Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

MBR Alureon k RTK Infection? Daughters laptop. [Solved]

Started by The Wardog , Jul 15 2012 01:36 PM

  • This topic is locked This topic is locked

#1
The Wardog
Posted 15 July 2012 - 01:36 PM

The Wardog

    Member

  • Member
  • PipPip
  • 15 posts
Hello Everyone, I really need help on this one. Have read all the nearly all the posts and answer here and elsewhere. I have run OLT and have a Notepad log and Extra log from OLT. I have tried to run aswMBR from avast- will not execute. Tried tdsskiller same result. Attempted to run in Safemode/ same result.
Avast finds the file and attempts to delete and run a boot scan/ still there. Malwarebytes doesn't even see it. Hers's my report files.
Also one other popup report is for something about a redirect to something or other....puma.com and like 4 or 5 different websites. When it pops up again I will get a full address.

Thanks in Advance.

Attached Files


  • 0

Advertisements

#2
Nedklaw
Posted 15 July 2012 - 02:57 PM

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hello, The Wardog! :wave:

:welcome: I'm Nedklaw and I'll be glad to help you with your malware issues. :)

I am currently still in training and my posts have to be approved by an expert so please expect a delay between my posts.

These instructions are specifically designed for The Wardog only. No one else should follow these instructions because it can cause serious damage to your computer.

Before we start to clean your computer of malware, please read through the following points to help me and you, and prevent damage to your computer:
  • Please completely read through all of the instructions given to you before attempting to follow them. Reading too lightly will cause you to miss important steps, which could have DESTRUCTIVE effects. If you can't perform a certain step or you are unsure about what to do, let me know!
  • Don't be afraid to ask questions! If you are unsure about anything, ask me! No question is considered stupid here!
  • Be patient with me, logs can take some time to research and my life can mean that I'm busy.
  • Please copy and paste all logs into your reply. Do not attach logs to a post unless I tell you to or if they don't fit in the post.
  • If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • NEVER fix anything in OTL or other programs on your own! This can be very dangerous and cause harm to your system.
  • Refrain from running any other tools apart from the ones I tell you to.
Note: You should save or print out my instructions for easy reference, as part of the fix may be in Safe Mode and you won't be able to access GeeksToGo.


I am currently reviewing your logs and I will post back soon.
  • 1

#3
The Wardog
Posted 15 July 2012 - 09:24 PM

The Wardog

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Thank You, Nekdlaw. This has been a nightmare from first glance. I appreciate the help and your time.
  • 0

#4
Nedklaw
Posted 16 July 2012 - 12:17 PM

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)
I have a suspicion of what infection you have and I will use RogueKiller to confirm this.


Step 1

  • Download RogueKiller and save it on your desktop.
  • Quit all programs.
  • Start RogueKiller.exe.
  • Note: If RogueKiller has been blocked, do not hesitate to try several times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
  • Wait until the Prescan has finished.
  • Click on Scan.

    Posted Image
  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
  • The report has been created on the desktop.
  • Next click on ShortcutsFix.
  • The report has been created on the desktop.

Step 2

If you have the paid version of Malwarebytes 1.6 or later installed, please disable it for the duration of this run.

To disable MBAM

Open the scanner and select the Protection tab.
Remove the tick from Start protection module with Windows.
Reboot and then run OTL.

Posted Image


Run OTL.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following: 

    :Commands 
[CREATERESTOREPOINT] 

:OTL 
O4:64bit: - HKLM..\Run: []  File not found
O4 - HKCU..\Run: [wIDpIbfvkBlefK.exe] C:\ProgramData\wIDpIbfvkBlefK.exe File not found
[2012/06/11 21:15:55 | 000,000,152 | ---- | C] () -- C:\ProgramData\-u9hQBDSo44WEWZr
[2012/06/11 21:15:55 | 000,000,000 | ---- | C] () -- C:\ProgramData\-u9hQBDSo44WEWZ
[2012/06/11 21:15:38 | 000,000,256 | ---- | C] () -- C:\ProgramData\u9hQBDSo44WEWZ

:Files
ipconfig /flushdns /c

:Commands
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.
  • Post the log that appears upon reboot in your next reply.
  • If no log appears upon reboot, the OTL Fix log should be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date and the time of the tool run.
  • Open OTL again and select the "Scan All Users" box.
  • Click the Quick Scan button. Post the log it produces in your next reply.

Things I want to see in your next reply

  • All RKreport.txt files
  • OTL Fix Log
  • OTL.txt
  • 0

#5
The Wardog
Posted 16 July 2012 - 09:52 PM

The Wardog

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Ran RogueKiller. Opened and ran fine/ OTL ran but with a Not Responding message and then proceeded. Desktop repopulated with icons and background. Here are the RKreport.txt files.

