 | 000,000,084 | ---- | C] () -- C:\Windows\wpd99.drv
[2007/11/18 14:41:26 | 000,000,335 | ---- | C] () -- C:\Windows\nsreg.dat
[2007/11/18 14:13:58 | 000,000,472 | ---- | C] () -- C:\Windows\ODBC.INI
[2007/11/18 13:45:17 | 000,128,512 | ---- | C] () -- C:\Users\Mary Ellen\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/11/13 10:47:55 | 000,000,859 | ---- | C] () -- C:\Windows\{0240BDFB-2995-4A3F-8C96-18D41282B716}_WiseFW.ini
[2006/11/09 23:45:20 | 000,000,000 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2006/11/02 07:56:48 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:47:43 | 002,276,840 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 05:33:01 | 000,853,134 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,184,110 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

========== LOP Check ==========

[2011/09/28 23:33:21 | 000,000,000 | ---D | M] -- C:\Users\Mary Ellen\AppData\Roaming\Abine
[2009/07/16 16:41:13 | 000,000,000 | ---D | M] -- C:\Users\Mary Ellen\AppData\Roaming\acccore
[2007/11/18 15:33:56 | 000,000,000 | ---D | M] -- C:\Users\Mary Ellen\AppData\Roaming\aignes
[2010/10/28 18:47:39 | 000,000,000 | ---D | M] -- C:\Users\Mary Ellen\AppData\Roaming\Amazon
[2011/09/23 07:49:03 | 000,000,000 | ---D | M] -- C:\Users\Mary Ellen\AppData\Roaming\AVG2012
[2011/03/29 19:08:23 | 000,000,000 | ---D | M] -- C:\Users\Mary Ellen\AppData\Roaming\calibre
[2011/06/09 13:48:53 | 000,000,000 | ---D | M] -- C:\Users\Mary Ellen\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2012/01/11 22:25:31 | 000,000,000 | ---D | M] -- C:\Users\Mary Ellen\AppData\Roaming\Dropbox
[2012/01/10 16:03:10 | 000,000,000 | ---D | M] -- C:\Users\Mary Ellen\AppData\Roaming\FileZilla
[2011/06/24 19:07:12 | 000,000,000 | ---D | M] -- C:\Users\Mary Ellen\AppData\Roaming\GSplit
[2008/12/10 14:54:44 | 000,000,000 | ---D | M] -- C:\Users\Mary Ellen\AppData\Roaming\gtk-2.0
[2008/11/17 15:59:08 | 000,000,000 | ---D | M] -- C:\Users\Mary Ellen\AppData\Roaming\IsolatedStorage
[2011/02/01 18:34:27 | 000,000,000 | ---D | M] -- C:\Users\Mary Ellen\AppData\Roaming\Jasc
[2011/06/17 15:36:49 | 000,000,000 | ---D | M] -- C:\Users\Mary Ellen\AppData\Roaming\MySQL
[2009/06/22 14:25:32 | 000,000,000 | ---D | M] -- C:\Users\Mary Ellen\AppData\Roaming\NCH Swift Sound
[2011/03/23 20:59:22 | 000,000,000 | ---D | M] -- C:\Users\Mary Ellen\AppData\Roaming\NexusFont
[2007/11/27 13:22:14 | 000,000,000 | ---D | M] -- C:\Users\Mary Ellen\AppData\Roaming\pdf995
[2010/05/30 21:21:02 | 000,000,000 | ---D | M] -- C:\Users\Mary Ellen\AppData\Roaming\SmartDraw
[2011/04/17 14:48:08 | 000,000,000 | ---D | M] -- C:\Users\Mary Ellen\AppData\Roaming\Spesoft Free CD Ripper
[2011/10/22 13:24:05 | 000,000,000 | ---D | M] -- C:\Users\Mary Ellen\AppData\Roaming\TeamViewer
[2010/05/14 10:37:41 | 000,000,000 | ---D | M] -- C:\Users\Mary Ellen\AppData\Roaming\Vso
[2010/07/19 13:19:58 | 000,000,686 | ---- | M] () -- C:\Windows\Tasks\Backup All.job
[2009/08/03 14:41:48 | 000,000,704 | ---- | M] () -- C:\Windows\Tasks\Daily Backkup.job
[2012/01/11 19:17:05 | 000,032,628 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/01/27 07:02:17 | 000,000,302 | ---- | M] () -- C:\Windows\Tasks\vrydoidt.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Users\Public\Documents\Billable Time.jpg:Roxio EMC Stream
@Alternate Data Stream - 113 bytes -> C:\ProgramData\TEMP:62E2D794
@Alternate Data Stream - 1033 bytes -> C:\Users\Public\Documents\IDOC Notification - Your Next Step for Financial Aid.eml:OECustomProperty
@Alternate Data Stream - 1009 bytes -> C:\Users\Public\Documents\IDOC Reminder - Your Next Step for Financial Aid.eml:OECustomProperty

< End of report >

HALP.
#2 Essexboy (GeekU Moderator, Retired Staff)
Hi there, I believe I know what the infection is, but I would like to confirm it first.

Download aswMBR.exe (1.8mb) to your desktop.
Double click the aswMBR.exe to run it. Click the "Scan" button to start the scan.

On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

#3 DoctorScience (Topic Starter)
Thanks enormously for getting back to me so quickly!

I'm about to start that, but it says "this application can use the Avast! Free Antivirus for scanning. It is recommended to download it for better detection results. Would you like to download the latest Avast! virus definitions?"

And there is nothing showing on my black screen after "Initialize success", where yours shows "AVAST engine defs".

Should I DL the Avast definitions, or not?

#4 Essexboy (GeekU Moderator)
It is recommended that you download the definitions as it will then run a quick 20 minute scan of your system for all malware

#5 DoctorScience (Topic Starter)
Here is the log:
----------------
aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-12 17:52:15
-----------------------------
17:52:15.061 OS Version: Windows 6.0.6002 Service Pack 2
17:52:15.061 Number of processors: 2 586 0xF0B
17:52:15.061 ComputerName: GALADRIEL UserName:
17:52:16.823 Initialize success
17:52:52.802 AVAST engine defs: 12011201
17:53:30.762 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
17:53:30.778 Disk 0 Vendor: ST3250820AS 3.ADG Size: 238418MB BusType: 3
17:53:30.794 Disk 0 MBR read successfully
17:53:30.794 Disk 0 MBR scan
17:53:30.809 Disk 0 Windows VISTA default MBR code
17:53:30.809 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 54 MB offset 63
17:53:30.840 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 112640
17:53:30.856 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 137310 MB offset 21084160
17:53:30.872 Disk 0 Partition - 00 0F Extended LBA 90811 MB offset 302295105
17:53:30.887 Disk 0 Partition - 00 05 Extended 90811 MB offset 302295167
17:53:30.934 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 90811 MB offset 302295168
17:53:30.950 Disk 0 scanning sectors +488278016
17:53:31.074 Disk 0 scanning C:\Windows\system32\drivers
17:53:33.040 File: C:\Windows\system32\drivers\avgldx86.sys **INFECTED** Win32:Aluroot-B [Rtk]
17:53:41.979 Disk 0 trace - called modules:
17:53:41.994 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8681cff0]<<
17:53:42.010 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x852e3ac8]
17:53:42.010 3 CLASSPNP.SYS[8aba98b3] -> nt!IofCallDriver -> [0x867e72d8]
17:53:42.010 \Driver\00001135[0x8679f978] -> IRP_MJ_CREATE -> 0x8681cff0
17:53:44.308 AVAST engine scan C:\Windows
17:53:47.444 AVAST engine scan C:\Windows\system32
17:56:28.001 AVAST engine scan C:\Windows\system32\drivers
17:56:29.093 File: C:\Windows\system32\drivers\avgldx86.sys **INFECTED** Win32:Aluroot-B [Rtk]
17:56:39.608 AVAST engine scan C:\Users\Mary Ellen
18:49:52.085 AVAST engine scan C:\ProgramData
19:05:48.053 Scan finished successfully
19:06:46.460 Disk 0 MBR has been saved successfully to "C:\Users\Mary Ellen\Desktop\MBR.dat"
19:06:46.491 The log file has been saved successfully to "C:\Users\Mary Ellen\Desktop\aswMBR.txt"

----------------------

As the scan was finishing up, I got 3 alerts from AVG in quick succession, saying it had blocked a threat from "tubeni.com/enterpoint.php?use_sh=3".
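The two logs in this thread (the OTL report in post #1 and the aswMBR report above) each contain one line a responder must not miss, buried among hundreds that are noise. The script below is an added example, not part of the original post and not part of OTL or aswMBR: it parses the plain text of both logs and ranks what it finds. From aswMBR it pulls the `**INFECTED**` hit on avgldx86.sys and, separately, reads the disk-stack trace: `>>UNKNOWN [0x8681cff0]<<` means a routine in the call chain lives outside every loaded module, and the following `\Driver\00001135[...] -> IRP_MJ_CREATE -> 0x8681cff0` line names the driver object whose dispatch entry points there, which is how a kernel-mode rootkit hooks disk access. From OTL it pulls the O33 MountPoints2 AutoRun command (code launched from a removable volume) and counts the O10 Winsock catalog entries whose provider DLL OTL could not find; the latter are ranked "info" because an unresolved provider DLL is worth checking but is not by itself evidence of infection. The embedded sample logs are excerpts copied from the thread; the severities and the `Finding` type are this example's own.

```python
"""Rank the findings in the OTL and aswMBR logs above (added example; not
part of the original post nor of OTL or aswMBR).

  high   - aswMBR **INFECTED** hits, and any driver whose IRP dispatch entry
           points at the address aswMBR marked >>UNKNOWN<< (dispatch code
           outside every loaded module is how a kernel rootkit hooks the disk stack)
  medium - OTL O33 MountPoints2 AutoRun commands (code run from a removable volume)
  info   - OTL O10 Winsock catalog entries whose provider DLL is missing
           (worth checking, not by itself evidence of infection)
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info" (this example's own scale)
    source: str    # "aswMBR" or "OTL"
    detail: str


SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}

# aswMBR lines carry a leading timestamp, so these are applied with search().
RE_INFECTED = re.compile(r"File: (?P<path>\S+) \*\*INFECTED\*\* (?P<name>.+)$")
RE_UNKNOWN = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<")
RE_DISPATCH = re.compile(
    r"(?P<drv>\\Driver\\[^\[\s]+)\[0x[0-9A-Fa-f]+\] -> (?P<irp>IRP_MJ_\w+) -> (?P<target>0x[0-9A-Fa-f]+)"
)
# OTL lines start with the section code, so these are applied with match().
RE_O33_CMD = re.compile(
    r'O33 - MountPoints2\\(?P<guid>\{[^}]+\})\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$'
)
RE_O10_MISSING = re.compile(r"O10 - .* - (?P<dll>\S+) File not found$")


def triage_aswmbr(text: str) -> list[Finding]:
    """Infected files, plus dispatch entries that land on an UNKNOWN address."""
    findings: list[Finding] = []
    unknown_addrs: set[str] = set()
    dispatch_entries = []
    for line in text.splitlines():
        if m := RE_INFECTED.search(line):
            findings.append(Finding("high", "aswMBR", f"{m['path']} flagged as {m['name'].strip()}"))
        elif m := RE_UNKNOWN.search(line):
            unknown_addrs.add(m["addr"].lower())
        elif m := RE_DISPATCH.search(line):
            dispatch_entries.append(m)
    # Correlate: which driver object's dispatch routine is the unknown code?
    for m in dispatch_entries:
        if m["target"].lower() in unknown_addrs:
            findings.append(Finding("high", "aswMBR", f"{m['drv']} {m['irp']} dispatch -> {m['target']} "
                                    "is outside every loaded module (hooked disk stack)"))
    return findings


def triage_otl(text: str) -> list[Finding]:
    """AutoRun commands and Winsock providers whose DLL OTL could not find."""
    findings: list[Finding] = []
    missing: dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_O33_CMD.match(line):
            findings.append(Finding("medium", "OTL", f"AutoRun command for volume {m['guid']}: {m['cmd']}"))
        elif m := RE_O10_MISSING.match(line):
            missing[m["dll"]] = missing.get(m["dll"], 0) + 1
    for dll, count in missing.items():
        findings.append(Finding("info", "OTL", f"{count} Winsock catalog entries reference missing {dll}"))
    return findings


def triage(otl_text: str, aswmbr_text: str) -> list[Finding]:
    """Merge both logs, drop duplicates (aswMBR reports avgldx86.sys twice) and rank."""
    merged = dict.fromkeys(triage_otl(otl_text) + triage_aswmbr(aswmbr_text))
    return sorted(merged, key=lambda f: SEVERITY_RANK[f.severity])


# Excerpts copied from the two logs posted in this thread.
OTL_SAMPLE = r"""
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll File not found
O33 - MountPoints2\{fbfeb11e-c809-11e0-853e-001aa09a7baa}\Shell - "" = AutoRun
O33 - MountPoints2\{fbfeb11e-c809-11e0-853e-001aa09a7baa}\Shell\AutoRun\command - "" = H:\TLBootstrap_WPP.exe
"""
ASWMBR_SAMPLE = r"""
17:53:31.074 Disk 0 scanning C:\Windows\system32\drivers
17:53:33.040 File: C:\Windows\system32\drivers\avgldx86.sys **INFECTED** Win32:Aluroot-B [Rtk]
17:53:41.979 Disk 0 trace - called modules:
17:53:41.994 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8681cff0]<<
17:53:42.010 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x852e3ac8]
17:53:42.010 3 CLASSPNP.SYS[8aba98b3] -> nt!IofCallDriver -> [0x867e72d8]
17:53:42.010 \Driver\00001135[0x8679f978] -> IRP_MJ_CREATE -> 0x8681cff0
17:56:29.093 File: C:\Windows\system32\drivers\avgldx86.sys **INFECTED** Win32:Aluroot-B [Rtk]
"""

if __name__ == "__main__":
    for f in triage(OTL_SAMPLE, ASWMBR_SAMPLE):
        print(f"[{f.severity:<6}] {f.source}: {f.detail}")
```

Run as a script it prints the four ranked findings for the excerpts; to use it on a full log, read the saved OTL.txt and aswMBR.txt files and pass their contents to `triage()`. The dedupe step matters because aswMBR lists the same infected driver once in its raw disk scan and again in the AVAST engine pass, and ranking the hooked dispatch entry as high keeps the rootkit indicator visible even when no file-level hit accompanies it.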

#6 Essexboy (GeekU Moderator)
AVG is infected, so we will try to disinfect it... As a prelude to that could you download a fresh copy of AVG to your desktop.. Do not install it yet

Then download the AVG removal tool to your desktop

Download Combofix to your desktop
Download ComboFix from one of the following locations:
Link 1
Link 2

Disconnect from the internet and uninstall AVG via programmes and features
Reboot
Then run the AVG removal tool
Reboot
Remain disconnected from the net

Install Combofix

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.



Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now

Then re-install AVG prior to connecting to the net

#7 DoctorScience (Topic Starter)
ComboFix's "searching for infected files, this should only take 10 minutes or maybe 20" window has been up for over 2 hours. Should I worry?

#8 Essexboy (GeekU Moderator)
OK, stop ComboFix please, we will go a different route

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

#9 DoctorScience (Topic Starter)
I ran TDSSKiller already, and it claimed to find nothing. Should I run it again anyway?

#10 Essexboy (GeekU Moderator)
Oops, didn't see that, then no

Could you delete the current copy of combofix from your desktop and download then run a fresh copy

If it still hangs then go to the next step

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan

Click the cog in the upper right
Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan
Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post


Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information

On completion click the link to locate the zip file to upload and attach to your next post

Megaupload
#11 DoctorScience (Topic Starter)
When I deleted the old copy of ComboFix, it said my Recycle Bin is corrupt.

I DLed a new copy of CF and am trying to run it. It says it detects active AVG running. AFAIK AVG has been deleted. Last time I said "OK, run it anyway", but now I wonder. What should I do?

#12 Essexboy (GeekU Moderator)
That is probably the malware/infected bit of AVG

Although not the ideal situation, could you run ComboFix from safe mode?

#13 DoctorScience (Topic Starter)
I'm in safe mode and I'm still getting the "CF has detected active AVG" message. Should I run it anyway?

#14 Essexboy (GeekU Moderator)
Yes, try it one more time. If it stalls then go direct to AVPTool; the main part I will be interested in is the analysis section.

#15 DoctorScience (Topic Starter)
it says "Access denied, admin privileges needed. Use an Admin command prompt to run those commands." Doesn't say which commands. I'm running CF as an Admin already.

Now we're at the scanning for infected files stage. How much later are you going to be on? I know it's getting late over there ...