Hijacked by Virus "Antivir Solutions".


#1 chadwheat (New Member, 8 posts)
My PC picked up the same virus that a previous poster described

My PC has the Windows Vista OS.

Much like the previous poster, the desktop is there, but immediately after logging in I start to get 'Security Warning' pop-ups that ask if I want to activate my antivirus software. When I click 'Yes' I am directed to the "Antivir Solution" website and a scan starts telling me I've got all sorts of stuff infecting my computer and it can remove it all if I go to their site and buy their program.

Like the other poster, I cannot go to any other site. I cannot open the Task Manager. I cannot open the Control Panel. I cannot open the System Tools. I can't do anything.

The first instruction in the other thread was to boot up in safemode and download OTL. Is booting up in safemode likely to allow me to navigate to the geeks to go site and download the required software?

Thanks for your help,

Chad

#2 Elliot (Retired Staff, Expert, 3,769 posts)
Hello, chadwheat!

:)

My name is Elster and I will be helping you fix your computer.

Please keep in mind that very rarely will a computer be "disinfected" on the first sweep. The absence of symptoms does not mean that your computer is clean, so please stick with me until I give you the All Clear!

I recommend that you save and print each of my posts, as there will be times when you will not be able to be online to access them.


Step 1:

OTL and friends

If you have access to a computer that is not infected, you can download OTL and the other tools listed in the Removal and Cleaning Guide to a flash drive, then copy them onto the desktop of your infected computer. If you are not able to do this, then boot your PC into Safe Mode with Networking. You should be able to access this site and download OTL.

Please follow the instructions in the Removal Guide (as much as possible) and post your logs in your next reply. If you have any problems completing this step, please let me know.

Thanks!

Elster

#3 chadwheat (Topic Starter, New Member, 8 posts)
Hello Elster,

Thanks for your post.

After creating my initial post, I found a tutorial on the G2G site regarding the 'Antivir Solution' virus. It basically just provided instructions on how to download and use Malwarebytes' Anti-Malware software. I was able to get the software onto my infected machine via flash drive and run it. It seems to have stopped the most obvious symptoms of the virus, and I can now navigate the internet etc.

When I return home from work, I will follow the instructions in your post to ensure that I get the entire virus removed. Does the fact that I have already run Malwarebytes' Anti-Malware change what I should do at all?

Thanks,

Chad

#4 Elliot (Retired Staff, Expert, 3,769 posts)
Hi Chad!

That's great! :)

When you get home, just do the following:

Step 1:

OTL
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Custom Scan box, paste in the following:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.

Step 2:

GMER

GMER Rootkit Scanner - Download - Homepage
  • Download GMER
  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:

    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
Caution: Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your post.

Step 3:

Reply

Things I need to see in your reply:
  • Malwarebytes log
  • OTL log
  • GMER log
Thanks!

Elster

#5 chadwheat (Topic Starter, New Member, 8 posts)
Hello Elster,

Here is the content from OTL.txt:

OTL logfile created on: 8/10/2010 8:26:59 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\chadwheat\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,013.00 Mb Total Physical Memory | 208.00 Mb Available Physical Memory | 20.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 54.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 105.23 Gb Total Space | 33.46 Gb Free Space | 31.80% Space Free | Partition Type: NTFS
Drive D: | 6.56 Gb Total Space | 0.67 Gb Free Space | 10.19% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CHADWHEAT-PC
Current User Name: chadwheat
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\Users\chadwheat\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Internet Explorer\ieuser.exe (Microsoft Corporation)
PRC - C:\Program Files\Norton Security Suite\Engine\4.0.0.127\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe (LeapFrog Enterprises, Inc.)
PRC - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe (LeapFrog Enterprises, Inc.)
PRC - C:\Windows\System32\Macromed\Flash\FlashUtil10c.exe (Adobe Systems, Inc.)
PRC - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Palm\Hotsync.exe (PalmSource, Inc)
PRC - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe (Symantec Corporation)
PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe ()
PRC - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe ()
PRC - C:\Program Files\HP Connections\6811507\Program\HP Connections.exe (Hewlett Packard)


========== Modules (SafeList) ==========

MOD - C:\Users\chadwheat\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Program Files\Norton Security Suite\Engine\4.0.0.127\asOEHook.dll (Symantec Corporation)
MOD - C:\Program Files\Norton Security Suite\Engine\4.0.0.127\Microsoft.VC90.CRT\msvcr90.dll (Microsoft Corporation)
MOD - C:\Program Files\Norton Security Suite\Engine\4.0.0.127\Microsoft.VC90.CRT\msvcp90.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6000.16386_none_5d07289e07e1d100\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (LiveUpdate Notice Ex) -- c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe File not found
SRV - (CLTNetCnService) -- c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe File not found
SRV - (N360) -- C:\Program Files\Norton Security Suite\Engine\4.0.0.127\ccSvcHst.exe (Symantec Corporation)
SRV - (LeapFrog Connect Device Service) -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe (LeapFrog Enterprises, Inc.)
SRV - (LiveUpdate Notice Service) -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (Symantec Corporation)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE (Symantec Corporation)
SRV - (Automatic LiveUpdate Scheduler) -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (Symantec Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (CLSched) CyberLink Task Scheduler (CTS) -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe ()
SRV - (CLCapSvc) CyberLink Background Capture Service (CBCS) -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe ()
SRV - (AddFiltr) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe (Hewlett-Packard Development Company, L.P.)


========== Driver Services (SafeList) ==========

DRV - (UIUSys) -- C:\Windows\System32\DRIVERS\UIUSYS.SYS File not found
DRV - (NwlnkFwd) -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- C:\Windows\System32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- C:\Windows\System32\DRIVERS\ipinip.sys File not found
DRV - (blbdrive) -- C:\Windows\System32\drivers\blbdrive.sys File not found
DRV - (SymEvent) -- C:\Windows\System32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (NAVEX15) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100809.002\navex15.sys (Symantec Corporation)
DRV - (NAVENG) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100809.002\naveng.sys (Symantec Corporation)
DRV - (ccHP) -- C:\Windows\system32\drivers\N360\0400000.07F\ccHPx86.sys (Symantec Corporation)
DRV - (SRTSP) -- C:\Windows\system32\drivers\N360\0400000.07F\SRTSP.SYS (Symantec Corporation)
DRV - (SRTSPX) Symantec Real Time Storage Protection (PEL) -- C:\Windows\system32\drivers\N360\0400000.07F\SRTSPX.SYS (Symantec Corporation)
DRV - (SymEFA) -- C:\Windows\system32\drivers\N360\0400000.07F\SYMEFA.SYS (Symantec Corporation)
DRV - (SymIRON) -- C:\Windows\system32\drivers\N360\0400000.07F\Ironx86.SYS (Symantec Corporation)
DRV - (BHDrvx86) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20091205.001\BHDrvx86.sys (Symantec Corporation)
DRV - (SYMTDIV) -- C:\Windows\system32\drivers\N360\0400000.07F\SYMTDIV.SYS (Symantec Corporation)
DRV - (IDSVix86) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20091105.001\IDSVix86.sys (Symantec Corporation)
DRV - (SymDS) -- C:\Windows\system32\drivers\N360\0400000.07F\SYMDS.SYS (Symantec Corporation)
DRV - (FlyUsb) -- C:\Windows\System32\drivers\FlyUsb.sys (LeapFrog)
DRV - (PalmUSBD) -- C:\Windows\System32\drivers\PalmUSBD.sys (PalmSource, Inc.)
DRV - (igfx) -- C:\Windows\System32\drivers\igdkmd32.sys (Intel Corporation)
DRV - (ialm) -- C:\Windows\System32\drivers\igdkmd32.sys (Intel Corporation)
DRV - (LHidFilt) -- C:\Windows\System32\drivers\LHidFilt.Sys (Logitech, Inc.)
DRV - (LMouFilt) -- C:\Windows\System32\drivers\LMouFilt.Sys (Logitech, Inc.)
DRV - (LUsbFilt) -- C:\Windows\System32\drivers\LUsbFilt.sys (Logitech, Inc.)
DRV - (BCM43XX) -- C:\Windows\System32\drivers\BCMWL6.SYS (Broadcom Corporation)
DRV - (BCM43XV) -- C:\Windows\System32\drivers\BCMWL6.SYS (Broadcom Corporation)
DRV - (HdAudAddService) -- C:\Windows\System32\drivers\CHDART.sys (Conexant Systems Inc.)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC)
DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)
DRV - (SynTP) -- C:\Windows\System32\drivers\SynTP.sys (Synaptics, Inc.)
DRV - (NETw3v32) Intel® -- C:\Windows\System32\drivers\NETw3v32.sys (Intel® Corporation)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (SiSRaid2) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\Windows\System32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (HSFHWAZL) -- C:\Windows\System32\drivers\VSTAZL3.SYS (Conexant Systems, Inc.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (E1G60) Intel® -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (HSF_DPV) -- C:\Windows\System32\drivers\HSX_DPV.sys (Conexant Systems, Inc.)
DRV - (HSXHWAZL) -- C:\Windows\System32\drivers\HSXHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\Windows\System32\drivers\HSX_CNXT.sys (Conexant Systems, Inc.)
DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.)
DRV - (eabfiltr) -- C:\Windows\System32\drivers\eabfiltr.sys (Hewlett-Packard Development Company, L.P.)
DRV - (HBtnKey) -- C:\Windows\System32\drivers\CPQBttn.sys (Hewlett-Packard Development Company, L.P.)
DRV - (XLoader) PLEXTOR EZ-USB FX2 FIRMWARE LOADER (XLoader.sys) -- C:\Windows\System32\drivers\XLoader.sys (Plextor Corp.)
DRV - (WISTechVIDCAP) -- C:\Windows\System32\drivers\Xstream.sys (Plextor Corp.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ilion&pf=laptop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...ilion&pf=laptop

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...ilion&pf=laptop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522

FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\ [2010/08/09 22:31:11 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\ [2010/08/09 22:31:20 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.0.0.127\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.0.0.127\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.0.0.127\CoIEPlg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.0.0.127\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [HotSync] C:\Program Files\PalmSource\Desktop\HotSync.exe File not found
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\iexplore.exe.exe File not found
O4 - HKLM..\Run: [Monitor] C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe (LeapFrog Enterprises, Inc.)
O4 - HKLM..\Run: [Symantec PIF AlertEng] C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (Symantec Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKCU..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKLM..\RunOnce: [Launcher] C:\Windows\SMINST\Launcher.exe (soft thinks)
O4 - Startup: C:\Users\chadwheat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} http://web1.shutterf...ds/Uploader.cab (Shutterfly Picture Upload Plugin)
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius....tiveXPlugin.cab (ScorchPlugin Class)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.72.134 68.87.77.134
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img19.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img19.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/12/18 01:12:22 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2005/09/11 10:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3codecp - File not found
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\Windows\System32\DivX.dll (DivXNetworks, Inc.)

CREATERESTOREPOINT
Error creating restore point.

========== Files/Folders - Created Within 90 Days ==========

[2010/08/10 20:25:31 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\chadwheat\Desktop\OTL.exe
[2010/08/09 22:29:13 | 000,124,976 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\SYMEVENT.SYS
[2010/08/09 22:28:15 | 000,340,016 | R--- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\N360\0400000.07F\symtdiv.sys
[2010/08/09 22:28:15 | 000,328,752 | R--- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\N360\0400000.07F\SymDS.sys
[2010/08/09 22:28:15 | 000,325,168 | R--- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\N360\0400000.07F\srtsp.sys
[2010/08/09 22:28:15 | 000,172,592 | R--- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\N360\0400000.07F\SymEFA.sys
[2010/08/09 22:28:15 | 000,116,272 | R--- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\N360\0400000.07F\Ironx86.sys
[2010/08/09 22:28:15 | 000,043,696 | R--- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\N360\0400000.07F\srtspx.sys
[2010/08/09 22:28:14 | 000,501,888 | R--- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\N360\0400000.07F\cchpx86.sys
[2010/08/09 22:27:57 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\N360
[2010/08/09 22:27:57 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\N360\0400000.07F
[2010/08/09 22:27:55 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Security Suite
[2010/08/09 22:27:40 | 000,000,000 | ---D | C] -- C:\Users\chadwheat\Documents\Symantec
[2010/08/09 22:27:40 | 000,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller
[2010/08/09 22:27:40 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2010/08/09 21:58:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2010/08/09 19:06:06 | 000,000,000 | ---D | C] -- C:\Users\chadwheat\AppData\Roaming\Malwarebytes
[2010/08/09 19:05:58 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/08/09 19:05:57 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/08/09 19:05:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/08/09 19:05:56 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/08/08 13:19:56 | 000,000,000 | ---D | C] -- C:\Users\chadwheat\AppData\Local\pyupgwikl
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/08/10 20:48:33 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/08/10 20:48:26 | 002,359,296 | -HS- | M] () -- C:\Users\chadwheat\NTUSER.DAT
[2010/08/10 20:45:28 | 000,001,971 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2010/08/10 20:36:05 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2010/08/10 20:25:41 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\chadwheat\Desktop\OTL.exe
[2010/08/10 20:17:23 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/08/10 20:17:19 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/08/10 20:17:17 | 000,003,072 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/08/09 22:30:24 | 001,862,410 | ---- | M] () -- C:\Windows\System32\drivers\N360\0400000.07F\Cat.DB
[2010/08/09 22:28:39 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\SYMEVENT.SYS
[2010/08/09 22:28:39 | 000,007,443 | ---- | M] () -- C:\Windows\System32\drivers\SYMEVENT.CAT
[2010/08/09 22:28:39 | 000,000,805 | ---- | M] () -- C:\Windows\System32\drivers\SYMEVENT.INF
[2010/08/09 22:28:27 | 000,002,270 | ---- | M] () -- C:\Users\Public\Desktop\Norton Security Suite.lnk
[2010/08/09 22:25:09 | 000,000,903 | ---- | M] () -- C:\Users\chadwheat\Desktop\Norton Installation Files.lnk
[2010/08/09 21:07:30 | 000,716,948 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/08/09 21:07:30 | 000,618,648 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/08/09 21:07:30 | 000,104,024 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/08/09 21:04:43 | 000,000,149 | ---- | M] () -- C:\Users\Public\Documents\hpqp.ini
[2010/08/09 21:03:14 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/09 21:03:04 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/08/09 21:02:58 | 1063,313,408 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/09 21:00:18 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2010/08/09 20:12:35 | 002,351,933 | -H-- | M] () -- C:\Users\chadwheat\AppData\Local\IconCache.db
[2010/08/09 19:57:05 | 000,009,333 | ---- | M] () -- C:\ProgramData\LUUnInstall.LiveUpdate
[2010/08/09 19:08:53 | 000,000,854 | ---- | M] () -- C:\Users\chadwheat\Desktop\iexplore.exe - Shortcut.lnk
[2010/08/09 19:06:00 | 000,000,818 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/08 16:19:45 | 000,001,356 | ---- | M] () -- C:\Users\chadwheat\AppData\Local\d3d9caps.dat
[2010/08/02 19:31:38 | 027,430,753 | ---- | M] () -- C:\Users\chadwheat\Documents\2010-01-06_GilFronsdal_IntroductionToMeditation_1of6.mp3
[2010/06/29 21:38:01 | 000,008,192 | ---- | M] () -- C:\Users\chadwheat\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/09 20:40:50 | 000,015,548 | ---- | M] () -- C:\Users\chadwheat\Documents\Questions_for_Jim(1).xlsx
[2010/05/16 15:46:37 | 005,198,816 | ---- | M] () -- C:\Users\chadwheat\Documents\Chad Wheatley - Credit Report (16May10).one
[2010/05/15 08:38:51 | 000,002,073 | ---- | M] () -- C:\Users\Public\Desktop\Google Earth.lnk
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/09 22:29:45 | 001,862,410 | ---- | C] () -- C:\Windows\System32\drivers\N360\0400000.07F\Cat.DB
[2010/08/09 22:29:13 | 000,007,443 | ---- | C] () -- C:\Windows\System32\drivers\SYMEVENT.CAT
[2010/08/09 22:29:13 | 000,000,805 | ---- | C] () -- C:\Windows\System32\drivers\SYMEVENT.INF
[2010/08/09 22:28:27 | 000,002,270 | ---- | C] () -- C:\Users\Public\Desktop\Norton Security Suite.lnk
[2010/08/09 22:27:57 | 000,007,787 | R--- | C] () -- C:\Windows\System32\drivers\N360\0400000.07F\symnetv.cat
[2010/08/09 22:27:57 | 000,007,444 | R--- | C] () -- C:\Windows\System32\drivers\N360\0400000.07F\SymEFA.cat
[2010/08/09 22:27:57 | 000,007,442 | R--- | C] () -- C:\Windows\System32\drivers\N360\0400000.07F\srtspx.cat
[2010/08/09 22:27:57 | 000,007,438 | R--- | C] () -- C:\Windows\System32\drivers\N360\0400000.07F\srtsp.cat
[2010/08/09 22:27:57 | 000,007,438 | R--- | C] () -- C:\Windows\System32\drivers\N360\0400000.07F\iron.cat
[2010/08/09 22:27:57 | 000,007,425 | R--- | C] () -- C:\Windows\System32\drivers\N360\0400000.07F\SymDS.cat
[2010/08/09 22:27:57 | 000,007,396 | R--- | C] () -- C:\Windows\System32\drivers\N360\0400000.07F\cchpx86.cat
[2010/08/09 22:27:57 | 000,007,368 | R--- | C] () -- C:\Windows\System32\drivers\N360\0400000.07F\SymNet.cat
[2010/08/09 22:27:57 | 000,003,374 | R--- | C] () -- C:\Windows\System32\drivers\N360\0400000.07F\SymEFA.inf
[2010/08/09 22:27:57 | 000,002,793 | R--- | C] () -- C:\Windows\System32\drivers\N360\0400000.07F\SymDS.inf
[2010/08/09 22:27:57 | 000,001,756 | R--- | C] () -- C:\Windows\System32\drivers\N360\0400000.07F\ccHPx86.inf
[2010/08/09 22:27:57 | 000,001,473 | R--- | C] () -- C:\Windows\System32\drivers\N360\0400000.07F\SymNetV.inf
[2010/08/09 22:27:57 | 000,001,445 | R--- | C] () -- C:\Windows\System32\drivers\N360\0400000.07F\SymNet.inf
[2010/08/09 22:27:57 | 000,001,388 | R--- | C] () -- C:\Windows\System32\drivers\N360\0400000.07F\srtspx.inf
[2010/08/09 22:27:57 | 000,001,382 | R--- | C] () -- C:\Windows\System32\drivers\N360\0400000.07F\srtsp.inf
[2010/08/09 22:27:57 | 000,000,742 | R--- | C] () -- C:\Windows\System32\drivers\N360\0400000.07F\Iron.inf
[2010/08/09 22:27:57 | 000,000,172 | ---- | C] () -- C:\Windows\System32\drivers\N360\0400000.07F\isolate.ini
[2010/08/09 22:25:08 | 000,000,903 | ---- | C] () -- C:\Users\chadwheat\Desktop\Norton Installation Files.lnk
[2010/08/09 19:54:04 | 000,009,333 | ---- | C] () -- C:\ProgramData\LUUnInstall.LiveUpdate
[2010/08/09 19:10:21 | 1063,313,408 | -HS- | C] () -- C:\hiberfil.sys
[2010/08/09 19:08:53 | 000,000,854 | ---- | C] () -- C:\Users\chadwheat\Desktop\iexplore.exe - Shortcut.lnk
[2010/08/09 19:06:00 | 000,000,818 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/02 19:31:13 | 027,430,753 | ---- | C] () -- C:\Users\chadwheat\Documents\2010-01-06_GilFronsdal_IntroductionToMeditation_1of6.mp3
[2010/06/05 13:29:46 | 000,015,548 | ---- | C] () -- C:\Users\chadwheat\Documents\Questions_for_Jim(1).xlsx
[2010/05/16 15:46:34 | 005,198,816 | ---- | C] () -- C:\Users\chadwheat\Documents\Chad Wheatley - Credit Report (16May10).one
[2010/05/15 08:38:51 | 000,002,073 | ---- | C] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2009/12/26 10:00:00 | 000,000,110 | ---- | C] () -- C:\Windows\{7E7D778E-121D-4BBD-BA29-FAA81B9FBD8C}_WiseFW.ini
[2009/02/01 22:21:58 | 000,000,094 | ---- | C] () -- C:\Windows\family.ini
[2007/03/17 16:17:33 | 000,000,000 | ---- | C] () -- C:\Windows\OpPrintServer.INI
[2007/02/26 18:54:14 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1187.dll
[2006/11/29 03:32:42 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2006/11/06 07:02:10 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1114.dll
[2006/11/06 05:05:40 | 000,180,224 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/09/19 03:02:40 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/09/19 03:02:40 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2006/03/09 19:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2005/05/08 00:06:00 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2004/09/16 16:24:26 | 003,375,104 | ---- | C] () -- C:\Windows\System32\qt-mt331.dll

========== LOP Check ==========

[2010/02/01 19:15:22 | 000,000,000 | ---D | M] -- C:\Users\chadwheat\AppData\Roaming\eBookPro6
[2008/03/12 21:59:57 | 000,000,000 | ---D | M] -- C:\Users\chadwheat\AppData\Roaming\HotSync
[2007/04/28 07:25:08 | 000,000,000 | ---D | M] -- C:\Users\chadwheat\AppData\Roaming\muvee Technologies
[2007/04/03 20:23:04 | 000,000,000 | ---D | M] -- C:\Users\chadwheat\AppData\Roaming\Template
[2010/08/09 21:00:20 | 000,032,608 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2006/12/18 01:12:22 | 000,000,074 | ---- | M] () -- C:\autoexec.bat
[2007/04/29 08:32:51 | 000,000,090 | ---- | M] () -- C:\bcmwl6.log
[2006/11/02 05:53:57 | 000,438,840 | RHS- | M] () -- C:\bootmgr
[2006/09/18 17:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2010/08/09 21:02:58 | 1063,313,408 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/09 21:02:56 | 1377,239,040 | -HS- | M] () -- C:\pagefile.sys
[2009/02/09 22:05:34 | 000,058,760 | ---- | M] () -- C:\symlcsv1.exe
[2007/03/17 15:06:36 | 000,000,027 | ---- | M] () -- C:\wizard.txt

< %systemroot%\system32\*.wt >

< %systemroot%\system32\*.ruy >

< %systemroot%\Fonts\*.com >
[2006/11/02 08:37:12 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2006/11/02 08:37:12 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2006/11/02 08:37:12 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2006/11/02 08:37:12 | 000,030,808 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2006/09/18 17:37:34 | 000,000,065 | -H-- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2006/11/02 08:35:48 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll
[2006/10/26 23:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\msonpppr.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2008/12/12 04:18:11 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2006/11/02 05:47:18 | 000,228,968 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2007/07/13 03:01:40 | 000,223,232 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/11/02 06:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/02 06:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/02 06:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 06:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 06:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-08-10 00:48:12
< End of report >

#6 chadwheat (New Member, Topic Starter, 8 posts)
Hello Elster:

This is the content from Extras.txt:

OTL Extras logfile created on: 8/10/2010 8:26:59 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\chadwheat\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,013.00 Mb Total Physical Memory | 208.00 Mb Available Physical Memory | 20.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 54.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 105.23 Gb Total Space | 33.46 Gb Free Space | 31.80% Space Free | Partition Type: NTFS
Drive D: | 6.56 Gb Total Space | 0.67 Gb Free Space | 10.19% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CHADWHEAT-PC
Current User Name: chadwheat
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Minimal
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"UacDisableNotify" = 1
"InternetSettingsDisableNotify" = 1
"AutoUpdateDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink -- (EarthLink, Inc.)


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{08353BCA-095B-4C7E-97E6-38B436306156}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{0D26767E-1200-4714-8D7B-5D0C17D364BA}" = protocol=17 | dir=in | app=c:\program files\hp connections\6811507\program\hp connections.exe |
"{1527A20A-9856-4DE3-852A-10E73B707B3C}" = protocol=17 | dir=in | app=c:\program files\hp\quickplay\qp.exe |
"{1F01BF90-4230-48B1-A759-7E8251A1C816}" = protocol=6 | dir=in | app=c:\program files\hp connections\6811507\program\hp connections.exe |
"{209DD644-EE5B-41B3-9983-74E3DBF635F0}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{278F0B4D-D607-41CF-95FA-FD4ED3198B77}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{344114AA-9FB4-48B5-84B2-7994E04D8AC4}" = protocol=6 | dir=in | app=c:\program files\hp connections\6811507\program\hp connections.exe |
"{5D4E537E-DEF2-4B74-B555-EF473F2CC5F4}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{5D752E3B-9435-4FE8-88BA-783E9B4F4ED7}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{76E2CDFA-CC47-44B4-9120-F3214297AC38}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{840EDC5E-633C-4CF3-82C7-E924CA15AC26}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{85E113F6-2BAD-472B-BF41-FECD2C1E6B22}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{97C35DD8-5A0B-4BB2-8E8D-46F3ADD03644}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{A3A3B900-76AB-4184-8FE2-5A2BC2A9FD0B}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{C1729459-FF53-4016-955F-F16A89461BFD}" = dir=in | app=c:\program files\hp connections\6811507\program\hp connections |
"{DF34F3B4-1E33-4238-9468-FEC89F04C1AD}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{E76B4AC4-ED29-487A-AE3B-AD101B503B38}" = protocol=17 | dir=in | app=c:\program files\hp connections\6811507\program\hp connections.exe |
"{F5FAE2A8-D534-43B4-8A75-DFB5F4F8B543}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{F68661BE-C072-4C3F-8437-B845A302674C}" = protocol=6 | dir=in | app=c:\program files\hp connections\6811507\program\hp connections.exe |
"{FF410DC1-9B89-450A-9149-56091397F842}" = protocol=6 | dir=in | app=c:\program files\hp\quickplay\qp.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02DC3C69-02AF-47C2-9B68-AA2A69631CF8}" = DigiTech X-Edit 2.4.1
"{02F33FB0-F7D5-4C0A-B4AD-8CE5CE230BBE}" = HP Wireless Assistant
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}" = Roxio Creator EasyArchive
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1F8D80B7-CD77-49CB-8015-E2EAE2033126}" = DigiTech RP250 Drivers
"{228C6B46-64E2-404E-898A-EF0830603EF4}" = HPNetworkAssistant
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 21
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java™ SE Runtime Environment 6
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{33C65B6A-5D73-4E3E-A1F9-127C27BD3F72}" = Roxio MyDVD Basic v9
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.10 B9
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{40F7AED3-0C7D-4582-99F6-484A515C73F2}" = HP Easy Setup - Frontend
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP QuickPlay 3.0
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library
"{68E7E8BD-2233-49BE-81D6-1A1FAF1B5196}" = RAW Image Task 1.1
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{779A19AC-A302-425D-B295-F12116C2D731}" = DGOControls
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7E15C4B8-85FC-4539-94F2-8280C0B213A3}" = LeapFrog Tag Plugin
"{7E7D778E-121D-4BBD-BA29-FAA81B9FBD8C}" = LeapFrog Connect
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{99C5770C-1C90-42E7-9B74-D47CFAF14621}" = muvee autoProducer 5.0
"{9E2CCD5E-1990-4EF2-9B61-32F0BBACC29B}" = HP Active Support Library
"{A12A3DED-CCDA-4F29-A1BA-00F0C6521CD5}" = HP Total Care Advisor
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AB5E289E-76BF-4251-9F3F-9B763F681AE0}" = HP Customer Experience Enhancements
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}" = Canon PhotoRecord
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator Basic v9
"{C8E4455F-0F70-4DA2-A9F9-2D56C80E10AD}" = Sibelius Scorch (ActiveX Only)
"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF2C1A86-5A98-4862-A3AE-9992E3A6427D}" = RemoteCapture Task 1.0.3
"{D9DE9E03-71CA-423B-B101-57F13A751003}" = LeapFrog Tag Junior Plugin
"{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}" = LiveUpdate Notice (Symantec Corporation)
"{DBEA1034-5882-4A88-8033-81C4EF0CFA29}" = Google Toolbar for Internet Explorer
"{E1180142-3B31-4DCC-9D27-7AC2D37662BF}" = LightScribe 1.4.124.1
"{E4DDBA93-769B-49D8-BA33-8814E45ED0C1}" = HP Help and Support
"{ED4905E3-2B32-4DD8-BC14-7CAFD30E9ECD}" = HP User Guide 0048
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"{F94234DB-FD06-42C3-B88D-6FC4DC9F988C}" = HP Easy Setup - Core
"{FAB0C302-CB18-4A7A-BA03-C3DC23101A68}" = ASL_HS_Installer32
"{FD6034A3-655C-49F0-B496-D4CBFD74D7A7}" = Palm Desktop by ACCESS
"0E5906722E3ECA13747F1633D3F55E9F47120424" = Windows Driver Package - LeapFrog (FlyUsb) USB (06/15/2007 1.0.0.6)
"781745E87AFF80C0C1388CFF79D19ECAB2E9BB47" = Windows Driver Package - LeapFrog (FlyUsb) USB (11/05/2008 1.1.1.0)
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
"CameraUserGuide-PSSD1200IS_IXUS95IS" = Canon PowerShot SD1200 IS_IXUS 95 IS Camera User Guide
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"CNXT_HDAUDIO" = Conexant HD Audio
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_5045&SUBSYS_103C30B7" = Soft Data Fax Modem with SmartCP
"DigiTech RP250 Drivers" = DigiTech RP250 Drivers
"Google Chrome" = Google Chrome
"Google Updater" = Google Updater
"HDMI" = Intel® Graphics Media Accelerator Driver
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"HPOOVClient-6811507 Uninstaller" = HP Connections (remove only)
"InstallShield_{68E7E8BD-2233-49BE-81D6-1A1FAF1B5196}" = Canon RAW Image Task for ZoomBrowser EX
"InstallShield_{CF2C1A86-5A98-4862-A3AE-9992E3A6427D}" = Canon RemoteCapture Task for ZoomBrowser EX
"LiveUpdate" = LiveUpdate 3.2 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"N360" = Norton Security Suite
"Personal Printing Guide" = Canon Personal Printing Guide
"PhotoStitch" = Canon Utilities PhotoStitch
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"SoftwareStarterGuide-DCSD40_46" = Canon Digital Camera Solution Disk 40-46 Software Starter Guide
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TagJuniorPlugin" = Use the entry named LeapFrog Connect to uninstall (LeapFrog Tag Junior Plugin)
"TagPlugin" = Use the entry named LeapFrog Connect to uninstall (LeapFrog Tag Plugin)
"UPCShell" = LeapFrog Connect
"WildTangent hplaptop Master Uninstall" = My HP Games
"Yahoo! Companion" = Yahoo! Toolbar for Internet Explorer
"Yahoo! Toolbar" = Yahoo! Toolbar
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/9/2010 10:29:55 PM | Computer Name = chadwheat-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 8/9/2010 10:29:55 PM | Computer Name = chadwheat-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 8/9/2010 10:29:55 PM | Computer Name = chadwheat-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 8/9/2010 10:29:58 PM | Computer Name = chadwheat-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 8/9/2010 10:29:59 PM | Computer Name = chadwheat-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 8/9/2010 10:29:59 PM | Computer Name = chadwheat-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 8/9/2010 10:30:00 PM | Computer Name = chadwheat-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 8/9/2010 10:30:01 PM | Computer Name = chadwheat-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 8/9/2010 10:30:01 PM | Computer Name = chadwheat-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 8/9/2010 10:30:03 PM | Computer Name = chadwheat-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

[ System Events ]
Error - 8/9/2010 7:04:39 PM | Computer Name = chadwheat-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 8/9/2010 7:11:38 PM | Computer Name = chadwheat-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 8/9/2010 7:16:15 PM | Computer Name = chadwheat-PC | Source = DCOM | ID = 10010
Description =

Error - 8/9/2010 7:30:46 PM | Computer Name = chadwheat-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 8/9/2010 7:34:29 PM | Computer Name = chadwheat-PC | Source = DCOM | ID = 10010
Description =

Error - 8/9/2010 7:54:39 PM | Computer Name = chadwheat-PC | Source = DCOM | ID = 10010
Description =

Error - 8/9/2010 7:59:47 PM | Computer Name = chadwheat-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 8/9/2010 8:13:05 PM | Computer Name = chadwheat-PC | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.8 for the Network Card with network
address 001A7319CBF4 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 8/9/2010 8:44:54 PM | Computer Name = chadwheat-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 8/9/2010 9:03:49 PM | Computer Name = chadwheat-PC | Source = Service Control Manager | ID = 7000
Description =


< End of report >

#7 chadwheat (New Member, Topic Starter, 8 posts)
Hi Elster,

I have tried three times to run gmer, but I have not been able to get the scan to complete. I have noticed that the scan results in 100% CPU usage. It has frozen on all three occasions, and I ultimately get a message that the program is no longer responding. On one occasion, the computer rebooted automatically.

Lastly, I am not able to find the log file from the Malwarebytes' Anti-Malware scan that I had previously completed.

Any thoughts on how I should proceed with regard to these two items?

Thanks,

Chad

#8 Elliot (Retired Staff, Expert, 3,769 posts)
Hi Chad!

Any thoughts on how I should proceed with regard to these two items?

Yup! Don't worry about them. :) We'll just move on.


Step 1:

OTL

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2010/08/08 13:19:56 | 000,000,000 | ---D | C] -- C:\Users\chadwheat\AppData\Local\pyupgwikl
    [2010/08/08 16:19:45 | 000,001,356 | ---- | M] () -- C:\Users\chadwheat\AppData\Local\d3d9caps.dat
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Then post a new OTL log

Step 2:

ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


Step 3:

Reply

Things I need to see in your reply:
  • OTL log
  • ComboFix log
  • How is your computer running?
Thanks!

Elster

#9 chadwheat (New Member, Topic Starter, 8 posts)
Hi Elster,

Here is the OTL log from the Run Fix:

All processes killed
========== OTL ==========
C:\Users\chadwheat\AppData\Local\pyupgwikl folder moved successfully.
C:\Users\chadwheat\AppData\Local\d3d9caps.dat moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: chadwheat
->Temp folder emptied: 10815587 bytes
->Temporary Internet Files folder emptied: 478208870 bytes
->Java cache emptied: 20703352 bytes
->Flash cache emptied: 337608 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1243339 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1619274 bytes
RecycleBin emptied: 1204176367 bytes

Total Files Cleaned = 1,638.00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 08122010_211514

Files\Folders moved on Reboot...
C:\Users\chadwheat\AppData\Local\Temp\ehmsas.txt moved successfully.
C:\Users\chadwheat\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WN15L5WO\hp-laptop_aol_com[2].htm moved successfully.
C:\Users\chadwheat\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U4HF7RZP\load_v6[4].htm moved successfully.
C:\Users\chadwheat\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N5BNYVBE\like[2].htm moved successfully.
C:\Users\chadwheat\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N5BNYVBE\tcodewads_at[2].htm moved successfully.
C:\Users\chadwheat\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EVQC55QX\like[1].htm moved successfully.
C:\Users\chadwheat\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2DQO42GN\283906-hijacked-by-virus-antivir-solutions[1].htm moved successfully.
C:\Users\chadwheat\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2DQO42GN\xd_proxy[1].htm moved successfully.
C:\Users\chadwheat\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.

Registry entries deleted on Reboot...

#10 chadwheat (New Member, Topic Starter, 8 posts)
Hi Elster,

Here is the Combofix log:

ComboFix 10-08-12.02 - chadwheat 08/12/2010 21:59:18.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1013.378 [GMT -4:00]
Running from: c:\users\chadwheat\Desktop\ComboFix.exe
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Security Suite *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-07-13 to 2010-08-13 )))))))))))))))))))))))))))))))
.

2010-08-13 02:10 . 2010-08-13 02:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-13 01:48 . 2010-08-13 01:52 -------- d-----w- C:\32788R22FWJFW
2010-08-13 01:15 . 2010-08-13 01:15 -------- d-----w- C:\_OTL
2010-08-12 01:55 . 2010-08-12 02:10 -------- d-----w- c:\users\chadwheat\AppData\Roaming\ZoomBrowser EX
2010-08-12 01:52 . 2010-08-12 01:56 -------- d-----w- c:\users\chadwheat\AppData\Roaming\CameraWindowDC
2010-08-12 01:52 . 2010-08-12 01:52 -------- d-----w- c:\users\chadwheat\AppData\Roaming\CANON INC
2010-08-10 02:29 . 2009-05-18 22:17 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-08-10 02:29 . 2008-04-17 21:12 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-08-10 02:29 . 2010-08-10 02:28 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-08-10 02:27 . 2010-08-13 01:21 -------- d-----w- c:\windows\system32\drivers\N360
2010-08-10 02:27 . 2010-08-10 02:27 -------- d-----w- c:\program files\Norton Security Suite
2010-08-10 02:27 . 2010-08-10 02:27 -------- d-----w- c:\programdata\NortonInstaller
2010-08-10 02:27 . 2010-08-10 02:27 -------- d-----w- c:\program files\NortonInstaller
2010-08-10 01:58 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-09 23:06 . 2010-08-09 23:06 -------- d-----w- c:\users\chadwheat\AppData\Roaming\Malwarebytes
2010-08-09 23:05 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-09 23:05 . 2010-08-09 23:05 -------- d-----w- c:\programdata\Malwarebytes
2010-08-09 23:05 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-09 23:05 . 2010-08-09 23:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-13 01:18 . 2006-12-18 04:05 12 ----a-w- c:\windows\bthservsdp.dat
2010-08-12 07:04 . 2006-12-18 04:50 -------- d-----w- c:\programdata\Microsoft Help
2010-08-12 01:37 . 2008-08-31 01:56 -------- d-----w- c:\programdata\Google Updater
2010-08-11 01:00 . 2006-12-18 04:37 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-08-10 02:29 . 2006-12-18 04:37 -------- d-----w- c:\program files\Symantec
2010-08-10 02:28 . 2010-08-10 02:29 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-08-10 02:28 . 2010-08-10 02:29 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-08-10 02:27 . 2009-12-15 23:52 -------- d-----w- c:\programdata\Norton
2010-08-10 01:58 . 2006-12-18 05:26 -------- d-----w- c:\program files\Common Files\Java
2010-08-10 01:58 . 2006-12-18 05:26 -------- d-----w- c:\program files\Java
2010-08-09 23:56 . 2006-12-18 04:37 -------- d-----w- c:\programdata\Symantec
2010-07-20 11:40 . 2009-03-20 00:16 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-05 23:39 . 2006-12-18 04:32 -------- d-----w- c:\programdata\Roxio
2010-06-19 13:03 . 2007-03-18 01:04 -------- d-----w- c:\users\chadwheat\AppData\Roaming\Apple Computer
2010-05-21 18:14 . 2009-10-03 01:23 221568 ------w- c:\windows\system32\MpSigStub.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2006-11-22 1474560]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-04-12 1006264]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-11-24 167936]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-15 70912]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 101136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 151552]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 126976]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

c:\users\chadwheat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]
HP Connections.lnk - c:\program files\HP Connections\6811507\Program\HP Connections.exe [2006-12-18 34520]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 gupdate1ca030a795f1c0;Google Update Service (gupdate1ca030a795f1c0);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-12 133104]
R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [2008-11-25 19456]
R3 XLoader;PLEXTOR EZ-USB FX2 FIRMWARE LOADER (XLoader.sys);c:\windows\system32\Drivers\XLoader.sys [2004-09-04 13184]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\SYMDS.SYS [2009-10-15 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\SYMEFA.SYS [2010-04-22 173104]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100719.001\BHDrvx86.sys [2010-07-20 692272]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0402000.00C\ccHPx86.sys [2010-02-26 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100809.001\IDSvix86.sys [2010-06-17 344112]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0402000.00C\Ironx86.SYS [2010-04-29 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\N360\0402000.00C\SYMTDIV.SYS [2010-05-06 339504]
S2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe [2010-02-26 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-08-09 102448]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2010-08-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-01 00:46]

2010-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-12 16:01]

2010-08-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-12 16:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\iexplore.exe.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-12 22:12
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\CHADWH~1\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5400)
c:\windows\system32\timedate.cpl
c:\windows\system32\actxprxy.dll
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
c:\windows\system32\ntshrui.dll
.
Completion time: 2010-08-12 22:18:54
ComboFix-quarantined-files.txt 2010-08-13 02:18

Pre-Run: 40,905,248,768 bytes free
Post-Run: 40,851,636,224 bytes free

- - End Of File - - C2BB59FF81B4B15205539B4C85014B1A
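Two lines in the ComboFix log above are worth pulling out for anyone reading this type of report: the user-level Internet Explorer proxy set to 127.0.0.1:6522 (a local listener on that port sits between the browser and every site, which is consistent with the "cannot go to any other site" symptom), and the Security Center "DisableMonitoring" entries. The following checker is an added example, not code from the thread, from ComboFix or from Geeks to Go; the sample input is constructed from a handful of the log's own lines, and the severity labels and indicator names are this example's own choices.

```python
"""Flag browser-hijack indicators in ComboFix-style report lines.

Added example for this thread (not ComboFix's or the forum's own code).
It reads lines in the 'Supplementary Scan' / 'Reg Loading Points' format
shown in the log above and surfaces three things a helper reviews by hand:
an IE proxy pointed at the loopback address, Security Center monitoring
switched off, and an autorun target with a doubled .exe extension.
"""
import re
from dataclasses import dataclass

# Constructed sample input: a few lines in ComboFix's format, modelled on the
# log posted above (the port and key names are the ones shown there).
SAMPLE_LOG = r"""
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\iexplore.exe.exe
"""


@dataclass
class Finding:
    severity: str   # "high", "review" or "info" (labels chosen for this example)
    indicator: str  # short machine-readable tag
    detail: str     # human-readable explanation


PROXY_RE = re.compile(r"^(?P<scope>[um])Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def parse_proxy_value(value: str):
    """Split an IE ProxyServer value into (scheme, host, port) tuples.

    Handles the per-protocol form 'http=host:port;https=host:port' and the
    bare 'host:port' form; a missing scheme is reported as '*'.
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")   # scheme is empty for bare host:port
        host, _, port = hostport.rpartition(":")
        if not host:                                 # no ':' at all, whole thing is the host
            host, port = hostport, ""
        entries.append((scheme or "*", host, port))
    return entries


def scan_report(text: str):
    """Walk the report line by line and return a list of Finding objects."""
    findings = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()

        m = PROXY_RE.match(line)
        if m:
            scope = "user" if m.group("scope") == "u" else "machine"
            for scheme, host, port in parse_proxy_value(m.group("value")):
                if host.lower() in LOOPBACK_HOSTS:
                    findings.append(Finding(
                        "high", "loopback-proxy",
                        f"{scope} IE proxy for {scheme} points at {host}:{port or '?'}; "
                        "a local listener on that port can intercept or block browsing"))
            continue

        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")             # remember the section for dword lines
            continue

        m = DWORD_RE.match(line)
        if (m and current_key
                and "security center\\monitoring" in current_key.lower()
                and m.group("name").lower() == "disablemonitoring"
                and int(m.group("hex"), 16) == 1):
            findings.append(Finding(
                "review", "security-center-monitoring-off",
                f"DisableMonitoring=1 under {current_key}; third-party suites set this "
                "for their own subkeys, so confirm it matches the installed AV"))
            continue

        if "-Run-" in line and line.lower().endswith(".exe.exe"):
            findings.append(Finding(
                "info", "double-exe-autorun",
                f"autorun target has a doubled extension: {line}"))
    return findings


if __name__ == "__main__":
    for f in scan_report(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.indicator}: {f.detail}")
```

The loopback proxy is the only indicator rated "high": a proxy that points at an ordinary corporate host produces no finding, so the check does not fire on normal managed machines. The DisableMonitoring entries are rated "review" rather than "high" because a legitimate third-party suite (Norton, in this log) registers its own subkeys there; the point is to confirm the entries match what is actually installed. The doubled-extension line is only surfaced for a human to look at, since in this thread the path sits inside the Malwarebytes program folder.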

#11 chadwheat (New Member, Topic Starter, 8 posts)
Hi Elster,

Lastly, I think my machine is running ok. Virtually everything was running slow as I was trying to download combofix, but I rebooted after the scan was completed and performance seems to have improved. I'll continue to monitor as I continue to use it.

The only thing that I have noticed for sure that isn't working is a piece of software called 'HP Advisor' that gives you a status for your battery, security, backups (general system stuff). This program runs each time I boot up the machine. Since the virus, I get a message indicating that the program has had some type of problem and will be shut down.

As I mentioned in a previous post, the major symptoms that the virus caused have been resolved.

Thanks,

Chad

#12 Elliot (Retired Staff, Expert, 3,769 posts)
Hi Chad,

Everything looks good, but I want to run a couple of follow-up scans just to make sure.


Step 1:

Malwarebytes

Please run a Quick Scan with Malwarebytes. Remove any threats found, then post the log in your reply.


Step 2:

Online scan

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Step 3:

Reply

Things I need to see in your reply:
  • MBAM log
  • ESET log

Regarding your HP Advisor, this is not a necessary program (in fact, it basically just uses up resources in your computer, slowing its performance) and can be removed if you wish. If it is a feature you like, you may try uninstalling it and then re-installing it. If you don't have it on a disk, you may download it from HP's website.

Thanks!

Elster