
May have Trojan or spyware, help appreciated! [Solved]


  • This topic is locked

#16 godawgs (Teacher, Retired Staff, 8,228 posts)
Hello,

Thank you thank you thank you!!! :D

You are welcome. :)

Just wanted to mention that when I open up IE to go any page, AVG (which I have now re enabled) keeps alerting me of tracking cookies, yieldmanager. So something is hiding somewhere.

Tracking Cookies are not viruses. See the AVG FAQ page here
It will explain what they are and how to set IE and AVG.

OK. Let's see if we can reinstall PC TuneUp and then I would suggest that you uninstall it. See the information below on Registry Cleaning Tools. It may help you decide if you want to keep the program. Instructions have been included to uninstall it if you so choose.

Then we are gonna run one last OTL fix to clean up the file that ESET found and if there are no further issues we'll be ready to wrap this puppy up.

Do you have the original installation file for AVG PC TuneUP? If you do we're all set.
If you don't have it, go to the following AVG page
Under the Installation Files section click the (avg_pct_stf_all_2012_27.exe) link to download the file. Save it to the desktop.

Once you have the installation file:

Make sure you are logged into Windows using an account with Administrator privileges. Close all windows and browsers.

1. Open Windows Explorer and navigate to the following folder:

C:\Program Files\AVG\AVG PC Tuneup

2. Delete the unins00*.exe file.
3. Close Windows Explorer and get back to the desktop.
4. Double-click the original AVG PC Tuneup installation file or the avg_pct_stf_all_2012_27.exe file on your Desktop
5. Follow the installation wizard and finish the installation process.
This should reinstall PC TuneUp

Registry Cleaning Tools

GeeksToGo does not recommend the use of registry cleaners at all:
A registry cleaner will not increase your system's speed or performance, and has the potential to break your registry to the point that your PC is no longer bootable.
We strongly advise that people stay away from any of the registry cleaners out there.
Go HERE to get more information about why registry cleaners aren't needed.

Uninstall AVG PC TuneUp

1. Please click the Start Orb, click Control Panel. Under the Programs heading click Uninstall a program
2. In the list of programs installed, locate the following program(s):

AVG PC TuneUp
AVG PC TuneUp Language Pack (en-US)
NOTE: Uninstalling PC TuneUp may automatically uninstall the language pack. After you have uninstalled PC TuneUp, if the language pack is still in the Programs list, click it and uninstall it.

3. Vista/7 users: right click the program and click Uninstall
4. After the programs have been uninstalled, close the Installed Programs window and the Control Panel.
5. Reboot the computer.

Delete the folders associated with the uninstalled programs. (Only do this if you uninstalled the program.)

1. Using Windows Explorer (to get there right-click your Start button and click "Explore"), please delete the following folder(s) (if present):

C:\Program Files\AVG\AVG PC TuneUp

2. Close Windows Explorer.


Step-1.

OTL Fix

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

1. Please copy all of the text in the quote box below (Do Not copy the word Quote). To do this, highlight everything inside the quote box (except the word Quote), right click and click Copy.

:COMMAND
[CREATERESTOREPOINT]

:FILES
C:\Users\Paul\Downloads\sharpfolio.zip PHP/Kryptik.AB trojan

:COMMANDS
[EMPTYTEMP]


Warning: This fix is relevant for this system and no other. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Please re-open OTL on your desktop.
3. Place the mouse pointer inside the Posted Image textbox, right click and click Paste. This will put the above script inside the textbox.
4. Click the Posted Image button.
5. Let the program run unhindered.
6. OTL may ask to reboot the machine. Please do so if asked.
7. Click the Posted Image button.
8. A report will open. Copy and Paste that report in your next reply.
9. If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, (where mmddyyyy_hhmmss is the date of the tool run).
10. Run OTL again and click the Posted Image button. Post the log it produces in your next reply.


Step-2.

Update Adobe Reader

Earlier versions of Adobe Reader have known security flaws so it is recommended that you update your copy.
  • Go to Start > Control Panel > Add/Remove Programs
  • Windows Vista /7 Users: Click the Start Orb and click Control Panel. Under the Programs heading click Uninstall a program
  • Remove ALL instances of Adobe Reader
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, download the latest version of Adobe Reader from Here.
  • Remove the check mark next to Yes, install McAfee Security Scan Plus-optional box.
  • Click the Download Now button to download Adobe Reader and follow the directions.
Alternative Option: After uninstalling Adobe Reader, you could try installing Foxit Reader from HERE. Foxit Reader is a much smaller program. It has fewer add-ons therefore loads more quickly.


Step-3.

Things For Your Next Post:
1. Let me know how things went with PC TuneUp
2. The OTL fixes log
3. The new OTL.txt log
4. Let me know how the Adobe update went
5. How is the computer running now?
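The post above asks for a new OTL.txt log and is clearing up what an incomplete PC TuneUp uninstall left behind. As an added example (not part of this thread, and not OTL's own code), the Python below parses the Services and Driver Services lines of an OTL log in the format posted later in this thread and flags what a helper looks for first: registrations whose image file is gone and binaries with no company name. The sample lines are constructed, and the product folder name comes from the uninstall steps in the post.

```python
"""Triage the Services / Driver Services sections of an OTL.txt log.

OTL (OldTimer's diagnostic tool) writes one line per registered service or
driver. Two shapes appear in the log posted in this thread:

  SRV - File not found [Auto | Stopped] -- <path> -- (<name>)
  DRV - [<date> | <size> | <attrs> | M] (<company>) [<type> | <start> | <state>] -- <path> -- (<name>)

A helper reading such a log looks for (a) registrations whose image file is
gone ("File not found": leftovers of an incomplete uninstall, or a file a
scanner removed) and (b) binaries carrying no company name, which only means
"check this one by hand". Neither is proof of malware.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - "
    r"(?:(?P<missing>File not found)"
    r"|\[(?P<date>[^|\]]+) \| (?P<size>[\d,]+) \| (?P<attrs>\S+) \| \S\] \((?P<company>.*?)\))"
    r" \[(?P<flags>[^\]]+)\]"
    r" -- (?P<path>.*?) ?-- \((?P<name>[^)]+)\)\s*$"
)


@dataclass
class Entry:
    kind: str         # "SRV" (service) or "DRV" (driver)
    name: str         # registered service / driver name
    path: str         # image path as recorded in the registry ("" if none)
    company: str      # company name from the file's version info ("" if none)
    start: str        # Auto / On_Demand / Boot / System / Disabled
    state: str        # Running / Stopped
    file_found: bool  # False for "File not found" lines


def parse_otl_services(text):
    """Return an Entry for every SRV/DRV line; section headers and other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # SRV flags are [start | state]; DRV flags are [type | start | state].
        flags = [f.strip() for f in m.group("flags").split("|")]
        entries.append(Entry(
            kind=m.group("kind"),
            name=m.group("name"),
            path=m.group("path").strip(),
            company=(m.group("company") or "").strip(),
            start=flags[-2] if len(flags) >= 2 else "",
            state=flags[-1],
            file_found=m.group("missing") is None,
        ))
    return entries


def triage(entries):
    """Map each entry name to the reasons it deserves a look (empty list = nothing to note)."""
    notes = {}
    for e in entries:
        reasons = []
        if not e.file_found:
            reasons.append("orphaned registration: image file is missing")
            if e.start == "Auto":
                reasons.append("set to start automatically but cannot: expect boot-time errors")
        elif not e.company:
            reasons.append("no company name in version info: verify by hand")
        notes[e.name] = reasons
    return notes


def leftovers_of(entries, product_dir):
    """Names of orphaned entries whose image path points into a removed product folder."""
    needle = product_dir.lower()
    return sorted(e.name for e in entries
                  if not e.file_found and needle in e.path.lower())


# Constructed sample, modelled on the Services / Driver Services lines of the
# OTL log posted in this thread (not the complete log).
SAMPLE_LOG = r"""
========== Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe -- (TuneUp.UtilitiesSvc)
SRV - [2012/08/13 04:24:48 | 005,167,736 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgidsagent.exe -- (AVGIDSAgent)
SRV - [2010/08/26 18:48:00 | 000,285,152 | ---- | M] () [Auto | Running] -- C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe -- (WSWNA3100)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver32.sys -- (TuneUpUtilitiesDrv)
DRV - File not found [Kernel | Auto | Stopped] -- -- (adfs)
DRV - [2010/07/16 11:04:16 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PCASp50.sys -- (PCASp50)
"""

if __name__ == "__main__":
    found = parse_otl_services(SAMPLE_LOG)
    for name, reasons in triage(found).items():
        if reasons:
            print(f"{name}: " + "; ".join(reasons))
    # Folder name taken from the uninstall steps in this thread.
    print("PC TuneUp leftovers:", leftovers_of(found, r"AVG\AVG PC TuneUp"))
```

Run it against a real OTL.txt by reading the file into `parse_otl_services`; entries the triage leaves empty are ordinary signed vendor components and need no action.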



#17 Mrscoffeecup (Member, Topic Starter, 20 posts)
Hi,


the file you gave me to look for in AVG Tune Up doesn't exist, it's just not there.
I installed pc tune up again and removed that one, but there is another pc tuneup that can't be removed, it keeps saying uninstall manager stopped working.

I am at a loss now and very discouraged, nothing is working. Am I better just to wipe the hard drive? Also, I'm not sure if I should open another topic or not, but the adware that is/was on my computer is on my iPhone 4s now. I haven't synced it since I realised there was a virus on my pc, and I know a lot of people say it's not possible, but there is definitely adware when I use Safari on my iPhone.
This must be some trojan I've encountered.

Back to avg, I tried manually deleting the folder and it says I don't have permission, and there is no option to run as admin. Is this a virus pretending to be avg??

#18 godawgs (Teacher, Retired Staff, 8,228 posts)

Hi,


the file you gave me to look for in AVG Tune Up doesn't exist, it's just not there.

I didn't give you a file to look for.

I installed pc tune up again and removed that one, but there is another pc tuneup that can't be removed, it keeps saying uninstall manager stopped working.

You have two different PC Tuneup programs on the computer?

I am at a loss now and very discouraged,nothing is working.

You're gonna have to be a little more specific here. What isn't working?

Am I better just to wipe the hard drive?

That depends on whether or not we can sort the problems out, but I didn't see anything in the log that would require that.

Also, I'm not sure if I should open another topic or not, but the adware that is/was on my computer is on my iPhone 4s now. I haven't synced it since I realised there was a virus on my pc, and I know a lot of people say it's not possible, but there is definitely adware when I use Safari on my iPhone.
This must be some trojan I've encountered.

You can try the Smartphone Virus / Mobile Malware forum. I don't know anything about mobile devices.

Back to avg, I tried manually deleting the folder and it says I don't have permission, and there is no option to run as admin. Is this a virus pretending to be avg??

Do you mean the AVG antivirus program?

#19 Mrscoffeecup (Member, Topic Starter, 20 posts)
Hi,

The file you asked me to delete in avg, that's the file I was talking about, sorry I wasn't more specific!! I couldn't delete it because it wasn't there :)

I have one pc tuneup on the pc, and that's the one that can't be removed. I've tried running as admin but to no avail, it seems as though it can't be deleted.

I was referencing avg pc tuneup in regards to the possibility of it being a virus.

I'm just running the OTL fix as we speak and I'll post the logs as soon as they're ready!!

Thanks :)

#20 Mrscoffeecup (Member, Topic Starter, 20 posts)
Hello again :)


So first up, my 5 year old accidentally deleted the OTL fix log :(

I ran another scan though and I'm posting that log. It took me a few goes to get the scan to complete, but I hope it's alright now.

I'm so sorry, after all this hard work!!

If there's anything else I can add, please let me know!

I managed to delete PC Tuneup too, and the computer *seems* to be running as normal, but I'll wait for your go ahead before I commence using it as before.

Thanks Godawgs!!!


OTL logfile created on: 1/11/2012 5:32:55 PM - Run 4
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Paul\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

3.25 Gb Total Physical Memory | 1.94 Gb Available Physical Memory | 59.59% Memory free
6.72 Gb Paging File | 5.38 Gb Available in Paging File | 80.03% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288.04 Gb Total Space | 79.97 Gb Free Space | 27.76% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 4.21 Gb Free Space | 42.15% Space Free | Partition Type: NTFS
Drive F: | 20.09 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: SARAH | User Name: Paul | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/10/30 14:03:02 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Paul\Desktop\OTL.exe
PRC - [2012/10/09 11:28:30 | 000,692,152 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe
PRC - [2012/09/29 19:54:26 | 000,766,536 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/09/29 19:54:26 | 000,676,936 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/09/29 19:54:26 | 000,399,432 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012/09/28 13:32:09 | 000,114,688 | ---- | M] () -- C:\Program Files\Optus Mobile Broadband\Optus Mobile Broadband.exe
PRC - [2012/08/13 04:24:48 | 005,167,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgidsagent.exe
PRC - [2012/07/31 04:37:02 | 002,596,984 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
PRC - [2012/07/26 04:23:08 | 000,758,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
PRC - [2012/06/13 04:48:24 | 001,255,544 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgnsx.exe
PRC - [2012/03/19 06:18:12 | 000,979,840 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgemcx.exe
PRC - [2012/02/14 05:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
PRC - [2012/02/14 05:52:38 | 000,338,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
PRC - [2011/10/01 08:30:42 | 000,219,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
PRC - [2011/10/01 08:30:36 | 000,508,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
PRC - [2011/04/01 20:17:08 | 000,067,400 | ---- | M] (Microsoft Corporation) -- C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe
PRC - [2011/02/22 08:17:32 | 000,066,560 | ---- | M] (Nalpeiron Ltd.) -- C:\Windows\System32\nlssrv32.exe
PRC - [2010/09/30 04:06:46 | 000,169,408 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe
PRC - [2010/08/26 18:48:00 | 000,285,152 | ---- | M] () -- C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe
PRC - [2010/08/26 18:47:00 | 004,577,760 | ---- | M] () -- C:\Program Files\NETGEAR\WNA3100\WNA3100.exe
PRC - [2010/08/19 19:52:14 | 000,241,664 | ---- | M] (Huawei Technologies Co., Ltd.) -- C:\ProgramData\DatacardService\DCSHelper.exe
PRC - [2010/08/19 19:52:04 | 000,229,376 | ---- | M] () -- C:\ProgramData\DatacardService\DCService.exe
PRC - [2009/04/11 17:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/01/17 08:22:20 | 004,907,008 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/12/05 07:17:24 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AERTSrv.exe
PRC - [2006/11/02 21:40:12 | 000,174,656 | ---- | M] () -- C:\Windows\System32\PSIService.exe


========== Modules (No Company Name) ==========

MOD - [2012/09/28 13:32:09 | 000,114,688 | ---- | M] () -- C:\Program Files\Optus Mobile Broadband\Optus Mobile Broadband.exe
MOD - [2010/09/10 11:03:10 | 000,159,744 | ---- | M] () -- C:\Program Files\Optus Mobile Broadband\SMSPlugin.dll
MOD - [2010/08/26 18:47:00 | 004,577,760 | ---- | M] () -- C:\Program Files\NETGEAR\WNA3100\WNA3100.exe
MOD - [2010/03/15 12:28:22 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2010/02/03 12:31:02 | 000,282,624 | ---- | M] () -- C:\Program Files\NETGEAR\WNA3100\WifiSvcLib.dll
MOD - [2009/11/26 11:55:34 | 000,552,960 | ---- | M] () -- C:\Program Files\Optus Mobile Broadband\atcomm.dll
MOD - [2009/11/26 11:55:34 | 000,151,552 | ---- | M] () -- C:\Program Files\Optus Mobile Broadband\DetectDev.dll
MOD - [2009/11/26 11:55:34 | 000,135,168 | ---- | M] () -- C:\Program Files\Optus Mobile Broadband\LocaleMgrPlugin.dll
MOD - [2009/11/26 11:55:34 | 000,090,112 | ---- | M] () -- C:\Program Files\Optus Mobile Broadband\FileManager.dll
MOD - [2009/11/26 11:55:34 | 000,090,112 | ---- | M] () -- C:\Program Files\Optus Mobile Broadband\DialUpPlugin.dll
MOD - [2009/11/26 11:55:34 | 000,061,440 | ---- | M] () -- C:\Program Files\Optus Mobile Broadband\XCodec.dll
MOD - [2009/11/26 11:55:34 | 000,061,440 | ---- | M] () -- C:\Program Files\Optus Mobile Broadband\DeviceOperate.dll
MOD - [2009/11/26 11:55:34 | 000,057,344 | ---- | M] () -- C:\Program Files\Optus Mobile Broadband\ConfigFilePlugin.dll
MOD - [2009/11/26 11:55:34 | 000,032,768 | ---- | M] () -- C:\Program Files\Optus Mobile Broadband\NotifyServicePlugin.dll
MOD - [2009/11/26 11:55:34 | 000,014,848 | ---- | M] () -- C:\Program Files\Optus Mobile Broadband\isaputrace.dll
MOD - [2009/09/19 12:08:04 | 000,118,784 | ---- | M] () -- C:\Program Files\Optus Mobile Broadband\NetInfoPlugin.dll
MOD - [2009/08/29 17:18:34 | 000,888,832 | ---- | M] () -- C:\Program Files\Optus Mobile Broadband\NDISAPI.dll
MOD - [2009/07/31 12:26:22 | 000,172,032 | ---- | M] () -- C:\Program Files\Optus Mobile Broadband\DeviceMgrUIPlugin.dll
MOD - [2009/07/30 23:01:08 | 000,110,592 | ---- | M] () -- C:\Program Files\Optus Mobile Broadband\DeviceMgrPlugin.dll
MOD - [2002/07/04 10:38:00 | 000,053,248 | ---- | M] () -- C:\Program Files\ArcSoft\Software Suite\PhotoImpression\Share\PIHook.dll


========== Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe -- (TuneUp.UtilitiesSvc)
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - [2012/10/09 12:28:25 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/09/29 19:54:26 | 000,676,936 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/09/29 19:54:26 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012/08/13 04:24:48 | 005,167,736 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgidsagent.exe -- (AVGIDSAgent)
SRV - [2012/02/14 05:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - [2011/10/01 08:30:42 | 000,219,496 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
SRV - [2011/10/01 08:30:36 | 000,508,776 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
SRV - [2011/04/01 20:17:08 | 000,067,400 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe -- (MsDepSvc)
SRV - [2011/02/22 08:17:32 | 000,066,560 | ---- | M] (Nalpeiron Ltd.) [Auto | Running] -- C:\Windows\System32\nlssrv32.exe -- (nlsX86cc)
SRV - [2010/09/30 04:06:46 | 000,169,408 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor9.0)
SRV - [2010/08/26 18:48:00 | 000,285,152 | ---- | M] () [Auto | Running] -- C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe -- (WSWNA3100)
SRV - [2010/08/19 19:52:04 | 000,229,376 | ---- | M] () [Auto | Running] -- C:\ProgramData\DatacardService\DCService.exe -- (DCService.exe)
SRV - [2008/01/19 18:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/12/05 07:17:24 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AERTSrv.exe -- (AERTFilters)
SRV - [2007/05/31 12:21:24 | 000,379,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2007/05/31 12:21:18 | 000,183,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
SRV - [2006/11/02 21:40:12 | 000,174,656 | ---- | M] () [Auto | Running] -- C:\Windows\System32\PSIService.exe -- (ProtexisLicensing)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\usbser_lowerflt.sys -- (upperdev)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver32.sys -- (TuneUpUtilitiesDrv)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\massfilter.sys -- (massfilter)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
DRV - File not found [Kernel | Auto | Stopped] -- -- (adfs)
DRV - [2012/09/29 19:54:26 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012/08/24 16:43:18 | 000,301,920 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2012/07/26 04:21:30 | 000,237,408 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2012/04/19 05:50:26 | 000,024,896 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\avgidshx.sys -- (AVGIDSHX)
DRV - [2012/01/31 05:46:50 | 000,031,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\System32\drivers\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/12/23 14:32:14 | 000,041,040 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/12/23 14:32:08 | 000,017,232 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\avgidsshimx.sys -- (AVGIDSShim)
DRV - [2011/12/23 14:32:06 | 000,024,144 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\avgidsfilterx.sys -- (AVGIDSFilter)
DRV - [2011/12/23 14:32:00 | 000,139,856 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\avgidsdriverx.sys -- (AVGIDSDriver)
DRV - [2011/10/01 08:30:42 | 000,019,304 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Sftvollh.sys -- (Sftvol)
DRV - [2011/10/01 08:30:40 | 000,021,864 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\Sftredirlh.sys -- (Sftredir)
DRV - [2011/10/01 08:30:38 | 000,194,408 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Sftplaylh.sys -- (Sftplay)
DRV - [2011/10/01 08:30:36 | 000,579,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Sftfslh.sys -- (Sftfs)
DRV - [2011/08/02 17:38:44 | 000,018,432 | ---- | M] (Apple Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\netaapl.sys -- (Netaapl)
DRV - [2010/08/27 14:53:46 | 000,116,736 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ewusbnet.sys -- (ewusbnet)
DRV - [2010/08/07 18:48:42 | 000,106,880 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2010/07/27 16:25:48 | 000,072,832 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ew_jubusenum.sys -- (huawei_enumerator)
DRV - [2010/07/27 10:52:02 | 000,102,784 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ew_hwusbdev.sys -- (ew_hwusbdev)
DRV - [2010/07/16 11:04:16 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PCASp50.sys -- (PCASp50)
DRV - [2010/06/21 16:07:20 | 000,078,720 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\swiwdmbus.sys -- (swiwdmbus)
DRV - [2010/06/21 15:47:14 | 000,156,544 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\swumxa3.sys -- (SWUMXA3)
DRV - [2010/06/21 15:46:50 | 000,201,088 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\swnc8ua3.sys -- (SWNC8UA3)
DRV - [2010/02/03 12:21:56 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\npf.sys -- (NPF)
DRV - [2009/11/06 09:37:20 | 000,699,896 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\bcmwlhigh6.sys -- (BCMH43XX)
DRV - [2009/05/25 17:01:00 | 000,069,098 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\jl2005c.sys -- (JL2005C)
DRV - [2007/09/17 09:07:00 | 007,624,192 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2007/04/29 19:42:24 | 000,228,224 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express)
DRV - [2007/03/23 21:29:32 | 000,060,768 | ---- | M] (2Wire, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\2WirePCP.sys -- (2WIREPCP)
DRV - [2007/01/19 19:20:54 | 000,021,728 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\SCMNdisP.sys -- (SCMNdisP)
DRV - [2006/11/02 18:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2006/10/19 05:08:18 | 000,258,048 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2006/08/05 11:39:10 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2006/07/24 17:05:00 | 000,005,632 | ---- | M] () [File_System | System | Running] -- C:\Windows\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2005/02/23 15:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\afc.sys -- (Afc)
DRV - [2003/09/20 09:45:48 | 000,021,248 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pfc.sys -- (pfc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...ie7&rlz=1I7DAAU


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3766550063-913140356-267790273-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://au.yahoo.com/?fr=fp-yie8
IE - HKU\S-1-5-21-3766550063-913140356-267790273-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
IE - HKU\S-1-5-21-3766550063-913140356-267790273-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-3766550063-913140356-267790273-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
IE - HKU\S-1-5-21-3766550063-913140356-267790273-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-3766550063-913140356-267790273-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-3766550063-913140356-267790273-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKU\S-1-5-21-3766550063-913140356-267790273-1000\..\SearchScopes\{7BF39D85-F6C0-4D55-AA9E-354D98E05232}: "URL" = http://au.search.yah...f-8&fr=chr-yie8
IE - HKU\S-1-5-21-3766550063-913140356-267790273-1000\..\SearchScopes\{8E02D41C-5924-4816-9490-33CCD28BEB72}: "URL" = http://search.avg.co...}&ychte=au&nt=1
IE - HKU\S-1-5-21-3766550063-913140356-267790273-1000\..\SearchScopes\{D4395A68-EC0A-4AB4-A6BC-355E67975B7D}: "URL" = http://www.flickr.co...q={searchTerms}
IE - HKU\S-1-5-21-3766550063-913140356-267790273-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_4_402_287.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@csi.business.gov.au/CsiPlugin: C:\Program Files\Common-Use Signing Interface\bin\npCsiPlugin.dll (Commonwealth Government of Australia)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.9.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3555.0308: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/wpi,version=1.4: C:\Program Files\Microsoft\Web Platform Installer\\npwpidetector.dll ()
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/09/11 09:12:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF}: C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack\ [2012/07/03 10:53:19 | 000,000,000 | ---D | M]

[2010/10/03 00:33:32 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Paul\AppData\Roaming\mozilla\Extensions
[2010/10/03 00:33:32 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Paul\AppData\Roaming\mozilla\Extensions\[email protected]
[2009/02/21 12:16:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Paul\AppData\Roaming\mozilla\Extensions\[email protected]

O1 HOSTS File: ([2012/10/30 20:49:11 | 000,000,875 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [ECenter] C:\DELL\E-Center\EULALauncher.exe ( )
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-3766550063-913140356-267790273-1000..\Run: [Mobile Partner] C:\Program Files\Optus Mobile Broadband\Optus Mobile Broadband.exe ()
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html File not found
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-3766550063-913140356-267790273-1000\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-3766550063-913140356-267790273-1000\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKU\S-1-5-21-3766550063-913140356-267790273-1000\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3766550063-913140356-267790273-1000\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-3766550063-913140356-267790273-1000\..Trusted Domains: modthesims.info ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-3766550063-913140356-267790273-1000\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{240A7F65-CAC9-408C-9A3F-95FD2AEC47CE}: DhcpNameServer = 10.4.85.135 10.4.176.231
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{36DECCF4-4B5C-481A-93A7-6A5B2DF65257}: DhcpNameServer = 10.0.0.138
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{38DE3DDE-AE25-46E9-92EA-BA55DDCE6BFA}: DhcpNameServer = 198.142.0.51 61.88.88.88
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5A973CA7-C2C5-4870-B413-727AF81EA57D}: DhcpNameServer = 10.0.0.138
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{65EDAF65-0BB3-43CC-AE3C-0CE14CD8B58C}: DhcpNameServer = 198.142.0.51 61.88.88.88
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{92F8F3AC-362C-4FC5-8459-FA7C4D26009A}: NameServer = 198.142.0.51 61.88.88.88
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E0C30011-0E0B-491A-A1D7-E91CF8B7640C}: DhcpNameServer = 10.0.0.138
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EBBAE300-C89E-45AB-A9CF-28E61D33B73D}: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - AppInit_DLLs: (C:\PROGRA~1\GOOGLE\GOOGLE~2\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Paul\AppData\Roaming\Microsoft\Windows Live Photo Gallery\Windows Live Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Paul\AppData\Roaming\Microsoft\Windows Live Photo Gallery\Windows Live Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/19 08:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2010/08/20 03:49:08 | 000,126,976 | R--- | M] () - F:\AutoRun.exe -- [ CDFS ]
O32 - AutoRun File - [2010/09/14 22:01:18 | 000,000,047 | R--- | M] () - F:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{0ce5726c-0913-11e2-8a31-001e101f9843}\Shell - "" = AutoRun
O33 - MountPoints2\{0ce5726c-0913-11e2-8a31-001e101f9843}\Shell\AutoRun\command - "" = F:\AutoRun.exe -- [2010/08/20 03:49:08 | 000,126,976 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/11/01 14:43:28 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\ElevatedDiagnostics
[2012/11/01 14:42:10 | 000,347,424 | ---- | C] (Microsoft Corporation) -- C:\Users\Paul\Desktop\MicrosoftFixit.WinSecurity.Run.exe
[2012/11/01 14:41:58 | 000,347,424 | ---- | C] (Microsoft Corporation) -- C:\Users\Paul\Desktop\MicrosoftFixit.WindowsFirewall.Run.exe
[2012/11/01 14:17:41 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\MigWiz
[2012/11/01 13:22:34 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Installer Clean Up
[2012/11/01 13:21:39 | 000,000,000 | ---D | C] -- C:\Program Files\MSECACHE
[2012/11/01 13:21:08 | 000,359,656 | ---- | C] (Microsoft Corporation) -- C:\Users\Paul\Desktop\msicuu2.exe
[2012/11/01 08:43:16 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/11/01 08:26:04 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2012/10/30 14:03:02 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Paul\Desktop\OTL.exe
[2012/10/29 19:59:12 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{13EBD0E5-DC9A-455D-AA4B-D9B3A5B4D507}
[2012/10/29 16:47:36 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{32898108-06FE-44D9-BB4A-DD92EF5F9171}
[2012/10/28 22:00:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/10/28 22:00:19 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/10/28 21:12:03 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\Temp(72)
[2012/10/28 21:12:03 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/10/28 20:42:01 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Roaming\SUPERAntiSpyware.com
[2012/10/28 20:41:29 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2012/10/28 20:41:29 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2012/10/28 13:15:28 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Roaming\Malwarebytes
[2012/10/28 13:15:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/10/28 13:15:20 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/10/28 11:31:11 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Roaming\AVG
[2012/10/28 11:29:56 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG
[2012/10/28 11:29:50 | 000,000,000 | -HSD | C] -- C:\ProgramData\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
[2012/10/24 07:47:01 | 000,246,760 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\javaws.exe
[2012/10/24 07:46:49 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\javaw.exe
[2012/10/24 07:46:49 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\java.exe
[2012/10/24 07:46:49 | 000,093,672 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\WindowsAccessBridge.dll
[2012/10/22 10:21:51 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{1300AB69-50A9-4A64-846D-B3FFAEDC45BE}
[2012/10/20 08:54:49 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{86974068-D347-4947-9155-BC9E9B9CC64B}
[2012/10/19 09:03:44 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Roaming\Nico Mak Computing
[2012/10/19 09:03:41 | 000,017,224 | ---- | C] (WinZip Computing, S.L.(WinZip Computing)) -- C:\Windows\System32\roboot.exe
[2012/10/19 09:03:40 | 000,000,000 | ---D | C] -- C:\Program Files\WinZip Registry Optimizer
[2012/10/18 18:57:22 | 000,000,000 | ---D | C] -- C:\ProgramData\wxDownload
[2012/10/18 18:55:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Premium
[2012/10/18 18:54:55 | 000,000,000 | ---D | C] -- C:\ProgramData\InstallMate
[2012/10/17 14:10:02 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{D14BAD02-FBF0-49C4-B382-3FD951F784D0}
[2012/10/15 16:00:44 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{DD19C2CF-A542-4DB6-9990-E9944B217548}
[2012/10/13 20:53:04 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{7D433DC4-590E-4487-AE94-1D28CB6538AE}
[2012/10/10 23:19:43 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2012/10/10 23:19:39 | 003,602,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2012/10/10 23:19:39 | 003,550,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2012/10/08 22:32:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2012/10/08 22:30:35 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/10/08 22:30:34 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2012/10/08 22:30:34 | 000,000,000 | ---D | C] -- C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
[2012/10/04 20:35:31 | 000,000,000 | ---D | C] -- C:\Users\Paul\AppData\Local\{189C5C47-DA35-481E-A761-DB662A8B6A9F}
[2011/03/10 10:25:56 | 001,228,400 | ---- | C] (Adobe Systems Incorporated) -- C:\Users\Paul\Photoshop_12_LS1.exe
[2008/03/11 14:26:55 | 000,092,064 | ---- | C] (MCCI) -- C:\Users\Paul\mqdmmdm.sys
[2008/03/11 14:26:55 | 000,079,328 | ---- | C] (MCCI) -- C:\Users\Paul\mqdmserd.sys
[2008/03/11 14:26:55 | 000,066,656 | ---- | C] (MCCI) -- C:\Users\Paul\mqdmbus.sys
[2008/03/11 14:26:55 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Users\Paul\usbsermptxp.sys
[2008/03/11 14:26:55 | 000,022,768 | ---- | C] (Microsoft Corporation) -- C:\Users\Paul\usbsermpt.sys
[2008/03/11 14:26:55 | 000,009,232 | ---- | C] (MCCI) -- C:\Users\Paul\mqdmmdfl.sys
[2008/03/11 14:26:55 | 000,006,208 | ---- | C] (MCCI) -- C:\Users\Paul\mqdmcmnt.sys
[2008/03/11 14:26:55 | 000,005,936 | ---- | C] (MCCI) -- C:\Users\Paul\mqdmwhnt.sys
[2008/03/11 14:26:55 | 000,004,048 | ---- | C] (MCCI) -- C:\Users\Paul\mqdmcr.sys
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/11/01 17:28:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/11/01 17:05:05 | 000,065,536 | ---- | M] () -- C:\Windows\System32\Ikeext.etl
[2012/11/01 17:05:02 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/11/01 17:05:02 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/11/01 17:05:02 | 000,000,878 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/11/01 17:04:58 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/11/01 17:03:45 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2012/11/01 16:36:03 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/11/01 14:42:10 | 000,347,424 | ---- | M] (Microsoft Corporation) -- C:\Users\Paul\Desktop\MicrosoftFixit.WinSecurity.Run.exe
[2012/11/01 14:41:58 | 000,347,424 | ---- | M] (Microsoft Corporation) -- C:\Users\Paul\Desktop\MicrosoftFixit.WindowsFirewall.Run.exe
[2012/11/01 13:21:08 | 000,359,656 | ---- | M] (Microsoft Corporation) -- C:\Users\Paul\Desktop\msicuu2.exe
[2012/11/01 08:18:24 | 099,046,039 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2012/10/30 20:49:11 | 000,000,875 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/10/30 14:03:02 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Paul\Desktop\OTL.exe
[2012/10/30 13:56:34 | 003,721,104 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/10/29 19:39:08 | 000,881,854 | ---- | M] () -- C:\Users\Paul\Desktop\SecurityCheck.exe
[2012/10/29 07:46:54 | 000,001,828 | ---- | M] () -- C:\Users\Paul\AppData\Roaming\wklnhst.dat
[2012/10/28 22:00:21 | 000,000,868 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/10/25 08:35:10 | 000,041,472 | ---- | M] () -- C:\Users\Paul\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/10/24 07:46:40 | 000,246,760 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\javaws.exe
[2012/10/24 07:46:40 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\javaw.exe
[2012/10/24 07:46:40 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\java.exe
[2012/10/24 07:46:40 | 000,093,672 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\WindowsAccessBridge.dll
[2012/10/24 07:46:39 | 000,821,736 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\npDeployJava1.dll
[2012/10/24 07:46:39 | 000,746,984 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\deployJava1.dll
[2012/10/20 18:10:14 | 000,454,298 | ---- | M] () -- C:\Windows\System32\drivers\AVG\iavichjg.avm
[2012/10/20 07:58:07 | 000,646,002 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/10/20 07:58:07 | 000,123,514 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/10/11 17:19:54 | 000,001,626 | ---- | M] () -- C:\Users\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2012/10/09 12:28:24 | 000,696,760 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2012/10/09 12:28:24 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012/10/09 11:13:36 | 000,001,626 | ---- | M] () -- C:\Users\Paul\Desktop\iTunes (2).lnk
[2012/10/08 22:32:14 | 000,001,626 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/10/07 19:00:50 | 000,001,846 | ---- | M] () -- C:\Users\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\SpongeBob SquarePants Snapshots.lnk
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/11/01 13:22:34 | 000,002,367 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Install Clean Up.lnk
[2012/10/29 19:39:08 | 000,881,854 | ---- | C] () -- C:\Users\Paul\Desktop\SecurityCheck.exe
[2012/10/28 22:00:21 | 000,000,868 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/10/11 17:19:54 | 000,001,626 | ---- | C] () -- C:\Users\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2012/10/09 11:13:36 | 000,001,626 | ---- | C] () -- C:\Users\Paul\Desktop\iTunes (2).lnk
[2012/10/08 22:32:14 | 000,001,626 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/10/07 19:00:50 | 000,001,846 | ---- | C] () -- C:\Users\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\SpongeBob SquarePants Snapshots.lnk
[2012/06/07 21:21:01 | 000,002,554 | ---- | C] () -- C:\Windows\WAVEMIX.INI
[2011/09/10 11:40:50 | 000,053,299 | ---- | C] () -- C:\Windows\System32\pthreadVC.dll
[2011/08/10 01:02:09 | 000,024,441 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\UserTile.png
[2011/07/26 18:26:46 | 000,974,848 | ---- | C] () -- C:\Windows\System32\cis-2.4.dll
[2011/07/26 18:26:46 | 000,081,920 | ---- | C] () -- C:\Windows\System32\issacapi_bs-2.3.dll
[2011/07/26 18:26:46 | 000,065,536 | ---- | C] () -- C:\Windows\System32\issacapi_pe-2.3.dll
[2011/07/26 18:26:46 | 000,057,344 | ---- | C] () -- C:\Windows\System32\issacapi_se-2.3.dll
[2011/07/15 23:38:23 | 000,000,025 | ---- | C] () -- C:\Windows\CDESP1410E.ini
[2011/06/29 20:52:44 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/06/28 19:25:17 | 000,154,004 | -H-- | C] () -- C:\Windows\System32\mlfcache.dat
[2011/03/30 09:17:10 | 000,316,928 | ---- | C] () -- C:\Windows\System32\HDREfexProFC32.dll
[2011/03/11 11:44:17 | 020,938,448 | -H-- | C] () -- C:\Users\Paul\PhotoshopElements_9_LS15.7z.part
[2011/03/11 11:44:16 | 000,000,044 | ---- | C] () -- C:\Users\Paul\PhotoshopElements_9_LS15.exe
[2011/03/10 10:25:57 | 1026,293,791 | ---- | C] () -- C:\Users\Paul\Photoshop_12_LS1.7z
[2011/02/22 08:17:34 | 000,316,928 | ---- | C] () -- C:\Windows\System32\SilverEfexPro2FC32.dll
[2009/09/01 20:40:39 | 000,003,970 | ---- | C] () -- C:\Users\Paul\.recently-used.xbel
[2008/07/29 18:35:18 | 000,000,000 | ---- | C] () -- C:\ProgramData\LauncherAccess.dt
[2008/07/11 15:17:28 | 000,000,680 | ---- | C] () -- C:\Users\Paul\AppData\Local\d3d9caps.dat
[2008/07/08 18:55:13 | 000,001,828 | ---- | C] () -- C:\Users\Paul\AppData\Roaming\wklnhst.dat
[2008/03/18 17:45:49 | 000,001,260 | ---- | C] () -- C:\ProgramData\dldf
[2008/03/11 14:26:55 | 000,009,913 | ---- | C] () -- C:\Users\Paul\MCCI_MDM.INF
[2008/03/11 14:26:55 | 000,009,232 | ---- | C] () -- C:\Users\Paul\USB_MOT_BRIT.INF
[2008/03/11 14:26:55 | 000,007,201 | ---- | C] () -- C:\Users\Paul\USBMOT2000.INF
[2008/03/11 14:26:55 | 000,006,989 | ---- | C] () -- C:\Users\Paul\MCCI_BUS.INF
[2008/03/11 14:26:55 | 000,006,209 | ---- | C] () -- C:\Users\Paul\USBMOT2000XP.INF
[2008/03/11 14:26:55 | 000,005,880 | ---- | C] () -- C:\Users\Paul\USB_CMCS_2000.INF
[2008/03/11 14:26:55 | 000,005,813 | ---- | C] () -- C:\Users\Paul\USB_MOT_A1000.INF
[2008/03/11 14:26:55 | 000,004,477 | ---- | C] () -- C:\Users\Paul\MCCI_SDM.INF
[2008/01/15 19:26:59 | 000,041,472 | ---- | C] () -- C:\Users\Paul\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2006/11/02 23:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 04:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 17:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 17:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/10/30 13:51:51 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\948 Series
[2011/06/29 13:58:45 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\Alien Skin
[2012/11/01 08:26:06 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\AVG
[2012/01/21 07:53:05 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\AVG2012
[2011/03/13 11:07:20 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\Canon
[2011/04/04 20:58:13 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2011/12/06 22:59:23 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
[2010/04/20 16:11:52 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2011/07/16 00:02:14 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\EPSON
[2012/10/30 13:51:52 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\gtk-2.0
[2011/07/19 14:58:34 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\HDREfexPro
[2012/05/08 20:29:54 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\HDRsoft
[2012/10/19 09:10:37 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\Nico Mak Computing
[2011/07/19 15:23:39 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\Nik Software
[2008/04/28 16:10:51 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\Nokia
[2012/04/19 09:49:19 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\Origin
[2012/01/07 14:14:30 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\Panasonic
[2008/04/21 18:36:55 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\PC Suite
[2011/08/10 01:02:09 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\PeerNetworking
[2012/10/30 13:51:52 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\PhotoScape
[2010/04/18 14:59:21 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\Publish Providers
[2011/08/10 01:37:37 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\Samsung
[2011/02/27 13:49:12 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\Sierra Wireless
[2011/07/19 15:01:58 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\SilverEfexPro2
[2012/01/07 14:25:02 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\SoftGrid Client
[2010/04/18 16:02:41 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\Sony
[2011/03/23 10:12:05 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
[2008/07/08 18:55:15 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\Template
[2011/05/18 10:31:53 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\TP
[2011/02/28 13:37:54 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\Visan
[2010/10/03 00:49:23 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\Vivox
[2011/08/10 01:05:00 | 000,000,000 | ---D | M] -- C:\Users\Paul\AppData\Roaming\Windows Live Writer

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:0B4227B4

< End of report >

Edited by Mrscoffeecup, 01 November 2012 - 12:48 AM.

  • 0
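The log above is what a helper reads through before writing a fix. As an added example that is not from this thread or from OTL itself, here is a small Python triage script that parses the two line shapes in such a log and flags the entry types the cleanup fix later in this thread removes (services and drivers whose file is missing, URLSearchHooks with no CLSID, and MountPoints2 AutoRun commands). Its sample input is constructed from lines quoted in this thread; the `no_company_system32` heuristic is my own, not an OTL feature.

```python
"""Triage helper for lines from an OTL (OldTimer Tools) log.

Added example for this thread; it is not part of OTL or of the forum post.
It parses the two line shapes that appear in the log above and flags the
entry types the helper's later OTL fix script removes.  The sample input
is constructed from lines quoted in this thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# File/folder entry:  [yyyy/mm/dd hh:mm:ss | size | attrs | C|M] (Company) -- path
FILE_ENTRY = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<flag>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>\S.*?)\s*$"
)
# Entry types targeted by the cleanup fix in this thread.
ORPHAN_SERVICE = re.compile(r"^(SRV|DRV) - File not found ")
DEAD_SEARCHHOOK = re.compile(r"^IE - .*URLSearchHook: .* - No CLSID value found$")
AUTORUN_COMMAND = re.compile(
    r'^O33 - MountPoints2\\\{[0-9A-Fa-f-]+\}\\Shell\\AutoRun\\command - "" = '
    r"(?P<cmd>[A-Za-z]:\\\S+)"
)


@dataclass
class FileEntry:
    stamp: datetime
    size: int          # bytes
    attrs: str         # R=read-only, H=hidden, S=system, D=directory, '-'=unset
    flag: str          # C = created, M = modified
    company: Optional[str]
    path: str


def parse_file_entry(line: str) -> Optional[FileEntry]:
    """Parse one file/folder line; return None for any other line shape."""
    m = FILE_ENTRY.match(line.strip())
    if m is None:
        return None
    return FileEntry(
        stamp=datetime.strptime(m.group("stamp"), "%Y/%m/%d %H:%M:%S"),
        size=int(m.group("size").replace(",", "")),
        attrs=m.group("attrs"),
        flag=m.group("flag"),
        company=m.group("company") or None,   # "()" means no version info
        path=m.group("path"),
    )


def parse_file_entries(log_text: str) -> list[FileEntry]:
    return [e for e in map(parse_file_entry, log_text.splitlines()) if e]


def no_company_system32(entries: list[FileEntry]) -> list[FileEntry]:
    """Files under System32 with no company string (OTL groups these under
    'Files Created - No Company Name'); worth a second look, not proof of anything.
    This heuristic is the example's own, not an OTL feature."""
    return [e for e in entries
            if e.company is None and "\\windows\\system32\\" in e.path.lower()
            and "D" not in e.attrs]


def find_cleanup_candidates(log_text: str) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for entries a cleanup fix would remove."""
    found: list[tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if ORPHAN_SERVICE.match(line):
            found.append(("service/driver whose file is missing", line))
        elif DEAD_SEARCHHOOK.match(line):
            found.append(("URLSearchHook with no CLSID behind it", line))
        elif (m := AUTORUN_COMMAND.match(line)):
            found.append(("MountPoints2 AutoRun command -> " + m.group("cmd"), line))
    return found


# Constructed sample: lines quoted from this thread's log and fix script.
SAMPLE_LOG = r"""
SRV - File not found [Auto | Stopped] -- C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe -- (TuneUp.UtilitiesSvc)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver32.sys -- (TuneUpUtilitiesDrv)
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O33 - MountPoints2\{0ce5726c-0913-11e2-8a31-001e101f9843}\Shell - "" = AutoRun
O33 - MountPoints2\{0ce5726c-0913-11e2-8a31-001e101f9843}\Shell\AutoRun\command - "" = F:\AutoRun.exe -- [2010/08/20 03:49:08 | 000,126,976 | R--- | M] ()
[2012/10/28 22:00:19 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/06/29 20:52:44 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/09/10 11:40:50 | 000,053,299 | ---- | C] () -- C:\Windows\System32\pthreadVC.dll
"""

if __name__ == "__main__":
    for reason, line in find_cleanup_candidates(SAMPLE_LOG):
        print(f"{reason}: {line}")
    for e in no_company_system32(parse_file_entries(SAMPLE_LOG)):
        print(f"no company string: {e.path} ({e.size} bytes, created {e.stamp:%Y-%m-%d})")
```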

#21
godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Hi MrsC,

So first up, my 5 year old accidentally deleted the OTL fix log :(

Kidz....they do the darnedest things. :lol: Sounds like you have a handful. The report should still be on the system.
Please go to the C:\_OTL\MovedFiles folder and look for a file named mmddyyyy_hhmmss.log (where mmddyyyy_hhmmss is the date of the tool run). It should be the file with the newest date and time stamp.

I'm so sorry, after all this hard work!!

Nothing to be sorry about. The last OTL log looks good. There are a couple of entries I want to clean up but they don't have anything to do with malware. We will take care of those while we are cleaning up the tools we have used. And I can't see anything else in the OTL log. The MBAM log was clean. ESET found one file but it was in a compressed .zip file.
Malware removal is just an extended and sometimes tedious process. And the removal tools sometimes get interfered with by programs on the system, like SpyBot, as we have seen here.

If there's anything else I can add, please let me know!

I managed to delete PC Tuneup too, and the computer *seems* to be running as normal, but I'll wait for your go ahead before I commence using it as before.

That's what you can add. Please tell me how you managed to get PC Tuneup uninstalled.
I'm asking for my own education. If I run into this again and there is an easier way to get the program uninstalled it will save someone else the anguish you went through.

Also, did you get Adobe Reader updated? If you didn't, see Step 2 in Post 16 for the directions.

As for the iPhone....if you looked in the forum I gave you the link to, you'll have noticed that malware removal on mobile devices is in its infancy, but the Techs are researching and learning all the time and if anyone can help my money is on them.
  • 0

#22
Mrscoffeecup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hi!!

Ok so I found the OTL fix file folder, but when I click on it, it says the file is empty...I'm really not sure how else to look for it so I'll wait for your instructions :)

Re: Adobe reader, I tried to update it, but it kept saying no update available. I tried downloading an update directly from Adobe, but I must've downloaded the wrong one, because it told me I was running a different version *sigh*.

Onto better news!! Avg Pc Tuneup was a nightmare to get rid of!! It kept interfering with all the scan processes and generally was immovable, and it had changed itself to only display German (which I can't read lol). How I ended up getting rid of it was with Windows Install Clean Up.
This removed the existing uninstall problems, allowing me to delete the files manually, as it wasn't showing up in the uninstall programs section of the control panel. *phew*

I have completely removed AVG and Spybot from my pc, as they've both been pretty useless this past week, and I am now running malwarebytes and kaspersky :)

And you are not kidding about Malware removal being tedious haha!! But really, I've learned things I have never known before about my computer.

I will reread the directions re adobe reader and see how I go.

you mentioned there were a couple of files that needed cleaning up? Will you be able to do that without the fix log? :( I hope so!!

Thanks so much for your endless patience thus far, it is so cool that you help people do this :)
  • 0

#23
godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Hi :)

Ok so I found the OTL fix file folder, but when I click on it, it says the file is empty...I'm really not sure how else to look for it so I'll wait for your instructions :)

Don't worry about it.

I have completely removed AVG and Spybot from my pc,...

Personally I think that is a good call. All registry monitoring and cleanup programs like PC Tuneup should be avoided...period. And all antispyware programs that run in the background eventually have these problems. We quit using Spybot a long time ago because it caused this type of problem. SuperAntiSpyware is another antispyware program that users were having a devil of a time getting to uninstall. The only problem I've encountered with MBAM (MalwareBytes) was when something in the program code screwed up when folks activated the trial period for the Pro version. It didn't remove the things necessary to take it out of the registry startup key when it reverted back to the FREE version. I use and we recommend MalwareBytes....the FREE version. It doesn't run in the background. You just need to run a Quick scan with it as often as you want and run a FULL scan every week. Just update the program before running the scans.

you mentioned there were a couple of files that needed cleaning up? Will you be able to do that without the fix log? :( I hope so!!

Yep, we will just run the fix. I won't need a log.

Onto better news!! Avg Pc Tuneup was a nightmare to get rid of!! It kept interfering with all the scan processes and generally was immovable, and it had changed itself to only display German (which I can't read lol). How I ended up getting rid of it was with Windows Install Clean Up.
This removed the existing uninstall problems, allowing me to delete the files manually, as it wasn't showing up in the uninstall programs section of the control panel. *phew*

I was gonna use a program named Revo Uninstall. I'm glad the Windows Install Cleanup Utility did the job but you need to be aware that Microsoft discontinued that utility program when Vista came out because it was causing compatibility issues with Vista.
In the future I would recommend Revo Uninstaller and if you need any assistance running it just come to G2G and ask. We'll be glad to help.

Thanks so much for your endless patience thus far, it is so cool that you help people do this :)

You're very welcome and we do this cause we've all been in the same kind of situation that caused you to come here.

I will be back a little later with instructions to clean up the tools we have used. This is very important. The tools are updated pretty frequently to keep up with malware changes and old versions of the tools are pretty pointless to keep.

We can tackle the Adobe updating problem at that point if you wish.
  • 0

#24
Mrscoffeecup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Excellent, I will be avidly awaiting your response :)

Just something to mention though, when I accessed this page from my pc, kaspersky alerted me that the URL was a phishing URL and not to proceed. Is this just kaspersky being overly cautious?
  • 0

#25
godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
MrsC,

Just something to mention though, when I accessed this page from my pc, kaspersky alerted me that the URL was a phishing URL and not to proceed. Is this just kaspersky being overly cautious?

That is :rofl: It's a false positive from Kaspersky. It happens from time to time with various AV programs. I will pass it along to people who can contact Kaspersky.

OK! Well done. :thumbsup: Here is the best part of the process! The mullygrubs are gone! That's a technical term for your log(s) appear to be clean! If you have no further issues with your computer, please proceed with the housekeeping procedures outlined below.
The first thing we need to do is to remove all the tools that we have used. This is so that should you ever be re-infected, you will download updated versions.

If you didn't uninstall ESET after you ran the program we will do that now.

Step-1.

Uninstall ESET

1. Please click the Start Orb, click Control Panel. Under the Programs heading click Uninstall a program
2. In the list of programs installed, locate the following program(s):

ESET Online Scanner

3. Click on each program to highlight it and click Change/Remove. (Vista/7 users: right click the program and click Uninstall)
4. After the programs have been uninstalled, close the Installed Programs window and the Control Panel.
5. Reboot the computer.

Delete the folders associated with the uninstalled programs.(Only do this if you uninstalled the program)

1. Using Windows Explorer (to get there right-click your Start button and click "Explore"), please delete the following folders(s) (if present):

C:\Program Files\ESET

2. Close Windows Explorer.

Step-2.

OTL Cleanup
1. Please copy all of the text in the code box below. To do this, highlight everything inside the code box , right click and click Copy.
    :COMMANDS
    [CREATERESTOREPOINT]
    
    :OTL
    SRV - File not found [Auto | Stopped] -- C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe -- (TuneUp.UtilitiesSvc)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver32.sys -- (TuneUpUtilitiesDrv)
    IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    O33 - MountPoints2\{0ce5726c-0913-11e2-8a31-001e101f9843}\Shell - "" = AutoRun
    O33 - MountPoints2\{0ce5726c-0913-11e2-8a31-001e101f9843}\Shell\AutoRun\command - "" = F:\AutoRun.exe -- 
    
    :FILES
    ipconfig /flushdns /c
    
    :COMMANDS
    [EMPTYTEMP]
    
  • Please re-open Posted Image on your desktop.
  • Place the mouse pointer inside the Posted Image textbox, right click and click Paste. This will put the above script inside the textbox.
  • Click the Posted Image button.
  • Let the program run unhindered. When finished click the OK button and close the log that appears.
  • NOTE: I do not need to review the log produced.
  • OTL may ask to reboot the machine. Please do so if asked.
2. Please re-open Posted Image on your desktop.
  • Be sure all other programs are closed as this step will require a reboot.
  • Click on Posted Image
  • You will be prompted to reboot your system. Please do so.
The above process will remove most/all of the tools used and logs created during the cleanup process. After it is finished, OTL will remove itself. This is so that if you are ever infected again you will download the most current copy of the tool.

Step-3.

Delete the following Files and Folders (If present)

MBR.dat
SecurityCheck.exe
Checkup.txt

Delete any other .bat, .log, .reg, .txt, and any other files created during this process, and left on the desktop and empty the Recycle Bin.

Step-4.

Make a Fresh Restore Point, Clear the Old Restore Points, and Re-enable System Restore

The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected, but that's good news).

Note: Do not clear infected/old System Restore points before creating a new System Restore point first!

For Vista and Windows 7:
  • Click the Start Orb. Click Control Panel. Click System and Maintenance
  • Click System
  • In the left column under Tasks, click Advanced System Settings and accept the warning if you get one
  • Click the System Protection Tab
  • In the Available Disks box put a check mark in the box next to OS (?:) (System). Your drive letter will be shown in place of the ?

    Note: It may take some time for the system to populate the Available Disks box, so be patient.
  • Click the Create button at the bottom
  • Type in a name for the restore point, i.e: Clean
  • Click Create
  • A small System Protection window will come up telling you a Restore Point is being created.
  • Another System Protection window will come up telling you the Restore Point has been created, click OK
  • Click OK again.
  • Close the Control Panel
Now we can purge the old Restore Points
  • Click Start(Windows 7 Orb), click Run (or press the Windows key and R together) to bring up the Run box.
  • Type, or Copy and Paste the following in the Run box:
    cleanmgr
  • Click OK
    A Disk Cleanup Options popup will open
    Posted Image
  • Click Files from all users on this computer

    A Drive Selection popup will open
    NOTE: You will not see this window unless you have more than one drive or partition on your computer.
    Posted Image
    If you chose Files from all users on this computer above, then click on Continue for UAC prompt.
  • Select the system drive, C:\ and click OK.
  • For a few moments the system will make some calculations
    Posted Image
  • The Disk Cleanup Window will open:
    Posted Image
  • Click the More Options tab.
  • Click the Clean up button under the System Restore and Shadow Copies section. (See screenshot below)
    Posted Image
  • In the Disk Cleanup dialog box, click Delete (See screenshot below).
    Posted Image
  • You will get a Disk Cleanup confirmation (See screenshot below)
    Posted Image
  • Click Delete Files, and then click OK.
Step-5.

Reset Hidden Files and Folders

For Vista and Windows 7
1. Click Start, click Control Panel.
2. Click Folder Options.... NOTE: If you are in the Category view, click Appearance, then Folder Options
3. On the Folder Options window click the View tab.
4. In the Advanced settings: box, Under Hidden files and folders, click the Do not show hidden files and folders button.
5. Click the Hide protected operating system files (Recommended) box.
6. Click Apply and then OK



Preventing Re-Infection

Below, I have included a number of recommendations for how to protect your computer against future malware infections.

:Keep Windows Updated:
Windows Updates are constantly being revised to combat the newest hacks and threats. Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Vista and Windows 7 Users:
1. Click Start> All Programs, from the list find Windows Update and click it.

:Turn On Automatic Updates:

Vista and Windows 7
1. Click Start> Control Panel. Click Security. Under Windows Update, Click Turn automatic on or off.
2. On the next page, under Important Updates, Click the Drop down arrow on the right side of the box and Click Install Updates Automatically(recommended).
If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your task bar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

: Keep Java Updated :
  • Click the Start button
  • Click Control Panel
  • Double Click Java - Looks like a coffee cup. You may have to switch to Classical View on the upper left of the Control Panel to see it.
  • Click the Update tab
  • Click Update Now
  • Allow any updates to be downloaded and installed
: Keep Adobe Reader Updated :
  • Open Adobe Reader
  • Click Help on the menu at the top
  • Click Check for Updates
  • Allow any updates to be downloaded and installed
NOTE: Whether you use Adobe Reader, Acrobat or Foxit Reader to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Click Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. Click OK Close program. It's the same for Foxit Reader except Preferences is under the Tools menu, and you uncheck Enable Javascript Actions.

:Web Browsers:

:Make your Internet Explorer more secure:
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
5. Change the Download signed ActiveX controls to "Prompt"
6. Change the Download unsigned ActiveX controls to "Disable"
7. Change the Initialise and script ActiveX controls not marked as safe to "Disable"
8. Change the Installation of desktop items to "Prompt"
9. Change the Launching programs and files in an IFRAME to "Prompt"
10. When all these settings have been made, click on the OK button.
11. If it prompts you as to whether or not you want to save the settings, click the Yes button.
12. Next press the Apply button and then the OK to exit the Internet Properties page.

:Alternate Browsers:

If you use Firefox, I highly recommend these add-ons to keep your PC even more secure.
  • NoScript - for blocking ads and other potential website attacks
  • WebOfTrust - a safe surfing tool for your browser. Traffic-light rating symbols show which websites you can trust when you search, shop and surf on the Web.
  • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling
:Install the MVPs Hosts File: (Only needed for Firefox)
  • MVPS Hosts file-replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

Preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running a full scan at least once a month. Run Quick Scans at least once a week. Download the Free versions. And update the definitions before running scans.

========Anti Spyware========
  • Malwarebytes-Free Version- a powerful tool to search for and eliminate malware found on your computer.
  • SUPERAntiSpyware Free Edition-another scanning tool to find and eliminate malware.
  • SpywareBlaster-to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard-to catch and block spyware before it can execute. A tutorial can be found here.
  • WinPatrol - will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. Help file and tutorial can be found here.

It's a good idea to clear out all your temp files every now and again. This will help your computer from bogging down and slowing. It also can assist in getting rid of files that may contain malicious code that could re-infect your computer.

========TEMP File Cleaners========
  • TFC by OldTimer Recommended-A very powerful cleaning program for 32 and 64 bit OS. Note: You may have this already as part of the fixes you have run.
  • CleanUP-Click the Download CleanUP! link. There is also a Learn how to use CleanUP! link on this page.
:BACKUPS:
  • Keep a backup of your important files.-Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT-(Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

:Keep Installed Programs Up to Date:

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities.
Download and install the program and run it monthly:
Filehippo Update Checker

Finally, please read How did I Get Infected in the First Place(by Mr. Tony Klein and dvk01)

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

Normally I keep this open For 24 hours or so, but if you need help with the Adobe update let me know and we will get that done before closing the topic.

Stay Safe :wave:
godawgs
  • 0

#26
Mrscoffeecup

Mrscoffeecup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hello!!!

Sorry for the delayed response, I started watching the first season of Breaking Bad and lost track of time!!

I have followed all the steps you laid out for me, and Adobe Reader *seems* to be updated, (it tells me no updates are avail) so I assume that means I'm up to date?

Otherwise, everything seems to be running fine. Computer is a little slow at start up, but I have different programs running now so that may be it.

Out of curiosity, what kind of Trojan did I have on the computer?

I can't thank you enough for your help Godawgs, if you're ever in Australia, let me know and I'll buy you a drink :thumbsup:
  • 0

#27
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
The PHP/Kryptic.AB trojan was in the compressed sharpfolio.zip file. Sharpfolio appears to be related to WordPress themes. But it was probably downloaded from a questionable site. Since it was in a .zip file, it would have had to be extracted and run.

The big thing I saw was that the Hosts file had been hijacked and a proxy had been put in it.

...if you're ever in Australia, let me know and I'll buy you a drink :thumbsup:

Will do...I hope that comes with shrimp on the barbie ;)

If you ever need us again just give a yell :yes:
  • 0
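The hijacked HOSTS file mentioned in the post above is the most concrete finding in this thread, and the MVPS hosts file recommended earlier in the thread uses the same mechanism legitimately (well-known ad sites pointed at 127.0.0.1). The two look alike in the file, so here is an added example, not code from the thread or from any of the tools it uses, that parses a HOSTS file and separates benign sinkhole entries from the two patterns worth a second look: a real hostname redirected to some other address, and a security vendor's site silenced by pointing it at loopback. The sample file, the `.example` hostnames, the TEST-NET-3 address 203.0.113.5 and the `PROTECTED_HINTS` list are all constructed for this example.

```python
import ipaddress

# Constructed sample HOSTS file for this example (not the thread's real file).
SAMPLE_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# MVPS-style blocklist lines: ad/tracking hosts pointed at the local machine
0.0.0.0     ads.adnetwork.example
127.0.0.1   tracker.adnetwork.example   # inline comment
# Lines of the kind a hijack adds (constructed, TEST-NET-3 address)
203.0.113.5 www.onlinebank.example
203.0.113.5 www.google.com
# A security vendor update host silenced by pointing it at loopback
127.0.0.1   update.antivirus.example
"""

# Names that legitimately map to loopback on every machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Hostname fragments that should never be sinkholed on a clean machine.
# Assumed list for this example; tailor it to the vendors actually installed.
PROTECTED_HINTS = ("windowsupdate", "microsoft", "antivirus", "kaspersky",
                   "avg", "eset", "malwarebytes")


def parse_hosts(text):
    """Yield (line_no, ip_address, hostname) for every mapping in a HOSTS file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed line, skip it
        for host in fields[1:]:
            yield line_no, ip, host.lower()


def classify(ip, host):
    """Label one mapping: ok, blocklist, blocked-security-site or redirect."""
    sinkhole = ip.is_loopback or ip.is_unspecified  # 127.x, ::1, 0.0.0.0
    if host in LOCAL_NAMES and sinkhole:
        return "ok"
    if sinkhole:
        if any(hint in host for hint in PROTECTED_HINTS):
            return "blocked-security-site"
        return "blocklist"  # MVPS-style entry: harmless
    return "redirect"  # a real host sent somewhere other than the local machine


def audit_hosts(text):
    """Return the mappings that warrant a look, with line numbers."""
    findings = []
    for line_no, ip, host in parse_hosts(text):
        verdict = classify(ip, host)
        if verdict in ("redirect", "blocked-security-site"):
            findings.append({"line": line_no, "ip": str(ip),
                             "host": host, "verdict": verdict})
    return findings


if __name__ == "__main__":
    # On a Windows machine, read C:\Windows\System32\drivers\etc\hosts instead.
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>3}: {f['ip']:<15} {f['host']:<30} {f['verdict']}")
```

Running it against the constructed sample reports the two redirected hosts and the sinkholed update site, and stays silent on the localhost and ad-blocking lines. A `redirect` verdict is the pattern to treat seriously: a browser resolving a bank or search site through the HOSTS file never touches DNS, so no DNS log will show the substitution.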

#28
Mrscoffeecup

Mrscoffeecup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Wow, I downloaded the sharpfolio months and months ago!! And it was for wordpress, you're right :)

The computer appears to be running as normal today so I'm thrilled, thank you :thumbsup:

Ps, I've literally never had a shrimp on the barbie, ever :lol: but I make a mean lasagne!

Thanks again Godawgs, you've been awesome!
  • 0

#29
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
You are more than welcome. Stay safe!
  • 0

#30
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0