Hijacked with FBI virus

[Gryn]

My computer has been hijacked with the FBI virus.

It won't allow me to start-up in any of the safe modes (cursor, with or without internet).

I tried disconnnecting it from the internet with no change.

It is a 32-bit machine.

I need help to get on the computer and eliminate the virus.

I have another computer that I can I can use to access this forum, the internet, etc.

Thanks in advance!

[gringo_pr]

Hello Gryn

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

• 
  
• Please do not run any tools unless instructed to do so.
  
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
    

  [*]Please do not attach logs or use code boxes, just copy and paste the text.

  • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
    

  [*]Please read every post completely before doing anything.

  • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
    

  [*]Please provide feedback about your experience as we go.

  • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
  
  

NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• 
  
• Restart the computer.
  
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  
• Use the arrow keys to select the Repair your computer menu item.
  
• Select US as the keyboard language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
  
• Restart your computer.
  
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  
• Click Repair your computer.
  
• Select US as the keyboard language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

• • 
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt

[*]Select Command Prompt

[*]In the command window type in notepad and press Enter.

[*]The notepad opens. Under File menu select Open.

[*]Select "Computer" and find your flash drive letter and close the notepad.

[*]In the command window type e:\frst64.exe or e:\frst.exe and press Enter

Note: Replace letter e with the drive letter of your flash drive.

[*]The tool will start to run.

[*]When the tool opens click Yes to disclaimer.

[*]First Press the Scan button.

[*]It will make a log (FRST.txt)

[*]Second Type the following in the edit box after "Search:". services.exe

[*]Click the Search button

[*]It will make a log (Search.txt)

I want you to poste Both the FRST.txt report and the Search.txt into your reply to me

Gringo

[Gryn]

Hello Gringo,

I think you have helped me in the past with other issues. Good to see you're still helping out!

Sorry I took so long to get back with you but I am here for the evening today.

So when I use F8 to get to the Advanced Options I do not have a "repair your computer" item.

I have the following:

- Safe Mode

- Safe Mode w/Networking

- Safe Mode w/command prompt

- Enable boot logging

- Enable VGA mode

- Last know good config

- Directory Services Restore Mode

- Debugging Mode

- Disable Auto restart

- Start Windows normally

- Reboot

- Return to OS choices

Where do I go from here?

[gringo_pr]

first I need to know what OS you are using xp , vista or win 7

[Gryn]

It's windows XP.

[gringo_pr]

Hello

Lets see if we can get this to run

• Download OTLPE from either location and save it to your desktop:
  http://oldtimer.geekstogo.com/OTLPEStd.exe
  http://ottools.noahdfear.net/OTLPEStd.exe
  
• Double click the OTLPENet icon on your desktop
  
• "Do you want to burn the CD?" choose Yes
  
• ImgBurn will automatically extract and load the OTLPE Iso to be burned to CD
  
• Place a blank CD in your CD-Rom
  
• Click to start the burn process
  
• You will see a dialog "Operation successfully completed"
  
• Boot the non-working computer using the boot CD you just created
  
• In order to do so, the computer must be set to boot from the CD first
  Note : For information click here
  
• Your system should now display a REATOGO-X-PE desktop.
  
• Double-click on the OTLPE icon.
  
• Select the Windows folder of the infected drive if it asks for a location
  
• When asked "Do you wish to load the remote registry", select Yes
  
• When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  
• Ensure the box "Automatically Load All Remaining Users" is checked and press "OK"
  
• OTL should now start.
  
• Push
  
• When finished, the file will be saved in drive C:\OTL.txt
  
• Copy this file to your USB drive.
  
• Please post the contents of the C:\OTL.txt file in your next reply.
  

Gringo

[Gryn]

I've just discovered that the laptop I'm using to troubleshoot (it's my computer issued by my employer) is locked out (I need administrator rights to be able to download anything). I'll need to get another computer. It will probably be tomorrow until I can get my daughter's laptop.

Are there specific times during which I can reach you?

[gringo_pr]

I will be on in the early afternoon briefly but will be on after 9pm all night

[Gryn]

OK. I'll try to get the CD burned and, hopefully, the OTL.txt log created and back to you tomorrow.

Unfortunately I will be leaving to go out of town for work tomorrow evening and won't return until Friday evening.

Can we leave this topic open until then so we can continue working this weekend?

[gringo_pr]

I will try to keep it open but if it does get closed just send me a pm and I will reopen it

gringo

[Gryn]

Gringo,

Good news. I was able to successfully download and run the REALTOGO software on the infected machines.

I will only be around until 6:00 today and then not again until this weekend.

I will contact you then.

Following is the OTL log you requested:

OTL logfile created on: 4/16/2013 4:39:22 PM - Run

OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE

Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 86.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 232.88 Gb Total Space | 111.08 Gb Free Space | 47.70% Space Free | Partition Type: NTFS

Drive D: | 141.72 Gb Total Space | 99.29 Gb Free Space | 70.06% Space Free | Partition Type: NTFS

Drive G: | 7.30 Gb Total Space | 2.26 Gb Free Space | 31.00% Space Free | Partition Type: FAT32

Drive X: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM

Boot Mode: Normal | Scan Mode: All users

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

Using ControlSet: ControlSet002

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto] -- -- (Yontoo Desktop Updater)

SRV - File not found [Auto] -- -- (wg4n)

SRV - File not found [Auto] -- -- (TdmService)

SRV - File not found [On_Demand] -- -- (GamesAppService)

SRV - File not found [Auto] -- -- (ceepwrsvc)

SRV - File not found [Auto] -- -- (Appn)

SRV - File not found [On_Demand] -- -- (AppMgmt)

SRV - [2013/04/07 13:28:05 | 000,042,504 | ---- | M] (COMPANYVERS_NAME) [Auto] -- C:\Program Files\ReadingFanatic_6x\bar\1.bin\6xbarsvc.exe -- (ReadingFanatic_6xService)

SRV - [2013/04/05 06:57:04 | 002,569,168 | ---- | M] () [Auto] -- C:\Documents and Settings\All Users\Application Data\BrowserProtect\2.6.1125.80\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe -- (BrowserProtect)

SRV - [2012/09/12 17:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)

SRV - [2012/08/23 13:37:16 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto] -- C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe -- (IntuitUpdateServiceV4)

SRV - [2011/10/08 00:50:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) [Auto] -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)

SRV - [2010/08/23 20:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)

SRV - [2010/02/19 07:44:44 | 001,116,656 | ---- | M] (Sonic Solutions) [On_Demand] -- C:\Program Files\Common Files\Roxio Shared\VHStoDVD\SharedCOM\RoxMediaDBVHS.exe -- (RoxMediaDBVHS)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)

DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)

DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)

DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)

DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)

DRV - File not found [Kernel | System] -- -- (PCIDump)

DRV - File not found [Kernel | System] -- -- (lbrtfdc)

DRV - File not found [Kernel | System] -- -- (i2omgmt)

DRV - File not found [Kernel | System] -- -- (Changer)

