
Stuck with FINDGALA: nothing sees or deletes it [Solved]


  • This topic is locked This topic is locked

#1 Garysam43 (Member, 37 posts)
Hello, I'm on WIN 7 Home Premium (32 bit). I see FINDGALA when I use IE9 search. Avast, Windows Defender, MBAM and others do not see it, nor does registry search. I'm seeing excessive startup and logon I/O activity. Yesterday, I ran Microsoft's Windows FIXIT, supposedly to restore the hosts file, after reading that FINDGALA trashes this? Now the PC halts randomly, and cutting the power is the only fix to get going again. Please help. Thanks... Gary


#2 WhiteHat (Trusted Helper, Retired Staff, 1,925 posts)
Hello Garysam43 and welcome to GeeksToGo :)

My nickname is WhiteHat and I'm going to help you fix your problem.

Please note that I'm currently in training and my posts have to be approved by an expert before I reply.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.
  • Please do not try to fix anything without being asked.
  • I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread.
  • I am currently reviewing your logs.


#3 Garysam43 (Topic Starter, Member, 37 posts)
Thank you WhiteHat.

#4 WhiteHat (Trusted Helper, Retired Staff, 1,925 posts)
Hi,

# Step 1 #
Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • In Extra Registry, select Use SafeList
  • Under the Custom Scan box, paste this in:
    netsvcs
    msconfig
    drives
    %SYSTEMDRIVE%\*.*
    %systemdrive%\drivers\*.exe
    %systemroot%\system32\drivers\*.* /90
    %PROGRAMFILES%\*.*
    HKLM\SOFTWARE\CLIENTS\Startmenuinternet|command /rs
    HKLM\SOFTWARE\CLIENTS\Startmenuinternet|command /64 /rs
    CREATERESTOREPOINT
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your topic.

# Step 2 #
Download aswMBR.exe (4.8 MB) to your desktop.

Double click aswMBR.exe to run it, then click the "Scan" button to start the scan.


On completion of the scan, click "Save log", save it to your desktop, and post it in your next reply.


#5 Garysam43 (Topic Starter, Member, 37 posts)
WhiteHat, here are the OTL logs:
OTL logfile created on: 6/18/2012 5:08:42 AM - Run 1
OTL by OldTimer - Version 3.2.49.0 Folder = C:\Users\Dad\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.38 Gb Available Physical Memory | 68.97% Memory free
4.00 Gb Paging File | 3.20 Gb Available in Paging File | 79.90% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 66.10 Gb Total Space | 37.20 Gb Free Space | 56.27% Space Free | Partition Type: NTFS
Drive D: | 74.53 Gb Total Space | 45.71 Gb Free Space | 61.33% Space Free | Partition Type: NTFS
Drive E: | 8.33 Gb Total Space | 1.27 Gb Free Space | 15.28% Space Free | Partition Type: NTFS

Computer Name: OURPC | User Name: Dad | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/06/18 05:04:21 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Dad\Desktop\OTL.exe
PRC - [2012/05/03 14:07:40 | 000,217,256 | ---- | M] (Visicom Media Inc. (Powered by Panda Security)) -- C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe
PRC - [2012/03/06 19:15:17 | 004,241,512 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2012/03/06 19:15:14 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/06/06 13:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2011/02/23 01:39:24 | 000,803,432 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
PRC - [2010/11/20 08:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/01/26 16:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Running] -- C:\Program Files\Spybot -- (SBSDWSCService)
SRV - [2012/04/24 13:37:43 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/03/06 19:15:14 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/06/06 13:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2010/02/24 16:16:38 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/04/29 04:21:04 | 000,410,624 | ---- | M] (Conexant Systems, Inc.) [Auto | Running] -- C:\Windows\System32\XAudio32.dll -- (HsfXAudioService)


========== Driver Services (SafeList) ==========

DRV - [2012/03/06 19:03:51 | 000,612,184 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012/03/06 19:03:38 | 000,337,880 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012/03/06 19:02:14 | 000,044,376 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr2.sys -- (aswRdr)
DRV - [2012/03/06 19:01:53 | 000,053,848 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012/03/06 19:01:48 | 000,057,688 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2012/03/06 19:01:30 | 000,020,696 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2012/01/12 09:26:20 | 000,101,112 | R--- | M] (GFI Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\SBREDrv.sys -- (SBRE)
DRV - [2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/02/23 02:57:00 | 010,468,360 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/11/20 06:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 05:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/07/22 17:13:28 | 000,041,912 | ---- | M] (FSPro Labs) [File_System | Boot | Running] -- C:\Windows\System32\drivers\FSPFltd.sys -- (FSProFilter)
DRV - [2009/07/13 19:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\serial.sys -- (Serial)
DRV - [2009/07/13 18:13:47 | 000,266,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTBS23.SYS -- (VSTHWBS2)
DRV - [2009/04/29 04:20:56 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio32.sys -- (XAudio)
DRV - [2009/02/13 06:58:30 | 000,266,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2009/02/13 06:56:32 | 000,980,992 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DP.sys -- (HSF_DP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{031949b3-28b6-43a4-90e2-dde1cfe21390}: "URL" = http://search.mywebs...r={searchTerms}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-82361716-3830150136-294940581-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKU\S-1-5-21-82361716-3830150136-294940581-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-82361716-3830150136-294940581-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-82361716-3830150136-294940581-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-82361716-3830150136-294940581-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-82361716-3830150136-294940581-1000\..\SearchScopes,DefaultScope = {45751D25-4CDF-4ECB-AE06-6C79A5BBC31E}
IE - HKU\S-1-5-21-82361716-3830150136-294940581-1000\..\SearchScopes\{031949b3-28b6-43a4-90e2-dde1cfe21390}: "URL" = http://search.mywebs...r={searchTerms}
IE - HKU\S-1-5-21-82361716-3830150136-294940581-1000\..\SearchScopes\{45751D25-4CDF-4ECB-AE06-6C79A5BBC31E}: "URL" = http://findgala.com/...q={searchTerms}
IE - HKU\S-1-5-21-82361716-3830150136-294940581-1000\..\SearchScopes\{88FB16D2-04EA-4ffe-8079-CFF68F1B9CE6}: "URL" = http://www.search-re...&ver=4.0.0.1550
IE - HKU\S-1-5-21-82361716-3830150136-294940581-1000\..\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}: "URL" = http://toolbar.inbox...id=80116&lng=en
IE - HKU\S-1-5-21-82361716-3830150136-294940581-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "about:home"
FF - prefs.js..extensions.enabledItems: [email protected]:1.3.4
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..keyword.URL: "http://blekko.com/ws...&u=USERGUID&q="
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.2.72: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.2.72: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.2.72: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.2.72: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=15.0.2.72: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/02/16 06:58:05 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012/03/29 04:58:26 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/14 06:03:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/02/16 06:58:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Sunbird 1.0b1\extensions\\Components: C:\Program Files\Mozilla Sunbird\components [2012/02/16 06:57:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 12.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012/02/06 13:31:06 | 000,000,000 | ---D | M]

[2011/12/11 13:12:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dad\AppData\Roaming\Mozilla\Extensions
[2010/04/29 16:11:54 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dad\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/12/11 13:12:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dad\AppData\Roaming\Mozilla\Extensions\{718e30fb-e89b-41dd-9da7-e25a45638b28}
[2012/06/14 06:03:46 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\2pwyj0go.default\extensions
[2011/12/11 13:12:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dad\AppData\Roaming\Mozilla\Sunbird\Profiles\zyd2w965.default\extensions
[2011/05/26 09:14:41 | 000,002,569 | ---- | M] () -- C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\2pwyj0go.default\searchplugins\askcom.xml
[2011/07/19 07:24:03 | 000,002,264 | ---- | M] () -- C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\2pwyj0go.default\searchplugins\bing-zugo.xml
[2011/09/12 12:35:50 | 000,001,210 | ---- | M] () -- C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\2pwyj0go.default\searchplugins\search.xml
[2012/02/17 08:09:44 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/03/29 04:58:26 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
[2012/04/24 13:37:43 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/02/16 07:14:01 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/09/30 06:54:43 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/05/09 08:38:11 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml.old
[2011/11/09 09:37:39 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/06/17 13:49:08 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Free Download Manager) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll ()
O3 - HKLM\..\Toolbar: (no name) - {28387537-e3f9-4ed7-860c-11e69af4a8a0} - No CLSID value found.
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKU\S-1-5-21-82361716-3830150136-294940581-1000\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-82361716-3830150136-294940581-1000\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
O4 - HKLM..\Run: [Anti-phishing Domain Advisor] C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe (Visicom Media Inc. (Powered by Panda Security))
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKU\S-1-5-21-82361716-3830150136-294940581-1000..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-82361716-3830150136-294940581-1000\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-82361716-3830150136-294940581-1000\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-82361716-3830150136-294940581-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-82361716-3830150136-294940581-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O8 - Extra context menu item: Download all with Free Download Manager - C:\Program Files\Free Download Manager\dlall.htm ()
O8 - Extra context menu item: Download selected with Free Download Manager - C:\Program Files\Free Download Manager\dlselected.htm ()
O8 - Extra context menu item: Download video with Free Download Manager - C:\Program Files\Free Download Manager\dlfvideo.htm ()
O8 - Extra context menu item: Download with Free Download Manager - C:\Program Files\Free Download Manager\dllink.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKU\S-1-5-21-82361716-3830150136-294940581-1000\..Trusted Domains: albertsons.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-82361716-3830150136-294940581-1000\..Trusted Domains: myalbertsons.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-82361716-3830150136-294940581-1000\..Trusted Domains: mysupervalu.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-82361716-3830150136-294940581-1000\..Trusted Domains: star401kplan.com ([karentkaczyk] * in Trusted sites)
O15 - HKU\S-1-5-21-82361716-3830150136-294940581-1000\..Trusted Domains: supervalu.com ([]* in Trusted sites)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.h...tDetection2.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C152CCA5-F351-4D72-A386-E444466A89B8}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - D:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-82361716-3830150136-294940581-1000\...exe [@ = exefile] -- Reg Error: Key error. File not found
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found


CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/06/18 05:04:17 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\Dad\Desktop\OTL.exe
[2012/06/17 14:27:03 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Roaming\SpeedMaxPc
[2012/06/17 14:27:03 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Roaming\DriverCure
[2012/06/17 14:26:54 | 000,000,000 | ---D | C] -- C:\ProgramData\SpeedMaxPc
[2012/06/17 14:12:31 | 000,000,000 | ---D | C] -- C:\Users\Dad\Desktop\tdsskiller
[2012/06/17 14:09:39 | 000,000,000 | ---D | C] -- C:\Users\Dad\Desktop\GooredFix Backups
[2012/06/17 14:09:02 | 000,071,398 | ---- | C] (jpshortstuff) -- C:\Users\Dad\Desktop\GooredFix.exe
[2012/06/15 06:57:09 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools
[2012/06/15 06:51:37 | 000,203,088 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTSD.sys
[2012/06/15 06:51:36 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2012/06/15 06:51:06 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Tools
[2012/06/15 06:51:04 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Roaming\TestApp
[2012/06/14 07:49:13 | 000,101,112 | R--- | C] (GFI Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2012/06/14 06:35:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/06/14 06:34:55 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/06/14 06:34:55 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/06/14 06:33:14 | 009,852,544 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Dad\Desktop\mbam.exe
[2012/06/13 10:49:09 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Roaming\Wise Registry Cleaner
[2012/06/13 10:48:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wise Registry Cleaner
[2012/06/13 10:48:24 | 000,000,000 | ---D | C] -- C:\Program Files\Wise
[2012/06/13 10:03:56 | 000,000,000 | ---D | C] -- C:\ProgramData\blekko toolbars
[2012/06/13 10:03:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XdN Software
[2012/06/13 10:03:53 | 000,000,000 | ---D | C] -- C:\Program Files\XdN Software
[2012/06/13 10:03:26 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Local\blekkotb_031
[2012/06/13 10:03:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Anti-phishing Domain Advisor
[2012/06/13 09:07:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Glary Utilities
[2012/06/13 09:07:08 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Roaming\GlarySoft
[2012/06/13 09:07:07 | 000,000,000 | ---D | C] -- C:\Program Files\Glary Utilities
[2012/06/13 07:24:39 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2012/06/13 07:24:37 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2012/06/13 07:24:37 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2012/06/13 07:24:36 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2012/06/13 07:24:34 | 001,800,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2012/06/13 07:24:34 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2012/06/13 07:24:32 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2012/06/13 07:23:20 | 002,343,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2012/06/13 07:23:03 | 000,514,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\qdvd.dll
[2012/06/13 07:23:02 | 000,129,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rdpcorekmts.dll
[2012/06/13 07:23:02 | 000,058,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rdpwsx.dll
[2012/06/13 07:23:01 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rdrmemptylst.exe
[2012/06/13 06:59:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2012/06/13 06:58:58 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner

========== Files - Modified Within 30 Days ==========

[2012/06/18 05:04:21 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Dad\Desktop\OTL.exe
[2012/06/18 04:56:00 | 000,014,832 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/06/18 04:56:00 | 000,014,832 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/06/18 04:54:48 | 000,000,308 | ---- | M] () -- C:\Windows\tasks\GlaryInitialize.job
[2012/06/18 04:48:24 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/06/18 04:48:20 | 1610,113,024 | -HS- | M] () -- C:\hiberfil.sys
[2012/06/17 14:11:35 | 002,109,032 | ---- | M] () -- C:\Users\Dad\Desktop\tdsskiller.zip
[2012/06/17 14:09:05 | 000,071,398 | ---- | M] (jpshortstuff) -- C:\Users\Dad\Desktop\GooredFix.exe
[2012/06/17 13:49:08 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2012/06/15 16:21:48 | 000,007,840 | ---- | M] () -- C:\Windows\System32\drivers\kgpcpy.cfg
[2012/06/15 07:11:38 | 292,234,343 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/06/15 06:53:56 | 001,472,019 | ---- | M] () -- C:\Windows\System32\drivers\Cat.DB
[2012/06/15 05:13:49 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2012/06/14 07:55:06 | 000,442,332 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.old
[2012/06/14 06:35:00 | 000,001,047 | ---- | M] () -- C:\Users\Dad\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2012/06/14 06:35:00 | 000,001,023 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2012/06/14 06:33:27 | 009,852,544 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Dad\Desktop\mbam.exe
[2012/06/14 06:24:46 | 001,008,141 | ---- | M] () -- C:\Users\Dad\Desktop\rkill.com
[2012/06/13 10:48:27 | 000,001,141 | ---- | M] () -- C:\Users\Public\Desktop\Wise Registry Cleaner.lnk
[2012/06/13 10:03:54 | 000,001,116 | ---- | M] () -- C:\Users\Public\Desktop\XdN Tweaker.lnk
[2012/06/13 07:38:00 | 000,371,192 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/06/13 07:33:20 | 000,623,940 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/06/13 07:33:20 | 000,106,316 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/06/13 07:17:51 | 000,015,602 | ---- | M] () -- C:\Users\Public\Documents\cc_20120613_071746.reg
[2012/06/13 07:02:13 | 000,046,870 | ---- | M] () -- C:\Users\Public\Documents\cc_20120613_070152.reg
[2012/06/13 06:58:09 | 000,007,627 | ---- | M] () -- C:\Users\Dad\AppData\Local\Resmon.ResmonCfg
[2012/05/29 08:32:04 | 000,002,175 | ---- | M] () -- C:\Users\Dad\Desktop\Kindle.lnk
[2012/05/21 05:36:32 | 000,419,488 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2012/05/21 05:36:32 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl

========== Files Created - No Company Name ==========

[2012/06/17 14:11:27 | 002,109,032 | ---- | C] () -- C:\Users\Dad\Desktop\tdsskiller.zip
[2012/06/15 16:18:09 | 000,007,840 | ---- | C] () -- C:\Windows\System32\drivers\kgpcpy.cfg
[2012/06/15 07:11:38 | 292,234,343 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2012/06/15 06:51:59 | 001,472,019 | ---- | C] () -- C:\Windows\System32\drivers\Cat.DB
[2012/06/14 06:35:00 | 000,001,047 | ---- | C] () -- C:\Users\Dad\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2012/06/14 06:35:00 | 000,001,023 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2012/06/14 06:24:44 | 001,008,141 | ---- | C] () -- C:\Users\Dad\Desktop\rkill.com
[2012/06/13 10:48:27 | 000,001,141 | ---- | C] () -- C:\Users\Public\Desktop\Wise Registry Cleaner.lnk
[2012/06/13 10:03:54 | 000,001,116 | ---- | C] () -- C:\Users\Public\Desktop\XdN Tweaker.lnk
[2012/06/13 09:07:15 | 000,000,308 | ---- | C] () -- C:\Windows\tasks\GlaryInitialize.job
[2012/06/13 07:17:48 | 000,015,602 | ---- | C] () -- C:\Users\Public\Documents\cc_20120613_071746.reg
[2012/06/13 07:02:01 | 000,046,870 | ---- | C] () -- C:\Users\Public\Documents\cc_20120613_070152.reg
[2012/05/16 07:43:45 | 000,007,627 | ---- | C] () -- C:\Users\Dad\AppData\Local\Resmon.ResmonCfg
[2011/10/12 07:21:53 | 000,000,118 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2011/09/12 12:35:49 | 000,000,288 | ---- | C] () -- C:\Users\Dad\AppData\Roaming\D54CA29F.reg
[2011/09/12 12:35:24 | 000,001,252 | -HS- | C] () -- C:\Users\Dad\AppData\Local\517aqq2h75674sh3hggnyr2175hq6fw02
[2011/09/12 12:35:24 | 000,001,252 | -HS- | C] () -- C:\ProgramData\517aqq2h75674sh3hggnyr2175hq6fw02
[2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\ProgramData\syry.exe
[2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\ProgramData\rqda.exe
[2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\Users\Dad\AppData\Local\rigo.exe
[2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\Users\Dad\AppData\Local\olbr.exe
[2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\ProgramData\miog.exe
[2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\Users\Dad\AppData\Local\llmu.exe
[2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\ProgramData\cowu.exe
[2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\Users\Dad\AppData\Local\bujf.exe

========== Custom Scans ==========

========== Drive Information ==========

Physical Drives
---------------

Drive: \\.\PHYSICALDRIVE0 - Fixed hard disk media
Interface type: IDE
Media Type: Fixed hard disk media
Model: ST380021A ATA Device
Partitions: 1
Status: OK
Status Info: 0

Drive: \\.\PHYSICALDRIVE1 - Fixed hard disk media
Interface type: IDE
Media Type: Fixed hard disk media
Model: ST380815AS ATA Device
Partitions: 3
Status: OK
Status Info: 0

Drive: \\.\PHYSICALDRIVE2 -
Interface type: USB
Media Type:
Model: Generic- Compact Flash USB Device
Partitions: 0
Status: OK
Status Info: 0

Drive: \\.\PHYSICALDRIVE3 -
Interface type: USB
Media Type:
Model: Generic- SM/xD-Picture USB Device
Partitions: 0
Status: OK
Status Info: 0

Drive: \\.\PHYSICALDRIVE4 -
Interface type: USB
Media Type:
Model: Generic- SD/MMC USB Device
Partitions: 0
Status: OK
Status Info: 0

Drive: \\.\PHYSICALDRIVE5 -
Interface type: USB
Media Type:
Model: Generic- MS/MS-Pro USB Device
Partitions: 0
Status: OK
Status Info: 0

Partitions
---------------

DeviceID: Disk #0, Partition #0
PartitionType: Installable File System
Bootable: True
BootPartition: True
PrimaryPartition: True
Size: 75.00GB
Starting Offset: 32256
Hidden sectors: 0


DeviceID: Disk #1, Partition #0
PartitionType: Installable File System
Bootable: True
BootPartition: True
PrimaryPartition: True
Size: 0.00GB
Starting Offset: 1048576
Hidden sectors: 0


DeviceID: Disk #1, Partition #1
PartitionType: Installable File System
Bootable: False
BootPartition: False
PrimaryPartition: True
Size: 66.00GB
Starting Offset: 105906176
Hidden sectors: 0


DeviceID: Disk #1, Partition #2
PartitionType: Installable File System
Bootable: False
BootPartition: False
PrimaryPartition: True
Size: 8.00GB
Starting Offset: 71082869760
Hidden sectors: 0


< %SYSTEMDRIVE%\*.* >
[2009/06/10 17:42:20 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2009/06/10 17:42:20 | 000,000,010 | ---- | M] () -- C:\config.sys
[2012/06/18 04:48:20 | 1610,113,024 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/23 11:37:28 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009/11/23 11:37:28 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2012/06/18 04:48:22 | 2146,820,096 | -HS- | M] () -- C:\pagefile.sys
[2012/06/15 13:32:55 | 000,000,388 | ---- | M] () -- C:\rkill.log
[2012/06/17 14:14:39 | 000,120,896 | ---- | M] () -- C:\TDSSKiller.2.7.40.0_17.06.2012_14.12.40_log.txt

< %systemdrive%\drivers\*.exe >

< %systemroot%\system32\drivers\*.* /90 >
[2012/06/15 06:53:56 | 001,472,019 | ---- | M] () -- C:\Windows\system32\drivers\Cat.DB
[2012/06/15 16:21:48 | 000,007,840 | ---- | M] () -- C:\Windows\system32\drivers\kgpcpy.cfg
[2012/05/11 11:14:20 | 000,203,088 | ---- | M] (PC Tools) -- C:\Windows\system32\drivers\PCTSD.sys
[2012/04/27 23:17:07 | 000,183,808 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\drivers\rdpwd.sys
[2012/03/30 06:23:11 | 001,291,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\drivers\tcpip.sys

< %PROGRAMFILES%\*.* >
[2009/07/14 00:41:57 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

< HKLM\SOFTWARE\CLIENTS\Startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012/04/24 13:37:40 | 000,866,992 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012/04/24 13:37:40 | 000,866,992 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/04/24 13:37:40 | 000,866,992 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2012/04/24 13:37:42 | 000,924,600 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2012/04/24 13:37:42 | 000,924,600 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2012/04/24 13:37:42 | 000,924,600 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\System32\ie4uinit.exe" -show [2011/04/06 18:13:23 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\System32\ie4uinit.exe" -reinstall [2011/04/06 18:13:23 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\System32\ie4uinit.exe" -hide [2011/04/06 18:13:23 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2012/05/17 19:21:54 | 000,748,664 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2012/05/17 19:21:54 | 000,748,664 | ---- | M] (Microsoft Corporation)

< HKLM\SOFTWARE\CLIENTS\Startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012/04/24 13:37:40 | 000,866,992 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012/04/24 13:37:40 | 000,866,992 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/04/24 13:37:40 | 000,866,992 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2012/04/24 13:37:42 | 000,924,600 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2012/04/24 13:37:42 | 000,924,600 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2012/04/24 13:37:42 | 000,924,600 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\System32\ie4uinit.exe" -show [2011/04/06 18:13:23 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\System32\ie4uinit.exe" -reinstall [2011/04/06 18:13:23 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\System32\ie4uinit.exe" -hide [2011/04/06 18:13:23 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2012/05/17 19:21:54 | 000,748,664 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2012/05/17 19:21:54 | 000,748,664 | ---- | M] (Microsoft Corporation)

========== Alternate Data Streams ==========

@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:D74B6CF5

< End of report >
OTL Extras logfile created on: 6/18/2012 5:08:42 AM - Run 1
OTL by OldTimer - Version 3.2.49.0 Folder = C:\Users\Dad\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.38 Gb Available Physical Memory | 68.97% Memory free
4.00 Gb Paging File | 3.20 Gb Available in Paging File | 79.90% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 66.10 Gb Total Space | 37.20 Gb Free Space | 56.27% Space Free | Partition Type: NTFS
Drive D: | 74.53 Gb Total Space | 45.71 Gb Free Space | 61.33% Space Free | Partition Type: NTFS
Drive E: | 8.33 Gb Total Space | 1.27 Gb Free Space | 15.28% Space Free | Partition Type: NTFS

Computer Name: OURPC | User Name: Dad | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-82361716-3830150136-294940581-1000\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [runas] -- cmd.exe /c takeown /f "%1" /r /d y && icacls "%1" /grant administrators:F /t (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0CF850F7-BBE5-43CF-AE7E-06D37C7A6CF0}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{1921DFC5-DC00-4429-A8D2-5D7E372E7DF4}" = rport=139 | protocol=6 | dir=out | app=system |
"{1BF73C11-FA74-48B4-9CFE-C8E4C8AD92AD}" = rport=137 | protocol=17 | dir=out | app=system |
"{1CB0ECA6-61EF-45FB-8B19-A396440628C4}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{1DF74B40-330D-48F9-AC80-62D802033041}" = rport=138 | protocol=17 | dir=out | app=system |
"{1E9096D5-9CB4-4929-A0A5-3D9E8CD1933A}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{314C2257-B698-4F64-BFC6-EB376A105F86}" = lport=10243 | protocol=6 | dir=in | app=system |
"{4223DC88-C2B1-4DB8-B3A8-3BD16118C6FF}" = lport=138 | protocol=17 | dir=in | app=system |
"{53B1E6A3-8A5C-46EC-9516-3270863D16C9}" = lport=445 | protocol=6 | dir=in | app=system |
"{5A536603-59AE-4E4F-9030-22C9F54BB226}" = rport=445 | protocol=6 | dir=out | app=system |
"{615021D3-C3CB-470D-BC1C-399013FE6E98}" = lport=2869 | protocol=6 | dir=in | app=system |
"{7DE3FA75-4D57-45BF-AD94-8E33CE561FAE}" = rport=10243 | protocol=6 | dir=out | app=system |
"{8658D806-5FBC-45FC-9DDA-605EFCF7E4B6}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{8C6542CD-3119-4F69-8453-E34DBBEA148E}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{94374C9D-33E9-46F6-8FE1-A0604EF9FC78}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{96E48D18-E2D7-4D00-B75D-C431941C8F98}" = lport=139 | protocol=6 | dir=in | app=system |
"{A39FEBE3-1610-4811-9EB8-A8A55AB0DD4C}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{B071D6FB-C4E8-4CEE-9200-09F4A24871BB}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{BB7E1135-A739-48A8-8A10-8725ADC4D025}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{D8322782-9BDB-4547-85E8-DA4A0161AD04}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{E7929D93-EB84-4579-AFA4-A2EFC2D50360}" = lport=137 | protocol=17 | dir=in | app=system |
"{FD510105-A84A-415D-92C5-6CC246A1ADA5}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{FEDB232C-3854-4F84-A8E8-04C50F6C0243}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@FirewallAPI.dll,-28539 |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00DEEAE3-ACF6-47A7-9D1F-6D744F55E9F4}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{01A35726-5818-41DC-AD1B-2163FAFFB3EE}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{419D10B0-59AB-4F8A-819F-66D1A154FD27}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{52FB4696-C521-4FDF-A0BD-A7C6DD933608}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{610FD175-0945-4AB8-B416-D61C73B670A2}" = protocol=1 | dir=in | name=@FirewallAPI.dll,-28543 |
"{76460D8F-6638-432E-B18F-538B0881ACB0}" = protocol=6 | dir=out | app=system |
"{83B90A6E-CFE3-45EF-8C23-B08A2EE6A43F}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{98BFBE11-EB7C-4A9C-AA0A-DE5F032AD53D}" = protocol=58 | dir=out | name=@FirewallAPI.dll,-28546 |
"{996148A1-5A6C-436A-B1BD-CB081603643C}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{A3C53F64-3C15-4C20-99D8-AC0E1E2DAEDC}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{A5A62ED4-E0E5-41B4-B36A-5256BDE00BBF}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{AC8BE58D-D0D0-449E-8585-10ECA8060969}" = protocol=1 | dir=out | name=@FirewallAPI.dll,-28544 |
"{C065C2B9-F84D-44B4-A538-BF53EFC711B5}" = protocol=58 | dir=in | name=@FirewallAPI.dll,-28545 |
"{D4BBB2A4-C3CB-414A-9780-9825C0DED5F7}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{E015E596-060E-4428-9744-832B8A7D6CEB}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{E669642F-C7E9-4884-B925-D1BE2936FCF4}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"TCP Query User{34F191B7-E9F1-40E2-8CA2-43AA7938AD2B}C:\program files\free download manager\fdmwi.exe" = protocol=6 | dir=in | app=c:\program files\free download manager\fdmwi.exe |
"TCP Query User{A50FE639-B6C8-466A-9B58-001E583B6549}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{D4C10D60-0D3D-4A7A-9B7C-0214CE8E6E4B}C:\program files\satellite direct\satellitedirect.exe" = protocol=6 | dir=in | app=c:\program files\satellite direct\satellitedirect.exe |
"TCP Query User{DB3B9870-90EA-4997-8085-95D85068D021}C:\program files\java\jre6\bin\java.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\bin\java.exe |
"TCP Query User{ECFEFFFB-1383-46E0-8ED6-3A586DC96FAC}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{00A58D39-18AB-4CEB-AF69-717BD6D6A6C8}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{0D86AA1D-3AA2-4A07-A897-5EE0B13A1065}C:\program files\free download manager\fdmwi.exe" = protocol=17 | dir=in | app=c:\program files\free download manager\fdmwi.exe |
"UDP Query User{1E2026E7-2521-43BB-A7A7-214636EE1E6E}C:\program files\java\jre6\bin\java.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\bin\java.exe |
"UDP Query User{3A89A95A-CD3F-4091-A663-BCC3A576A0B8}C:\program files\satellite direct\satellitedirect.exe" = protocol=17 | dir=in | app=c:\program files\satellite direct\satellitedirect.exe |
"UDP Query User{DCEFCA76-B01C-4184-B536-0BAA21D26575}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java™ 6 Update 31
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{62687EAC-F27D-49AC-A0E2-3899B0459113}" = Hallmark Card Studio 2011 Deluxe
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9DBFEC34-FBF0-4BBF-8A90-BBDB514531A2}_is1" = Satellite Direct v2.8.1.1
"{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb" = Internet Explorer (Enable DEP)
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B2FE1952-0186-46c3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 267.24
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 267.24
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{CEE2613D-3B53-4447-BA2D-E88C08272581}" = LibreOffice 3.3
"{E0570DE2-4B9D-47B6-A034-3B18829C0EAC}" = 2011 Hallmark Registration Bonus Pack
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Anti-phishing Domain Advisor" = Anti-phishing Domain Advisor
"avast" = avast! Free Antivirus
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CCleaner" = CCleaner
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1" = Soft Data Fax Modem with SmartCP
"File Shredder_is1" = File Shredder 2.0
"Free Download Manager_is1" = Free Download Manager 3.7 RC1
"Glary Utilities_is1" = Glary Utilities 2.46.0.1518
"HDMI" = Intel® Graphics Media Accelerator Driver
"i-Fun Viewer_is1" = i-Fun Viewer
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox 12.0 (x86 en-US)" = Mozilla Firefox 12.0 (x86 en-US)
"Mozilla Thunderbird 12.0.1 (x86 en-US)" = Mozilla Thunderbird 12.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"My Lockbox_is1" = My Lockbox 2.8.2
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"PhotoStitch" = Canon Utilities PhotoStitch
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RealPlayer 15.0" = RealPlayer
"RemoteCaptureDC" = Canon Utilities RemoteCapture DC
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"WinLiveSuite_Wave3" = Windows Live Essentials
"Wise Registry Cleaner_is1" = Wise Registry Cleaner 7.31
"XdN Tweaker" = XdN Tweaker 0.9.2.6
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-82361716-3830150136-294940581-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Amazon Kindle" = Amazon Kindle

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 6/13/2012 6:57:39 AM | Computer Name = OURPC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 6/13/2012 7:31:20 AM | Computer Name = OURPC | Source = Microsoft-Windows-CAPI2 | ID = 4107
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. .

Error - 6/13/2012 9:24:31 AM | Computer Name = OURPC | Source = Application Error | ID = 1000
Description = Faulting application name: MsiExec.exe, version: 5.0.7601.17514, time
stamp: 0x4ce792c4 Faulting module name: QuickTime.qts_unloaded, version: 0.0.0.0,
time stamp: 0x4cf4536a Exception code: 0xc0000005 Fault offset: 0x63a8bb89 Faulting
process id: 0x544 Faulting application start time: 0x01cd4967da0cca1b Faulting application
path: C:\Windows\system32\MsiExec.exe Faulting module path: QuickTime.qts Report
Id: 1b996c7a-b55b-11e1-ad6b-001bfcd05fa1

Error - 6/13/2012 11:58:10 AM | Computer Name = OURPC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program files\spybot
- search & destroy\DelZip179.dll" on line 8. The value "*" of attribute "language"
in element "assemblyIdentity" is invalid.

Error - 6/14/2012 7:48:50 AM | Computer Name = OURPC | Source = System Restore | ID = 8193
Description =

Error - 6/14/2012 7:48:51 AM | Computer Name = OURPC | Source = System Restore | ID = 8193
Description =

Error - 6/14/2012 8:01:16 AM | Computer Name = OURPC | Source = VSS | ID = 8194
Description =

Error - 6/15/2012 3:00:08 PM | Computer Name = OURPC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "c:\program files\PC Tools\pc
tools security\networklayer\PCTCFFix64.exe". Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 6/15/2012 3:00:36 PM | Computer Name = OURPC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program files\spybot
- search & destroy\DelZip179.dll" on line 8. The value "*" of attribute "language"
in element "assemblyIdentity" is invalid.

Error - 6/16/2012 4:08:38 PM | Computer Name = OURPC | Source = Application Error | ID = 1000
Description = Faulting application name: Explorer.EXE, version: 6.1.7601.17567,
time stamp: 0x4d6727a7 Faulting module name: fsshell.dll_unloaded, version: 0.0.0.0,
time stamp: 0x2a425e19 Exception code: 0xc0000005 Fault offset: 0x03ec33ec Faulting
process id: 0xb88 Faulting application start time: 0x01cd4be74c6c8dab Faulting application
path: C:\Windows\Explorer.EXE Faulting module path: fsshell.dll Report Id: 0ef61571-b7ef-11e1-b839-001bfcd05fa1

Error - 6/17/2012 12:01:34 PM | Computer Name = OURPC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program files\spybot
- search & destroy\DelZip179.dll" on line 8. The value "*" of attribute "language"
in element "assemblyIdentity" is invalid.

[ Media Center Events ]
Error - 4/28/2011 5:43:11 AM | Computer Name = OURPC | Source = MCUpdate | ID = 0
Description = 5:43:11 AM - Error connecting to the internet. 5:43:11 AM - Unable
to contact server..

Error - 5/3/2011 7:02:48 AM | Computer Name = OURPC | Source = MCUpdate | ID = 0
Description = 7:02:48 AM - Error connecting to the internet. 7:02:48 AM - Unable
to contact server..

Error - 5/3/2011 8:03:14 AM | Computer Name = OURPC | Source = MCUpdate | ID = 0
Description = 8:03:13 AM - Error connecting to the internet. 8:03:13 AM - Unable
to contact server..

Error - 5/3/2011 9:03:38 AM | Computer Name = OURPC | Source = MCUpdate | ID = 0
Description = 9:03:38 AM - Error connecting to the internet. 9:03:38 AM - Unable
to contact server..

Error - 5/13/2011 6:46:23 AM | Computer Name = OURPC | Source = MCUpdate | ID = 0
Description = 6:46:22 AM - Error connecting to the internet. 6:46:23 AM - Unable
to contact server..

Error - 5/28/2011 7:52:56 AM | Computer Name = OURPC | Source = MCUpdate | ID = 0
Description = 7:52:56 AM - Error connecting to the internet. 7:52:56 AM - Unable
to contact server..

Error - 5/28/2011 8:53:18 AM | Computer Name = OURPC | Source = MCUpdate | ID = 0
Description = 8:53:18 AM - Error connecting to the internet. 8:53:18 AM - Unable
to contact server..

Error - 5/28/2011 9:53:36 AM | Computer Name = OURPC | Source = MCUpdate | ID = 0
Description = 9:53:36 AM - Error connecting to the internet. 9:53:36 AM - Unable
to contact server..

Error - 5/28/2011 11:29:31 AM | Computer Name = OURPC | Source = MCUpdate | ID = 0
Description = 11:29:31 AM - Error connecting to the internet. 11:29:31 AM - Unable
to contact server..

Error - 6/2/2011 8:09:21 AM | Computer Name = OURPC | Source = MCUpdate | ID = 0
Description = 8:09:21 AM - Error connecting to the internet. 8:09:21 AM - Unable
to contact server..

[ System Events ]
Error - 6/15/2012 1:33:04 PM | Computer Name = OURPC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 6/15/2012 1:33:04 PM | Computer Name = OURPC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 6/15/2012 1:33:04 PM | Computer Name = OURPC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 6/15/2012 1:33:04 PM | Computer Name = OURPC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 6/15/2012 1:33:04 PM | Computer Name = OURPC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 6/15/2012 2:37:49 PM | Computer Name = OURPC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
is3srv

Error - 6/15/2012 4:16:32 PM | Computer Name = OURPC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
is3srv

Error - 6/16/2012 8:17:59 PM | Computer Name = OURPC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 5:19:58 PM on 6/16/2012 was unexpected.

Error - 6/17/2012 6:02:34 AM | Computer Name = OURPC | Source = EventLog | ID = 6008
Description = The previous system shutdown at 8:30:49 PM on 6/16/2012 was unexpected.

Error - 6/17/2012 1:49:07 PM | Computer Name = OURPC | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Driver Helper Service service terminated unexpectedly.
It has done this 1 time(s).


< End of report >
  • 0

#6
Garysam43

Garysam43

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Hi WhiteHat. I ran aswMBR.exe from the desktop. It ran fine, but the whole system froze at completion, before I could click on "save log".
Gary
  • 0

#7
WhiteHat

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
# Step 1 #

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.
To disable MBAM:
  • Open the scanner and select the Protection tab.
  • Remove the tick from "Start with Windows".
  • Reboot and then run OTL.


# Step 2 #


Please reopen OTL on your desktop.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE -  HKU\S-1-5-21-82361716-3830150136-294940581-1000\..\SearchScopes\{031949b3-28b6-43a4-90e2-dde1cfe21390}:  "URL" = http://search.mywebs...r={searchTerms}
    IE -  HKU\S-1-5-21-82361716-3830150136-294940581-1000\..\SearchScopes\{45751D25-4CDF-4ECB-AE06-6C79A5BBC31E}:  "URL" = http://findgala.com/...q={searchTerms}
    IE -  HKU\S-1-5-21-82361716-3830150136-294940581-1000\..\SearchScopes\{88FB16D2-04EA-4ffe-8079-CFF68F1B9CE6}:  "URL" = http://www.search-re...&ver=4.0.0.1550
    IE -  HKU\S-1-5-21-82361716-3830150136-294940581-1000\..\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}:  "URL" = http://toolbar.inbox...id=80116&lng=en
    FF - prefs.js..browser.search.defaultengine: "Ask.com"
    FF - prefs.js..browser.search.defaultenginename: "Ask.com"
    FF - prefs.js..browser.search.order.1: "Ask.com"
    [2011/05/26 09:14:41 | 000,002,569 | ---- | M] () --  C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\2pwyj0go.default\searchplugins\askcom.xml
    [2011/07/19 07:24:03 | 000,002,264 | ---- | M] () --  C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\2pwyj0go.default\searchplugins\bing-zugo.xml
    [2011/09/12 12:35:50 | 000,001,210 | ---- | M] () --  C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\2pwyj0go.default\searchplugins\search.xml
    O3 -  HKU\S-1-5-21-82361716-3830150136-294940581-1000\..\Toolbar\WebBrowser:  (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value  found.
    [2011/09/12 12:35:49 | 000,000,288 | ---- | C] () -- C:\Users\Dad\AppData\Roaming\D54CA29F.reg
    [2011/09/12 12:35:24 | 000,001,252 | -HS- | C] () -- C:\Users\Dad\AppData\Local\517aqq2h75674sh3hggnyr2175hq6fw02
    [2011/09/12 12:35:24 | 000,001,252 | -HS- | C] () -- C:\ProgramData\517aqq2h75674sh3hggnyr2175hq6fw02
    [2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\ProgramData\syry.exe
    [2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\ProgramData\rqda.exe
    [2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\Users\Dad\AppData\Local\rigo.exe
    [2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\Users\Dad\AppData\Local\olbr.exe
    [2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\ProgramData\miog.exe
    [2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\Users\Dad\AppData\Local\llmu.exe
    [2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\ProgramData\cowu.exe
    [2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\Users\Dad\AppData\Local\bujf.exe
    
    :Commands
    [CREATERESTOREPOINT]
    [EMPTYTEMP]
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


# Step 3 #


Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

The report has the following format: MBRCheck_Date_Time.
For example: MBRCheck_05.13.12_22.35.11
  • 0
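The OTL fix above removes the per-user IE SearchScopes entries and the Firefox search prefs that point at findgala.com and Ask.com. The script below is an added example, not code from this thread or from OTL, showing how a responder can triage such OTL lines automatically instead of reading them by eye: it parses the `IE - ...SearchScopes...` and `FF - prefs.js..browser.search...` lines, flags every IE search provider whose host is not on an assumed allowlist, and notes when a flagged scope is also the hive's DefaultScope, which is exactly what makes every address-bar search land on findgala. It also reports Firefox default-engine prefs that disagree with `browser.search.selectedEngine` (the Ask.com versus Google mismatch visible in the fix). The allowlist, the sample log text, the SID in it and the full URLs are constructed for the example; they are placeholders, not the truncated values quoted above.

```python
"""Triage OTL-style search-scope lines for hijacked IE/Firefox search settings.

Added example (not from the Geeks to Go thread and not part of OTL): parses the
'IE - ...SearchScopes...' and 'FF - prefs.js..browser.search...' lines that OTL
prints and flags search providers a defender would not expect to see.
"""
import re
from urllib.parse import urlparse

# Hypothetical allowlist of hosts expected as IE search providers on a stock
# Windows 7 box; adjust for the environment being examined.
KNOWN_GOOD_HOSTS = {"www.bing.com", "www.google.com", "search.yahoo.com"}

# IE - HKU\<SID>\..\SearchScopes\{GUID}: "URL" = http://...
SCOPE_RE = re.compile(
    r'^IE - (?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\\SearchScopes\\'
    r'(?P<guid>\{[0-9A-Fa-f-]+\}):\s+"URL" = (?P<url>\S+)'
)
# IE - HKU\<SID>\..\SearchScopes,DefaultScope = {GUID}
DEFAULT_RE = re.compile(
    r'^IE - (?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\\SearchScopes,DefaultScope = '
    r'(?P<guid>\{[0-9A-Fa-f-]+\})'
)
# FF - prefs.js..browser.search.<name>: "value"   (or an unquoted true/false)
FF_RE = re.compile(r'^FF - prefs\.js\.\.(?P<pref>browser\.search\.[\w.]+): "?(?P<value>[^"]*)"?')


def parse_scopes(log_text):
    """Extract (scopes, defaults, ff_prefs) from OTL output.

    scopes   : {(hive, guid): url}
    defaults : {hive: guid}        -- the DefaultScope per hive
    ff_prefs : {pref_name: value}  -- browser.search.* prefs from prefs.js
    """
    scopes, defaults, ff_prefs = {}, {}, {}
    for line in log_text.splitlines():
        line = line.strip()
        if m := SCOPE_RE.match(line):
            scopes[(m["hive"], m["guid"])] = m["url"]
        elif m := DEFAULT_RE.match(line):
            defaults[m["hive"]] = m["guid"]
        elif m := FF_RE.match(line):
            ff_prefs[m["pref"]] = m["value"]
    return scopes, defaults, ff_prefs


def triage(log_text, known_good=KNOWN_GOOD_HOSTS):
    """Return one finding dict per suspicious IE scope or Firefox pref."""
    scopes, defaults, ff_prefs = parse_scopes(log_text)
    findings = []
    for (hive, guid), url in scopes.items():
        host = urlparse(url).hostname or ""
        if host not in known_good:
            findings.append({
                "kind": "ie_scope",
                "hive": hive,
                "guid": guid,
                "host": host,
                # True when this scope is the one the address bar actually uses.
                "is_default": defaults.get(hive) == guid,
            })
    # A default-engine pref that disagrees with the engine the user selected is
    # a classic sign that an installer rewrote prefs.js behind the user's back.
    selected = ff_prefs.get("browser.search.selectedEngine")
    for pref in ("browser.search.defaultengine", "browser.search.defaultenginename"):
        value = ff_prefs.get(pref)
        if value and selected and value != selected:
            findings.append({"kind": "ff_pref", "pref": pref, "value": value, "selected": selected})
    return findings


# Constructed sample in OTL's line format: placeholder SID and full placeholder
# URLs, not the truncated entries quoted in the thread.
SAMPLE_OTL = r"""
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-1111-2222-3333-1000\..\SearchScopes,DefaultScope = {45751D25-4CDF-4ECB-AE06-6C79A5BBC31E}
IE - HKU\S-1-5-21-1111-2222-3333-1000\..\SearchScopes\{45751D25-4CDF-4ECB-AE06-6C79A5BBC31E}: "URL" = http://findgala.com/?q={searchTerms}
IE - HKU\S-1-5-21-1111-2222-3333-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_OTL):
        print(finding)
```

On the constructed sample this reports the findgala.com scope (marked as the user hive's default) and the two Ask.com prefs, and stays quiet about the Bing entries; feeding it a full OTL.Txt such as the one posted later in this thread works the same way, since the regexes only look at the line prefixes OTL always emits.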

#8
Garysam43

Garysam43

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
I checked my Malwarebytes: it's 1.5, the free one, which I don't think is resident. It does not have a "Start with Windows" option. Then I ran OTL with your copy-and-paste info; it quit Windows almost immediately, from a command/DOS box which said something about a crash dump, then WIN did a shutdown/restart. When it came back up, Windows gave me a message that Windows had shut down unexpectedly. Do you want me to run MBRCheck.exe anyway?
  • 0

#9
WhiteHat

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
# Step 1 #

You will need Mozilla Firefox. If you don't have it, you can get a portable version here.

Open Mozilla Firefox and click on the Firefox button > select Options.

Under Download, select the option Always ask me where to save files > Ok.


# Step 2 #

Download Combofix from any of the links below but rename it to <G2GMR> before saving it to your desktop.

Link 1
Link 2
Link 3

Double-click on G2GMR and follow the prompts.
Accept the disclaimer and allow it to update if it asks.


When finished, it produces a log for you.
Please include the C:\ComboFix.txt in your next reply.



Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

After the run you may have internet problems or problems accessing something. Simply reboot the computer.
  • 0

#10
Garysam43

Garysam43

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Here's the ComboFix log. FYI, Findgala still takes over any IE9 search from the URL box.
ComboFix 12-06-19.03 - Dad 06/19/2012 17:07:40.1.1 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2047.1225 [GMT -4:00]
Running from: c:\users\Dad\Desktop\G2GMR.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\RadioPI_4eEI
c:\users\Dad\AppData\Local\assembly\tmp
c:\users\Dad\AppData\Local\bujf.exe
c:\users\Dad\AppData\Local\llmu.exe
c:\users\Dad\AppData\Local\olbr.exe
c:\users\Dad\AppData\Local\rigo.exe
c:\users\Dad\AppData\Roaming\D54CA29F.reg
c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\2pwyj0go.default\searchplugins\bing-zugo.xml
D:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-05-19 to 2012-06-19 )))))))))))))))))))))))))))))))
.
.
2012-06-19 21:25 . 2012-06-19 21:25 -------- d-----w- c:\users\Dad\AppData\Local\temp
2012-06-19 21:25 . 2012-06-19 21:25 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-06-19 21:25 . 2012-06-19 21:25 -------- d-----w- c:\users\Mom\AppData\Local\temp
2012-06-19 21:25 . 2012-06-19 21:25 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-06-19 21:25 . 2012-06-19 21:25 -------- d-----w- c:\users\Gary\AppData\Local\temp
2012-06-19 21:25 . 2012-06-19 21:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-19 21:25 . 2012-06-19 21:25 -------- d-----w- c:\users\Bethany\AppData\Local\temp
2012-06-19 20:59 . 2012-06-19 20:59 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-19 20:59 . 2012-06-19 20:59 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-17 18:27 . 2012-06-17 18:27 -------- d-----w- c:\users\Dad\AppData\Roaming\SpeedMaxPc
2012-06-17 18:27 . 2012-06-17 18:27 -------- d-----w- c:\users\Dad\AppData\Roaming\DriverCure
2012-06-17 18:26 . 2012-06-17 18:34 -------- d-----w- c:\programdata\SpeedMaxPc
2012-06-16 20:58 . 2012-06-16 20:59 -------- d-----w- c:\users\DADUSER
2012-06-16 18:54 . 2012-05-15 05:43 6737808 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{947752D2-9B95-43F9-AC46-8ACF435ED28A}\mpengine.dll
2012-06-15 10:57 . 2012-06-15 20:25 -------- d-----w- c:\program files\PC Tools
2012-06-15 10:51 . 2012-05-11 15:14 203088 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-06-15 10:51 . 2012-06-15 20:25 -------- d-----w- c:\program files\Common Files\PC Tools
2012-06-15 10:51 . 2012-06-15 20:20 -------- d-----w- c:\programdata\PC Tools
2012-06-15 10:51 . 2012-06-15 10:51 -------- d-----w- c:\users\Dad\AppData\Roaming\TestApp
2012-06-14 11:49 . 2012-01-12 13:26 101112 ----a-r- c:\windows\system32\drivers\SBREDrv.sys
2012-06-14 10:34 . 2012-06-15 17:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-14 10:34 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 20:35 . 2012-06-13 20:36 -------- d-----w- c:\users\Mom\AppData\Local\blekkotb_031
2012-06-13 14:49 . 2012-06-13 14:56 -------- d-----w- c:\users\Dad\AppData\Roaming\Wise Registry Cleaner
2012-06-13 14:48 . 2012-06-13 14:48 -------- d-----w- c:\program files\Wise
2012-06-13 14:03 . 2012-06-14 10:03 -------- d-----w- c:\programdata\blekko toolbars
2012-06-13 14:03 . 2012-06-13 14:03 -------- d-----w- c:\program files\XdN Software
2012-06-13 14:03 . 2012-06-13 14:04 -------- d-----w- c:\users\Dad\AppData\Local\blekkotb_031
2012-06-13 14:03 . 2012-06-13 14:03 -------- d-----w- c:\programdata\Anti-phishing Domain Advisor
2012-06-13 13:07 . 2012-06-13 13:16 -------- d-----w- c:\users\Dad\AppData\Roaming\GlarySoft
2012-06-13 13:07 . 2012-06-13 13:07 -------- d-----w- c:\program files\Glary Utilities
2012-06-13 11:23 . 2012-05-15 01:05 2343936 ----a-w- c:\windows\system32\win32k.sys
2012-06-13 11:23 . 2012-04-28 03:17 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-13 11:23 . 2012-05-04 09:59 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-06-13 11:23 . 2012-04-26 04:45 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-13 11:23 . 2012-04-26 04:45 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-13 11:23 . 2012-04-26 04:41 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-13 11:21 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\system32\crypt32.dll
2012-06-13 11:21 . 2012-04-24 04:36 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-13 11:21 . 2012-04-24 04:36 103936 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-13 11:21 . 2012-05-01 04:44 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-06-13 11:21 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\system32\msi.dll
2012-06-13 10:58 . 2012-06-13 10:59 -------- d-----w- c:\program files\CCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-21 09:36 . 2012-03-29 14:48 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-21 09:36 . 2011-05-14 11:21 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-31 04:39 . 2012-05-10 10:57 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-31 04:39 . 2012-05-10 10:57 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-30 10:23 . 2012-05-10 10:57 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-06-19 20:59 . 2011-05-09 12:38 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-11 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-11 150552]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
"Anti-phishing Domain Advisor"="c:\programdata\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [2012-05-03 217256]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" -osboot
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-19 113120]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2009-07-13 266752]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-24 1343400]
S0 FSProFilter;FSPro File Filter;c:\windows\System32\Drivers\FSPFltd.sys [2010-07-22 41912]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2012-01-12 101112]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-03-06 57688]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-08-20 189440]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService REG_MULTI_SZ HsfXAudioService
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-19 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2012-06-13 13:43]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
Trusted Zone: albertsons.com
Trusted Zone: myalbertsons.com
Trusted Zone: mysupervalu.com
Trusted Zone: star401kplan.com\karentkaczyk
Trusted Zone: supervalu.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\2pwyj0go.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://blekko.com/ws/?source={SourceID}&tbp=url&toolbarid=blekkotb_031&u=USERGUID&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{28387537-e3f9-4ed7-860c-11e69af4a8a0} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-06-19 17:35:35
ComboFix-quarantined-files.txt 2012-06-19 21:35
.
Pre-Run: 39,510,024,192 bytes free
Post-Run: 39,019,474,944 bytes free
.
- - End Of File - - B4817CF25C8ABE484A88818A518358C9
  • 0


#11
Garysam43

Garysam43

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
WhiteHat - I thought of one other thing: I had a trial version of Malwarebytes Pro, which I uninstalled when it expired. For some reason, on "user" IDs only, right after logon, a message appears at the bottom of the screen saying the Malwarebytes trial has expired, and then the PC freezes, and only cutting power brings it back. This does not happen on my admin ID ("DAD").
  • 0

#12
WhiteHat

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
# Step 1 #

  • Run OTL.exe. Make sure all other windows are closed and let it run uninterrupted.
  • Select All Users.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open one Notepad window containing OTL.Txt. This is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it in your topic.


# Step 2 #

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

The report has the following format: MBRCheck_Date_Time.
For example: MBRCheck_05.13.12_22.35.11
  • 0

#13
Garysam43

Garysam43

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
OTL Results:
OTL logfile created on: 6/21/2012 6:21:19 AM - Run 2
OTL by OldTimer - Version 3.2.49.0 Folder = C:\Users\Dad\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.35 Gb Available Physical Memory | 67.65% Memory free
4.00 Gb Paging File | 3.17 Gb Available in Paging File | 79.34% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 66.10 Gb Total Space | 36.22 Gb Free Space | 54.79% Space Free | Partition Type: NTFS
Drive D: | 74.53 Gb Total Space | 45.71 Gb Free Space | 61.33% Space Free | Partition Type: NTFS
Drive E: | 8.33 Gb Total Space | 1.27 Gb Free Space | 15.28% Space Free | Partition Type: NTFS

Computer Name: OURPC | User Name: Dad | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/06/18 05:04:21 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Dad\Desktop\OTL.exe
PRC - [2012/05/03 14:07:40 | 000,217,256 | ---- | M] (Visicom Media Inc. (Powered by Panda Security)) -- C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe
PRC - [2012/03/06 19:15:17 | 004,241,512 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2012/03/06 19:15:14 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/06/06 13:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2011/02/23 01:39:24 | 000,803,432 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
PRC - [2010/11/20 08:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/03/05 17:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/01/26 16:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Running] -- C:\Program Files\Spybot -- (SBSDWSCService)
SRV - [2012/06/19 16:59:23 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/03/06 19:15:14 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/06/06 13:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2010/02/24 16:16:38 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/04/29 04:21:04 | 000,410,624 | ---- | M] (Conexant Systems, Inc.) [Auto | Running] -- C:\Windows\System32\XAudio32.dll -- (HsfXAudioService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Dad\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2012/03/06 19:03:51 | 000,612,184 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012/03/06 19:03:38 | 000,337,880 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012/03/06 19:02:14 | 000,044,376 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr2.sys -- (aswRdr)
DRV - [2012/03/06 19:01:53 | 000,053,848 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012/03/06 19:01:48 | 000,057,688 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2012/03/06 19:01:30 | 000,020,696 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2012/01/12 09:26:20 | 000,101,112 | R--- | M] (GFI Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\SBREDrv.sys -- (SBRE)
DRV - [2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/02/23 02:57:00 | 010,468,360 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/11/20 06:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 05:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/07/22 17:13:28 | 000,041,912 | ---- | M] (FSPro Labs) [File_System | Boot | Running] -- C:\Windows\System32\drivers\FSPFltd.sys -- (FSProFilter)
DRV - [2009/07/13 19:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\serial.sys -- (Serial)
DRV - [2009/07/13 18:13:47 | 000,266,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTBS23.SYS -- (VSTHWBS2)
DRV - [2009/04/29 04:20:56 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio32.sys -- (XAudio)
DRV - [2009/02/13 06:58:30 | 000,266,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2009/02/13 06:56:32 | 000,980,992 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DP.sys -- (HSF_DP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{031949b3-28b6-43a4-90e2-dde1cfe21390}: "URL" = http://search.mywebs...r={searchTerms}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-82361716-3830150136-294940581-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-82361716-3830150136-294940581-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-82361716-3830150136-294940581-1000\..\SearchScopes,DefaultScope = {45751D25-4CDF-4ECB-AE06-6C79A5BBC31E}
IE - HKU\S-1-5-21-82361716-3830150136-294940581-1000\..\SearchScopes\{031949b3-28b6-43a4-90e2-dde1cfe21390}: "URL" = http://search.mywebs...r={searchTerms}
IE - HKU\S-1-5-21-82361716-3830150136-294940581-1000\..\SearchScopes\{45751D25-4CDF-4ECB-AE06-6C79A5BBC31E}: "URL" = http://findgala.com/...q={searchTerms}
IE - HKU\S-1-5-21-82361716-3830150136-294940581-1000\..\SearchScopes\{88FB16D2-04EA-4ffe-8079-CFF68F1B9CE6}: "URL" = http://www.search-re...&ver=4.0.0.1550
IE - HKU\S-1-5-21-82361716-3830150136-294940581-1000\..\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}: "URL" = http://toolbar.inbox...id=80116&lng=en
IE - HKU\S-1-5-21-82361716-3830150136-294940581-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "about:home"
FF - prefs.js..extensions.enabledItems: [email protected]:1.3.4
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..keyword.URL: "http://blekko.com/ws...&u=USERGUID&q="
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.2.72: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.2.72: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.2.72: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.2.72: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=15.0.2.72: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/02/16 06:58:05 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012/03/29 04:58:26 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/19 16:59:24 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/02/16 06:58:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Sunbird 1.0b1\extensions\\Components: C:\Program Files\Mozilla Sunbird\components [2012/02/16 06:57:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 12.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012/02/06 13:31:06 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/19 16:59:24 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/02/16 06:58:57 | 000,000,000 | ---D | M]

[2011/12/11 13:12:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dad\AppData\Roaming\Mozilla\Extensions
[2010/04/29 16:11:54 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dad\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/12/11 13:12:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dad\AppData\Roaming\Mozilla\Extensions\{718e30fb-e89b-41dd-9da7-e25a45638b28}
[2012/06/14 06:03:46 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\2pwyj0go.default\extensions
[2011/12/11 13:12:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dad\AppData\Roaming\Mozilla\Sunbird\Profiles\zyd2w965.default\extensions
[2011/05/26 09:14:41 | 000,002,569 | ---- | M] () -- C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\2pwyj0go.default\searchplugins\askcom.xml
[2011/09/12 12:35:50 | 000,001,210 | ---- | M] () -- C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\2pwyj0go.default\searchplugins\search.xml
[2012/02/17 08:09:44 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/03/29 04:58:26 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
[2012/06/19 16:59:24 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/02/16 07:14:01 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012/06/19 16:59:20 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/05/09 08:38:11 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml.old
[2012/06/19 16:59:20 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/06/19 17:25:19 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Free Download Manager) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll ()
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKU\S-1-5-21-82361716-3830150136-294940581-1000\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-82361716-3830150136-294940581-1000\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
O4 - HKLM..\Run: [Anti-phishing Domain Advisor] C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe (Visicom Media Inc. (Powered by Panda Security))
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKU\S-1-5-21-82361716-3830150136-294940581-1000..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-82361716-3830150136-294940581-1000\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-82361716-3830150136-294940581-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-82361716-3830150136-294940581-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-21-82361716-3830150136-294940581-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Download all with Free Download Manager - C:\Program Files\Free Download Manager\dlall.htm ()
O8 - Extra context menu item: Download selected with Free Download Manager - C:\Program Files\Free Download Manager\dlselected.htm ()
O8 - Extra context menu item: Download video with Free Download Manager - C:\Program Files\Free Download Manager\dlfvideo.htm ()
O8 - Extra context menu item: Download with Free Download Manager - C:\Program Files\Free Download Manager\dllink.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKU\S-1-5-21-82361716-3830150136-294940581-1000\..Trusted Domains: albertsons.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-82361716-3830150136-294940581-1000\..Trusted Domains: myalbertsons.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-82361716-3830150136-294940581-1000\..Trusted Domains: mysupervalu.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-82361716-3830150136-294940581-1000\..Trusted Domains: star401kplan.com ([karentkaczyk] * in Trusted sites)
O15 - HKU\S-1-5-21-82361716-3830150136-294940581-1000\..Trusted Domains: supervalu.com ([]* in Trusted sites)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.h...tDetection2.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C152CCA5-F351-4D72-A386-E444466A89B8}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - D:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/06/19 17:35:45 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/06/19 17:35:38 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/06/19 17:35:38 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Local\temp
[2012/06/19 17:04:36 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/06/19 17:04:36 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/06/19 17:04:36 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/06/19 17:03:03 | 004,562,361 | R--- | C] (Swearware) -- C:\Users\Dad\Desktop\G2GMR.exe
[2012/06/18 05:29:43 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\Dad\Desktop\aswMBR.exe
[2012/06/18 05:04:17 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\Dad\Desktop\OTL.exe
[2012/06/17 14:27:03 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Roaming\SpeedMaxPc
[2012/06/17 14:27:03 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Roaming\DriverCure
[2012/06/17 14:26:54 | 000,000,000 | ---D | C] -- C:\ProgramData\SpeedMaxPc
[2012/06/17 14:12:31 | 000,000,000 | ---D | C] -- C:\Users\Dad\Desktop\tdsskiller
[2012/06/17 14:09:39 | 000,000,000 | ---D | C] -- C:\Users\Dad\Desktop\GooredFix Backups
[2012/06/17 14:09:02 | 000,071,398 | ---- | C] (jpshortstuff) -- C:\Users\Dad\Desktop\GooredFix.exe
[2012/06/15 06:57:09 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools
[2012/06/15 06:51:37 | 000,203,088 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTSD.sys
[2012/06/15 06:51:36 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2012/06/15 06:51:06 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Tools
[2012/06/15 06:51:04 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Roaming\TestApp
[2012/06/14 07:49:13 | 000,101,112 | R--- | C] (GFI Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2012/06/14 06:35:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/06/14 06:34:55 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/06/14 06:34:55 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/06/14 06:33:14 | 009,852,544 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Dad\Desktop\mbam.exe
[2012/06/13 10:49:09 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Roaming\Wise Registry Cleaner
[2012/06/13 10:48:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wise Registry Cleaner
[2012/06/13 10:48:24 | 000,000,000 | ---D | C] -- C:\Program Files\Wise
[2012/06/13 10:03:56 | 000,000,000 | ---D | C] -- C:\ProgramData\blekko toolbars
[2012/06/13 10:03:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XdN Software
[2012/06/13 10:03:53 | 000,000,000 | ---D | C] -- C:\Program Files\XdN Software
[2012/06/13 10:03:26 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Local\blekkotb_031
[2012/06/13 10:03:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Anti-phishing Domain Advisor
[2012/06/13 09:07:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Glary Utilities
[2012/06/13 09:07:08 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Roaming\GlarySoft
[2012/06/13 09:07:07 | 000,000,000 | ---D | C] -- C:\Program Files\Glary Utilities
[2012/06/13 06:59:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2012/06/13 06:58:58 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner

========== Files - Modified Within 30 Days ==========

[2012/06/21 06:08:25 | 000,014,832 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/06/21 06:08:25 | 000,014,832 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/06/21 06:06:32 | 000,000,308 | ---- | M] () -- C:\Windows\tasks\GlaryInitialize.job
[2012/06/21 06:00:55 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/06/21 06:00:49 | 1610,113,024 | -HS- | M] () -- C:\hiberfil.sys
[2012/06/19 17:25:19 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/06/19 17:03:12 | 004,562,361 | R--- | M] (Swearware) -- C:\Users\Dad\Desktop\G2GMR.exe
[2012/06/18 15:38:14 | 261,317,735 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/06/18 05:30:08 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\Dad\Desktop\aswMBR.exe
[2012/06/18 05:04:21 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Dad\Desktop\OTL.exe
[2012/06/17 14:11:35 | 002,109,032 | ---- | M] () -- C:\Users\Dad\Desktop\tdsskiller.zip
[2012/06/17 14:09:05 | 000,071,398 | ---- | M] (jpshortstuff) -- C:\Users\Dad\Desktop\GooredFix.exe
[2012/06/15 16:21:48 | 000,007,840 | ---- | M] () -- C:\Windows\System32\drivers\kgpcpy.cfg
[2012/06/15 06:53:56 | 001,472,019 | ---- | M] () -- C:\Windows\System32\drivers\Cat.DB
[2012/06/15 05:13:49 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2012/06/14 07:55:06 | 000,442,332 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.old
[2012/06/14 06:35:00 | 000,001,047 | ---- | M] () -- C:\Users\Dad\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2012/06/14 06:35:00 | 000,001,023 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2012/06/14 06:33:27 | 009,852,544 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Dad\Desktop\mbam.exe
[2012/06/14 06:24:46 | 001,008,141 | ---- | M] () -- C:\Users\Dad\Desktop\rkill.com
[2012/06/13 10:48:27 | 000,001,141 | ---- | M] () -- C:\Users\Public\Desktop\Wise Registry Cleaner.lnk
[2012/06/13 10:03:54 | 000,001,116 | ---- | M] () -- C:\Users\Public\Desktop\XdN Tweaker.lnk
[2012/06/13 07:38:00 | 000,371,192 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/06/13 07:33:20 | 000,623,940 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/06/13 07:33:20 | 000,106,316 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/06/13 07:17:51 | 000,015,602 | ---- | M] () -- C:\Users\Public\Documents\cc_20120613_071746.reg
[2012/06/13 07:02:13 | 000,046,870 | ---- | M] () -- C:\Users\Public\Documents\cc_20120613_070152.reg
[2012/06/13 06:58:09 | 000,007,627 | ---- | M] () -- C:\Users\Dad\AppData\Local\Resmon.ResmonCfg
[2012/05/29 08:32:04 | 000,002,175 | ---- | M] () -- C:\Users\Dad\Desktop\Kindle.lnk

========== Files Created - No Company Name ==========

[2012/06/19 17:04:36 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/06/19 17:04:36 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/06/19 17:04:36 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/06/19 17:04:36 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/06/19 17:04:36 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/06/17 14:11:27 | 002,109,032 | ---- | C] () -- C:\Users\Dad\Desktop\tdsskiller.zip
[2012/06/15 16:18:09 | 000,007,840 | ---- | C] () -- C:\Windows\System32\drivers\kgpcpy.cfg
[2012/06/15 07:11:38 | 261,317,735 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2012/06/15 06:51:59 | 001,472,019 | ---- | C] () -- C:\Windows\System32\drivers\Cat.DB
[2012/06/14 06:35:00 | 000,001,047 | ---- | C] () -- C:\Users\Dad\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2012/06/14 06:35:00 | 000,001,023 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2012/06/14 06:24:44 | 001,008,141 | ---- | C] () -- C:\Users\Dad\Desktop\rkill.com
[2012/06/13 10:48:27 | 000,001,141 | ---- | C] () -- C:\Users\Public\Desktop\Wise Registry Cleaner.lnk
[2012/06/13 10:03:54 | 000,001,116 | ---- | C] () -- C:\Users\Public\Desktop\XdN Tweaker.lnk
[2012/06/13 09:07:15 | 000,000,308 | ---- | C] () -- C:\Windows\tasks\GlaryInitialize.job
[2012/06/13 07:17:48 | 000,015,602 | ---- | C] () -- C:\Users\Public\Documents\cc_20120613_071746.reg
[2012/06/13 07:02:01 | 000,046,870 | ---- | C] () -- C:\Users\Public\Documents\cc_20120613_070152.reg
[2012/05/16 07:43:45 | 000,007,627 | ---- | C] () -- C:\Users\Dad\AppData\Local\Resmon.ResmonCfg
[2011/10/12 07:21:53 | 000,000,118 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2011/09/12 12:35:24 | 000,001,252 | -HS- | C] () -- C:\Users\Dad\AppData\Local\517aqq2h75674sh3hggnyr2175hq6fw02
[2011/09/12 12:35:24 | 000,001,252 | -HS- | C] () -- C:\ProgramData\517aqq2h75674sh3hggnyr2175hq6fw02
[2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\ProgramData\syry.exe
[2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\ProgramData\rqda.exe
[2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\ProgramData\miog.exe
[2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\ProgramData\cowu.exe

========== LOP Check ==========

[2011/02/22 14:22:35 | 000,000,000 | ---D | M] -- C:\Users\Bethany\AppData\Roaming\enchant
[2010/07/28 12:02:49 | 000,000,000 | ---D | M] -- C:\Users\Bethany\AppData\Roaming\Thunderbird
[2012/04/14 06:47:40 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Aaron Stewart
[2011/05/24 06:53:28 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Amazon
[2011/12/11 13:33:17 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\AMS Software
[2012/06/17 14:27:03 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\DriverCure
[2009/12/23 17:41:47 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\enchant
[2012/05/06 07:22:39 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Free Download Manager
[2011/07/17 13:06:14 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\FreeFLVConverter
[2012/06/13 09:16:02 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\GlarySoft
[2011/08/07 18:01:14 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\GrabPro
[2010/04/30 11:14:12 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\gtk-2.0
[2012/04/14 07:01:44 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Hulubulu
[2012/05/06 07:15:38 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\IObit
[2011/05/19 05:36:32 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\LibreOffice
[2012/05/08 06:28:55 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Orbit
[2011/12/09 08:14:59 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\PhotoCollageMax
[2011/06/26 09:17:58 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\ProgSense
[2012/06/17 14:27:03 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\SpeedMaxPc
[2010/04/30 11:32:20 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Sylpheed
[2012/06/15 06:51:04 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\TestApp
[2010/04/29 16:11:52 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Thunderbird
[2011/11/21 07:35:01 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Visan
[2011/07/15 13:09:57 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\WeatherBug
[2011/07/20 10:06:28 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Winff
[2012/06/13 10:56:35 | 000,000,000 | ---D | M] -- C:\Users\Dad\AppData\Roaming\Wise Registry Cleaner
[2010/11/07 17:07:17 | 000,000,000 | ---D | M] -- C:\Users\Gary\AppData\Roaming\Thunderbird
[2011/01/03 12:33:56 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\enchant
[2012/05/06 08:52:00 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\IObit
[2010/04/30 06:16:12 | 000,000,000 | ---D | M] -- C:\Users\Mom\AppData\Roaming\Thunderbird
[2012/06/21 06:06:32 | 000,000,308 | ---- | M] () -- C:\Windows\Tasks\GlaryInitialize.job
[2012/05/27 13:14:01 | 000,032,586 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:D74B6CF5

< End of report >
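Reading an OTL log by hand means scanning the file lines for the same handful of patterns every time. The script below is an added example, not part of the post and not OTL's own code: it parses OTL's file/folder lines and the alternate-data-stream lines, then applies a few responder heuristics. The sample lines are copied from the log above (the hidden 1,252-byte files with random names and the zero-byte .exe files created in the same second under C:\ProgramData, the unnamed PEV.exe in C:\Windows, the hex-named stream on C:\ProgramData\TEMP); the thresholds and rule names are this example's own choices. Two caveats the log itself illustrates: the SteelWerX, NirSoft and unnamed executables that appeared in C:\Windows at 17:04:36, a minute after G2GMR.exe landed on the desktop, are most likely cleanup-tool components and belong on an allow-list in front of the "no publisher" rule, and hex-named streams on C:\ProgramData\TEMP are often installer leftovers, so the stream rule only ranks them low.

```python
"""Triage rules for OTL-style log lines (added example; not OTL's code).

Parses lines of the form
    [YYYY/MM/DD HH:MM:SS | size | attrs | C|M] (Company) -- path
and '@Alternate Data Stream - N bytes -> path:stream', then applies
heuristics whose thresholds are this example's own choices.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

FILE_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
ADS_LINE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")
EXECUTABLE_EXT = (".exe", ".com", ".scr", ".dll", ".sys", ".pif")


@dataclass
class Entry:
    when: datetime
    size: int
    attrs: str      # four flags, e.g. '-HS-' = hidden+system file, '---D' = directory
    company: str    # version-resource company; '' when OTL printed '()' or nothing
    path: str


@dataclass
class Finding:
    path: str
    rule: str
    severity: str   # 'high', 'medium' or 'low'


def parse_file_line(line: str) -> Optional[Entry]:
    """Return an Entry for an OTL file/folder line, or None for any other line."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    return Entry(when=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                 size=int(m["size"].replace(",", "")), attrs=m["attrs"],
                 company=(m["company"] or "").strip(), path=m["path"])


def in_data_dir(path: str) -> bool:
    """User-writable data locations where droppers commonly land."""
    low = path.lower()
    return low.startswith("c:\\programdata\\") or "\\appdata\\" in low


def triage(lines: List[str]) -> List[Finding]:
    entries = [e for e in map(parse_file_line, lines) if e is not None]
    findings: List[Finding] = []
    for e in entries:
        low = e.path.lower()
        is_dir = "D" in e.attrs
        is_exe = low.endswith(EXECUTABLE_EXT)
        # Hidden+system files under ProgramData/AppData: legitimate software rarely sets both there.
        if not is_dir and "H" in e.attrs and "S" in e.attrs and in_data_dir(e.path):
            findings.append(Finding(e.path, "hidden+system file in user/program data", "high"))
        # Zero-byte executables in data directories are leftovers of a dropper, not programs.
        if is_exe and e.size == 0 and in_data_dir(e.path):
            findings.append(Finding(e.path, "zero-byte executable in user/program data", "high"))
        # Executables with no publisher string directly in C:\Windows deserve a look;
        # cleanup tools drop helpers there too, so put an allow-list in front of this rule.
        if is_exe and not e.company and low.rsplit("\\", 1)[0] == "c:\\windows":
            findings.append(Finding(e.path, "executable without publisher in C:\\Windows root", "medium"))
    # Several files written to data directories in the same second usually share one origin.
    dropped = defaultdict(list)
    for e in entries:
        if "D" not in e.attrs and in_data_dir(e.path):
            dropped[e.when].append(e.path)
    for when, paths in sorted(dropped.items()):
        if len(paths) >= 3:
            findings.append(Finding("; ".join(paths),
                                    f"{len(paths)} files created in the same second "
                                    f"({when:%Y-%m-%d %H:%M:%S}) in user/program data", "medium"))
    # Streams other than the browser's Zone.Identifier are worth dumping and reading.
    for line in lines:
        m = ADS_LINE.match(line.strip())
        if m:
            stream = m["path"].rpartition(":")[2]
            if stream.lower() != "zone.identifier":
                findings.append(Finding(m["path"], f"alternate data stream '{stream}' ({m['size']} bytes)", "low"))
    return findings


# Sample lines copied from the OTL log in the thread (used here as constructed test input).
SAMPLE_LOG = r"""
[2012/06/19 17:04:36 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/06/19 17:04:36 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/06/17 14:27:03 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Roaming\SpeedMaxPc
[2011/09/12 12:35:24 | 000,001,252 | -HS- | C] () -- C:\Users\Dad\AppData\Local\517aqq2h75674sh3hggnyr2175hq6fw02
[2011/09/12 12:35:24 | 000,001,252 | -HS- | C] () -- C:\ProgramData\517aqq2h75674sh3hggnyr2175hq6fw02
[2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\ProgramData\syry.exe
[2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\ProgramData\rqda.exe
[2012/06/14 06:34:55 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity:6}] {f.rule}: {f.path}")
```

Run against a full OTL report, the rules surface the same entries a helper would ask about first; the output is a starting point for questions, not a verdict, since a hidden-and-system flag or a missing publisher string is suspicious in a data directory but routine in a system one.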

#14
Garysam43 (Member, Topic Starter, 37 posts)
MBRCheck Results:
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 32-bit
Base Board Manufacturer: ASUSTeK Computer INC.
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: HP-Pavilion
System Product Name: GG750AV-ABA a6100y
Logical Drives Mask: 0x000003fc

Kernel Drivers (total 193):
0x8303E000 \SystemRoot\system32\ntkrnlpa.exe
0x83007000 \SystemRoot\system32\halmacpi.dll
0x80BCA000 \SystemRoot\system32\kdcom.dll
0x83608000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8368D000 \SystemRoot\system32\PSHED.dll
0x8369E000 \SystemRoot\system32\BOOTVID.dll
0x836A6000 \SystemRoot\system32\CLFS.SYS
0x836E8000 \SystemRoot\system32\CI.dll
0x83C23000 \SystemRoot\system32\drivers\Wdf01000.sys
0x83C94000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x83CA2000 \SystemRoot\system32\drivers\ACPI.sys
0x83CEA000 \SystemRoot\system32\drivers\WMILIB.SYS
0x83CF3000 \SystemRoot\system32\drivers\msisadrv.sys
0x83CFB000 \SystemRoot\system32\drivers\pci.sys
0x83D25000 \SystemRoot\system32\drivers\vdrvroot.sys
0x83D30000 \SystemRoot\System32\drivers\partmgr.sys
0x83D41000 \SystemRoot\system32\drivers\volmgr.sys
0x83D51000 \SystemRoot\System32\drivers\volmgrx.sys
0x83D9C000 \SystemRoot\system32\drivers\intelide.sys
0x83DA3000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x83DB1000 \SystemRoot\System32\drivers\mountmgr.sys
0x83DC7000 \SystemRoot\system32\drivers\atapi.sys
0x83DD0000 \SystemRoot\system32\drivers\ataport.SYS
0x83DF3000 \SystemRoot\system32\drivers\amdxata.sys
0x83793000 \SystemRoot\system32\drivers\fltmgr.sys
0x83C00000 \SystemRoot\system32\drivers\fileinfo.sys
0x83C11000 \SystemRoot\System32\Drivers\FSPFltd.sys
0x837C7000 \SystemRoot\System32\Drivers\msrpc.sys
0x83E3D000 \SystemRoot\System32\Drivers\ksecdd.sys
0x83E50000 \SystemRoot\System32\Drivers\Ntfs.sys
0x83F7F000 \SystemRoot\System32\Drivers\cng.sys
0x83FDC000 \SystemRoot\System32\drivers\pcw.sys
0x83FEA000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x89206000 \SystemRoot\system32\drivers\ndis.sys
0x892BD000 \SystemRoot\system32\drivers\NETIO.SYS
0x892FB000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x8942E000 \SystemRoot\System32\drivers\tcpip.sys
0x89579000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x895AA000 \SystemRoot\system32\drivers\volsnap.sys
0x895E9000 \SystemRoot\System32\Drivers\spldr.sys
0x89400000 \SystemRoot\System32\drivers\rdyboost.sys
0x89320000 \SystemRoot\System32\Drivers\mup.sys
0x895F1000 \SystemRoot\System32\drivers\hwpolicy.sys
0x89330000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x89362000 \SystemRoot\system32\DRIVERS\disk.sys
0x89373000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x893CA000 \SystemRoot\system32\drivers\cdrom.sys
0x8EA2E000 \SystemRoot\System32\Drivers\aswSnx.SYS
0x8EAC8000 \SystemRoot\System32\Drivers\Null.SYS
0x8EACF000 \SystemRoot\System32\Drivers\Beep.SYS
0x8EAD6000 \??\C:\Windows\system32\drivers\SBREdrv.sys
0x8EAEE000 \SystemRoot\System32\drivers\vga.sys
0x8EAFA000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8EB1B000 \SystemRoot\System32\drivers\watchdog.sys
0x8EB28000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8EB30000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8EB38000 \SystemRoot\system32\drivers\rdprefmp.sys
0x8EB40000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8EB4B000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8EB59000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8EB70000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8EB7C000 \SystemRoot\System32\Drivers\aswTdi.SYS
0x8EB88000 \SystemRoot\system32\drivers\afd.sys
0x8EBE2000 \SystemRoot\System32\Drivers\aswrdr2.sys
0x83E00000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8EBEF000 \SystemRoot\system32\drivers\ws2ifsl.sys
0x8EBF8000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x8EA00000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8EA1F000 \SystemRoot\system32\DRIVERS\netbios.sys
0x893E9000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8E626000 \SystemRoot\system32\drivers\termdd.sys
0x8E637000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8E678000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8E682000 \SystemRoot\system32\drivers\mssmbios.sys
0x8E68C000 \SystemRoot\System32\drivers\discache.sys
0x8E698000 \SystemRoot\System32\Drivers\dfsc.sys
0x8E6B0000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x8E6BE000 \SystemRoot\System32\Drivers\aswSP.SYS
0x8E70F000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8E730000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x91002000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x919FD000 \SystemRoot\System32\Drivers\nvBridge.kmd
0x8E742000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8FA3B000 \SystemRoot\System32\drivers\dxgmms1.sys
0x8FA74000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8FA93000 \SystemRoot\system32\DRIVERS\Rt86win7.sys
0x8FAC5000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x8FAD0000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8FB1B000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8FB2A000 \SystemRoot\system32\DRIVERS\HSXHWBS2.sys
0x8FB76000 \SystemRoot\system32\DRIVERS\ks.sys
0x8FE36000 \SystemRoot\system32\DRIVERS\HSX_DP.sys
0x8FF38000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0x8FFED000 \SystemRoot\system32\drivers\modem.sys
0x8FE00000 \SystemRoot\system32\drivers\i8042prt.sys
0x8FE18000 \SystemRoot\system32\drivers\kbdclass.sys
0x8FE25000 \SystemRoot\system32\drivers\CompositeBus.sys
0x8FBAA000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x8FBBC000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8FBD4000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8FA00000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8FA22000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8FBDF000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8E600000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8E617000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8FE32000 \SystemRoot\system32\drivers\swenum.sys
0x837F2000 \SystemRoot\system32\drivers\umbus.sys
0x96C17000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x96C5B000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x96C6C000 \SystemRoot\system32\drivers\HdAudio.sys
0x96CBC000 \SystemRoot\system32\drivers\portcls.sys
0x96CEB000 \SystemRoot\system32\drivers\drmk.sys
0x97638000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x98300000 \SystemRoot\System32\win32k.sys
0x978D5000 \SystemRoot\System32\drivers\Dxapi.sys
0x978DF000 \SystemRoot\System32\Drivers\crashdmp.sys
0x978EC000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x978F7000 \SystemRoot\System32\Drivers\dump_atapi.sys
0x97900000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x97911000 \SystemRoot\system32\DRIVERS\monitor.sys
0x9791C000 \SystemRoot\system32\drivers\USBSTOR.SYS
0x97933000 \SystemRoot\system32\drivers\USBD.SYS
0x98560000 \SystemRoot\System32\TSDDD.dll
0x97935000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x9794C000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x97957000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x9796A000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x98590000 \SystemRoot\System32\cdd.dll
0x97971000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x9797C000 \SystemRoot\system32\drivers\luafv.sys
0x97997000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
0x979CA000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0x979CD000 \SystemRoot\system32\drivers\WudfPf.sys
0x979E7000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x97600000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x96D04000 \SystemRoot\system32\drivers\HTTP.sys
0x97613000 \SystemRoot\system32\DRIVERS\bowser.sys
0x96D89000 \SystemRoot\System32\drivers\mpsdrv.sys
0x96D9B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x96DBE000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x89398000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x9762C000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0x9F437000 \SystemRoot\system32\drivers\peauth.sys
0x9F4CE000 \SystemRoot\System32\Drivers\secdrv.SYS
0x9F4D8000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x9F4F9000 \SystemRoot\System32\drivers\tcpipreg.sys
0x9F506000 \SystemRoot\system32\DRIVERS\XAudio32.sys
0x9F50E000 \SystemRoot\System32\DRIVERS\srv2.sys
0x9F55E000 \SystemRoot\System32\DRIVERS\srv.sys
0x9F5B0000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x9F5D1000 \??\C:\Windows\system32\drivers\mbam.sys
0xA6EA7000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xA6EB0000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xA6EBE000 \SystemRoot\system32\DRIVERS\usbprint.sys
0x77AA0000 \Windows\System32\ntdll.dll
0x482C0000 \Windows\System32\smss.exe
0x77CE0000 \Windows\System32\apisetschema.dll
0x00CE0000 \Windows\System32\autochk.exe
0x77C70000 \Windows\System32\difxapi.dll
0x77A00000 \Windows\System32\advapi32.dll
0x77950000 \Windows\System32\rpcrt4.dll
0x77830000 \Windows\System32\wininet.dll
0x77670000 \Windows\System32\iertutil.dll
0x77C60000 \Windows\System32\lpk.dll
0x775E0000 \Windows\System32\oleaut32.dll
0x77C20000 \Windows\System32\ws2_32.dll
0x77590000 \Windows\System32\Wldap32.dll
0x77C10000 \Windows\System32\nsi.dll
0x77BE0000 \Windows\System32\imagehlp.dll
0x77430000 \Windows\System32\ole32.dll
0x773E0000 \Windows\System32\gdi32.dll
0x77350000 \Windows\System32\clbcatq.dll
0x77230000 \Windows\System32\urlmon.dll
0x77210000 \Windows\System32\sechost.dll
0x771B0000 \Windows\System32\shlwapi.dll
0x770D0000 \Windows\System32\kernel32.dll
0x770C0000 \Windows\System32\normaliz.dll
0x77010000 \Windows\System32\msvcrt.dll
0x76FF0000 \Windows\System32\imm32.dll
0x76E50000 \Windows\System32\setupapi.dll
0x76DB0000 \Windows\System32\usp10.dll
0x76CE0000 \Windows\System32\msctf.dll
0x76C10000 \Windows\System32\user32.dll
0x75FC0000 \Windows\System32\shell32.dll
0x75F40000 \Windows\System32\comdlg32.dll
0x75F30000 \Windows\System32\psapi.dll
0x75F10000 \Windows\System32\devobj.dll
0x75EC0000 \Windows\System32\KernelBase.dll
0x75E90000 \Windows\System32\cfgmgr32.dll
0x75D70000 \Windows\System32\crypt32.dll
0x75CE0000 \Windows\System32\comctl32.dll
0x75CB0000 \Windows\System32\wintrust.dll
0x75CA0000 \Windows\System32\msasn1.dll

Processes (total 46):
0 System Idle Process
4 System
308 C:\Windows\System32\smss.exe
448 csrss.exe
504 C:\Windows\System32\wininit.exe
512 csrss.exe
568 C:\Windows\System32\services.exe
592 C:\Windows\System32\winlogon.exe
620 C:\Windows\System32\lsass.exe
628 C:\Windows\System32\lsm.exe
720 C:\Windows\System32\svchost.exe
800 C:\Windows\System32\nvvsvc.exe
828 C:\Windows\System32\svchost.exe
876 C:\Windows\System32\svchost.exe
984 C:\Windows\System32\svchost.exe
1036 C:\Windows\System32\svchost.exe
1164 C:\Windows\System32\svchost.exe
1256 C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
1280 C:\Windows\System32\nvvsvc.exe
1396 C:\Windows\System32\svchost.exe
1484 C:\Program Files\AVAST Software\Avast\AvastSvc.exe
1728 C:\Windows\System32\spoolsv.exe
1804 C:\Windows\System32\svchost.exe
1884 C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
1932 C:\Windows\System32\svchost.exe
2044 C:\Windows\System32\svchost.exe
516 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
1292 C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
2184 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
2380 WUDFHost.exe
2764 C:\Windows\System32\svchost.exe
2792 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
2848 C:\Program Files\Windows Media Player\wmpnetwk.exe
3656 C:\Windows\System32\taskhost.exe
3812 C:\Windows\System32\dwm.exe
3848 C:\Windows\explorer.exe
4040 C:\Program Files\AVAST Software\Avast\AvastUI.exe
4048 C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe
4064 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
1812 C:\Windows\System32\svchost.exe
2724 C:\Windows\System32\wuauclt.exe
3312 dllhost.exe
3652 C:\Windows\System32\svchost.exe
3608 C:\Windows\System32\audiodg.exe
3080 C:\Users\Dad\Desktop\MBRCheck.exe
3948 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive1 at offset 0x00000000`06500000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive1 at offset 0x00000010`8cde8400 (NTFS)

PhysicalDrive1 Model Number: ST380815AS, Rev: 3.CHF
PhysicalDrive0 Model Number: ST380021A, Rev: 3.19

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive1 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
74 GB \\.\PhysicalDrive0 Legit MBR code detected
SHA1: 317A49A9E93F077F2D004734D2A7B6CA7E7B9495


Done!
  • 0

#15
WhiteHat

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
# Step 1 #

Please reopen OTL on your desktop.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - HKLM\..\SearchScopes\{031949b3-28b6-43a4-90e2-dde1cfe21390}: "URL" = http://search.mywebs...r={searchTerms}
    IE -  HKU\S-1-5-21-82361716-3830150136-294940581-1000\..\SearchScopes\{031949b3-28b6-43a4-90e2-dde1cfe21390}:  "URL" = http://search.mywebs...r={searchTerms}
    IE -  HKU\S-1-5-21-82361716-3830150136-294940581-1000\..\SearchScopes\{45751D25-4CDF-4ECB-AE06-6C79A5BBC31E}:  "URL" = http://findgala.com/...q={searchTerms}
    IE -  HKU\S-1-5-21-82361716-3830150136-294940581-1000\..\SearchScopes\{88FB16D2-04EA-4ffe-8079-CFF68F1B9CE6}:  "URL" = http://www.search-re...&ver=4.0.0.1550
    IE -  HKU\S-1-5-21-82361716-3830150136-294940581-1000\..\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}:  "URL" = http://toolbar.inbox...id=80116&lng=en
    FF - prefs.js..browser.search.defaultengine: "Ask.com"
    FF - prefs.js..browser.search.defaultenginename: "Ask.com"
    FF - prefs.js..browser.search.order.1: "Ask.com"
    [2011/05/26 09:14:41 | 000,002,569 | ---- | M] () --  C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\2pwyj0go.default\searchplugins\askcom.xml
    [2011/09/12 12:35:50 | 000,001,210 | ---- | M] () --  C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\2pwyj0go.default\searchplugins\search.xml
    [2011/09/12 12:35:24 | 000,001,252 | -HS- | C] () -- C:\Users\Dad\AppData\Local\517aqq2h75674sh3hggnyr2175hq6fw02
    [2011/09/12 12:35:24 | 000,001,252 | -HS- | C] () -- C:\ProgramData\517aqq2h75674sh3hggnyr2175hq6fw02
    [2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\ProgramData\syry.exe
    [2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\ProgramData\rqda.exe
    [2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\ProgramData\miog.exe
    [2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\ProgramData\cowu.exe
    
    
    :Commands
    [CREATERESTOREPOINT]
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

# Step 2 #

  • Run the OTL.exe. Make sure all other windows are closed and let it run uninterrupted.
  • Select All Users
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open one Notepad window containing OTL.Txt. This is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it in your topic

  • 0
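
The OTL fix script in this post targets hijacked IE search scopes plus a cluster of hidden/system files and zero-byte executables all created in the same second. The following added Python script (not part of this thread, and not OTL's own code) parses lines in OTL's log format and turns those observations into detection heuristics a responder can run over a full OTL.Txt; the sample entries are copied from the fix script, and the allowlist of known search hosts is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: entries copied from the OTL fix script in this thread (URL truncated as the forum shows it).
SAMPLE = r"""
IE -  HKU\S-1-5-21-82361716-3830150136-294940581-1000\..\SearchScopes\{45751D25-4CDF-4ECB-AE06-6C79A5BBC31E}:  "URL" = http://findgala.com/...q={searchTerms}
[2011/05/26 09:14:41 | 000,002,569 | ---- | M] () --  C:\Users\Dad\AppData\Roaming\Mozilla\Firefox\Profiles\2pwyj0go.default\searchplugins\askcom.xml
[2011/09/12 12:35:24 | 000,001,252 | -HS- | C] () -- C:\Users\Dad\AppData\Local\517aqq2h75674sh3hggnyr2175hq6fw02
[2011/09/12 12:35:24 | 000,001,252 | -HS- | C] () -- C:\ProgramData\517aqq2h75674sh3hggnyr2175hq6fw02
[2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\ProgramData\syry.exe
[2011/09/12 12:35:24 | 000,000,000 | ---- | C] () -- C:\ProgramData\rqda.exe
"""

# OTL file entry: [date time | size | attributes | C(reated)/M(odified)] () -- path
FILE_RE = re.compile(r"^\[(\S+ \S+) \| ([\d,]+) \| (\S{4}) \| ([CM])\] \(\) -- +(.+)$")
# OTL registry entry for an IE search scope: IE - hive\..\SearchScopes\{GUID}: "URL" = url
SCOPE_RE = re.compile(r'^IE - +\S+\\SearchScopes\\\{[0-9A-Fa-f-]+\}: +"URL" = (\S+)$')
KNOWN_SEARCH_HOSTS = {"www.bing.com", "www.google.com"}  # assumed allowlist of hosts the user chose

def parse_otl(text):
    """Parse OTL file and IE SearchScopes lines into dicts; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        if m := FILE_RE.match(line):
            stamp, size, attrs, op, path = m.groups()
            entries.append({"kind": "file", "stamp": stamp, "path": path, "created": op == "C",
                            "size": int(size.replace(",", "")), "hs": attrs[1:3] == "HS"})
        elif m := SCOPE_RE.match(line):
            entries.append({"kind": "scope", "host": urlparse(m.group(1)).hostname or ""})
    return entries

def find_suspicious(entries):
    """Flag hijacked search scopes, hidden+system files in writable data folders, zero-byte .exe files and creation bursts."""
    findings = [("unexpected_search_scope", e["host"]) for e in entries
                if e["kind"] == "scope" and e["host"] not in KNOWN_SEARCH_HOSTS]
    created_at = defaultdict(list)
    for e in (x for x in entries if x["kind"] == "file"):
        low = e["path"].lower()
        if e["hs"] and ("\\programdata\\" in low or "\\appdata\\local\\" in low):
            findings.append(("hidden_system_in_data_dir", e["path"]))
        if e["size"] == 0 and low.endswith(".exe"):
            findings.append(("zero_byte_exe", e["path"]))
        if e["created"]:
            created_at[e["stamp"]].append(e["path"])
    for stamp, paths in created_at.items():
        if len(paths) >= 3:  # several files born in the same second looks like one dropper run
            findings.append(("creation_burst", f"{stamp} ({len(paths)} files)"))
    return findings
```

Run `find_suspicious(parse_otl(open("OTL.Txt").read()))` on a real log; the benign askcom.xml entry in the sample shows that a plain modified file in the profile is not reported.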