Report #1

RogueKiller V7.6.3 [07/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User: April [Admin rights]
Mode: Scan -- Date: 07/16/2012 21:54:38

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 7 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : wIDpIbfvkBlefK.exe (C:\ProgramData\wIDpIbfvkBlefK.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-266757346-149079058-799995861-1000[...]\Run : wIDpIbfvkBlefK.exe (C:\ProgramData\wIDpIbfvkBlefK.exe) -> FOUND
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1001namen.com
127.0.0.1 1001namen.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS543232L9A300 ATA Device +++++
--- User ---
[MBR] d2f041275e4d8a15eff7d1378ced7c3b
[BSP] 1443d842b4cab0996f235e857ef3b6bd : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 78 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 161792 | Size: 15360 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31619072 | Size: 289805 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] ffcfa556e1c8c2c9085035b2ca6955d7
[BSP] 1443d842b4cab0996f235e857ef3b6bd : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 78 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 161792 | Size: 15360 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 31619072 | Size: 289805 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 625139712 | Size: 1 Mo

Finished : << RKreport[1].txt >>
RKreport[1].txt



Report #2

RogueKiller V7.6.3 [07/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User: April [Admin rights]
Mode: Remove -- Date: 07/16/2012 21:56:22

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 6 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : wIDpIbfvkBlefK.exe (C:\ProgramData\wIDpIbfvkBlefK.exe) -> DELETED
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> REPLACED (C:\Users\April\Pictures\Story\Me\My Castles and Isle\Tiger Demon.jpg)
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1001namen.com
127.0.0.1 1001namen.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS543232L9A300 ATA Device +++++
--- User ---
[MBR] d2f041275e4d8a15eff7d1378ced7c3b
[BSP] 1443d842b4cab0996f235e857ef3b6bd : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 78 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 161792 | Size: 15360 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31619072 | Size: 289805 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] ffcfa556e1c8c2c9085035b2ca6955d7
[BSP] 1443d842b4cab0996f235e857ef3b6bd : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 78 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 161792 | Size: 15360 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 31619072 | Size: 289805 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 625139712 | Size: 1 Mo

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt



Report #3

RogueKiller V7.6.3 [07/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User: April [Admin rights]
Mode: Shortcuts HJfix -- Date: 07/16/2012 21:58:20

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 1 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 4 / Fail 0
Start menu: Success 1 / Fail 0
User folder: Success 124 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 72 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 99 / Fail 0
Backup: [FOUND] Success 13 / Fail 0

Drives:
[C:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped

¤¤¤ Infection : Rogue.FakeHDD ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt



OTL Moved Files

All processes killed
========== COMMANDS ==========
System Restore Service not available.
========== OTL ==========
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\wIDpIbfvkBlefK.exe not found.
C:\ProgramData\-u9hQBDSo44WEWZr moved successfully.
C:\ProgramData\-u9hQBDSo44WEWZ moved successfully.
C:\ProgramData\u9hQBDSo44WEWZ moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
c:\Users\April\Downloads\cmd.bat deleted successfully.
c:\Users\April\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: April
->Temp folder emptied: 205251368 bytes
->Temporary Internet Files folder emptied: 37962877 bytes
->Java cache emptied: 9263208 bytes
->FireFox cache emptied: 111077429 bytes
->Flash cache emptied: 3086266 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Mark
->Temp folder emptied: 127071 bytes
->Temporary Internet Files folder emptied: 76871801 bytes
->Java cache emptied: 13717400 bytes
->FireFox cache emptied: 111216682 bytes
->Flash cache emptied: 4881 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 58998815 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 35782663 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 633.00 mb


OTL by OldTimer - Version 3.2.54.0 log created on 07162012_221304

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\fb_2956.lck scheduled to be moved on reboot.

PendingFileRenameOperations files...
[2012/07/16 22:06:43 | 000,262,144 | ---- | M] () C:\Windows\temp\fb_2956.lck : Unable to obtain MD5

Registry entries deleted on Reboot...

OTL.TXT

OTL logfile created on: 7/16/2012 10:24:53 PM - Run 2
OTL by OldTimer - Version 3.2.54.0 Folder = c:\Users\April\Downloads
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.93 Gb Total Physical Memory | 2.59 Gb Available Physical Memory | 65.82% Memory free
8.04 Gb Paging File | 6.51 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 283.01 Gb Total Space | 171.91 Gb Free Space | 60.74% Space Free | Partition Type: NTFS
Drive D: | 15.00 Gb Total Space | 8.03 Gb Free Space | 53.50% Space Free | Partition Type: NTFS

