Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

XP Home Security 2012 virus help? [Closed]

Started by ikissedyomomma , Dec 01 2011 11:21 PM

  • This topic is locked This topic is locked

#1
ikissedyomomma
Posted 01 December 2011 - 11:21 PM

ikissedyomomma

    Member

  • Member
  • PipPip
  • 35 posts
I have the virus XP Home Security 2012 on my computer, I've ran malwarebytes 4 times but it's still here. The log says it's been deleted successfully, but I've tracked the virus down and found out where it's located, I've tried deleting it myself but it says something like "Cannot delete flp: Access is Denied". Is there any possible way where I can go step by step to delete this? I just don't know what to do. Thank you!

Here's the log from Malwarebytes.



Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8288

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

12/2/2011 12:08:14 AM
mbam-log-2011-12-02 (00-08-14).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 232213
Time elapsed: 21 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Jessica\Local Settings\Application Data\flp.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Jessica\Local Settings\Application Data\flp.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Jessica\Local Settings\Application Data\flp.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




I appreciate any help I receive! I'll do anything to get rid of this virus.
  • 0

Advertisements

#2
Essexboy
Posted 02 December 2011 - 01:52 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there lets have a proper look see

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    consrv.dll
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
    C:\Windows\assembly\tmp\U\*.* /s
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs

THEN

Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it Click the "Scan" button to start scan

Posted Image

On completion of the scan click save log, save it to your desktop and post in your next reply

Posted Image
  • 0

#3
ikissedyomomma
Posted 02 December 2011 - 07:26 PM

ikissedyomomma

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
OTL.Txt:



OTL logfile created on: 12/2/2011 8:05:00 PM - Run 4
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Jessica\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.73 Mb Total Physical Memory | 592.54 Mb Available Physical Memory | 57.94% Memory free
2.40 Gb Paging File | 1.95 Gb Available in Paging File | 81.04% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 24.41 Gb Total Space | 6.13 Gb Free Space | 25.09% Space Free | Partition Type: NTFS
Drive D: | 50.11 Gb Total Space | 50.03 Gb Free Space | 99.84% Space Free | Partition Type: NTFS
Unable to calculate disk information.
Drive H: | 7.40 Gb Total Space | 5.11 Gb Free Space | 69.13% Space Free | Partition Type: FAT32

Computer Name: JESSICAA | User Name: Jessica | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/02 02:46:34 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jessica\My Documents\Downloads\OTL.com
PRC - [2011/11/19 00:23:01 | 006,860,960 | ---- | M] (Spotify Ltd) -- C:\Documents and Settings\Jessica\Application Data\Spotify\spotify.exe
PRC - [2011/06/28 09:58:08 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/06/28 09:58:07 | 000,567,464 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
PRC - [2011/04/27 05:37:04 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/09/14 14:37:25 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/04/30 19:01:10 | 000,154,136 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PRC - [2008/04/13 19:12:31 | 000,017,920 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ping.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2010/09/14 14:38:29 | 000,355,688 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2008/06/20 11:02:47 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2008/06/20 11:02:47 | 000,245,248 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll
MOD - [2006/10/22 14:22:00 | 000,212,992 | ---- | M] () -- C:\WINDOWS\system32\nvapi.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Secunia Update Agent)
SRV - File not found [Auto | Stopped] -- -- (Akamai)
SRV - [2011/06/28 09:58:08 | 000,428,200 | ---- | M] (Avira GmbH) [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE -- (AntiVirWebService)
SRV - [2011/06/28 09:58:08 | 000,340,136 | ---- | M] (Avira GmbH) [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avmailc.exe -- (AntiVirMailService)
SRV - [2011/06/28 09:58:08 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/06/28 09:58:07 | 000,567,464 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe -- (AntiVirFirewallService)
SRV - [2011/04/27 05:37:04 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/04/30 19:01:10 | 000,154,136 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)


