All download has virus [Solved]



#1 saskpc (Member, 28 posts)
I have a problem identical to this thread: http://www.geekstogo...a-virus-solved/
All downloads (exe, msi, pdf, ...) have a virus.
I have tried to disable all virus protection (AVG, Windows Defender), no difference.
I have reset Internet Explorer.
I did not follow any advice on the above-mentioned post.
I have run rkill and Malwarebytes in safe mode. They have not found anything.
I had to do it in safe mode as downloads work in safe mode.
I am sure it is a trojan or malware or virus, but would appreciate a guided step-by-step on how to clean it.
I looked back at my notes, and I managed to run Spybot; it found 202 spyware items but did not resolve the issue.
Thank you.

Edited by saskpc, 23 February 2013 - 09:42 AM.



#2 Buddierdl (Trusted Helper, Malware Removal, 2,524 posts)
Hello and welcome to Geeks to Go. I am sorry that you are having troubles with your computer and will try my best to help you. I know that being infected is very frustrating, but I will be here to help you through the whole process of cleaning. Removing malware can be difficult and complicated and will most likely take many steps, so please stick with me until I have declared your computer clean. I always recommend printing my instructions before following them in case you cannot keep this webpage open. Please be sure to always follow all steps exactly as they are written and let me know what happens each time. Stop and ask if something unexpected happens or if you are unsure of how to proceed.

Please respect my volunteered time and stay with me until I declare your computer clean. If you are going to be delayed for a while, please let me know.

Please note that I am currently in training as a GeekU Senior. My posts must be reviewed by an instructor, so there may be a slight delay.

I need to get a look at your system. Please try to download the program in Safe Mode.


Download OTL to your Desktop
  • Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Please check the box next to Scan All Users.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your topic.


#3 saskpc (Topic Starter, Member, 28 posts)
Thank you for your quick reply.
I will be actively working on this issue today.
Tomorrow I will not be able to, but I will notify you before I leave for the weekend.
Before I post the content of the 2 text files I would like to mention a couple of things I just noticed:
1 - The same problem is in safe mode. I was not able to download OTL from this computer; I used a USB stick.
2 - In normal mode, I cannot access a network folder; it right away asks for a name and password, and always says it is the wrong one. In safe mode, I can access the network without a problem.

OTL.txt:
OTL logfile created on: 2/23/2013 10:35:16 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Garfield\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

2.87 Gb Total Physical Memory | 2.46 Gb Available Physical Memory | 85.69% Memory free
5.73 Gb Paging File | 5.35 Gb Available in Paging File | 93.34% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 218.20 Gb Total Space | 178.36 Gb Free Space | 81.74% Space Free | Partition Type: NTFS
Drive E: | 7.26 Gb Total Space | 7.16 Gb Free Space | 98.69% Space Free | Partition Type: FAT32

Computer Name: GARFIELD-PC | User Name: Garfield | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/02/23 10:33:00 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Garfield\Desktop\OTL.exe
PRC - [2011/02/24 23:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (No Company Name) ==========


========== Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\Spybot -- (SDWSCService)
SRV - File not found [Auto | Stopped] -- C:\Program Files\Spybot -- (SDUpdateService)
SRV - File not found [Auto | Stopped] -- C:\Program Files\Spybot -- (SDScannerService)
SRV - [2013/02/11 11:46:15 | 000,251,248 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/01/25 10:34:04 | 000,166,408 | ---- | M] (Microsoft Corp.) [Auto | Stopped] -- C:\Program Files\Microsoft\BingDesktop\BingDesktopUpdater.exe -- (BingDesktopUpdate)
SRV - [2011/04/22 13:56:50 | 000,984,392 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2011/04/18 17:39:42 | 007,398,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2011/03/09 19:24:44 | 002,708,024 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG10\avgfws.exe -- (avgfws)
SRV - [2011/02/08 05:33:42 | 000,269,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd)
SRV - [2011/01/14 13:35:56 | 000,196,912 | ---- | M] (Nitro PDF Software) [Auto | Stopped] -- C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe -- (NitroReaderDriverReadSpool)
SRV - [2010/07/14 17:55:29 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2010/06/30 09:09:02 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/01/05 06:30:10 | 000,229,458 | ---- | M] (IDT, Inc.) [Auto | Stopped] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_41f81f5ce017c35c\stacsv.exe -- (STacSV)
SRV - [2009/11/29 21:41:08 | 000,060,928 | ---- | M] () [Auto | Stopped] -- C:\Program Files\STMicroelectronics\Accelerometer\InstallFilterService.exe -- (InstallFilterService)
SRV - [2009/11/03 23:45:46 | 002,320,920 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe -- (UNS)
SRV - [2009/11/03 23:45:44 | 000,268,824 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe -- (LMS)
SRV - [2009/07/13 19:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 19:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/03/02 12:43:08 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) [Auto | Stopped] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_41f81f5ce017c35c\AEstSrv.exe -- (AESTFilters)


========== Driver Services (SafeList) ==========

DRV - [2013/02/22 11:54:50 | 000,013,560 | ---- | M] (GFI Software) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\gfibto.sys -- (gfibto)
DRV - [2012/08/23 08:44:32 | 000,014,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2012/08/23 08:40:25 | 000,049,664 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2011/04/14 21:28:30 | 000,134,480 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2011/04/05 00:59:56 | 000,297,168 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/03/16 16:03:20 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\System32\drivers\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/03/01 14:25:18 | 000,034,896 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Stopped] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/02/22 08:12:50 | 000,022,992 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\AVGIDSEH.sys -- (AVGIDSEH)
DRV - [2011/02/10 07:53:42 | 000,021,968 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2011/02/10 07:53:40 | 000,024,144 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2011/01/07 06:41:46 | 000,248,656 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2010/11/20 03:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/07/12 04:34:02 | 000,054,112 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgfwd6x.sys -- (Avgfwfd)
DRV - [2010/02/26 02:31:22 | 000,132,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Impcd.sys -- (Impcd)
DRV - [2010/02/02 16:36:34 | 000,232,960 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\IntcDAud.sys -- (IntcDAud)
DRV - [2010/01/05 06:30:10 | 000,423,424 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2009/09/16 22:54:14 | 000,041,088 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HECI.sys -- (HECI)
DRV - [2009/08/09 21:06:08 | 000,171,520 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV - [2009/07/13 17:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
DRV - [2009/06/15 12:05:16 | 000,143,968 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CtClsFlt.sys -- (CtClsFlt)
DRV - [2009/05/28 09:48:20 | 000,134,144 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CtAudDrv.sys -- (CtAudDrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\URLSearchHook: {9427041a-a8dc-4d06-9a68-93873486e957} - C:\Program Files\Productivity_3.1\prxtbProd.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{23088cf8-eaf8-4bb3-a251-9ba61557ac75}: "URL" = http://search.mywebs...r={searchTerms}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKLM\..\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}: "URL" = http://search.mywebs...r={searchTerms}
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.condui...&ctid=CT2976654
IE - HKLM\..\SearchScopes\{F5B5E1CF-6504-45B9-BCC5-ADF76C11CEEB}: "URL" = http://www.bing.com/...rc=IE-SearchBox


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3745198013-423729411-3109601797-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKU\S-1-5-21-3745198013-423729411-3109601797-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/
IE - HKU\S-1-5-21-3745198013-423729411-3109601797-1000\..\SearchScopes,DefaultScope = {36377DD7-B3EB-42f5-986F-680BAF59BA9D}
IE - HKU\S-1-5-21-3745198013-423729411-3109601797-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKU\S-1-5-21-3745198013-423729411-3109601797-1000\..\SearchScopes\{36377DD7-B3EB-42f5-986F-680BAF59BA9D}: "URL" = http://start.msn.ipl...q={searchTerms}
IE - HKU\S-1-5-21-3745198013-423729411-3109601797-1000\..\SearchScopes\{7024EA2C-DEE0-4DAE-9D71-28664E9EEC58}: "URL" = http://search.condui...&ctid=CT3008668
IE - HKU\S-1-5-21-3745198013-423729411-3109601797-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "bing"
FF - prefs.js..browser.search.selectedEngine: "bing"
FF - prefs.js..browser.startup.homepage: "http://start.msn.ipl...lay.com/?o=shp"
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_5_502_149.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@oberon-media.com/ONCAdapter: C:\Program Files\Common Files\Oberon Media\NCAdapter\1.0.0.8\npapicomadapter.dll (Oberon-Media )
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG10\Firefox4\ [2011/05/11 08:11:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/11/22 23:45:10 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/08/19 03:38:31 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Garfield\AppData\Roaming\Mozilla\Extensions
[2013/02/07 12:21:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Garfield\AppData\Roaming\Mozilla\Firefox\Profiles\0i4i7dsx.default\extensions
[2012/09/04 12:19:41 | 000,000,000 | ---D | M] (Oberon GamesBar) -- C:\Users\Garfield\AppData\Roaming\Mozilla\Firefox\Profiles\0i4i7dsx.default\extensions\[email protected]
[2012/04/15 15:55:02 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/03/12 22:39:39 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/03/12 22:38:32 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/04/27 17:53:34 | 000,002,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bingober11178282.xml
[2012/04/27 17:54:49 | 000,002,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bingober11253147.xml
[2012/04/29 15:11:36 | 000,002,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bingober11823346.xml
[2012/04/29 15:12:35 | 000,002,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bingober11882549.xml
[2012/04/29 15:13:25 | 000,002,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bingober11931752.xml
[2012/04/29 15:24:24 | 000,002,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bingober12591324.xml
[2012/04/29 15:24:52 | 000,002,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bingober12618998.xml
[2012/04/29 15:28:21 | 000,002,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bingober12827634.xml
[2012/04/29 15:30:47 | 000,002,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bingober12974322.xml
[2012/05/04 00:23:43 | 000,002,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bingober21322544.xml
[2012/05/04 00:26:35 | 000,002,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bingober21494348.xml
[2012/05/04 00:29:12 | 000,002,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bingober21650988.xml
[2012/05/04 00:29:44 | 000,002,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bingober21683390.xml
[2012/05/04 00:31:52 | 000,002,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bingober21811420.xml
[2012/05/04 00:35:19 | 000,002,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bingober22018137.xml
[2012/05/04 00:40:55 | 000,002,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bingober22354537.xml
[2012/05/04 00:41:39 | 000,002,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bingober22398030.xml
[2012/05/04 00:43:55 | 000,002,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bingober22534562.xml
[2012/04/25 12:14:22 | 000,002,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bingober3873738.xml
[2012/04/25 12:25:42 | 000,002,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bingober4554168.xml
[2012/04/25 12:41:19 | 000,002,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bingober5490455.xml
[2012/04/25 12:45:52 | 000,002,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bingober5763659.xml
[2012/03/12 22:38:32 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Bing (Enabled)
CHR - default_search_provider: search_url = http://www.bing.com/...q={searchTerms}
CHR - default_search_provider: suggest_url = http://api.bing.com/...uage={language}
CHR - homepage: http://ca.msn.com/
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Garfield\AppData\Local\Google\Chrome\Application\18.0.1025.162\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Garfield\AppData\Local\Google\Chrome\Application\18.0.1025.162\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Garfield\AppData\Local\Google\Chrome\Application\18.0.1025.162\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: AVG Internet Security (Enabled) = C:\Users\Garfield\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\10.0.0.1374_0\plugins/avgnpss.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U26 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Oberon com adapter (Enabled) = C:\Program Files\Common Files\Oberon Media\NCAdapter\1.0.0.8\npapicomadapter.dll
CHR - plugin: Windows Live\u0099 Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: Google Update (Enabled) = C:\Users\Garfield\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll
CHR - Extension: YouTube = C:\Users\Garfield\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0\
CHR - Extension: Google Search = C:\Users\Garfield\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.14_0\
CHR - Extension: AVG Safe Search = C:\Users\Garfield\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\10.0.0.1374_0\
CHR - Extension: Gmail = C:\Users\Garfield\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.3_0\

O1 HOSTS File: ([2009/06/10 15:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (eBay Toolbar Helper) - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll (eBay Inc.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
O2 - BHO: (Productivity 3.1 Toolbar) - {9427041a-a8dc-4d06-9a68-93873486e957} - C:\Program Files\Productivity_3.1\prxtbProd.dll (Conduit Ltd.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (eBay Toolbar) - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll (eBay Inc.)
O3 - HKLM\..\Toolbar: (Productivity 3.1 Toolbar) - {9427041a-a8dc-4d06-9a68-93873486e957} - C:\Program Files\Productivity_3.1\prxtbProd.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-3745198013-423729411-3109601797-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-3745198013-423729411-3109601797-1000\..\Toolbar\WebBrowser: (Productivity 3.1 Toolbar) - {9427041A-A8DC-4D06-9A68-93873486E957} - C:\Program Files\Productivity_3.1\prxtbProd.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-3745198013-423729411-3109601797-1000\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BingDesktop] C:\Program Files\Microsoft\BingDesktop\BingDesktop.exe (Microsoft Corp.)
O4 - HKLM..\Run: [DBRMTray] C:\dell\DBRM\Reminder\DbrmTrayicon.exe (Microsoft)
O4 - HKLM..\Run: [Dell Webcam Central] C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe (eBay Inc.)
O4 - HKLM..\Run: [Family Tree Builder Update] C:\Program Files\MyHeritage\Bin\FTBCheckUpdates.exe (MyHeritage)
O4 - HKLM..\Run: [FreeFallProtection] C:\Program Files\STMicroelectronics\Accelerometer\FF_Protection.exe ()
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4 - HKLM..\Run: [SDTray] C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe (Safer-Networking Ltd.)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
O13 - gopher Prefix: missing
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file:///C:/Program%20Files/Super%20Mah%20Jong%20Solitaire/Images/stg_drm.ocx (SpinTop DRM Control)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.253 65.87.230.4 65.87.230.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EA748932-003C-4288-A96C-43CEEB31ADFA}: DhcpNameServer = 192.168.1.253 65.87.230.4 65.87.230.5
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll) - File not found
O20 - Winlogon\Notify\SDWinLogon: DllName - (SDWinLogon.dll) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 15:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/02/23 10:34:48 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Garfield\Desktop\OTL.exe
[2013/02/22 14:05:14 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2013/02/22 12:17:13 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2013/02/22 11:57:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Downloaded Installations
[2013/02/22 11:54:50 | 000,044,424 | ---- | C] (GFI Software) -- C:\Windows\System32\sbbd.exe
[2013/02/22 11:54:50 | 000,013,560 | ---- | C] (GFI Software) -- C:\Windows\System32\drivers\gfibto.sys
[2013/02/22 11:54:50 | 000,000,000 | ---D | C] -- C:\Users\Garfield\AppData\Roaming\LavasoftStatistics
[2013/02/22 11:54:33 | 000,000,000 | ---D | C] -- C:\Users\Garfield\AppData\Roaming\Ad-Aware Antivirus
[2013/02/22 11:38:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2013/02/22 11:30:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
[2013/02/22 11:30:17 | 000,015,224 | ---- | C] (Safer Networking Limited) -- C:\Windows\System32\sdnclean.exe
[2013/02/22 11:30:06 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy 2
[2013/02/22 10:55:24 | 000,000,000 | ---D | C] -- C:\Users\Garfield\AppData\Roaming\Malwarebytes
[2013/02/22 10:55:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/02/22 10:55:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013/02/22 10:55:16 | 000,021,104 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2013/02/22 10:55:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013/02/22 10:55:09 | 000,000,000 | ---D | C] -- C:\Users\Garfield\AppData\Local\Programs
[2013/02/22 10:54:00 | 001,678,240 | ---- | C] (Bleeping Computer, LLC) -- C:\Users\Garfield\Desktop\rkill.exe
[2013/02/13 02:17:50 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2013/02/13 02:17:49 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2013/02/13 02:17:48 | 000,607,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2013/02/13 02:17:48 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2013/02/13 02:17:48 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2013/02/13 02:17:47 | 001,800,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2013/02/13 02:17:47 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2013/02/13 02:17:45 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2013/02/13 01:05:07 | 002,347,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2013/02/13 01:05:00 | 003,967,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2013/02/13 01:04:59 | 003,913,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2013/02/13 01:04:57 | 000,187,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\FWPKCLNT.SYS
[2013/02/13 01:04:26 | 000,169,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winsrv.dll
[2013/02/11 11:47:19 | 000,000,000 | ---D | C] -- C:\Users\Garfield\AppData\Local\Macromedia
[2013/02/01 17:29:48 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\TsUsbRedirectionGroupPolicyControl.exe
[2013/02/01 17:29:47 | 000,014,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\rdpvideominiport.sys
[2013/02/01 17:29:45 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\TsUsbRedirectionGroupPolicyExtension.dll
[2013/02/01 17:29:45 | 000,012,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RdpGroupPolicyExtension.dll
[2013/02/01 17:29:43 | 000,049,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\TsUsbFlt.sys
[2013/02/01 17:29:40 | 000,317,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wksprt.exe
[2013/02/01 17:29:40 | 000,269,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\aaclient.dll
[2013/02/01 17:29:40 | 000,221,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rdpudd.dll
[2013/02/01 17:29:40 | 000,192,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rdpendp_winip.dll
[2013/02/01 17:29:40 | 000,056,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\TSWbPrxy.exe
[2013/02/01 17:29:40 | 000,046,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MsRdpWebAccess.dll
[2013/02/01 17:29:40 | 000,037,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tsgqec.dll
[2013/02/01 17:29:40 | 000,032,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\TsUsbGDCoInstaller.dll
[2013/02/01 17:29:40 | 000,016,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wksprtPS.dll
[2013/02/01 17:29:39 | 002,739,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rdpcorets.dll
[2013/02/01 17:28:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Bing Desktop
[2013/01/25 02:34:49 | 000,000,000 | ---D | C] -- C:\Users\Garfield\AppData\Local\{6E6477BC-84AE-4126-AE4E-ABB61352402E}
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/02/23 10:33:00 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Garfield\Desktop\OTL.exe
[2013/02/23 10:00:28 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/02/23 10:00:22 | 2307,928,064 | -HS- | M] () -- C:\hiberfil.sys
[2013/02/23 09:57:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/02/23 09:04:53 | 000,014,240 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/02/23 09:04:53 | 000,014,240 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/02/23 09:02:53 | 111,023,119 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2013/02/22 14:05:38 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2013/02/22 11:54:50 | 000,044,424 | ---- | M] (GFI Software) -- C:\Windows\System32\sbbd.exe
[2013/02/22 11:54:50 | 000,013,560 | ---- | M] (GFI Software) -- C:\Windows\System32\drivers\gfibto.sys
[2013/02/22 11:30:36 | 000,000,620 | ---- | M] () -- C:\Windows\tasks\Check for updates (Spybot - Search & Destroy).job
[2013/02/22 11:30:36 | 000,000,616 | ---- | M] () -- C:\Windows\tasks\Refresh immunization (Spybot - Search & Destroy).job
[2013/02/22 11:30:36 | 000,000,446 | ---- | M] () -- C:\Windows\tasks\Scan the system (Spybot - Search & Destroy).job
[2013/02/22 11:30:35 | 000,002,121 | ---- | M] () -- C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
[2013/02/22 10:55:21 | 000,001,069 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/02/13 10:23:17 | 000,270,280 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013/02/13 02:16:21 | 000,616,008 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/02/13 02:16:21 | 000,106,388 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/02/11 11:46:15 | 000,697,712 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2013/02/11 11:46:15 | 000,074,096 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2013/02/02 02:50:26 | 000,001,409 | ---- | M] () -- C:\Users\Garfield\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/02/22 11:30:36 | 000,000,620 | ---- | C] () -- C:\Windows\tasks\Check for updates (Spybot - Search & Destroy).job
[2013/02/22 11:30:36 | 000,000,616 | ---- | C] () -- C:\Windows\tasks\Refresh immunization (Spybot - Search & Destroy).job
[2013/02/22 11:30:36 | 000,000,446 | ---- | C] () -- C:\Windows\tasks\Scan the system (Spybot - Search & Destroy).job
[2013/02/22 11:30:35 | 000,002,133 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
[2013/02/22 11:30:35 | 000,002,121 | ---- | C] () -- C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
[2013/02/22 10:55:21 | 000,001,069 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/05/04 02:59:00 | 000,000,438 | ---- | C] () -- C:\Program Files\0520122590062.bat
[2012/05/01 02:29:51 | 000,000,432 | ---- | C] () -- C:\Program Files\0520122295136.bat
[2012/04/26 18:13:35 | 000,000,438 | ---- | C] () -- C:\Program Files\04201218133577.bat
[2012/04/04 19:09:30 | 000,000,439 | ---- | C] () -- C:\Program Files\04201219093083.bat
[2012/03/10 11:37:31 | 000,000,437 | ---- | C] () -- C:\Program Files\03201211373175.bat
[2012/03/10 09:26:59 | 000,000,258 | ---- | C] () -- C:\Windows\MyHeritage.INI
[2012/03/10 09:24:55 | 000,454,656 | ---- | C] () -- C:\Windows\System32\PaintX.dll
[2012/03/04 22:32:49 | 000,000,447 | ---- | C] () -- C:\Program Files\03201222324918.bat
[2012/02/22 09:44:59 | 000,000,437 | ---- | C] () -- C:\Program Files\0220129445971.bat
[2012/01/10 22:17:08 | 000,128,204 | ---- | C] () -- C:\Windows\System32\igcompkrng575.bin
[2012/01/10 22:17:04 | 000,105,608 | ---- | C] () -- C:\Windows\System32\igfcg575m.bin
[2012/01/10 22:17:02 | 000,867,020 | ---- | C] () -- C:\Windows\System32\igkrng575.bin
[2012/01/10 21:29:54 | 013,904,384 | ---- | C] () -- C:\Windows\System32\ig4icd32.dll
[2012/01/10 21:14:34 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll
[2012/01/10 21:12:12 | 000,094,208 | ---- | C] () -- C:\Windows\System32\IccLibDll.dll
[2011/11/16 09:30:30 | 000,000,467 | ---- | C] () -- C:\Program Files\1120119303080.bat
[2011/07/24 12:14:01 | 000,161,760 | ---- | C] () -- C:\Program Files\64res.dll
[2011/06/20 14:24:16 | 000,161,752 | ---- | C] () -- C:\Program Files\pares.dll
[2011/06/10 06:34:52 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2011/05/19 00:16:16 | 000,004,096 | ---- | C] () -- C:\Windows\d3dx.dat
[2011/03/16 00:14:08 | 000,000,064 | ---- | C] () -- C:\Windows\GPlrLanc.dat
[2010/07/14 17:55:09 | 000,061,224 | ---- | C] () -- C:\Users\Garfield\GoToAssistDownloadHelper.exe

========== ZeroAccess Check ==========

[2009/07/13 22:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 22:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 06:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/13 19:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Files - Unicode (All) ==========
[2011/05/20 17:28:12 | 000,000,017 | ---- | M] ()(C:\Windows\System32\??) -- C:\Windows\System32\挸ӝ
[2011/05/20 17:28:12 | 000,000,017 | ---- | C] ()(C:\Windows\System32\??) -- C:\Windows\System32\挸ӝ

========== Alternate Data Streams ==========

@Alternate Data Stream - 159 bytes -> C:\ProgramData\TEMP:8865824E
@Alternate Data Stream - 157 bytes -> C:\ProgramData\TEMP:C642810F
@Alternate Data Stream - 153 bytes -> C:\ProgramData\TEMP:FDE7A038
@Alternate Data Stream - 153 bytes -> C:\ProgramData\TEMP:F4BE8180
@Alternate Data Stream - 153 bytes -> C:\ProgramData\TEMP:955A2D2C
@Alternate Data Stream - 153 bytes -> C:\ProgramData\TEMP:7B227418
@Alternate Data Stream - 153 bytes -> C:\ProgramData\TEMP:22D489B6
@Alternate Data Stream - 151 bytes -> C:\ProgramData\TEMP:D5C2DDAE
@Alternate Data Stream - 151 bytes -> C:\ProgramData\TEMP:25FF8A61
@Alternate Data Stream - 150 bytes -> C:\ProgramData\TEMP:E748547C
@Alternate Data Stream - 150 bytes -> C:\ProgramData\TEMP:0768C7C3
@Alternate Data Stream - 149 bytes -> C:\ProgramData\TEMP:C7EA4918
@Alternate Data Stream - 149 bytes -> C:\ProgramData\TEMP:30C74695
@Alternate Data Stream - 148 bytes -> C:\ProgramData\TEMP:A477A19D
@Alternate Data Stream - 148 bytes -> C:\ProgramData\TEMP:8F88317C
@Alternate Data Stream - 148 bytes -> C:\ProgramData\TEMP:6CFD136C
@Alternate Data Stream - 147 bytes -> C:\ProgramData\TEMP:FC289904
@Alternate Data Stream - 147 bytes -> C:\ProgramData\TEMP:9C0F8F95
@Alternate Data Stream - 146 bytes -> C:\ProgramData\TEMP:20573823
@Alternate Data Stream - 144 bytes -> C:\ProgramData\TEMP:418054A0
@Alternate Data Stream - 143 bytes -> C:\ProgramData\TEMP:0B352B60
@Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:901256DA
@Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:1BA9C8DC
@Alternate Data Stream - 139 bytes -> C:\ProgramData\TEMP:A4C49A68
@Alternate Data Stream - 139 bytes -> C:\ProgramData\TEMP:65AAB2AD
@Alternate Data Stream - 138 bytes -> C:\ProgramData\TEMP:24D72313
@Alternate Data Stream - 137 bytes -> C:\ProgramData\TEMP:C5B78274
@Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:EB4FEEF5
@Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:DE22D45C
@Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:BBD6565E
@Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:04E853D4
@Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:CBAF0C30
@Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:0B4227B4
@Alternate Data Stream - 131 bytes -> C:\ProgramData\TEMP:CE5C755D
@Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:FEF919E6
@Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:E2B0AAB4
@Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:7991541F
@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:B16047B8
@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:799B8AA7
@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:32B2B431
@Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:82376CD0
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:902F3E60
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:D4E0D1F1
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:8F09BC2E
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:228B2655
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:EC3A9923
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:108D3361
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:6F1F66C0
@Alternate Data Stream - 112 bytes -> C:\ProgramData\TEMP:863F4B04
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:9CAD1FF9

< End of report >


Extra.txt:
OTL Extras logfile created on: 2/23/2013 10:35:16 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Garfield\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

2.87 Gb Total Physical Memory | 2.46 Gb Available Physical Memory | 85.69% Memory free
5.73 Gb Paging File | 5.35 Gb Available in Paging File | 93.34% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 218.20 Gb Total Space | 178.36 Gb Free Space | 81.74% Space Free | Partition Type: NTFS
Drive E: | 7.26 Gb Total Space | 7.16 Gb Free Space | 98.69% Space Free | Partition Type: FAT32

Computer Name: GARFIELD-PC | User Name: Garfield | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3745198013-423729411-3109601797-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0
"AutoUpdateDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe:*:Enabled:Spybot-S&D 2 Tray Icon -- (Safer-Networking Ltd.)
"C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe:*:Enabled:Spybot-S&D 2 Scanner Service -- (Safer-Networking Ltd.)
"C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe:*:Enabled:Spybot-S&D 2 Updater -- (Safer-Networking Ltd.)
"C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe:*:Enabled:Spybot-S&D 2 Background update service -- (Safer-Networking Ltd.)


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{091579F7-D0EB-416D-84B6-1C8BA7E90281}" = rport=10243 | protocol=6 | dir=out | app=system |
"{19249BE4-EAE1-416F-98DE-DB654BE4E598}" = lport=2869 | protocol=6 | dir=in | app=system |
"{1E5960D8-C951-4A8B-8A43-3968EC391DF7}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{25BA4F80-81D4-4867-BE1C-EB4CB672E9C2}" = lport=445 | protocol=6 | dir=in | app=system |
"{3D85480B-B4AF-4064-8F07-ED1B96EF4943}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{42E24D02-F302-4589-B3F8-56CABF28BBED}" = rport=138 | protocol=17 | dir=out | app=system |
"{48EA6EE0-99A4-4598-A365-1F120E66621A}" = rport=445 | protocol=6 | dir=out | app=system |
"{55C642A6-64BD-49D8-968B-6E03859F2E24}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{619B5B79-2013-4A38-8527-9650EA2D48F1}" = lport=137 | protocol=17 | dir=in | app=system |
"{6720ABC4-30ED-429A-BBBA-998CF574B8E6}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{6750EDB3-7209-4283-BF60-3AA66998801F}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{67D7DDA9-BBC7-4C33-89D6-C9B6C301BED8}" = lport=2869 | protocol=6 | dir=in | app=system |
"{722110E6-9825-47A9-BCEF-9727C4DD9A70}" = rport=137 | protocol=17 | dir=out | app=system |
"{7CCDC167-4856-4F18-95C1-FC1208E0D351}" = rport=139 | protocol=6 | dir=out | app=system |
"{7F8CDD1A-715A-4905-9CC8-43450F3E8456}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | [email protected],-28539 |
"{8777560B-5EB4-4132-863E-D4A4EA739905}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{8C9D48A2-572F-40CC-ACDA-6860F7DD759D}" = lport=10243 | protocol=6 | dir=in | app=system |
"{90996A3E-68F7-4EF1-8DD6-B8C5F93339BB}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{96076E43-B429-44E3-A48A-DFA3FF76018C}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{CF049F0F-5D7A-4ECF-89D9-3D1AD4EC2663}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{DAF8EF5D-113E-4A9C-B4B6-34049D50C393}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
"{DD7F6B19-8A03-4DBD-B661-BCB1E27ED3A5}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{DDD2608D-9660-4932-A14C-28ECA6182580}" = lport=139 | protocol=6 | dir=in | app=system |
"{E5BD594B-6AA3-43FC-8D5C-7621892E6C83}" = lport=138 | protocol=17 | dir=in | app=system |
"{F0A7E187-C73A-49A5-9B44-7DAE766EE80B}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{061A866B-D23B-4613-94C0-ABBD740F6FF8}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgemcx.exe |
"{0A82A336-7822-4789-8827-70B33B013576}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{0AB2B630-04AA-4DB1-96BD-DE5394136181}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{140DAAD1-63F6-4658-9F86-BBF80EAC3B68}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{1475FCB4-08B2-4841-934F-0408F800F04D}" = dir=in | app=c:\program files\windows live\contacts\wlcomm.exe |
"{199C5A9D-1C77-4695-82A8-9A4E2239B37F}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgmfapx.exe |
"{1CC7C608-C106-4351-BD67-423E1127CF0B}" = protocol=58 | dir=out | [email protected],-28546 |
"{2623D745-733F-4A3C-B2BD-E16F6E819A19}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgmfapx.exe |
"{2C0EB7D6-7526-4F42-9239-673E48EB7B8B}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{2DC65F76-10E5-4D00-B3B1-E48AF8E2A7E8}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgdiagex.exe |
"{3E4CA639-7FE0-4964-AAFF-4E3AB168F106}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{4C1BD14E-06C7-4D4F-BA3B-ADA33FF1D4FE}" = dir=in | app=c:\program files\cyberlink\powerdvd dx\pdvddxsrv.exe |
"{5CA54944-497F-4045-80C7-3E54EC5DC680}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{62348019-CED7-4BD5-A4A3-EA0629242AF2}" = protocol=58 | dir=in | [email protected],-28545 |
"{62CAD48C-ADE7-46F5-BDC9-D6F537A3BF02}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgdiagex.exe |
"{671D7624-BA50-47FF-A9D8-91F62D14A302}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{84AACDBD-CA2C-4D0F-8DC2-809C27CC7ED1}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgam.exe |
"{8674E516-A903-43AF-B983-2C9865D9DC14}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgnsx.exe |
"{8A46C277-5B5B-4A35-8C63-C747FE131474}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{9370A5A0-4E96-4393-8538-DAE64DD443E5}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{A68C91AC-BA99-457F-9C0C-57657732F9C9}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{ACA7BCA4-A307-4F2B-83B7-D413030D4754}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgam.exe |
"{ADC1E520-0A99-43F6-9248-E98C243CF79D}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{BE291C45-BE09-46B1-99D8-1B0D20AFB6A7}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{BF22FF23-FB2E-4396-A38B-A305CF3B36D6}" = protocol=1 | dir=in | [email protected],-28543 |
"{D9169AB0-8B05-4341-8EB8-8DDD7CCD019D}" = protocol=6 | dir=out | app=system |
"{DEEC358F-E4B9-494D-BB3F-CD6801E07093}" = dir=in | app=c:\program files\cyberlink\powerdvd dx\powerdvd.exe |
"{EB641D96-8D48-487A-8785-0FF07BA446FC}" = protocol=1 | dir=out | [email protected],-28544 |
"{F194003A-1354-44BC-B60A-C69951FD81A7}" = protocol=17 | dir=in | app=c:\program files\avg\avg10\avgnsx.exe |
"{F60151ED-F1D2-4DF2-AC9A-FB30E12FC2CE}" = protocol=6 | dir=in | app=c:\program files\avg\avg10\avgemcx.exe |
"{F935DA9C-587B-45C1-AA45-6281ACAD9C68}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{FA6A4476-DA9C-4A0E-9B05-630AA75E6088}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{09760D42-E223-42AD-8C3E-55B47D0DDAC3}" = Roxio Creator DE 10.3
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{230E8DDC-FB78-4F9F-8461-22ED20DBC3BA}" = AVG 2011
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 26
"{2881063B-C58F-49EB-97FD-8BF58EC580F9}" = Nitro PDF Reader
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3138EAD3-700B-4A10-B617-B3F8096EE30D}" = Dell Edoc Viewer
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3DB5FD00-BB93-4AF3-B925-77DAA0E4E2F4}" = eBay Toolbar
"{3F32329A-CE69-45CB-9BC2-1E554A5A5868}" = AVG 2011
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CBABDFD-49F8-47FD-BE7D-ECDE7270525A}" = Windows Live PIMT Platform
"{50316C0A-CC2A-460A-9EA5-F486E54AC17D}_is1" = AVG PC Tuneup
"{61AD15B2-50DB-4686-A739-14FE180D4429}" = Windows Live ID Sign-in Assistant
"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel® Management Engine Components
"{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}" = Live! Cam Avatar Creator
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD DX
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6A05FEDF-662E-46BF-8A25-010E3F1C9C69}" = Windows Live UX Platform Language Pack
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7D095455-D971-4D4C-9EFD-9AF6A6584F3A}" = Bing Desktop
"{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-117870793}" = Mahjong Memoirs
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{87434D51-51DB-4109-B68F-A829ECDCF380}" = Accelerometer
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010
"{9B0DA03A-8334-4127-B788-CC44F2F462DB}" = Jewel Quest
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A7E279B1-BEC4-4C2C-A5C4-6EB7982FF0B5}" = Jewel Quest 2
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{ABA496C5-81F7-4B91-A347-A70FE48C116B}" = Jewel Quest Solitaire 2
"{AC474F86-9A17-4BCB-8B15-11ABFD5B7F95}" = Dell Backup and Recovery Manager
"{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.3
"{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}" = QuickTime
"{AF844339-2F8A-4593-81B3-9F4C54038C4E}" = Windows Live MIME IFilter
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1" = Spybot - Search & Destroy
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{C4972073-2BFE-475D-8441-564EA97DA161}" = QuickSet32
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{C779648B-410E-4BBA-B75B-5815BCEFE71D}" = Safari
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D4225A14-873C-4611-B12D-DE4A25B3DDAB}" = Jewel Quest Solitaire
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator DE 10.3
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel® Graphics Media Accelerator Driver
"{F5266D28-E0B2-4130-BFC5-EE155AD514DC}" = Apple Application Support
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"AVG" = AVG 2011
"Dell Webcam Central" = Dell Webcam Central
"DW WLAN Card" = DW WLAN Card
"ESET Online Scanner" = ESET Online Scanner v3
"Family Tree Builder" = MyHeritage Family Tree Builder
"GoToAssist" = GoToAssist 8.0.0.514
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.70.0.1100
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox 11.0 (x86 en-US)" = Mozilla Firefox 11.0 (x86 en-US)
"Productivity_3.1 Toolbar" = Productivity 3.1 Toolbar
"SynTPDeinstKey" = Dell Touchpad
"WinLiveSuite" = Windows Live Essentials
"YTdetect" = Yahoo! Detect

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 8/14/2012 3:35:52 AM | Computer Name = Garfield-PC | Source = Customer Experience Improvement Program | ID = 1008
Description =

Error - 8/14/2012 6:20:15 PM | Computer Name = Garfield-PC | Source = Customer Experience Improvement Program | ID = 1008
Description =

Error - 8/16/2012 12:31:47 PM | Computer Name = Garfield-PC | Source = Customer Experience Improvement Program | ID = 1008
Description =

Error - 8/17/2012 3:30:08 AM | Computer Name = Garfield-PC | Source = Customer Experience Improvement Program | ID = 1008
Description =

Error - 8/18/2012 2:56:31 AM | Computer Name = Garfield-PC | Source = Customer Experience Improvement Program | ID = 1008
Description =

Error - 8/18/2012 5:08:24 PM | Computer Name = Garfield-PC | Source = Customer Experience Improvement Program | ID = 1008
Description =

Error - 8/19/2012 1:58:51 PM | Computer Name = Garfield-PC | Source = Customer Experience Improvement Program | ID = 1008
Description =

Error - 8/20/2012 2:03:49 PM | Computer Name = Garfield-PC | Source = Customer Experience Improvement Program | ID = 1008
Description =

Error - 8/21/2012 4:42:32 AM | Computer Name = Garfield-PC | Source = Customer Experience Improvement Program | ID = 1008
Description =

Error - 8/21/2012 9:39:05 PM | Computer Name = Garfield-PC | Source = Customer Experience Improvement Program | ID = 1008
Description =

[ Media Center Events ]
Error - 8/29/2010 5:13:35 AM | Computer Name = Garfield-PC | Source = MCUpdate | ID = 0
Description = 3:13:34 AM - Error connecting to the internet. 3:13:34 AM - Unable
to contact server..

Error - 8/29/2010 6:16:40 AM | Computer Name = Garfield-PC | Source = MCUpdate | ID = 0
Description = 4:16:40 AM - Error connecting to the internet. 4:16:40 AM - Unable
to contact server..

Error - 8/29/2010 7:19:45 AM | Computer Name = Garfield-PC | Source = MCUpdate | ID = 0
Description = 5:19:45 AM - Error connecting to the internet. 5:19:45 AM - Unable
to contact server..

Error - 8/29/2010 8:22:50 AM | Computer Name = Garfield-PC | Source = MCUpdate | ID = 0
Description = 6:22:50 AM - Error connecting to the internet. 6:22:50 AM - Unable
to contact server..

Error - 8/29/2010 9:25:55 AM | Computer Name = Garfield-PC | Source = MCUpdate | ID = 0
Description = 7:25:55 AM - Error connecting to the internet. 7:25:55 AM - Unable
to contact server..

Error - 8/29/2010 10:29:00 AM | Computer Name = Garfield-PC | Source = MCUpdate | ID = 0
Description = 8:29:00 AM - Error connecting to the internet. 8:29:00 AM - Unable
to contact server..

Error - 10/14/2010 8:01:17 AM | Computer Name = Garfield-PC | Source = MCUpdate | ID = 0
Description = 6:01:13 AM - Error connecting to the internet. 6:01:13 AM - Unable
to contact server..

Error - 10/14/2010 9:04:21 AM | Computer Name = Garfield-PC | Source = MCUpdate | ID = 0
Description = 7:04:21 AM - Error connecting to the internet. 7:04:21 AM - Unable
to contact server..

Error - 10/14/2010 10:07:26 AM | Computer Name = Garfield-PC | Source = MCUpdate | ID = 0
Description = 8:07:26 AM - Error connecting to the internet. 8:07:26 AM - Unable
to contact server..

Error - 10/14/2010 11:10:31 AM | Computer Name = Garfield-PC | Source = MCUpdate | ID = 0
Description = 9:10:31 AM - Error connecting to the internet. 9:10:31 AM - Unable
to contact server..

[ System Events ]
Error - 2/23/2013 12:00:51 PM | Computer Name = Garfield-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 2/23/2013 12:00:54 PM | Computer Name = Garfield-PC | Source = Microsoft-Windows-WLAN-AutoConfig | ID = 10000
Description = WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\bcmihvsrv.dll Error Code: 21

Error - 2/23/2013 12:01:01 PM | Computer Name = Garfield-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 2/23/2013 12:01:01 PM | Computer Name = Garfield-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 2/23/2013 12:01:01 PM | Computer Name = Garfield-PC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 2/23/2013 12:13:10 PM | Computer Name = Garfield-PC | Source = DCOM | ID = 10005
Description =

Error - 2/23/2013 12:13:10 PM | Computer Name = Garfield-PC | Source = DCOM | ID = 10005
Description =

Error - 2/23/2013 12:34:36 PM | Computer Name = Garfield-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR1.

Error - 2/23/2013 12:34:36 PM | Computer Name = Garfield-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR1.

Error - 2/23/2013 12:34:37 PM | Computer Name = Garfield-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR1.


< End of report >

#4 Buddierdl (Trusted Helper, Malware Removal, 2,524 posts)
One question while I review your logs...Are you able to run programs in normal mode (just not download them)?

#5 saskpc (Topic Starter, Member, 28 posts)
I started the browser, QuickTime and Adobe Reader; I was also able to run Malwarebytes in normal mode.
The antivirus is running fine in normal mode, and a scan revealed no threat.

#6 Buddierdl (Trusted Helper, Malware Removal, 2,524 posts)
Hi saskpc,

Do you know anything about these numbered batch files:

C:\Program Files\0520122590062.bat
C:\Program Files\0520122295136.bat
C:\Program Files\04201218133577.bat
C:\Program Files\04201219093083.bat
C:\Program Files\03201211373175.bat
C:\Program Files\03201222324918.bat
C:\Program Files\0220129445971.bat
C:\Program Files\1120119303080.bat

If you don't know what they are, please navigate to C:\Program Files, right-click on one of the files, and select "Edit." A notepad window should open. Please paste the contents in your next reply.

Let's get started. Since you cannot download on your infected computer, we will need to continue using your flash drive to transfer files from your clean computer. To protect your clean computer, please run this program first (from your clean computer):

Download/Run Panda USB Vaccine:

Please download Panda USB Vaccine from here to the Desktop of your machine you intend to use for the transfers.

  • Right-click on USBVaccineSetup.exe and select Run as Administrator >> follow the prompts in the installation wizard.
  • At the configuration screen (settings)...
  • Ensure both "Run Panda USB Vaccine automatically when computer boots (resident mode)" and "Automatically vaccinate any newly inserted USB key" are selected >> plus NTFS support.
  • Now click on Next >> ensure Launch Panda USB Vaccine is selected >> click on Finish.
  • Insert your USB drive in your machine... it will be automatically vaccinated.
  • Close Panda USB Vaccine by right-clicking on the Panda USB Vaccine system tray icon and selecting Exit.
Note: You may uninstall Panda USB Vaccine when we have completed the Malware Removal process if you so wish. Though my advice would be to keep it installed.


Now, you can download the following tools to your flash drive from your clean computer in order to run the steps below. Please copy these tools from your flash drive to the desktop of the infected computer before running them as instructed.

Adwcleaner
RogueKiller



Step 1: Run OTL fix.

Please be aware that this fix will delete your temporary files. If the virus has "hidden" any of your files, please do not run the fix, but stop and let me know.

Start OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :Commands
    [createrestorepoint]
    
    :OTL
    IE - HKLM\..\URLSearchHook: {9427041a-a8dc-4d06-9a68-93873486e957} - C:\Program Files\Productivity_3.1\prxtbProd.dll (Conduit Ltd.)
    IE - HKLM\..\SearchScopes\{23088cf8-eaf8-4bb3-a251-9ba61557ac75}: "URL" = http://search.mywebs...r={searchTerms}
    IE - HKLM\..\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}: "URL" = http://search.mywebs...r={searchTerms}
    IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.condui...&ctid=CT2976654
    IE - HKU\S-1-5-21-3745198013-423729411-3109601797-1000\..\SearchScopes\{7024EA2C-DEE0-4DAE-9D71-28664E9EEC58}: "URL" = http://search.condui...&ctid=CT3008668
    
    O2 - BHO: (Productivity 3.1 Toolbar) - {9427041a-a8dc-4d06-9a68-93873486e957} - C:\Program Files\Productivity_3.1\prxtbProd.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (Productivity 3.1 Toolbar) - {9427041a-a8dc-4d06-9a68-93873486e957} - C:\Program Files\Productivity_3.1\prxtbProd.dll (Conduit Ltd.)
    O3 - HKU\S-1-5-21-3745198013-423729411-3109601797-1000\..\Toolbar\WebBrowser: (Productivity 3.1 Toolbar) - {9427041A-A8DC-4D06-9A68-93873486E957} - C:\Program Files\Productivity_3.1\prxtbProd.dll (Conduit Ltd.)
    
    :Files
    C:\Program Files\Productivity_3.1
    
    :Commands
    [emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered.
  • Post the log it produces in your next reply.

Step 2: Run adwCleaner.

Run AdwCleaner and select Delete.

Once done it will ask to reboot; allow this.
On reboot a log will be produced at C:\ADWCleaner[XX].txt; please attach that.

Step 3: Run RogueKiller.

  • Quit all programs.
  • Start RogueKiller.exe.
  • Wait until Prescan has finished...
  • Click on Scan.
  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
  • The report has been created on the desktop.
  • Next click on the ShortcutsFix button.
  • The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

Things I need in your next reply:
  • Contents of bat file
  • OTL fix log
  • adwCleaner log
  • RogueKiller log
  • How is your computer running now? Can you download files?

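As an added example (not part of this post, and not OTL's own code), the following PowerShell script is a report-only audit of the same four IE extension points the OTL fix above removes entries from: URLSearchHooks, SearchScopes, Browser Helper Objects and Toolbars. It resolves each CLSID to its in-process DLL and flags anything outside the Windows and Internet Explorer directories, and flags any search scope whose host is not on a short allow-list. The two allow-lists are assumptions to adjust for the machine, and only the native registry view is read (the logs above show 32-bit Windows 7, so there is no WOW6432Node to check here).

```powershell
# Added example: report-only audit of the IE extension points edited by the OTL
# fix above. Not part of the original post and not OTL's code. Assumptions:
# the allow-lists are illustrative; only the native registry view is read.

$trustedDirs = @("$env:windir", "${env:ProgramFiles}\Internet Explorer")
$allowedSearchHosts = @('www.bing.com', 'www.google.com')

function Resolve-ClsidDll([string]$Clsid) {
    # The in-process server for a CLSID is the default value of ...\InprocServer32
    foreach ($root in 'HKCU:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $key) {
            $raw = (Get-Item $key).GetValue('')
            if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw) }
        }
    }
    return $null
}

function Test-TrustedDll([string]$Path) {
    if (-not $Path) { return $false }        # no server at all: orphan, or file already removed
    foreach ($d in $trustedDirs) {
        if ($Path.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = New-Object 'System.Collections.Generic.List[string]'
$clsidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

# URLSearchHooks and Toolbar keys hold one value per extension, named by CLSID
# (the "URLSearchHook" and "O3" lines in the OTL fix).
$valueKeyedHooks = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser'
)
foreach ($key in $valueKeyedHooks) {
    if (-not (Test-Path $key)) { continue }
    foreach ($name in (Get-Item $key).GetValueNames()) {
        if ($name -notmatch $clsidPattern) { continue }
        $dll = Resolve-ClsidDll $name
        if (-not (Test-TrustedDll $dll)) { $findings.Add("$key : $name -> $dll") }
    }
}

# Browser Helper Objects are subkeys named by CLSID (the "O2" line).
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($sub in Get-ChildItem $bhoKey) {
        $dll = Resolve-ClsidDll $sub.PSChildName
        if (-not (Test-TrustedDll $dll)) { $findings.Add("BHO $($sub.PSChildName) -> $dll") }
    }
}

# SearchScopes: one subkey per provider with a URL value (the "SearchScopes" lines).
foreach ($scopeRoot in 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
                       'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes') {
    if (-not (Test-Path $scopeRoot)) { continue }
    foreach ($scope in Get-ChildItem $scopeRoot) {
        $url = (Get-ItemProperty -Path $scope.PSPath -ErrorAction SilentlyContinue).URL
        if ($url -and $url -match '^https?://([^/:?]+)') {
            $urlHost = $Matches[1].ToLowerInvariant()
            if ($allowedSearchHosts -notcontains $urlHost) {
                $findings.Add("SearchScope $($scope.PSChildName) -> $urlHost ($url)")
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No untrusted IE hooks, toolbars, BHOs or search scopes found.' }
else { $findings | ForEach-Object { "REVIEW: $_" } }
```

Run it from an elevated PowerShell prompt before and after a fix and compare the two outputs. A hook whose CLSID no longer resolves to any DLL is reported too: a registration pointing at nothing is either clutter left behind by an uninstaller or the trace of a file something else has already removed, and either way it should not stay in a hook key.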

#7 saskpc (Topic Starter, Member, 28 posts)
Do you have a RogueKiller 32-bit link?

#8 saskpc (Topic Starter, Member, 28 posts)
I am leaving and will be back on this issue next Monday.

#9 Buddierdl (Trusted Helper, Malware Removal, 2,524 posts)

> I am leaving and will be back on this issue next Monday.


Thanks for letting me know.

Sorry about the download link for RogueKiller. Here is the 32-bit link.

#10 saskpc (Topic Starter, Member, 28 posts)
Good morning.
Thank you for the new link.
I am back working on this issue today.
I will run the next steps you recommended and post back the info you requested.

#11 Buddierdl (Trusted Helper, Malware Removal, 2,524 posts)
Posted Image

#12 saskpc (Topic Starter, Member, 28 posts)
All the .bat files are scripts about some game removal, I think.
Here is the content:
0220129445971:
:tryDelete
IF EXIST "C:\Program Files\MSN Games\Galaxy Quest" GOTO WaitAndTryAgain
ping -n 2 localhost>NUL
for /f %%a in ('dir /b "C:\Program Files\MSN Games"') do ( GOTO End )
:EmptyLabel
echo "EMPTY"
rd /s /q "C:\Program Files\MSN Games"
IF EXIST "C:\Program Files\MSN Games" GOTO WaitAndTryAgain
GOTO End
:WaitAndTryAgain
ping -n 2 localhost>NUL
GOTO tryDelete
:End
Del /F /Q "C:\Program Files\0220129445971.bat"

0520122295136:
:tryDelete
IF EXIST "C:\Program Files\MSN Games\Trijinx" GOTO WaitAndTryAgain
ping -n 2 localhost>NUL
for /f %%a in ('dir /b "C:\Program Files\MSN Games"') do ( GOTO End )
:EmptyLabel
echo "EMPTY"
rd /s /q "C:\Program Files\MSN Games"
IF EXIST "C:\Program Files\MSN Games" GOTO WaitAndTryAgain
GOTO End
:WaitAndTryAgain
ping -n 2 localhost>NUL
GOTO tryDelete
:End
Del /F /Q "C:\Program Files\0520122295136.bat"

0520122590062:
:tryDelete
IF EXIST "C:\Program Files\MSN Games\4 Elements II" GOTO WaitAndTryAgain
ping -n 2 localhost>NUL
for /f %%a in ('dir /b "C:\Program Files\MSN Games"') do ( GOTO End )
:EmptyLabel
echo "EMPTY"
rd /s /q "C:\Program Files\MSN Games"
IF EXIST "C:\Program Files\MSN Games" GOTO WaitAndTryAgain
GOTO End
:WaitAndTryAgain
ping -n 2 localhost>NUL
GOTO tryDelete
:End
Del /F /Q "C:\Program Files\0520122590062.bat"


1120119303080:
:tryDelete
IF EXIST "C:\Program Files\MSN Games\Mahjongg Dimensions Deluxe - Tiles in Time" GOTO WaitAndTryAgain
ping -n 2 localhost>NUL
for /f %%a in ('dir /b "C:\Program Files\MSN Games"') do ( GOTO End )
:EmptyLabel
echo "EMPTY"
rd /s /q "C:\Program Files\MSN Games"
IF EXIST "C:\Program Files\MSN Games" GOTO WaitAndTryAgain
GOTO End
:WaitAndTryAgain
ping -n 2 localhost>NUL
GOTO tryDelete
:End
Del /F /Q "C:\Program Files\1120119303080.bat"

03201211373175:
:tryDelete
IF EXIST "C:\Program Files\MSN Games\Awakening 3" GOTO WaitAndTryAgain
ping -n 2 localhost>NUL
for /f %%a in ('dir /b "C:\Program Files\MSN Games"') do ( GOTO End )
:EmptyLabel
echo "EMPTY"
rd /s /q "C:\Program Files\MSN Games"
IF EXIST "C:\Program Files\MSN Games" GOTO WaitAndTryAgain
GOTO End
:WaitAndTryAgain
ping -n 2 localhost>NUL
GOTO tryDelete
:End
Del /F /Q "C:\Program Files\03201211373175.bat"

03201222324918:
:tryDelete
IF EXIST "C:\Program Files\MSN Games\Mah Jong Tiles Deluxe" GOTO WaitAndTryAgain
ping -n 2 localhost>NUL
for /f %%a in ('dir /b "C:\Program Files\MSN Games"') do ( GOTO End )
:EmptyLabel
echo "EMPTY"
rd /s /q "C:\Program Files\MSN Games"
IF EXIST "C:\Program Files\MSN Games" GOTO WaitAndTryAgain
GOTO End
:WaitAndTryAgain
ping -n 2 localhost>NUL
GOTO tryDelete
:End
Del /F /Q "C:\Program Files\03201222324918.bat"

04201218133577:
:tryDelete
IF EXIST "C:\Program Files\MSN Games\Cubis Gold 2" GOTO WaitAndTryAgain
ping -n 2 localhost>NUL
for /f %%a in ('dir /b "C:\Program Files\MSN Games"') do ( GOTO End )
:EmptyLabel
echo "EMPTY"
rd /s /q "C:\Program Files\MSN Games"
IF EXIST "C:\Program Files\MSN Games" GOTO WaitAndTryAgain
GOTO End
:WaitAndTryAgain
ping -n 2 localhost>NUL
GOTO tryDelete
:End
Del /F /Q "C:\Program Files\04201218133577.bat"

04201219093083:
:tryDelete
IF EXIST "C:\Program Files\MSN Games\4 Elements II" GOTO WaitAndTryAgain
ping -n 2 localhost>NUL
for /f %%a in ('dir /b "C:\Program Files\MSN Games"') do ( GOTO End )
:EmptyLabel
echo "EMPTY"
rd /s /q "C:\Program Files\MSN Games"
IF EXIST "C:\Program Files\MSN Games" GOTO WaitAndTryAgain
GOTO End
:WaitAndTryAgain
ping -n 2 localhost>NUL
GOTO tryDelete
:End
Del /F /Q "C:\Program Files\04201219093083.bat"

I will attach all the logs created by the software you requested.
Here you have the OTL fix and AdwCleaner logs.

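The eight scripts above all follow one pattern: wait until a game's folder under MSN Games is gone, delete the MSN Games directory if nothing else is left in it, then delete the script itself. Numbered, self-deleting batch files that nobody remembers creating are exactly the kind of thing that deserves a quick triage before they are trusted, so here is an added PowerShell helper for that (example code, not part of the thread and not a tool the helper used). It lists each script's labels and command verbs, the drive paths it touches, whether it deletes itself (by its own path or via the %~f0 idiom), and any verb that a leftover uninstaller-cleanup script has no reason to use. The "known" and "suspicious" verb lists are assumptions and are deliberately short; the file-name filter in the usage at the end matches the 13- and 14-digit names quoted in the post.

```powershell
# Added example, not part of the thread and not a tool the helper used: a first-pass
# triage of an unknown .bat file. Read-only: it parses text and never runs the script.

# Verbs expected in a "remove the directory once it is empty" cleanup script (assumption).
$Known = @('if','goto','ping','for','dir','echo','rd','rmdir','del','erase','rem','exit','cd','set','timeout')
# Verbs worth a closer look in a script nobody remembers creating (illustrative list).
$Suspicious = @('powershell','cscript','wscript','mshta','bitsadmin','certutil','reg','schtasks',
                'sc','netsh','curl','wget','rundll32','regsvr32','start','copy','xcopy','attrib')
$ExecSuffix = '\.(exe|bat|cmd|vbs|js|ps1|scr)$'

function Get-BatchTriage {
    param([string]$Text, [string]$OwnPath)
    $r = @{ Labels = @(); Verbs = @(); Paths = @(); Flagged = @(); Unknown = @(); SelfDeleting = $false }
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $line -or $line -match '^(rem\s|::)') { continue }
        if ($line.StartsWith(':')) { $r.Labels += ($line.Substring(1) -split '\s+')[0]; continue }   # GOTO label
        # Pull quoted arguments out first so a path can never be mistaken for a verb.
        $quoted = @([regex]::Matches($line, '"([^"]*)"') | ForEach-Object { $_.Groups[1].Value })
        $r.Paths += @($quoted | Where-Object { $_ -match '^[A-Za-z]:\\' })
        $bare = $line -replace '"[^"]*"', ' '
        $tokens = @($bare -split "[\s>|&'()]+" |
                    ForEach-Object { $_.TrimStart('@').ToLowerInvariant() } | Where-Object { $_ })
        if ($tokens.Count -eq 0) { continue }
        $head = $tokens[0]
        if ($Known -contains $head -or $Suspicious -contains $head) { $r.Verbs += $head } else { $r.Unknown += $head }
        foreach ($tok in $tokens) {
            if ($Suspicious -contains $tok -or $tok -match $ExecSuffix) { $r.Flagged += "${tok}: $line" }
            elseif ($Known -contains $tok -and $tok -ne $head) { $r.Verbs += $tok }   # GOTO inside IF, DIR inside FOR
        }
        if ((@('del','erase') -contains $head) -and
            @($quoted | Where-Object { $_ -eq $OwnPath -or $_ -eq '%~f0' }).Count) {
            $r.SelfDeleting = $true
        }
    }
    $r.Verdict = if ($r.Flagged.Count -or $r.Unknown.Count) { 'REVIEW' } else { 'cleanup-only' }
    New-Object PSObject -Property $r
}

# Usage on the numbered files listed in the post (read-only; nothing is executed or deleted).
Get-ChildItem 'C:\Program Files\*.bat' | Where-Object { $_.BaseName -match '^\d{13,14}$' } | ForEach-Object {
    $t = Get-BatchTriage -Text (Get-Content -LiteralPath $_.FullName | Out-String) -OwnPath $_.FullName
    '{0,-24} {1,-13} self-deleting={2} distinct paths={3}' -f $_.Name, $t.Verdict, $t.SelfDeleting,
        @($t.Paths | Sort-Object -Unique).Count
    $t.Flagged | ForEach-Object { "    $_" }
}
```

On the scripts quoted above every line head is in the known list, nothing is flagged, and each one reports itself as self-deleting, which is consistent with an uninstaller's cleanup stub. The opposite result, a script that invokes a script host, edits the registry or starts a named executable, is the reason to stop and ask before trusting the file name.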

#13 saskpc (Topic Starter, Member, 28 posts)
Well, I am having an issue with uploading; it only posts one of the 2 documents, so I will cut and paste all the reports here:
OTL fix:
All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{9427041a-a8dc-4d06-9a68-93873486e957} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9427041a-a8dc-4d06-9a68-93873486e957}\ deleted successfully.
C:\Program Files\Productivity_3.1\prxtbProd.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{23088cf8-eaf8-4bb3-a251-9ba61557ac75}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{23088cf8-eaf8-4bb3-a251-9ba61557ac75}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ not found.
Registry key HKEY_USERS\S-1-5-21-3745198013-423729411-3109601797-1000\Software\Microsoft\Internet Explorer\SearchScopes\{7024EA2C-DEE0-4DAE-9D71-28664E9EEC58}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7024EA2C-DEE0-4DAE-9D71-28664E9EEC58}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9427041a-a8dc-4d06-9a68-93873486e957}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9427041a-a8dc-4d06-9a68-93873486e957}\ not found.
File C:\Program Files\Productivity_3.1\prxtbProd.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{9427041a-a8dc-4d06-9a68-93873486e957} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9427041a-a8dc-4d06-9a68-93873486e957}\ not found.
File C:\Program Files\Productivity_3.1\prxtbProd.dll not found.
Registry value HKEY_USERS\S-1-5-21-3745198013-423729411-3109601797-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{9427041A-A8DC-4D06-9A68-93873486E957} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9427041A-A8DC-4D06-9A68-93873486E957}\ not found.
File C:\Program Files\Productivity_3.1\prxtbProd.dll not found.
========== FILES ==========
C:\Program Files\Productivity_3.1 folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56504 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Garfield
->Temp folder emptied: 33158436 bytes
->Temporary Internet Files folder emptied: 1069887965 bytes
->Java cache emptied: 341484 bytes
->FireFox cache emptied: 289623005 bytes
->Google Chrome cache emptied: 7769898 bytes
->Apple Safari cache emptied: 3018752 bytes
->Flash cache emptied: 16133 bytes

User: GARTH
->Temp folder emptied: 434168 bytes
->Temporary Internet Files folder emptied: 54745382 bytes
->Flash cache emptied: 3508 bytes

User: Guest
->Temp folder emptied: 201446 bytes
->Temporary Internet Files folder emptied: 18380987 bytes
->Flash cache emptied: 57047 bytes

User: Public

User: SUE
->Temp folder emptied: 45575 bytes
->Temporary Internet Files folder emptied: 53314271 bytes
->Flash cache emptied: 57753 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 480605 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,461.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 02232013_122958

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


AdwCleaner:
# AdwCleaner v2.112 - Logfile created 02/23/2013 at 12:37:18
# Updated 10/02/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
# User : Garfield - GARFIELD-PC
# Boot Mode : Normal
# Running from : C:\Users\Garfield\Desktop\adwcleaner0.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\ProgramData\AVG Security Toolbar
Folder Deleted : C:\ProgramData\Trymedia
Folder Deleted : C:\Users\Garfield\AppData\Local\Conduit
Folder Deleted : C:\Users\Garfield\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Folder Deleted : C:\Users\Garfield\AppData\Local\OpenCandy
Folder Deleted : C:\Users\Garfield\AppData\LocalLow\AVG Security Toolbar
Folder Deleted : C:\Users\Garfield\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Garfield\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\Garfield\AppData\LocalLow\Productivity_3.1
Folder Deleted : C:\Users\Garfield\AppData\Roaming\iWin
Folder Deleted : C:\Users\Garfield\AppData\Roaming\OpenCandy
Folder Deleted : C:\Users\SUE\AppData\LocalLow\AVG Security Toolbar

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\AVG Security Toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\Productivity_3.1
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\AVG Security Toolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9427041A-A8DC-4D06-9A68-93873486E957}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9427041A-A8DC-4D06-9A68-93873486E957}
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2273BD45-9747-41D0-B552-6CE3A3ED94DA}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\IMsiDe1egate.Application.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT1320680
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2976654
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3008668
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AF1D67D4-72A7-4E7C-AEAB-FA5C7DE620E9}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D2197103-35DD-4C54-ABCB-0980DC4D9B68}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2273BD45-9747-41D0-B552-6CE3A3ED94DA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Productivity_3.1 Toolbar
Key Deleted : HKLM\Software\Productivity_3.1
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16464

[OK] Registry is clean.

-\\ Mozilla Firefox v11.0 (en-US)

File : C:\Users\Garfield\AppData\Roaming\Mozilla\Firefox\Profiles\0i4i7dsx.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Users\Garfield\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [3890 octets] - [23/02/2013 12:37:18]

########## EOF - C:\AdwCleaner[S1].txt - [3950 octets] ##########

RogueKiller report 1 (scan):
RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Garfield [Admin rights]
Mode : Scan -- Date : 02/25/2013 12:43:33
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK2556GSY +++++
--- User ---
[MBR] 110106d2079608d17b5663d850721eb3
[BSP] 9e750515bba1161521bb2a1807043c1b : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 223434 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_02252013_02d1243.txt >>
RKreport[1]_S_02252013_02d1243.txt



RogueKiller report 2 (remove):
RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Garfield [Admin rights]
Mode : Remove -- Date : 02/25/2013 12:50:15
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK2556GSY +++++
--- User ---
[MBR] 110106d2079608d17b5663d850721eb3
[BSP] 9e750515bba1161521bb2a1807043c1b : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 223434 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[3]_D_02252013_02d1250.txt >>
RKreport[2]_S_02252013_02d1245.txt ; RKreport[3]_D_02252013_02d1250.txt



RogueKiller report 3 (shortcuts fix):
RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Garfield [Admin rights]
Mode : Shortcuts HJfix -- Date : 02/25/2013 12:52:24
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 1 / Fail 0
Quick launch: Success 1 / Fail 0
Programs: Success 4 / Fail 0
Start menu: Success 1 / Fail 0
User folder: Success 132 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 137 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped

Finished : << RKreport[3]_SC_02252013_02d1252.txt >>
RKreport[2]_S_02252013_02d1245.txt ; RKreport[3]_SC_02252013_02d1252.txt



I will do some testing and will let you know how everything works.

Edited by saskpc, 25 February 2013 - 01:09 PM.

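Two things in the RogueKiller reports above are worth re-checking after the reboot, and the following added PowerShell script does that without changing anything (example code, not from the thread and not RogueKiller's own). The [HJ DESK] lines are HideDesktopIcons values that RogueKiller reset from 1 to 0; it abbreviates the key, and the full path used here, Explorer\HideDesktopIcons\NewStartPanel, is an assumption based on that name. The two CLSIDs in the report are the "User's Files" and "Computer" desktop icons. The ShortcutsFix cleared the Hidden attribute on 132 items under the user folder and 137 on the local drive; the list of folders swept below is constructed to match the report's categories.

```powershell
# Added example, not from the thread and not RogueKiller's code: re-check, without
# changing anything, the two kinds of change RogueKiller reported above.

# [HJ DESK] entries: a value of 1 under HideDesktopIcons\NewStartPanel hides that icon.
# Full key path assumed from RogueKiller's abbreviated "HKLM\[...]\NewStartPanel".
$hideKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel'
)
$iconNames = @{
    '{59031a47-3f72-44a7-89c5-5595fe6b30ee}' = "User's Files"
    '{20D04FE0-3AEA-1069-A2D8-08002B30309D}' = 'Computer'
}
foreach ($key in $hideKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $label = if ($iconNames.ContainsKey($name)) { $iconNames[$name] } else { $name }
        $state = if ($item.GetValue($name) -eq 1) { 'HIDDEN ' } else { 'visible' }
        "$state  $label  [$key]"
    }
}

# ShortcutsFix: it cleared the Hidden attribute under locations like the ones below
# (list constructed to match the report's categories). Count what is still hidden,
# ignoring System items such as desktop.ini, which are hidden by design.
$roots = 'Desktop', 'StartMenu', 'Programs', 'UserProfile', 'MyDocuments' |
         ForEach-Object { [Environment]::GetFolderPath($_) }
foreach ($root in $roots) {
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    $hidden = @(Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                       -not ($_.Attributes -band [IO.FileAttributes]::System) })
    '{0,4} hidden item(s) under {1}' -f $hidden.Count, $root
    $hidden | Select-Object -First 5 | ForEach-Object { "        $($_.Name)" }
}
```

A handful of hidden items per folder is normal; a count back in the hundreds after a reboot means whatever set the attributes is still running and the desktop-icon values are worth re-reading in the same session.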

#14 saskpc (Topic Starter, Member, 28 posts)
Wish I had good news, but all downloads are still seen as a virus.

#15 Buddierdl (Trusted Helper, Malware Removal, 2,524 posts)
Have you tried all of your browsers (IE, Chrome, and FF)? Does the same thing happen with each of them?