Computer Name: APRIL-PC | User Name: April | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/15 12:23:27 | 000,596,480 | ---- | M] (OldTimer Tools) -- c:\Users\April\Downloads\OTL.exe
PRC - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/07/03 11:21:30 | 004,273,976 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2012/07/03 11:21:29 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2009/06/23 18:23:48 | 000,600,944 | ---- | M] () -- C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe
PRC - [2009/01/05 17:19:10 | 000,824,560 | ---- | M] (Dell Inc.) -- c:\Program Files (x86)\Common Files\Dell\Advanced Networking Service\hnm_svc.exe
PRC - [2009/01/05 17:19:10 | 000,480,496 | ---- | M] (Dell Inc.) -- C:\Program Files (x86)\Dell Remote Access\ezi_ra.exe
PRC - [2008/12/18 13:05:28 | 000,155,648 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DockLogin.exe
PRC - [2008/11/11 11:07:00 | 000,442,536 | ---- | M] (Creative Technology Ltd.) -- C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe
PRC - [2008/05/23 14:06:08 | 000,128,296 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2012/07/03 11:21:29 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV:64bit: - [2009/03/20 03:26:10 | 000,268,288 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\SysNative\DriverStore\FileRepository\stwrt64.inf_15f4e438\STacSV64.exe -- (STacSV)
SRV:64bit: - [2009/03/20 03:25:42 | 000,089,600 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\SysNative\DriverStore\FileRepository\stwrt64.inf_15f4e438\AESTSr64.exe -- (AESTFilters)
SRV:64bit: - [2008/12/22 05:35:16 | 000,032,768 | ---- | M] () [Auto | Running] -- C:\Windows\SysNative\WLTRYSVC.EXE -- (wltrysvc)
SRV:64bit: - [2008/12/18 13:05:28 | 000,155,648 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
SRV:64bit: - [2008/01/20 21:47:32 | 000,383,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2012/07/13 12:33:16 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/11/16 11:23:44 | 000,377,344 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- winhttp.dll -- (WinHttpAutoProxySvc)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/23 18:23:48 | 000,600,944 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe -- (ioloSystemService)
SRV - [2009/06/23 18:23:48 | 000,600,944 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe -- (ioloFileInfoList)
SRV - [2009/03/29 23:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/01/05 17:19:10 | 000,824,560 | ---- | M] (Dell Inc.) [Auto | Running] -- c:\Program Files (x86)\Common Files\Dell\Advanced Networking Service\hnm_svc.exe -- (hnmsvc)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/07/03 13:46:44 | 000,024,904 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2012/07/03 11:21:52 | 000,958,400 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\SysNative\drivers\aswSnx.sys -- (aswSnx)
DRV:64bit: - [2012/07/03 11:21:52 | 000,355,856 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP)
DRV:64bit: - [2012/07/03 11:21:52 | 000,071,064 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2012/07/03 11:21:52 | 000,059,728 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswTdi.sys -- (aswTdi)
DRV:64bit: - [2012/07/03 11:21:52 | 000,044,272 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr.sys -- (AswRdr)
DRV:64bit: - [2012/07/03 11:21:51 | 000,025,232 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV:64bit: - [2012/02/29 08:52:46 | 000,016,384 | ---- | M] (Microsoft Corporation) [Recognizer | System | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2010/08/25 20:36:04 | 010,611,552 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\igdkmd64.sys -- (igfx)
DRV:64bit: - [2009/09/30 19:51:42 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb)
DRV:64bit: - [2009/04/11 00:03:32 | 000,111,104 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\sdbus.sys -- (sdbus)
DRV:64bit: - [2009/03/20 03:26:24 | 000,477,696 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\stwrt64.sys -- (STHDA)
DRV:64bit: - [2009/02/10 04:40:28 | 000,158,592 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\OA008Ufd.sys -- (OA008Ufd)
DRV:64bit: - [2009/02/10 04:40:26 | 000,310,784 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\OA008Vid.sys -- (OA008Vid)
DRV:64bit: - [2008/12/22 05:34:48 | 000,022,520 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\BCM42RLY.sys -- (BCM42RLY)
DRV:64bit: - [2008/12/17 04:22:04 | 001,526,776 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\bcmwl664.sys -- (BCM43XX)
DRV:64bit: - [2008/12/09 14:26:50 | 000,023,464 | ---- | M] (EldoS Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\elrawdsk.sys -- (ElRawDisk)
DRV:64bit: - [2008/11/26 02:08:48 | 000,126,464 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel®
DRV:64bit: - [2008/11/26 01:56:58 | 000,261,680 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\SynTP.sys -- (SynTP)
DRV:64bit: - [2008/10/28 10:48:20 | 000,160,704 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\CtClsFlt.sys -- (CtClsFlt)
DRV:64bit: - [2008/10/08 04:49:52 | 000,252,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\k57nd60a.sys -- (k57nd60a) Broadcom NetLink ™
DRV:64bit: - [2008/09/16 04:11:04 | 000,057,856 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\rixdpx64.sys -- (rismxdp)
DRV:64bit: - [2008/09/16 04:11:00 | 000,062,976 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\rimmpx64.sys -- (rimmptsk)
DRV:64bit: - [2008/09/16 04:10:58 | 000,055,296 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\rimspx64.sys -- (rimsptsk)
DRV:64bit: - [2008/06/18 16:48:54 | 000,029,184 | ---- | M] (SingleClick Systems) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\packet.sys -- (Packet)
DRV:64bit: - [2008/01/20 21:46:55 | 000,317,952 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\e1e6032e.sys -- (e1express) Intel®
DRV:64bit: - [2007/11/14 03:00:00 | 000,053,488 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\Drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2006/11/02 02:48:50 | 002,488,320 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\atikmdag.sys -- (R300)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-266757346-149079058-799995861-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
IE - HKU\S-1-5-21-266757346-149079058-799995861-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
IE - HKU\S-1-5-21-266757346-149079058-799995861-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-266757346-149079058-799995861-1000\..\SearchScopes,DefaultScope = {2828E3BB-31BC-4E2B-B8E3-C8C64D068CE4}
IE - HKU\S-1-5-21-266757346-149079058-799995861-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKU\S-1-5-21-266757346-149079058-799995861-1000\..\SearchScopes\{2828E3BB-31BC-4E2B-B8E3-C8C64D068CE4}: "URL" = http://www.bing.com/...ferrer:source?}
IE - HKU\S-1-5-21-266757346-149079058-799995861-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKU\S-1-5-21-266757346-149079058-799995861-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.defaulturl: "http://www.bing.com/...?FORM=IEFM1&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.att.net/"
FF - prefs.js..keyword.URL: "http://www.bing.com/...?FORM=IEFM1&q="
FF - prefs.js..network.proxy.type: 4
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3555.0308: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012/07/11 13:10:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/07/13 12:33:17 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012/04/29 21:44:55 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/07/13 12:33:17 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012/04/29 21:44:55 | 000,000,000 | ---D | M]