========== Driver Services (SafeList) ==========

DRV - [2011/06/28 09:58:08 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/06/28 09:58:08 | 000,106,904 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avfwot.sys -- (avfwot)
DRV - [2011/06/28 09:58:08 | 000,082,952 | ---- | M] (Avira GmbH) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avfwim.sys -- (avfwim)
DRV - [2011/06/28 09:58:08 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/09/14 14:39:05 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/09/14 14:37:15 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/04/30 19:00:12 | 000,025,624 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2009/04/30 18:03:30 | 000,023,832 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvuvcflt.sys -- (FilterService)
DRV - [2009/04/30 18:03:08 | 006,754,712 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) Logitech Webcam 250(UVC)
DRV - [2009/04/30 18:01:36 | 000,265,496 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2009/04/30 18:00:00 | 000,114,712 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvpopflt.sys -- (lvpopflt)
DRV - [2007/02/08 08:45:14 | 000,029,184 | R--- | M] (Thesycon GmbH, Germany) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dsiarhwprog.sys -- (dsiarhwprog)
DRV - [2007/02/07 22:30:30 | 000,392,704 | R--- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2007/02/07 22:30:30 | 000,033,995 | R--- | M] (Sonic Focus, Inc) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sf.sys -- (sf)
DRV - [2006/05/05 21:21:00 | 000,004,608 | ---- | M] (NVIDIA Corporation.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\nvport.sys -- (nvport)
DRV - [2006/03/29 10:49:26 | 000,009,856 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1819643104-910290269-4184997253-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar =
IE - HKU\S-1-5-21-1819643104-910290269-4184997253-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKU\S-1-5-21-1819643104-910290269-4184997253-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.search.ya...043,16898,0,8,0
IE - HKU\S-1-5-21-1819643104-910290269-4184997253-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-1819643104-910290269-4184997253-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-1819643104-910290269-4184997253-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = EA 82 44 DB 07 66 CC 01 [binary data]
IE - HKU\S-1-5-21-1819643104-910290269-4184997253-1005\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
IE - HKU\S-1-5-21-1819643104-910290269-4184997253-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/10 14:35:18 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/12/01 20:37:29 | 000,000,000 | ---D | M]

[2010/09/15 16:51:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jessica\Application Data\Mozilla\Extensions
[2010/09/15 16:51:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jessica\Application Data\Mozilla\Extensions\[email protected]
[2011/10/27 01:08:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\k1lygot7.default\extensions
[2010/12/11 20:27:44 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\k1lygot7.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/10/17 21:46:19 | 000,000,000 | ---D | M] (RawCoupon Community Toolbar) -- C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\k1lygot7.default\extensions\{93130a67-a674-4177-952a-7d803ce57924}
[2011/07/28 19:32:35 | 000,000,000 | ---D | M] (BitDefender QuickScan) -- C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\k1lygot7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
[2011/08/31 17:36:23 | 000,000,000 | ---D | M] (SweetIM Toolbar for Firefox) -- C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\k1lygot7.default\extensions\{EEE6C361-6118-11DC-9C72-001320C79847}
[2011/10/18 01:38:59 | 000,000,000 | ---D | M] (ShopAtHome.com Toolbar) -- C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\k1lygot7.default\extensions\[email protected]
[2011/10/09 11:11:32 | 000,000,921 | ---- | M] () -- C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\k1lygot7.default\searchplugins\conduit.xml
[2010/10/28 07:21:32 | 000,002,228 | ---- | M] () -- C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\k1lygot7.default\searchplugins\iBryte_potfarm.xml
[2011/08/31 17:35:53 | 000,003,915 | ---- | M] () -- C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\k1lygot7.default\searchplugins\SweetIM Search.xml
[2011/08/31 17:36:19 | 000,003,915 | ---- | M] () -- C:\Documents and Settings\Jessica\Application Data\Mozilla\Firefox\Profiles\k1lygot7.default\searchplugins\sweetim.xml
[2011/11/10 14:35:26 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/11/10 14:35:18 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/04/14 07:08:00 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/10 14:35:18 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: SweetIM Search ()
CHR - default_search_provider: search_url = http://search.sweeti...C-443A20F8B47B}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}

Hosts file not found
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3 - HKU\S-1-5-21-1819643104-910290269-4184997253-1005\..\Toolbar\WebBrowser: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe ()
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKU\S-1-5-21-1819643104-910290269-4184997253-1005..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent File not found
O4 - HKU\S-1-5-21-1819643104-910290269-4184997253-1005..\Run: [Logitech Vid] C:\Program Files\Logitech\Vid HD\Vid.exe (Logitech Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1819643104-910290269-4184997253-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1819643104-910290269-4184997253-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1819643104-910290269-4184997253-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - mswsock.dll File not found
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} file:///E:/components/hidinputmonitorx.ocx (HidInputMonitorX Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} file:///E:/components/A9.ocx (A9Helper.A9)
O16 - DPF: {7030CC6C-1A88-4591-BB5A-651B9F7F0C30} file:///E:/components/wmvhdrating.ocx (WMVHDRatingCtrl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_25)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.68.166 68.87.74.166
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2F5F9398-AF2C-47F6-B9ED-11B076565380}: DhcpNameServer = 68.87.68.166 68.87.74.166
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Jessica\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jessica\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/11 12:43:25 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-1819643104-910290269-4184997253-1005..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-1819643104-910290269-4184997253-1005\...exe [@ = ah] -- "C:\Documents and Settings\Jessica\Local Settings\Application Data\flp.exe" -a "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/12/01 18:40:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
[2011/12/01 18:32:36 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2011/11/28 01:11:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jessica\My Documents\LimeWire
[2011/11/28 01:09:58 | 000,000,000 | ---D | C] -- C:\Program Files\LimeWire
[2011/11/15 03:12:54 | 002,060,760 | ---- | C] (Bandoo Media Inc. ) -- C:\Documents and Settings\Jessica\Desktop\iLividSetupV1.exe

========== Files - Modified Within 30 Days ==========

[2011/12/02 20:00:36 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/12/02 19:51:00 | 000,000,888 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/12/02 07:04:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/12/02 05:51:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/12/02 02:23:03 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/02 02:21:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/02 02:21:54 | 1072,480,256 | -HS- | M] () -- C:\hiberfil.sys
[2011/12/02 02:21:51 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2011/12/02 00:41:52 | 000,015,798 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\e8cu43g8kg1coi
[2011/12/02 00:41:52 | 000,015,798 | -H-- | M] () -- C:\Documents and Settings\Jessica\Local Settings\Application Data\e8cu43g8kg1coi
[2011/12/01 20:26:19 | 000,088,566 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/12/01 18:32:38 | 000,002,855 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hooblahh.pif
[2011/11/30 21:41:14 | 000,036,948 | ---- | M] () -- C:\Documents and Settings\Jessica\Desktop\14076570.gif
[2011/11/29 05:39:47 | 000,125,135 | ---- | M] () -- C:\Documents and Settings\Jessica\Desktop\Chocobo.jpg
[2011/11/29 05:15:02 | 000,052,581 | ---- | M] () -- C:\Documents and Settings\Jessica\Desktop\Baby_chocobo.jpg
[2011/11/29 05:12:01 | 000,039,799 | ---- | M] () -- C:\Documents and Settings\Jessica\Desktop\FFVII-Chocobo.jpg
[2011/11/29 04:48:17 | 000,011,889 | ---- | M] () -- C:\Documents and Settings\Jessica\Desktop\monkey_cartoon4.gif
[2011/11/24 13:06:06 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Jessica\Application Data\subv.exe
[2011/11/15 03:12:54 | 002,060,760 | ---- | M] (Bandoo Media Inc. ) -- C:\Documents and Settings\Jessica\Desktop\iLividSetupV1.exe
[2011/11/11 13:30:18 | 000,501,382 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/11/11 13:30:18 | 000,087,010 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/11/10 12:04:32 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK

========== Files Created - No Company Name ==========

[2011/12/02 02:21:54 | 1072,480,256 | -HS- | C] () -- C:\hiberfil.sys
[2011/12/01 17:47:00 | 000,015,798 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\e8cu43g8kg1coi
[2011/12/01 17:47:00 | 000,015,798 | -H-- | C] () -- C:\Documents and Settings\Jessica\Local Settings\Application Data\e8cu43g8kg1coi
[2011/11/30 21:41:10 | 000,036,948 | ---- | C] () -- C:\Documents and Settings\Jessica\Desktop\14076570.gif
[2011/11/29 05:39:47 | 000,125,135 | ---- | C] () -- C:\Documents and Settings\Jessica\Desktop\Chocobo.jpg
[2011/11/29 05:15:01 | 000,052,581 | ---- | C] () -- C:\Documents and Settings\Jessica\Desktop\Baby_chocobo.jpg
[2011/11/29 05:12:00 | 000,039,799 | ---- | C] () -- C:\Documents and Settings\Jessica\Desktop\FFVII-Chocobo.jpg
[2011/11/29 04:48:12 | 000,011,889 | ---- | C] () -- C:\Documents and Settings\Jessica\Desktop\monkey_cartoon4.gif
[2011/11/24 13:06:06 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jessica\Application Data\subv.exe
[2011/08/22 02:23:42 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/09 16:00:30 | 000,000,085 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2011/03/22 22:16:10 | 000,001,223 | ---- | C] () -- C:\WINDOWS\hegames.ini
[2010/12/11 22:01:14 | 000,082,289 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2010/10/28 07:21:39 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\Jessica\Local Settings\Application Data\fusioncache.dat
[2010/10/06 01:47:57 | 000,002,560 | ---- | C] () -- C:\WINDOWS\_MSRSTRT.EXE
[2009/06/11 13:35:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/06/11 12:46:02 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/06/11 12:40:16 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/06/11 05:31:37 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/06/11 05:30:27 | 003,447,096 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/05/08 13:13:04 | 000,013,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLFT2.dll
[2009/04/30 19:00:12 | 000,025,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2006/10/22 14:22:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/10/22 14:22:00 | 001,622,016 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2006/10/22 14:22:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/10/22 14:22:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/10/22 14:22:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/10/22 14:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/10/22 14:22:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/10/22 14:22:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2006/10/22 14:22:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2006/10/22 14:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/10/22 14:22:00 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/02/28 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/28 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/28 07:00:00 | 000,501,382 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/28 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/28 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/28 07:00:00 | 000,087,010 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/28 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/28 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/28 07:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/28 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/28 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2006/02/28 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2002/01/01 01:34:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat

========== LOP Check ==========

[2010/11/11 18:18:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Canneverbe Limited
[2011/08/24 14:10:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Electronic Arts
[2011/06/07 05:30:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Giraffic
[2011/10/14 13:03:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\regid.1986-12.com.adobe
[2011/04/14 21:43:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2011/10/27 01:08:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer
[2011/04/07 23:08:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Transparent
[2010/11/11 18:18:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jessica\Application Data\Canneverbe Limited
[2011/10/14 12:27:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jessica\Application Data\com.adobe.downloadassistant.AdobeDownloadAssistant
[2011/06/11 23:16:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jessica\Application Data\FrostWire
[2010/12/31 21:29:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jessica\Application Data\GetRightToGo
[2010/12/11 22:02:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jessica\Application Data\Leadertech
[2011/01/01 04:52:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jessica\Application Data\Opera
[2010/11/14 22:30:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jessica\Application Data\PlayFirst
[2011/09/20 21:29:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jessica\Application Data\Pokemon Online
[2011/09/02 00:20:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jessica\Application Data\PriceGong
[2011/06/29 18:42:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jessica\Application Data\QuickScan
[2011/12/02 18:41:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jessica\Application Data\Spotify
[2010/10/06 01:05:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jessica\Application Data\Uniblue
[2011/10/27 01:10:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jessica\Application Data\Unity

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: EXPLORER.EXE >
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2006/02/28 07:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: SVCHOST.EXE >
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ERDNT\cache\svchost.exe
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2006/02/28 07:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

< MD5 for: USERINIT.EXE >
[2006/02/28 07:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2006/02/28 07:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s >
"Type" = 1
"Start" = 1
"ErrorControl" = 1
"Tag" = 6
"ImagePath" = system32\DRIVERS\netbt.sys -- [2008/04/13 14:21:00 | 000,162,816 | ---- | M] (Microsoft Corporation)
"DisplayName" = NetBios over Tcpip
"Group" = PNP_TDI
"DependOnService" = Tcpip [binary data]
"DependOnGroup" = [binary data]
"Description" = NetBios over Tcpip
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Linkage]
"OtherDependencies" = Tcpip [binary data]
"Bind" = [Binary data over 100 bytes]
"Route" = [Binary data over 100 bytes]
"Export" = [Binary data over 100 bytes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters]
"NbProvider" = _tcp
"NameServerPort" = 137
"CacheTimeout" = 600000
"BcastNameQueryCount" = 3
"BcastQueryTimeout" = 750
"NameSrvQueryCount" = 3
"NameSrvQueryTimeout" = 1500
"Size/Small/Medium/Large" = 1
"SessionKeepAlive" = 3600000
"TransportBindName" = \Device\
"EnableLMHOSTS" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{2F5F9398-AF2C-47F6-B9ED-11B076565380}]
"NameServerList" = [binary data]
"NetbiosOptions" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{56DE8C8E-905E-46E2-A93C-7D6BAC3CEA84}]
"NameServerList" = [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{5E98BD52-2C83-457F-8449-6EA3B5E0A4E2}]
"NameServerList" = [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{D786A872-0D91-4159-BBCD-4C5A03D713D7}]
"NameServerList" = [binary data]
"NetbiosOptions" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Security]
"Security" = [Binary data over 100 bytes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Enum]
"0" = Root\LEGACY_NETBT\0000
"Count" = 1
"NextInstance" = 1

< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s >
"Type" = 2
"Start" = 1
"ErrorControl" = 1
"Tag" = 1
"ImagePath" = system32\DRIVERS\netbios.sys -- [2008/04/13 13:56:02 | 000,034,688 | ---- | M] (Microsoft Corporation)
"DisplayName" = NetBIOS Interface
"Group" = NetBIOSGroup
"Description" = NetBIOS Interface
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS\Linkage]
"LanaMap" = 01 03 01 00 00 01 00 02 [binary data]
"Bind" = [Binary data over 100 bytes]
"Route" = [Binary data over 100 bytes]
"Export" = [Binary data over 100 bytes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS\Parameters]
"MaxLana" = 3
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS\Parameters\Winsock]
"HelperDllName" = %SystemRoot%\System32\wshnetbs.dll -- [2006/02/28 07:00:00 | 000,007,168 | ---- | M] (Microsoft Corporation)
"MaxSockAddrLength" = 20
"MinSockAddrLength" = 20
"Mapping" = 02 00 00 00 03 00 00 00 11 00 00 00 05 00 00 00 00 00 00 00 11 00 00 00 02 00 00 00 00 00 00 00 [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS\Security]
"Security" = [Binary data over 100 bytes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS\Enum]
"0" = Root\LEGACY_NETBIOS\0000
"Count" = 1
"NextInstance" = 1

< C:\Windows\assembly\tmp\U\*.* /s >

< %Temp%\smtmp\1\*.* >

< %Temp%\smtmp\2\*.* >

< %Temp%\smtmp\3\*.* >

< %Temp%\smtmp\4\*.* >

< End of report >



aswMBR.txt:



aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-02 20:10:51
-----------------------------
20:10:51.921 OS Version: Windows 5.1.2600 Service Pack 3
20:10:51.921 Number of processors: 2 586 0x209
20:10:51.921 ComputerName: JESSICAA UserName: Jessica
20:10:53.156 Initialize success
20:11:02.281 AVAST engine defs: 11120200
20:11:25.187 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:11:25.187 Disk 0 Vendor: ST380011A 3.06 Size: 76319MB BusType: 3
20:11:27.218 Disk 0 MBR read successfully
20:11:27.218 Disk 0 MBR scan
20:11:27.296 Disk 0 Windows XP default MBR code
20:11:27.328 Disk 0 scanning sectors +156296385
20:11:27.437 Disk 0 scanning C:\WINDOWS\system32\drivers
20:11:47.671 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AOK [Rtk]
20:11:54.046 Service scanning
20:11:54.234 Service .ipsec \* **LOCKED** 123
20:11:54.906 Modules scanning
20:11:59.281 Module: C:\WINDOWS\system32\DRIVERS\redbook.sys **SUSPICIOUS**
20:12:09.171 Disk 0 trace - called modules:
20:12:09.187 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8649af10]<<
20:12:09.187 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86757ab8]
20:12:09.203 3 CLASSPNP.SYS[f78a3fd7] -> nt!IofCallDriver -> [0x8655af08]
20:12:09.203 \Driver\00000831[0x864e0c08] -> IRP_MJ_CREATE -> 0x8649af10
20:12:09.562 AVAST engine scan C:\WINDOWS
20:12:22.531 AVAST engine scan C:\WINDOWS\system32
20:15:31.421 AVAST engine scan C:\WINDOWS\system32\drivers
20:15:50.359 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AOK [Rtk]
20:15:59.312 AVAST engine scan C:\Documents and Settings\Jessica
20:17:35.578 File: C:\Documents and Settings\Jessica\Application Data\Sun\Java\Deployment\cache\6.0\51\19a31173-4b2c93c3 **INFECTED** Win32:FakeAlert-BLY [Trj]
20:19:40.281 File: C:\Documents and Settings\Jessica\Local Settings\temp\641.6021.exe **INFECTED** Win32:FakeAlert-BLY [Trj]
20:23:51.562 AVAST engine scan C:\Documents and Settings\All Users
20:25:06.843 Scan finished successfully
20:25:53.125 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jessica\My Documents\Downloads\MBR.dat"
20:25:53.125 The log file has been saved successfully to "C:\Documents and Settings\Jessica\My Documents\Downloads\aswMBR.txt"
20:26:48.671 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jessica\My Documents\Downloads\MBR.dat"
20:26:48.671 The log file has been saved successfully to "C:\Documents and Settings\Jessica\My Documents\Downloads\aswMBR.txt"



Thank you for replying!
  • 0

#4
Essexboy
Posted 03 December 2011 - 05:42 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK thank you for that I can now see all the infections and I will use different tools to take out each one

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O37 - HKU\S-1-5-21-1819643104-910290269-4184997253-1005\...exe [@ = ah] -- "C:\Documents and Settings\Jessica\Local Settings\Application Data\flp.exe" -a "%1" %*
    [2011/12/02 00:41:52 | 000,015,798 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\e8cu43g8kg1coi
    [2011/12/02 00:41:52 | 000,015,798 | -H-- | M] () -- C:\Documents and Settings\Jessica\Local Settings\Application Data\e8cu43g8kg1coi
    [2011/11/15 03:12:54 | 002,060,760 | ---- | M] (Bandoo Media Inc. ) -- C:\Documents and Settings\Jessica\Desktop\iLividSetupV1.exe
    [2011/11/24 13:06:06 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jessica\Application Data\subv.exe

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks, also allow the installation of the recovery console

    Posted Image

    Posted Image
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

FINALLY

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    Posted Image
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    Posted Image
  • Click the Start Scan button.

    Posted Image
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    Posted Image
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

    Posted Image
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
  • 0

#5
Essexboy
Posted 07 December 2011 - 02:43 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP