Malwared and hijacked! HELP! [Closed]



#1 cbroadway (Member, 37 posts)
Hello!

Thanks in advance for your help. I've gotten a hold of something ugly that's causing lockups and frequent browser redirects. I've been using Avira AntiVir Personal. It's been going crazy with alerts about infections. I tried following the GtG directions for correcting Google redirects, but it didn't help. Would you mind taking a look to set me straight? Here's my OTL log. Thank you so much, Chad.
__________________________________________________


OTL logfile created on: 12/5/2011 8:16:00 PM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Chad\Desktop\virus 2011
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.75 Gb Total Physical Memory | 0.94 Gb Available Physical Memory | 53.80% Memory free
3.74 Gb Paging File | 2.77 Gb Available in Paging File | 74.02% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 101.93 Gb Total Space | 61.85 Gb Free Space | 60.68% Space Free | Partition Type: NTFS
Drive D: | 9.85 Gb Total Space | 1.73 Gb Free Space | 17.58% Space Free | Partition Type: NTFS

Computer Name: CHADLAPTOP | User Name: Chad | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/04 21:18:09 | 000,172,544 | ---- | M] () -- C:\Users\Chad\AppData\Roaming\38979\7D1EA.exe
PRC - [2011/12/04 21:12:33 | 000,286,208 | ---- | M] () -- C:\Users\Chad\AppData\Roaming\Microsoft\EA43\D72.exe
PRC - [2011/12/04 17:34:42 | 000,189,440 | ---- | M] () -- C:\Users\Chad\AppData\Roaming\79553\lvvm.exe
PRC - [2011/11/24 10:49:27 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Chad\Desktop\virus 2011\OTL.exe
PRC - [2011/11/09 17:44:11 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/07/04 19:42:41 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/05/03 15:34:39 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/03/04 13:36:51 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/01/14 20:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/02/11 07:48:00 | 000,480,264 | ---- | M] (Avid Technology, Inc.) -- C:\Windows\System32\M-AudioTaskBarIcon.exe
PRC - [2008/04/26 02:15:26 | 000,361,808 | ---- | M] () -- C:\Windows\SMINST\BLService.exe
PRC - [2008/02/22 05:25:21 | 000,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
PRC - [2008/01/20 20:24:24 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2007/01/04 15:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/11/02 06:35:35 | 000,176,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wpcumi.exe


========== Modules (No Company Name) ==========

MOD - [2011/12/04 21:18:09 | 000,172,544 | ---- | M] () -- C:\Users\Chad\AppData\Roaming\38979\7D1EA.exe
MOD - [2011/12/04 21:12:33 | 000,286,208 | ---- | M] () -- C:\Users\Chad\AppData\Roaming\Microsoft\EA43\D72.exe
MOD - [2011/12/04 17:34:42 | 000,189,440 | ---- | M] () -- C:\Users\Chad\AppData\Roaming\79553\lvvm.exe
MOD - [2011/11/09 17:44:10 | 001,989,592 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2010/08/21 21:38:54 | 005,969,360 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32.dll
MOD - [2008/06/11 23:18:38 | 000,120,216 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLSchMgr.dll
MOD - [2008/06/11 23:18:36 | 000,259,480 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapEngine.dll
MOD - [2008/06/11 23:18:34 | 000,345,384 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLTinyDB.dll
MOD - [2008/06/11 23:17:08 | 000,066,856 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\common\MCEMediaStatus.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/07/04 19:42:41 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/05/03 15:34:39 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/04/26 02:15:26 | 000,361,808 | ---- | M] () [Auto | Running] -- C:\Windows\SMINST\BLService.exe -- (Recovery Service for Windows)
SRV - [2008/01/20 20:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/01/04 15:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)


========== Driver Services (SafeList) ==========

DRV - [2011/07/04 19:42:42 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/07/04 19:42:42 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/06/17 13:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/02/11 07:47:48 | 000,156,552 | ---- | M] (Avid Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mausbft.sys -- (MAUSBFT)
DRV - [2008/07/11 12:31:00 | 007,530,656 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/06/05 10:58:42 | 000,222,208 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2008/05/09 13:17:32 | 000,043,040 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvhda32v.sys -- (NVHDA)
DRV - [2008/04/27 12:07:44 | 000,909,824 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/04/24 16:51:46 | 000,014,848 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2008/01/29 07:55:00 | 001,042,464 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2007/10/17 17:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/07/11 11:30:22 | 000,007,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\HpqRemHid.sys -- (HpqRemHid)
DRV - [2007/06/18 18:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...avilion&pf=cnnb
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...avilion&pf=cnnb

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...avilion&pf=cnnb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.condui...&ctid=CT3001705
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: - No CLSID value found
IE - HKCU\..\URLSearchHook: {08a4f3d8-73a4-4212-b58c-2840ab3578ca} - No CLSID value found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:58040

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "Quixley_v2b Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.condui...={searchTerms}"
FF - prefs.js..browser.startup.homepage: "google.com"
FF - prefs.js..keyword.URL: "http://search.condui...rchSource=2&q="

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll ()
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Users\Chad\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Chad\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2008/08/11 14:22:00 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/09 17:44:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/18 06:03:51 | 000,000,000 | ---D | M]

[2008/11/28 14:11:57 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chad\AppData\Roaming\Mozilla\Extensions
[2011/12/02 19:52:20 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\extensions
[2011/12/01 19:50:47 | 000,000,000 | ---D | M] (Quixley_v2b Community Toolbar) -- C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\extensions\{08a4f3d8-73a4-4212-b58c-2840ab3578ca}(28)
[2011/07/12 20:19:05 | 000,000,000 | ---D | M] (SocialRibbons LP2) -- C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\extensions\{0dd5ab7a-9db5-0aa4-e914-7148cd6c0afc}
[2011/12/02 19:29:45 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\extensions\staged(27)
[2011/12/05 20:07:57 | 000,000,000 | ---D | M] (WindowShopper) -- C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\extensions\[email protected]
[2011/07/12 20:19:02 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\extensions\{0dd5ab7a-9db5-0aa4-e914-7148cd6c0afc}\chrome\content\dca\core\extensionManager
[2011/06/23 13:30:48 | 000,000,925 | ---- | M] () -- C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\searchplugins\conduit.xml
[2011/07/12 20:19:53 | 000,009,965 | ---- | M] () -- C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\searchplugins\mywebsearch.xml
[2011/03/31 20:24:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/11/09 17:44:11 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/10/09 20:56:57 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/09 17:44:11 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========


O1 HOSTS File: ([2011/11/24 11:15:30 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {08A4F3D8-73A4-4212-B58C-2840AB3578CA} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [M-Audio Taskbar Icon] C:\Windows\System32\M-AudioTaskBarIcon.exe (Avid Technology, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [WPCUMI] C:\Windows\System32\wpcumi.exe (Microsoft Corporation)
O4 - HKCU..\Run: [D72.exe] C:\Users\Chad\AppData\Roaming\Microsoft\EA43\D72.exe ()
O4 - HKCU..\Run: [Facebook Update] C:\Users\Chad\AppData\Local\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)
O4 - Startup: C:\Users\Chad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Chad\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
F3 - HKCU WinNT: Load - (C:\Users\Chad\AppData\Roaming\79553\lvvm.exe) -C:\Users\Chad\AppData\Roaming\79553\lvvm.exe ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: lockcast.com ([www] https in Trusted sites)
O15 - HKCU\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A6EC1223-5CF3-44E0-AD85-FAE65C70892E}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (C:\Users\Chad\AppData\Roaming\38979\7D1EA.exe) -C:\Users\Chad\AppData\Roaming\38979\7D1EA.exe ()
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\Skyline.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\Skyline.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/08/11 13:50:39 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/11/24 11:15:28 | 000,000,000 | ---D | C] -- C:\_OTM
[2011/11/24 10:48:36 | 000,000,000 | ---D | C] -- C:\Users\Chad\Desktop\virus 2011
[2011/11/14 17:34:37 | 000,000,000 | ---D | C] -- C:\Users\Chad\AppData\Local\Facebook
[2011/11/08 06:22:42 | 000,000,000 | ---D | C] -- C:\Program Files\LP
[2011/11/07 20:34:51 | 000,000,000 | ---D | C] -- C:\Users\Chad\Desktop\Cali 2011
[2011/11/07 17:44:54 | 000,000,000 | ---D | C] -- C:\Users\Chad\AppData\Roaming\79553
[2011/11/07 17:44:54 | 000,000,000 | ---D | C] -- C:\Users\Chad\AppData\Roaming\38979
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/12/05 20:05:39 | 000,248,744 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2011/12/05 20:05:39 | 000,248,744 | ---- | M] () -- C:\ProgramData\nvModes.001
[2011/12/05 19:20:51 | 000,595,684 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/12/05 19:20:51 | 000,101,350 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/12/05 19:13:49 | 000,000,246 | ---- | M] () -- C:\Users\Public\Documents\hpqp.ini
[2011/12/05 19:13:37 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/12/05 19:13:37 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/12/05 19:13:25 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/12/05 17:39:05 | 000,000,924 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-365443478-1480907561-30040671-1000UA.job
[2011/12/05 17:39:05 | 000,000,902 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-365443478-1480907561-30040671-1000Core.job
[2011/12/04 20:55:22 | 000,002,595 | ---- | M] () -- C:\Users\Chad\Desktop\Microsoft Word.lnk
[2011/12/02 20:09:17 | 000,055,641 | ---- | M] () -- C:\Users\Chad\Desktop\twilight.jpg
[2011/11/29 17:48:30 | 000,007,505 | ---- | M] () -- C:\Users\Chad\Desktop\attachment(2).ashx
[2011/11/29 17:48:13 | 000,007,505 | ---- | M] () -- C:\Users\Chad\Desktop\attachment(1).ashx
[2011/11/29 17:48:04 | 000,007,505 | ---- | M] () -- C:\Users\Chad\Desktop\attachment.ashx
[2011/11/24 11:15:30 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2011/11/16 23:08:00 | 000,036,864 | ---- | M] () -- C:\Users\Chad\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/11/11 19:43:30 | 000,074,832 | ---- | M] () -- C:\Users\Chad\Desktop\newhallsalary.pdf
[2011/11/08 17:43:27 | 000,073,085 | ---- | M] () -- C:\Users\Chad\Desktop\carmensmile.jpg
[2011/11/08 06:23:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At2.job
[2011/11/08 06:22:25 | 000,177,664 | ---- | M] () -- C:\Users\Chad\AppData\Roaming\firefox.exe
[2011/11/07 21:05:22 | 000,177,664 | ---- | M] () -- C:\Users\Chad\AppData\Roaming\wmplayer.exe
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/02 20:09:17 | 000,055,641 | ---- | C] () -- C:\Users\Chad\Desktop\twilight.jpg
[2011/11/29 17:48:29 | 000,007,505 | ---- | C] () -- C:\Users\Chad\Desktop\attachment(2).ashx
[2011/11/29 17:48:13 | 000,007,505 | ---- | C] () -- C:\Users\Chad\Desktop\attachment(1).ashx
[2011/11/29 17:48:04 | 000,007,505 | ---- | C] () -- C:\Users\Chad\Desktop\attachment.ashx
[2011/11/14 17:34:43 | 000,000,924 | ---- | C] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-365443478-1480907561-30040671-1000UA.job
[2011/11/14 17:34:42 | 000,000,902 | ---- | C] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-365443478-1480907561-30040671-1000Core.job
[2011/11/11 19:43:30 | 000,074,832 | ---- | C] () -- C:\Users\Chad\Desktop\newhallsalary.pdf
[2011/11/08 17:43:26 | 000,073,085 | ---- | C] () -- C:\Users\Chad\Desktop\carmensmile.jpg
[2011/11/08 06:22:46 | 000,000,380 | ---- | C] () -- C:\Windows\tasks\At2.job
[2011/11/07 20:35:24 | 000,177,664 | ---- | C] () -- C:\Users\Chad\AppData\Roaming\wmplayer.exe
[2011/10/16 09:52:26 | 000,177,664 | ---- | C] () -- C:\Users\Chad\AppData\Roaming\firefox.exe
[2009/02/21 21:32:59 | 000,007,592 | ---- | C] () -- C:\Users\Chad\AppData\Local\d3d9caps.dat
[2008/12/15 19:00:22 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2008/11/28 19:06:13 | 000,036,864 | ---- | C] () -- C:\Users\Chad\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/28 09:58:27 | 000,248,744 | ---- | C] () -- C:\ProgramData\nvModes.001
[2008/11/28 09:58:01 | 000,248,744 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2008/10/08 17:36:55 | 000,003,948 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
[2008/08/11 14:05:13 | 000,101,605 | ---- | C] () -- C:\Windows\hpqins13.dat
[2008/01/20 20:24:14 | 000,100,043 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2006/11/02 06:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 06:47:37 | 000,297,728 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 06:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 04:33:01 | 000,595,684 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 04:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 04:33:01 | 000,101,350 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 04:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 04:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 02:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 02:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 01:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 01:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/02 01:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2006/03/09 03:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2001/08/06 21:16:34 | 000,045,056 | ---- | C] () -- C:\Windows\OTS_UI.EXE

========== LOP Check ==========

[2011/11/07 20:38:12 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\16F9B
[2011/12/04 21:18:09 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\38979
[2011/12/04 17:34:42 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\79553
[2011/11/07 20:28:01 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\9BB26
[2011/07/22 12:42:08 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\Acoustica
[2009/01/12 21:50:40 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\Crayon Physics Deluxe
[2011/12/05 19:14:36 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\Dropbox
[2011/07/27 08:39:43 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\GetRightToGo
[2010/10/07 15:43:23 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\ICAClient
[2009/06/01 18:20:23 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\muvee Technologies
[2008/12/23 13:20:31 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\NCH Swift Sound
[2009/08/08 21:33:33 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\PlayFirst
[2008/11/30 17:35:40 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\Super-Cow
[2011/07/22 12:57:34 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\SynthMaker
[2011/06/13 13:13:50 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\Unity
[2008/11/28 09:56:21 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\WildTangent
[2011/10/16 09:55:00 | 000,000,380 | ---- | M] () -- C:\Windows\Tasks\At1.job
[2011/11/08 06:23:00 | 000,000,380 | ---- | M] () -- C:\Windows\Tasks\At2.job
[2011/12/05 17:39:05 | 000,000,902 | ---- | M] () -- C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-365443478-1480907561-30040671-1000Core.job
[2011/12/05 17:39:05 | 000,000,924 | ---- | M] () -- C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-365443478-1480907561-30040671-1000UA.job
[2011/12/05 19:12:13 | 000,032,642 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

__________________________________________________________________
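As an added example (not part of the original thread, and not OTL's or the helper's own code), here is a small Python triage pass that applies the reading a helper does on a log like the one above: binaries with no publisher autostarting from randomly named AppData folders, a replaced Winlogon Shell, the WinNT Load value, a browser proxy pointed at 127.0.0.1, and orphaned entries. The sample lines are copied from the log above; the rules and the folder-name pattern are this example's assumptions.

```python
"""Triage heuristics for OTL (OldTimer) log lines.

Added example, not part of the original thread and not OTL's or the
helper's own code. SAMPLE_LINES are copied from the log posted above; the
rules and name patterns are this example's assumptions.
"""
import re
from typing import Dict, Iterable, List

# PRC/MOD/SRV/DRV lines:
#   KIND - [date time | size | attrs | M] (Company) [state] -- path [-- (Service)]
ENTRY_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - \[[^\]]*\] \((?P<company>[^)]*)\)"
    r"(?: \[[^\]]*\])? -- (?P<path>[A-Za-z]:\\.*?)(?: -- \([^)]*\))?$"
)
# Autostart lines (O4 Run, F3 WinNT Load, O20 Winlogon): "... path (Company)"
AUTOSTART_RE = re.compile(
    r"^(?P<kind>O4|F3|O20) - .*?(?P<path>[A-Za-z]:\\[^()]*?\.(?:exe|dll))"
    r".*\((?P<company>[^)]*)\)\s*$"
)
PROXY_RE = re.compile(r'"ProxyServer" = (?P<proxy>\S+)')

USER_PROFILE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
# Folders such as 38979, 79553 or Microsoft\EA43: a short digit/hex blob where
# a vendor name would normally sit. The pattern is an assumption of this example.
RANDOM_DIR = re.compile(r"\\AppData\\Roaming\\(?:Microsoft\\)?[0-9A-F]{4,5}\\", re.I)
ORPHAN_MARKERS = ("File not found", "No CLSID value found")


def triage_line(line: str) -> List[str]:
    """Return the reasons (possibly none) an OTL line deserves a second look."""
    reasons: List[str] = []
    m = ENTRY_RE.match(line) or AUTOSTART_RE.match(line)
    if m:
        kind, company, path = m["kind"], m["company"].strip(), m["path"].strip()
        # An empty "()" company is common for benign files (mozjs.dll above);
        # it is the combination with a user-profile path that matters.
        if not company and USER_PROFILE.search(path):
            reasons.append(f"{kind}: no publisher and runs from the user profile: {path}")
        if RANDOM_DIR.search(path):
            reasons.append("random-looking folder name under AppData\\Roaming")
        if kind == "O20" and "Shell" in line and not path.lower().endswith("\\explorer.exe"):
            reasons.append("Winlogon Shell points at something other than explorer.exe")
        if kind == "F3":
            reasons.append("WinNT 'Load' value set (legacy autostart, rarely legitimate)")
    pm = PROXY_RE.search(line)
    if pm and "127.0.0.1" in pm["proxy"]:
        reasons.append(f"browser traffic routed through a local proxy ({pm['proxy']})")
    if any(marker in line for marker in ORPHAN_MARKERS):
        reasons.append("orphaned entry whose target is gone; plain cleanup")
    return reasons


def triage(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map every flagged line to its reasons; clean lines are left out."""
    result: Dict[str, List[str]] = {}
    for raw in lines:
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            result[line] = reasons
    return result


# Constructed sample: lines copied from the OTL log above, mixed with benign ones.
SAMPLE_LINES = [
    r"PRC - [2011/12/04 21:18:09 | 000,172,544 | ---- | M] () -- C:\Users\Chad\AppData\Roaming\38979\7D1EA.exe",
    r"PRC - [2011/03/04 13:36:51 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe",
    r"MOD - [2011/11/09 17:44:10 | 001,989,592 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll",
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:58040',
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.",
    r"O4 - HKLM..\Run: [] File not found",
    r"O4 - HKCU..\Run: [D72.exe] C:\Users\Chad\AppData\Roaming\Microsoft\EA43\D72.exe ()",
    r"O4 - HKCU..\Run: [Facebook Update] C:\Users\Chad\AppData\Local\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)",
    r"F3 - HKCU WinNT: Load - (C:\Users\Chad\AppData\Roaming\79553\lvvm.exe) -C:\Users\Chad\AppData\Roaming\79553\lvvm.exe ()",
    r"O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)",
    r"O20 - HKCU Winlogon: Shell - (C:\Users\Chad\AppData\Roaming\38979\7D1EA.exe) -C:\Users\Chad\AppData\Roaming\38979\7D1EA.exe ()",
]

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LINES).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Of the eleven sample lines, seven are flagged; the Avira process, mozjs.dll, the Facebook Run entry and the HKLM explorer.exe shell pass, which is the point of requiring the publisher/path combination rather than an empty company name alone.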



#2 CompCav (Expert, 12,448 posts)
Hi, cbroadway! My nickname is CompCav and I will be assisting you with your Malware/Security problems. Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any questions or you are unsure about anything, just ask and I will help you out. :)

If you have resolved the issues you were originally experiencing, or have received help elsewhere, please let me know so that this topic can be closed.

I am currently still in training and my posts have to be approved by an expert so please expect a delay between my posts.

Please make sure you are saving and printing the instructions out prior to each fix, this way you will have them on hand just in case you are unable to access this site. One of the steps I will be asking you to do requires you to boot into Safe Mode and this process will be much easier for you to perform if the instructions are printed out for you to follow.

If you are ready to get started, please review and follow these guidelines so that we resolve your issues in a timely and effective manner:
  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post.
  • Please make sure to carefully read any instructions that I give you. Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • These instructions have been specifically tailored to your computer and the issues you are experiencing with your computer. These instructions are not suitable for any other computer, even if the issues are fairly similar.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. However, the one thing that you should always do, is to make sure your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Just do a Copy/Paste of the entire contents of the log file inside your post and submit.
  • You must reply within four days; failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic. PM me only if I have not responded to your last post in 2 days.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to ultimately reformat your hard drive and reinstall the operating system. Don't worry, this only happens in severe cases, but it sadly does happen. Please have the software and storage media for backing up your data available.


I am currently reviewing your post and will have an initial set of instructions to begin malware removal later today! :thumbsup:

#3 CompCav (Expert, 12,448 posts)
Step 1.

OTL Fix


We need to run an OTL Fix

  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.

    :processes
    killallprocesses
    
    :OTL
    PRC - [2011/12/04 21:18:09 | 000,172,544 | ---- | M] () -- C:\Users\Chad\AppData\Roaming\38979\7D1EA.exe
    PRC - [2011/12/04 21:12:33 | 000,286,208 | ---- | M] () -- C:\Users\Chad\AppData\Roaming\Microsoft\EA43\D72.exe
    PRC - [2011/12/04 17:34:42 | 000,189,440 | ---- | M] () -- C:\Users\Chad\AppData\Roaming\79553\lvvm.exe
    MOD - [2011/12/04 21:18:09 | 000,172,544 | ---- | M] () -- C:\Users\Chad\AppData\Roaming\38979\7D1EA.exe
    MOD - [2011/12/04 21:12:33 | 000,286,208 | ---- | M] () -- C:\Users\Chad\AppData\Roaming\Microsoft\EA43\D72.exe
    MOD - [2011/12/04 17:34:42 | 000,189,440 | ---- | M] () -- C:\Users\Chad\AppData\Roaming\79553\lvvm.exe
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKCU\..\URLSearchHook: - No CLSID value found
    IE - HKCU\..\URLSearchHook: {08a4f3d8-73a4-4212-b58c-2840ab3578ca} - No CLSID value found
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:58040
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {08A4F3D8-73A4-4212-B58C-2840AB3578CA} - No CLSID value found.
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe (Sun Microsystems, Inc.)
    O4 - HKCU..\Run: [D72.exe] C:\Users\Chad\AppData\Roaming\Microsoft\EA43\D72.exe ()
    F3 - HKCU WinNT: Load - (C:\Users\Chad\AppData\Roaming\79553\lvvm.exe) -C:\Users\Chad\AppData\Roaming\79553\lvvm.exe ()
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
    O15 - HKCU\..Trusted Domains: lockcast.com ([www] https in Trusted sites)
    O15 - HKCU\..Trusted Ranges: Range1 ([http] in Local intranet)
    O20 - HKCU Winlogon: Shell - (C:\Users\Chad\AppData\Roaming\38979\7D1EA.exe) -C:\Users\Chad\AppData\Roaming\38979\7D1EA.exe ()
    [2011/11/07 17:44:54 | 000,000,000 | ---D | C] -- C:\Users\Chad\AppData\Roaming\79553
    [2011/11/07 17:44:54 | 000,000,000 | ---D | C] -- C:\Users\Chad\AppData\Roaming\38979
    [2011/11/08 06:23:00 | 000,000,380 | ---- | M] () -- C:\Windows\tasks\At2.job
    [2011/11/07 20:38:12 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\16F9B
    [2011/12/04 21:18:09 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\38979
    [2011/12/04 17:34:42 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\79553
    [2011/11/07 20:28:01 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\9BB26
    [2011/10/16 09:55:00 | 000,000,380 | ---- | M] () -- C:\Windows\Tasks\At1.job
    
    :files
    ipconfig /flushdns /c
    xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
    xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
    xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
    xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C
    C:\Users\Chad\AppData\Roaming\38979
    C:\Users\Chad\AppData\Roaming\Microsoft\EA43
    C:\Users\Chad\AppData\Roaming\79553
    C:\Windows\Tasks\At*.job
    
    
    
    
    :Commands
    [purity]
    [resethosts]
    [emptyjava]
    [emptyflash]
    [createrestorepoint]
    [Reboot]
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date and the time of the tool run.
Step 2.

Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click aswMBR.exe to run it. Click the "Scan" button to start the scan.

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.


Step 3.

  • Download OTL to your Desktop
  • Double click on the OTL icon to run it.
  • Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top, make sure Standard output is selected.
  • Select Scan all users
  • Under Extra Registry select Use SafeList
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scans/Fixes box copy and paste this in:

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    iexplorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    %systemroot%\*. /mp /s
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    C:\Windows\assembly\tmp\U\*.* /s
    CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

  • When the scan completes, it will open OTL.Txt in a Notepad window and the Extras.txt file on the task bar.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file and of the Extras.txt file, and post them with your next reply.


Step 4.

Please post:

OTL fix log
aswMBR log
OTL.txt
Extras.txt


What problems do you now have?

#4
cbroadway

    Member

  • Topic Starter
  • 37 posts
Awesome, thanks! Here you go.
_____________________________________________

========== PROCESSES ==========
All processes killed
========== OTL ==========
No active process named 7D1EA.exe was found!
No active process named D72.exe was found!
No active process named lvvm.exe was found!
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\StartPageCache| /E : value set successfully!
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\ deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{08a4f3d8-73a4-4212-b58c-2840ab3578ca} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08a4f3d8-73a4-4212-b58c-2840ab3578ca}\ not found.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{08A4F3D8-73A4-4212-B58C-2840AB3578CA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08A4F3D8-73A4-4212-B58C-2840AB3578CA}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SunJavaUpdateSched deleted successfully.
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\D72.exe deleted successfully.
C:\Users\Chad\AppData\Roaming\Microsoft\EA43\D72.exe moved successfully.
File \Users\Chad\AppData\Roaming\79553\lvvm.exe) -C:\Users\Chad\AppData\Roaming\79553\lvvm.exe not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\Load:C:\Users\Chad\AppData\Roaming\79553\lvvm.exe deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\lockcast.com\www\ deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1\\http deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:C:\Users\Chad\AppData\Roaming\38979\7D1EA.exe deleted successfully.
File \Users\Chad\AppData\Roaming\38979\7D1EA.exe) -C:\Users\Chad\AppData\Roaming\38979\7D1EA.exe not found.
C:\Users\Chad\AppData\Roaming\79553 folder moved successfully.
C:\Users\Chad\AppData\Roaming\38979 folder moved successfully.
C:\Windows\Tasks\At2.job moved successfully.
C:\Users\Chad\AppData\Roaming\16F9B folder moved successfully.
Folder C:\Users\Chad\AppData\Roaming\38979\ not found.
Folder C:\Users\Chad\AppData\Roaming\79553\ not found.
C:\Users\Chad\AppData\Roaming\9BB26 folder moved successfully.
C:\Windows\Tasks\At1.job moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Chad\Desktop\virus 2011\cmd.bat deleted successfully.
C:\Users\Chad\Desktop\virus 2011\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C >
0 File(s) copied
C:\Users\Chad\Desktop\virus 2011\cmd.bat deleted successfully.
C:\Users\Chad\Desktop\virus 2011\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C >
0 File(s) copied
C:\Users\Chad\Desktop\virus 2011\cmd.bat deleted successfully.
C:\Users\Chad\Desktop\virus 2011\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C >
0 File(s) copied
C:\Users\Chad\Desktop\virus 2011\cmd.bat deleted successfully.
C:\Users\Chad\Desktop\virus 2011\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C >
0 File(s) copied
C:\Users\Chad\Desktop\virus 2011\cmd.bat deleted successfully.
C:\Users\Chad\Desktop\virus 2011\cmd.txt deleted successfully.
File\Folder C:\Users\Chad\AppData\Roaming\38979 not found.
C:\Users\Chad\AppData\Roaming\Microsoft\EA43 folder moved successfully.
File\Folder C:\Users\Chad\AppData\Roaming\79553 not found.
File\Folder C:\Windows\Tasks\At*.job not found.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYJAVA]

User: All Users

User: Chad
->Java cache emptied: 0 bytes

User: Default

User: Default User

User: Public

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: All Users

User: Chad
->Flash cache emptied: 47200 bytes

User: Default

User: Default User

User: Public

Total Flash Files Cleaned = 0.00 mb



OTL by OldTimer - Version 3.2.31.0 log created on 12062011_174506

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
__________________________________________________________

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-06 17:52:43
-----------------------------
17:52:43.934 OS Version: Windows 6.0.6001 Service Pack 1
17:52:43.934 Number of processors: 2 586 0x301
17:52:43.934 ComputerName: CHADLAPTOP UserName: Chad
17:52:52.545 Initialize success
17:53:05.548 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-5
17:53:05.548 Disk 0 Vendor: WDC_WD1200BEVS-60UST0 01.01A01 Size: 114473MB BusType: 3
17:53:07.591 Disk 0 MBR read successfully
17:53:07.591 Disk 0 MBR scan
17:53:07.607 Disk 0 unknown MBR code
17:53:07.607 Disk 0 scanning sectors +234434560
17:53:07.701 Disk 0 scanning C:\Windows\system32\drivers
17:53:16.764 Service scanning
17:53:18.059 Modules scanning
17:53:22.645 Disk 0 trace - called modules:
17:53:22.708 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
17:53:22.708 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x851ce400]
17:53:22.708 3 CLASSPNP.SYS[807a3745] -> nt!IofCallDriver -> [0x84a4e950]
17:53:22.723 5 acpi.sys[806116a0] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-5[0x840d0ba0]
17:53:22.723 Scan finished successfully
17:53:45.312 Disk 0 MBR has been saved successfully to "C:\Users\Chad\Desktop\virus 2011\MBR.dat"
17:53:45.328 The log file has been saved successfully to "C:\Users\Chad\Desktop\virus 2011\aswMBR.txt"

___________________________________________________________________________

OTL logfile created on: 12/6/2011 5:59:18 PM - Run 3
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Chad\Desktop\virus 2011
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.75 Gb Total Physical Memory | 1.07 Gb Available Physical Memory | 61.37% Memory free
3.74 Gb Paging File | 2.81 Gb Available in Paging File | 75.20% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 101.93 Gb Total Space | 61.92 Gb Free Space | 60.75% Space Free | Partition Type: NTFS
Drive D: | 9.85 Gb Total Space | 1.73 Gb Free Space | 17.58% Space Free | Partition Type: NTFS

Computer Name: CHADLAPTOP | User Name: Chad | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/11/24 10:49:27 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Chad\Desktop\virus 2011\OTL.exe
PRC - [2011/11/09 17:44:11 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/09/01 18:42:06 | 024,183,152 | ---- | M] (Dropbox, Inc.) -- C:\Users\Chad\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2011/07/04 19:42:41 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/05/03 15:34:39 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/03/04 13:36:51 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/01/14 20:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/02/11 07:48:00 | 000,480,264 | ---- | M] (Avid Technology, Inc.) -- C:\Windows\System32\M-AudioTaskBarIcon.exe
PRC - [2008/04/26 02:15:26 | 000,361,808 | ---- | M] () -- C:\Windows\SMINST\BLService.exe
PRC - [2008/01/20 20:24:24 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2007/01/04 15:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/11/02 06:35:35 | 000,176,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wpcumi.exe


========== Modules (No Company Name) ==========

MOD - [2011/11/09 17:44:10 | 001,989,592 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2010/08/21 21:38:54 | 005,969,360 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32.dll
MOD - [2008/06/11 23:18:38 | 000,120,216 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLSchMgr.dll
MOD - [2008/06/11 23:18:36 | 000,259,480 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapEngine.dll
MOD - [2008/06/11 23:18:34 | 000,345,384 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLTinyDB.dll
MOD - [2008/06/11 23:17:08 | 000,066,856 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\common\MCEMediaStatus.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/07/04 19:42:41 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/05/03 15:34:39 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/04/26 02:15:26 | 000,361,808 | ---- | M] () [Auto | Running] -- C:\Windows\SMINST\BLService.exe -- (Recovery Service for Windows)
SRV - [2008/01/20 20:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/01/04 15:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)


========== Driver Services (SafeList) ==========

DRV - [2011/07/04 19:42:42 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/07/04 19:42:42 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/06/17 13:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/02/11 07:47:48 | 000,156,552 | ---- | M] (Avid Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mausbft.sys -- (MAUSBFT)
DRV - [2008/07/11 12:31:00 | 007,530,656 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/06/05 10:58:42 | 000,222,208 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2008/05/09 13:17:32 | 000,043,040 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvhda32v.sys -- (NVHDA)
DRV - [2008/04/27 12:07:44 | 000,909,824 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/04/24 16:51:46 | 000,014,848 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2008/01/29 07:55:00 | 001,042,464 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2007/10/17 17:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/07/11 11:30:22 | 000,007,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\HpqRemHid.sys -- (HpqRemHid)
DRV - [2007/06/18 18:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...avilion&pf=cnnb
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...avilion&pf=cnnb


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-365443478-1480907561-30040671-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...avilion&pf=cnnb
IE - HKU\S-1-5-21-365443478-1480907561-30040671-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.condui...&ctid=CT3001705
IE - HKU\S-1-5-21-365443478-1480907561-30040671-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache =
IE - HKU\S-1-5-21-365443478-1480907561-30040671-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-365443478-1480907561-30040671-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKU\S-1-5-21-365443478-1480907561-30040671-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" =

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "Quixley_v2b Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.condui...={searchTerms}"
FF - prefs.js..browser.startup.homepage: "google.com"
FF - prefs.js..keyword.URL: "http://search.condui...rchSource=2&q="

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll ()
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Users\Chad\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Chad\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2008/08/11 14:22:00 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/09 17:44:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/18 06:03:51 | 000,000,000 | ---D | M]

[2008/11/28 14:11:57 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chad\AppData\Roaming\Mozilla\Extensions
[2011/12/02 19:52:20 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\extensions
[2011/12/01 19:50:47 | 000,000,000 | ---D | M] (Quixley_v2b Community Toolbar) -- C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\extensions\{08a4f3d8-73a4-4212-b58c-2840ab3578ca}(28)
[2011/07/12 20:19:05 | 000,000,000 | ---D | M] (SocialRibbons LP2) -- C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\extensions\{0dd5ab7a-9db5-0aa4-e914-7148cd6c0afc}
[2011/12/02 19:29:45 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\extensions\staged(27)
[2011/12/06 17:48:44 | 000,000,000 | ---D | M] (WindowShopper) -- C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\extensions\[email protected]
[2011/07/12 20:19:02 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\extensions\{0dd5ab7a-9db5-0aa4-e914-7148cd6c0afc}\chrome\content\dca\core\extensionManager
[2011/06/23 13:30:48 | 000,000,925 | ---- | M] () -- C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\searchplugins\conduit.xml
[2011/07/12 20:19:53 | 000,009,965 | ---- | M] () -- C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\searchplugins\mywebsearch.xml
[2011/03/31 20:24:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/11/09 17:44:11 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/10/09 20:56:57 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/09 17:44:11 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========


O1 HOSTS File: ([2011/12/06 17:45:11 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll File not found
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [M-Audio Taskbar Icon] C:\Windows\System32\M-AudioTaskBarIcon.exe (Avid Technology, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [WPCUMI] C:\Windows\System32\wpcumi.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-365443478-1480907561-30040671-1000..\Run: [Facebook Update] C:\Users\Chad\AppData\Local\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)
O4 - Startup: C:\Users\Chad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Chad\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O7 - HKU\S-1-5-21-365443478-1480907561-30040671-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-365443478-1480907561-30040671-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKU\S-1-5-21-365443478-1480907561-30040671-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A6EC1223-5CF3-44E0-AD85-FAE65C70892E}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-365443478-1480907561-30040671-1000 Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\Skyline.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\Skyline.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/08/11 13:50:39 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-365443478-1480907561-30040671-1000..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found


CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/12/06 17:47:23 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Users\Chad\Desktop\aswMBR.exe
[2011/12/06 17:45:06 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/11/24 11:15:28 | 000,000,000 | ---D | C] -- C:\_OTM
[2011/11/24 10:48:36 | 000,000,000 | ---D | C] -- C:\Users\Chad\Desktop\virus 2011
[2011/11/14 17:34:37 | 000,000,000 | ---D | C] -- C:\Users\Chad\AppData\Local\Facebook
[2011/11/08 06:22:42 | 000,000,000 | ---D | C] -- C:\Program Files\LP
[2011/11/07 20:34:51 | 000,000,000 | ---D | C] -- C:\Users\Chad\Desktop\Cali 2011
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/12/06 17:50:37 | 000,595,684 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/12/06 17:50:37 | 000,101,350 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/12/06 17:47:26 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Users\Chad\Desktop\aswMBR.exe
[2011/12/06 17:46:57 | 000,248,744 | ---- | M] () -- C:\ProgramData\nvModes.001
[2011/12/06 17:46:48 | 000,000,246 | ---- | M] () -- C:\Users\Public\Documents\hpqp.ini
[2011/12/06 17:46:21 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/12/06 17:46:21 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/12/06 17:46:16 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/12/06 17:45:11 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2011/12/05 21:16:48 | 000,248,744 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2011/12/05 20:39:05 | 000,000,924 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-365443478-1480907561-30040671-1000UA.job
[2011/12/05 17:39:05 | 000,000,902 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-365443478-1480907561-30040671-1000Core.job
[2011/12/04 20:55:22 | 000,002,595 | ---- | M] () -- C:\Users\Chad\Desktop\Microsoft Word.lnk
[2011/12/02 20:09:17 | 000,055,641 | ---- | M] () -- C:\Users\Chad\Desktop\twilight.jpg
[2011/11/29 17:48:30 | 000,007,505 | ---- | M] () -- C:\Users\Chad\Desktop\attachment(2).ashx
[2011/11/29 17:48:13 | 000,007,505 | ---- | M] () -- C:\Users\Chad\Desktop\attachment(1).ashx
[2011/11/29 17:48:04 | 000,007,505 | ---- | M] () -- C:\Users\Chad\Desktop\attachment.ashx
[2011/11/16 23:08:00 | 000,036,864 | ---- | M] () -- C:\Users\Chad\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/11/11 19:43:30 | 000,074,832 | ---- | M] () -- C:\Users\Chad\Desktop\newhallsalary.pdf
[2011/11/08 17:43:27 | 000,073,085 | ---- | M] () -- C:\Users\Chad\Desktop\carmensmile.jpg
[2011/11/08 06:22:25 | 000,177,664 | ---- | M] () -- C:\Users\Chad\AppData\Roaming\firefox.exe
[2011/11/07 21:05:22 | 000,177,664 | ---- | M] () -- C:\Users\Chad\AppData\Roaming\wmplayer.exe
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/02 20:09:17 | 000,055,641 | ---- | C] () -- C:\Users\Chad\Desktop\twilight.jpg
[2011/11/29 17:48:29 | 000,007,505 | ---- | C] () -- C:\Users\Chad\Desktop\attachment(2).ashx
[2011/11/29 17:48:13 | 000,007,505 | ---- | C] () -- C:\Users\Chad\Desktop\attachment(1).ashx
[2011/11/29 17:48:04 | 000,007,505 | ---- | C] () -- C:\Users\Chad\Desktop\attachment.ashx
[2011/11/14 17:34:43 | 000,000,924 | ---- | C] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-365443478-1480907561-30040671-1000UA.job
[2011/11/14 17:34:42 | 000,000,902 | ---- | C] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-365443478-1480907561-30040671-1000Core.job
[2011/11/11 19:43:30 | 000,074,832 | ---- | C] () -- C:\Users\Chad\Desktop\newhallsalary.pdf
[2011/11/08 17:43:26 | 000,073,085 | ---- | C] () -- C:\Users\Chad\Desktop\carmensmile.jpg
[2011/11/07 20:35:24 | 000,177,664 | ---- | C] () -- C:\Users\Chad\AppData\Roaming\wmplayer.exe
[2011/10/16 09:52:26 | 000,177,664 | ---- | C] () -- C:\Users\Chad\AppData\Roaming\firefox.exe
[2009/02/21 21:32:59 | 000,007,592 | ---- | C] () -- C:\Users\Chad\AppData\Local\d3d9caps.dat
[2008/12/15 19:00:22 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2008/11/28 19:06:13 | 000,036,864 | ---- | C] () -- C:\Users\Chad\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/28 09:58:27 | 000,248,744 | ---- | C] () -- C:\ProgramData\nvModes.001
[2008/11/28 09:58:01 | 000,248,744 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2008/10/08 17:36:55 | 000,003,948 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
[2008/08/11 14:05:13 | 000,101,605 | ---- | C] () -- C:\Windows\hpqins13.dat
[2008/01/20 20:24:14 | 000,100,043 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2006/11/02 06:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 06:47:37 | 000,297,728 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 06:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 04:33:01 | 000,595,684 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 04:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 04:33:01 | 000,101,350 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 04:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 04:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 02:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 02:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 01:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 01:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/02 01:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2006/03/09 03:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2001/08/06 21:16:34 | 000,045,056 | ---- | C] () -- C:\Windows\OTS_UI.EXE

========== LOP Check ==========

[2011/07/22 12:42:08 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\Acoustica
[2009/01/12 21:50:40 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\Crayon Physics Deluxe
[2011/12/06 17:47:11 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\Dropbox
[2011/07/27 08:39:43 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\GetRightToGo
[2010/10/07 15:43:23 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\ICAClient
[2009/06/01 18:20:23 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\muvee Technologies
[2008/12/23 13:20:31 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\NCH Swift Sound
[2009/08/08 21:33:33 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\PlayFirst
[2008/11/30 17:35:40 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\Super-Cow
[2011/07/22 12:57:34 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\SynthMaker
[2011/06/13 13:13:50 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\Unity
[2008/11/28 09:56:21 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\WildTangent
[2011/12/05 17:39:05 | 000,000,902 | ---- | M] () -- C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-365443478-1480907561-30040671-1000Core.job
[2011/12/05 20:39:05 | 000,000,924 | ---- | M] () -- C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-365443478-1480907561-30040671-1000UA.job
[2011/12/06 17:45:29 | 000,032,642 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: EXPLORER.EXE >
[2008/01/20 20:24:24 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\explorer.exe
[2008/01/20 20:24:24 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe

< MD5 for: SVCHOST.EXE >
[2008/01/20 20:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\System32\svchost.exe
[2008/01/20 20:23:43 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6001.18000_none_b5bb59a1054dbde5\svchost.exe

< MD5 for: USERINIT.EXE >
[2008/01/20 20:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe
[2008/01/20 20:24:49 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe

< MD5 for: WINLOGON.EXE >
[2008/01/20 20:24:49 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\System32\winlogon.exe
[2008/01/20 20:24:49 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe

< %systemroot%\*. /mp /s >

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/11/09 17:44:10 | 000,713,560 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/11/09 17:44:10 | 000,713,560 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/11/09 17:44:10 | 000,713,560 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/11/09 17:44:11 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/11/09 17:44:11 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/11/09 17:44:11 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\system32\ie4uinit.exe" -hide [2008/01/20 20:24:17 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\system32\ie4uinit.exe" -show [2008/01/20 20:24:17 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\system32\ie4uinit.exe" -reinstall [2008/01/20 20:24:17 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2008/01/20 20:23:50 | 000,625,664 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/11/09 17:44:10 | 000,713,560 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/11/09 17:44:10 | 000,713,560 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/11/09 17:44:10 | 000,713,560 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/11/09 17:44:11 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/11/09 17:44:11 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/11/09 17:44:11 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\system32\ie4uinit.exe" -hide [2008/01/20 20:24:17 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\system32\ie4uinit.exe" -show [2008/01/20 20:24:17 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\system32\ie4uinit.exe" -reinstall [2008/01/20 20:24:17 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2008/01/20 20:23:50 | 000,625,664 | ---- | M] (Microsoft Corporation)

< C:\Windows\assembly\tmp\U\*.* /s >

< End of report >

______________________________________________________________________________

OTL Extras logfile created on: 12/6/2011 5:59:18 PM - Run 3
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Chad\Desktop\virus 2011
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.75 Gb Total Physical Memory | 1.07 Gb Available Physical Memory | 61.37% Memory free
3.74 Gb Paging File | 2.81 Gb Available in Paging File | 75.20% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 101.93 Gb Total Space | 61.92 Gb Free Space | 60.75% Space Free | Partition Type: NTFS
Drive D: | 9.85 Gb Total Space | 1.73 Gb Free Space | 17.58% Space Free | Partition Type: NTFS

Computer Name: CHADLAPTOP | User Name: Chad | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-365443478-1480907561-30040671-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OtsMedia.Surf] -- "C:\OtsLabs\OTSPLAY.EXE" "%1" /play /surf ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"UacDisableNotify" = 0
"InternetSettingsDisableNotify" = 0
"AutoUpdateDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 1
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-365443478-1480907561-30040671-1000]
"EnableNotificationsRef" = 2
"EnableNotifications" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{09299410-832E-4261-8E77-EDD716CBAD94}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{1FAFB9E9-C38E-4266-9C6C-1EF5FD7001D6}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{3DF47EDF-6044-4F09-A7EB-627E4E174757}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{445C883C-71DB-425C-8851-F147A6D64ACF}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{561377B9-36DB-4BF6-96B7-4B00ECA4D983}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{BE9E307A-29EA-4FC4-B04A-311CEB449270}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{C4135FD4-8FFF-4A56-AAC1-F912B36345D8}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{E1B8064E-28A0-40FD-BF4B-EBBB2625FBD6}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{02DB54E5-04C2-41EC-96FE-CCCF0C3BE847}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{2745BBE1-D8DF-4D3E-A7A6-DBEB445B8F45}" = protocol=17 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{4D88F9B5-0A7E-406E-8A5E-D953D184DF18}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{53A672E4-CE22-4C41-9A5D-0E84DDFEA1EF}" = protocol=17 | dir=in | app=c:\program files\hp\hp deskjet 1000 j110 series\bin\usbsetup.exe |
"{54F4F3EE-BBA8-4822-A2BD-EF8430D4B894}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{562D153A-244B-4167-872E-C5AF80E3FC5F}" = dir=in | app=c:\program files\hp\quickplay\qp.exe |
"{59639179-9648-43CC-A7ED-65A81095A8FD}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{842B7AF2-6A05-4DFD-9B08-4CA6A71EB74B}" = protocol=6 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{872D0836-493A-4541-986C-9FB6BCFCA5C2}" = dir=in | app=c:\users\chad\appdata\local\facebook\video\skype\facebookvideocalling.exe |
"{8F78E3F4-89F4-4A8F-8338-BD001DA72E56}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{9ECA344C-088D-4425-BAAD-7B8B57162963}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe |
"{B1CE5338-20BF-4F68-B6B6-996944C9A6E5}" = protocol=6 | dir=in | app=c:\program files\hp\hp deskjet 1000 j110 series\bin\usbsetup.exe |
"{B9DD911E-1966-4F26-9E97-06B36E8D2F6E}" = dir=in | app=c:\program files\hp\quickplay\qpservice.exe |
"{BB9356B4-D4BC-4DAD-B3AC-A77CC0FA28A6}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{D7BA198F-EB15-4F28-92FA-9CAB2165E5C7}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{EAD465E8-3680-44DC-B509-62F191DFEE26}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{FD3C97DA-046E-46EE-BEAB-A367C9742662}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"TCP Query User{0EFAF3B0-971D-473B-BA52-3BAB9A2C132D}C:\program files\hp games\wheel of fortune\wheel of fortune.exe" = protocol=6 | dir=in | app=c:\program files\hp games\wheel of fortune\wheel of fortune.exe |
"TCP Query User{2AECD448-9096-4829-831C-D27D6D5CAAFF}C:\program files\hp games\wheel of fortune\wheel of fortune.exe" = protocol=6 | dir=in | app=c:\program files\hp games\wheel of fortune\wheel of fortune.exe |
"TCP Query User{818A3CB4-30F6-49C5-A5E0-6E3155651CB9}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{CB281532-2E6A-4164-A5AB-B5D60972B3D3}C:\program files\mozilla firefox\plugin-container.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\plugin-container.exe |
"UDP Query User{217B97FE-2785-43FE-B705-0D76DD008923}C:\program files\hp games\wheel of fortune\wheel of fortune.exe" = protocol=17 | dir=in | app=c:\program files\hp games\wheel of fortune\wheel of fortune.exe |
"UDP Query User{4068B725-7BF3-476C-AC25-98AF958A0637}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{6772FA22-5C42-45ED-B045-793571575C16}C:\program files\mozilla firefox\plugin-container.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\plugin-container.exe |
"UDP Query User{EC64F058-78CC-48AC-ABE1-11E432FE4E83}C:\program files\hp games\wheel of fortune\wheel of fortune.exe" = protocol=17 | dir=in | app=c:\program files\hp games\wheel of fortune\wheel of fortune.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{06E74B9B-631F-4378-BF3A-40D868450C05}" = HPPhotoSmartPhotobookHolidayPack1
"{07D4A7C5-C55C-45B5-9E86-D8068D25EF40}" = Fast Track
"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer
"{12A76360-388E-4B27-ABEB-D5FC5378DD2A}" = HPPhotoSmartPhotobookWebPack1
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{172AEB5E-CBB2-4CDD-A4CF-388600825839}" = HPPhotoSmartPhotobookPlayfulPack1
"{1BDC9633-895B-4842-BCB6-8FA1EC2A3C5A}" = Adobe Shockwave Player
"{1D7CE340-70C3-4848-BCCF-215950328A4C}" = Facebook Video Calling 1.0.0.8953
"{1E04F83B-2AB9-4301-9EF7-E86307F79C72}" = Google Earth
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"{228C6B46-64E2-404E-898A-EF0830603EF4}" = HPNetworkAssistant
"{254C37AA-6B72-4300-84F6-98A82419187E}" = Hewlett-Packard Active Check for Health Check
"{318AB667-3230-41B5-A617-CB3BF748D371}" = iTunes
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{340F521E-3576-4E1A-B75C-EB0ACF751379}" = HP Wireless Assistant
"{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 D3
"{380357CA-29F4-4B3C-B401-32C057E6B59B}" = HP Smart Web Printing
"{3877C901-7B90-4727-A639-B6ED2DD59D43}" = ESU for Microsoft Vista
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"{415B2719-AD3A-4944-B404-C472DB6085B3}" = Cisco EAP-FAST Module
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP DVD Play 3.7
"{4CACFCD9-F71B-413A-8DF5-1A6419D5CDC6}" = Cards_Calendar_OrderGift_DoMorePlugout
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}" = Cisco PEAP Module
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = Hewlett-Packard Asset Agent for Health Check
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{83770D14-21B9-44B3-8689-F7B523F94560}" = Cisco LEAP Module
"{89E052B2-5CA5-4B7A-AF0C-28CA2836B030}" = HPPhotoSmartPhotobookModernPack1
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8DF92D68-F8EE-4F9C-89A2-26254C1C4B6B}" = HP Help and Support
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{9E2CCD5E-1990-4EF2-9B61-32F0BBACC29B}" = HP Active Support Library
"{A07840FC-CE63-4CB8-8030-EF4B9805925A}" = HPPhotoSmartDiscLabel_PaperLabel
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{AC95121F-1576-45B8-82F7-3911D27882E6}" = HPPhotoSmartPhotobookScrapbookPack1
"{ADFB9653-F44C-460C-BF58-189CC552DFFE}" = hpphotosmartdisclabelplugin
"{B0069CFA-5BB9-4C03-B1C6-89CE290E5AFE}" = HP Update
"{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}" = Citrix Presentation Server Client
"{B4E91E95-A5BA-4E50-A465-DB7EFEB176E8}" = HPPhotoSmartDiscLabel_PrintOnDisc
"{B6D0B141-B2BE-4DD0-B08F-B9186F3E36B3}" = HP User Guides 0118
"{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5
"{C27C82E4-9C53-4D76-9ED3-A01A3D5EE679}" = HP Customer Experience Enhancements
"{C3A32068-8AB1-4327-BB16-BED9C6219DC7}" = Atheros Driver Installation Program
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{DD3C88A0-C53C-41D0-A21B-6D021981D23E}" = HPPhotoSmartDiscLabelContent1
"{DDDFCC77-7F9C-45E9-B38E-721BA599BA0C}" = HP Deskjet 1000 J110 series Help
"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{f32502b5-5b64-4882-bf61-77f23edcac4f}" = HP Total Care Advisor
"{F4B1B985-F308-4DBA-BFD7-CCCB8839234B}" = HP Deskjet 1000 J110 series Basic Device Software
"{F636EE9A-F9EC-4606-BCFA-77DD0E210788}" = HPPhotoSmartDiscLabel_Tattoo
"{F958CA02-BB40-4007-894B-258729456EE4}" = QuickTime
"{FA3B34BE-4246-4062-90A3-34CBBEA12B72}" = HPTCSSetup
"Acoustica Effects Pack" = Acoustica Effects Pack
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AIM_6" = AIM 6
"AP Tuner 3.08" = AP Tuner 3.08
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CNXT_AUDIO_HDA" = Conexant HD Audio
"CNXT_MODEM_HDAUDIO_HERMOSA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
"Desktop Taipei_is1" = Desktop Taipei version 2.2
"ESET Online Scanner" = ESET Online Scanner v3
"ExpressBurn" = Express Burn
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"HP Photosmart Essential" = HP Photosmart Essential 2.5
"HP Smart Web Printing" = HP Smart Web Printing
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"KRISTAL Audio Engine" = KRISTAL Audio Engine
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox 8.0 (x86 en-US)" = Mozilla Firefox 8.0 (x86 en-US)
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"NVIDIA Drivers" = NVIDIA Drivers
"OtsTurntables Free" = OtsTurntables Free 1.00.027
"ReadPlease 2003_is1" = ReadPlease 2003/ReadPlease PLUS 2003
"SlingMedia.QPSlingPlayer_is1" = QuickPlay SlingPlayer 0.4.6
"Switch" = Switch Sound File Converter
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"ViewpointMediaPlayer" = Viewpoint Media Player
"WildTangent hp Master Uninstall" = My HP Games

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-365443478-1480907561-30040671-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"UnityWebPlayer" = Unity Web Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/6/2010 9:06:40 AM | Computer Name = Chadlaptop | Source = WinMgmt | ID = 10
Description =

Error - 9/7/2010 9:49:29 PM | Computer Name = Chadlaptop | Source = WinMgmt | ID = 10
Description =

Error - 9/7/2010 9:50:07 PM | Computer Name = Chadlaptop | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 9/8/2010 6:25:27 PM | Computer Name = Chadlaptop | Source = WinMgmt | ID = 10
Description =

Error - 9/8/2010 6:25:30 PM | Computer Name = Chadlaptop | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 9/9/2010 7:24:45 AM | Computer Name = Chadlaptop | Source = WinMgmt | ID = 10
Description =

Error - 9/9/2010 7:25:45 AM | Computer Name = Chadlaptop | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 9/9/2010 7:41:34 PM | Computer Name = Chadlaptop | Source = WinMgmt | ID = 10
Description =

Error - 9/9/2010 7:41:35 PM | Computer Name = Chadlaptop | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 9/10/2010 8:03:28 AM | Computer Name = Chadlaptop | Source = WinMgmt | ID = 10
Description =

[ Media Center Events ]
Error - 12/31/2008 2:32:45 PM | Computer Name = Chadlaptop | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 6/24/2009 11:42:13 PM | Computer Name = Chadlaptop | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

[ System Events ]
Error - 12/31/2010 9:26:47 PM | Computer Name = Chadlaptop | Source = Service Control Manager | ID = 7011
Description =

Error - 1/1/2011 1:29:28 PM | Computer Name = Chadlaptop | Source = HTTP | ID = 15016
Description =

Error - 1/1/2011 1:32:24 PM | Computer Name = Chadlaptop | Source = HTTP | ID = 15016
Description =

Error - 1/1/2011 1:32:40 PM | Computer Name = Chadlaptop | Source = Service Control Manager | ID = 7000
Description =

Error - 1/1/2011 2:27:49 PM | Computer Name = Chadlaptop | Source = HTTP | ID = 15016
Description =

Error - 1/1/2011 2:28:07 PM | Computer Name = Chadlaptop | Source = Service Control Manager | ID = 7000
Description =

Error - 1/1/2011 2:32:00 PM | Computer Name = Chadlaptop | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.65 for the Network Card with network
address 00234D2CBE66 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 1/1/2011 6:37:28 PM | Computer Name = Chadlaptop | Source = HTTP | ID = 15016
Description =

Error - 1/1/2011 6:37:41 PM | Computer Name = Chadlaptop | Source = Service Control Manager | ID = 7000
Description =

Error - 1/1/2011 6:39:55 PM | Computer Name = Chadlaptop | Source = EventLog | ID = 6008
Description = The previous system shutdown at 4:38:17 PM on 1/1/2011 was unexpected.


< End of report >

#5
CompCav

    Member 5k

  • Expert
  • 12,448 posts
What problems do you now have?

#6
cbroadway

    Member

  • Topic Starter
  • Member
  • 37 posts
Wow! You're a genius! I can't say with absolute certainty, but it does appear to be completely free of all aforementioned problems. You really know your stuff, CompCav! Thank you so much, Chad.

#7
CompCav

    Member 5k

  • Expert
  • 12,448 posts
Viewpoint is Foistware

Viewpoint is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". I recommend you uninstall your Viewpoint product, but it is your choice.
Especially since this may change, read Viewpoint to Plunge Into Adware. Please uninstall Viewpoint Media Player.


Step 1.

OTL Fix


We need to run an OTL Fix

  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.

    :OTL
    PRC - [2007/01/04 15:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
    SRV - [2007/01/04 15:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
    [2011/06/23 13:30:48 | 000,000,925 | ---- | M] () -- C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\searchplugins\conduit.xml
    [2011/07/12 20:19:53 | 000,009,965 | ---- | M] () -- C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\searchplugins\mywebsearch.xml
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll File not found
    
    
    :files
    ipconfig /flushdns /c
    C:\Windows\Tasks\At*.job
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    
    
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [createrestorepoint]
    [Reboot]
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date and the time of the tool run.


Step 2.

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.


Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Step 3.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Run ESET Online Scan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  • ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


Step 4.

Security Check
Download Security Check by screen317 from here or here.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Step 5.

  • Double click on the Posted Image icon to run it.
  • Click the Quick Scan button. Post the log it produces in your next reply. The scan won't take long.


Step 6.

Please post:

otl fix log
mbam log
eset log
security check log
OTL.txt


Please give me an update on how your computer is doing!
  • 0

#8
cbroadway

    Member

  • Topic Starter
  • Member
  • 37 posts
Thank you! I will get to that ASAP. I'm out of town and away from that machine currently, but will respond as soon as I can (probably 2 days from now).

Thanks again! Chad
  • 0

#9
cbroadway

    Member

  • Topic Starter
  • Member
  • 37 posts
OK, I've done as you requested. Everything went OK, except ESET wouldn't run. Actually it was something preventing ActiveX from installing. Not sure what the problem was, though. Here are my log files. Everything seems to be running great now!

Thanks, Chad

____________________________________________________
All processes killed
========== OTL ==========
Process ViewpointService.exe killed successfully!
Service Viewpoint Manager Service stopped successfully!
Service Viewpoint Manager Service deleted successfully!
C:\Program Files\Viewpoint\Common\ViewpointService.exe moved successfully.
C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\searchplugins\conduit.xml moved successfully.
C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\searchplugins\mywebsearch.xml moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\ deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Chad\Desktop\virus 2011\cmd.bat deleted successfully.
C:\Users\Chad\Desktop\virus 2011\cmd.txt deleted successfully.
File\Folder C:\Windows\Tasks\At*.job not found.
File\Folder C:\Program Files\Viewpoint\Common\ViewpointService.exe not found.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Chad
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 39679957 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 65240987 bytes
->Flash cache emptied: 18830 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 468754 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 560539929 bytes

Total Files Cleaned = 635.00 mb



OTL by OldTimer - Version 3.2.31.0 log created on 12112011_210217

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

________________________________________________________________________


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8354

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

12/11/2011 9:20:49 PM
mbam-log-2011-12-11 (21-20-49).txt

Scan type: Quick scan
Objects scanned: 167680
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Chad\AppData\Roaming\firefox.exe (Malware.Packer) -> Quarantined and deleted successfully.
c:\Users\Chad\AppData\Roaming\wmplayer.exe (Malware.Packer) -> Quarantined and deleted successfully.
c:\Users\Chad\AppData\Local\Temp\4136.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\Users\Chad\AppData\Local\Temp\9E36.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\Users\Chad\AppData\Local\Temp\wpbt0.dll (Backdoor.Bot) -> Quarantined and deleted successfully.

_________________________________________________________________

Results of screen317's Security Check version 0.99.28
Windows Vista Service Pack 1 x86
Out of date service pack!!
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
ESET Online Scanner v3
WMI entry may not exist for antivirus; attempting automatic update.
Avira successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 5
Java version out of date!
Adobe Flash Player ( 10.1.82.76) Flash Player out of Date!
Adobe Reader 8 Adobe Reader out of date!
Mozilla Firefox (8.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````End of Log````````````

______________________________________________________

OTL logfile created on: 12/11/2011 9:34:19 PM - Run 4
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Chad\Desktop\virus 2011
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.75 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 57.22% Memory free
3.74 Gb Paging File | 2.75 Gb Available in Paging File | 73.56% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 101.93 Gb Total Space | 61.53 Gb Free Space | 60.36% Space Free | Partition Type: NTFS
Drive D: | 9.85 Gb Total Space | 1.73 Gb Free Space | 17.58% Space Free | Partition Type: NTFS

Computer Name: CHADLAPTOP | User Name: Chad | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/11 21:30:49 | 000,879,649 | ---- | M] () -- C:\Users\Chad\Desktop\SecurityCheck.exe
PRC - [2011/11/24 10:49:27 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Chad\Desktop\virus 2011\OTL.exe
PRC - [2011/11/09 17:44:11 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/09/01 18:42:06 | 024,183,152 | ---- | M] (Dropbox, Inc.) -- C:\Users\Chad\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2011/07/04 19:42:41 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/05/03 15:34:39 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/03/04 13:36:51 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/01/14 20:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/02/11 07:48:00 | 000,480,264 | ---- | M] (Avid Technology, Inc.) -- C:\Windows\System32\M-AudioTaskBarIcon.exe
PRC - [2008/04/26 02:15:26 | 000,361,808 | ---- | M] () -- C:\Windows\SMINST\BLService.exe
PRC - [2008/01/20 20:24:24 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/01/20 20:23:50 | 000,318,976 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cmd.exe
PRC - [2006/11/02 06:35:35 | 000,176,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wpcumi.exe


========== Modules (No Company Name) ==========

MOD - [2011/12/11 21:30:49 | 000,879,649 | ---- | M] () -- C:\Users\Chad\Desktop\SecurityCheck.exe
MOD - [2011/11/09 17:44:10 | 001,989,592 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2008/06/11 23:18:38 | 000,120,216 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLSchMgr.dll
MOD - [2008/06/11 23:18:36 | 000,259,480 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapEngine.dll
MOD - [2008/06/11 23:18:34 | 000,345,384 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLTinyDB.dll
MOD - [2008/06/11 23:17:08 | 000,066,856 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\common\MCEMediaStatus.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/07/04 19:42:41 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/05/03 15:34:39 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/04/26 02:15:26 | 000,361,808 | ---- | M] () [Auto | Running] -- C:\Windows\SMINST\BLService.exe -- (Recovery Service for Windows)
SRV - [2008/01/20 20:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2011/07/04 19:42:42 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/07/04 19:42:42 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/06/17 13:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/02/11 07:47:48 | 000,156,552 | ---- | M] (Avid Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mausbft.sys -- (MAUSBFT)
DRV - [2008/07/11 12:31:00 | 007,530,656 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/06/05 10:58:42 | 000,222,208 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2008/05/09 13:17:32 | 000,043,040 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvhda32v.sys -- (NVHDA)
DRV - [2008/04/27 12:07:44 | 000,909,824 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/04/24 16:51:46 | 000,014,848 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2008/01/29 07:55:00 | 001,042,464 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2007/10/17 17:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/07/11 11:30:22 | 000,007,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\HpqRemHid.sys -- (HpqRemHid)
DRV - [2007/06/18 18:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...avilion&pf=cnnb
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...avilion&pf=cnnb

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...avilion&pf=cnnb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "Quixley_v2b Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.condui...={searchTerms}"
FF - prefs.js..browser.startup.homepage: "google.com"
FF - prefs.js..keyword.URL: "http://search.condui...rchSource=2&q="

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll ()
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Users\Chad\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Chad\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2008/08/11 14:22:00 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/09 17:44:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/18 06:03:51 | 000,000,000 | ---D | M]

[2008/11/28 14:11:57 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chad\AppData\Roaming\Mozilla\Extensions
[2011/12/02 19:52:20 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\extensions
[2011/12/01 19:50:47 | 000,000,000 | ---D | M] (Quixley_v2b Community Toolbar) -- C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\extensions\{08a4f3d8-73a4-4212-b58c-2840ab3578ca}(28)
[2011/07/12 20:19:05 | 000,000,000 | ---D | M] (SocialRibbons LP2) -- C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\extensions\{0dd5ab7a-9db5-0aa4-e914-7148cd6c0afc}
[2011/12/02 19:29:45 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\extensions\staged(27)
[2011/12/11 21:27:14 | 000,000,000 | ---D | M] (WindowShopper) -- C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\extensions\[email protected]
[2011/07/12 20:19:02 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\od5fcwnc.default\extensions\{0dd5ab7a-9db5-0aa4-e914-7148cd6c0afc}\chrome\content\dca\core\extensionManager
[2011/03/31 20:24:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/11/09 17:44:11 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/10/09 20:56:57 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/09 17:44:11 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========


O1 HOSTS File: ([2011/12/11 21:02:23 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [M-Audio Taskbar Icon] C:\Windows\System32\M-AudioTaskBarIcon.exe (Avid Technology, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [WPCUMI] C:\Windows\System32\wpcumi.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Facebook Update] C:\Users\Chad\AppData\Local\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)
O4 - Startup: C:\Users\Chad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Chad\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A6EC1223-5CF3-44E0-AD85-FAE65C70892E}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\Skyline.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\Skyline.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/08/11 13:50:39 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/11 21:09:12 | 009,852,544 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Chad\Desktop\mbam-setup-1.51.2.1300.exe
[2011/12/06 17:45:06 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/11/24 11:15:28 | 000,000,000 | ---D | C] -- C:\_OTM
[2011/11/24 10:48:36 | 000,000,000 | ---D | C] -- C:\Users\Chad\Desktop\virus 2011
[2011/11/14 17:34:37 | 000,000,000 | ---D | C] -- C:\Users\Chad\AppData\Local\Facebook

========== Files - Modified Within 30 Days ==========

[2011/12/11 21:30:49 | 000,879,649 | ---- | M] () -- C:\Users\Chad\Desktop\SecurityCheck.exe
[2011/12/11 21:30:42 | 000,595,684 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/12/11 21:30:42 | 000,101,350 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/12/11 21:26:19 | 000,248,744 | ---- | M] () -- C:\ProgramData\nvModes.001
[2011/12/11 21:25:57 | 000,000,246 | ---- | M] () -- C:\Users\Public\Documents\hpqp.ini
[2011/12/11 21:25:37 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/12/11 21:25:36 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/12/11 21:25:28 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/12/11 21:10:04 | 009,852,544 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Chad\Desktop\mbam-setup-1.51.2.1300.exe
[2011/12/11 21:02:23 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2011/12/11 17:39:02 | 000,000,924 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-365443478-1480907561-30040671-1000UA.job
[2011/12/11 17:39:00 | 000,000,902 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-365443478-1480907561-30040671-1000Core.job
[2011/12/08 20:11:24 | 000,061,861 | ---- | M] () -- C:\Users\Chad\Desktop\Insurance Best-Places-to-work.pdf
[2011/12/05 21:16:48 | 000,248,744 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2011/12/04 20:55:22 | 000,002,595 | ---- | M] () -- C:\Users\Chad\Desktop\Microsoft Word.lnk
[2011/12/02 20:09:17 | 000,055,641 | ---- | M] () -- C:\Users\Chad\Desktop\twilight.jpg
[2011/11/16 23:08:00 | 000,036,864 | ---- | M] () -- C:\Users\Chad\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== Files Created - No Company Name ==========

[2011/12/11 21:30:49 | 000,879,649 | ---- | C] () -- C:\Users\Chad\Desktop\SecurityCheck.exe
[2011/12/08 20:11:24 | 000,061,861 | ---- | C] () -- C:\Users\Chad\Desktop\Insurance Best-Places-to-work.pdf
[2011/12/02 20:09:17 | 000,055,641 | ---- | C] () -- C:\Users\Chad\Desktop\twilight.jpg
[2011/11/14 17:34:43 | 000,000,924 | ---- | C] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-365443478-1480907561-30040671-1000UA.job
[2011/11/14 17:34:42 | 000,000,902 | ---- | C] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-365443478-1480907561-30040671-1000Core.job
[2009/02/21 21:32:59 | 000,007,592 | ---- | C] () -- C:\Users\Chad\AppData\Local\d3d9caps.dat
[2008/12/15 19:00:22 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2008/11/28 19:06:13 | 000,036,864 | ---- | C] () -- C:\Users\Chad\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/28 09:58:27 | 000,248,744 | ---- | C] () -- C:\ProgramData\nvModes.001
[2008/11/28 09:58:01 | 000,248,744 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2008/10/08 17:36:55 | 000,003,948 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
[2008/08/11 14:05:13 | 000,101,605 | ---- | C] () -- C:\Windows\hpqins13.dat
[2008/01/20 20:24:14 | 000,100,043 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2006/11/02 06:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 06:47:37 | 000,297,728 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 06:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 04:33:01 | 000,595,684 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 04:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 04:33:01 | 000,101,350 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 04:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 04:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 02:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 02:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 01:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 01:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/02 01:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2006/03/09 03:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2001/08/06 21:16:34 | 000,045,056 | ---- | C] () -- C:\Windows\OTS_UI.EXE

========== LOP Check ==========

[2011/07/22 12:42:08 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\Acoustica
[2009/01/12 21:50:40 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\Crayon Physics Deluxe
[2011/12/11 21:26:37 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\Dropbox
[2011/07/27 08:39:43 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\GetRightToGo
[2010/10/07 15:43:23 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\ICAClient
[2009/06/01 18:20:23 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\muvee Technologies
[2008/12/23 13:20:31 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\NCH Swift Sound
[2009/08/08 21:33:33 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\PlayFirst
[2008/11/30 17:35:40 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\Super-Cow
[2011/07/22 12:57:34 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\SynthMaker
[2011/06/13 13:13:50 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\Unity
[2008/11/28 09:56:21 | 000,000,000 | ---D | M] -- C:\Users\Chad\AppData\Roaming\WildTangent
[2011/12/11 17:39:00 | 000,000,902 | ---- | M] () -- C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-365443478-1480907561-30040671-1000Core.job
[2011/12/11 17:39:02 | 000,000,924 | ---- | M] () -- C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-365443478-1480907561-30040671-1000UA.job
[2011/12/11 21:24:30 | 000,032,598 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >
  • 0
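The MBAM log above lists two droppers in AppData\Roaming named after legitimate programs and three Backdoor.Bot items, which is the evidence a helper weighs when deciding whether a cleanup is enough. The following triage script is an added example, not code from this thread or from Malwarebytes: it parses the "... Infected:" sections of an MBAM 1.x text log (the SAMPLE_LOG is a constructed abbreviation of the format above), counts detections per family, and escalates when backdoor/password-stealer families or executables dropped into the user profile under well-known program names appear. The family prefixes it escalates on are an illustrative list, not an official Malwarebytes classification.

```python
"""Triage an MBAM 1.x text log: summarise detections and flag backdoor-class findings.

Added example, not from the thread or from Malwarebytes. Sections of the log
look like "Files Infected:" followed by one detection per line in the form
"<item> (<family>) -> <action>".
"""
import re
from collections import Counter

# Constructed sample, abbreviated from the format of the log in this thread.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Scan type: Quick scan
Objects scanned: 167680
Files Infected: 3

Registry Keys Infected:
HKEY_CLASSES_ROOT\\CLSID\\{A4730EBE-43A6-443e-9776-36915D323AD3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\\SOFTWARE\\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
c:\\Users\\Chad\\AppData\\Roaming\\firefox.exe (Malware.Packer) -> Quarantined and deleted successfully.
c:\\Users\\Chad\\AppData\\Local\\Temp\\4136.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\\Users\\Chad\\AppData\\Local\\Temp\\wpbt0.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

# A section header is "<Something> Infected:" with nothing after the colon;
# the summary lines near the top ("Files Infected: 3") carry a count and do not match.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

# Illustrative family prefixes (assumption, not an official list) whose presence means
# the machine may have been remotely controlled or had credentials harvested.
ESCALATE_PREFIXES = ("Backdoor.", "Spyware.", "PWS.")

# Program names a dropper commonly borrows; genuine copies do not live under AppData.
IMPERSONATED = {"firefox.exe", "wmplayer.exe", "svchost.exe", "explorer.exe"}


def parse_mbam_log(text):
    """Return a list of (section, item, family, action) tuples for every detection."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        item = ITEM_RE.match(line)
        if item:
            findings.append((section, item.group("item"), item.group("family"), item.group("action")))
    return findings


def profile_drop(path):
    """True if PATH is a file under a user's AppData tree that reuses a well-known program name."""
    low = path.lower().replace("/", "\\")
    name = low.rsplit("\\", 1)[-1]
    return "\\appdata\\" in low and name in IMPERSONATED


def triage(text):
    """Summarise a log and decide whether the findings warrant a credential-compromise warning."""
    findings = parse_mbam_log(text)
    families = Counter(f[2] for f in findings)
    escalate = [f[1] for f in findings if f[2].startswith(ESCALATE_PREFIXES)]
    impostors = [f[1] for f in findings if f[0] == "Files Infected" and profile_drop(f[1])]
    verdict = "assume credentials compromised" if (escalate or impostors) else "adware/PUP cleanup only"
    return {
        "total": len(findings),
        "families": dict(families),
        "escalate": escalate,
        "impostors": impostors,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['total']} detections: {report['families']}")
    for path in report["escalate"]:
        print("backdoor-class item:", path)
    for path in report["impostors"]:
        print("impersonating dropper in profile:", path)
    print("verdict:", report["verdict"])
```

Run it against a saved mbam-log-*.txt by replacing SAMPLE_LOG with the file contents; a log that contains only adware entries yields the "cleanup only" verdict.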

#10
CompCav

CompCav

    Member 5k

  • Expert
  • 12,448 posts
Warning!!
You have an information stealing trojan installed on your computer.
Backdoor Trojans, IRCBots, keyloggers and Infostealers are very dangerous because they provide a way of accessing a computer system that bypasses security mechanisms and can steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, I suggest you do the following.

  • All passwords should be changed to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed using a different computer and not the infected one. If you use the infected computer, an attacker may get the new passwords and transaction information.
  • Banking and credit card institutions should be notified of the possible security breach.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide to continue cleaning the existing install please follow the steps below:



Step 1.

Update Java

Please download JavaRa to your desktop and unzip it to its own folder

Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.


Step 2.

Uninstall ESET online scanner.


Step 3.

Re-try to install and run the ESET online scanner.

Run ESET Online Scan

Since you had an ActiveX issue please follow these instructions using Firefox instead of Internet Explorer.

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  • ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


Step 4. (Do this step only if eset still does not work)

Let's run an F-Secure online scan for Viruses, Spyware and RootKits:
  • Go to http://support.f-sec.../home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take several hours, so please be patient



Step 5.

Please post:

ESET log or F-Secure log

Is your computer continuing to run well?

What remaining issues do you have?
  • 0

#11
cbroadway

cbroadway

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Sorry for the delay. I have successfully updated Java. I have tried to run ESET 3 times, with no luck. I usually let it run over night, as it seems to take several hours. However, I come back the next day to find ESET completely exited out. I don't have the opportunity to view the log. Perhaps you may know where it gets saved (if at all).

Also, I have changed all my passwords (from another computer) and will discontinue using this one for any sensitive data.

Everything is running great again, although I keep getting a message that "Windows has blocked some of your startup programs" - something to that effect. I'll jot down the exact wording next time it happens.

Thanks, Chad
  • 0

#12
CompCav

CompCav

    Member 5k

  • Expert
  • 12,448 posts
Please try step 4, F-Secure online scan.

CompCav
  • 0

#13
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0