[2009/12/14 21:34:06 | 000,000,000 | ---D | M] (No name found) -- C:\Users\April\AppData\Roaming\Mozilla\Extensions
[2009/12/14 21:34:06 | 000,000,000 | ---D | M] (No name found) -- C:\Users\April\AppData\Roaming\Mozilla\Extensions\[email protected]
[2012/05/02 11:54:33 | 000,000,000 | ---D | M] (No name found) -- C:\Users\April\AppData\Roaming\Mozilla\Firefox\Profiles\ysqkp2be.default\extensions
[2010/08/18 12:08:36 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\April\AppData\Roaming\Mozilla\Firefox\Profiles\ysqkp2be.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/03/13 14:02:32 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\April\AppData\Roaming\Mozilla\Firefox\Profiles\ysqkp2be.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}(17)
[2010/03/09 16:36:48 | 000,001,827 | ---- | M] () -- C:\Users\April\AppData\Roaming\Mozilla\Firefox\Profiles\ysqkp2be.default\searchplugins\bing.xml
[2012/06/11 21:05:06 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2011/02/07 21:55:30 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2012/07/11 13:10:15 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
[2012/07/13 12:33:17 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/04/25 23:26:54 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
[2012/06/11 21:05:00 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/06/11 21:05:00 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2010/03/10 09:46:54 | 000,381,004 | R--- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 13114 more lines...
O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2:64bit: - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg64.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3:64bit: - HKLM\..\Toolbar: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKU\S-1-5-21-266757346-149079058-799995861-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3:64bit: - HKU\S-1-5-21-266757346-149079058-799995861-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O4:64bit: - HKLM..\Run: [Broadcom Wireless Manager UI] C:\Windows\SysNative\WLTRAY.exe (Dell Inc.)
O4:64bit: - HKLM..\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe ()
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4:64bit: - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe (IDT, Inc.)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe ()
O4 - HKLM..\Run: [Dell PC TuneUp Startup] C:\Program Files (x86)\iolo\Common\Lib\ioloLManager.exe (iolo technologies, LLC)
O4 - HKLM..\Run: [Dell Webcam Central] C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-266757346-149079058-799995861-1000..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe File not found
O4 - Startup: C:\Users\April\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk = File not found
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = File not found
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = File not found
O4 - Startup: C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk = File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-266757346-149079058-799995861-1000\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-266757346-149079058-799995861-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-266757346-149079058-799995861-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKU\S-1-5-21-266757346-149079058-799995861-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000001 - C:\Windows\SysNative\wpclsp.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000002 - C:\Windows\SysNative\wpclsp.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000003 - C:\Windows\SysNative\wpclsp.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000004 - C:\Windows\SysNative\wpclsp.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000005 - C:\Windows\SysNative\wpclsp.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000006 - C:\Windows\SysNative\wpclsp.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000007 - C:\Windows\SysNative\wpclsp.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000008 - C:\Windows\SysNative\wpclsp.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000009 - C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp64.dll (PC Tools Research Pty Ltd.)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000010 - C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp64.dll (PC Tools Research Pty Ltd.)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000011 - C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp64.dll (PC Tools Research Pty Ltd.)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000022 - C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp64.dll (PC Tools Research Pty Ltd.)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000023 - C:\Windows\SysNative\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\SysWow64\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\SysWow64\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\SysWow64\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\SysWow64\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\SysWow64\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\SysWow64\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\SysWow64\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\SysWow64\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Program Files (x86)\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Windows\SysWow64\wpclsp.dll (Microsoft Corporation)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {682C59F5-478C-4421-9070-AD170D143B77} http://www.dell.com/...t/Ode/pcd86.cab (Launcher Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C81BE7CB-CFB2-4F93-A990-E564930CD795}: DhcpNameServer = 192.168.1.254