DRV - [2013/04/11 19:44:59 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)

DRV - [2009/06/19 17:59:52 | 000,533,752 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\emOEM.sys -- (USB28xxOEM)

DRV - [2009/06/19 17:58:56 | 000,572,280 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\emBDA.sys -- (USB28xxBGA)

DRV - [2008/11/25 04:37:50 | 004,952,576 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)

DRV - [2008/08/18 06:54:24 | 000,145,952 | R--- | M] (NVIDIA Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\nvgts.sys -- (nvgts)

DRV - [2008/07/31 23:36:26 | 000,022,016 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)

DRV - [2008/07/31 23:36:20 | 000,054,784 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)

DRV - [2008/04/14 01:16:24 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\MPE.sys -- (MPE)

DRV - [2004/08/14 14:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\User_ON_C\Software\Microsoft\Internet Explorer\Main,bProtector Start Page = http://portal.wowway.net/

IE - HKU\User_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.wowway.net/

IE - HKU\User_ON_C\..\URLSearchHook: {421fb3de-4b9f-48e5-abf1-f96f8aaca70a} - Reg Error: Key error. File not found

IE - HKU\User_ON_C\..\URLSearchHook: {f897eb0e-a3a4-46c3-80eb-2729699d8892} - File not found

IE - HKU\User_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\User_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@Musicnotes.com/Musicnotes Viewer,version=1.18.6: C:\Program Files\Musicnotes\npmusicn.dll (Musicnotes, Inc.)

FF - HKLM\Software\MozillaPlugins\@oberon-media.com/ONCAdapter: C:\Program Files\Common Files\Oberon Media\NCAdapter\1.0.0.8\npapicomadapter.dll (Oberon-Media )

FF - HKLM\Software\MozillaPlugins\@Sibelius.com/Scorch Plugin,version=6.1.5.22: C:\Program Files\Musicnotes\NPSibelius.dll ()

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@WildTangent.com/GamesAppPresenceDetector,Version=1.0: File not found

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2009/09/02 22:49:25 | 000,000,000 | ---D | M]

[2013/04/07 13:24:07 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

Hosts file not found

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

O2 - BHO: (Search Assistant BHO) - {2d948797-8fe3-4508-9b6f-4bf349a9ea34} - C:\Program Files\ReadingFanatic_6x\bar\1.bin\6xSrcAs.dll (MindSpark)

O2 - BHO: (ShopAtHome.com Toolbar) - {66516A07-F617-488A-90CF-4E690CFB3C5F} - File not found

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)

O2 - BHO: (delta Helper Object) - {C1AF5FA5-852C-4C90-812E-A7F75E011D87} - C:\Program Files\Delta\delta\1.8.10.0\bh\delta.dll (Delta-search.com)

O2 - BHO: (GamesBarBHO Class) - {CB0D163C-E9F4-4236-9496-0597E24B23A5} - C:\Program Files\GamesBar\2.0.1.82\oberontb.dll (Oberon Media Ltd.)

O2 - BHO: (Toolbar BHO) - {f149b372-5830-4d88-b8f6-2853d12c1af5} - C:\Program Files\ReadingFanatic_6x\bar\1.bin\6xbar.dll (MindSpark)

O2 - BHO: (SmileBox EN Toolbar) - {f897eb0e-a3a4-46c3-80eb-2729699d8892} - File not found

O2 - BHO: (Yontoo) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo\YontooIEClient.dll (Yontoo LLC)

O3 - HKLM\..\Toolbar: (ShopAtHome.com Toolbar) - {311B58DC-A4DC-4B04-B1B5-60299AD3D803} - File not found

O3 - HKLM\..\Toolbar: (GamesBar) - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files\GamesBar\2.0.1.82\oberontb.dll (Oberon Media Ltd.)

O3 - HKLM\..\Toolbar: (Delta Toolbar) - {82E1477C-B154-48D3-9891-33D83C26BCD3} - C:\Program Files\Delta\delta\1.8.10.0\deltaTlbr.dll (Delta-search.com)

O3 - HKLM\..\Toolbar: (ReadingFanatic) - {b36151d1-7770-4480-87e4-f89fb54e173d} - C:\Program Files\ReadingFanatic_6x\bar\1.bin\6xbar.dll (MindSpark)

O3 - HKLM\..\Toolbar: (SmileBox EN Toolbar) - {f897eb0e-a3a4-46c3-80eb-2729699d8892} - File not found

O3 - HKU\User_ON_C\..\Toolbar\WebBrowser: (ShopAtHome.com Toolbar) - {311B58DC-A4DC-4B04-B1B5-60299AD3D803} - File not found

O3 - HKU\User_ON_C\..\Toolbar\WebBrowser: (ReadingFanatic) - {B36151D1-7770-4480-87E4-F89FB54E173D} - C:\Program Files\ReadingFanatic_6x\bar\1.bin\6xbar.dll (MindSpark)

O3 - HKU\User_ON_C\..\Toolbar\WebBrowser: (SmileBox EN Toolbar) - {F897EB0E-A3A4-46C3-80EB-2729699D8892} - File not found

O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)

O4 - HKLM..\Run: [KernelFaultCheck] File not found

O4 - HKLM..\Run: [MigAutoPlay] C:\Documents and Settings\All Users\Application Data\MigAutoPlay.exe ()

O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe ()

O4 - HKLM..\Run: [ReadingFanatic Search Scope Monitor] C:\Program Files\ReadingFanatic_6x\bar\1.bin\6xSrchMn.exe (MindSpark)

O4 - HKLM..\Run: [ReadingFanatic_6x Browser Plugin Loader] C:\Program Files\ReadingFanatic_6x\bar\1.bin\6xbrmon.exe (VER_COMPANY_NAME)

O4 - HKU\UpdatusUser_ON_C..\Run: [firedogadvisor] File not found

O4 - HKU\User_ON_C..\Run: [Open Download Manager] C:\Program Files\OpenDownloaderManager\odm.exe (OpenDownloadManager.com)

O4 - HKU\User_ON_C..\Run: [searchEngineProtection] C:\Program Files\GamesBar\SearchEngineProtection.exe (Oberon Media )

O4 - HKU\User_ON_C..\Run: [Yontoo Desktop] C:\Documents and Settings\User\Application Data\Yontoo\YontooDesktop.exe (Yontoo LLC)

O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\UpdatusUser_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\User_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\User_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\User_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O9 - Extra 'Tools' menuitem : GamesBar - {1A93C934-025B-4c3a-B38E-9654A7003239} - Reg Error: Value error. File not found

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file:///C:/Program%20Files/Bejeweled%203/Images/stg_drm.ocx (SpinTop DRM Control)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1251932999515 (WUWebControl Class)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1354297280500 (MUWebControl Class)

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius.com/download/software/win/ActiveXPlugin.cab (ScorchPlugin Class)

O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} http://samsclubus.pnimedia.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab (Photo Upload Plugin Class)

O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} file:///C:/Program%20Files/Bejeweled%203/Images/armhelper.ocx (ArmHelper Control)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.233.217.2 64.233.217.3

O20 - AppInit_DLLs: (c:\docume~1\alluse~1\applic~1\browse~1\261125~1.80\{c16c1~1\browse~1.dll) - C:\Documents and Settings\All Users\Application Data\BrowserProtect\2.6.1125.80\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.dll ()

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/09/03 06:51:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2009/01/10 15:17:10 | 000,000,050 | ---- | M] () - D:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2001/07/28 06:07:38 | 000,000,000 | -HS- | M] () - G:\AUTOEXEC.BAT -- [ FAT32 ]

O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2013/04/11 20:03:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HitmanPro

[2013/04/10 21:56:10 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2013/04/07 13:29:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\ReadingFanatic_6x

[2013/04/07 13:29:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\IAC

[2013/04/07 13:28:04 | 000,000,000 | ---D | C] -- C:\Program Files\ReadingFanatic_6x

[2013/04/07 13:24:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Delta

[2013/04/07 13:24:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Open Download Manager

[2013/04/07 13:24:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Start Menu\Programs\OpenDownloaderManager

[2013/04/07 13:24:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\searchplugins

[2013/04/07 13:24:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Extensions

[2013/04/07 13:24:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Start Menu\Programs\BrowserProtect

[2013/04/07 13:24:27 | 000,000,000 | ---D | C] -- C:\Program Files\Yontoo

[2013/04/07 13:24:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Yontoo

[2013/04/07 13:24:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer

[2013/04/07 13:24:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\BrowserProtect

[2013/04/07 13:24:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\BabSolution

[2013/04/07 13:24:11 | 000,000,000 | ---D | C] -- C:\Program Files\Delta

[2013/04/07 13:24:07 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox

[2013/04/07 13:23:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Babylon

[2013/04/07 13:23:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Babylon

[2013/04/07 13:23:55 | 000,000,000 | ---D | C] -- C:\Program Files\OpenDownloaderManager

[2013/03/22 22:28:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Earth

========== Files - Modified Within 30 Days ==========

[2013/04/15 21:59:43 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{D8494A2B-1A55-47E3-B87C-F9D35C4482B9}.job

[2013/04/15 21:56:49 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2013/04/15 21:56:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2013/04/15 19:58:20 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2013/04/12 17:55:59 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job

[2013/04/12 17:27:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2013/04/11 19:44:59 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2013/04/11 19:00:00 | 000,000,252 | ---- | M] () -- C:\WINDOWS\tasks\RMSchedule.job

[2013/04/10 21:37:35 | 000,160,256 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\MigAutoPlay.exe

[2013/04/10 12:30:23 | 000,110,592 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2013/04/10 12:04:24 | 000,717,654 | ---- | M] () -- C:\Documents and Settings\User\My Documents\lindsey4.bmp

[2013/04/10 11:46:45 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\Ÿ9Ÿ9

[2013/04/09 18:11:01 | 000,248,192 | R--- | M] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2.cid

[2013/04/06 11:59:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2013/04/01 22:57:57 | 001,096,864 | ---- | M] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-2025429265-343818398-682003330-1004-0.dat

[2013/04/01 22:57:57 | 000,248,242 | ---- | M] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat

[2013/04/01 22:31:43 | 000,002,393 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TurboTax 2012.lnk

[2013/03/22 22:28:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Earth

[2013/03/19 06:17:34 | 000,002,393 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TurboTax 2011.lnk

[2013/03/17 19:55:37 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\User\Application Data\skype.ini

[2013/03/17 19:46:50 | 000,000,283 | ---- | M] () -- C:\Documents and Settings\User\Application Data\$h.bat

========== Files Created - No Company Name ==========

[2013/04/10 21:37:39 | 000,160,256 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\MigAutoPlay.exe

[2013/04/10 12:48:56 | 000,717,654 | ---- | C] () -- C:\Documents and Settings\User\My Documents\lindsey4.bmp

[2013/03/17 19:14:47 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\User\Application Data\skype.ini

[2013/03/17 19:09:48 | 000,000,283 | ---- | C] () -- C:\Documents and Settings\User\Application Data\$h.bat

[2013/02/05 23:49:45 | 000,108,300 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\zobqawocqbjogdl

[2013/01/13 12:46:50 | 000,003,550 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\6o4v7yr6ikfw18072u

[2013/01/13 12:46:50 | 000,003,550 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\6o4v7yr6ikfw18072u

[2013/01/12 15:19:06 | 000,000,439 | ---- | C] () -- C:\Program Files\0112201314190610.bat

[2013/01/09 21:27:26 | 000,751,078 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.bmp

[2013/01/09 21:27:09 | 000,114,890 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.jpg

[2012/11/30 18:03:06 | 000,056,284 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat

[2012/10/06 22:44:34 | 083,023,306 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\4e0b82c3.pad

[2012/04/27 19:43:57 | 000,000,069 | ---- | C] () -- C:\WINDOWS\spwdra.INI

[2012/04/06 20:10:25 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

[2012/04/06 19:44:43 | 000,000,031 | ---- | C] () -- C:\Documents and Settings\User\Application Data\0DADA0.dat

[2012/02/14 19:06:30 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll

[2012/01/15 16:09:25 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll

[2012/01/06 00:05:33 | 001,096,864 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-2025429265-343818398-682003330-1004-0.dat

[2012/01/06 00:05:29 | 000,248,242 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat

[2012/01/05 20:07:24 | 000,000,744 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.400.32.bc

[2011/12/11 21:52:29 | 000,285,176 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin

[2011/12/11 21:52:29 | 000,285,176 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin

[2011/12/11 21:52:29 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin

[2011/12/11 21:52:11 | 002,130,002 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data

[2011/12/03 14:00:28 | 000,000,272 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~TZgq6iowFS4dXh

[2011/12/03 14:00:28 | 000,000,184 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~TZgq6iowFS4dXhr

[2011/12/03 13:50:23 | 000,000,408 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\TZgq6iowFS4dXh

[2011/11/12 00:05:51 | 000,000,020 | ---- | C] () -- C:\WINDOWS\popcinfot.dat

[2011/11/12 00:05:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\popcreg.dat

[2010/01/29 17:41:58 | 000,019,517 | ---- | C] () -- C:\WINDOWS\hpqins13.dat

[2009/10/31 22:53:03 | 000,110,592 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009/09/08 21:42:39 | 000,001,230 | ---- | C] () -- C:\WINDOWS\checkip.dat

[2009/09/04 12:27:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI

[2009/09/03 20:57:10 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\User\Ÿ9Ÿ9

[2009/09/03 07:00:51 | 000,004,984 | R--- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin

[2009/09/03 07:00:29 | 000,001,746 | ---- | C] () -- C:\WINDOWS\Language_trs.ini

[2009/09/03 07:00:08 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys

[2009/09/03 07:00:00 | 000,023,629 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini

[2009/09/03 07:00:00 | 000,010,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS

[2009/09/03 06:52:57 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat

[2009/09/03 06:49:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

[2009/09/03 02:23:01 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2009/09/03 02:21:56 | 000,289,296 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2009/09/02 22:25:51 | 000,166,716 | ---- | C] () -- C:\WINDOWS\hpoins31.dat

[2009/09/02 22:25:51 | 000,001,691 | ---- | C] () -- C:\WINDOWS\hpomdl31.dat

[2009/01/21 12:08:00 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll

[2009/01/21 12:08:00 | 001,657,376 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe

[2009/01/21 12:08:00 | 001,507,328 | ---- | C] () -- C:\WINDOWS\System32\nview.dll

[2009/01/21 12:08:00 | 001,346,080 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe

[2009/01/21 12:08:00 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll

[2009/01/21 12:08:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll

[2009/01/21 12:08:00 | 000,449,056 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe

[2009/01/21 12:08:00 | 000,436,768 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe

[2008/04/14 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin

[2008/04/14 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat

[2008/04/14 08:00:00 | 000,472,894 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat

[2008/04/14 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat

[2008/04/14 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat

[2008/04/14 08:00:00 | 000,075,988 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat

[2008/04/14 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin

[2008/04/14 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat

[2008/04/14 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat

[2008/04/14 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

[2008/04/14 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin

[2008/04/14 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2013/04/07 13:24:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\BabSolution

[2013/04/07 13:23:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Babylon

[2012/03/04 11:11:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Catalina Marketing Corp

[2011/10/04 11:30:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

[2013/04/07 13:24:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Delta

[2010/02/06 23:19:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Facebook

[2009/09/03 22:41:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\HotSync

[2009/09/03 22:45:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Leadertech

[2012/11/13 23:35:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Oberon Media

[2013/04/15 22:06:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Open Download Manager

[2012/06/27 18:59:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\PriceGong

[2013/04/07 13:29:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\ReadingFanatic_6x

[2012/01/07 18:39:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\ShopAtHomeToolbar

[2011/12/17 20:48:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\SpinTop

[2010/04/03 14:02:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\WeatherBug

[2013/04/11 20:26:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Yontoo

[2013/03/16 17:11:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1

[2013/04/07 13:23:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Babylon

[2013/04/07 13:24:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BrowserProtect

[2013/02/05 23:50:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ckdvprqzusajtmx

[2012/04/06 19:56:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\F4D562C8000083BB6A47CF24D151FC84

[2012/11/16 18:29:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GamesBar

[2010/01/14 17:23:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Gogii

[2013/04/11 20:03:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HitmanPro

[2009/09/03 22:42:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HotSync

[2012/05/09 08:11:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iWin Games

[2010/06/13 19:11:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Musicnotes

[2012/11/13 23:36:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Oberon Media

[2009/11/02 22:42:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pixela

[2011/11/12 00:06:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games

[2011/12/31 15:52:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RegCure

[2013/04/07 13:24:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer

[2012/11/15 22:17:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2012/01/15 16:09:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall

[2011/11/12 13:17:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent

[2011/12/29 17:21:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

[2013/04/11 19:00:00 | 000,000,252 | ---- | M] () -- C:\WINDOWS\Tasks\RMSchedule.job

[2013/04/15 21:59:43 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{D8494A2B-1A55-47E3-B87C-F9D35C4482B9}.job

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 149 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AA4982C6

@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B9A60C8F

@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2F4A0A6B

@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0F4A7B6A

@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1

< End of report >

[gringo_pr]

Hello Gryn

I would like you to run this custom script for me now and when it is complete please give me the report and a status update for the computer.

Run OTL Script

• Double-click OTL.exe to start the program.
  
• Copy and Paste the following code into the text box.
  

  
  :OTL
  O4 - HKLM..\Run: [MigAutoPlay] C:\Documents and Settings\All Users\Application Data\MigAutoPlay.exe ()
  [2013/01/13 12:46:50 | 000,003,550 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\6o4v7yr6ikfw18072u
  [2013/01/13 12:46:50 | 000,003,550 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\6o4v7yr6ikfw18072u
  [2013/01/09 21:27:26 | 000,751,078 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.bmp
  [2013/01/09 21:27:09 | 000,114,890 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.jpg
  [2011/12/03 14:00:28 | 000,000,272 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~TZgq6iowFS4dXh
  [2011/12/03 14:00:28 | 000,000,184 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~TZgq6iowFS4dXhr
  [2011/12/03 13:50:23 | 000,000,408 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\TZgq6iowFS4dXh
  
  :Files
  ipconfig /flushdns /c
  
  :Commands
  [PURITY]
  [emptyjava]
  [EMPTYFLASH]
  [reboot]
  

  
  

• Then click the Run Fix button at the top.
  
• Click .
  
• OTL may ask to reboot the machine. Please do so if asked.
  
• The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.
  Note** if the report does not popup after the computer reboots you can find it here in this folder - C:\_OTL\MovedFiles
  It will be named - mmddyyyy_hhmmss.log
  Where mmddyyyy_hhmmss - are numbers representing the date and time the fix was run.
  

Let me know How things are doing

Gringo

[gringo_pr]

Greetings

I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools

Gringo

[Gryn]

Gringo,

I'm back from out-of-town now.

I ran the OTL script.

It disabled the FBI virus so that my infected machine was able to boot-up and I am able to access programs now (I am responding to you now on that machine).

Below is the OTL log you requested:

========== OTL ==========

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\MigAutoPlay deleted successfully.

C:\Documents and Settings\All Users\Application Data\MigAutoPlay.exe moved successfully.

C:\Documents and Settings\User\Local Settings\Application Data\6o4v7yr6ikfw18072u moved successfully.

C:\Documents and Settings\All Users\Application Data\6o4v7yr6ikfw18072u moved successfully.

C:\Documents and Settings\All Users\Application Data\1.bmp moved successfully.

C:\Documents and Settings\All Users\Application Data\1.jpg moved successfully.

C:\Documents and Settings\All Users\Application Data\~TZgq6iowFS4dXh moved successfully.

C:\Documents and Settings\All Users\Application Data\~TZgq6iowFS4dXhr moved successfully.

C:\Documents and Settings\All Users\Application Data\TZgq6iowFS4dXh moved successfully.

========== FILES ==========

< ipconfig /flushdns /c >

Windows IP Configuration

C:\cmd.bat deleted successfully.

C:\cmd.txt deleted successfully.

========== COMMANDS ==========

Error: Unable to interpret <[emptyjava]> in the current context!

[EMPTYFLASH]

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 3787692 bytes

->Temporary Internet Files folder emptied: 765095728 bytes

->Flash cache emptied: 8092 bytes

User: UpdatusUser

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: User

->Temp folder emptied: 4452884412 bytes

->Temporary Internet Files folder emptied: 76489797 bytes

->Java cache emptied: 2707743 bytes

->Flash cache emptied: 56487 bytes

Total Flash Files Cleaned = 5,056.00 mb

OTLPE by OldTimer - Version 3.1.48.0 log created on 04202013_105248

[gringo_pr]

Hello Gryn

These are the programs I would like you to run next, if you have any problems with these just skip it and move on to the next one.

-AdwCleaner-

• Please download

AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
  
• Double click on AdwCleaner.exe to run the tool.
  
• Click on Delete.
  
• Confirm each time with Ok.
  
• Your computer will be rebooted automatically. A text file will open after the restart.
  
• Please post the content of that logfile with your next answer.
  
• You can find the logfile at C:\AdwCleaner[s1].txt as well.
  

--RogueKiller--

• Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  
  • Quit all programs that you may have started.
    
  • Please disconnect any USB or external drives from the computer before you run this scan!
    
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
    
  • For Windows XP, double-click to start.
    
  • Wait until Prescan has finished ...
    
  • Then Click on "Scan" button
    
  • Wait until the Status box shows "Scan Finished"
    
  • click on "delete"
    
  • Wait until the Status box shows "Deleting Finished"
    
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
    
  • The log should be found in RKreport[1].txt on your Desktop
    
  • Exit/Close RogueKiller+
    

Gringo

[Gryn]

Gringo,

I was able to download AdwCleaner but not able to run it completely. It stalled about 1/4 of the way through deleting.

I am not able to download RogueKiller. When I click on the link you sent it takes me to Tigzy's website. When I click on Tools/RogueKiller nothing happens.

[gringo_pr]

Hello Gryn

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

• In your next post I need the following
  
• Log from Combofix
  
• let me know of any problems you may have had
  
• How is the computer doing now?
  

Gringo

[Gryn]

Gringo,

None of the 3 links you provided worked but I was able to go to bleepingcomputer.com, find ComboFix, and run it.

Computer performance is still OK.

Below is the log:

ComboFix 13-04-20.02 - User 04/20/2013 15:51:05.3.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1919.1463 [GMT -4:00]

Running from: c:\documents and settings\User\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\4e0b82c3.pad

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\User\Application Data\0DADA0.dat

c:\documents and settings\User\Application Data\skype.ini

c:\windows\$NtUninstallKB17627$

c:\windows\$NtUninstallKB17627$\3778175007

c:\windows\$NtUninstallKB17627$\381702683\@

c:\windows\$NtUninstallKB17627$\381702683\cfg.ini

c:\windows\$NtUninstallKB17627$\381702683\Desktop.ini

c:\windows\$NtUninstallKB17627$\381702683\L\kqknkasx

c:\windows\$NtUninstallKB17627$\381702683\U\00000001.@

c:\windows\$NtUninstallKB17627$\381702683\U\00000002.@

c:\windows\$NtUninstallKB17627$\381702683\U\00000004.@

c:\windows\$NtUninstallKB17627$\381702683\U\80000000.@

c:\windows\$NtUninstallKB17627$\381702683\U\80000004.@

c:\windows\$NtUninstallKB17627$\381702683\U\80000032.@

c:\windows\$NtUninstallKB17627$\381702683\version

c:\windows\system32\dds_trash_log.cmd

.

.

((((((((((((((((((((((((( Files Created from 2013-03-20 to 2013-04-20 )))))))))))))))))))))))))))))))

.

.

2013-04-20 17:14 . 2013-04-20 17:14 83 ----a-w- c:\windows\DeleteOnReboot.bat

2013-04-20 14:55 . 2011-07-13 02:55 2237440 ----a-r- C:\OTLPE.exe

2013-04-20 14:52 . 2013-04-20 14:52 -------- d-----w- C:\_OTL

2013-04-20 14:11 . 2013-04-10 03:08 6906960 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9ED3A2C1-165F-4724-B95F-A45E8ADE7395}\mpengine.dll

2013-04-14 17:47 . 2013-03-15 07:21 7108640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-04-12 00:03 . 2013-04-12 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro

2013-04-11 01:56 . 2013-04-11 23:44 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2013-04-07 17:29 . 2013-04-07 17:29 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\IAC

2013-04-07 17:29 . 2013-04-07 17:29 -------- d-----w- c:\documents and settings\User\Application Data\ReadingFanatic_6x

2013-04-07 17:28 . 2013-04-07 17:29 -------- d-----w- c:\program files\ReadingFanatic_6x

2013-04-07 17:24 . 2013-04-20 17:12 -------- d-----w- c:\documents and settings\User\Application Data\Open Download Manager

2013-04-07 17:24 . 2013-04-07 17:24 -------- d-----w- c:\windows\system32\searchplugins

2013-04-07 17:24 . 2013-04-07 17:24 -------- d-----w- c:\windows\system32\Extensions

2013-04-07 17:24 . 2013-04-07 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\BrowserProtect

2013-04-07 17:23 . 2013-04-07 17:24 -------- d-----w- c:\program files\OpenDownloaderManager

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-04-09 22:11 . 2012-02-05 16:58 248192 ----a-r- c:\windows\system32\cpnprt2.cid

2013-03-17 23:46 . 2013-03-17 23:09 283 ----a-w- c:\documents and settings\User\Application Data\$h.bat

2013-01-12 19:19 . 2013-01-12 19:19 439 ----a-w- c:\program files\0112201314190610.bat

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Open Download Manager"="c:\program files\OpenDownloaderManager\odm.exe" [2013-02-20 6369280]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-04 39408]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2008-11-17 17676288]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]

"NvMediaCenter"="NvMCTray.dll" [2011-10-08 203072]

"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2011-10-08 1632360]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]

"ReadingFanatic Search Scope Monitor"="c:\progra~1\READIN~2\bar\1.bin\6xsrchmn.exe" [2013-04-07 42536]

"ReadingFanatic_6x Browser Plugin Loader"="c:\progra~1\READIN~2\bar\1.bin\6xbrmon.exe" [2013-04-07 30096]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"427:UDP"= 427:UDP:SLP_Port(427)

.

R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/23/2012 1:37 PM 13672]

S2 ReadingFanatic_6xService;ReadingFanaticService;c:\progra~1\READIN~2\bar\1.bin\6xbarsvc.exe [4/7/2013 1:28 PM 42504]

S3 GamesAppService;GamesAppService;"c:\program files\WildTangent Games\App\GamesAppService.exe" --> c:\program files\WildTangent Games\App\GamesAppService.exe [?]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/10/2013 9:56 PM 40776]

S3 RoxMediaDBVHS;RoxMediaDBVHS;c:\program files\Common Files\Roxio Shared\VHStoDVD\SharedCOM\RoxMediaDBVHS.exe [2/19/2010 7:44 AM 1116656]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - SASKUTIL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

wg4n

Appn

TdmService

ceepwrsvc

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-04-10 11:27 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]

.

2013-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 19:17]

.

2013-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 19:17]

.

2013-04-20 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job

- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 21:25]

.

2013-04-20 c:\windows\Tasks\User_Feed_Synchronization-{D8494A2B-1A55-47E3-B87C-F9D35C4482B9}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://portal.wowway.net/

uInternet Settings,ProxyOverride = *.local

IE: Download all with Open Download Manager - file://c:\program files\OpenDownloaderManager\dlall.htm

IE: Download selected with Open Download Manager - file://c:\program files\OpenDownloaderManager\dlselected.htm

IE: Download video with Open Download Manager - file://c:\program files\OpenDownloaderManager\dlfvideo.htm

IE: Download with Open Download Manager - file://c:\program files\OpenDownloaderManager\dllink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

Trusted Zone: care.com\www

Trusted Zone: sittercity.com\www

TCP: DhcpNameServer = 64.233.217.2 64.233.217.3

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{f897eb0e-a3a4-46c3-80eb-2729699d8892} - c:\program files\SmileBox_EN\prxtbSmi2.dll

BHO-{f897eb0e-a3a4-46c3-80eb-2729699d8892} - c:\program files\SmileBox_EN\prxtbSmi2.dll

Toolbar-{f897eb0e-a3a4-46c3-80eb-2729699d8892} - c:\program files\SmileBox_EN\prxtbSmi2.dll

WebBrowser-{F897EB0E-A3A4-46C3-80EB-2729699D8892} - c:\program files\SmileBox_EN\prxtbSmi2.dll

HKCU-Run-SearchEngineProtection - c:\program files\Gamesbar\SearchEngineProtection.exe

HKCU-Run-Yontoo Desktop - c:\documents and settings\User\Application Data\Yontoo\YontooDesktop.exe

HKLM-Run-MigAutoPlay - c:\documents and settings\All Users\Application Data\MigAutoPlay.exe

AddRemove-Bejeweled 3 - c:\program files\iWin.com\Bejeweled 3\Uninstall.exe

AddRemove-delta - c:\program files\Delta\delta\1.8.10.0\GUninstaller.exe

AddRemove-Delta Chrome Toolbar - c:\documents and settings\User\Application Data\BabSolution\Shared\GUninstaller.exe

AddRemove-GamesBar - c:\program files\GamesBar\uninst.exe

AddRemove-WT066036 - c:\program files\WildGames\Chuzzle Deluxe\Uninstall.exe

AddRemove-WT069980 - c:\program files\WildGames\The Hidden Object Game Show\Uninstall.exe

AddRemove-{2FA94A64-C84E-49d1-97DD-7BF06C7BBFB2}.WildTangent Games App - c:\program files\WildTangent Games\App\Uninstall.exe

AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{889DF~1\Setup.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-04-20 15:59

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(960)

c:\windows\system32\WININET.dll

c:\progra~1\READIN~2\bar\1.bin\6xbrstub.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Client\MsMpEng.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\RunDLL32.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2013-04-20 16:01:29 - machine was rebooted

ComboFix-quarantined-files.txt 2013-04-20 20:01

.

Pre-Run: 124,437,864,448 bytes free

Post-Run: 124,934,225,920 bytes free

.

- - End Of File - - 016D227D8CD98DB535F45E7280102F29

[gringo_pr]

Hello Gryn

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

• In your next post I need the following
  

1. report from Combofix
   
2. let me know of any problems you may have had
   
3. How is the computer doing now after running the script?

Gringo

[Gryn]

Gringo,

Finished that last script.

Computer seems to be functioning normally. I can access and open my files, get on the internet, print, etc. I haven't seen anything abnormal.

Following is the log:

ComboFix 13-04-20.02 - User 04/20/2013 17:30:47.4.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1919.1391 [GMT -4:00]

Running from: c:\documents and settings\User\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((( Files Created from 2013-03-20 to 2013-04-20 )))))))))))))))))))))))))))))))

.

.

2013-04-20 17:14 . 2013-04-20 17:14 83 ----a-w- c:\windows\DeleteOnReboot.bat

2013-04-20 14:55 . 2011-07-13 02:55 2237440 ----a-r- C:\OTLPE.exe

2013-04-20 14:52 . 2013-04-20 14:52 -------- d-----w- C:\_OTL

2013-04-20 14:11 . 2013-04-10 03:08 6906960 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9ED3A2C1-165F-4724-B95F-A45E8ADE7395}\mpengine.dll

2013-04-14 17:47 . 2013-03-15 07:21 7108640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-04-12 00:03 . 2013-04-12 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro

2013-04-11 01:56 . 2013-04-11 23:44 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2013-04-07 17:29 . 2013-04-07 17:29 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\IAC

2013-04-07 17:29 . 2013-04-07 17:29 -------- d-----w- c:\documents and settings\User\Application Data\ReadingFanatic_6x

2013-04-07 17:28 . 2013-04-07 17:29 -------- d-----w- c:\program files\ReadingFanatic_6x

2013-04-07 17:24 . 2013-04-20 21:33 -------- d-----w- c:\documents and settings\User\Application Data\Open Download Manager

2013-04-07 17:24 . 2013-04-07 17:24 -------- d-----w- c:\windows\system32\searchplugins

2013-04-07 17:24 . 2013-04-07 17:24 -------- d-----w- c:\windows\system32\Extensions

2013-04-07 17:24 . 2013-04-07 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\BrowserProtect

2013-04-07 17:23 . 2013-04-07 17:24 -------- d-----w- c:\program files\OpenDownloaderManager

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-04-09 22:11 . 2012-02-05 16:58 248192 ----a-r- c:\windows\system32\cpnprt2.cid

2013-03-17 23:46 . 2013-03-17 23:09 283 ----a-w- c:\documents and settings\User\Application Data\$h.bat

2013-01-12 19:19 . 2013-01-12 19:19 439 ----a-w- c:\program files\0112201314190610.bat

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Open Download Manager"="c:\program files\OpenDownloaderManager\odm.exe" [2013-02-20 6369280]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-04 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2008-11-17 17676288]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]

"NvMediaCenter"="NvMCTray.dll" [2011-10-08 203072]

"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2011-10-08 1632360]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]

"ReadingFanatic Search Scope Monitor"="c:\progra~1\READIN~2\bar\1.bin\6xsrchmn.exe" [2013-04-07 42536]

"ReadingFanatic_6x Browser Plugin Loader"="c:\progra~1\READIN~2\bar\1.bin\6xbrmon.exe" [2013-04-07 30096]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\FrostWire 5\\FrostWire.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"427:UDP"= 427:UDP:SLP_Port(427)

.

R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/23/2012 1:37 PM 13672]

S2 ReadingFanatic_6xService;ReadingFanaticService;c:\progra~1\READIN~2\bar\1.bin\6xbarsvc.exe [4/7/2013 1:28 PM 42504]

S3 GamesAppService;GamesAppService;"c:\program files\WildTangent Games\App\GamesAppService.exe" --> c:\program files\WildTangent Games\App\GamesAppService.exe [?]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/10/2013 9:56 PM 40776]

S3 RoxMediaDBVHS;RoxMediaDBVHS;c:\program files\Common Files\Roxio Shared\VHStoDVD\SharedCOM\RoxMediaDBVHS.exe [2/19/2010 7:44 AM 1116656]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - SASKUTIL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

wg4n

Appn

TdmService

ceepwrsvc

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-04-10 11:27 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]

.

2013-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 19:17]

.

2013-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 19:17]

.

2013-04-20 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job

- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 21:25]

.

2013-04-20 c:\windows\Tasks\User_Feed_Synchronization-{D8494A2B-1A55-47E3-B87C-F9D35C4482B9}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://portal.wowway.net/

uInternet Settings,ProxyOverride = *.local

IE: Download all with Open Download Manager - file://c:\program files\OpenDownloaderManager\dlall.htm

IE: Download selected with Open Download Manager - file://c:\program files\OpenDownloaderManager\dlselected.htm

IE: Download video with Open Download Manager - file://c:\program files\OpenDownloaderManager\dlfvideo.htm

IE: Download with Open Download Manager - file://c:\program files\OpenDownloaderManager\dllink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

Trusted Zone: care.com\www

Trusted Zone: sittercity.com\www

TCP: DhcpNameServer = 64.233.217.2 64.233.217.3

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-04-20 17:34

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(288)

c:\windows\system32\WININET.dll

c:\progra~1\READIN~2\bar\1.bin\6xbrstub.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2013-04-20 17:35:33

ComboFix-quarantined-files.txt 2013-04-20 21:35

ComboFix2.txt 2013-04-20 20:01

.

Pre-Run: 124,915,744,768 bytes free

Post-Run: 124,917,395,456 bytes free

.

- - End Of File - - B9319E062B6FB7148C49B475CE850BD1

[gringo_pr]

Hello Gryn

I would like to see a report that combofix makes.

extra combofix report

• push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  
• please copy and past the following into the box
  

C:\Qoobox\Add-Remove Programs.txt

• click ok
  

copy and paste the report into this topic for me to review

Gringo

[Gryn]

Gringo,

Here is the report:

32 Bit HP CIO Components Installer

Acrobat.com

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Reader X (10.1.1)

Adobe Shockwave Player 11.5

American Greetings CreataCard Select 6

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Bonjour

BrowserProtect

BufferChm

C6300

C6300_Help

Cards_Calendar_OrderGift_DoMorePlugout

Coupon Printer for Windows

CustomerResearchQFolder

Destination Component

DeviceDiscovery

DeviceManagementQFolder

DirectX 9 Runtime

DocProc

DocProcQFolder

ESET Online Scanner v3

eSupportQFolder

Facebook Plug-In

FLV Player 2.0 (build 25)

FrostWire 5.2.11

Google Chrome

Google Earth Plug-in

Google Toolbar for Internet Explorer

Google Update Helper

GPBaseService

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB2633952)

Hotfix for Windows XP (KB2756822)

Hotfix for Windows XP (KB2779562)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

HP Customer Participation Program 11.0

HP Imaging Device Functions 11.0

HP Photosmart C6300 All-In-One Driver Software 11.0 Rel .4

HP Photosmart Essential 3.5

HP Smart Web Printing

HP Solution Center 11.0

HP Update

HPPhotoSmartDiscLabelContent1

HPPhotosmartEssential

HPPhotoSmartPhotobookWebPack1

HPProductAssistant

HPSSupply

ImageMixer 3 SE Ver.4 Transfer Utility

ImageMixer 3 SE Ver.4 Video Tools

iTunes

Java Auto Updater

Java 6 Update 29

Malwarebytes Anti-Malware version 1.70.0.1100

MarketResearch

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft Default Manager

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft Office 2007 Service Pack 3 (SP3)

Microsoft Office Excel MUI (English) 2007

Microsoft Office File Validation Add-In

Microsoft Office Home and Student 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Security Client

Microsoft Security Essentials

Microsoft Silverlight

Microsoft Software Update for Web Folders (English) 12

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Web Publishing Wizard 1.52

Microsoft Works 6-9 Converter

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Music Transfer Utility Ver.1

Musicnotes Software Suite 1.4.6

Network

NVIDIA Control Panel 285.58

NVIDIA Drivers

NVIDIA Install Application

NVIDIA nView 135.95

NVIDIA Update 1.5.20

NVIDIA Update Components

OCR Software by I.R.I.S. 11.0

Open Downloader Manager

palmOne

PanoStandAlone

PS_AIO_04_C6300_ProductContext

PS_AIO_04_C6300_Software

PS_AIO_04_C6300_Software_Min

PSSWCORE

QuickTime

Quizulous

ReadingFanatic Toolbar

Realtek High Definition Audio Driver

Roxio CinePlayer Decoder Pack

Roxio Easy VHS to DVD

Roxio Express Labeler

Roxio Video Capture USB

Scan

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)

Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition

Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition

Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition

Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition

Security Update for Microsoft Windows (KB2564958)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2618444)

Security Update for Windows Internet Explorer 8 (KB2744842)

Security Update for Windows Internet Explorer 8 (KB2761465)

Security Update for Windows Internet Explorer 8 (KB2817183)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player (KB979402)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2536276)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567053)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2584146)

Security Update for Windows XP (KB2585542)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB2598479)

Security Update for Windows XP (KB2603381)

Security Update for Windows XP (KB2618451)

Security Update for Windows XP (KB2619339)

Security Update for Windows XP (KB2620712)

Security Update for Windows XP (KB2621440)

Security Update for Windows XP (KB2624667)

Security Update for Windows XP (KB2631813)

Security Update for Windows XP (KB2633171)

Security Update for Windows XP (KB2639417)

Security Update for Windows XP (KB2641653)

Security Update for Windows XP (KB2646524)

Security Update for Windows XP (KB2647518)

Security Update for Windows XP (KB2653956)

Security Update for Windows XP (KB2655992)

Security Update for Windows XP (KB2659262)

Security Update for Windows XP (KB2660465)

Security Update for Windows XP (KB2661637)

Security Update for Windows XP (KB2676562)

Security Update for Windows XP (KB2685939)

Security Update for Windows XP (KB2686509)

Security Update for Windows XP (KB2691442)

Security Update for Windows XP (KB2695962)

Security Update for Windows XP (KB2698365)

Security Update for Windows XP (KB2705219)

Security Update for Windows XP (KB2707511)

Security Update for Windows XP (KB2709162)

Security Update for Windows XP (KB2712808)

Security Update for Windows XP (KB2718523)

Security Update for Windows XP (KB2719985)

Security Update for Windows XP (KB2723135)

Security Update for Windows XP (KB2724197)

Security Update for Windows XP (KB2727528)

Security Update for Windows XP (KB2731847)

Security Update for Windows XP (KB2753842-v2)

Security Update for Windows XP (KB2753842)

Security Update for Windows XP (KB2757638)

Security Update for Windows XP (KB2758857)

Security Update for Windows XP (KB2761226)

Security Update for Windows XP (KB2770660)

Security Update for Windows XP (KB2779030)

Security Update for Windows XP (KB2780091)

Security Update for Windows XP (KB2802968)

Security Update for Windows XP (KB2807986)

Security Update for Windows XP (KB2808735)

Security Update for Windows XP (KB2813170)

Security Update for Windows XP (KB2813345)

Security Update for Windows XP (KB2820917)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371-v2)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972260)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

Shop for HP Supplies

Sibelius Scorch (ActiveX Only)

SolutionCenter

Status

Stellar Phoenix Windows Data Recovery

thinkorswim

Toolbox

TrayApp

TurboTax 2010

TurboTax 2010 WinPerFedFormset

TurboTax 2010 WinPerReleaseEngine

TurboTax 2010 WinPerTaxSupport

TurboTax 2010 wmiiper

TurboTax 2010 wrapper

TurboTax 2011

TurboTax 2011 WinPerFedFormset

TurboTax 2011 WinPerReleaseEngine

TurboTax 2011 WinPerTaxSupport

TurboTax 2011 wmiiper

TurboTax 2011 wrapper

TurboTax 2012

TurboTax 2012 WinPerFedFormset

TurboTax 2012 WinPerReleaseEngine

TurboTax 2012 WinPerTaxSupport

TurboTax 2012 wmiiper

TurboTax 2012 wrapper

UnloadSupport

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition

Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition

Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition

Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition

Update for Windows Internet Explorer 8 (KB2598845)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2541763)

Update for Windows XP (KB2607712)

Update for Windows XP (KB2616676)

Update for Windows XP (KB2641690)

Update for Windows XP (KB2661254-v2)

Update for Windows XP (KB2718704)

Update for Windows XP (KB2736233)

Update for Windows XP (KB2749655)

Update for Windows XP (KB898461)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB960763)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

VideoToolkit01

WebFldrs XP

WebReg

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows Live ID Sign-in Assistant

Windows Media Format Runtime

[gringo_pr]

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur

Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld

These logs are looking allot better. But we still have some work to do.

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (it does allot better of a job

• Programs to remove
  
  • 
    Adobe Reader X (10.1.1)
    BrowserProtect
    Coupon Printer for Windows
    FrostWire 5.2.11
    Java™ 6 Update 29
    ReadingFanatic Toolbar
    
    

• Please download and install

Revo Uninstaller FreeDouble click Revo Uninstaller to run it.
From the list of programs double click on The Program to remove
When prompted if you want to uninstall click Yes.
Be sure the Moderate option is selected then click Next.
The program will run, If prompted again click Yes
when the built-in uninstaller is finished click on Next.
Once the program has searched for leftovers click Next.
Check/tick the bolded items only on the list then click Delete
when prompted click on Yes and then on next.
put a check on any folders that are found and select delete
when prompted select yes then on next
Once done click Finish.

.

Update Adobe reader

• Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.
  You can download it from

http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

• If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from

here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Clean Out Temp Files

• This small application you may want to keep and use once a week to keep the computer clean.
  Download CCleaner from here http://www.ccleaner.com/
  
  • Run the installer to install the application.
    
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    
  • Click Run Cleaner.
    
  • Close CCleaner.
    

: Malwarebytes' Anti-Malware :

I see you have MBAM installed - I think this is a great program and would like you to run a quick scan at this time

• Double-click mbam icon
  
• go to the update tab at the top
  
• click on check for updates
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  
  • If you accidentally close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

• Go Here to download HijackThis program
  
• Save HijackThis to your desktop.
  
• Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
  
• Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
  
• copy and paste hijackthis report into the topic
  

"information and logs"

• In your next post I need the following
  

1. Log From MBAM
   
2. report from Hijackthis
   
3. let me know of any problems you may have had
   
4. How is the computer doing now?
   

Gringo

[Gryn]

Gringo,

I thought I posted a reply awile ago but do not see the update so I am posting again.

I was able to complete the list of items from your last post.

The computer seems to be functioning normally. Everything I have tried has worked.

Below are the logs you requested:

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

Database version: v2013.04.22.09

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

User :: USER-72FB034A10 [administrator]

4/22/2013 8:19:51 PM

mbam-log-2013-04-22 (20-19-51).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 239935

Time elapsed: 4 minute(s), 21 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 7:29:24 PM, on 4/22/2013

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

c:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\OpenDownloaderManager\odm.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\User\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.wowway.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"

O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [Open Download Manager] C:\Program Files\OpenDownloaderManager\odm.exe -autorun

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-21-2025429265-343818398-682003330-1005\..\Run: [firedogadvisor] C:\Program Files\firedog advisor\faAgnt.exe /startup (User 'UpdatusUser')

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O8 - Extra context menu item: Download all with Open Download Manager - file://C:\Program Files\OpenDownloaderManager\dlall.htm

O8 - Extra context menu item: Download selected with Open Download Manager - file://C:\Program Files\OpenDownloaderManager\dlselected.htm

O8 - Extra context menu item: Download video with Open Download Manager - file://C:\Program Files\OpenDownloaderManager\dlfvideo.htm

O8 - Extra context menu item: Download with Open Download Manager - file://C:\Program Files\OpenDownloaderManager\dllink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Bejeweled%203/Images/stg_drm.ocx

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1251932999515

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1354297280500

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab

O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} (Photo Upload Plugin Class) - http://samsclubus.pnimedia.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Bejeweled%203/Images/armhelper.ocx

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: GamesAppService - Unknown owner - C:\Program Files\WildTangent Games\App\GamesAppService.exe (file missing)

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: Intuit Update Service v4 (IntuitUpdateServiceV4) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

O23 - Service: RoxMediaDBVHS - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\VHStoDVD\SharedCOM\RoxMediaDBVHS.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--

End of file - 9368 bytes

[gringo_pr]

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional

These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

• Run HijackThis (rightclick and run as admin)
  
• Click on the Scan button
  
• Put a check beside all of the items listed below (if present):
  
  • 
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [Open Download Manager] C:\Program Files\OpenDownloaderManager\odm.exe -autorun
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    

[*] Close all open windows and browsers/email, etc...

[*] Click on the "Fix Checked" button

[*] When completed, close the application.

• NOTE**You can research each of those lines

>here< and see if you want to keep them or not
just copy the name between the brackets and paste into the search space
O4 - HKLM\..\Run: [IntelliPoint]

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

• Turn off the real time scanner of any existing antivirus program while performing the online scan
  
• click on the Run ESET Online Scanner button
  
• Tick the box next to YES, I accept the Terms of Use.
  
  • Click Start
    

  [*]When asked, allow the add/on to be installed

  • Click Start
    

  [*]Make sure that the option Remove found threats is unticked

  [*]Click on Advanced Settings, ensure the options

  • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    

  [*]Click Scan

  [*]wait for the virus definitions to be downloaded

  [*]Wait for the scan to finish

When the scan is complete

• If no threats were found
  
  • put a checkmark in "Uninstall application on close"
    
  • close program
    
  • report to me that nothing was found
    

• If threats were found
  
  • click on "list of threats found"
    
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
    
  • Click on back
    
  • put a checkmark in "Uninstall application on close"
    
  • click on finish
    
  • close program
    
  • copy and paste the report here
    

Gringo