Daughter needs help with Vista Home Premium SP 2 Malware Help Needed

This topic is locked

#16 beabruin (Member, Topic Starter, 73 posts)
Here are the OTL logs.

OTL Run Fix Log 27012012
*************************
All processes killed
========== FILES ==========
AgVQVkFpNfmITWf.exe not found in C:\
AgVQVkFpNfmITWf.exe not found in D:\
AgVQVkFpNfmITWf.exe not found in F:\
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\_admin\Desktop\cmd.bat deleted successfully.
C:\Users\_admin\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: owner
->Temp folder emptied: 2099718 bytes
->Temporary Internet Files folder emptied: 3435740 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 19764509 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 611 bytes

User: Public
->Temp folder emptied: 0 bytes

User: _admin
->Temp folder emptied: 71919 bytes
->Temporary Internet Files folder emptied: 14058143 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 507 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 377048 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 38.00 mb



OTL by OldTimer - Version 3.2.31.0 log created on 01272012_093355

Files\Folders moved on Reboot...
C:\Users\_admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\_admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S94A21I1\fastbutton[1].htm moved successfully.

Registry entries deleted on Reboot...
*************************************
OTL Quick Scan Log
*************************************
*
OTL logfile created on: 1/27/2012 9:49:03 AM - Run 6
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\_admin\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 1.68 Gb Available Physical Memory | 56.03% Memory free
6.18 Gb Paging File | 4.78 Gb Available in Paging File | 77.33% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 221.19 Gb Total Space | 110.47 Gb Free Space | 49.94% Space Free | Partition Type: NTFS
Drive D: | 11.69 Gb Total Space | 2.03 Gb Free Space | 17.34% Space Free | Partition Type: NTFS
Drive F: | 1.90 Gb Total Space | 1.90 Gb Free Space | 100.00% Space Free | Partition Type: FAT

Computer Name: CARUDA | User Name: _admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Program Files\Webroot\WRSA.exe (Webroot)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Users\_admin\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe ()
PRC - C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe ()
PRC - c:\Program Files\Winamp Toolbar\winampTbServer.exe (AOL LLC.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\userinit.exe (Microsoft Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Program Files\Canon\IJPLM\ijplmsvc.exe ()
PRC - C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE (CANON INC.)


========== Modules (No Company Name) ==========

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\40da9084d0863e07d7ce55953833b8b0\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\c1c06a392871267db27f7cbc40e1c4fb\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\1363115565fff5a641243a48f396f107\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\367c4043efc2f32d843cb588b0dc97fc\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\231b0b42eff55de5c7d7debe555c16b7\PresentationFramework.Aero.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\94f892556ec9fa7a508fc9d214ceaedf\PresentationFramework.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\53f949f4664bb316f9b7a00d73a6e290\PresentationCore.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\fd2c727bcef2e019eb96c1145f423701\WindowsBase.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\f9c36ea806e77872dce891c77b68fac3\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\b6632a8b2f276a8e31f5b0f6b2006cd1\mscorlib.ni.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP Advisor\Pillars\PCAlerts\PCAlertsPillar.dll ()
MOD - C:\Windows\System32\igfxTMM.dll ()


========== Win32 Services (SafeList) ==========

SRV - (WRSVC) -- C:\Program Files\Webroot\WRSA.exe (Webroot)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MotoHelper) -- C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe ()
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (IAANTMON) Intel® -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
SRV - (IJPLMSVC) -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe ()
SRV - (Com4Qlb) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe (Hewlett-Packard Development Company, L.P.)


========== Driver Services (SafeList) ==========

DRV - (WRkrn) -- C:\Windows\System32\drivers\WRkrn.sys (Webroot)
DRV - (MBAMProtector) -- C:\Windows\System32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (motccgp) -- C:\Windows\System32\drivers\motccgp.sys (Motorola)
DRV - (motmodem) -- C:\Windows\System32\drivers\motmodem.sys (Motorola)
DRV - (Motousbnet) -- C:\Windows\System32\drivers\Motousbnet.sys (Motorola)
DRV - (motusbdevice) -- C:\Windows\System32\drivers\motusbdevice.sys (Motorola Inc)
DRV - (BVRPMPR5) -- C:\Windows\System32\drivers\BVRPMPR5.SYS (Avanquest Software)
DRV - (motccgpfl) -- C:\Windows\System32\drivers\motccgpfl.sys (Motorola)
DRV - (BTCFilterService) -- C:\Windows\System32\drivers\motfilt.sys (Motorola Inc)
DRV - (MotoSwitchService) -- C:\Windows\System32\drivers\motswch.sys (Motorola)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation )
DRV - (HpqRemHid) -- C:\Windows\System32\drivers\HpqRemHid.sys (Hewlett-Packard Development Company, L.P.)
DRV - (NETw4v32) Intel® -- C:\Windows\System32\drivers\NETw4v32.sys (Intel Corporation)
DRV - (HpqKbFiltr) -- C:\Windows\System32\drivers\HpqKbFiltr.sys (Hewlett-Packard Development Company, L.P.)
DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC)
DRV - (smserial) -- C:\Windows\System32\drivers\smserial.sys (Motorola Inc.)
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvm60x32.sys (NVIDIA Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...ilion&pf=laptop
IE - HKLM\..\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ilion&pf=laptop
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://blackle.com/
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: ""
FF - prefs.js..browser.search.defaultenginename: ""
FF - prefs.js..browser.search.order.1: ""
FF - prefs.js..browser.search.selectedEngine: ""
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2008/08/31 19:45:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/02 19:22:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/02 19:22:11 | 000,000,000 | ---D | M]

[2009/12/23 10:18:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\_admin\AppData\Roaming\Mozilla\Extensions
[2012/01/19 20:10:20 | 000,000,000 | ---D | M] (No name found) -- C:\Users\_admin\AppData\Roaming\Mozilla\Firefox\Profiles\hlk4iq79.default\extensions
[2009/12/23 11:02:00 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\_admin\AppData\Roaming\Mozilla\Firefox\Profiles\hlk4iq79.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/01/16 06:52:15 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\_admin\AppData\Roaming\Mozilla\Firefox\Profiles\hlk4iq79.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2012/01/02 19:22:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/01/02 19:22:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\distribution\extensions
[2012/01/02 19:22:13 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\distribution\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/11/20 23:04:51 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/05/04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010/12/09 05:47:06 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\mozilla firefox\plugins\npwachk.dll
[2010/05/06 20:22:31 | 000,001,490 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\AOL Search.xml
[2011/11/20 20:04:05 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/20 20:04:05 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/01/27 09:37:26 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Winamp Toolbar Loader) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O3 - HKLM\..\Toolbar: (Winamp Toolbar) - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O3 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\Toolbar\WebBrowser: (Winamp Toolbar) - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O3 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001\..\Toolbar\WebBrowser: (Winamp Toolbar) - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [WRSVC] C:\Program Files\Webroot\WRSA.exe (Webroot)
O4 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000..\Run: [AgVQVkFpNfmITWf.exe] C:\ProgramData\AgVQVkFpNfmITWf.exe File not found
O4 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000..\Run: [Desktop Software] C:\Program Files\Common Files\SupportSoft\bin\bcont.exe (SupportSoft, Inc.)
O4 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000..\Run: [HLBackupScheduler] C:\Users\owner\Desktop\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe File not found
O4 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001..\Run: [WindowsWelcomeCenter] "C:\Windows\system32\rundll32.exe" oobefldr.dll,ShowWelcomeCenter File not found
O4 - Startup: C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Welcome Center.lnk = C:\Windows\System32\control.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - Reg Error: Value error. File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 69.78.96.14 66.174.92.14 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0C187B1F-FC4B-45FF-8753-2264EA38E7AD}: DhcpNameServer = 216.183.102.115 66.179.168.118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EE41FC19-29CB-4C60-8950-CADE512413A1}: DhcpNameServer = 69.78.96.14 66.174.92.14 8.8.8.8
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\HPRadiance.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\HPRadiance.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/01 08:18:01 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2005/09/11 10:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/26 08:57:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Webroot SecureAnywhere
[2012/01/26 08:56:46 | 000,145,592 | ---- | C] (Webroot) -- C:\Windows\System32\WRusr.dll
[2012/01/26 08:56:45 | 000,109,072 | ---- | C] (Webroot) -- C:\Windows\System32\drivers\WRkrn.sys
[2012/01/26 08:56:37 | 000,000,000 | ---D | C] -- C:\ProgramData\WRData
[2012/01/24 10:46:28 | 000,000,000 | ---D | C] -- C:\Users\_admin\AppData\Local\Microsoft Games
[2012/01/24 09:57:20 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/01/19 22:13:33 | 000,000,000 | ---D | C] -- C:\Windows\TEMP
[2012/01/19 22:13:07 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/01/19 22:13:04 | 000,000,000 | ---D | C] -- C:\Users\_admin\AppData\Local\temp
[2012/01/19 20:40:52 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/01/19 20:40:52 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/01/19 20:40:52 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/01/19 20:40:43 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/01/19 20:40:41 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/01/19 20:40:30 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/01/19 20:10:15 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/01/19 20:03:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Panda Security
[2012/01/19 20:03:00 | 000,000,000 | ---D | C] -- C:\Program Files\Panda USB Vaccine
[2012/01/19 20:03:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Panda Security
[2012/01/17 09:19:35 | 001,976,112 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\_admin\Desktop\tdsskiller.exe
[2012/01/17 09:06:17 | 000,000,000 | ---D | C] -- C:\e6767b004533ac8a30eb3661c92de8
[2012/01/16 13:45:49 | 004,713,472 | ---- | C] (AVAST Software) -- C:\Users\_admin\Desktop\aswMBR.exe
[2012/01/16 12:51:50 | 000,000,000 | ---D | C] -- C:\Users\_admin\AppData\Roaming\Malwarebytes
[2012/01/16 12:51:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/01/16 12:51:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/01/16 12:51:26 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/01/16 12:51:26 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/01/16 06:56:14 | 000,000,000 | ---D | C] -- C:\Users\_admin\AppData\Local\Winamp Toolbar

========== Files - Modified Within 30 Days ==========

[2012/01/27 09:46:37 | 000,604,502 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/01/27 09:46:37 | 000,104,170 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/01/27 09:39:09 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/01/27 09:39:09 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/01/27 09:39:05 | 000,000,699 | ---- | M] () -- C:\Users\Public\Desktop\Webroot SecureAnywhere.lnk
[2012/01/27 09:39:04 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/01/27 09:39:02 | 3211,190,272 | -HS- | M] () -- C:\hiberfil.sys
[2012/01/27 09:37:26 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2012/01/26 08:56:46 | 000,145,592 | ---- | M] (Webroot) -- C:\Windows\System32\WRusr.dll
[2012/01/26 08:56:45 | 000,109,072 | ---- | M] (Webroot) -- C:\Windows\System32\drivers\WRkrn.sys
[2012/01/19 20:01:09 | 000,823,346 | ---- | M] () -- C:\Users\_admin\Desktop\USBVaccine.zip
[2012/01/18 08:05:34 | 000,000,512 | ---- | M] () -- C:\Users\_admin\Desktop\MBR.dat
[2012/01/18 07:53:11 | 000,080,384 | ---- | M] () -- C:\Users\_admin\Desktop\MBRCheck.exe
[2012/01/17 09:58:32 | 000,000,903 | ---- | M] () -- C:\Users\_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/01/17 09:48:31 | 000,008,798 | ---- | M] () -- C:\Windows\System32\icrav03.rat
[2012/01/17 09:48:31 | 000,001,988 | ---- | M] () -- C:\Windows\System32\ticrf.rat
[2012/01/17 09:48:20 | 000,072,822 | ---- | M] () -- C:\Windows\System32\ieuinit.inf
[2012/01/17 09:01:42 | 001,922,249 | ---- | M] () -- C:\Users\_admin\Desktop\Windows6.0-KB968389-x86.msu
[2012/01/17 08:47:26 | 001,976,112 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\_admin\Desktop\tdsskiller.exe
[2012/01/16 13:44:34 | 004,713,472 | ---- | M] (AVAST Software) -- C:\Users\_admin\Desktop\aswMBR.exe
[2012/01/16 12:51:28 | 000,000,866 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/16 08:49:39 | 000,001,908 | ---- | M] () -- C:\Windows\diagwrn.xml
[2012/01/16 08:49:39 | 000,001,908 | ---- | M] () -- C:\Windows\diagerr.xml
[2012/01/16 08:46:09 | 000,002,678 | ---- | M] () -- C:\Users\_admin\Desktop\Windows Compatibility Report.htm
[2012/01/16 08:32:20 | 314,467,661 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/01/02 19:22:19 | 000,000,806 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk

========== Files Created - No Company Name ==========

[2012/01/26 08:56:47 | 000,000,699 | ---- | C] () -- C:\Users\Public\Desktop\Webroot SecureAnywhere.lnk
[2012/01/23 13:01:54 | 3211,190,272 | -HS- | C] () -- C:\hiberfil.sys
[2012/01/19 20:40:52 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/01/19 20:40:52 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/01/19 20:40:52 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/01/19 20:40:52 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/01/19 20:40:52 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/01/19 20:01:05 | 000,823,346 | ---- | C] () -- C:\Users\_admin\Desktop\USBVaccine.zip
[2012/01/18 07:53:11 | 000,080,384 | ---- | C] () -- C:\Users\_admin\Desktop\MBRCheck.exe
[2012/01/17 09:58:32 | 000,000,903 | ---- | C] () -- C:\Users\_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/01/17 09:48:20 | 000,072,822 | ---- | C] () -- C:\Windows\System32\ieuinit.inf
[2012/01/17 09:28:40 | 001,922,249 | ---- | C] () -- C:\Users\_admin\Desktop\Windows6.0-KB968389-x86.msu
[2012/01/16 14:10:13 | 000,000,512 | ---- | C] () -- C:\Users\_admin\Desktop\MBR.dat
[2012/01/16 12:51:28 | 000,000,866 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/16 08:46:09 | 000,002,678 | ---- | C] () -- C:\Users\_admin\Desktop\Windows Compatibility Report.htm
[2012/01/16 07:17:56 | 000,001,908 | ---- | C] () -- C:\Windows\diagwrn.xml
[2012/01/16 07:17:56 | 000,001,908 | ---- | C] () -- C:\Windows\diagerr.xml
[2012/01/02 19:22:19 | 000,000,818 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012/01/02 19:22:19 | 000,000,806 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011/11/05 15:27:31 | 000,000,680 | ---- | C] () -- C:\Users\_admin\AppData\Local\d3d9caps.dat
[2011/05/28 01:04:09 | 000,057,344 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2010/07/07 15:04:12 | 000,000,056 | ---- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/04/24 07:43:07 | 000,004,608 | ---- | C] () -- C:\Users\_admin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/10 21:12:37 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/09/10 21:12:36 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2008/12/13 15:58:21 | 000,121,368 | ---- | C] () -- C:\Windows\hpoins15.dat
[2008/12/13 15:58:21 | 000,001,037 | ---- | C] () -- C:\Windows\hpomdl15.dat
[2008/08/31 20:26:32 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2008/08/31 20:26:32 | 000,000,063 | ---- | C] () -- C:\Windows\mdm.ini
[2008/08/31 20:26:18 | 000,000,000 | ---- | C] () -- C:\Windows\NSREX.INI
[2008/08/30 21:39:06 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/07/19 02:57:22 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ1.dat
[2008/07/19 02:57:22 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ0.dat
[2008/07/19 02:56:53 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2008/07/01 08:33:22 | 000,101,605 | ---- | C] () -- C:\Windows\hpqins13.dat
[2007/09/13 10:31:06 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1329.dll
[2007/09/13 10:22:46 | 001,238,832 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2007/09/13 10:22:46 | 000,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
[2007/09/13 10:11:18 | 000,249,856 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:47:37 | 000,315,440 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:33:01 | 000,604,502 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,104,170 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:24:01 | 048,324,552 | ---- | C] () -- C:\Windows\System32\mrt.exe
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/03/09 15:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[1999/01/22 06:46:56 | 000,065,536 | ---- | C] () -- C:\Windows\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2008/09/01 08:06:38 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\acccore
[2010/06/21 19:30:50 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Facebook
[2010/11/02 19:18:16 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\ooVoo Details
[2012/01/27 09:38:04 | 000,032,576 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

#17 beabruin (Member, Topic Starter, 73 posts)
Yes, I have worked with Webroot to successfully update my A/V software [Webroot SecureAnywhere v8.0.1.82] which is now running. Other than the blocked programs, I cannot seem to D/L & install any Microsoft Windows Updates.

I did try to run a disk repair with the option to "Automatically fix file system errors" AND "Scan for and attempt recovery of bad sectors" which ran through step 3 of 5 and "stopped running" at approximately 75% at step 4 of 5. I ended up doing a hard reboot and starting in Safe Mode, followed by a shutdown & normal startup. In case I forget later, I want to thank you and the Geeks to Go team for your assistance over the last two weeks. Most of my issues are solved. I've actually applied to become a Geeks to Go volunteer to help others. I'm still waiting for a response.

#18 Nedklaw (Trusted Helper, Malware Removal, 1,652 posts)
Hi. :)
You're welcome and good luck with the GeekU application!!! Let me know how you get on.


Step 1

Run OTL.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    :OTL 
    O3 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O4 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000..\Run: [AgVQVkFpNfmITWf.exe] C:\ProgramData\AgVQVkFpNfmITWf.exe File not found
    
    :Files
    ipconfig /flushdns /c
    
    :Commands 
    [purity] 
    [resethosts] 
    [emptytemp]
    [CREATERESTOREPOINT] 
    [Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.
  • Post the log that appears upon reboot in your next reply.
  • Open OTL again and select the "Scan All Users" box.
  • Click the Quick Scan button. Post the log it produces in your next reply.

Step 2

Has the warning for AgVQVkFpNfmITWf.exe stopped popping up now?


Step 3

Run the Microsoft Fixit tool here.
Does Windows Update now work?


Things I want to see in your next reply

  • OTL Fix Log
  • OTL.txt
  • Answers to my questions

  • 0

#19
beabruin

beabruin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
I was traveling for a couple of days and I just read your post from Jan-28. I will try the OTL scan tonight. Thanks again.
  • 0

#20
Nedklaw

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)

Have you followed the instructions in my previous post?
  • 0

#21
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#22
Nedklaw

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)
Your topic has now been re-opened.

Can you follow my instructions in post #18?
Thank you.
  • 0

#23
beabruin

beabruin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
I followed the steps in Post #18.
The warning for AgVQVkFpNfmITWf.exe has stopped popping up now.
When I log on as _admin, I do NOT receive any blocked programs errors.
When I log on as CARUDA, I DO receive a blocked startup programs error.
The blocked program is SupportSoft perhaps masquerading as Windows Defender.
I ran the Microsoft Fixit tool and then ran Windows Update and the Windows update failed on 5 updates.
The error codes are: 80096001 and 80246007.
I have a screen print I saved to a Wordpad doc but it is too large to attach here.

Below are the OTL logs:
***************************
OTL-Run_Fix-02-08-2012
*************************
All processes killed
========== OTL ==========
Registry key HKEY_USERS\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry key HKEY_USERS\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Microsoft\Windows\CurrentVersion\Run not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\_admin\Desktop\cmd.bat deleted successfully.
C:\Users\_admin\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: owner
->Temp folder emptied: 32536 bytes
->Temporary Internet Files folder emptied: 14709254 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 21790846 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 648 bytes

User: Public
->Temp folder emptied: 0 bytes

User: _admin
->Temp folder emptied: 212795 bytes
->Temporary Internet Files folder emptied: 19961695 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 617 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 709968 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1270 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 55.00 mb



OTL by OldTimer - Version 3.2.31.0 log created on 02082012_071347

Files\Folders moved on Reboot...
C:\Users\_admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\_admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RCB2GQ0U\google_com[1].htm moved successfully.
C:\Users\_admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NR7OWZIT\google_com[2].htm moved successfully.
C:\Users\_admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ND8X4ADX\fastbutton[1].htm moved successfully.
C:\Users\_admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ND8X4ADX\page__st__15__p__2118056__hl__daughter+needs+help__fromsearch__1[1].htm moved successfully.

Registry entries deleted on Reboot...
************************
OTL Quick Scan All Users
************************
OTL logfile created on: 2/8/2012 4:32:27 PM - Run 7
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\_admin\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 1.78 Gb Available Physical Memory | 59.38% Memory free
6.18 Gb Paging File | 4.96 Gb Available in Paging File | 80.28% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 221.19 Gb Total Space | 111.33 Gb Free Space | 50.33% Space Free | Partition Type: NTFS
Drive D: | 11.69 Gb Total Space | 2.03 Gb Free Space | 17.34% Space Free | Partition Type: NTFS
Drive F: | 1.90 Gb Total Space | 1.90 Gb Free Space | 100.00% Space Free | Partition Type: FAT

Computer Name: CARUDA | User Name: _admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Program Files\Webroot\WRSA.exe (Webroot)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Users\_admin\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe ()
PRC - C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe ()
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Program Files\Canon\SolutionMenu\CNSLMAIN.EXE (CANON INC.)
PRC - C:\Program Files\Canon\IJPLM\ijplmsvc.exe ()
PRC - C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE (CANON INC.)


========== Modules (No Company Name) ==========

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\6d2f689baff5da3df134fdec0742a13c\System.Runtime.Remoting.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\02768700bc8f762ccfe37785ba8eb498\System.EnterpriseServices.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\8f3b3ab45e3e5fa61aa6cbfe2a8b61af\System.Transactions.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\02768700bc8f762ccfe37785ba8eb498\System.EnterpriseServices.Wrapper.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\40da9084d0863e07d7ce55953833b8b0\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\c1c06a392871267db27f7cbc40e1c4fb\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\1363115565fff5a641243a48f396f107\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\367c4043efc2f32d843cb588b0dc97fc\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\9e53d9921c4bb153f1ffbe1ae0e1b615\System.Data.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\231b0b42eff55de5c7d7debe555c16b7\PresentationFramework.Aero.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\94f892556ec9fa7a508fc9d214ceaedf\PresentationFramework.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\53f949f4664bb316f9b7a00d73a6e290\PresentationCore.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\fd2c727bcef2e019eb96c1145f423701\WindowsBase.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\f9c36ea806e77872dce891c77b68fac3\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\b6632a8b2f276a8e31f5b0f6b2006cd1\mscorlib.ni.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe ()
MOD - C:\Windows\System32\msjetoledb40.dll ()
MOD - C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll ()
MOD - C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll ()
MOD - C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP Advisor\Content.XmlSerializers.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP Advisor\RemotingClient.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP Advisor\Pillars\PCAlerts\PCAlertsPillar.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP Advisor\MessagingClients.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP Advisor\MessagingServer.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP Advisor\MessagingMessages.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP Advisor\MessagingInterface.dll ()
MOD - C:\Windows\System32\igfxTMM.dll ()


========== Win32 Services (SafeList) ==========

SRV - (WRSVC) -- C:\Program Files\Webroot\WRSA.exe (Webroot)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MotoHelper) -- C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe ()
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (IAANTMON) Intel® -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
SRV - (IJPLMSVC) -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe ()
SRV - (Com4Qlb) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe (Hewlett-Packard Development Company, L.P.)


========== Driver Services (SafeList) ==========

DRV - (WRkrn) -- C:\Windows\System32\drivers\WRkrn.sys (Webroot)
DRV - (MBAMProtector) -- C:\Windows\System32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (motccgp) -- C:\Windows\System32\drivers\motccgp.sys (Motorola)
DRV - (motmodem) -- C:\Windows\System32\drivers\motmodem.sys (Motorola)
DRV - (Motousbnet) -- C:\Windows\System32\drivers\Motousbnet.sys (Motorola)
DRV - (motusbdevice) -- C:\Windows\System32\drivers\motusbdevice.sys (Motorola Inc)
DRV - (BVRPMPR5) -- C:\Windows\System32\drivers\BVRPMPR5.SYS (Avanquest Software)
DRV - (motccgpfl) -- C:\Windows\System32\drivers\motccgpfl.sys (Motorola)
DRV - (BTCFilterService) -- C:\Windows\System32\drivers\motfilt.sys (Motorola Inc)
DRV - (MotoSwitchService) -- C:\Windows\System32\drivers\motswch.sys (Motorola)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation )
DRV - (HpqRemHid) -- C:\Windows\System32\drivers\HpqRemHid.sys (Hewlett-Packard Development Company, L.P.)
DRV - (NETw4v32) Intel® -- C:\Windows\System32\drivers\NETw4v32.sys (Intel Corporation)
DRV - (HpqKbFiltr) -- C:\Windows\System32\drivers\HpqKbFiltr.sys (Hewlett-Packard Development Company, L.P.)
DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC)
DRV - (smserial) -- C:\Windows\System32\drivers\smserial.sys (Motorola Inc.)
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvm60x32.sys (NVIDIA Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...ilion&pf=laptop
IE - HKLM\..\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: ""
FF - prefs.js..browser.search.defaultenginename: ""
FF - prefs.js..browser.search.order.1: ""
FF - prefs.js..browser.search.selectedEngine: ""
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2008/08/31 19:45:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/02 19:22:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/02 19:22:11 | 000,000,000 | ---D | M]

[2009/12/23 10:18:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\_admin\AppData\Roaming\Mozilla\Extensions
[2012/01/19 20:10:20 | 000,000,000 | ---D | M] (No name found) -- C:\Users\_admin\AppData\Roaming\Mozilla\Firefox\Profiles\hlk4iq79.default\extensions
[2009/12/23 11:02:00 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\_admin\AppData\Roaming\Mozilla\Firefox\Profiles\hlk4iq79.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/01/16 06:52:15 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\_admin\AppData\Roaming\Mozilla\Firefox\Profiles\hlk4iq79.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2012/01/02 19:22:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/01/02 19:22:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\distribution\extensions
[2012/01/02 19:22:13 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\distribution\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/11/20 23:04:51 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/05/04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010/12/09 05:47:06 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\mozilla firefox\plugins\npwachk.dll
[2010/05/06 20:22:31 | 000,001,490 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\AOL Search.xml
[2011/11/20 20:04:05 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/20 20:04:05 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/02/08 07:13:49 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Winamp Toolbar Loader) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O3 - HKLM\..\Toolbar: (Winamp Toolbar) - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O3 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001\..\Toolbar\WebBrowser: (Winamp Toolbar) - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [WRSVC] C:\Program Files\Webroot\WRSA.exe (Webroot)
O4 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001..\Run: [WindowsWelcomeCenter] "C:\Windows\system32\rundll32.exe" oobefldr.dll,ShowWelcomeCenter File not found
O4 - Startup: C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Welcome Center.lnk = C:\Windows\System32\control.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - Reg Error: Value error. File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 204.117.214.10 4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0C187B1F-FC4B-45FF-8753-2264EA38E7AD}: DhcpNameServer = 216.183.102.115 66.179.168.118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EE41FC19-29CB-4C60-8950-CADE512413A1}: DhcpNameServer = 204.117.214.10 4.2.2.2
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\HPRadiance.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\HPRadiance.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/01 08:18:01 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2005/09/11 10:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/26 08:57:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Webroot SecureAnywhere
[2012/01/26 08:56:46 | 000,145,528 | ---- | C] (Webroot) -- C:\Windows\System32\WRusr.dll
[2012/01/26 08:56:45 | 000,109,520 | ---- | C] (Webroot) -- C:\Windows\System32\drivers\WRkrn.sys
[2012/01/26 08:56:37 | 000,000,000 | ---D | C] -- C:\ProgramData\WRData
[2012/01/24 10:46:28 | 000,000,000 | ---D | C] -- C:\Users\_admin\AppData\Local\Microsoft Games
[2012/01/24 09:57:20 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/01/19 22:13:33 | 000,000,000 | ---D | C] -- C:\Windows\TEMP
[2012/01/19 22:13:07 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/01/19 22:13:04 | 000,000,000 | ---D | C] -- C:\Users\_admin\AppData\Local\temp
[2012/01/19 20:40:52 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/01/19 20:40:52 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/01/19 20:40:52 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/01/19 20:40:43 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/01/19 20:40:41 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/01/19 20:40:30 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/01/19 20:10:15 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/01/19 20:03:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Panda Security
[2012/01/19 20:03:00 | 000,000,000 | ---D | C] -- C:\Program Files\Panda USB Vaccine
[2012/01/19 20:03:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Panda Security
[2012/01/17 09:19:35 | 001,976,112 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\_admin\Desktop\tdsskiller.exe
[2012/01/17 09:06:17 | 000,000,000 | ---D | C] -- C:\e6767b004533ac8a30eb3661c92de8
[2012/01/16 13:45:49 | 004,713,472 | ---- | C] (AVAST Software) -- C:\Users\_admin\Desktop\aswMBR.exe
[2012/01/16 12:51:50 | 000,000,000 | ---D | C] -- C:\Users\_admin\AppData\Roaming\Malwarebytes
[2012/01/16 12:51:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/01/16 12:51:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/01/16 12:51:26 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/01/16 12:51:26 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/01/16 06:56:14 | 000,000,000 | ---D | C] -- C:\Users\_admin\AppData\Local\Winamp Toolbar

========== Files - Modified Within 30 Days ==========

[2012/02/08 16:26:46 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/02/08 07:21:37 | 000,604,502 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/02/08 07:21:36 | 000,104,170 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/02/08 07:15:41 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/02/08 07:15:41 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/02/08 07:15:37 | 000,000,699 | ---- | M] () -- C:\Users\Public\Desktop\Webroot SecureAnywhere.lnk
[2012/02/08 07:15:34 | 3211,190,272 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/08 07:13:49 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2012/02/07 22:12:33 | 000,000,866 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/07 17:43:44 | 000,145,528 | ---- | M] (Webroot) -- C:\Windows\System32\WRusr.dll
[2012/02/07 17:43:44 | 000,109,520 | ---- | M] (Webroot) -- C:\Windows\System32\drivers\WRkrn.sys
[2012/01/19 20:01:09 | 000,823,346 | ---- | M] () -- C:\Users\_admin\Desktop\USBVaccine.zip
[2012/01/18 08:05:34 | 000,000,512 | ---- | M] () -- C:\Users\_admin\Desktop\MBR.dat
[2012/01/18 07:53:11 | 000,080,384 | ---- | M] () -- C:\Users\_admin\Desktop\MBRCheck.exe
[2012/01/17 09:58:32 | 000,000,903 | ---- | M] () -- C:\Users\_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/01/17 09:48:31 | 000,008,798 | ---- | M] () -- C:\Windows\System32\icrav03.rat
[2012/01/17 09:48:31 | 000,001,988 | ---- | M] () -- C:\Windows\System32\ticrf.rat
[2012/01/17 09:48:20 | 000,072,822 | ---- | M] () -- C:\Windows\System32\ieuinit.inf
[2012/01/17 09:01:42 | 001,922,249 | ---- | M] () -- C:\Users\_admin\Desktop\Windows6.0-KB968389-x86.msu
[2012/01/17 08:47:26 | 001,976,112 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\_admin\Desktop\tdsskiller.exe
[2012/01/16 13:44:34 | 004,713,472 | ---- | M] (AVAST Software) -- C:\Users\_admin\Desktop\aswMBR.exe
[2012/01/16 08:49:39 | 000,001,908 | ---- | M] () -- C:\Windows\diagwrn.xml
[2012/01/16 08:49:39 | 000,001,908 | ---- | M] () -- C:\Windows\diagerr.xml
[2012/01/16 08:46:09 | 000,002,678 | ---- | M] () -- C:\Users\_admin\Desktop\Windows Compatibility Report.htm
[2012/01/16 08:32:20 | 314,467,661 | ---- | M] () -- C:\Windows\MEMORY.DMP

========== Files Created - No Company Name ==========

[2012/01/26 08:56:47 | 000,000,699 | ---- | C] () -- C:\Users\Public\Desktop\Webroot SecureAnywhere.lnk
[2012/01/23 13:01:54 | 3211,190,272 | -HS- | C] () -- C:\hiberfil.sys
[2012/01/19 20:40:52 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/01/19 20:40:52 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/01/19 20:40:52 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/01/19 20:40:52 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/01/19 20:40:52 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/01/19 20:01:05 | 000,823,346 | ---- | C] () -- C:\Users\_admin\Desktop\USBVaccine.zip
[2012/01/18 07:53:11 | 000,080,384 | ---- | C] () -- C:\Users\_admin\Desktop\MBRCheck.exe
[2012/01/17 09:58:32 | 000,000,903 | ---- | C] () -- C:\Users\_admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/01/17 09:48:20 | 000,072,822 | ---- | C] () -- C:\Windows\System32\ieuinit.inf
[2012/01/17 09:28:40 | 001,922,249 | ---- | C] () -- C:\Users\_admin\Desktop\Windows6.0-KB968389-x86.msu
[2012/01/16 14:10:13 | 000,000,512 | ---- | C] () -- C:\Users\_admin\Desktop\MBR.dat
[2012/01/16 12:51:28 | 000,000,866 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/16 08:46:09 | 000,002,678 | ---- | C] () -- C:\Users\_admin\Desktop\Windows Compatibility Report.htm
[2012/01/16 07:17:56 | 000,001,908 | ---- | C] () -- C:\Windows\diagwrn.xml
[2012/01/16 07:17:56 | 000,001,908 | ---- | C] () -- C:\Windows\diagerr.xml
[2011/11/05 15:27:31 | 000,000,680 | ---- | C] () -- C:\Users\_admin\AppData\Local\d3d9caps.dat
[2011/05/28 01:04:09 | 000,057,344 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2010/07/07 15:04:12 | 000,000,056 | ---- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/04/24 07:43:07 | 000,004,608 | ---- | C] () -- C:\Users\_admin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/10 21:12:37 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/09/10 21:12:36 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2008/12/13 15:58:21 | 000,121,368 | ---- | C] () -- C:\Windows\hpoins15.dat
[2008/12/13 15:58:21 | 000,001,037 | ---- | C] () -- C:\Windows\hpomdl15.dat
[2008/08/31 20:26:32 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2008/08/31 20:26:32 | 000,000,063 | ---- | C] () -- C:\Windows\mdm.ini
[2008/08/31 20:26:18 | 000,000,000 | ---- | C] () -- C:\Windows\NSREX.INI
[2008/08/30 21:39:06 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/07/19 02:57:22 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ1.dat
[2008/07/19 02:57:22 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ0.dat
[2008/07/19 02:56:53 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2008/07/01 08:33:22 | 000,101,605 | ---- | C] () -- C:\Windows\hpqins13.dat
[2007/09/13 10:31:06 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1329.dll
[2007/09/13 10:22:46 | 001,238,832 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2007/09/13 10:22:46 | 000,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
[2007/09/13 10:11:18 | 000,249,856 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:47:37 | 000,315,440 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:33:01 | 000,604,502 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,104,170 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:24:01 | 048,324,552 | ---- | C] () -- C:\Windows\System32\mrt.exe
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/03/09 15:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[1999/01/22 06:46:56 | 000,065,536 | ---- | C] () -- C:\Windows\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2008/09/01 08:06:38 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\acccore
[2010/06/21 19:30:50 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Facebook
[2010/11/02 19:18:16 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\ooVoo Details
[2012/02/08 07:14:33 | 000,032,576 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >
  • 0
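Reading the OTL log above by eye is what the helper did in post #18: the two lines placed under :OTL there are exactly the ones OTL had marked as pointing at a missing file or a missing CLSID. The following Python script is an added illustration of that first triage pass over the OTL line format; it is not code from this thread, from Geeks to Go or from OTL's author. It pulls out the O4 Run entries with their hive and value name, flags every O2/O3/O4 line that ends in "File not found" or "No CLSID value found.", collects the O17 DHCP DNS servers so they can be compared with what the ISP is expected to hand out, and lays the orphaned lines out under an :OTL header in the same shape as the post #18 script. The sample lines are copied from the logs in this thread; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Sample input for this example: lines in OTL's log format. All of them are
# copied from the OTL logs posted in this thread; the two entries with the
# ...-1000 SID are the ones the fix script in post #18 listed under :OTL.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [WRSVC] C:\Program Files\Webroot\WRSA.exe (Webroot)
O4 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000..\Run: [AgVQVkFpNfmITWf.exe] C:\ProgramData\AgVQVkFpNfmITWf.exe File not found
O4 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1001..\Run: [WindowsWelcomeCenter] "C:\Windows\system32\rundll32.exe" oobefldr.dll,ShowWelcomeCenter File not found
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 204.117.214.10 4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0C187B1F-FC4B-45FF-8753-2264EA38E7AD}: DhcpNameServer = 216.183.102.115 66.179.168.118
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
"""

# Verdicts OTL appends when a registry entry points at something that no longer exists.
ORPHAN_MARKERS = ("File not found", "No CLSID value found.")

LINE_RE = re.compile(r"^(?P<code>O\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$")
DNS_RE = re.compile(r"DhcpNameServer = (?P<servers>.+)$")


@dataclass
class RunEntry:
    hive: str        # "HKLM" or "HKU\<SID>"
    name: str        # value name inside the Run key
    target: str      # command line OTL recorded, with its verdict if any
    orphaned: bool   # True when the executable is gone


def iter_lines(log_text):
    """Yield (code, body, raw_line) for every OTL 'Onn - ...' line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body"), raw.strip()


def parse_run_entries(log_text):
    """Extract O4 Run-key entries with hive, value name and orphan status."""
    entries = []
    for code, body, _ in iter_lines(log_text):
        if code != "O4":
            continue
        m = RUN_RE.match(body)
        if m is None:
            continue  # O4 Startup-folder lines have a different shape; not handled here
        target = m.group("target")
        entries.append(RunEntry(m.group("hive"), m.group("name"), target,
                                target.endswith(ORPHAN_MARKERS)))
    return entries


def find_orphaned_entries(log_text):
    """Return the raw O2/O3/O4 lines whose target file or CLSID is missing:
    the dead BHO, toolbar and autorun remnants a removed infection leaves behind."""
    return [raw for code, body, raw in iter_lines(log_text)
            if code in ("O2", "O3", "O4") and body.endswith(ORPHAN_MARKERS)]


def dns_servers(log_text):
    """Collect every DHCP-assigned DNS server from the O17 lines, sorted, so the
    set can be checked against the resolvers the ISP is expected to assign."""
    found = set()
    for code, body, _ in iter_lines(log_text):
        if code == "O17":
            m = DNS_RE.search(body)
            if m:
                found.update(m.group("servers").split())
    return sorted(found)


def draft_fix_block(log_text):
    """Lay the orphaned lines out under an ':OTL' header, the layout used by the
    fix script in post #18. A helper still reviews such a block before it is run."""
    return "\n".join([":OTL", *find_orphaned_entries(log_text)])


if __name__ == "__main__":
    for e in parse_run_entries(SAMPLE_LOG):
        print(("ORPHAN " if e.orphaned else "ok     ") + f"{e.hive} [{e.name}]")
    print("DNS servers seen:", ", ".join(dns_servers(SAMPLE_LOG)))
    print(draft_fix_block(SAMPLE_LOG))
```

On the sample above the script reports the WRSVC entry as fine, the AgVQVkFpNfmITWf.exe and WindowsWelcomeCenter Run values as orphaned, four distinct DNS servers, and a four-line :OTL block containing the two "(no name)" CLSID entries and the two dead Run values. The DNS list is deliberately just a list: whether a resolver is legitimate depends on the network the machine sits on, which no log parser can know.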

#24
Nedklaw

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)


Run Farbar Service Scanner.

Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.


Things I want to see in your next reply

  • FSS.txt

  • 0

#25
beabruin

beabruin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
Below is the Farbar log.
************************
Farbar Service Scanner Version: 12-02-2012
Ran by owner (administrator) on 12-02-2012 at 06:31:20
Running from "C:\Users\owner\Downloads"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Defender:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2011-08-13 16:39] - [2011-06-17 15:13] - 0905104 ____A (Microsoft Corporation) 2756186E287139310997090797E0182B

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2008-01-20 21:23] - [2008-01-20 21:23] - 0272952 ____A (Microsoft Corporation) 4575AA12561C5648483403541D0D7F2B

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

Edited by beabruin, 12 February 2012 - 05:34 AM.

  • 0



#26
Nedklaw

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)


Step 1

Please download and run the Microsoft Fixit found here.


Step 2

You must be logged in as administrator to perform these steps:

  • Open Administrative Tools by clicking the Start button, clicking Control Panel, clicking System and Maintenance, and then clicking Administrative Tools.
  • Double-click Services. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  • Right-click the Background Intelligent Transfer Service (BITS) service, and then click Properties.
  • On the General tab, next to Startup type, make sure that Automatic (Delayed Start) is selected. If it is not, select it and then click Apply.
  • Next to Service status, check to see if the service is started. If it is not, click Start.

Step 3

Does Windows Update now work?


Things I want to see in your next reply

  • Answer to my question

  • 0
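The BITS check from Step 2 above, done from an elevated PowerShell prompt instead of services.msc, as an added example that is not from the thread. It reads the service's registry Start and DelayedAutostart values (which is how Windows records "Automatic (Delayed Start)") and, as an addition beyond the post, checks the Windows Update service wuauserv the same way.

```powershell
# Added example, not from the thread: verify BITS is "Automatic (Delayed Start)"
# and running, as Step 2 asks the user to confirm by hand in services.msc.
# Windows keeps the startup type under the service's registry key:
#   Start = 2 means Automatic; DelayedAutostart = 1 marks the delayed variant.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell prompt.'
}

# wuauserv (Windows Update itself) is checked here as an addition to the post.
foreach ($name in @('BITS', 'wuauserv')) {
    $svc = Get-Service -Name $name -ErrorAction Stop
    $cfg = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $startType = switch ($cfg.Start) {
        2       { 'Automatic' }
        3       { 'Manual' }
        4       { 'Disabled' }
        default { "Unknown($($cfg.Start))" }
    }
    # DelayedAutostart is absent (null) unless the delayed variant was chosen.
    $delayed = ($cfg.DelayedAutostart -eq 1)
    $label = if ($startType -eq 'Automatic' -and $delayed) { 'Automatic (Delayed Start)' } else { $startType }
    '{0,-9} startup: {1,-26} status: {2}' -f $name, $label, $svc.Status

    if ($name -eq 'BITS' -and $label -ne 'Automatic (Delayed Start)') {
        # sc.exe can set delayed-auto on Vista-era PowerShell, where
        # Set-Service does not yet know the AutomaticDelayedStart type.
        Write-Warning "BITS startup is '$label'; setting Automatic (Delayed Start)"
        sc.exe config BITS start= delayed-auto | Out-Null
    }
    if ($svc.Status -ne 'Running') {
        Write-Warning "$name is $($svc.Status); starting it"
        Start-Service -Name $name
    }
}
```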

#27
beabruin

beabruin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
Hello,

Prior to following your instructions, Webroot SecureAnywhere A/V found the W32 gen Trojan and I removed it.

Then I downloaded & ran Microsoft Fixit per Step 1.

I verified the info in Step 2. No changes were necessary.

I then attempted to run Windows Update which failed with error code 80096001.
  • 0

#28
beabruin

beabruin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts

Hello,

Prior to following your instructions, Webroot SecureAnywhere A/V found the W32 gen Trojan and I removed it.

Then I downloaded & ran Microsoft Fixit per Step 1.

I verified the info in Step 2. No changes were necessary.

I then attempted to run Windows Update which failed with error code 80096001.

After I posted the above reply, I was closing some open windows. When I closed the Windows Explorer window, there was a dialog box underneath that stated Microsoft Fixit has made changes and the system requires a reboot. I was preparing to reboot when the laptop received the BSOD and automatically rebooted. When finished, I logged back into Windows (CARUDA) and attempted another Windows Update. This failed with the previous error code stated above.
  • 0

#29
Nedklaw

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)


Step 1

  • Click Start and type cmd into the search box.
  • Right click on cmd and click on Run as Administrator.
  • Type in sfc /scannow and press Enter.
  • The process might take a while to complete but reboot the computer when it has finished.

Step 2

Does Windows Update now work?


Step 3

Can you tell me what file Webroot removed and its location?


Things I want to see in your next reply

  • Answers to my questions

  • 0

#30
beabruin

beabruin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
I ran the sfc /scannow as Administrator. The scan reported it found corrupt files but was unable to fix some of them. I then attempted to run Windows Update which failed with error code 80096001.
  • 0
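When sfc /scannow reports corrupt files it could not fix, the per-file detail is in CBS.log under the [SR] tag. The following is an added PowerShell example, not from the thread, that extracts those entries and lists the files sfc left unrepaired; the file-name regex assumes the usual CBS.log line layout.

```powershell
# Added example, not from the thread: pull the System File Checker entries
# out of CBS.log and list the files "sfc /scannow" could not restore.
# Run from an elevated PowerShell prompt after the scan has finished.
$cbsLog  = Join-Path $env:windir 'Logs\CBS\CBS.log'
$outFile = Join-Path $env:USERPROFILE 'Desktop\sfcdetails.txt'

if (-not (Test-Path $cbsLog)) { throw "CBS.log not found at $cbsLog" }

# Only the System File Checker lines carry the [SR] tag; -SimpleMatch keeps
# the brackets literal instead of treating them as a regex character class.
$srLines = Select-String -Path $cbsLog -Pattern '[SR]' -SimpleMatch |
    ForEach-Object { $_.Line }
$srLines | Set-Content -Path $outFile
"$(@($srLines).Count) [SR] lines written to $outFile"

# sfc logs each file it could not restore as "Cannot repair member file".
$unrepaired = $srLines | Where-Object { $_ -match 'Cannot repair member file' }
"Unrepaired entries: $(@($unrepaired).Count)"

# The file name follows the length prefix, e.g. [l:24{12}]"tcpip.sys"
# (assumed layout of the usual CBS.log line; adjust if your log differs).
$unrepaired |
    ForEach-Object { if ($_ -match '\]"([^"]+)"') { $Matches[1] } } |
    Sort-Object -Unique
```

The sfcdetails.txt on the desktop is what a helper will usually ask for when sfc reports files it could not fix.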