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18:64bit: - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Users\April\Pictures\Story\Me\My Castles and Isle\Tiger Demon.jpg
O24 - Desktop BackupWallPaper: C:\Users\April\Pictures\Story\Me\My Castles and Isle\Tiger Demon.jpg
O29:64bit: - HKLM SecurityProviders - (credssp.dll) - credssp.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (credssp.dll) - credssp.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{edbaf62d-dc62-11de-a0bd-002219ee60f9}\Shell - "" = AutoRun
O33 - MountPoints2\{edbaf62d-dc62-11de-a0bd-002219ee60f9}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-266757346-149079058-799995861-1000\...exe [@ = exefile] -- Reg Error: Key error. File not found
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/16 22:13:04 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/07/16 21:56:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
[2012/07/16 21:56:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LimeWire
[2012/07/16 21:56:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell PC TuneUp
[2012/07/16 21:54:18 | 000,000,000 | ---D | C] -- C:\Users\April\Desktop\RK_Quarantine
[2012/07/15 10:05:44 | 000,000,000 | ---D | C] -- C:\Users\April\Desktop\tdsskiller
[2012/07/15 09:45:04 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\April\Desktop\aswMBR.exe
[2012/07/13 19:04:28 | 000,000,000 | ---D | C] -- C:\Windows\Microsoft Antimalware
[2012/07/13 13:48:49 | 000,000,000 | ---D | C] -- C:\Users\April\Documents\Virus Program
[2012/07/13 11:39:12 | 000,000,000 | ---D | C] -- C:\Users\April\AppData\Local\{57B538D5-4E29-4645-AD27-18BCEB333B33}
[2012/07/13 11:39:00 | 000,000,000 | ---D | C] -- C:\Users\April\AppData\Local\{A03409DA-ADFC-42EE-B598-22B07F66B47B}
[2012/07/12 12:41:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/07/12 09:13:42 | 000,000,000 | ---D | C] -- C:\Users\April\AppData\Local\{82AB4950-E14B-4300-8B12-46CA965EFD75}
[2012/07/12 09:12:12 | 000,000,000 | ---D | C] -- C:\Windows\en
[2012/07/12 09:05:33 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live
[2012/07/12 08:57:24 | 000,000,000 | ---D | C] -- C:\Users\April\AppData\Local\{A670C229-344C-46FC-AB78-4CD574814F0A}
[2012/07/12 08:57:08 | 000,000,000 | ---D | C] -- C:\Users\April\AppData\Local\{7D2FFDD7-1B00-4939-BCBA-100ED254873C}
[2012/07/11 13:11:34 | 000,025,232 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
[2012/07/11 13:11:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2012/07/11 13:11:33 | 000,355,856 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2012/07/11 13:11:24 | 000,044,272 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr.sys
[2012/07/11 13:11:23 | 000,059,728 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2012/07/11 13:11:19 | 000,958,400 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2012/07/11 13:11:16 | 000,285,328 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
[2012/07/11 13:11:16 | 000,071,064 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2012/07/11 13:10:02 | 000,041,224 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2012/07/11 13:10:01 | 000,227,648 | ---- | C] (AVAST Software) -- C:\Windows\SysWow64\aswBoot.exe
[2012/07/11 13:09:26 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2012/07/11 13:09:26 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2012/07/11 11:25:37 | 000,000,000 | ---D | C] -- C:\Users\April\AppData\Local\{0FCF35CF-B09B-44C7-B5F0-5B26ED0320C2}
[2012/07/11 11:25:22 | 000,000,000 | ---D | C] -- C:\Users\April\AppData\Local\{A8107BD0-95B8-48FE-A7CE-EBEEDA30F024}
[2012/07/11 10:51:07 | 000,000,000 | ---D | C] -- C:\Users\April\AppData\Local\{1CA03D1B-8541-4799-969B-137A1DCBFEA6}
[2012/07/11 10:50:57 | 000,000,000 | ---D | C] -- C:\Users\April\AppData\Local\{7361FABF-AD25-4F84-9076-AB2099CD725F}
[2012/07/11 10:50:24 | 000,000,000 | ---D | C] -- C:\Users\April\AppData\Local\{40BE345E-5512-4EE2-B7E3-F969B9607DB2}
[2012/07/11 10:50:12 | 000,000,000 | ---D | C] -- C:\Users\April\AppData\Local\{32D2FC9B-B5D6-4A43-9726-16C454FFEB3E}
[2012/07/11 10:27:14 | 000,000,000 | ---D | C] -- C:\Users\April\AppData\Local\{A67C42B1-A08D-42FC-B836-02575101AD07}
[2012/07/11 10:26:54 | 000,000,000 | ---D | C] -- C:\Users\April\AppData\Local\{6ADA0642-86F6-4676-B567-AD5AB4DA6138}
[2012/07/11 10:16:39 | 000,000,000 | ---D | C] -- C:\Users\April\AppData\Local\{8C1550C9-3E4A-49ED-8C58-D1E8249A778F}
[2012/07/10 12:02:27 | 000,000,000 | ---D | C] -- C:\Users\April\AppData\Local\{476892E1-9ABC-4956-82F5-35117B6B00E7}
[2009/07/23 16:35:24 | 008,653,312 | ---- | C] (Dell, Inc. ) -- C:\Users\April\AppData\Roaming\DataSafeDotNet.exe

========== Files - Modified Within 30 Days ==========

[2012/07/16 22:22:25 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/07/16 22:22:04 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/07/16 22:22:04 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/07/16 22:21:55 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/07/16 22:21:51 | 4224,540,672 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/16 22:19:56 | 000,000,642 | ---- | M] () -- C:\Users\April\Desktop\07162012_221304 - Shortcut.lnk
[2012/07/16 21:39:01 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/07/15 11:56:24 | 000,000,035 | ---- | M] () -- C:\Users\April\AppData\Roaming\mbam.context.scan
[2012/07/15 11:19:35 | 000,001,356 | ---- | M] () -- C:\Users\April\AppData\Local\d3d9caps.dat
[2012/07/15 09:45:22 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\April\Desktop\aswMBR.exe
[2012/07/13 15:42:34 | 000,768,726 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/07/13 15:42:34 | 000,649,154 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/07/13 15:42:34 | 000,122,978 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/07/13 13:56:28 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt
[2012/07/13 13:48:03 | 000,002,052 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/07/12 12:41:13 | 000,000,950 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/12 08:53:33 | 000,282,240 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/07/11 13:11:34 | 000,001,787 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2012/07/03 13:46:44 | 000,024,904 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/07/03 11:21:52 | 000,958,400 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2012/07/03 11:21:52 | 000,355,856 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2012/07/03 11:21:52 | 000,071,064 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2012/07/03 11:21:52 | 000,059,728 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2012/07/03 11:21:52 | 000,044,272 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr.sys
[2012/07/03 11:21:51 | 000,025,232 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
[2012/07/03 11:21:32 | 000,041,224 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2012/07/03 11:21:28 | 000,227,648 | ---- | M] (AVAST Software) -- C:\Windows\SysWow64\aswBoot.exe
[2012/07/03 11:21:18 | 000,285,328 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe

========== Files Created - No Company Name ==========

[2012/07/16 22:19:56 | 000,000,642 | ---- | C] () -- C:\Users\April\Desktop\07162012_221304 - Shortcut.lnk
[2012/07/16 21:57:00 | 000,000,903 | ---- | C] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2012/07/16 21:56:59 | 000,002,073 | ---- | C] () -- C:\Users\Public\Desktop\The Sims™ 3 World Adventures.lnk
[2012/07/16 21:56:59 | 000,002,047 | ---- | C] () -- C:\Users\Public\Desktop\The Sims™ 3 Generations.lnk
[2012/07/16 21:56:59 | 000,002,037 | ---- | C] () -- C:\Users\Public\Desktop\The Sims™ 3 Late Night.lnk
[2012/07/16 21:56:59 | 000,002,029 | ---- | C] () -- C:\Users\Public\Desktop\The Sims™ 3 Ambitions.lnk
[2012/07/16 21:56:59 | 000,001,983 | ---- | C] () -- C:\Users\Public\Desktop\The Sims™ 3 Pets.lnk
[2012/07/16 21:56:59 | 000,001,913 | ---- | C] () -- C:\Users\Public\Desktop\The Sims™ 3.lnk
[2012/07/16 21:56:59 | 000,001,780 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/07/16 21:56:59 | 000,001,758 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2012/07/16 21:56:59 | 000,000,950 | ---- | C] () -- C:\Users\Public\Desktop\Dell PC TuneUp.lnk
[2012/07/16 21:56:59 | 000,000,850 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2012/07/16 21:56:59 | 000,000,633 | ---- | C] () -- C:\Users\April\Application Data\Microsoft\Internet Explorer\Quick Launch\Data_Recovery.lnk
[2012/07/15 17:16:04 | 4224,540,672 | -HS- | C] () -- C:\hiberfil.sys
[2012/07/15 11:56:24 | 000,000,035 | ---- | C] () -- C:\Users\April\AppData\Roaming\mbam.context.scan
[2012/07/13 13:48:03 | 000,002,052 | ---- | C] () -- C:\Windows\epplauncher.mif
[2012/07/12 12:41:13 | 000,000,950 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/11 13:11:34 | 000,001,787 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2012/07/11 13:11:16 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\config.nt
[2011/06/21 14:24:31 | 000,005,120 | ---- | C] () -- C:\Users\April\AppData\Local\Databases.db
[2011/05/03 15:07:39 | 000,022,060 | ---- | C] () -- C:\Users\April\AppData\Roaming\UserTile.png
[2011/04/06 13:30:52 | 000,764,132 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/02/07 21:56:34 | 000,000,056 | ---- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/08/25 20:34:30 | 000,982,240 | ---- | C] () -- C:\Windows\SysWow64\igkrng500.bin
[2010/08/25 20:34:30 | 000,439,308 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng500.bin
[2010/08/25 20:34:30 | 000,092,356 | ---- | C] () -- C:\Windows\SysWow64\igfcg500m.bin
[2010/08/25 19:52:00 | 000,208,896 | ---- | C] () -- C:\Windows\SysWow64\iglhsip32.dll
[2010/08/25 19:52:00 | 000,143,360 | ---- | C] () -- C:\Windows\SysWow64\iglhcp32.dll
[2010/06/24 16:51:37 | 000,000,632 | R-S- | C] () -- C:\Users\April\ntuser.pol
[2010/03/05 19:47:40 | 000,009,102 | --S- | C] () -- C:\Users\April\AppData\Local\nO4L
[2010/01/16 12:13:21 | 000,000,212 | ---- | C] () -- C:\Users\April\AppData\Roaming\wklnhst.dat
[2010/01/13 21:51:41 | 000,001,356 | ---- | C] () -- C:\Users\April\AppData\Local\d3d9caps.dat
[2009/06/12 19:27:23 | 000,000,732 | ---- | C] () -- C:\Users\April\AppData\Local\d3d9caps64.dat
[2009/06/08 21:42:11 | 000,005,120 | ---- | C] () -- C:\Users\April\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== LOP Check ==========

[2012/05/09 21:08:03 | 000,000,000 | ---D | M] -- C:\Users\April\AppData\Roaming\.minecraft
[2012/01/09 19:50:49 | 000,000,000 | ---D | M] -- C:\Users\April\AppData\Roaming\FrostWire
[2011/03/14 22:59:45 | 000,000,000 | ---D | M] -- C:\Users\April\AppData\Roaming\iolo
[2011/11/25 11:51:02 | 000,000,000 | ---D | M] -- C:\Users\April\AppData\Roaming\LimeWire
[2012/07/11 10:55:48 | 000,000,000 | ---D | M] -- C:\Users\April\AppData\Roaming\PCDr
[2011/05/03 15:07:38 | 000,000,000 | ---D | M] -- C:\Users\April\AppData\Roaming\PeerNetworking
[2011/07/09 09:46:38 | 000,000,000 | ---D | M] -- C:\Users\April\AppData\Roaming\SecondLife
[2010/01/16 12:13:25 | 000,000,000 | ---D | M] -- C:\Users\April\AppData\Roaming\Template
[2009/08/16 09:51:20 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\iolo
[2012/06/16 01:10:45 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\PCDr
[2012/01/21 22:00:21 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\SecondLife
[2012/07/16 22:21:00 | 000,032,550 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:5D432CE3
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:A8ADE5D8

< End of report >


Again, I can't say Thank You Enough! We have some progress at the least.
  • 0

#6
Nedklaw
Posted 17 July 2012 - 09:14 AM

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)
Your very welcome and your thanks is appreciated!!!

3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 625139712 | Size: 1 Mo

RogueKiller flagged up the hidden partition containing the rootkit.


Step 1

If you have the paid version of Malwarebytes 1.6 or later installed, please disable it for the duration of this run.

To disable MBAM

Open the scanner and select the Protection tab.
Remove the tick from Start protection module with Windows.
Reboot and then run OTL.

Posted Image


Run OTL.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following: 

    :Commands 
[CREATERESTOREPOINT] 

:OTL
[2012/07/16 21:56:59 | 000,000,633 | ---- | C] () -- C:\Users\April\Application Data\Microsoft\Internet Explorer\Quick Launch\Data_Recovery.lnk

:Files
ipconfig /flushdns /c

:Commands
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.
  • Post the log that appears upon reboot in your next reply.
  • If no log appears upon reboot, the OTL Fix log should be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date and the time of the tool run.

Step 2

You will need a USB drive and another computer which is clean of infection.

Download GETxPUD.exe to the desktop of your clean computer.
  • Run GETxPUD.exe.
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat.
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert it in the sick computer.
  • Boot the Sick computer with the CD you just burned.
  • The computer must be set to boot from the CD.
  • Gently tap F12 and choose to boot from the CD.
  • Follow the prompts.
  • A Welcome to xPUD screen will appear.
  • Press File.
  • Expand mnt.
  • sda1,2...usually corresponds to your HDD.
  • sdb1 is likely your USB.
  • Click on the folder that represents your USB drive (sdb1).
  • Press Tool at the top.
  • Choose Open Terminal.
  • Type the following:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter.
  • After it has finished a file will be located on your USB drive named mbr.bin.
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin.
  • Zip the mbr.bin file and attach it to your next reply.

Things I want to see in your next reply

  • OTL Fix Log
  • mbr.bin
  • 0

#7
The Wardog
Posted 17 July 2012 - 02:21 PM

The Wardog

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
How do I know when the mbr.bin file is finished? Also I didn't have a sdb1 folder? I unplugged the USB drive and then I had a file. If I need to start over I will. Won't be able to run everything until later this evening.
  • 0

#8
Nedklaw
Posted 17 July 2012 - 03:15 PM

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)
What folders are listed when you expand mnt?
  • 0

#9
The Wardog
Posted 17 July 2012 - 10:01 PM

The Wardog

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hi, Here goes again. Had the bin file on the USB drive. Here is the OTL scan files.

All processes killed
========== COMMANDS ==========
System Restore Service not available.
========== OTL ==========
C:\Users\April\Application Data\Microsoft\Internet Explorer\Quick Launch\Data_Recovery.lnk moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
c:\Users\April\Downloads\cmd.bat deleted successfully.
c:\Users\April\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: April
->Temp folder emptied: 74929 bytes
->Temporary Internet Files folder emptied: 8164163 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 27514983 bytes
->Flash cache emptied: 732 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Mark
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 262144 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 34.00 mb


OTL by OldTimer - Version 3.2.54.0 log created on 07172012_143006

Files\Folders moved on Reboot...
File\Folder C:\Windows\temp\fb_2660.lck not found!

PendingFileRenameOperations files...
File C:\Windows\temp\fb_2660.lck not found!

Registry entries deleted on Reboot...

Next post has mbr.bin file off working laptop.
  • 0

#10
The Wardog
Posted 17 July 2012 - 10:06 PM

The Wardog

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hi, Just checked my USB and have the bin file, So here goes. I will attach and hopefully we have the info you need.

Attached Files

  • Attached File  mbr.zip   574bytes   80 downloads

  • 0

Advertisements

#11
Nedklaw
Posted 18 July 2012 - 12:02 PM

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)


Step 1

Please download and extract the following file to your USB drive: Attached File  mbr.zip   564bytes   113 downloads

  • Boot from the xPUD CD.
  • Press File.
  • Expand mnt.
  • Click on the folder that represents your USB drive (sdb1).
  • Press Tool at the top.
  • Choose Open Terminal.
  • Type the following:

    dd if=mbr.bin of=/dev/sda bs=512 count=1

  • Press Enter.
  • Rebbot your computer.

Step 2

  • Boot back into Normal Mode.
  • Quit all programs.
  • Start RogueKiller.exe.
  • Note: If RogueKiller has been blocked, do not hesitate to try several times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
  • Wait until the Prescan has finished.
  • Click on Scan.

    Posted Image
  • Wait for the end of the scan.
  • The report has been created on the desktop.

Things I want to see in your next reply

  • The RKreport.txt file
  • 0

#12
The Wardog
Posted 19 July 2012 - 10:42 AM

The Wardog

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hi, Nekdlaw.
Not sure if I screwed up or not. Ran the xPUD with the mbr.zip, computer would not reboot. Starts and goes to pword entry and get Blue screen that pops up really fast and cycles back pword page over and over again. I ran attempted process again/ Now it's running a Ckdisk before it will
reboot. No change/ still just cycles thru to user/ password page. Enter password and then it cycles back Windows Error Recovery and Safemode page.
How can I catch the page with the Blue screen and it's directions or are we screwed all the way round?
  • 0

#13
Nedklaw
Posted 21 July 2012 - 06:08 PM

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)

Download the following two programmes to your desktop:

1. WiNToBootic
2. Windows Vista 64bit RC


Extract WiNToBoot to your desktop.
Insert a USB drive of at least 4GB.
Run WiNToBoot.

Posted Image


Drag and drop the Windows 7 ISO to the programme in the space indicated.
Tick the Format box and accept the warnings.
Press Do it!.

You will see it progressing.

Posted Image


It will let you know when it is done.


Insert the USB into the sick computer and start the computer. First ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that follow the instructions here.


When you reboot you will see this. Click Repair your computer.

Posted Image


Select your operating system.

Posted Image


Select Startup Repair.

Posted Image


Reboot your computer and see if your computer runs normally.
  • 0

#14
The Wardog
Posted 22 July 2012 - 09:12 PM

The Wardog

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
No change, same cycle thru system and back. I can boot into SAFE MODES that Includes With Network. But otherwise same symptoms. Should I attempt a system restore to an earlier setting? Will wait for answer before doing anything.
  • 0

#15
Nedklaw
Posted 23 July 2012 - 08:20 AM

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)
Boot up from the USB as before. Click Repair your computer.

Posted Image


Select your operating system.

Posted Image


Select Command Prompt.

Posted Image


Type each of the following commands into the black box and press Enter after each one:

bootrec /fixmbr
bootrec /fixboot

Reboot your computer and see if your computer runs normally.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP