
Cannot download files (including Microsoft). Files are deleted before saved.

Discussion in 'Virus & Other Malware Removal' started by edpled, May 22, 2013.

Thread Status:
Not open for further replies.
  1. edpled

    edpled Thread Starter

    Joined:
    Aug 8, 2010
    Messages:
    48
    I need serious help. Something is deleting every file I attempt to download. I get the same message... " (file name) contained a virus and was deleted" enclosed in a box which also includes a red colored shield with a white "x" inside. It does not discriminate...even Microsoft files are deleted rather than saved. It occurs even in "safe" mode.

    Please also note that for some reason, I am unable to access your web site except while in "safe" mode.

    Per your instructions, following is the system info file contents:

    ====================================================
    Support Guy System Info Utility version 1.0.0.2
    OS Version: Microsoft® Windows Vista™ Home Basic, Service Pack 2, 32 bit
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4400+, x64 Family 15 Model 107 Stepping 2
    Processor Count: 2
    RAM: 3453 Mb
    Graphics Card: NVIDIA GeForce 6150SE nForce 430, 128 Mb
    Hard Drives: C: Total - 227239 MB, Free - 163065 MB; D: Total - 11232 MB, Free - 1545 MB; G: Total - 238472 MB, Free - 186898 MB;
    Motherboard: OEM_MB, IVY8
    Antivirus: GFI Software VIPRE, Updated and Enabled

    ====================================================

    Likewise, the Hijackthis.txt :

    ====================================================
    File of Trend Micro HijackThis v2.0.4
    Scan saved at 19:05:09, on 5/22/2013
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v9.00 (9.00.8112.16483)
    Boot mode: Normal
    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\GFI Software\VIPRE\SBAMTray.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil32_11_7_700_169_ActiveX.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Internet Explorer\IELowutil.exe
    C:\Users\Edministrator\Desktop\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.accessnorthga.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files\GFI Software\VIPRE\SBAMTray.exe"
    O4 - HKLM\..\Run: [SBRegRebootCleaner] "C:\Program Files\GFI Software\VIPRE\SBRC.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: GFI LanGuard 10 Attendant Service (gfi_lanss10_attservice) - GFI Software Development Ltd. - C:\Program Files\GFI Software\VIPRE\LanGuard 10 Agent\lnssatt.exe
    O23 - Service: iolo System Service (ioloSystemService) - iolo technologies, LLC - C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: VIPRE Internet Security (SBAMSvc) - GFI Software - C:\Program Files\GFI Software\VIPRE\SBAMSvc.exe
    O23 - Service: SB Recovery Service (SBPIMSvc) - GFI Software - C:\Program Files\GFI Software\VIPRE\SBPIMSvc.exe

    ====================================================

    Next is the contents of the dds.txt file:

    ====================================================
    (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 9.0.8112.16483 BrowserJavaVersion: 10.17.2
    Run by Edministrator at 19:06:49 on 2013-05-22
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3454.2447 [GMT -4:00]
    .
    AV: GFI Software VIPRE *Enabled/Updated* {E0D97DD4-42BA-B3F2-A5A7-22E9ACE81FC7}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: GFI Software VIPRE *Enabled/Updated* {5BB89C30-6480-BC7C-9F17-199BD76F557A}
    FW: GFI Software VIPRE *Enabled* {D8E2FCF1-08D5-B2AA-8EF8-8BDC523B58BC}
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\GFI Software\VIPRE\SBAMTray.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\GFI Software\VIPRE\LanGuard 10 Agent\lnssatt.exe
    C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
    C:\Program Files\GFI Software\VIPRE\SBPIMSvc.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\GFI Software\VIPRE\SBAMSvc.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\GFI Software\VIPRE\LanGuard 10 Agent\Mantle.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil32_11_7_700_169_ActiveX.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Internet Explorer\IELowutil.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.accessnorthga.com/
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [SBAMTray] "c:\program files\gfi software\vipre\SBAMTray.exe"
    mRun: [SBRegRebootCleaner] "c:\program files\gfi software\vipre\SBRC.exe"
    mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    TCP: NameServer = 192.168.1.1 97.81.22.195 71.92.29.130
    TCP: Interfaces\{7CE36365-C172-44CC-B6BF-306BFD008961} : DHCPNameServer = 192.168.1.1 97.81.22.195 71.92.29.130
    LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\ElRawDsk.sys [2013-4-9 27080]
    R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2013-4-6 226672]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    R2 gfi_lanss10_attservice;GFI LanGuard 10 Attendant Service;c:\program files\gfi software\vipre\languard 10 agent\lnssatt.exe [2012-7-2 115568]
    R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2013-4-9 1070080]
    R2 PDFsFilter;PDFsFilter;c:\windows\system32\drivers\PDFsFilter.sys [2013-4-9 68464]
    R2 SBAMSvc;VIPRE Internet Security;c:\program files\gfi software\vipre\SBAMSvc.exe [2013-2-20 3680512]
    R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2012-12-4 68904]
    R2 SBPIMSvc;SB Recovery Service;c:\program files\gfi software\vipre\SBPIMSvc.exe [2013-2-20 175936]
    R3 HSXHWBS3;HSXHWBS3;c:\windows\system32\drivers\HSXHWBS3.sys [2008-8-28 207360]
    R3 SBFWIMCLMP;GFI Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2013-4-6 96288]
    R3 sbwtis;sbwtis;c:\windows\system32\drivers\sbwtis.sys [2012-12-11 76064]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-4-6 41584]
    S3 SBFWIMCL;GFI Software Firewall NDIS IM Filter Service;c:\windows\system32\drivers\SbFwIm.sys [2013-4-6 96288]
    S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2013-4-6 95344]
    S4 CltMngSvc;Search Protect by Conduit Updater;c:\program files\searchprotect\bin\CltMngSvc.exe [2013-3-6 93984]
    S4 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== File Associations ===============
    .
    FileExt: .vbe: VBEFile=NOTEPAD.EXE "%1"
    FileExt: .vbs: VBSFile=NOTEPAD.EXE "%1"
    FileExt: .js: JSFile=NOTEPAD.EXE "%1"
    FileExt: .jse: JSEFile=NOTEPAD.EXE "%1"
    FileExt: .wsf: WSFFile=NOTEPAD.EXE "%1"
    .
    =============== Created Last 30 ================
    .
    2013-05-22 22:32:08 -------- d-----w- c:\users\edministrator\appdata\local\MigWiz
    2013-05-16 07:08:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2013-05-15 20:13:51 638328 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2013-05-15 20:13:50 37376 ----a-w- c:\windows\system32\cdd.dll
    2013-05-15 20:13:44 2049024 ----a-w- c:\windows\system32\win32k.sys
    2013-05-14 23:43:26 23656 ----a-w- c:\windows\system32\drivers\gfiutil.sys
    .
    ==================== Find3M ====================
    .
    2013-04-20 15:53:19 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-04-20 15:53:18 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-04-11 15:06:45 41584 ----a-w- c:\windows\system32\drivers\gfiark.sys
    2013-04-09 07:16:32 98816 ----a-w- c:\windows\system32\mfps.dll
    2013-04-09 07:15:31 4096 ----a-w- c:\windows\system32\drivers\en-us\dxgkrnl.sys.mui
    2013-04-09 07:15:31 369664 ----a-w- c:\windows\system32\WMPhoto.dll
    2013-04-09 07:15:31 195584 ----a-w- c:\windows\system32\dxdiagn.dll
    2013-04-09 07:15:30 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
    2013-04-09 07:15:30 519680 ----a-w- c:\windows\system32\d3d11.dll
    2013-04-09 07:15:30 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
    2013-04-09 07:15:30 252928 ----a-w- c:\windows\system32\dxdiag.exe
    2013-04-09 07:15:30 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
    2013-04-09 06:41:02 74703 ----a-w- c:\windows\system32\mfc45.dat
    2013-04-09 06:16:50 74703 ----a-w- c:\windows\system32\mfc45.dll
    2013-04-06 04:38:31 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    2013-04-06 04:38:29 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
    2013-04-06 04:38:29 782240 ----a-w- c:\windows\system32\deployJava1.dll
    2013-04-04 22:11:34 1800704 ----a-w- c:\windows\system32\jscript9.dll
    2013-04-04 22:02:59 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
    2013-04-04 22:02:17 1129472 ----a-w- c:\windows\system32\wininet.dll
    2013-04-04 21:58:51 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2013-04-04 21:57:45 420864 ----a-w- c:\windows\system32\vbscript.dll
    2013-04-04 18:50:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2013-03-18 03:59:00 41616 ----a-w- c:\windows\system32\iolobtdfg.exe
    2013-03-18 03:58:52 23568 ----a-w- c:\windows\system32\smrgdf.exe
    2013-03-18 03:43:56 2097472 ----a-w- c:\windows\system32\Incinerator32.dll
    2013-03-18 03:36:22 68464 ----a-w- c:\windows\system32\drivers\PDFsFilter.sys
    2013-03-12 05:10:56 237088 ------w- c:\windows\system32\MpSigStub.exe
    2013-03-11 13:25:50 3603816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2013-03-11 13:25:50 3551080 ----a-w- c:\windows\system32\ntoskrnl.exe
    2013-03-09 03:45:04 49152 ----a-w- c:\windows\system32\csrsrv.dll
    2013-03-09 01:28:08 64000 ----a-w- c:\windows\system32\smss.exe
    2013-03-08 03:53:50 376320 ----a-w- c:\windows\system32\winsrv.dll
    2013-03-08 03:52:22 2067968 ----a-w- c:\windows\system32\mstscax.dll
    2013-03-03 19:07:52 1082232 ----a-w- c:\windows\system32\drivers\ntfs.sys

    ====================================================

    Next is the contents of the attach.txt file:

    ====================================================

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft® Windows Vista™ Home Basic
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/6/2013 00:07:32
    System Uptime: 5/22/2013 18:57:32 (1 hours ago)
    .
    Motherboard: OEM_MB | | IVY8
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4400+ | Socket AM2 | 2300/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 222 GiB total, 159.226 GiB free.
    D: is FIXED (NTFS) - 11 GiB total, 1.509 GiB free.
    E: is CDROM ()
    F: is Removable
    G: is FIXED (NTFS) - 233 GiB total, 182.519 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 11 ActiveX
    Adobe Reader 8.1.2
    CaddieSync Express 1.5.8
    Cards_Calendar_OrderGift_DoMorePlugout
    Compatibility Pack for the 2007 Office system
    CyberLink DVD Suite Deluxe
    DVD Play
    EditPad Lite 7.2.3
    EPSON Scan
    EPSON WorkForce 500 Series Printer Uninstall
    FileZilla Client 3.7.0.1
    Hewlett-Packard Active Check for Health Check
    Hewlett-Packard Asset Agent for Health Check
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Active Support Library
    HP Customer Experience Enhancements
    HP Customer Feedback
    HP Demo
    HP Photosmart Essential 2.5
    HP Photosmart Essential 3.0
    HP Recovery Manager RSS
    HP Total Care Advisor
    HP Update
    HPPhotoSmartPhotobookWebPack1
    HPTCSSetup
    iolo technologies' System Mechanic
    Java 7 Update 17
    Java Auto Updater
    LabelPrint
    LightScribe System Software 1.14.17.1
    LightScribeTemplateLabeler
    Logitech Vid HD
    Logitech Webcam Software
    Logitech Webcam Software Driver Package
    Malwarebytes Anti-Malware version 1.75.0.1300
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Works
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    muvee autoProducer 6.1
    My HP Games
    NVIDIA Drivers
    OneClickdigital Media Manager
    OpenOffice.org 3.4.1
    PCIe Soft Data Fax Modem with SmartCP
    PictureMover
    Power2Go
    PowerDirector
    PSSWCORE
    Python 2.5.2
    Realtek High Definition Audio Driver
    Revo Uninstaller 1.94
    Search Protect by conduit
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
    Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
    Silicon Laboratories CP210x USB to UART Bridge (Driver Removal)
    TaxACT 2012 - 1040 Edition
    TaxACT 2012 Georgia
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    VideoToolkit01
    VIPRE Internet Security
    Yahoo! Messenger

    ====================================================

    and, finally the contents of the ark.txt file:

    ====================================================
    2.1.19163 - http://www.gmer.net
    Rootkit scan 2013-05-22 19:23:11
    Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\00000051 ST325031 rev.3.AH 232.89GB
    Running: 4hbn5yur.exe; Driver: C:\Users\EDMINI~1\AppData\Local\Temp\kwldipow.sys

    ---- Kernel code sections - GMER 2.1 ----
    .text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8EC01340, 0x3DA8C7, 0xE8000020]
    ? C:\Users\EDMINI~1\AppData\Local\Temp\mbr.sys The filename, directory name, or volume label syntax is incorrect. !
    ---- Devices - GMER 2.1 ----
    AttachedDevice \Driver\tdx \Device\Tcp SbFw.sys
    AttachedDevice \Driver\tdx \Device\Udp SbFw.sys
    AttachedDevice \Driver\tdx \Device\RawIp SbFw.sys
    ---- Disk sectors - GMER 2.1 ----
    Disk \Device\Harddisk0\DR0 unknown MBR code
    ---- EOF - GMER 2.1 ----


    ====================================================
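A note for readers working through logs like the ones above: the entries a malware specialist looks for first (an orphaned BHO, a service or Run entry whose binary lives under a PUP vendor's path, an IE search scope pointing at a search-redirect host) can be pulled out mechanically. The Python below is an added example written for this page; it is not code from the thread, from Tech Support Guy, or from HijackThis, DDS or FRST. It handles the HijackThis O2 and DDS service line formats shown above and the FRST Run and SearchScopes line formats that appear later in the thread. The keyword and host lists are assumptions for illustration, not a vetted signature set, and the sample log is constructed (modelled on entries in this thread's logs). It flags entries worth cleaning up; it does not by itself say what is deleting the downloads.

```python
"""Mechanical triage of HijackThis/DDS/FRST-style text logs.

Added example for this thread; not part of the original posts or of any
of the tools they mention. It pulls three kinds of entries out of a log:
a BHO whose CLSID is registered but whose DLL is missing ('(no file)',
'No File' or '<orphaned>'), a service or Run entry whose binary lives
under a known PUP/adware vendor path, and an IE SearchScope whose URL
points at a known search-redirect host.
"""
import re
from urllib.parse import urlparse

# Assumed indicator lists (illustrative; extend them from your own casework).
PUP_PATH_KEYWORDS = ("searchprotect", "conduit", "mywebsearch")
HIJACK_HOSTS = ("search.conduit.com", "search.mywebsearch.com")

# A CLSID in braces followed by one of the "DLL missing" markers the three
# tools print; matches both "O2 - BHO: ..." and FRST "BHO: ..." lines.
ORPHAN_BHO_RE = re.compile(
    r"BHO:.*?(\{[0-9A-Fa-f-]{36}\}).*?(?:\(no file\)|No File|<orphaned>)", re.I)
# "SearchScopes: HKCU - {...} URL = http://..."; an empty URL does not match.
SCOPE_RE = re.compile(r"SearchScopes:.*?URL\s*=\s*(\S+)", re.I)
# First Windows path on the line that ends in an executable, driver or DLL.
PATH_RE = re.compile(r"([a-z]:\\[^\[\]()]+?\.(?:exe|dll|sys))", re.I)


def classify(line):
    """Return (category, detail) for a suspicious log line, else None."""
    m = ORPHAN_BHO_RE.search(line)
    if m:
        return ("orphaned_bho", m.group(1))
    m = SCOPE_RE.search(line)
    if m:
        host = (urlparse(m.group(1)).hostname or "").lower()
        return ("search_hijack", host) if host in HIJACK_HOSTS else None
    m = PATH_RE.search(line)
    if m:
        path = m.group(1)
        if any(k in path.lower() for k in PUP_PATH_KEYWORDS):
            return ("pup_binary", path)
    return None


def triage(log_text):
    """Scan a whole log; return [(line_no, category, detail), ...]."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        hit = classify(line)
        if hit:
            findings.append((no, hit[0], hit[1]))
    return findings


# Constructed sample modelled on the line formats in the thread's logs
# (HijackThis O2 lines, DDS service lines, FRST Run/SearchScopes lines).
SAMPLE_LOG = r"""O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
S4 CltMngSvc;Search Protect by Conduit Updater;c:\program files\searchprotect\bin\CltMngSvc.exe [2013-3-6 93984]
R2 SBAMSvc;VIPRE Internet Security;c:\program files\gfi software\vipre\SBAMSvc.exe [2013-2-20 3680512]
HKU\Guest\...\Run: [SearchProtect] C:\Users\Guest\AppData\Roaming\SearchProtect\bin\cltmng.exe [ 2013-03-06] (Conduit)
SearchScopes: HKCU - {9C5CA580-A48D-4030-AB35-D78B61D7D8F2} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}
SearchScopes: HKLM - {BB67E9B4-E19D-4753-A3FB-5C52509D3BF9} URL = http://search.yahoo.com/search?p={searchTerms}
"""

if __name__ == "__main__":
    for no, category, detail in triage(SAMPLE_LOG):
        print(f"line {no}: {category}: {detail}")
```

Run against a saved DDS or FRST log with `triage(open("dds.txt").read())`; the VIPRE service line and the Yahoo search scope in the sample pass through untouched, while the orphaned BHO, the two Search Protect binaries and the Conduit search scope are reported with their line numbers.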
     
  2. edpled

    edpled Thread Starter

    Joined:
    Aug 8, 2010
    Messages:
    48
    I do not see this thread on any of the forum's 4 pages. I can only find it by logging in and looking at my "subscriptions". I wonder if it is even visible to you. 05/30/2013
     
  3. emeraldnzl

    emeraldnzl Malware Specialist

    Joined:
    Nov 3, 2007
    Messages:
    2,570
    Hello edpled,

    Please download Farbar Recovery Scan Tool and save it to your desktop.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
    • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
     
  4. edpled

    edpled Thread Starter

    Joined:
    Aug 8, 2010
    Messages:
    48
    Hello Emerald. Thanks for taking on my problem. Hope things are well in New Zealand. Farbar tool has executed... following are the text files generated:

    First the FRST.txt...

    ============================================================================
    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-05-2013
    Ran by Edministrator (administrator) on 30-05-2013 18:02:39
    Running from C:\Users\Edministrator\Desktop
    Windows Vista (TM) Home Basic Service Pack 2 (X86) OS Language: English(US)
    Internet Explorer Version 9
    Boot Mode: Normal

    ==================== Processes (Whitelisted) ===================

    (NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
    (Microsoft Corporation) C:\Windows\system32\SLsvc.exe
    (GFI Software Development Ltd.) C:\Program Files\GFI Software\VIPRE\LanGuard 10 Agent\lnssatt.exe
    (iolo technologies, LLC) C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
    (GFI Software) C:\Program Files\GFI Software\VIPRE\SBPIMSvc.exe
    (GFI Software) C:\Program Files\GFI Software\VIPRE\SBAMSvc.exe
    (GFI Software Development Ltd.) C:\Program Files\GFI Software\VIPRE\LanGuard 10 Agent\Mantle.exe
    (GFI Software) C:\Program Files\GFI Software\VIPRE\SBAMTray.exe
    (Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
    (Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
    (Microsoft Corporation) C:\Program Files\Windows Mail\WinMail.exe

    ==================== Registry (Whitelisted) ==================

    HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13539872 2008-05-22] (NVIDIA Corporation)
    HKLM\...\Run: [SBAMTray] "C:\Program Files\GFI Software\VIPRE\SBAMTray.exe" [3154752 2013-02-20] (GFI Software)
    HKLM\...\Run: [SBRegRebootCleaner] "C:\Program Files\GFI Software\VIPRE\SBRC.exe" [202048 2013-02-20] (GFI Software)
    HKCU\...\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun [1233920 2009-04-11] (Microsoft Corporation)
    HKU\Default\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [ 2008-07-03] (Hewlett-Packard)
    HKU\Default User\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [ 2008-07-03] (Hewlett-Packard)
    HKU\Guest\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [ 2008-07-03] (Hewlett-Packard)
    HKU\Guest\...\Run: [SearchProtect] C:\Users\Guest\AppData\Roaming\SearchProtect\bin\cltmng.exe [ 2013-03-06] (Conduit)
    HKU\Sissy\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [ 2008-07-03] (Hewlett-Packard)
    HKU\Sissy\...\Run: [SearchProtect] C:\Users\Sissy\AppData\Roaming\SearchProtect\bin\cltmng.exe [ 2013-03-06] (Conduit)
    Startup: C:\Users\Sissy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk
    ShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
    BootExecute: "autocheck autochk * "

    ==================== Internet (Whitelisted) ====================

    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.accessnorthga.com/
    HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...sario&pf=cndt
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?T...sario&pf=cndt
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...e=en_us&c=84&bd=Presario&pf=cndt
    SearchScopes: HKLM - {84dc9f6c-c9a5-4c64-ab67-d6ef60f963c8} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^ZO^xdm036^YY^us&si=EL_UTUS_20&ptb=7A626B60-FD70-4E11-A66A-AD5ECDEBF0AB&ind=2013040605&n=77fc8fdd&psa=&st=sb&searchfor={searchTerms}
    SearchScopes: HKLM - {BB67E9B4-E19D-4753-A3FB-5C52509D3BF9} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-psdt
    SearchScopes: HKLM - {D20B6448-844F-44E8-96EB-AEDDA205B403} URL = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscqd
    SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
    SearchScopes: HKCU - {84dc9f6c-c9a5-4c64-ab67-d6ef60f963c8} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^ZO^xdm036^YY^us&si=EL_UTUS_20&ptb=7A626B60-FD70-4E11-A66A-AD5ECDEBF0AB&ind=2013040605&n=77fc8fdd&psa=&st=sb&searchfor={searchTerms}
    SearchScopes: HKCU - {9C5CA580-A48D-4030-AB35-D78B61D7D8F2} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3289847&CUI=UN22761286072919264&UM=2&SSPV=TB_T3
    SearchScopes: HKCU - {BB67E9B4-E19D-4753-A3FB-5C52509D3BF9} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-psdt
    SearchScopes: HKCU - {D20B6448-844F-44E8-96EB-AEDDA205B403} URL =
    BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
    Toolbar: HKCU -&Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\Windows\system32\ieframe.dll (Microsoft Corporation)
    Toolbar: HKCU -No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
    Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 97.81.22.195 71.92.29.130

    ========================== Services (Whitelisted) =================

    S4 CltMngSvc; C:\Program Files\SearchProtect\bin\CltMngSvc.exe [93984 2013-03-06] (Conduit)
    R2 gfi_lanss10_attservice; C:\Program Files\GFI Software\VIPRE\LanGuard 10 Agent\lnssatt.exe [115568 2012-07-02] (GFI Software Development Ltd.)
    S4 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [94208 2008-06-02] (Hewlett-Packard)
    R2 ioloSystemService; C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe [1072664 2013-05-21] (iolo technologies, LLC)
    R2 SBAMSvc; C:\Program Files\GFI Software\VIPRE\SBAMSvc.exe [3680512 2013-02-20] (GFI Software)
    R2 SBPIMSvc; C:\Program Files\GFI Software\VIPRE\SBPIMSvc.exe [175936 2013-02-20] (GFI Software)
    S3 msiserver; %systemroot%\system32\msiexec /V [x]

    ==================== Drivers (Whitelisted) ====================

    R1 ElRawDisk; C:\Windows\system32\drivers\ElRawDsk.sys [27080 2012-04-17] (EldoS Corporation)
    R3 gfiark; C:\Windows\System32\drivers\gfiark.sys [41584 2013-04-11] (ThreatTrack Security)
    S3 gfiutil; C:\Windows\System32\drivers\gfiutil.sys [23656 2013-05-15] (ThreatTrack Security)
    R3 HSXHWBS3; C:\Windows\System32\DRIVERS\HSXHWBS3.sys [207360 2008-02-12] (Conexant Systems, Inc.)
    S3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2Mon.sys [25752 2009-10-07] ()
    R2 PDFsFilter; C:\Windows\System32\DRIVERS\PDFsFilter.sys [68464 2013-03-17] (Raxco Software, Inc.)
    S3 pepifilter; C:\Windows\System32\DRIVERS\lv302af.sys [13976 2009-04-30] (Logitech Inc.)
    S3 PID_PEPI; C:\Windows\System32\DRIVERS\LV302V32.SYS [2687512 2009-04-30] (Logitech Inc.)
    R2 sbapifs; C:\Windows\System32\DRIVERS\sbapifs.sys [68904 2012-12-04] (GFI Software)
    R1 SbFw; C:\Windows\System32\drivers\SbFw.sys [226672 2012-12-26] (GFI Software)
    S3 SBFWIMCL; C:\Windows\System32\DRIVERS\sbfwim.sys [96288 2012-09-24] (GFI Software)
    R3 SBFWIMCLMP; C:\Windows\System32\DRIVERS\SBFWIM.sys [96288 2012-09-24] (GFI Software)
    S3 sbhips; C:\Windows\System32\drivers\sbhips.sys [95344 2012-12-26] (GFI Software)
    R3 sbwtis; C:\Windows\System32\DRIVERS\sbwtis.sys [76064 2012-12-11] (GFI Software)
    S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
    S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
    S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
    S1 SBRE; \SystemRoot\system32\drivers\SBREDrv.sys [x]

    ==================== NetSvcs (Whitelisted) ===================

    ==================== One Month Created Files and Folders ========

    2013-05-30 18:02 - 2013-05-30 18:02 - 00000000 ____D C:\FRST
    2013-05-30 17:56 - 2013-05-30 17:56 - 01355557 ____A (Farbar) C:\Users\Edministrator\Desktop\FRST.exe
    2013-05-28 18:12 - 2013-05-28 18:12 - 02250054 ____A C:\ProgramData\1.bmp
    2013-05-27 15:07 - 2013-05-27 15:09 - 00013540 ____A C:\Users\Edministrator\Documents\Ebay for Carlyle.ods
    2013-05-27 14:05 - 2013-05-27 14:06 - 00080806 ____A C:\Users\Edministrator\Documents\MON - FRIDAY GOLF AT CGC.html
    2013-05-24 07:13 - 2012-04-17 08:25 - 00027080 ____A (EldoS Corporation) C:\Windows\System32\Drivers\ElRawDsk.sys
    2013-05-22 20:33 - 2013-05-22 20:35 - 00000510 ____A C:\Windows\ULead32.ini
    2013-05-22 20:33 - 2013-05-22 20:35 - 00000000 ____D C:\Windows\Ulead.dat
    2013-05-22 20:30 - 2013-05-22 20:30 - 00003584 ____A C:\Users\Edministrator\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2013-05-22 19:24 - 2013-05-22 20:35 - 00000000 ____D C:\Users\Edministrator\Desktop\files
    2013-05-22 19:24 - 2013-05-22 19:48 - 00000000 ____D C:\Users\Edministrator\Desktop\saver
    2013-05-22 17:17 - 2013-05-22 17:17 - 00004608 ____A C:\Users\Sissy\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2013-05-20 18:32 - 2013-05-20 18:42 - 00010752 ____A C:\Users\Sissy\Documents\SissysMeds.xlr
    2013-05-18 15:49 - 2013-05-22 19:36 - 00000680 ____A C:\Users\Edministrator\AppData\Local\d3d9caps.dat
    2013-05-18 15:49 - 2013-05-18 15:49 - 00000000 ____D C:\ProgramData\Yahoo!
    2013-05-17 16:22 - 2013-05-17 16:22 - 00000000 ____D C:\Users\Edministrator\AppData\Roaming\EPSON
    2013-05-16 13:51 - 2013-05-16 13:51 - 00080020 ____A C:\Users\Edministrator\Documents\Fridaygolf.xps
    2013-05-16 03:08 - 2013-05-05 15:25 - 12324864 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2013-05-16 03:08 - 2013-05-05 15:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2013-05-16 03:00 - 2013-04-04 18:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2013-05-16 03:00 - 2013-04-04 18:09 - 09738752 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2013-05-16 03:00 - 2013-04-04 18:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2013-05-16 03:00 - 2013-04-04 18:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2013-05-16 03:00 - 2013-04-04 18:02 - 01104384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2013-05-16 03:00 - 2013-04-04 18:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2013-05-16 03:00 - 2013-04-04 17:59 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2013-05-16 03:00 - 2013-04-04 17:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2013-05-16 03:00 - 2013-04-04 17:58 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2013-05-16 03:00 - 2013-04-04 17:57 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
    2013-05-16 03:00 - 2013-04-04 17:56 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2013-05-16 03:00 - 2013-04-04 17:55 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2013-05-16 03:00 - 2013-04-04 17:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2013-05-16 03:00 - 2013-04-04 17:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2013-05-15 16:13 - 2013-04-15 10:20 - 00638328 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
    2013-05-15 16:13 - 2013-04-13 06:56 - 00037376 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll
    2013-05-15 16:13 - 2013-04-08 21:36 - 02049024 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2013-05-14 19:43 - 2013-05-15 14:23 - 00023656 ____A (ThreatTrack Security) C:\Windows\System32\Drivers\gfiutil.sys
    2013-05-11 10:50 - 2013-05-11 10:50 - 00001791 ____A C:\Users\Public\Desktop\FileZilla Client.lnk
    2013-05-11 10:49 - 2013-05-11 10:49 - 04811793 ____A (FileZilla Project) C:\Users\Edministrator\Downloads\FileZilla_3.7.0.1_win32-setup.exe
    2013-05-04 03:35 - 2013-05-04 03:36 - 00006308 ____A C:\Windows\System32\lvcoinst.log

    ==================== One Month Modified Files and Folders ========

    2013-05-30 18:02 - 2013-05-30 18:02 - 00000000 ____D C:\FRST
    2013-05-30 18:00 - 2006-11-02 06:33 - 00755222 ____A C:\Windows\System32\PerfStringBackup.INI
    2013-05-30 17:56 - 2013-05-30 17:56 - 01355557 ____A (Farbar) C:\Users\Edministrator\Desktop\FRST.exe
    2013-05-30 17:43 - 2006-11-02 08:49 - 00081941 ____A C:\Windows\setupact.log
    2013-05-30 17:10 - 2013-04-06 15:49 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-05-30 17:00 - 2006-11-02 08:45 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2013-05-30 17:00 - 2006-11-02 08:45 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2013-05-30 04:03 - 2013-04-06 04:34 - 00000000 ____D C:\Users\Edministrator\CMGA
    2013-05-30 04:03 - 2013-04-06 03:01 - 00001918 ____A C:\Users\Edministrator\AppData\Roaming\wklnhst.dat
    2013-05-30 03:00 - 2013-04-05 23:51 - 01190987 ____A C:\Windows\WindowsUpdate.log
    2013-05-29 16:04 - 2013-04-06 15:30 - 00000000 ____D C:\Users\Edministrator\AppData\Roaming\FileZilla
    2013-05-28 19:00 - 2006-11-02 08:58 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-05-28 19:00 - 2006-11-02 08:44 - 00329792 ____A C:\Windows\System32\FNTCACHE.DAT
    2013-05-28 18:59 - 2008-01-20 23:02 - 00181740 ____A C:\Windows\PFRO.log
    2013-05-28 18:12 - 2013-05-28 18:12 - 02250054 ____A C:\ProgramData\1.bmp
    2013-05-28 08:44 - 2013-04-06 04:27 - 00030720 ____A C:\Users\Edministrator\Documents\2013TaxWorksheet.xlr
    2013-05-28 00:13 - 2006-11-02 08:58 - 00027032 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2013-05-27 15:09 - 2013-05-27 15:07 - 00013540 ____A C:\Users\Edministrator\Documents\Ebay for Carlyle.ods
    2013-05-27 14:06 - 2013-05-27 14:05 - 00080806 ____A C:\Users\Edministrator\Documents\MON - FRIDAY GOLF AT CGC.html
    2013-05-27 14:05 - 2013-04-06 04:27 - 00021861 ____A C:\Users\Edministrator\Documents\MON - FRIDAY GOLF AT CGC.ods
    2013-05-25 10:16 - 2013-04-06 04:27 - 00012800 ____A C:\Users\Edministrator\Documents\EdsMeds.xlr
    2013-05-24 07:13 - 2013-04-09 02:16 - 00000000 ____D C:\ProgramData\iolo
    2013-05-22 20:35 - 2013-05-22 20:33 - 00000510 ____A C:\Windows\ULead32.ini
    2013-05-22 20:35 - 2013-05-22 20:33 - 00000000 ____D C:\Windows\Ulead.dat
    2013-05-22 20:35 - 2013-05-22 19:24 - 00000000 ____D C:\Users\Edministrator\Desktop\files
    2013-05-22 20:30 - 2013-05-22 20:30 - 00003584 ____A C:\Users\Edministrator\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2013-05-22 19:48 - 2013-05-22 19:24 - 00000000 ____D C:\Users\Edministrator\Desktop\saver
    2013-05-22 19:36 - 2013-05-18 15:49 - 00000680 ____A C:\Users\Edministrator\AppData\Local\d3d9caps.dat
    2013-05-22 18:36 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\Registration
    2013-05-22 17:17 - 2013-05-22 17:17 - 00004608 ____A C:\Users\Sissy\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2013-05-22 
16:06 - 2013-04-06 00:14 - 00000000 ____D C:\users\Edministrator2013-05-22 00:08 - 2013-04-09 02:20 - 00041616 ____A (iolo technologies, LLC) C:\Windows\System32\iolobtdfg.exe2013-05-22 00:08 - 2013-04-09 02:20 - 00023568 ____A (iolo technologies, LLC) C:\Windows\System32\smrgdf.exe2013-05-21 23:48 - 2013-04-09 02:24 - 02097472 ____A (iolo technologies, LLC) C:\Windows\System32\Incinerator32.dll2013-05-20 18:42 - 2013-05-20 18:32 - 00010752 ____A C:\Users\Sissy\Documents\SissysMeds.xlr2013-05-20 18:42 - 2013-04-06 04:03 - 00000602 ____A C:\Users\Sissy\AppData\Roaming\wklnhst.dat2013-05-20 16:43 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\System32\LogFiles2013-05-18 15:49 - 2013-05-18 15:49 - 00000000 ____D C:\ProgramData\Yahoo!2013-05-18 15:49 - 2008-08-28 06:28 - 00000000 ____D C:\Program Files\Yahoo!2013-05-18 00:14 - 2013-04-06 04:27 - 00085504 ____A C:\Users\Edministrator\Documents\Reading List.xlr2013-05-17 16:22 - 2013-05-17 16:22 - 00000000 ____D C:\Users\Edministrator\AppData\Roaming\EPSON2013-05-16 13:51 - 2013-05-16 13:51 - 00080020 ____A C:\Users\Edministrator\Documents\Fridaygolf.xps2013-05-16 05:17 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\Microsoft.NET2013-05-16 03:03 - 2006-11-02 06:24 - 72607752 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe2013-05-15 14:23 - 2013-05-14 19:43 - 00023656 ____A (ThreatTrack Security) C:\Windows\System32\Drivers\gfiutil.sys2013-05-11 10:50 - 2013-05-11 10:50 - 00001791 ____A C:\Users\Public\Desktop\FileZilla Client.lnk2013-05-11 10:50 - 2013-04-06 15:31 - 00000000 ____D C:\Program Files\FileZilla FTP Client2013-05-11 10:49 - 2013-05-11 10:49 - 04811793 ____A (FileZilla Project) C:\Users\Edministrator\Downloads\FileZilla_3.7.0.1_win32-setup.exe2013-05-05 15:25 - 2013-05-16 03:08 - 12324864 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll2013-05-05 15:12 - 2013-05-16 03:08 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb2013-05-05 12:18 - 2013-04-13 01:16 - 00011264 
____A C:\Users\Edministrator\Documents\EdDailyBloodPressure.xlr2013-05-04 21:40 - 2013-04-06 04:28 - 00000000 ____D C:\Users\Edministrator\Documents\EV stuff2013-05-04 03:36 - 2013-05-04 03:35 - 00006308 ____A C:\Windows\System32\lvcoinst.logZeroAccess:C:\$Recycle.Bin\S-1-5-21-2286856821-3026158987-1088416257-1000\$b3f893802346af01b32a942f8f12ff62==================== Bamital & volsnap Check =================C:\Windows\explorer.exe => MD5 is legitC:\Windows\System32\winlogon.exe => MD5 is legitC:\Windows\System32\wininit.exe => MD5 is legitC:\Windows\System32\svchost.exe => MD5 is legitC:\Windows\System32\services.exe => MD5 is legitC:\Windows\System32\User32.dll => MD5 is legitC:\Windows\System32\userinit.exe => MD5 is legitC:\Windows\System32\Drivers\volsnap.sys => MD5 is legitC:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows DefenderLast Boot: 2013-05-30 07:13==================== End Of Log ============================Next the ADDITION.txt file....================================================================Additional scan result of Farbar Recovery Scan Tool (x86) Version: 30-05-2013Ran by Edministrator at 2013-05-30 18:03:36 Run:Running from C:\Users\Edministrator\DesktopBoot Mode: Normal============================================================================== Installed Programs =======================Adobe Flash Player 11 ActiveX (Version: 11.7.700.169)Adobe Reader 8.1.2 (Version: 8.1.2)CaddieSync Express 1.5.8 (Version: 1.5.8)Cards_Calendar_OrderGift_DoMorePlugout (Version: 2.03.0000)Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)CyberLink DVD Suite Deluxe (Version: .1707)DVD Play (Version: 2.4.5411)EditPad Lite 7.2.3 (Version: 7.2.3)EPSON ScanEPSON WorkForce 500 Series Printer UninstallFileZilla Client 3.7.0.1 (Version: 3.7.0.1)Hewlett-Packard Active Check for Health Check (Version: 1.1.15.2)Hewlett-Packard Asset Agent for Health Check (Version: 
2.0.63.2)HP Active Support Library (Version: 3.1.6.1)HP Customer Experience Enhancements (Version: 5.6.0.2510)HP Customer Feedback (Version: 1.0.0)HP Demo (Version: 1.00.0000)HP Photosmart Essential 2.5 (Version: 1.03.0000)HP Photosmart Essential 3.0 (Version: 3.0)HP Recovery Manager RSS (Version: 84.0.0.7)HP Total Care Advisor (Version: 2.3.4292.2709)HP Update (Version: 4.000.010.008)HPPhotoSmartPhotobookWebPack1 (Version: 2.03.0000)HPTCSSetup (Version: 1.0.964.2626)iolo technologies' System Mechanic (Version: 11.7.1)Java 7 Update 17 (Version: 7.0.170)Java Auto Updater (Version: 2.1.9.0)LabelPrint (Version: 2.2.2913)LightScribe System Software 1.14.17.1 (Version: 1.14.17.1)LightScribeTemplateLabeler (Version: 1.10.23.1)Logitech Vid HD (Version: 7.2 (7259))Logitech Webcam Software (Version: 12.10.1113)Logitech Webcam Software Driver Package (Version: 12.10.1110)Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)Microsoft .NET Framework 3.5 SP1Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)Microsoft .NET Framework 4 Extended (Version: 4.0.30319)Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.6612.1000)Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)Microsoft Works (Version: 9.7.0621)MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)muvee autoProducer 6.1 (Version: 6.10.050)My HP Games (Version: 1.0.0.52)NVIDIA DriversOneClickdigital Media Manager (Version: 61.0.0.0)OpenOffice.org 3.4.1 (Version: 3.41.9593)PCIe Soft Data Fax Modem with SmartCP (Version: 7.71.00.50)PictureMover (Version: 3.0.1.52)Power2Go (Version: 5.6.4109)PowerDirector (Version: 6.5.2926)PSSWCORE (Version: 2.03.0000)Python 2.5.2 (Version: 2.5.2150)Realtek High Definition Audio 
Driver (Version: 6.0.1.5789)Revo Uninstaller 1.94 (Version: 1.94)Search Protect by conduit (Version: 1.4.1.12)Silicon Laboratories CP210x USB to UART Bridge (Driver Removal)TaxACT 2012 - 1040 EditionTaxACT 2012 GeorgiaUpdate for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)VideoToolkit01 (Version: 110.0.171.000)VIPRE Internet Security (Version: 6.2.1.10)Yahoo! Messenger==================== Restore Points =========================09-05-2013 20:32:11 Scheduled Checkpoint11-05-2013 05:00:28 Scheduled Checkpoint13-05-2013 02:34:32 Scheduled Checkpoint14-05-2013 05:00:20 Scheduled Checkpoint16-05-2013 01:00:59 Scheduled Checkpoint16-05-2013 07:00:18 Windows Update17-05-2013 02:46:40 Scheduled Checkpoint17-05-2013 17:06:03 Scheduled Checkpoint18-05-2013 16:40:00 Scheduled Checkpoint19-05-2013 05:00:25 Scheduled Checkpoint20-05-2013 05:40:18 Scheduled Checkpoint21-05-2013 00:35:49 Scheduled Checkpoint21-05-2013 16:18:11 Scheduled Checkpoint23-05-2013 03:20:27 Scheduled Checkpoint23-05-2013 15:45:33 Scheduled Checkpoint24-05-2013 04:18:43 Scheduled Checkpoint25-05-2013 04:17:37 Scheduled Checkpoint26-05-2013 04:02:04 Scheduled Checkpoint27-05-2013 12:15:11 Scheduled Checkpoint28-05-2013 04:51:41 Scheduled Checkpoint28-05-2013 23:36:07 Scheduled Checkpoint30-05-2013 08:30:42 Scheduled Checkpoint==================== Hosts content: ==========================::1 localhost127.0.0.1 localhost==================== Faulty Device Manager Devices ================================= Event log errors: =========================Application errors:==================Error: (05/28/2013 07:01:29 PM) (Source: WinMgmt) (User: )Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003Error: (05/28/2013 06:16:12 PM) (Source: WinMgmt) (User: )Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND 
TargetInstance.LoadPercentage > 990x80041003Error: (05/28/2013 06:15:26 PM) (Source: EventSystem) (User: )Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043cError: (05/28/2013 09:41:21 AM) (Source: Application Error) (User: )Description: Faulting application iexplore.exe, version 9.0.8112.16483, time stamp 0x515df825, faulting module oehook.dll, version 3.2.3.0, time stamp 0x4924724a, exception code 0xc0000005, fault offset 0x00002012,process id 0xaa8, application start time 0xiexplore.exe0.Error: (05/28/2013 00:15:51 AM) (Source: WinMgmt) (User: )Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003Error: (05/28/2013 00:12:37 AM) (Source: Application Error) (User: )Description: Faulting application WinMail.exe, version 6.0.6001.18000, time stamp 0x47918ed8, faulting module oehook.dll, version 3.2.3.0, time stamp 0x4924724a, exception code 0xc0000005, fault offset 0x00002012,process id 0x7f8, application start time 0xWinMail.exe0.Error: (05/27/2013 07:35:17 AM) (Source: ESENT) (User: )Description: wuaueng.dll (1068) SUS20ClientDataStore: Database recovery/restore failed with unexpected error -501.Error: (05/27/2013 07:35:17 AM) (Source: ESENT) (User: )Description: wuaueng.dll (1068) SUS20ClientDataStore: Unable to read the header of logfile C:\Windows\SoftwareDistribution\DataStore\Logs\edb035F5.log. Error -501.Error: (05/27/2013 07:33:30 AM) (Source: WinMgmt) (User: )Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003Error: (05/27/2013 07:30:22 AM) (Source: ESENT) (User: )Description: wuaueng.dll (1116) SUS20ClientDataStore: The version store for this instance (0) has reached its maximum size of 8Mb. 
It is likely that a long-running transaction is preventing cleanup of the version store and causing it to build up in size. Updates will be rejected until the long-running transaction has been completely committed or rolled back.Possible long-running transaction: SessionId: 0x01550320 Session-context: 0x00000000 Session-context ThreadId: 0x000000D8 Cleanup: 1System errors:=============Error: (05/30/2013 00:58:42 AM) (Source: Schannel) (User: )Description: An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.Error: (05/28/2013 07:09:10 PM) (Source: Schannel) (User: )Description: An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.Error: (05/28/2013 07:01:29 PM) (Source: Service Control Manager) (User: )Description: i8042prtSBREError: (05/28/2013 07:01:29 PM) (Source: Service Control Manager) (User: )Description: Computer Browser%%1060Error: (05/28/2013 07:01:29 PM) (Source: Service Control Manager) (User: )Description: Parallel port driver%%1058Error: (05/28/2013 06:19:33 PM) (Source: Service Control Manager) (User: )Description: VIPRE Internet SecurityError: (05/28/2013 06:16:13 PM) (Source: Service Control Manager) (User: )Description: ElRawDiski8042prtSBREspldrWanarpv6Error: (05/28/2013 06:16:13 PM) (Source: Service Control Manager) (User: )Description: Computer BrowserServer%%1068Error: (05/28/2013 06:15:29 PM) (Source: DCOM) (User: )Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}Error: (05/28/2013 06:15:29 PM) (Source: DCOM) (User: )Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}Microsoft Office Sessions:=========================Error: (05/28/2013 07:01:29 PM) (Source: WinMgmt)(User: )Description: //./root/CIMV2SELECT * FROM 
__InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003Error: (05/28/2013 06:16:12 PM) (Source: WinMgmt)(User: )Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003Error: (05/28/2013 06:15:26 PM) (Source: EventSystem)(User: )Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043cError: (05/28/2013 09:41:21 AM) (Source: Application Error)(User: )Description: iexplore.exe9.0.8112.16483515df825oehook.dll3.2.3.04924724ac000000500002012aa801ce5ba909e64c2bError: (05/28/2013 00:15:51 AM) (Source: WinMgmt)(User: )Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003Error: (05/28/2013 00:12:37 AM) (Source: Application Error)(User: )Description: WinMail.exe6.0.6001.1800047918ed8oehook.dll3.2.3.04924724ac0000005000020127f801ce5b5994824549Error: (05/27/2013 07:35:17 AM) (Source: ESENT)(User: )Description: wuaueng.dll1068SUS20ClientDataStore: -501Error: (05/27/2013 07:35:17 AM) (Source: ESENT)(User: )Description: wuaueng.dll1068SUS20ClientDataStore: C:\Windows\SoftwareDistribution\DataStore\Logs\edb035F5.log-501Error: (05/27/2013 07:33:30 AM) (Source: WinMgmt)(User: )Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003Error: (05/27/2013 07:30:22 AM) (Source: ESENT)(User: )Description: wuaueng.dll1116SUS20ClientDataStore: 080x015503200x000000000x000000D81CodeIntegrity Errors:=================================== Date: 2013-05-30 18:02:57.631 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\sbhips.sys because the set of per-page image hashes could not be 
found on the system. Date: 2013-05-30 18:02:57.475 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\sbhips.sys because the set of per-page image hashes could not be found on the system. Date: 2013-05-30 18:02:57.335 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\sbhips.sys because the set of per-page image hashes could not be found on the system. Date: 2013-05-30 18:02:57.179 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\sbhips.sys because the set of per-page image hashes could not be found on the system. Date: 2013-05-30 18:02:56.789 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\SbFw.sys because the set of per-page image hashes could not be found on the system. Date: 2013-05-30 18:02:56.633 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\SbFw.sys because the set of per-page image hashes could not be found on the system. Date: 2013-05-30 18:02:56.492 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\SbFw.sys because the set of per-page image hashes could not be found on the system. Date: 2013-05-30 18:02:56.336 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\SbFw.sys because the set of per-page image hashes could not be found on the system. 
Date: 2013-05-28 18:48:44.496 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system. Date: 2013-05-28 18:48:44.355 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.==================== Memory info =========================== Percentage of memory in use: 40%Total physical RAM: 3453.57 MBAvailable physical RAM: 2071 MBTotal Pagefile: 7119.59 MBAvailable Pagefile: 5909.11 MBTotal Virtual: 2047.88 MBAvailable Virtual: 1910.29 MB==================== Drives ================================Drive c: (COMPAQ) (Fixed) (Total:221.91 GB) (Free:159.59 GB) NTFS ==>[Drive with boot components (obtained from BCD)]Drive d: (FACTORY_IMAGE) (Fixed) (Total:10.97 GB) (Free:1.51 GB) NTFS ==>[System with boot components (obtained from reading drive)]Drive g: (SimpleDrive) (Fixed) (Total:232.88 GB) (Free:182.56 GB) NTFS==================== MBR & Partition Table ==========================================================================Disk: 0 (Size: 233 GB) (Disk ID: 1549F232)Partition 1: (Active) - (Size=222 GB) - (Type=07 NTFS)Partition 3: (Not Active) - (Size=11 GB) - (Type=07 NTFS)========================================================Disk: 2 (MBR Code: Windows XP) (Size: 233 GB) (Disk ID: 4F38E226)Partition 1: (Not Active) - (Size=233 GB) - (Type=07 NTFS)==================== End Of Log ============================
     
  5. emeraldnzl

    emeraldnzl Malware Specialist

    Joined:
    Nov 3, 2007
    Messages:
    2,570
    Hello edpled,

    How did you post that into the thread?

    I can see infection there but it's extremely hard to interpret properly. Don't want to get it wrong.:p

    The log should post along the lines of your previous ones. I am wondering if we can get it pasted into the forum in a way I can read it.

    Alternatively, if you attached the FRST.txt I can maybe download onto notepad at my end.:)
     
  6. edpled

    edpled Thread Starter

    Joined:
    Aug 8, 2010
    Messages:
    48
    I see what you mean. I have heretofore been unable to log into your site, except in protected mode, and see a formatted readable web page. I did not use the protected mode on my last response so I will go back to that inconvenience. Thank you for your patience.

    Following are the two text files again....

    =======================================
    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-05-2013
    Ran by Edministrator (administrator) on 30-05-2013 18:02:39
    Running from C:\Users\Edministrator\Desktop
    Windows Vista (TM) Home Basic Service Pack 2 (X86) OS Language: English(US)
    Internet Explorer Version 9
    Boot Mode: Normal
    ==================== Processes (Whitelisted) ===================
    (NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
    (Microsoft Corporation) C:\Windows\system32\SLsvc.exe
    (GFI Software Development Ltd.) C:\Program Files\GFI Software\VIPRE\LanGuard 10 Agent\lnssatt.exe
    (iolo technologies, LLC) C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
    (GFI Software) C:\Program Files\GFI Software\VIPRE\SBPIMSvc.exe
    (GFI Software) C:\Program Files\GFI Software\VIPRE\SBAMSvc.exe
    (GFI Software Development Ltd.) C:\Program Files\GFI Software\VIPRE\LanGuard 10 Agent\Mantle.exe
    (GFI Software) C:\Program Files\GFI Software\VIPRE\SBAMTray.exe
    (Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
    (Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
    (Microsoft Corporation) C:\Program Files\Windows Mail\WinMail.exe
    ==================== Registry (Whitelisted) ==================
    HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13539872 2008-05-22] (NVIDIA Corporation)
    HKLM\...\Run: [SBAMTray] "C:\Program Files\GFI Software\VIPRE\SBAMTray.exe" [3154752 2013-02-20] (GFI Software)
    HKLM\...\Run: [SBRegRebootCleaner] "C:\Program Files\GFI Software\VIPRE\SBRC.exe" [202048 2013-02-20] (GFI Software)
    HKCU\...\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun [1233920 2009-04-11] (Microsoft Corporation)
    HKU\Default\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [ 2008-07-03] (Hewlett-Packard)
    HKU\Default User\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [ 2008-07-03] (Hewlett-Packard)
    HKU\Guest\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [ 2008-07-03] (Hewlett-Packard)
    HKU\Guest\...\Run: [SearchProtect] C:\Users\Guest\AppData\Roaming\SearchProtect\bin\cltmng.exe [ 2013-03-06] (Conduit)
    HKU\Sissy\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [ 2008-07-03] (Hewlett-Packard)
    HKU\Sissy\...\Run: [SearchProtect] C:\Users\Sissy\AppData\Roaming\SearchProtect\bin\cltmng.exe [ 2013-03-06] (Conduit)
    Startup: C:\Users\Sissy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk
    ShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
    BootExecute: "autocheck autochk * "
    ==================== Internet (Whitelisted) ====================
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.accessnorthga.com/
    HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
    SearchScopes: HKLM - {84dc9f6c-c9a5-4c64-ab67-d6ef60f963c8} URL = http://search.mywebsearch.com/myweb...&n=77fc8fdd&psa=&st=sb&searchfor={searchTerms}
    SearchScopes: HKLM - {BB67E9B4-E19D-4753-A3FB-5C52509D3BF9} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-psdt
    SearchScopes: HKLM - {D20B6448-844F-44E8-96EB-AEDDA205B403} URL = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscqd
    SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
    SearchScopes: HKCU - {84dc9f6c-c9a5-4c64-ab67-d6ef60f963c8} URL = http://search.mywebsearch.com/myweb...&n=77fc8fdd&psa=&st=sb&searchfor={searchTerms}
    SearchScopes: HKCU - {9C5CA580-A48D-4030-AB35-D78B61D7D8F2} URL = http://search.conduit.com/ResultsEx...89847&CUI=UN22761286072919264&UM=2&SSPV=TB_T3
    SearchScopes: HKCU - {BB67E9B4-E19D-4753-A3FB-5C52509D3BF9} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-psdt
    SearchScopes: HKCU - {D20B6448-844F-44E8-96EB-AEDDA205B403} URL =
    BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
    Toolbar: HKCU -&Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\Windows\system32\ieframe.dll (Microsoft Corporation)
    Toolbar: HKCU -No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
    Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 97.81.22.195 71.92.29.130
    ========================== Services (Whitelisted) =================
    S4 CltMngSvc; C:\Program Files\SearchProtect\bin\CltMngSvc.exe [93984 2013-03-06] (Conduit)
    R2 gfi_lanss10_attservice; C:\Program Files\GFI Software\VIPRE\LanGuard 10 Agent\lnssatt.exe [115568 2012-07-02] (GFI Software Development Ltd.)
    S4 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [94208 2008-06-02] (Hewlett-Packard)
    R2 ioloSystemService; C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe [1072664 2013-05-21] (iolo technologies, LLC)
    R2 SBAMSvc; C:\Program Files\GFI Software\VIPRE\SBAMSvc.exe [3680512 2013-02-20] (GFI Software)
    R2 SBPIMSvc; C:\Program Files\GFI Software\VIPRE\SBPIMSvc.exe [175936 2013-02-20] (GFI Software)
    S3 msiserver; %systemroot%\system32\msiexec /V [x]
    ==================== Drivers (Whitelisted) ====================
    R1 ElRawDisk; C:\Windows\system32\drivers\ElRawDsk.sys [27080 2012-04-17] (EldoS Corporation)
    R3 gfiark; C:\Windows\System32\drivers\gfiark.sys [41584 2013-04-11] (ThreatTrack Security)
    S3 gfiutil; C:\Windows\System32\drivers\gfiutil.sys [23656 2013-05-15] (ThreatTrack Security)
    R3 HSXHWBS3; C:\Windows\System32\DRIVERS\HSXHWBS3.sys [207360 2008-02-12] (Conexant Systems, Inc.)
    S3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2Mon.sys [25752 2009-10-07] ()
    R2 PDFsFilter; C:\Windows\System32\DRIVERS\PDFsFilter.sys [68464 2013-03-17] (Raxco Software, Inc.)
    S3 pepifilter; C:\Windows\System32\DRIVERS\lv302af.sys [13976 2009-04-30] (Logitech Inc.)
    S3 PID_PEPI; C:\Windows\System32\DRIVERS\LV302V32.SYS [2687512 2009-04-30] (Logitech Inc.)
    R2 sbapifs; C:\Windows\System32\DRIVERS\sbapifs.sys [68904 2012-12-04] (GFI Software)
    R1 SbFw; C:\Windows\System32\drivers\SbFw.sys [226672 2012-12-26] (GFI Software)
    S3 SBFWIMCL; C:\Windows\System32\DRIVERS\sbfwim.sys [96288 2012-09-24] (GFI Software)
    R3 SBFWIMCLMP; C:\Windows\System32\DRIVERS\SBFWIM.sys [96288 2012-09-24] (GFI Software)
    S3 sbhips; C:\Windows\System32\drivers\sbhips.sys [95344 2012-12-26] (GFI Software)
    R3 sbwtis; C:\Windows\System32\DRIVERS\sbwtis.sys [76064 2012-12-11] (GFI Software)
    S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
    S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
    S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
    S1 SBRE; \SystemRoot\system32\drivers\SBREDrv.sys [x]
    ==================== NetSvcs (Whitelisted) ===================

    ==================== One Month Created Files and Folders ========
    2013-05-30 18:02 - 2013-05-30 18:02 - 00000000 ____D C:\FRST
    2013-05-30 17:56 - 2013-05-30 17:56 - 01355557 ____A (Farbar) C:\Users\Edministrator\Desktop\FRST.exe
    2013-05-28 18:12 - 2013-05-28 18:12 - 02250054 ____A C:\ProgramData\1.bmp
    2013-05-27 15:07 - 2013-05-27 15:09 - 00013540 ____A C:\Users\Edministrator\Documents\Ebay for Carlyle.ods
    2013-05-27 14:05 - 2013-05-27 14:06 - 00080806 ____A C:\Users\Edministrator\Documents\MON - FRIDAY GOLF AT CGC.html
    2013-05-24 07:13 - 2012-04-17 08:25 - 00027080 ____A (EldoS Corporation) C:\Windows\System32\Drivers\ElRawDsk.sys
    2013-05-22 20:33 - 2013-05-22 20:35 - 00000510 ____A C:\Windows\ULead32.ini
    2013-05-22 20:33 - 2013-05-22 20:35 - 00000000 ____D C:\Windows\Ulead.dat
    2013-05-22 20:30 - 2013-05-22 20:30 - 00003584 ____A C:\Users\Edministrator\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2013-05-22 19:24 - 2013-05-22 20:35 - 00000000 ____D C:\Users\Edministrator\Desktop\files
    2013-05-22 19:24 - 2013-05-22 19:48 - 00000000 ____D C:\Users\Edministrator\Desktop\saver
    2013-05-22 17:17 - 2013-05-22 17:17 - 00004608 ____A C:\Users\Sissy\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2013-05-20 18:32 - 2013-05-20 18:42 - 00010752 ____A C:\Users\Sissy\Documents\SissysMeds.xlr
    2013-05-18 15:49 - 2013-05-22 19:36 - 00000680 ____A C:\Users\Edministrator\AppData\Local\d3d9caps.dat
    2013-05-18 15:49 - 2013-05-18 15:49 - 00000000 ____D C:\ProgramData\Yahoo!
    2013-05-17 16:22 - 2013-05-17 16:22 - 00000000 ____D C:\Users\Edministrator\AppData\Roaming\EPSON
    2013-05-16 13:51 - 2013-05-16 13:51 - 00080020 ____A C:\Users\Edministrator\Documents\Fridaygolf.xps
    2013-05-16 03:08 - 2013-05-05 15:25 - 12324864 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2013-05-16 03:08 - 2013-05-05 15:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2013-05-16 03:00 - 2013-04-04 18:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2013-05-16 03:00 - 2013-04-04 18:09 - 09738752 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2013-05-16 03:00 - 2013-04-04 18:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2013-05-16 03:00 - 2013-04-04 18:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2013-05-16 03:00 - 2013-04-04 18:02 - 01104384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2013-05-16 03:00 - 2013-04-04 18:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2013-05-16 03:00 - 2013-04-04 17:59 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2013-05-16 03:00 - 2013-04-04 17:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2013-05-16 03:00 - 2013-04-04 17:58 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2013-05-16 03:00 - 2013-04-04 17:57 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
    2013-05-16 03:00 - 2013-04-04 17:56 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
    2013-05-16 03:00 - 2013-04-04 17:55 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2013-05-16 03:00 - 2013-04-04 17:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2013-05-16 03:00 - 2013-04-04 17:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2013-05-15 16:13 - 2013-04-15 10:20 - 00638328 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
    2013-05-15 16:13 - 2013-04-13 06:56 - 00037376 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll
    2013-05-15 16:13 - 2013-04-08 21:36 - 02049024 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2013-05-14 19:43 - 2013-05-15 14:23 - 00023656 ____A (ThreatTrack Security) C:\Windows\System32\Drivers\gfiutil.sys
    2013-05-11 10:50 - 2013-05-11 10:50 - 00001791 ____A C:\Users\Public\Desktop\FileZilla Client.lnk
    2013-05-11 10:49 - 2013-05-11 10:49 - 04811793 ____A (FileZilla Project) C:\Users\Edministrator\Downloads\FileZilla_3.7.0.1_win32-setup.exe
    2013-05-04 03:35 - 2013-05-04 03:36 - 00006308 ____A C:\Windows\System32\lvcoinst.log
    ==================== One Month Modified Files and Folders ========
    2013-05-30 18:02 - 2013-05-30 18:02 - 00000000 ____D C:\FRST
    2013-05-30 18:00 - 2006-11-02 06:33 - 00755222 ____A C:\Windows\System32\PerfStringBackup.INI
    2013-05-30 17:56 - 2013-05-30 17:56 - 01355557 ____A (Farbar) C:\Users\Edministrator\Desktop\FRST.exe
    2013-05-30 17:43 - 2006-11-02 08:49 - 00081941 ____A C:\Windows\setupact.log
    2013-05-30 17:10 - 2013-04-06 15:49 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-05-30 17:00 - 2006-11-02 08:45 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2013-05-30 17:00 - 2006-11-02 08:45 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2013-05-30 04:03 - 2013-04-06 04:34 - 00000000 ____D C:\Users\Edministrator\CMGA
    2013-05-30 04:03 - 2013-04-06 03:01 - 00001918 ____A C:\Users\Edministrator\AppData\Roaming\wklnhst.dat
    2013-05-30 03:00 - 2013-04-05 23:51 - 01190987 ____A C:\Windows\WindowsUpdate.log
    2013-05-29 16:04 - 2013-04-06 15:30 - 00000000 ____D C:\Users\Edministrator\AppData\Roaming\FileZilla
    2013-05-28 19:00 - 2006-11-02 08:58 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-05-28 19:00 - 2006-11-02 08:44 - 00329792 ____A C:\Windows\System32\FNTCACHE.DAT
    2013-05-28 18:59 - 2008-01-20 23:02 - 00181740 ____A C:\Windows\PFRO.log
    2013-05-28 18:12 - 2013-05-28 18:12 - 02250054 ____A C:\ProgramData\1.bmp
    2013-05-28 08:44 - 2013-04-06 04:27 - 00030720 ____A C:\Users\Edministrator\Documents\2013TaxWorksheet.xlr
    2013-05-28 00:13 - 2006-11-02 08:58 - 00027032 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2013-05-27 15:09 - 2013-05-27 15:07 - 00013540 ____A C:\Users\Edministrator\Documents\Ebay for Carlyle.ods
    2013-05-27 14:06 - 2013-05-27 14:05 - 00080806 ____A C:\Users\Edministrator\Documents\MON - FRIDAY GOLF AT CGC.html
    2013-05-27 14:05 - 2013-04-06 04:27 - 00021861 ____A C:\Users\Edministrator\Documents\MON - FRIDAY GOLF AT CGC.ods
    2013-05-25 10:16 - 2013-04-06 04:27 - 00012800 ____A C:\Users\Edministrator\Documents\EdsMeds.xlr
    2013-05-24 07:13 - 2013-04-09 02:16 - 00000000 ____D C:\ProgramData\iolo
    2013-05-22 20:35 - 2013-05-22 20:33 - 00000510 ____A C:\Windows\ULead32.ini
    2013-05-22 20:35 - 2013-05-22 20:33 - 00000000 ____D C:\Windows\Ulead.dat
    2013-05-22 20:35 - 2013-05-22 19:24 - 00000000 ____D C:\Users\Edministrator\Desktop\files
    2013-05-22 20:30 - 2013-05-22 20:30 - 00003584 ____A C:\Users\Edministrator\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2013-05-22 19:48 - 2013-05-22 19:24 - 00000000 ____D C:\Users\Edministrator\Desktop\saver
    2013-05-22 19:36 - 2013-05-18 15:49 - 00000680 ____A C:\Users\Edministrator\AppData\Local\d3d9caps.dat
    2013-05-22 18:36 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\Registration
    2013-05-22 17:17 - 2013-05-22 17:17 - 00004608 ____A C:\Users\Sissy\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2013-05-22 16:06 - 2013-04-06 00:14 - 00000000 ____D C:\users\Edministrator
    2013-05-22 00:08 - 2013-04-09 02:20 - 00041616 ____A (iolo technologies, LLC) C:\Windows\System32\iolobtdfg.exe
    2013-05-22 00:08 - 2013-04-09 02:20 - 00023568 ____A (iolo technologies, LLC) C:\Windows\System32\smrgdf.exe
    2013-05-21 23:48 - 2013-04-09 02:24 - 02097472 ____A (iolo technologies, LLC) C:\Windows\System32\Incinerator32.dll
    2013-05-20 18:42 - 2013-05-20 18:32 - 00010752 ____A C:\Users\Sissy\Documents\SissysMeds.xlr
    2013-05-20 18:42 - 2013-04-06 04:03 - 00000602 ____A C:\Users\Sissy\AppData\Roaming\wklnhst.dat
    2013-05-20 16:43 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\System32\LogFiles
    2013-05-18 15:49 - 2013-05-18 15:49 - 00000000 ____D C:\ProgramData\Yahoo!
    2013-05-18 15:49 - 2008-08-28 06:28 - 00000000 ____D C:\Program Files\Yahoo!
    2013-05-18 00:14 - 2013-04-06 04:27 - 00085504 ____A C:\Users\Edministrator\Documents\Reading List.xlr
    2013-05-17 16:22 - 2013-05-17 16:22 - 00000000 ____D C:\Users\Edministrator\AppData\Roaming\EPSON
    2013-05-16 13:51 - 2013-05-16 13:51 - 00080020 ____A C:\Users\Edministrator\Documents\Fridaygolf.xps
    2013-05-16 05:17 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\Microsoft.NET
    2013-05-16 03:03 - 2006-11-02 06:24 - 72607752 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2013-05-15 14:23 - 2013-05-14 19:43 - 00023656 ____A (ThreatTrack Security) C:\Windows\System32\Drivers\gfiutil.sys
    2013-05-11 10:50 - 2013-05-11 10:50 - 00001791 ____A C:\Users\Public\Desktop\FileZilla Client.lnk
    2013-05-11 10:50 - 2013-04-06 15:31 - 00000000 ____D C:\Program Files\FileZilla FTP Client
    2013-05-11 10:49 - 2013-05-11 10:49 - 04811793 ____A (FileZilla Project) C:\Users\Edministrator\Downloads\FileZilla_3.7.0.1_win32-setup.exe
    2013-05-05 15:25 - 2013-05-16 03:08 - 12324864 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2013-05-05 15:12 - 2013-05-16 03:08 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2013-05-05 12:18 - 2013-04-13 01:16 - 00011264 ____A C:\Users\Edministrator\Documents\EdDailyBloodPressure.xlr
    2013-05-04 21:40 - 2013-04-06 04:28 - 00000000 ____D C:\Users\Edministrator\Documents\EV stuff
    2013-05-04 03:36 - 2013-05-04 03:35 - 00006308 ____A C:\Windows\System32\lvcoinst.log
    ZeroAccess:
    C:\$Recycle.Bin\S-1-5-21-2286856821-3026158987-1088416257-1000\$b3f893802346af01b32a942f8f12ff62
    ==================== Bamital & volsnap Check =================
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

    Last Boot: 2013-05-30 07:13
    ==================== End Of Log ====================================

    Additional scan result of Farbar Recovery Scan Tool (x86) Version: 30-05-2013
    Ran by Edministrator at 2013-05-30 18:03:36 Run:
    Running from C:\Users\Edministrator\Desktop
    Boot Mode: Normal
    ==========================================================

    ==================== Installed Programs =======================
    Adobe Flash Player 11 ActiveX (Version: 11.7.700.169)
    Adobe Reader 8.1.2 (Version: 8.1.2)
    CaddieSync Express 1.5.8 (Version: 1.5.8)
    Cards_Calendar_OrderGift_DoMorePlugout (Version: 2.03.0000)
    Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
    CyberLink DVD Suite Deluxe (Version: .1707)
    DVD Play (Version: 2.4.5411)
    EditPad Lite 7.2.3 (Version: 7.2.3)
    EPSON Scan
    EPSON WorkForce 500 Series Printer Uninstall
    FileZilla Client 3.7.0.1 (Version: 3.7.0.1)
    Hewlett-Packard Active Check for Health Check (Version: 1.1.15.2)
    Hewlett-Packard Asset Agent for Health Check (Version: 2.0.63.2)
    HP Active Support Library (Version: 3.1.6.1)
    HP Customer Experience Enhancements (Version: 5.6.0.2510)
    HP Customer Feedback (Version: 1.0.0)
    HP Demo (Version: 1.00.0000)
    HP Photosmart Essential 2.5 (Version: 1.03.0000)
    HP Photosmart Essential 3.0 (Version: 3.0)
    HP Recovery Manager RSS (Version: 84.0.0.7)
    HP Total Care Advisor (Version: 2.3.4292.2709)
    HP Update (Version: 4.000.010.008)
    HPPhotoSmartPhotobookWebPack1 (Version: 2.03.0000)
    HPTCSSetup (Version: 1.0.964.2626)
    iolo technologies' System Mechanic (Version: 11.7.1)
    Java 7 Update 17 (Version: 7.0.170)
    Java Auto Updater (Version: 2.1.9.0)
    LabelPrint (Version: 2.2.2913)
    LightScribe System Software 1.14.17.1 (Version: 1.14.17.1)
    LightScribeTemplateLabeler (Version: 1.10.23.1)
    Logitech Vid HD (Version: 7.2 (7259))
    Logitech Webcam Software (Version: 12.10.1113)
    Logitech Webcam Software Driver Package (Version: 12.10.1110)
    Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
    Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
    Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
    Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.6612.1000)
    Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
    Microsoft Works (Version: 9.7.0621)
    MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
    MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
    muvee autoProducer 6.1 (Version: 6.10.050)
    My HP Games (Version: 1.0.0.52)
    NVIDIA Drivers
    OneClickdigital Media Manager (Version: 61.0.0.0)
    OpenOffice.org 3.4.1 (Version: 3.41.9593)
    PCIe Soft Data Fax Modem with SmartCP (Version: 7.71.00.50)
    PictureMover (Version: 3.0.1.52)
    Power2Go (Version: 5.6.4109)
    PowerDirector (Version: 6.5.2926)
    PSSWCORE (Version: 2.03.0000)
    Python 2.5.2 (Version: 2.5.2150)
    Realtek High Definition Audio Driver (Version: 6.0.1.5789)
    Revo Uninstaller 1.94 (Version: 1.94)
    Search Protect by conduit (Version: 1.4.1.12)
    Silicon Laboratories CP210x USB to UART Bridge (Driver Removal)
    TaxACT 2012 - 1040 Edition
    TaxACT 2012 Georgia
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
    VideoToolkit01 (Version: 110.0.171.000)
    VIPRE Internet Security (Version: 6.2.1.10)
    Yahoo! Messenger
    ==================== Restore Points =========================
    09-05-2013 20:32:11 Scheduled Checkpoint
    11-05-2013 05:00:28 Scheduled Checkpoint
    13-05-2013 02:34:32 Scheduled Checkpoint
    14-05-2013 05:00:20 Scheduled Checkpoint
    16-05-2013 01:00:59 Scheduled Checkpoint
    16-05-2013 07:00:18 Windows Update
    17-05-2013 02:46:40 Scheduled Checkpoint
    17-05-2013 17:06:03 Scheduled Checkpoint
    18-05-2013 16:40:00 Scheduled Checkpoint
    19-05-2013 05:00:25 Scheduled Checkpoint
    20-05-2013 05:40:18 Scheduled Checkpoint
    21-05-2013 00:35:49 Scheduled Checkpoint
    21-05-2013 16:18:11 Scheduled Checkpoint
    23-05-2013 03:20:27 Scheduled Checkpoint
    23-05-2013 15:45:33 Scheduled Checkpoint
    24-05-2013 04:18:43 Scheduled Checkpoint
    25-05-2013 04:17:37 Scheduled Checkpoint
    26-05-2013 04:02:04 Scheduled Checkpoint
    27-05-2013 12:15:11 Scheduled Checkpoint
    28-05-2013 04:51:41 Scheduled Checkpoint
    28-05-2013 23:36:07 Scheduled Checkpoint
    30-05-2013 08:30:42 Scheduled Checkpoint
    ==================== Hosts content: ==========================
    ::1 localhost
    127.0.0.1 localhost

    ==================== Faulty Device Manager Devices =============

    ==================== Event log errors: =========================
    Application errors:
    ==================
    Error: (05/28/2013 07:01:29 PM) (Source: WinMgmt) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
    Error: (05/28/2013 06:16:12 PM) (Source: WinMgmt) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
    Error: (05/28/2013 06:15:26 PM) (Source: EventSystem) (User: )
    Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c
    Error: (05/28/2013 09:41:21 AM) (Source: Application Error) (User: )
    Description: Faulting application iexplore.exe, version 9.0.8112.16483, time stamp 0x515df825, faulting module oehook.dll, version 3.2.3.0, time stamp 0x4924724a, exception code 0xc0000005, fault offset 0x00002012,
    process id 0xaa8, application start time 0xiexplore.exe0.
    Error: (05/28/2013 00:15:51 AM) (Source: WinMgmt) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
    Error: (05/28/2013 00:12:37 AM) (Source: Application Error) (User: )
    Description: Faulting application WinMail.exe, version 6.0.6001.18000, time stamp 0x47918ed8, faulting module oehook.dll, version 3.2.3.0, time stamp 0x4924724a, exception code 0xc0000005, fault offset 0x00002012,
    process id 0x7f8, application start time 0xWinMail.exe0.
    Error: (05/27/2013 07:35:17 AM) (Source: ESENT) (User: )
    Description: wuaueng.dll (1068) SUS20ClientDataStore: Database recovery/restore failed with unexpected error -501.
    Error: (05/27/2013 07:35:17 AM) (Source: ESENT) (User: )
    Description: wuaueng.dll (1068) SUS20ClientDataStore: Unable to read the header of logfile C:\Windows\SoftwareDistribution\DataStore\Logs\edb035F5.log. Error -501.
    Error: (05/27/2013 07:33:30 AM) (Source: WinMgmt) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
    Error: (05/27/2013 07:30:22 AM) (Source: ESENT) (User: )
    Description: wuaueng.dll (1116) SUS20ClientDataStore: The version store for this instance (0) has reached its maximum size of 8Mb. It is likely that a long-running transaction is preventing cleanup of the version store and causing it to build up in size. Updates will be rejected until the long-running transaction has been completely committed or rolled back.
    Possible long-running transaction:
    SessionId: 0x01550320
    Session-context: 0x00000000
    Session-context ThreadId: 0x000000D8
    Cleanup: 1

    System errors:
    =============
    Error: (05/30/2013 00:58:42 AM) (Source: Schannel) (User: )
    Description: An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
    Error: (05/28/2013 07:09:10 PM) (Source: Schannel) (User: )
    Description: An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
    Error: (05/28/2013 07:01:29 PM) (Source: Service Control Manager) (User: )
    Description: i8042prt
    SBRE
    Error: (05/28/2013 07:01:29 PM) (Source: Service Control Manager) (User: )
    Description: Computer Browser%%1060
    Error: (05/28/2013 07:01:29 PM) (Source: Service Control Manager) (User: )
    Description: Parallel port driver%%1058
    Error: (05/28/2013 06:19:33 PM) (Source: Service Control Manager) (User: )
    Description: VIPRE Internet Security
    Error: (05/28/2013 06:16:13 PM) (Source: Service Control Manager) (User: )
    Description: ElRawDisk
    i8042prt
    SBRE
    spldr
    Wanarpv6
    Error: (05/28/2013 06:16:13 PM) (Source: Service Control Manager) (User: )
    Description: Computer BrowserServer%%1068
    Error: (05/28/2013 06:15:29 PM) (Source: DCOM) (User: )
    Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}
    Error: (05/28/2013 06:15:29 PM) (Source: DCOM) (User: )
    Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

    Microsoft Office Sessions:
    =========================
    Error: (05/28/2013 07:01:29 PM) (Source: WinMgmt)(User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
    Error: (05/28/2013 06:16:12 PM) (Source: WinMgmt)(User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
    Error: (05/28/2013 06:15:26 PM) (Source: EventSystem)(User: )
    Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c
    Error: (05/28/2013 09:41:21 AM) (Source: Application Error)(User: )
    Description: iexplore.exe9.0.8112.16483515df825oehook.dll3.2.3.04924724ac000000500002012aa801ce5ba909e64c2b
    Error: (05/28/2013 00:15:51 AM) (Source: WinMgmt)(User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
    Error: (05/28/2013 00:12:37 AM) (Source: Application Error)(User: )
    Description: WinMail.exe6.0.6001.1800047918ed8oehook.dll3.2.3.04924724ac0000005000020127f801ce5b5994824549
    Error: (05/27/2013 07:35:17 AM) (Source: ESENT)(User: )
    Description: wuaueng.dll1068SUS20ClientDataStore: -501
    Error: (05/27/2013 07:35:17 AM) (Source: ESENT)(User: )
    Description: wuaueng.dll1068SUS20ClientDataStore: C:\Windows\SoftwareDistribution\DataStore\Logs\edb035F5.log-501
    Error: (05/27/2013 07:33:30 AM) (Source: WinMgmt)(User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
    Error: (05/27/2013 07:30:22 AM) (Source: ESENT)(User: )
    Description: wuaueng.dll1116SUS20ClientDataStore: 080x015503200x000000000x000000D81

    CodeIntegrity Errors:
    ===================================
    Date: 2013-05-30 18:02:57.631
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\sbhips.sys because the set of per-page image hashes could not be found on the system.
    Date: 2013-05-30 18:02:57.475
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\sbhips.sys because the set of per-page image hashes could not be found on the system.
    Date: 2013-05-30 18:02:57.335
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\sbhips.sys because the set of per-page image hashes could not be found on the system.
    Date: 2013-05-30 18:02:57.179
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\sbhips.sys because the set of per-page image hashes could not be found on the system.
    Date: 2013-05-30 18:02:56.789
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\SbFw.sys because the set of per-page image hashes could not be found on the system.
    Date: 2013-05-30 18:02:56.633
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\SbFw.sys because the set of per-page image hashes could not be found on the system.
    Date: 2013-05-30 18:02:56.492
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\SbFw.sys because the set of per-page image hashes could not be found on the system.
    Date: 2013-05-30 18:02:56.336
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\SbFw.sys because the set of per-page image hashes could not be found on the system.
    Date: 2013-05-28 18:48:44.496
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.
    Date: 2013-05-28 18:48:44.355
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.

    ==================== Memory info ===========================
    Percentage of memory in use: 40%
    Total physical RAM: 3453.57 MB
    Available physical RAM: 2071 MB
    Total Pagefile: 7119.59 MB
    Available Pagefile: 5909.11 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1910.29 MB
    ==================== Drives ================================
    Drive c: (COMPAQ) (Fixed) (Total:221.91 GB) (Free:159.59 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    Drive d: (FACTORY_IMAGE) (Fixed) (Total:10.97 GB) (Free:1.51 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Drive g: (SimpleDrive) (Fixed) (Total:232.88 GB) (Free:182.56 GB) NTFS
    ==================== MBR & Partition Table ==================
    ========================================================
    Disk: 0 (Size: 233 GB) (Disk ID: 1549F232)
    Partition 1: (Active) - (Size=222 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=11 GB) - (Type=07 NTFS)
    ========================================================
    Disk: 2 (MBR Code: Windows XP) (Size: 233 GB) (Disk ID: 4F38E226)
    Partition 1: (Not Active) - (Size=233 GB) - (Type=07 NTFS)
    ==================== End Of Log ============================
  7. emeraldnzl

    emeraldnzl Malware Specialist

    Joined:
    Nov 3, 2007
    Messages:
    2,570
    Hello edpled,

    Download attached fixlist.txt file and save it to the Desktop.

    NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

    After that

    Download OTL to your Desktop
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste in the contents of the code box below:

      Code:
      BASESERVICES
      dir C:\ /S /A:L /C
      %USERPROFILE%\..|smtmp;true;true;true /FP
      
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so.

    • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post back here.

    When you return, please post:
    • Fixlog.txt
    • OTL.txt
    • Extras.txt


  8. edpled

    edpled Thread Starter

    Joined:
    Aug 8, 2010
    Messages:
    48
    Programs executed. Following are fixlog.txt, OTL.txt and extras.txt:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 30-05-2013
    Ran by Edministrator at 2013-05-30 21:10:02 Run:1
    Running from C:\Users\Edministrator\Desktop
    Boot Mode: Normal
    ==============================================
    "C:\Program Files\Windows Defender" => Deleting junctions and unlocking files completed successfully.
    C:\$Recycle.Bin\S-1-5-21-2286856821-3026158987-1088416257-1000\$b3f893802346af01b32a942f8f12ff62 => Directory moved successfully.
    ==== End of Fixlog ====


    OTL logfile created on: 5/30/2013 21:12:31 - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Edministrator\Desktop
    Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.37 Gb Total Physical Memory | 2.11 Gb Available Physical Memory | 62.64% Memory free
    6.95 Gb Paging File | 5.82 Gb Available in Paging File | 83.70% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 221.91 Gb Total Space | 159.59 Gb Free Space | 71.92% Space Free | Partition Type: NTFS
    Drive D: | 10.97 Gb Total Space | 1.51 Gb Free Space | 13.76% Space Free | Partition Type: NTFS
    Drive G: | 232.88 Gb Total Space | 182.56 Gb Free Space | 78.39% Space Free | Partition Type: NTFS
    Drive I: | 14.90 Gb Total Space | 14.85 Gb Free Space | 99.67% Space Free | Partition Type: FAT32

    Computer Name: HOME-PC | User Name: Edministrator | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2013/05/30 20:58:52 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Edministrator\Desktop\OTL.exe
    PRC - [2013/05/21 23:45:46 | 001,072,664 | ---- | M] (iolo technologies, LLC) -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
    PRC - [2013/04/20 11:53:17 | 000,812,424 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\Macromed\Flash\FlashUtil32_11_7_700_169_ActiveX.exe
    PRC - [2013/02/20 21:33:32 | 003,154,752 | ---- | M] (GFI Software) -- C:\Program Files\GFI Software\VIPRE\SBAMTray.exe
    PRC - [2013/02/20 21:30:18 | 003,680,512 | ---- | M] (GFI Software) -- C:\Program Files\GFI Software\VIPRE\SBAMSvc.exe
    PRC - [2013/02/20 21:30:14 | 000,175,936 | ---- | M] (GFI Software) -- C:\Program Files\GFI Software\VIPRE\SBPIMSvc.exe
    PRC - [2012/07/02 16:10:32 | 000,115,568 | ---- | M] (GFI Software Development Ltd.) -- C:\Program Files\GFI Software\VIPRE\LanGuard 10 Agent\lnssatt.exe
    PRC - [2012/07/02 16:10:32 | 000,093,552 | ---- | M] (GFI Software Development Ltd.) -- C:\Program Files\GFI Software\VIPRE\LanGuard 10 Agent\mantle.exe
    PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


    ========== Modules (No Company Name) ==========

    MOD - [2013/05/10 14:56:08 | 000,093,696 | ---- | M] () -- C:\Program Files\FileZilla FTP Client\fzshellext.dll


    ========== Services (SafeList) ==========

    SRV - [2013/05/21 23:45:46 | 001,072,664 | ---- | M] (iolo technologies, LLC) [Auto | Running] -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe -- (ioloSystemService)
    SRV - [2013/04/20 11:53:20 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\WINDOWS\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2013/03/06 08:36:52 | 000,093,984 | ---- | M] (Conduit) [Disabled | Stopped] -- C:\Program Files\SearchProtect\bin\CltMngSvc.exe -- (CltMngSvc)
    SRV - [2013/02/20 21:30:18 | 003,680,512 | ---- | M] (GFI Software) [Auto | Running] -- C:\Program Files\GFI Software\VIPRE\SBAMSvc.exe -- (SBAMSvc)
    SRV - [2013/02/20 21:30:14 | 000,175,936 | ---- | M] (GFI Software) [Auto | Running] -- C:\Program Files\GFI Software\VIPRE\SBPIMSvc.exe -- (SBPIMSvc)
    SRV - [2012/07/02 16:10:32 | 000,115,568 | ---- | M] (GFI Software Development Ltd.) [Auto | Running] -- C:\Program Files\GFI Software\VIPRE\LanGuard 10 Agent\lnssatt.exe -- (gfi_lanss10_attservice)
    SRV - [2009/10/07 01:47:34 | 000,154,136 | ---- | M] (Logitech Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\SBREDrv.sys -- (SBRE)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
    DRV - [2013/05/15 14:23:01 | 000,023,656 | ---- | M] (ThreatTrack Security) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\gfiutil.sys -- (gfiutil)
    DRV - [2013/04/11 11:06:45 | 000,041,584 | ---- | M] (ThreatTrack Security) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\gfiark.sys -- (gfiark)
    DRV - [2013/03/17 23:36:22 | 000,068,464 | ---- | M] (Raxco Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\PDFsFilter.sys -- (PDFsFilter)
    DRV - [2012/12/26 21:02:44 | 000,226,672 | ---- | M] (GFI Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\SbFw.sys -- (SbFw)
    DRV - [2012/12/26 21:02:44 | 000,095,344 | ---- | M] (GFI Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\sbhips.sys -- (sbhips)
    DRV - [2012/12/11 21:02:16 | 000,076,064 | ---- | M] (GFI Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\sbwtis.sys -- (sbwtis)
    DRV - [2012/12/04 21:01:14 | 000,068,904 | ---- | M] (GFI Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\sbapifs.sys -- (sbapifs)
    DRV - [2012/09/24 19:26:18 | 000,096,288 | ---- | M] (GFI Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\SbFwIm.sys -- (SBFWIMCLMP)
    DRV - [2012/09/24 19:26:18 | 000,096,288 | ---- | M] (GFI Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\SbFwIm.sys -- (SBFWIMCL)
    DRV - [2012/04/17 08:25:02 | 000,027,080 | ---- | M] (EldoS Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\ElRawDsk.sys -- (ElRawDisk)
    DRV - [2009/10/07 01:46:36 | 000,025,752 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
    DRV - [2009/04/30 19:01:34 | 000,265,496 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\lvrs.sys -- (LVRS)
    DRV - [2009/04/30 18:55:56 | 002,687,512 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\LV302V32.SYS -- (PID_PEPI)
    DRV - [2009/04/30 18:55:32 | 000,013,976 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\lv302af.sys -- (pepifilter)
    DRV - [2008/08/01 19:51:14 | 001,052,704 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\nvmfdx32.sys -- (NVENETFD)
    DRV - [2008/06/06 15:13:40 | 000,133,152 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\nvrd32.sys -- (nvrd32)
    DRV - [2008/06/06 15:13:10 | 000,145,440 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\nvstor32.sys -- (nvstor32)
    DRV - [2008/05/22 10:49:00 | 007,465,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2008/05/22 05:39:34 | 000,015,360 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\nvsmu.sys -- (nvsmu)
    DRV - [2008/02/12 11:27:34 | 000,207,360 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\HSXHWBS3.sys -- (HSXHWBS3)
    DRV - [2008/02/12 11:25:22 | 000,985,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\HSX_DP.sys -- (HSF_DP)
    DRV - [2007/10/18 11:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\XAudio.sys -- (XAudio)
    DRV - [2007/07/13 08:18:20 | 000,050,688 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\Rtnicxp.sys -- (RTL8023xp)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
    IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7
    IE - HKLM\..\SearchScopes\{84dc9f6c-c9a5-4c64-ab67-d6ef60f963c8}: "URL" = http://search.mywebsearch.com/myweb...&n=77fc8fdd&psa=&st=sb&searchfor={searchTerms}
    IE - HKLM\..\SearchScopes\{BB67E9B4-E19D-4753-A3FB-5C52509D3BF9}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-psdt
    IE - HKLM\..\SearchScopes\{D20B6448-844F-44E8-96EB-AEDDA205B403}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscqd

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.accessnorthga.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKCU\..\SearchScopes,DefaultScope = {F85C1AD7-228A-4E9D-86AB-6A2C4563A6E5}
    IE - HKCU\..\SearchScopes\{84dc9f6c-c9a5-4c64-ab67-d6ef60f963c8}: "URL" = http://search.mywebsearch.com/myweb...&n=77fc8fdd&psa=&st=sb&searchfor={searchTerms}
    IE - HKCU\..\SearchScopes\{9C5CA580-A48D-4030-AB35-D78B61D7D8F2}: "URL" = http://search.conduit.com/ResultsEx...89847&CUI=UN22761286072919264&UM=2&SSPV=TB_T3
    IE - HKCU\..\SearchScopes\{BB67E9B4-E19D-4753-A3FB-5C52509D3BF9}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-psdt
    IE - HKCU\..\SearchScopes\{F85C1AD7-228A-4E9D-86AB-6A2C4563A6E5}: "URL" = http://www.google.com/search?q={sea...x?}&startPage={startPage}&rlz=1I7MXGB_enUS532
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    ========== FireFox ==========

    FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.17.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)


    [2013/04/06 06:25:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla FireFox\extensions

    O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\WINDOWS\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [SBAMTray] C:\Program Files\GFI Software\VIPRE\SBAMTray.exe (GFI Software)
    O4 - HKLM..\Run: [SBRegRebootCleaner] C:\Program Files\GFI Software\VIPRE\SBRC.exe (GFI Software)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Activities present
    O13 - gopher Prefix: missing
    O15 - HKCU\..Trusted Ranges: Range1 ([http] in Local intranet)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 97.81.22.195 71.92.29.130
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7CE36365-C172-44CC-B6BF-306BFD008961}: DhcpNameServer = 192.168.1.1 97.81.22.195 71.92.29.130
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\WINDOWS\System32\userinit.exe (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2008/08/28 06:11:22 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: ("autocheck autochk *")
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

    ========== Files/Folders - Created Within 30 Days ==========

    [2013/05/30 21:09:13 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Edministrator\Desktop\OTL.exe
    [2013/05/30 18:02:35 | 000,000,000 | ---D | C] -- C:\FRST
    [2013/05/30 17:56:45 | 001,355,557 | ---- | C] (Farbar) -- C:\Users\Edministrator\Desktop\FRST.exe
    [2013/05/24 07:13:52 | 000,027,080 | ---- | C] (EldoS Corporation) -- C:\Windows\System32\drivers\ElRawDsk.sys
    [2013/05/22 20:33:44 | 000,000,000 | ---D | C] -- C:\Windows\Ulead.dat
    [2013/05/22 19:24:31 | 000,000,000 | ---D | C] -- C:\Users\Edministrator\Desktop\files
    [2013/05/22 19:24:04 | 000,000,000 | ---D | C] -- C:\Users\Edministrator\Desktop\saver
    [2013/05/22 18:32:08 | 000,000,000 | ---D | C] -- C:\Users\Edministrator\AppData\Local\MigWiz
    [2013/05/18 15:49:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Yahoo! Messenger
    [2013/05/18 15:49:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Yahoo!
    [2013/05/17 16:22:22 | 000,000,000 | ---D | C] -- C:\Users\Edministrator\AppData\Roaming\EPSON
    [2013/05/16 03:08:57 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
    [2013/05/16 03:00:52 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
    [2013/05/16 03:00:52 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
    [2013/05/16 03:00:51 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
    [2013/05/16 03:00:50 | 000,607,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
    [2013/05/16 03:00:48 | 001,800,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
    [2013/05/16 03:00:48 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
    [2013/05/16 03:00:46 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
    [2013/05/15 16:13:50 | 000,037,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\cdd.dll
    [2013/05/15 16:13:44 | 002,049,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
    [2013/05/14 19:43:26 | 000,023,656 | ---- | C] (ThreatTrack Security) -- C:\Windows\System32\drivers\gfiutil.sys
    [1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2013/05/30 21:10:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2013/05/30 21:00:03 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2013/05/30 21:00:03 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2013/05/30 20:58:52 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Edministrator\Desktop\OTL.exe
    [2013/05/30 20:42:41 | 000,018,490 | ---- | M] () -- C:\Users\Edministrator\Documents\MON - FRIDAY GOLF AT CGC.pdf
    [2013/05/30 20:40:54 | 000,021,206 | ---- | M] () -- C:\Users\Edministrator\Documents\MON - FRIDAY GOLF AT CGC.ods
    [2013/05/30 18:00:57 | 000,639,904 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2013/05/30 18:00:57 | 000,118,156 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2013/05/30 17:56:00 | 001,355,557 | ---- | M] (Farbar) -- C:\Users\Edministrator\Desktop\FRST.exe
    [2013/05/30 04:03:50 | 000,001,918 | ---- | M] () -- C:\Users\Edministrator\AppData\Roaming\wklnhst.dat
    [2013/05/28 19:00:05 | 000,329,792 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2013/05/28 18:59:57 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2013/05/28 18:59:46 | 3622,244,352 | -HS- | M] () -- C:\hiberfil.sys
    [2013/05/28 18:12:25 | 002,250,054 | ---- | M] () -- C:\ProgramData\1.bmp
    [2013/05/28 08:44:22 | 000,030,720 | ---- | M] () -- C:\Users\Edministrator\Documents\2013TaxWorksheet.xlr
    [2013/05/27 15:09:28 | 000,013,540 | ---- | M] () -- C:\Users\Edministrator\Documents\Ebay for Carlyle.ods
    [2013/05/25 10:16:26 | 000,012,800 | ---- | M] () -- C:\Users\Edministrator\Documents\EdsMeds.xlr
    [2013/05/22 20:35:16 | 000,000,510 | ---- | M] () -- C:\Windows\ULead32.ini
    [2013/05/22 20:30:39 | 000,003,584 | ---- | M] () -- C:\Users\Edministrator\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2013/05/22 19:36:48 | 000,000,680 | ---- | M] () -- C:\Users\Edministrator\AppData\Local\d3d9caps.dat
    [2013/05/22 00:08:38 | 000,041,616 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\iolobtdfg.exe
    [2013/05/22 00:08:30 | 000,023,568 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\smrgdf.exe
    [2013/05/21 23:48:08 | 002,097,472 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\Incinerator32.dll
    [2013/05/18 00:14:22 | 000,085,504 | ---- | M] () -- C:\Users\Edministrator\Documents\Reading List.xlr
    [2013/05/16 13:51:53 | 000,080,020 | ---- | M] () -- C:\Users\Edministrator\Documents\Fridaygolf.xps
    [2013/05/15 14:23:01 | 000,023,656 | ---- | M] (ThreatTrack Security) -- C:\Windows\System32\drivers\gfiutil.sys
    [2013/05/11 10:50:28 | 000,001,791 | ---- | M] () -- C:\Users\Public\Desktop\FileZilla Client.lnk
    [2013/05/05 15:12:55 | 002,382,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
    [2013/05/05 12:18:50 | 000,011,264 | ---- | M] () -- C:\Users\Edministrator\Documents\EdDailyBloodPressure.xlr
    [1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2013/05/30 20:42:39 | 000,018,490 | ---- | C] () -- C:\Users\Edministrator\Documents\MON - FRIDAY GOLF AT CGC.pdf
    [2013/05/28 18:59:46 | 3622,244,352 | -HS- | C] () -- C:\hiberfil.sys
    [2013/05/28 18:12:25 | 002,250,054 | ---- | C] () -- C:\ProgramData\1.bmp
    [2013/05/27 15:07:35 | 000,013,540 | ---- | C] () -- C:\Users\Edministrator\Documents\Ebay for Carlyle.ods
    [2013/05/22 20:33:44 | 000,000,510 | ---- | C] () -- C:\Windows\ULead32.ini
    [2013/05/22 20:30:39 | 000,003,584 | ---- | C] () -- C:\Users\Edministrator\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2013/05/18 15:49:49 | 000,000,680 | ---- | C] () -- C:\Users\Edministrator\AppData\Local\d3d9caps.dat
    [2013/05/16 13:51:52 | 000,080,020 | ---- | C] () -- C:\Users\Edministrator\Documents\Fridaygolf.xps
    [2013/05/11 10:50:28 | 000,001,791 | ---- | C] () -- C:\Users\Public\Desktop\FileZilla Client.lnk
    [2013/04/27 17:29:48 | 000,350,795 | ---- | C] () -- C:\ProgramData\1.jpg
    [2013/04/12 17:32:20 | 000,082,289 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
    [2013/04/09 02:41:02 | 000,074,703 | ---- | C] () -- C:\Windows\System32\mfc45.dat
    [2013/04/09 02:20:42 | 002,319,536 | ---- | C] () -- C:\Windows\System32\Incinerator.dll
    [2013/04/09 02:16:50 | 000,074,703 | ---- | C] () -- C:\Windows\System32\mfc45.dll
    [2013/04/06 16:51:44 | 000,073,220 | ---- | C] () -- C:\Windows\System32\EPPICPrinterDB.dat
    [2013/04/06 16:51:44 | 000,031,053 | ---- | C] () -- C:\Windows\System32\EPPICPattern131.dat
    [2013/04/06 16:51:44 | 000,029,114 | ---- | C] () -- C:\Windows\System32\EPPICPattern1.dat
    [2013/04/06 16:51:44 | 000,027,417 | ---- | C] () -- C:\Windows\System32\EPPICPattern121.dat
    [2013/04/06 16:51:44 | 000,021,021 | ---- | C] () -- C:\Windows\System32\EPPICPattern3.dat
    [2013/04/06 16:51:44 | 000,015,670 | ---- | C] () -- C:\Windows\System32\EPPICPattern5.dat
    [2013/04/06 16:51:44 | 000,013,280 | ---- | C] () -- C:\Windows\System32\EPPICPattern2.dat
    [2013/04/06 16:51:44 | 000,010,673 | ---- | C] () -- C:\Windows\System32\EPPICPattern4.dat
    [2013/04/06 16:51:44 | 000,004,943 | ---- | C] () -- C:\Windows\System32\EPPICPattern6.dat
    [2013/04/06 16:51:44 | 000,001,140 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_PT.dat
    [2013/04/06 16:51:44 | 000,001,140 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_BP.dat
    [2013/04/06 16:51:44 | 000,001,137 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_ES.dat
    [2013/04/06 16:51:44 | 000,001,130 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_FR.dat
    [2013/04/06 16:51:44 | 000,001,130 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_CF.dat
    [2013/04/06 16:51:44 | 000,001,104 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_EN.dat
    [2013/04/06 16:51:44 | 000,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini
    [2013/04/06 16:07:31 | 000,000,048 | ---- | C] () -- C:\Windows\TaxACT12.ini
    [2013/04/06 03:05:42 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
    [2013/04/06 03:05:42 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
    [2013/04/06 03:01:36 | 000,001,918 | ---- | C] () -- C:\Users\Edministrator\AppData\Roaming\wklnhst.dat
    [2013/04/06 02:14:34 | 000,004,984 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
    [2013/04/06 02:13:26 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin

    ========== ZeroAccess Check ==========

    [2006/11/02 08:51:16 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
    "ThreadingModel" = Both
    "" = shell32.dll -- [2012/06/08 13:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 13:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 02:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
    "" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 02:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    ========== Custom Scans ==========

    ========== Base Services ==========
    SRV - [2006/11/02 05:46:02 | 000,024,576 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\aelupsvc.dll -- (AeLookupSvc)
    SRV - [2008/01/20 22:33:54 | 000,033,280 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\System32\appinfo.dll -- (Appinfo)
    SRV - [2008/01/20 22:33:53 | 000,059,392 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\alg.exe -- (ALG)
    SRV - [2009/04/11 02:28:23 | 000,758,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\qmgr.dll -- (BITS)
    SRV - [2009/04/11 02:28:18 | 000,334,848 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\BFE.DLL -- (BFE)
    SRV - [2011/11/16 10:12:25 | 000,009,728 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\lsass.exe -- (KeyIso)
    SRV - [2009/04/11 02:28:19 | 000,268,800 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\es.dll -- (EventSystem)
    SRV - [2008/01/20 22:34:20 | 000,081,920 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\System32\browser.dll -- (Browser)
    SRV - [2012/06/01 20:02:32 | 000,133,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\cryptsvc.dll -- (CryptSvc)
    SRV - [2009/04/11 02:28:24 | 000,550,400 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\rpcss.dll -- (DcomLaunch)
    SRV - [2009/04/11 02:28:18 | 000,204,288 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\dhcpcsvc.dll -- (Dhcp)
    SRV - [2011/03/02 11:44:27 | 000,086,528 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\dnsrslvr.dll -- (Dnscache)
    SRV - [2008/01/20 22:34:51 | 000,057,344 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\eapsvc.dll -- (EapHost)
    SRV - [2009/04/11 02:28:19 | 000,026,112 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\hidserv.dll -- (hidserv)
    No service found with a name of SharedAccess
    SRV - [2009/04/11 02:28:20 | 000,364,032 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\IPSECSVC.DLL -- (PolicyAgent)
    No service found with a name of MsMpSvc
    No service found with a name of NisSrv
    SRV - [2009/04/11 02:28:24 | 000,311,808 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\swprv.dll -- (swprv)
    SRV - [2008/01/20 22:34:43 | 000,045,056 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\mmcss.dll -- (MMCSS)
    SRV - [2008/01/20 22:33:50 | 000,274,432 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\System32\netman.dll -- (Netman)
    SRV - [2008/01/20 22:34:04 | 000,237,056 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\netprofm.dll -- (netprofm)
    SRV - [2008/01/20 22:33:15 | 000,168,448 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\nlasvc.dll -- (NlaSvc)
    SRV - [2008/01/20 22:34:35 | 000,018,432 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\nsisvc.dll -- (nsi)
    SRV - [2009/04/11 02:28:25 | 000,222,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\umpnpmgr.dll -- (PlugPlay)
    SRV - [2010/08/17 10:11:37 | 000,128,000 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\spoolsv.exe -- (Spooler)
    SRV - [2011/11/16 10:12:25 | 000,009,728 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\System32\lsass.exe -- (ProtectedStorage)
    SRV - [2009/04/11 02:28:19 | 000,564,224 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\emdmgmt.dll -- (EMDMgmt)
    SRV - [2008/01/20 22:34:00 | 000,090,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\rasauto.dll -- (RasAuto)
    SRV - [2009/04/11 02:28:24 | 000,262,144 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\System32\rasmans.dll -- (RasMan)
    SRV - [2009/04/11 02:28:24 | 000,550,400 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\rpcss.dll -- (RpcSs)
    SRV - [2008/01/20 22:34:19 | 000,019,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\seclogon.dll -- (seclogon)
    SRV - [2011/11/16 10:12:25 | 000,009,728 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\lsass.exe -- (SamSs)
    No service found with a name of wscsvc
    SRV - [2010/09/06 12:20:29 | 000,125,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\srvsvc.dll -- (LanmanServer)
    SRV - [2009/07/10 07:47:42 | 000,247,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\shsvcs.dll -- (ShellHWDetection)
    SRV - [2009/04/11 02:27:49 | 003,408,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\SLsvc.exe -- (slsvc)
    SRV - [2010/11/04 14:55:12 | 000,601,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\schedsvc.dll -- (Schedule)
    SRV - [2009/04/11 02:28:24 | 000,242,688 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\System32\tapisrv.dll -- (TapiSrv)
    SRV - [2009/07/10 07:47:42 | 000,247,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\shsvcs.dll -- (Themes)
    SRV - [2009/04/11 02:28:23 | 000,153,088 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\profsvc.dll -- (ProfSvc)
    SRV - [2009/04/11 02:28:10 | 001,055,232 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\VSSVC.exe -- (VSS)
    SRV - [2009/04/11 02:28:18 | 000,315,392 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\audiosrv.dll -- (Audiosrv)
    SRV - [2009/04/11 02:28:18 | 000,315,392 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\audiosrv.dll -- (AudioEndpointBuilder)
    SRV - [2008/01/20 22:32:53 | 000,104,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\sdrsvc.dll -- (SDRSVC)
    No service found with a name of WinDefend
    SRV - [2009/04/11 02:28:25 | 001,017,856 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\wevtsvc.dll -- (Eventlog)
    No service found with a name of MpsSvc
    SRV - [2009/04/11 02:28:25 | 000,453,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\wiaservc.dll -- (stisvc)
    SRV - [2009/04/11 02:27:45 | 000,073,216 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\msiexec.exe -- (msiserver)
    SRV - [2009/04/11 02:28:25 | 000,162,304 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\wbem\WMIsvc.dll -- (Winmgmt)
    SRV - [2012/06/02 18:19:17 | 001,933,848 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\wuaueng.dll -- (wuauserv)
    SRV - [2009/04/11 02:28:18 | 000,175,616 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\dot3svc.dll -- (dot3svc)
    SRV - [2009/07/11 15:01:42 | 000,513,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\wlansvc.dll -- (Wlansvc)
    SRV - [2009/06/10 07:42:23 | 000,160,256 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\wkssvc.dll -- (LanmanWorkstation)

    < dir C:\ /S /A:L /C >
    Volume in drive C is COMPAQ
    Volume Serial Number is 3AB6-BBB0
    Directory of C:\
    04/06/2013 00:14 <JUNCTION> Documents and Settings [C:\Users]
    0 File(s) 0 bytes
    Directory of C:\ProgramData
    04/06/2013 00:14 <JUNCTION> Application Data [C:\ProgramData]
    04/06/2013 00:14 <JUNCTION> Desktop [C:\Users\Public\Desktop]
    04/06/2013 00:14 <JUNCTION> Documents [C:\Users\Public\Documents]
    04/06/2013 00:14 <JUNCTION> Favorites [C:\Users\Public\Favorites]
    04/06/2013 00:14 <JUNCTION> Start Menu [C:\ProgramData\Microsoft\Windows\Start Menu]
    04/06/2013 00:14 <JUNCTION> Templates [C:\ProgramData\Microsoft\Windows\Templates]
    0 File(s) 0 bytes
    Directory of C:\Users
    04/06/2013 00:14 <SYMLINKD> All Users [C:\ProgramData]
    04/06/2013 00:14 <JUNCTION> Default User [C:\Users\Default]
    0 File(s) 0 bytes
    Directory of C:\Users\All Users
    04/06/2013 00:14 <JUNCTION> Application Data [C:\ProgramData]
    04/06/2013 00:14 <JUNCTION> Desktop [C:\Users\Public\Desktop]
    04/06/2013 00:14 <JUNCTION> Documents [C:\Users\Public\Documents]
    04/06/2013 00:14 <JUNCTION> Favorites [C:\Users\Public\Favorites]
    04/06/2013 00:14 <JUNCTION> Start Menu [C:\ProgramData\Microsoft\Windows\Start Menu]
    04/06/2013 00:14 <JUNCTION> Templates [C:\ProgramData\Microsoft\Windows\Templates]
    0 File(s) 0 bytes
    Directory of C:\Users\Default
    04/06/2013 00:14 <JUNCTION> Application Data [C:\Users\Default\AppData\Roaming]
    04/06/2013 00:14 <JUNCTION> Cookies [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies]
    04/06/2013 00:14 <JUNCTION> Local Settings [C:\Users\Default\AppData\Local]
    04/06/2013 00:14 <JUNCTION> My Documents [C:\Users\Default\Documents]
    04/06/2013 00:14 <JUNCTION> NetHood [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
    04/06/2013 00:14 <JUNCTION> PrintHood [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
    04/06/2013 00:14 <JUNCTION> Recent [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent]
    04/06/2013 00:14 <JUNCTION> SendTo [C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo]
    04/06/2013 00:14 <JUNCTION> Start Menu [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu]
    04/06/2013 00:14 <JUNCTION> Templates [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates]
    0 File(s) 0 bytes
    Directory of C:\Users\Default\AppData\Local
    04/06/2013 00:14 <JUNCTION> Application Data [C:\Users\Default\AppData\Local]
    04/06/2013 00:14 <JUNCTION> History [C:\Users\Default\AppData\Local\Microsoft\Windows\History]
    04/06/2013 00:14 <JUNCTION> Temporary Internet Files [C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files]
    0 File(s) 0 bytes
    Directory of C:\Users\Default\Documents
    04/06/2013 00:14 <JUNCTION> My Music [C:\Users\Default\Music]
    04/06/2013 00:14 <JUNCTION> My Pictures [C:\Users\Default\Pictures]
    04/06/2013 00:14 <JUNCTION> My Videos [C:\Users\Default\Videos]
    0 File(s) 0 bytes
    Directory of C:\Users\Edministrator
    04/06/2013 00:15 <JUNCTION> Application Data [C:\Users\Edministrator\AppData\Roaming]
    04/06/2013 00:15 <JUNCTION> Cookies [C:\Users\Edministrator\AppData\Roaming\Microsoft\Windows\Cookies]
    04/06/2013 00:15 <JUNCTION> Local Settings [C:\Users\Edministrator\AppData\Local]
    04/06/2013 00:15 <JUNCTION> My Documents [C:\Users\Edministrator\Documents]
    04/06/2013 00:15 <JUNCTION> NetHood [C:\Users\Edministrator\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
    04/06/2013 00:15 <JUNCTION> PrintHood [C:\Users\Edministrator\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
    04/06/2013 00:15 <JUNCTION> Recent [C:\Users\Edministrator\AppData\Roaming\Microsoft\Windows\Recent]
    04/06/2013 00:15 <JUNCTION> SendTo [C:\Users\Edministrator\AppData\Roaming\Microsoft\Windows\SendTo]
    04/06/2013 00:15 <JUNCTION> Start Menu [C:\Users\Edministrator\AppData\Roaming\Microsoft\Windows\Start Menu]
    04/06/2013 00:15 <JUNCTION> Templates [C:\Users\Edministrator\AppData\Roaming\Microsoft\Windows\Templates]
    0 File(s) 0 bytes
    Directory of C:\Users\Edministrator\AppData\Local
    04/06/2013 00:15 <JUNCTION> Application Data [C:\Users\Edministrator\AppData\Local]
    04/06/2013 00:15 <JUNCTION> History [C:\Users\Edministrator\AppData\Local\Microsoft\Windows\History]
    04/06/2013 00:15 <JUNCTION> Temporary Internet Files [C:\Users\Edministrator\AppData\Local\Microsoft\Windows\Temporary Internet Files]
    0 File(s) 0 bytes
    Directory of C:\Users\Guest
    04/08/2013 16:39 <JUNCTION> Application Data [C:\Users\Guest\AppData\Roaming]
    04/08/2013 16:39 <JUNCTION> Cookies [C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Cookies]
    04/08/2013 16:39 <JUNCTION> Local Settings [C:\Users\Guest\AppData\Local]
    04/08/2013 16:39 <JUNCTION> My Documents [C:\Users\Guest\Documents]
    04/08/2013 16:39 <JUNCTION> NetHood [C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
    04/08/2013 16:39 <JUNCTION> PrintHood [C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
    04/08/2013 16:39 <JUNCTION> Recent [C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Recent]
    04/08/2013 16:39 <JUNCTION> SendTo [C:\Users\Guest\AppData\Roaming\Microsoft\Windows\SendTo]
    04/08/2013 16:39 <JUNCTION> Start Menu [C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu]
    04/08/2013 16:39 <JUNCTION> Templates [C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Templates]
    0 File(s) 0 bytes
    Directory of C:\Users\Guest\AppData\Local
    04/08/2013 16:39 <JUNCTION> Application Data [C:\Users\Guest\AppData\Local]
    04/08/2013 16:39 <JUNCTION> History [C:\Users\Guest\AppData\Local\Microsoft\Windows\History]
    04/08/2013 16:39 <JUNCTION> Temporary Internet Files [C:\Users\Guest\AppData\Local\Microsoft\Windows\Temporary Internet Files]
    0 File(s) 0 bytes
    Directory of C:\Users\Guest\Documents
    04/08/2013 16:39 <JUNCTION> My Music [C:\Users\Guest\Music]
    04/08/2013 16:39 <JUNCTION> My Pictures [C:\Users\Guest\Pictures]
    04/08/2013 16:39 <JUNCTION> My Videos [C:\Users\Guest\Videos]
    0 File(s) 0 bytes
    Directory of C:\Users\Public\Documents
    04/06/2013 00:14 <JUNCTION> My Music [C:\Users\Public\Music]
    04/06/2013 00:14 <JUNCTION> My Pictures [C:\Users\Public\Pictures]
    04/06/2013 00:14 <JUNCTION> My Videos [C:\Users\Public\Videos]
    0 File(s) 0 bytes
    Directory of C:\Users\Sissy
    04/06/2013 03:28 <JUNCTION> Application Data [C:\Users\Sissy\AppData\Roaming]
    04/06/2013 03:28 <JUNCTION> Cookies [C:\Users\Sissy\AppData\Roaming\Microsoft\Windows\Cookies]
    04/06/2013 03:28 <JUNCTION> Local Settings [C:\Users\Sissy\AppData\Local]
    04/06/2013 03:28 <JUNCTION> My Documents [C:\Users\Sissy\Documents]
    04/06/2013 03:28 <JUNCTION> NetHood [C:\Users\Sissy\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
    04/06/2013 03:28 <JUNCTION> PrintHood [C:\Users\Sissy\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
    04/06/2013 03:28 <JUNCTION> Recent [C:\Users\Sissy\AppData\Roaming\Microsoft\Windows\Recent]
    04/06/2013 03:28 <JUNCTION> SendTo [C:\Users\Sissy\AppData\Roaming\Microsoft\Windows\SendTo]
    04/06/2013 03:28 <JUNCTION> Start Menu [C:\Users\Sissy\AppData\Roaming\Microsoft\Windows\Start Menu]
    04/06/2013 03:28 <JUNCTION> Templates [C:\Users\Sissy\AppData\Roaming\Microsoft\Windows\Templates]
    0 File(s) 0 bytes
    Directory of C:\Users\Sissy\AppData\Local
    04/06/2013 03:28 <JUNCTION> Application Data [C:\Users\Sissy\AppData\Local]
    04/06/2013 03:28 <JUNCTION> History [C:\Users\Sissy\AppData\Local\Microsoft\Windows\History]
    04/06/2013 03:28 <JUNCTION> Temporary Internet Files [C:\Users\Sissy\AppData\Local\Microsoft\Windows\Temporary Internet Files]
    0 File(s) 0 bytes
    Directory of C:\Users\Sissy\Documents
    04/06/2013 03:28 <JUNCTION> My Music [C:\Users\Sissy\Music]
    04/06/2013 03:28 <JUNCTION> My Pictures [C:\Users\Sissy\Pictures]
    04/06/2013 03:28 <JUNCTION> My Videos [C:\Users\Sissy\Videos]
    0 File(s) 0 bytes
    Directory of C:\WINDOWS\winsxs\x86_security-malware-windows-defender-events_31bf3856ad364e35_6.0.6000.16386_none_b3613e39beae266f
    11/02/2006 08:33 <SYMLINK> MpEvMsg.dll [...]
    1 File(s) 65,640 bytes
    Directory of C:\WINDOWS\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5
    11/02/2006 08:33 <SYMLINK> MpAsDesc.dll [...]
    01/20/2008 22:32 <SYMLINK> MpClient.dll [...]
    01/20/2008 22:33 <SYMLINK> MpCmdRun.exe [...]
    01/20/2008 22:33 <SYMLINK> MpOAV.dll [...]
    01/20/2008 22:33 <SYMLINK> MpRtMon.dll [...]
    01/20/2008 22:33 <SYMLINK> MpRtPlug.dll [...]
    01/20/2008 22:33 <SYMLINK> MpSigDwn.dll [...]
    01/20/2008 22:33 <SYMLINK> MpSvc.dll [...]
    01/20/2008 22:33 <SYMLINK> MSASCui.exe [...]
    01/20/2008 22:33 <SYMLINK> MsMpCom.dll [...]
    11/02/2006 08:33 <SYMLINK> MsMpLics.dll [...]
    11/02/2006 08:33 <SYMLINK> MsMpRes.dll [...]
    12 File(s) 3,765,552 bytes
    Directory of C:\WINDOWS\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411
    11/02/2006 08:33 <SYMLINK> MpAsDesc.dll [...]
    01/20/2008 22:32 <SYMLINK> MpClient.dll [...]
    01/20/2008 22:33 <SYMLINK> MpCmdRun.exe [...]
    01/20/2008 22:33 <SYMLINK> MpOAV.dll [...]
    01/20/2008 22:33 <SYMLINK> MpRtMon.dll [...]
    01/20/2008 22:33 <SYMLINK> MpRtPlug.dll [...]
    01/20/2008 22:33 <SYMLINK> MpSigDwn.dll [...]
    04/11/2009 02:27 <SYMLINK> MpSoftEx.dll [...]
    01/20/2008 22:33 <SYMLINK> MpSvc.dll [...]
    01/20/2008 22:33 <SYMLINK> MSASCui.exe [...]
    01/20/2008 22:33 <SYMLINK> MsMpCom.dll [...]
    11/02/2006 08:33 <SYMLINK> MsMpLics.dll [...]
    11/02/2006 08:33 <SYMLINK> MsMpRes.dll [...]
    13 File(s) 4,278,552 bytes
    Total Files Listed:
    26 File(s) 8,109,744 bytes
    79 Dir(s) 171,358,318,592 bytes free

    < %USERPROFILE%\..|smtmp;true;true;true /FP >
    < End of report >


    OTL Extras logfile created on: 5/30/2013 21:12:31 - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Edministrator\Desktop
    Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.37 Gb Total Physical Memory | 2.11 Gb Available Physical Memory | 62.64% Memory free
    6.95 Gb Paging File | 5.82 Gb Available in Paging File | 83.70% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 221.91 Gb Total Space | 159.59 Gb Free Space | 71.92% Space Free | Partition Type: NTFS
    Drive D: | 10.97 Gb Total Space | 1.51 Gb Free Space | 13.76% Space Free | Partition Type: NTFS
    Drive G: | 232.88 Gb Total Space | 182.56 Gb Free Space | 78.39% Space Free | Partition Type: NTFS
    Drive I: | 14.90 Gb Total Space | 14.85 Gb Free Space | 99.67% Space Free | Partition Type: FAT32

    Computer Name: HOME-PC | User Name: Edministrator | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
    .html [@ = ChromeHTML] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    htmlfile [edit] -- Reg Error: Key error.
    http [open] -- Reg Error: Value error.
    https [open] -- Reg Error: Value error.
    inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 0
    "UacDisableNotify" = 0
    "InternetSettingsDisableNotify" = 0
    "AutoUpdateDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "VistaSp2" = Reg Error: Unknown registry data type -- File not found

    ========== Firewall Settings ==========

    ========== Authorized Applications List ==========


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{09633A5E-3089-41A8-9FF1-382171423C5D}" = PSSWCORE
    "{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
    "{0E7DBD52-B097-4F2B-A7C7-F105B0D20FDB}" = LightScribe System Software 1.14.17.1
    "{15B8AFD9-92E9-4E86-96D9-83FAC510B82E}" = HPPhotoSmartPhotobookWebPack1
    "{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
    "{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite Deluxe
    "{22F761D1-8063-4170-ADF7-2D2F47834CA9}" = VideoToolkit01
    "{254C37AA-6B72-4300-84F6-98A82419187E}" = Hewlett-Packard Active Check for Health Check
    "{26A24AE4-039D-4CA4-87B4-2F83217017FF}" = Java 7 Update 17
    "{305D4B08-5807-4475-B1C8-D54685534864}" = LightScribeTemplateLabeler
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
    "{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = DVD Play
    "{48BF4489-0C58-4E80-BB17-94A673CE310A}" = HP Demo
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{55FD1D5A-7AEF-4DA3-8FAF-A71B2A52FFC7}_is1" = iolo technologies' System Mechanic
    "{5DAA9C36-8F8B-462F-8CCA-E205BC3751F5}" = HP Active Support Library
    "{669D4A35-146B-4314-89F1-1AC3D7B88367}" = Hewlett-Packard Asset Agent for Health Check
    "{6B976ADF-8AE8-434E-B282-A06C7F624D2F}" = Python 2.5.2
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{9DBA770F-BF73-4D39-B1DF-6035D95268FC}" = HP Customer Feedback
    "{9F1F2AEA-C72A-4DD6-991E-C5506A5625E4}" = OpenOffice.org 3.4.1
    "{A0640EC2-B97E-4FC1-AD14-227C9E386BB4}" = HP Recovery Manager RSS
    "{A2FA012E-27C7-4308-9457-5FCFB84B0436}" = PictureMover
    "{A46F7968-271D-48D5-BCE9-568624123A48}" = VIPRE Internet Security
    "{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
    "{B9AB88D8-3A09-4A4A-8993-0E2F6F9F294B}" = muvee autoProducer 6.1
    "{C1D1FC57-3EB9-4B21-BCA3-F1C927508200}" = VIPRE Internet Security
    "{C259BBE2-2531-4387-B5E3-9E6845854272}" = OneClickdigital Media Manager
    "{C27BC2A2-30DD-4014-B22E-63EB0DB572F9}" = Logitech Webcam Software
    "{C27C82E4-9C53-4D76-9ED3-A01A3D5EE679}" = HP Customer Experience Enhancements
    "{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
    "{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update
    "{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D74CFE48-087F-46E1-80E6-E2950E1A8DCE}" = HP Photosmart Essential 2.5
    "{E535C94A-B87F-4182-BEA8-1E9322078D3E}" = Cards_Calendar_OrderGift_DoMorePlugout
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{f32502b5-5b64-4882-bf61-77f23edcac4f}" = HP Total Care Advisor
    "{FA3B34BE-4246-4062-90A3-34CBBEA12B72}" = HPTCSSetup
    "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "CaddieSync Express" = CaddieSync Express 1.5.8
    "CNXT_MODEM_PCI_HSF" = PCIe Soft Data Fax Modem with SmartCP
    "EditPad Lite" = EditPad Lite 7.2.3
    "EPSON Scanner" = EPSON Scan
    "EPSON WorkForce 500 Series" = EPSON WorkForce 500 Series Printer Uninstall
    "FileZilla Client" = FileZilla Client 3.7.0.1
    "HP Photosmart Essential" = HP Photosmart Essential 3.0
    "InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
    "Logitech Vid" = Logitech Vid HD
    "lvdrivers_12.10" = Logitech Webcam Software Driver Package
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
    "NVIDIA Drivers" = NVIDIA Drivers
    "Revo Uninstaller" = Revo Uninstaller 1.94
    "SearchProtect" = Search Protect by conduit
    "SLABCOMM&10C4&EA60" = Silicon Laboratories CP210x USB to UART Bridge (Driver Removal)
    "TaxACT 2012 - 1040 Edition" = TaxACT 2012 - 1040 Edition
    "TaxACT 2012 Georgia" = TaxACT 2012 Georgia
    "WildTangent hp Master Uninstall" = My HP Games
    "Yahoo! Messenger" = Yahoo! Messenger

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 5/23/2013 15:35:20 | Computer Name = Home-PC | Source = ESENT | ID = 623
    Description = wuaueng.dll (1096) SUS20ClientDataStore: The version store for this
    instance (0) has reached its maximum size of 8Mb. It is likely that a long-running
    transaction is preventing cleanup of the version store and causing it to build
    up in size. Updates will be rejected until the long-running transaction has been
    completely committed or rolled back. Possible long-running transaction: SessionId:
    0x011A0320 Session-context: 0x00000000 Session-context ThreadId: 0x0000120C Cleanup:
    1

    Error - 5/23/2013 18:41:27 | Computer Name = Home-PC | Source = ESENT | ID = 623
    Description = wuaueng.dll (1096) SUS20ClientDataStore: The version store for this
    instance (0) has reached its maximum size of 8Mb. It is likely that a long-running
    transaction is preventing cleanup of the version store and causing it to build
    up in size. Updates will be rejected until the long-running transaction has been
    completely committed or rolled back. Possible long-running transaction: SessionId:
    0x01190320 Session-context: 0x00000000 Session-context ThreadId: 0x00001018 Cleanup:
    1

    Error - 5/24/2013 07:15:10 | Computer Name = Home-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 5/24/2013 07:18:30 | Computer Name = Home-PC | Source = ESENT | ID = 623
    Description = wuaueng.dll (1124) SUS20ClientDataStore: The version store for this
    instance (0) has reached its maximum size of 8Mb. It is likely that a long-running
    transaction is preventing cleanup of the version store and causing it to build
    up in size. Updates will be rejected until the long-running transaction has been
    completely committed or rolled back. Possible long-running transaction: SessionId:
    0x01CC0320 Session-context: 0x00000000 Session-context ThreadId: 0x00000CDC Cleanup:
    1

    Error - 5/24/2013 07:53:15 | Computer Name = Home-PC | Source = ESENT | ID = 623
    Description = wuaueng.dll (1124) SUS20ClientDataStore: The version store for this
    instance (0) has reached its maximum size of 8Mb. It is likely that a long-running
    transaction is preventing cleanup of the version store and causing it to build
    up in size. Updates will be rejected until the long-running transaction has been
    completely committed or rolled back. Possible long-running transaction: SessionId:
    0x01290320 Session-context: 0x00000000 Session-context ThreadId: 0x00000928 Cleanup:
    1

    Error - 5/24/2013 15:22:23 | Computer Name = Home-PC | Source = ESENT | ID = 623
    Description = wuaueng.dll (1124) SUS20ClientDataStore: The version store for this
    instance (0) has reached its maximum size of 8Mb. It is likely that a long-running
    transaction is preventing cleanup of the version store and causing it to build
    up in size. Updates will be rejected until the long-running transaction has been
    completely committed or rolled back. Possible long-running transaction: SessionId:
    0x01290320 Session-context: 0x00000000 Session-context ThreadId: 0x00001B18 Cleanup:
    1

    Error - 5/25/2013 08:03:11 | Computer Name = Home-PC | Source = ESENT | ID = 623
    Description = wuaueng.dll (1124) SUS20ClientDataStore: The version store for this
    instance (0) has reached its maximum size of 8Mb. It is likely that a long-running
    transaction is preventing cleanup of the version store and causing it to build
    up in size. Updates will be rejected until the long-running transaction has been
    completely committed or rolled back. Possible long-running transaction: SessionId:
    0x01290320 Session-context: 0x00000000 Session-context ThreadId: 0x000027DC Cleanup:
    1

    Error - 5/25/2013 10:54:10 | Computer Name = Home-PC | Source = ESENT | ID = 623
    Description = wuaueng.dll (1124) SUS20ClientDataStore: The version store for this
    instance (0) has reached its maximum size of 8Mb. It is likely that a long-running
    transaction is preventing cleanup of the version store and causing it to build
    up in size. Updates will be rejected until the long-running transaction has been
    completely committed or rolled back. Possible long-running transaction: SessionId:
    0x01290320 Session-context: 0x00000000 Session-context ThreadId: 0x000021D4 Cleanup:
    1

    Error - 5/26/2013 04:35:26 | Computer Name = Home-PC | Source = ESENT | ID = 623
    Description = wuaueng.dll (1124) SUS20ClientDataStore: The version store for this
    instance (0) has reached its maximum size of 8Mb. It is likely that a long-running
    transaction is preventing cleanup of the version store and causing it to build
    up in size. Updates will be rejected until the long-running transaction has been
    completely committed or rolled back. Possible long-running transaction: SessionId:
    0x01290320 Session-context: 0x00000000 Session-context ThreadId: 0x000021E8 Cleanup:
    1

    Error - 5/26/2013 08:13:50 | Computer Name = Home-PC | Source = ESENT | ID = 623
    Description = wuaueng.dll (1124) SUS20ClientDataStore: The version store for this
    instance (0) has reached its maximum size of 8Mb. It is likely that a long-running
    transaction is preventing cleanup of the version store and causing it to build
    up in size. Updates will be rejected until the long-running transaction has been
    completely committed or rolled back. Possible long-running transaction: SessionId:
    0x01290320 Session-context: 0x00000000 Session-context ThreadId: 0x00002630 Cleanup:
    1

    [ System Events ]
    Error - 4/9/2013 00:18:39 | Computer Name = Home-PC | Source = Service Control Manager | ID = 7000
    Description =

    Error - 4/9/2013 00:18:39 | Computer Name = Home-PC | Source = Service Control Manager | ID = 7026
    Description =

    Error - 4/9/2013 02:28:40 | Computer Name = Home-PC | Source = Service Control Manager | ID = 7000
    Description =

    Error - 4/9/2013 02:28:40 | Computer Name = Home-PC | Source = Service Control Manager | ID = 7026
    Description =

    Error - 4/9/2013 02:39:15 | Computer Name = Home-PC | Source = Service Control Manager | ID = 7000
    Description =

    Error - 4/9/2013 02:39:16 | Computer Name = Home-PC | Source = Service Control Manager | ID = 7026
    Description =

    Error - 4/9/2013 02:45:49 | Computer Name = Home-PC | Source = Service Control Manager | ID = 7000
    Description =

    Error - 4/9/2013 02:45:49 | Computer Name = Home-PC | Source = Service Control Manager | ID = 7026
    Description =

    Error - 4/9/2013 02:50:21 | Computer Name = Home-PC | Source = Service Control Manager | ID = 7000
    Description =

    Error - 4/9/2013 02:50:21 | Computer Name = Home-PC | Source = Service Control Manager | ID = 7026
    Description =


    < End of report >
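The "Shell Spawning" and "Security Center Settings" sections of the OTL Extras log above are the two places a helper checks first for a hijacked system: if the `exefile`/`comfile`/`batfile` handlers point anywhere other than `"%1" %*`, every program the user launches passes through something else first, and the `*Override`/`*DisableNotify` values tell Security Center to stop warning when a firewall or antivirus is off. The script below is an added example for this thread (not OTL's code and not from any of the posts); it applies those two baselines to a constructed OTL excerpt in which the `exefile` handler and `AntiVirusOverride` have been deliberately altered to illustrate a hit. The expected defaults are the Vista/7 ones I assume; adjust them for other builds.

```python
"""Triage of the 'Shell Spawning' and 'Security Center Settings' sections of an
OTL Extras log.  Added example for this thread, not part of OTL or of the forum
posts: the baseline values are the Windows defaults I assume for Vista/7, and the
sample log below is constructed (the hijacked exefile entry is made up)."""
import re

SAMPLE_OTL = r"""========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "C:\Users\Public\svchost.exe" "%1" %*
piffile [open] -- "%1" %*
scrfile [open] -- "%1" /S
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0
"UacDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp2" = Reg Error: Unknown registry data type -- File not found
"""

# Default handler commands: a different command means every file of that type
# is launched through something else first (classic downloader/fake-AV trick).
EXPECTED_SHELL = {
    ("batfile", "open"): '"%1" %*',
    ("cmdfile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*',
    ("exefile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*',
    ("scrfile", "open"): '"%1" /S',
}

# Security Center values that are 0 on a healthy system; 1 tells Security
# Center to stop warning about that category (firewall off, AV missing, ...).
EXPECTED_ZERO = {
    "AntiVirusOverride", "AntiSpywareOverride", "FirewallOverride",
    "UacDisableNotify", "InternetSettingsDisableNotify", "AutoUpdateDisableNotify",
}

SHELL_RE = re.compile(r'^(\w+) \[(\w+)\] -- (.*)$')
VALUE_RE = re.compile(r'^"(\w+)" = (\d+)$')


def check_shell_spawning(log_text):
    """Return [(class, verb, actual_command)] for handlers that differ from the baseline."""
    findings = []
    for raw in log_text.splitlines():
        m = SHELL_RE.match(raw.strip())
        if not m:
            continue
        key = (m.group(1), m.group(2))
        if key in EXPECTED_SHELL and m.group(3).strip() != EXPECTED_SHELL[key]:
            findings.append((key[0], key[1], m.group(3).strip()))
    return findings


def check_security_center(log_text):
    """Return [(value_name, data)] for override/notify values that are not 0."""
    findings = []
    for raw in log_text.splitlines():
        m = VALUE_RE.match(raw.strip())
        if m and m.group(1) in EXPECTED_ZERO and int(m.group(2)) != 0:
            findings.append((m.group(1), int(m.group(2))))
    return findings


if __name__ == "__main__":
    for cls, verb, cmd in check_shell_spawning(SAMPLE_OTL):
        print(f"shell handler changed: {cls} [{verb}] -> {cmd}")
    for name, data in check_security_center(SAMPLE_OTL):
        print(f"Security Center suppression: {name} = {data}")
```

Paste a real OTL Extras log in place of the sample and the two functions return only the deviations. Run against the log posted above, both lists come back empty: the executable handlers are at their defaults and all the override values are 0, so whatever is deleting the downloads is not a shell hijack or a silenced Security Center.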
     
  9. emeraldnzl

    emeraldnzl Malware Specialist

    Joined: Nov 3, 2007
    Messages: 2,570
    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and choose "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.
    Next

    Please download ESET's Service Repair Tool.

    • Save it to your desktop
    • Right-click on it and run it as Administrator.
    Finally, in this post:

    Please download Farbar Service Scanner and run.


    • Make sure the following options are checked:
        • Internet Services
        • Windows Firewall
        • System Restore
        • Security Center/Action Center
        • Windows Update
        • Other Services
    • Press Scan
    • A log (FSS.txt) will be created in the same directory the tool is run.
    • Copy and paste the log back here.
    So when you return please post
    • JRT.txt
    • FSS.txt
     
  10. edpled

    edpled Thread Starter

    Joined: Aug 8, 2010
    Messages: 48
    OK...executed the JRT, the SRT and the FSS. Following are log files JRT.txt and FSS.txt:


    Junkware Removal Tool (JRT) by Thisisu
    Version: 4.9.4 (05.06.2013:1)
    OS: Windows Vista (TM) Home Basic x86
    Ran by Edministrator on Thu 05/30/2013 at 22:46:00.13
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    ~~~ Services
    Successfully stopped: [Service] cltmngsvc
    Successfully deleted: [Service] cltmngsvc

    ~~~ Registry Values
    Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\sbregrebootcleaner
    Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Start Page
    Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL
    Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL

    ~~~ Registry Keys
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\Software\conduit
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\Software\conduitsearchscopes
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\Software\pricegong
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\Software\smartbar
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{84dc9f6c-c9a5-4c64-ab67-d6ef60f963c8}
    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9C5CA580-A48D-4030-AB35-D78B61D7D8F2}
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{84dc9f6c-c9a5-4c64-ab67-d6ef60f963c8}
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{D20B6448-844F-44E8-96EB-AEDDA205B403}
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

    ~~~ Files
    Successfully deleted: [File] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ebay.lnk"
    Successfully deleted: [File] "C:\end"

    ~~~ Folders
    Successfully deleted: [Folder] "C:\Users\Edministrator\AppData\Roaming\searchprotect"
    Successfully deleted: [Folder] "C:\Users\Edministrator\appdata\local\conduit"
    Successfully deleted: [Folder] "C:\Users\Edministrator\appdata\local\swvupdater"
    Successfully deleted: [Folder] "C:\Users\Edministrator\appdata\locallow\conduit"
    Successfully deleted: [Folder] "C:\Users\Edministrator\appdata\locallow\iac"
    Successfully deleted: [Folder] "C:\Users\Edministrator\appdata\locallow\pricegong"
    Successfully deleted: [Folder] "C:\Program Files\conduit"
    Successfully deleted: [Folder] "C:\Program Files\searchprotect"

    ~~~ Event Viewer Logs were cleared


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Thu 05/30/2013 at 22:47:12.87
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Farbar Service Scanner Version: 25-05-2013
    Ran by Edministrator (administrator) on 30-05-2013 at 22:57:35
    Running from "C:\Users\Edministrator\Desktop"
    Windows Vista (TM) Home Basic Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.

    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0

    System Restore:
    ============
    System Restore Disabled Policy:
    ========================

    Security Center:
    ============
    Windows Update:
    ============
    Windows Autoupdate Disabled Policy:
    ============================

    Other Services:
    ==============

    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys
    [2013-04-08 16:38] - [2013-01-04 07:28] - 0905576 ____A (Microsoft Corporation) 74E2D020C47BB2B2FCCBA29A518A7EB4
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Windows\system32\ipnathlp.dll => MD5 is legit
    C:\Windows\system32\iphlpsvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit

    **** End of log ****
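Two lines in the FSS log above deserve a second look: `"EnableFirewall"=DWORD:0` under the `FirewallPolicy\StandardProfile` key (the Windows Firewall is switched off for that profile), and `tcpip.sys`, the one entry in the File Check that is not marked `MD5 is legit`. Neither is a verdict on its own. VIPRE Internet Security ships its own firewall (`SbFw.sys` shows as running in the OTL log), and third-party suites commonly turn Windows Firewall off when they install, so confirm which firewall is meant to be active before re-enabling. An unmatched hash means FSS could not match the file to its list of known-good Microsoft hashes; the list can simply lag a recent update (the file carries a January 2013 modification date), so compare the hash against a known-good copy of that build before treating it as a patched driver. The script below is an added example for this thread (not FSS's code and not from any post) that pulls exactly those two kinds of finding out of an FSS log; the sample it runs on is constructed from the shape of the log above.

```python
"""Triage of a Farbar Service Scanner (FSS) log.  Added example for this thread,
not part of FSS or of the forum posts.  It pulls out two things a helper would
look at first: registry values that switch a Windows Firewall profile off, and
File Check entries that FSS could not match to a known-good Microsoft hash.  The
sample log is constructed from the shape of the one posted in the thread."""
import re

SAMPLE_FSS = r"""Windows Firewall:
=============
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============
System Restore Disabled Policy:
========================

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-04-08 16:38] - [2013-01-04 07:28] - 0905576 ____A (Microsoft Corporation) 74E2D020C47BB2B2FCCBA29A518A7EB4
C:\Windows\system32\svchost.exe => MD5 is legit

**** End of log ****
"""

KEY_RE = re.compile(r'^\[(HK[^\]]+)\]$')
DWORD_RE = re.compile(r'^"(\w+)"=DWORD:(\d+)$')
PATH_RE = re.compile(r'^[A-Za-z]:\\\S')
# "[date 1] - [date 2] - size attrs (company) MD5" line FSS prints under an unmatched file
DETAIL_RE = re.compile(
    r'^\[([\d: -]+)\] - \[([\d: -]+)\] - (\d+) (\S+) \((.*)\) ([0-9A-Fa-f]{32})$')


def firewall_policy_findings(log_text):
    """Return [(registry_key, value_name, data)] for EnableFirewall=0 under any FirewallPolicy key."""
    findings, current_key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = DWORD_RE.match(line)
        if (m and current_key and "FirewallPolicy" in current_key
                and m.group(1) == "EnableFirewall" and int(m.group(2)) == 0):
            findings.append((current_key, m.group(1), 0))
    return findings


def unverified_files(log_text):
    """Return {path: details} for File Check entries not marked 'MD5 is legit'.

    details holds the dates, size, attributes, company string and MD5 that FSS
    prints under the path; an empty dict if that line is missing."""
    lines = [raw.strip() for raw in log_text.splitlines()]
    if "File Check:" not in lines:
        return {}
    results = {}
    i = lines.index("File Check:") + 1
    while i < len(lines) and not lines[i].startswith("****"):
        line = lines[i]
        if PATH_RE.match(line) and not line.endswith("=> MD5 is legit"):
            details = {}
            m = DETAIL_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
            if m:
                details = {"dates": (m.group(1), m.group(2)), "size": int(m.group(3)),
                           "attrs": m.group(4), "company": m.group(5),
                           "md5": m.group(6).upper()}
                i += 1  # consume the detail line
            results[line] = details
        i += 1
    return results


if __name__ == "__main__":
    for key, name, data in firewall_policy_findings(SAMPLE_FSS):
        print(f"firewall off by policy: {key}\\{name} = {data}")
    for path, details in unverified_files(SAMPLE_FSS).items():
        print(f"hash not recognised: {path} {details.get('md5', '?')}")
```

The parser keys on the exact strings FSS prints (`File Check:`, `=> MD5 is legit`, `**** End of log ****`), so a change in FSS's output format would need the regexes updated; the returned MD5 is what you would paste into a file-reputation lookup or compare with the copy in `winsxs`.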
     
  11. emeraldnzl

    emeraldnzl Malware Specialist

    Joined: Nov 3, 2007
    Messages: 2,570
    Hello edpled,

    • Close all windows and open OTL again.
    • Click Run Scan and let the program run uninterrupted
    • It will produce a log for you. Post the log here.
    Note: If the log doesn't appear where you saved OTL when you downloaded it, then a copy of the OTL log is saved in a text file at

    :\_OTL\MovedFiles
    in most cases this will be C:\_OTL\MovedFiles
     
  12. edpled

    edpled Thread Starter

    Joined: Aug 8, 2010
    Messages: 48
    Ran OTL again. Following is the OTL log file:


    OTL logfile created on: 5/30/2013 23:33:01 - Run 2
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Edministrator\Desktop
    Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.37 Gb Total Physical Memory | 2.48 Gb Available Physical Memory | 73.39% Memory free
    6.96 Gb Paging File | 6.01 Gb Available in Paging File | 86.36% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 221.91 Gb Total Space | 159.34 Gb Free Space | 71.80% Space Free | Partition Type: NTFS
    Drive D: | 10.97 Gb Total Space | 1.51 Gb Free Space | 13.76% Space Free | Partition Type: NTFS
    Drive G: | 232.88 Gb Total Space | 182.56 Gb Free Space | 78.39% Space Free | Partition Type: NTFS

    Computer Name: HOME-PC | User Name: Edministrator | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2013/05/30 20:58:52 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Edministrator\Desktop\OTL.exe
    PRC - [2013/05/21 23:45:46 | 001,072,664 | ---- | M] (iolo technologies, LLC) -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
    PRC - [2013/04/20 11:53:17 | 000,812,424 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\Macromed\Flash\FlashUtil32_11_7_700_169_ActiveX.exe
    PRC - [2013/02/20 21:33:32 | 003,154,752 | ---- | M] (GFI Software) -- C:\Program Files\GFI Software\VIPRE\SBAMTray.exe
    PRC - [2013/02/20 21:30:18 | 003,680,512 | ---- | M] (GFI Software) -- C:\Program Files\GFI Software\VIPRE\SBAMSvc.exe
    PRC - [2013/02/20 21:30:14 | 000,175,936 | ---- | M] (GFI Software) -- C:\Program Files\GFI Software\VIPRE\SBPIMSvc.exe
    PRC - [2012/07/02 16:10:32 | 000,115,568 | ---- | M] (GFI Software Development Ltd.) -- C:\Program Files\GFI Software\VIPRE\LanGuard 10 Agent\lnssatt.exe
    PRC - [2012/07/02 16:10:32 | 000,093,552 | ---- | M] (GFI Software Development Ltd.) -- C:\Program Files\GFI Software\VIPRE\LanGuard 10 Agent\mantle.exe
    PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


    ========== Modules (No Company Name) ==========

    MOD - [2013/05/10 14:56:08 | 000,093,696 | ---- | M] () -- C:\Program Files\FileZilla FTP Client\fzshellext.dll


    ========== Services (SafeList) ==========

    SRV - [2013/05/21 23:45:46 | 001,072,664 | ---- | M] (iolo technologies, LLC) [Auto | Running] -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe -- (ioloSystemService)
    SRV - [2013/04/20 11:53:20 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\WINDOWS\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2013/02/20 21:30:18 | 003,680,512 | ---- | M] (GFI Software) [Auto | Running] -- C:\Program Files\GFI Software\VIPRE\SBAMSvc.exe -- (SBAMSvc)
    SRV - [2013/02/20 21:30:14 | 000,175,936 | ---- | M] (GFI Software) [Auto | Running] -- C:\Program Files\GFI Software\VIPRE\SBPIMSvc.exe -- (SBPIMSvc)
    SRV - [2012/07/02 16:10:32 | 000,115,568 | ---- | M] (GFI Software Development Ltd.) [Auto | Running] -- C:\Program Files\GFI Software\VIPRE\LanGuard 10 Agent\lnssatt.exe -- (gfi_lanss10_attservice)
    SRV - [2009/10/07 01:47:34 | 000,154,136 | ---- | M] (Logitech Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
    SRV - [2008/01/20 22:33:00 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\SBREDrv.sys -- (SBRE)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
    DRV - [2013/05/15 14:23:01 | 000,023,656 | ---- | M] (ThreatTrack Security) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\gfiutil.sys -- (gfiutil)
    DRV - [2013/03/17 23:36:22 | 000,068,464 | ---- | M] (Raxco Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\PDFsFilter.sys -- (PDFsFilter)
    DRV - [2012/12/26 21:02:44 | 000,226,672 | ---- | M] (GFI Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\SbFw.sys -- (SbFw)
    DRV - [2012/12/26 21:02:44 | 000,095,344 | ---- | M] (GFI Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\sbhips.sys -- (sbhips)
    DRV - [2012/12/11 21:02:16 | 000,076,064 | ---- | M] (GFI Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\sbwtis.sys -- (sbwtis)
    DRV - [2012/12/04 21:01:14 | 000,068,904 | ---- | M] (GFI Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\sbapifs.sys -- (sbapifs)
    DRV - [2012/09/24 19:26:18 | 000,096,288 | ---- | M] (GFI Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\SbFwIm.sys -- (SBFWIMCLMP)
    DRV - [2012/09/24 19:26:18 | 000,096,288 | ---- | M] (GFI Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\SbFwIm.sys -- (SBFWIMCL)
    DRV - [2012/04/17 08:25:02 | 000,027,080 | ---- | M] (EldoS Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\ElRawDsk.sys -- (ElRawDisk)
    DRV - [2009/10/07 01:46:36 | 000,025,752 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
    DRV - [2009/04/30 19:01:34 | 000,265,496 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\lvrs.sys -- (LVRS)
    DRV - [2009/04/30 18:55:56 | 002,687,512 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\LV302V32.SYS -- (PID_PEPI)
    DRV - [2009/04/30 18:55:32 | 000,013,976 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\lv302af.sys -- (pepifilter)
    DRV - [2008/08/01 19:51:14 | 001,052,704 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\nvmfdx32.sys -- (NVENETFD)
    DRV - [2008/06/06 15:13:40 | 000,133,152 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\nvrd32.sys -- (nvrd32)
    DRV - [2008/06/06 15:13:10 | 000,145,440 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\nvstor32.sys -- (nvstor32)
    DRV - [2008/05/22 10:49:00 | 007,465,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2008/05/22 05:39:34 | 000,015,360 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\nvsmu.sys -- (nvsmu)
    DRV - [2008/02/12 11:27:34 | 000,207,360 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\HSXHWBS3.sys -- (HSXHWBS3)
    DRV - [2008/02/12 11:25:22 | 000,985,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\HSX_DP.sys -- (HSF_DP)
    DRV - [2007/10/18 11:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\XAudio.sys -- (XAudio)
    DRV - [2007/07/13 08:18:20 | 000,050,688 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\Rtnicxp.sys -- (RTL8023xp)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
    IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7
    IE - HKLM\..\SearchScopes\{BB67E9B4-E19D-4753-A3FB-5C52509D3BF9}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-psdt

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.accessnorthga.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKCU\..\SearchScopes,DefaultScope = {F85C1AD7-228A-4E9D-86AB-6A2C4563A6E5}
    IE - HKCU\..\SearchScopes\{BB67E9B4-E19D-4753-A3FB-5C52509D3BF9}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-psdt
    IE - HKCU\..\SearchScopes\{F85C1AD7-228A-4E9D-86AB-6A2C4563A6E5}: "URL" = http://www.google.com/search?q={sea...x?}&startPage={startPage}&rlz=1I7MXGB_enUS532
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    ========== FireFox ==========

    FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.17.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)


    [2013/04/06 06:25:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla FireFox\extensions

    O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\WINDOWS\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [SBAMTray] C:\Program Files\GFI Software\VIPRE\SBAMTray.exe (GFI Software)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Activities present
    O13 - gopher Prefix: missing
    O15 - HKCU\..Trusted Ranges: Range1 ([http] in Local intranet)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 97.81.22.195 71.92.29.130
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7CE36365-C172-44CC-B6BF-306BFD008961}: DhcpNameServer = 192.168.1.1 97.81.22.195 71.92.29.130
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\WINDOWS\System32\userinit.exe (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2008/08/28 06:11:22 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: ("autocheck autochk *")
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

    ========== Files/Folders - Created Within 30 Days ==========

    [2013/05/30 22:49:41 | 000,000,000 | ---D | C] -- C:\Users\Public\Desktop\CC Support
    [2013/05/30 22:45:58 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
    [2013/05/30 22:45:27 | 000,000,000 | ---D | C] -- C:\JRT
    [2013/05/30 22:41:18 | 000,354,297 | ---- | C] (Farbar) -- C:\Users\Edministrator\Desktop\FSS.exe
    [2013/05/30 22:39:19 | 000,545,954 | ---- | C] (Oleg N. Scherbakov) -- C:\Users\Edministrator\Desktop\JRT.exe
    [2013/05/30 21:09:13 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Edministrator\Desktop\OTL.exe
    [2013/05/30 18:02:35 | 000,000,000 | ---D | C] -- C:\FRST
    [2013/05/30 17:56:45 | 001,355,557 | ---- | C] (Farbar) -- C:\Users\Edministrator\Desktop\FRST.exe
    [2013/05/24 07:13:52 | 000,027,080 | ---- | C] (EldoS Corporation) -- C:\Windows\System32\drivers\ElRawDsk.sys
    [2013/05/22 20:33:44 | 000,000,000 | ---D | C] -- C:\Windows\Ulead.dat
    [2013/05/22 19:24:31 | 000,000,000 | ---D | C] -- C:\Users\Edministrator\Desktop\files
    [2013/05/22 19:24:04 | 000,000,000 | ---D | C] -- C:\Users\Edministrator\Desktop\saver
    [2013/05/22 18:32:08 | 000,000,000 | ---D | C] -- C:\Users\Edministrator\AppData\Local\MigWiz
    [2013/05/18 15:49:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Yahoo! Messenger
    [2013/05/18 15:49:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Yahoo!
    [2013/05/17 16:22:22 | 000,000,000 | ---D | C] -- C:\Users\Edministrator\AppData\Roaming\EPSON
    [2013/05/16 03:08:57 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
    [2013/05/16 03:00:52 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
    [2013/05/16 03:00:52 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
    [2013/05/16 03:00:51 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
    [2013/05/16 03:00:50 | 000,607,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
    [2013/05/16 03:00:48 | 001,800,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
    [2013/05/16 03:00:48 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
    [2013/05/16 03:00:46 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
    [2013/05/15 16:13:50 | 000,037,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\cdd.dll
    [2013/05/15 16:13:44 | 002,049,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
    [2013/05/14 19:43:26 | 000,023,656 | ---- | C] (ThreatTrack Security) -- C:\Windows\System32\drivers\gfiutil.sys
    [1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2013/05/30 23:10:15 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2013/05/30 22:56:25 | 000,639,904 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2013/05/30 22:56:25 | 000,118,156 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2013/05/30 22:51:21 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2013/05/30 22:51:21 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2013/05/30 22:51:17 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2013/05/30 22:51:14 | 3622,289,408 | -HS- | M] () -- C:\hiberfil.sys
    [2013/05/30 22:43:32 | 000,001,918 | ---- | M] () -- C:\Users\Edministrator\AppData\Roaming\wklnhst.dat
    [2013/05/30 22:41:04 | 000,354,297 | ---- | M] (Farbar) -- C:\Users\Edministrator\Desktop\FSS.exe
    [2013/05/30 22:40:20 | 004,009,167 | ---- | M] () -- C:\Users\Edministrator\Desktop\ServicesRepair.exe
    [2013/05/30 22:39:06 | 000,545,954 | ---- | M] (Oleg N. Scherbakov) -- C:\Users\Edministrator\Desktop\JRT.exe
    [2013/05/30 20:58:52 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Edministrator\Desktop\OTL.exe
    [2013/05/30 20:42:41 | 000,018,490 | ---- | M] () -- C:\Users\Edministrator\Documents\MON - FRIDAY GOLF AT CGC.pdf
    [2013/05/30 20:40:54 | 000,021,206 | ---- | M] () -- C:\Users\Edministrator\Documents\MON - FRIDAY GOLF AT CGC.ods
    [2013/05/30 17:56:00 | 001,355,557 | ---- | M] (Farbar) -- C:\Users\Edministrator\Desktop\FRST.exe
    [2013/05/28 19:00:05 | 000,329,792 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2013/05/28 18:12:25 | 002,250,054 | ---- | M] () -- C:\ProgramData\1.bmp
    [2013/05/28 08:44:22 | 000,030,720 | ---- | M] () -- C:\Users\Edministrator\Documents\2013TaxWorksheet.xlr
    [2013/05/27 15:09:28 | 000,013,540 | ---- | M] () -- C:\Users\Edministrator\Documents\Ebay for Carlyle.ods
    [2013/05/25 10:16:26 | 000,012,800 | ---- | M] () -- C:\Users\Edministrator\Documents\EdsMeds.xlr
    [2013/05/22 20:35:16 | 000,000,510 | ---- | M] () -- C:\Windows\ULead32.ini
    [2013/05/22 20:30:39 | 000,003,584 | ---- | M] () -- C:\Users\Edministrator\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2013/05/22 19:36:48 | 000,000,680 | ---- | M] () -- C:\Users\Edministrator\AppData\Local\d3d9caps.dat
    [2013/05/22 00:08:38 | 000,041,616 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\iolobtdfg.exe
    [2013/05/22 00:08:30 | 000,023,568 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\smrgdf.exe
    [2013/05/21 23:48:08 | 002,097,472 | ---- | M] (iolo technologies, LLC) -- C:\Windows\System32\Incinerator32.dll
    [2013/05/18 00:14:22 | 000,085,504 | ---- | M] () -- C:\Users\Edministrator\Documents\Reading List.xlr
    [2013/05/16 13:51:53 | 000,080,020 | ---- | M] () -- C:\Users\Edministrator\Documents\Fridaygolf.xps
    [2013/05/15 14:23:01 | 000,023,656 | ---- | M] (ThreatTrack Security) -- C:\Windows\System32\drivers\gfiutil.sys
    [2013/05/11 10:50:28 | 000,001,791 | ---- | M] () -- C:\Users\Public\Desktop\FileZilla Client.lnk
    [2013/05/05 15:12:55 | 002,382,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
    [2013/05/05 12:18:50 | 000,011,264 | ---- | M] () -- C:\Users\Edministrator\Documents\EdDailyBloodPressure.xlr
    [1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2013/05/30 22:40:46 | 004,009,167 | ---- | C] () -- C:\Users\Edministrator\Desktop\ServicesRepair.exe
    [2013/05/30 20:42:39 | 000,018,490 | ---- | C] () -- C:\Users\Edministrator\Documents\MON - FRIDAY GOLF AT CGC.pdf
    [2013/05/28 18:59:46 | 3622,289,408 | -HS- | C] () -- C:\hiberfil.sys
    [2013/05/28 18:12:25 | 002,250,054 | ---- | C] () -- C:\ProgramData\1.bmp
    [2013/05/27 15:07:35 | 000,013,540 | ---- | C] () -- C:\Users\Edministrator\Documents\Ebay for Carlyle.ods
    [2013/05/22 20:33:44 | 000,000,510 | ---- | C] () -- C:\Windows\ULead32.ini
    [2013/05/22 20:30:39 | 000,003,584 | ---- | C] () -- C:\Users\Edministrator\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2013/05/18 15:49:49 | 000,000,680 | ---- | C] () -- C:\Users\Edministrator\AppData\Local\d3d9caps.dat
    [2013/05/16 13:51:52 | 000,080,020 | ---- | C] () -- C:\Users\Edministrator\Documents\Fridaygolf.xps
    [2013/05/11 10:50:28 | 000,001,791 | ---- | C] () -- C:\Users\Public\Desktop\FileZilla Client.lnk
    [2013/04/27 17:29:48 | 000,350,795 | ---- | C] () -- C:\ProgramData\1.jpg
    [2013/04/12 17:32:20 | 000,082,289 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
    [2013/04/09 02:41:02 | 000,074,703 | ---- | C] () -- C:\Windows\System32\mfc45.dat
    [2013/04/09 02:20:42 | 002,319,536 | ---- | C] () -- C:\Windows\System32\Incinerator.dll
    [2013/04/09 02:16:50 | 000,074,703 | ---- | C] () -- C:\Windows\System32\mfc45.dll
    [2013/04/06 16:51:44 | 000,073,220 | ---- | C] () -- C:\Windows\System32\EPPICPrinterDB.dat
    [2013/04/06 16:51:44 | 000,031,053 | ---- | C] () -- C:\Windows\System32\EPPICPattern131.dat
    [2013/04/06 16:51:44 | 000,029,114 | ---- | C] () -- C:\Windows\System32\EPPICPattern1.dat
    [2013/04/06 16:51:44 | 000,027,417 | ---- | C] () -- C:\Windows\System32\EPPICPattern121.dat
    [2013/04/06 16:51:44 | 000,021,021 | ---- | C] () -- C:\Windows\System32\EPPICPattern3.dat
    [2013/04/06 16:51:44 | 000,015,670 | ---- | C] () -- C:\Windows\System32\EPPICPattern5.dat
    [2013/04/06 16:51:44 | 000,013,280 | ---- | C] () -- C:\Windows\System32\EPPICPattern2.dat
    [2013/04/06 16:51:44 | 000,010,673 | ---- | C] () -- C:\Windows\System32\EPPICPattern4.dat
    [2013/04/06 16:51:44 | 000,004,943 | ---- | C] () -- C:\Windows\System32\EPPICPattern6.dat
    [2013/04/06 16:51:44 | 000,001,140 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_PT.dat
    [2013/04/06 16:51:44 | 000,001,140 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_BP.dat
    [2013/04/06 16:51:44 | 000,001,137 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_ES.dat
    [2013/04/06 16:51:44 | 000,001,130 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_FR.dat
    [2013/04/06 16:51:44 | 000,001,130 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_CF.dat
    [2013/04/06 16:51:44 | 000,001,104 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_EN.dat
    [2013/04/06 16:51:44 | 000,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini
    [2013/04/06 16:07:31 | 000,000,048 | ---- | C] () -- C:\Windows\TaxACT12.ini
    [2013/04/06 03:05:42 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
    [2013/04/06 03:05:42 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
    [2013/04/06 03:01:36 | 000,001,918 | ---- | C] () -- C:\Users\Edministrator\AppData\Roaming\wklnhst.dat
    [2013/04/06 02:14:34 | 000,004,984 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
    [2013/04/06 02:13:26 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin

    ========== ZeroAccess Check ==========

    [2006/11/02 08:51:16 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
    "ThreadingModel" = Both
    "" = shell32.dll -- [2012/06/08 13:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 13:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 02:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
    "" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 02:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both
    < End of report >
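Reports in this format are long, and most entries are noise. A small triage helper, added here as an example (it is not OTL's own code and was not posted in this thread), parses the SRV/DRV lines and the "ZeroAccess Check" registry block and returns the entries a reviewer would want to look at first: services whose image file is missing, drivers whose image carries no company name, and InProcServer32 default values that do not resolve into the Windows system directory. The sample log embedded in the block is constructed, modelled on the report's line format; the HKCU entry pointing into a user profile is made up to show what a flagged value looks like.

```python
"""Triage helper for OTL-style log sections.

Added example (not OTL's own code): parses SRV/DRV lines and the
"ZeroAccess Check" registry block and returns entries worth a second look.
"""
import re
from typing import Dict, List, Optional

# One service/driver line. OTL prints two shapes:
#   DRV - [date | size | attrs | M] (Company) [Type | Start | State] -- path -- (Name)
#   DRV - File not found [Type | Start | State] -- path -- (Name)
SERVICE_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - "
    r"(?:(?P<missing>File not found)|\[[^\]]*\] \((?P<company>[^)]*)\))\s*"
    r"\[(?P<flags>[^\]]*)\] -- (?P<path>.+?) -- \((?P<name>[^)]*)\)\s*$"
)
# Registry key header and the (Default) value line inside the ZeroAccess block.
KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
DEFAULT_RE = re.compile(r'^"" = (?P<value>.+?) -- \[')

# Spellings of the system directory seen in such reports (compared lower-case).
SYSTEM_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def in_system_dir(value: str) -> bool:
    """A bare DLL name is loaded from System32; a full path must start there."""
    v = value.strip().lower()
    if "\\" not in v:
        return True
    return v.startswith(SYSTEM_DIRS)


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return service names with missing files, image paths with no company
    name, and InProcServer32 keys whose default value lies outside System32."""
    findings: Dict[str, List[str]] = {
        "missing_file": [], "no_company": [], "suspicious_inproc": []
    }
    in_zeroaccess = False
    current_key: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("========== "):          # section header
            in_zeroaccess = "ZeroAccess Check" in line
            current_key = None
            continue
        m = SERVICE_RE.match(line)
        if m:
            if m.group("missing"):
                findings["missing_file"].append(m.group("name"))
            elif m.group("company") == "":
                findings["no_company"].append(m.group("path"))
            continue
        if not in_zeroaccess:
            continue
        k = KEY_RE.match(line)
        if k:
            current_key = k.group("key")
            continue
        d = DEFAULT_RE.match(line)
        if d and current_key and not in_system_dir(d.group("value")):
            findings["suspicious_inproc"].append(current_key)
    return findings


# Constructed sample modelled on the report's format. The HKCU entry pointing
# into a user profile is made up to show what a flagged value looks like.
SAMPLE_LOG = r"""
========== Win32 Services (SafeList) ==========

SRV - [2013/02/20 21:30:14 | 000,175,936 | ---- | M] (GFI Software) [Auto | Running] -- C:\Program Files\GFI Software\VIPRE\SBPIMSvc.exe -- (SBPIMSvc)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\SBREDrv.sys -- (SBRE)
DRV - [2013/05/15 14:23:01 | 000,023,656 | ---- | M] (ThreatTrack Security) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\gfiutil.sys -- (gfiutil)
DRV - [2009/10/07 01:46:36 | 000,025,752 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys -- (LVPr2Mon)

========== ZeroAccess Check ==========

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 13:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
"ThreadingModel" = Both
"" = C:\Users\example\AppData\Local\{00000000-0000-0000-0000-000000000000}\example.dll -- [2013/05/01 00:00:00 | 000,010,240 | ---- | M] ()
"""

if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category, items)
```

The output is a list of leads, not a verdict: a "File not found" driver entry is often just a leftover from an uninstalled product, and a driver with an empty company field may simply be unsigned vendor code, whereas a COM server registered under HKCU that loads from a user-writable location is the kind of entry a malware specialist will ask about.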
     
  13. emeraldnzl

    emeraldnzl Malware Specialist

    Joined:
    Nov 3, 2007
    Messages:
    2,570
    Hello again edpled,

    Please run OTL.exe

    • Under the Custom Scans/Fixes box at the bottom, copy and paste the content of the quote box below:

    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot when it is done
    • It will produce a log for you on reboot, please post that log in your next reply. The log is saved in the same location as OTL.
    Next

    Please run a free online scan with the ESET Online Scanner

    Vista / Win7 users: Right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator.

    Note: This scan works with Internet Explorer or Mozilla FireFox.

    If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.

    • Click the green ESET Online Scanner box
    • Tick the box next to YES, I accept the Terms of Use
      then click on: Start
    • You may see a panel towards the top of the screen telling you the website wants to install an addon... click and allow it to install. If your firewall asks whether you want to allow installation, say yes.
    • Make sure that the option Scan archives is checked.
    • Now click on Advanced Settings and select the following:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
    • Click on Start
    • The virus signature database will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
    • When completed, the Online Scan will begin automatically. The scan may take several hours.
    • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
    • When completed select Uninstall application on close, make sure you copy the logfile first!
    • Then click on: Finish
    • Use notepad to open the logfile located at C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt.
    • Copy and paste that log as a reply to this topic and tell me how your computer is now.
    When you return please post
    • OTL log
    • ESET scan results.
     
  14. edpled

    edpled Thread Starter

    Joined:
    Aug 8, 2010
    Messages:
    48
    OK...I have two problems:

    1. I ran OTL and rebooted at conclusion. The log file displayed OK. However, I closed the window before copying the file text and it was NOT saved on the desktop where the OTL.exe resided. I have no log file to forward.

    2. I attempted to run the ESET Scanner anyway. I got as far as the EULA pop-up. I checked the box for accepting the terms of use but the "Start" button would/did not highlight and I was unable to launch the scan. I loaded IE as Administrator in regular mode (not "safe"). I got the same kind of "unformatted" appearance on that site as I get on your site without using "safe" mode. I did not try to run the scan in "safe" mode.

    FYI, I did successfully download the set-up file for the Malwarebytes anti-malware program to my desktop without it being erased, so at least that is encouraging.

    What can I do?
     
  15. emeraldnzl

    emeraldnzl Malware Specialist

    Joined:
    Nov 3, 2007
    Messages:
    2,570
    No problem. It was only removing temp files and flushing domain names. If it ran successfully and rebooted that would have happened.

    So are you running other security programs in between our actions?

    I should warn you that with this particular infection it's possible to render your computer unbootable if a security program removes an infected file at the wrong time.

    Let's have another look:
    • Please run Farbar's Recovery Scan Tool again
    • Press the Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
     
Short URL to this thread: https://techguy.org/1099471