Daughter needs help with Vista Home Premium SP 2 Malware Help Needed


  • This topic is locked

#46 beabruin (Member, Topic Starter, 73 posts)
Per post #13 on January 23rd, ESET was run by me on January 24.

Here's the ESET Online Scanner Log:
The log below is dated 1/23/2012.
Per post #12 from you, I downloaded & ran the ESET Scan on 1/24/2012.
I'm not sure where the current log is or if it was not saved after I reboot the laptop.
****************************************
[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK
****************************************

  • Please note, I have been using Internet Explorer for all downloads & scans during these attempts to clean this laptop.
  • I've also been logged in as _admin during most of these scans & fixes.
  • The "Windows has blocked some programs from startup" messages occur when I log on as CARUDA (my daughter's account).
  • I did a reboot of the laptop to log on as CARUDA and received the same dialog popup about blocked programs.
  • ESET did find & fix two problems related to: Iframe.B.Gen virus
  • For some reason, this does not show up in the ESET log.


#47 Nedklaw (Trusted Helper, Malware Removal, 1,652 posts)
Hi. :)

Perform the following instructions whilst logged into the CARUDA account:

  • Open OTL and select the "Scan All Users" box.
  • Click the Quick Scan button. Post the log it produces in your next reply.

Things I want to see in your next reply

  • OTL.txt


#48 beabruin (Member, Topic Starter, 73 posts)
While logged on as CARUDA, I ran the OTL Scan All Users Quick Scan.
*******************************************************************
OTL logfile created on: 3/6/2012 7:51:07 PM - Run 10
OTL by OldTimer - Version 3.2.35.1 Folder = C:\Users\owner\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 1.59 Gb Available Physical Memory | 53.05% Memory free
6.18 Gb Paging File | 4.81 Gb Available in Paging File | 77.80% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 221.19 Gb Total Space | 134.47 Gb Free Space | 60.79% Space Free | Partition Type: NTFS
Drive D: | 11.69 Gb Total Space | 2.03 Gb Free Space | 17.34% Space Free | Partition Type: NTFS
Drive F: | 1.90 Gb Total Space | 1.90 Gb Free Space | 100.00% Space Free | Partition Type: FAT

Computer Name: CARUDA | User Name: owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\owner\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Webroot\WRSA.exe (Webroot)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe ()
PRC - C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe ()
PRC - C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
PRC - C:\Program Files\Panda USB Vaccine\USBVaccine.exe (Panda Security)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\Canon\IJPLM\ijplmsvc.exe ()
PRC - C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE (CANON INC.)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe ()
MOD - C:\Program Files\HP\QuickPlay\Kernel\common\MCEMediaStatus.dll ()
MOD - C:\Windows\System32\igfxTMM.dll ()


========== Win32 Services (SafeList) ==========

SRV - (WRSVC) -- C:\Program Files\Webroot\WRSA.exe (Webroot)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MotoHelper) -- C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe ()
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (IAANTMON) Intel® -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
SRV - (IJPLMSVC) -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe ()
SRV - (Com4Qlb) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe (Hewlett-Packard Development Company, L.P.)


========== Driver Services (SafeList) ==========

DRV - (NwlnkFwd) -- File not found
DRV - (NwlnkFlt) -- File not found
DRV - (MCSTRM) -- File not found
DRV - (IpInIp) -- File not found
DRV - (catchme) -- File not found
DRV - (WRkrn) -- C:\Windows\System32\drivers\WRkrn.sys (Webroot)
DRV - (MBAMProtector) -- C:\Windows\System32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (motccgp) -- C:\Windows\System32\drivers\motccgp.sys (Motorola)
DRV - (motmodem) -- C:\Windows\System32\drivers\motmodem.sys (Motorola)
DRV - (Motousbnet) -- C:\Windows\System32\drivers\Motousbnet.sys (Motorola)
DRV - (motusbdevice) -- C:\Windows\System32\drivers\motusbdevice.sys (Motorola Inc)
DRV - (smserial) -- C:\Windows\System32\drivers\smserial.sys (Motorola Inc.)
DRV - (BVRPMPR5) -- C:\Windows\System32\drivers\BVRPMPR5.SYS (Avanquest Software)
DRV - (motccgpfl) -- C:\Windows\System32\drivers\motccgpfl.sys (Motorola)
DRV - (BTCFilterService) -- C:\Windows\System32\drivers\motfilt.sys (Motorola Inc)
DRV - (NETw5v32) Intel® -- C:\Windows\System32\drivers\NETw5v32.sys (Intel Corporation)
DRV - (MotoSwitchService) -- C:\Windows\System32\drivers\motswch.sys (Motorola)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation )
DRV - (HpqRemHid) -- C:\Windows\System32\drivers\HpqRemHid.sys (Hewlett-Packard Development Company, L.P.)
DRV - (NETw4v32) Intel® -- C:\Windows\System32\drivers\NETw4v32.sys (Intel Corporation)
DRV - (HpqKbFiltr) -- C:\Windows\System32\drivers\HpqKbFiltr.sys (Hewlett-Packard Development Company, L.P.)
DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC)
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvm60x32.sys (NVIDIA Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...ilion&pf=laptop
IE - HKLM\..\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
IE - HKLM\..\SearchScopes,DefaultScope = {EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C}
IE - HKLM\..\SearchScopes\{0B4A10D1-FBD6-451d-BFDA-F03252B05984}: "URL" = http://slirsredirect...mrud=07-05-2010
IE - HKLM\..\SearchScopes\{94F30000-B2A1-4D56-959A-37DADA8B1666}: "URL" = http://www.ask.com/w...}&l=dis&o=ushpd
IE - HKLM\..\SearchScopes\{EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C}: "URL" = http://slirsredirect...e=tb50winampie7
IE - HKLM\..\SearchScopes\{F34447C2-A73E-4561-AB1C-EE4DF291A1FF}: "URL" = http://search.yahoo....ing}&fr=hp-pvdt


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ilion&pf=laptop
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://blackle.com/
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\SearchScopes,DefaultScope = {3D41F773-C2A2-4541-8F58-DF94FA1311D3}
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\SearchScopes\{0B4A10D1-FBD6-451d-BFDA-F03252B05984}: "URL" = http://slirsredirect...mrud=07-05-2010
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\SearchScopes\{3D41F773-C2A2-4541-8F58-DF94FA1311D3}: "URL" = http://search.yahoo....q={searchTerms}
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\SearchScopes\{409DD3B4-D1F8-EC6E-EDBD-2367FDA78762}: "URL" = http://www.bing.com/...015&form=ZGAIDF
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\SearchScopes\{94F30000-B2A1-4D56-959A-37DADA8B1666}: "URL" = http://www.ask.com/w...}&l=dis&o=ushpd
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\SearchScopes\{EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C}: "URL" = http://slirsredirect...e=tb50winampie7
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\SearchScopes\{F34447C2-A73E-4561-AB1C-EE4DF291A1FF}: "URL" = http://search.yahoo....ing}&fr=hp-pvdt
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.defaulturl: "http://slirsredirect...nampie7&query="
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313
FF - prefs.js..extensions.enabledItems: {bbf8fc30-5280-11db-b0de-0800200c9a66}:2.20090609
FF - prefs.js..extensions.enabledItems: {66871bd1-5ba2-4739-b485-2a15f5969bd8}:2.20100123
FF - prefs.js..keyword.URL: "http://slirsredirect...inampab&query="


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.3: C:\Users\owner\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll ( )
FF - HKCU\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine: C:\Users\owner\AppData\Roaming\nprhapengine.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2008/08/31 19:45:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/02 19:22:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/02 19:22:11 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2008/08/31 19:45:47 | 000,000,000 | ---D | M]

[2008/08/31 19:55:32 | 000,000,000 | ---D | M] (No name found) -- C:\Users\owner\AppData\Roaming\mozilla\Extensions
[2012/01/23 14:32:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\owner\AppData\Roaming\mozilla\Firefox\Profiles\6c4uiwsd.default\extensions
[2010/07/27 15:23:46 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\owner\AppData\Roaming\mozilla\Firefox\Profiles\6c4uiwsd.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/07/27 15:23:25 | 000,000,000 | ---D | M] (MidnightFox) -- C:\Users\owner\AppData\Roaming\mozilla\Firefox\Profiles\6c4uiwsd.default\extensions\{66871bd1-5ba2-4739-b485-2a15f5969bd8}
[2009/10/06 17:38:48 | 000,000,000 | ---D | M] (HalloFF) -- C:\Users\owner\AppData\Roaming\mozilla\Firefox\Profiles\6c4uiwsd.default\extensions\{bbf8fc30-5280-11db-b0de-0800200c9a66}
[2010/07/27 15:23:40 | 000,000,000 | ---D | M] (No name found) -- C:\Users\owner\AppData\Roaming\mozilla\Firefox\Profiles\6c4uiwsd.default\extensions\{66871bd1-5ba2-4739-b485-2a15f5969bd8}\chrome\mozapps\extensions
[2010/07/27 15:23:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\owner\AppData\Roaming\mozilla\Firefox\Profiles\6c4uiwsd.default\extensions\{66871bd1-5ba2-4739-b485-2a15f5969bd8}\chrome\mozapps\extensions\CVS
[2010/05/06 20:22:31 | 000,001,490 | ---- | M] () -- C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\6c4uiwsd.default\searchplugins\AOL Search.xml
[2010/11/02 19:16:44 | 000,001,919 | ---- | M] () -- C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\6c4uiwsd.default\searchplugins\bing-zugo.xml
[2010/12/28 09:30:26 | 000,001,196 | ---- | M] () -- C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\6c4uiwsd.default\searchplugins\winamp-search.xml
[2012/01/02 19:22:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/01/02 19:22:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\distribution\extensions
[2012/01/02 19:22:13 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\distribution\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/11/20 23:04:51 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/05/04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010/12/09 05:47:06 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\mozilla firefox\plugins\npwachk.dll
[2010/05/06 20:22:31 | 000,001,490 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\AOL Search.xml
[2011/11/20 20:04:05 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/20 20:04:05 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/02/08 07:13:49 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Winamp Toolbar Loader) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O3 - HKLM\..\Toolbar: (Winamp Toolbar) - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O3 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\Toolbar\WebBrowser: (Winamp Toolbar) - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [WRSVC] C:\Program Files\Webroot\WRSA.exe (Webroot)
O4 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000..\Run: [AgVQVkFpNfmITWf.exe] C:\ProgramData\AgVQVkFpNfmITWf.exe File not found
O4 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000..\Run: [Desktop Software] C:\Program Files\Common Files\SupportSoft\bin\bcont.exe (SupportSoft, Inc.)
O4 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000..\Run: [HLBackupScheduler] C:\Users\owner\Desktop\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe File not found
O4 - Startup: C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Welcome Center.lnk = C:\Windows\System32\control.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html ()
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 File not found
O9 - Extra Button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - Reg Error: Value error. File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0C187B1F-FC4B-45FF-8753-2264EA38E7AD}: DhcpNameServer = 216.183.102.115 66.179.168.118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EE41FC19-29CB-4C60-8950-CADE512413A1}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\owner\Desktop\002.JPG
O24 - Desktop BackupWallPaper: C:\Users\owner\Desktop\002.JPG
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/01 08:18:01 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2005/09/11 10:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]
O33 - MountPoints2\{86b10bf9-06cb-11e0-a1a0-001e68b4a676}\Shell - "" = AutoRun
O33 - MountPoints2\{86b10bf9-06cb-11e0-a1a0-001e68b4a676}\Shell\AutoRun\command - "" = I:\setup.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/06 19:46:15 | 000,584,704 | ---- | C] (OldTimer Tools) -- C:\Users\owner\Desktop\OTL.exe
[2012/02/23 07:04:58 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2012/02/23 04:29:39 | 000,000,000 | ---D | C] -- C:\Reg_Backup
[2012/02/23 03:55:56 | 000,181,064 | ---- | C] (Sysinternals) -- C:\Windows\PSEXESVC.EXE
[2012/02/23 03:54:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
[2012/02/23 03:54:45 | 000,000,000 | ---D | C] -- C:\Program Files\Tweaking.com
[2012/02/16 04:17:42 | 000,000,000 | ---D | C] -- C:\Windows\System32\catroot2
[2012/02/08 16:50:00 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Local\ElevatedDiagnostics
[2012/02/08 16:43:32 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\Malwarebytes
[11 C:\Users\owner\Desktop\*.tmp files -> C:\Users\owner\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/06 19:46:45 | 000,604,502 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/03/06 19:46:45 | 000,104,170 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/03/06 19:46:39 | 000,584,704 | ---- | M] (OldTimer Tools) -- C:\Users\owner\Desktop\OTL.exe
[2012/03/06 19:39:44 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/03/06 19:39:44 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/03/06 19:39:42 | 000,000,699 | ---- | M] () -- C:\Users\Public\Desktop\Webroot SecureAnywhere.lnk
[2012/03/06 19:39:41 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/03/06 19:39:39 | 3211,190,272 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/02 05:28:55 | 000,145,528 | ---- | M] (Webroot) -- C:\Windows\System32\WRusr.dll
[2012/03/02 05:28:55 | 000,109,520 | ---- | M] (Webroot) -- C:\Windows\System32\drivers\WRkrn.sys
[2012/02/23 09:23:54 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_SynTP_01009.Wdf
[2012/02/23 09:23:47 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2012/02/23 09:02:59 | 000,002,491 | ---- | M] () -- C:\Users\owner\Desktop\Microsoft PowerPoint.lnk
[2012/02/23 08:22:53 | 000,315,440 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/02/23 07:05:04 | 000,181,064 | ---- | M] (Sysinternals) -- C:\Windows\PSEXESVC.EXE
[2012/02/23 03:54:46 | 000,002,008 | ---- | M] () -- C:\Users\Public\Desktop\Tweaking.com - Windows Repair (All in One).lnk
[2012/02/16 04:12:40 | 271,320,429 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/02/08 17:04:38 | 006,302,022 | ---- | M] () -- C:\Users\owner\Documents\WinUpdateErr.02-08-2012.rtf
[2012/02/08 07:13:49 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2012/02/07 22:12:33 | 000,000,866 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[11 C:\Users\owner\Desktop\*.tmp files -> C:\Users\owner\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/23 09:49:33 | 3211,190,272 | -HS- | C] () -- C:\hiberfil.sys
[2012/02/23 09:23:54 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_SynTP_01009.Wdf
[2012/02/23 09:23:47 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2012/02/23 09:23:26 | 000,000,003 | ---- | C] () -- C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf
[2012/02/23 04:50:26 | 000,303,616 | ---- | C] ( ) -- C:\SetACL.exe
[2012/02/23 03:54:46 | 000,002,008 | ---- | C] () -- C:\Users\Public\Desktop\Tweaking.com - Windows Repair (All in One).lnk
[2012/02/08 17:04:38 | 006,302,022 | ---- | C] () -- C:\Users\owner\Documents\WinUpdateErr.02-08-2012.rtf
[2012/01/19 20:40:52 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/01/19 20:40:52 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/01/19 20:40:52 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/01/19 20:40:52 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/01/19 20:40:52 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/09/16 13:02:48 | 000,001,356 | ---- | C] () -- C:\Users\owner\AppData\Local\d3d9caps.dat
[2011/05/28 01:04:09 | 000,057,344 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2010/07/07 15:04:12 | 000,000,056 | ---- | C] () -- C:\ProgramData\ezsidmv.dat

========== LOP Check ==========

[2008/09/01 08:06:38 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\acccore
[2010/06/21 19:30:50 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Facebook
[2010/11/02 19:18:16 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\ooVoo Details
[2012/03/06 19:38:43 | 000,032,576 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

#49 Nedklaw (Trusted Helper, Malware Removal, 1,652 posts)
Hi. :)
I've found the things that have been causing the blocked program messages. Please be logged into the CARUDA account for the following instructions:


Step 1

Please uninstall the following program via Control Panel > Uninstall a program (if present):

  • Ask (Toolbar, Updater, etc.)


Step 2

If you have Malwarebytes 1.6 or later installed, please disable it for the duration of this run.

Run OTL.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    :OTL 
    IE - HKLM\..\SearchScopes\{94F30000-B2A1-4D56-959A-37DADA8B1666}: "URL" = http://www.ask.com/w...}&l=dis&o=ushpd
    IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\SearchScopes\{94F30000-B2A1-4D56-959A-37DADA8B1666}: "URL" = http://www.ask.com/w...}&l=dis&o=ushpd
    FF - prefs.js..browser.search.defaultengine: "Ask.com"
    FF - prefs.js..browser.search.defaultenginename: "Ask.com"
    FF - prefs.js..browser.search.order.1: "Ask.com"
    FF - prefs.js..browser.search.selectedEngine: "Ask.com"
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
    [2010/11/02 19:16:44 | 000,001,919 | ---- | M] () -- C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\6c4uiwsd.default\searchplugins\bing-zugo.xml
    O3 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O4 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000..\Run: [AgVQVkFpNfmITWf.exe] C:\ProgramData\AgVQVkFpNfmITWf.exe File not found
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    [11 C:\Users\owner\Desktop\*.tmp files -> C:\Users\owner\Desktop\*.tmp -> ]
    
    :Reg
    [HKEY_USERS\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Microsoft\Windows\CurrentVersion\Run] 
    "Desktop Software"=-
    [HKEY_USERS\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Microsoft\Windows\CurrentVersion\Run] 
    "HLBackupScheduler"=-
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [emptytemp]
    [CREATERESTOREPOINT] 
    [Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.
  • Post the log that appears upon reboot in your next reply.
  • If no log appears upon reboot, the OTL Fix log should be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date and the time of the tool run.
  • Open OTL again and select the "Scan All Users" box.
  • Click the Quick Scan button. Post the log it produces in your next reply.

Things I want to see in your next reply

  • OTL Fix Log
  • OTL.txt

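As an added example (not part of the thread, and not OTL's own code), here is a small Python triage script that applies the same kind of checks Nedklaw's fix targets: Run entries whose file is missing or whose name looks machine-generated, ask.com search scopes, IE Restrictions policies, and toolbar entries with no CLSID. The sample lines are copied from the Quick Scan log in post #48; the rule names, the case-flip heuristic and its threshold are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a handful of lines copied from the OTL Quick Scan log in
# post #48 (the full log is much longer); a clean O4 and O20 line are included
# so the rules can be seen not firing on legitimate entries.
SAMPLE_OTL = r"""
IE - HKLM\..\SearchScopes\{94F30000-B2A1-4D56-959A-37DADA8B1666}: "URL" = http://www.ask.com/w...}&l=dis&o=ushpd
IE - HKLM\..\SearchScopes,DefaultScope = {EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C}
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
O3 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [WRSVC] C:\Program Files\Webroot\WRSA.exe (Webroot)
O4 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000..\Run: [AgVQVkFpNfmITWf.exe] C:\ProgramData\AgVQVkFpNfmITWf.exe File not found
O4 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000..\Run: [HLBackupScheduler] C:\Users\owner\Desktop\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe File not found
O7 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
"""


@dataclass(frozen=True)
class Finding:
    rule: str    # short name of the heuristic that fired (my own naming)
    detail: str  # the offending autostart name, URL, CLSID or registry key
    line: str    # the raw OTL line the finding came from


# Line shapes taken from the OTL output format seen in the thread.
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$')
SCOPE_RE = re.compile(r'^IE - .*\\SearchScopes\\\{[0-9A-Fa-f-]+\}: "URL" = (?P<url>\S+)')
FF_SEARCH_RE = re.compile(r'^FF - prefs\.js\.\.browser\.search\.[^:]+: "(?P<engine>[^"]+)"')
O7_RE = re.compile(r'^O7 - (?P<key>.+\\Restrictions) present$')
O3_RE = re.compile(r'^O3 - .*\\Toolbar.*: \((?P<name>[^)]*)\) - (?P<clsid>\{[^}]+\})')

# Search provider the helper removed in post #49.
UNWANTED_SEARCH = ("ask.com",)


def looks_random(name: str) -> bool:
    """Heuristic (assumed threshold): an all-letter name of 10+ characters whose
    upper/lower case flips on at least half of its letter transitions, which is
    what AgVQVkFpNfmITWf.exe looks like and CamelCase product names do not."""
    stem = name[:-4] if name.lower().endswith(".exe") else name
    if not stem.isalpha() or len(stem) < 10:
        return False
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return flips / (len(stem) - 1) >= 0.5


def triage(otl_text: str) -> List[Finding]:
    """Walk OTL lines and return the entries a helper would want to look at."""
    findings: List[Finding] = []
    for raw in otl_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            name, target = m.group("name"), m.group("target")
            if target.endswith("File not found"):
                findings.append(Finding("orphaned-autostart", name, line))
            if looks_random(name):
                findings.append(Finding("random-name-autostart", name, line))
            continue
        m = SCOPE_RE.match(line)
        if m and any(p in m.group("url").lower() for p in UNWANTED_SEARCH):
            findings.append(Finding("search-scope-hijack", m.group("url"), line))
            continue
        m = FF_SEARCH_RE.match(line)
        if m and m.group("engine").lower() in UNWANTED_SEARCH:
            findings.append(Finding("ff-search-hijack", m.group("engine"), line))
            continue
        m = O7_RE.match(line)
        if m:
            findings.append(Finding("ie-restrictions-policy", m.group("key"), line))
            continue
        m = O3_RE.match(line)
        if m and "No CLSID value found" in line:
            findings.append(Finding("orphaned-toolbar", m.group("clsid"), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_OTL):
        print(f"{f.rule:24} {f.detail}")
```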

#50 beabruin (Member, Topic Starter, 73 posts)
Here are the RunFix & Quick Scan Logs.
*
*************************
OTL RunFix Log
*************************
*
All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{94F30000-B2A1-4D56-959A-37DADA8B1666}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94F30000-B2A1-4D56-959A-37DADA8B1666}\ not found.
Registry key HKEY_USERS\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Microsoft\Internet Explorer\SearchScopes\{94F30000-B2A1-4D56-959A-37DADA8B1666}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94F30000-B2A1-4D56-959A-37DADA8B1666}\ not found.
Prefs.js: "Ask.com" removed from browser.search.defaultengine
Prefs.js: "Ask.com" removed from browser.search.defaultenginename
Prefs.js: "Ask.com" removed from browser.search.order.1
Prefs.js: "Ask.com" removed from browser.search.selectedEngine
Prefs.js: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21 removed from extensions.enabledItems
Prefs.js: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24 removed from extensions.enabledItems
C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\6c4uiwsd.default\searchplugins\bing-zugo.xml moved successfully.
Registry value HKEY_USERS\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry value HKEY_USERS\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Microsoft\Windows\CurrentVersion\Run\\AgVQVkFpNfmITWf.exe deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.
Registry key HKEY_USERS\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.
Registry key HKEY_USERS\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.
Registry key HKEY_USERS\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
C:\Users\owner\Desktop\~WRL0001.tmp deleted successfully.
C:\Users\owner\Desktop\~WRL0073.tmp deleted successfully.
C:\Users\owner\Desktop\~WRL0186.tmp deleted successfully.
C:\Users\owner\Desktop\~WRL0357.tmp deleted successfully.
C:\Users\owner\Desktop\~WRL1365.tmp deleted successfully.
C:\Users\owner\Desktop\~WRL2015.tmp deleted successfully.
C:\Users\owner\Desktop\~WRL2057.tmp deleted successfully.
C:\Users\owner\Desktop\~WRL2922.tmp deleted successfully.
C:\Users\owner\Desktop\~WRL3623.tmp deleted successfully.
C:\Users\owner\Desktop\~WRL3810.tmp deleted successfully.
C:\Users\owner\Desktop\~WRL4060.tmp deleted successfully.
========== REGISTRY ==========
Registry value HKEY_USERS\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Desktop Software deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Microsoft\Windows\CurrentVersion\Run\\HLBackupScheduler deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\owner\Desktop\cmd.bat deleted successfully.
C:\Users\owner\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: owner
->Temp folder emptied: 69370 bytes
->Temporary Internet Files folder emptied: 90115046 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 617 bytes

User: Public
->Temp folder emptied: 0 bytes

User: _admin
->Temp folder emptied: 36271 bytes
->Temporary Internet Files folder emptied: 11657645 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 507 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 162506 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 97.00 mb



OTL by OldTimer - Version 3.2.35.1 log created on 03082012_202158

Files\Folders moved on Reboot...
C:\Users\owner\AppData\Local\Temp\ehmsas.txt moved successfully.
C:\Users\owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Z95EB1M2\fastbutton[1].htm moved successfully.
C:\Users\owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
File\Folder C:\Windows\temp\WRusr.dll-174974262-0.tmp not found!

Registry entries deleted on Reboot...
***************************************
OTL Scan All Users Quick Scan Log
***************************************
OTL logfile created on: 3/8/2012 8:44:14 PM - Run 11
OTL by OldTimer - Version 3.2.35.1 Folder = C:\Users\owner\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 1.73 Gb Available Physical Memory | 57.72% Memory free
6.18 Gb Paging File | 4.99 Gb Available in Paging File | 80.75% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 221.19 Gb Total Space | 133.71 Gb Free Space | 60.45% Space Free | Partition Type: NTFS
Drive D: | 11.69 Gb Total Space | 2.03 Gb Free Space | 17.34% Space Free | Partition Type: NTFS
Drive F: | 1.90 Gb Total Space | 1.90 Gb Free Space | 100.00% Space Free | Partition Type: FAT

Computer Name: CARUDA | User Name: owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Program Files\Webroot\WRSA.exe (Webroot)
PRC - C:\Users\owner\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe ()
PRC - C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe ()
PRC - C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
PRC - C:\Program Files\Panda USB Vaccine\USBVaccine.exe (Panda Security)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\Canon\IJPLM\ijplmsvc.exe ()
PRC - C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE (CANON INC.)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe ()
MOD - C:\Program Files\HP\QuickPlay\Kernel\common\MCEMediaStatus.dll ()
MOD - C:\Windows\System32\igfxTMM.dll ()


========== Win32 Services (SafeList) ==========

SRV - (WRSVC) -- C:\Program Files\Webroot\WRSA.exe (Webroot)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MotoHelper) -- C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe ()
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (IAANTMON) Intel® -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
SRV - (IJPLMSVC) -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe ()
SRV - (Com4Qlb) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe (Hewlett-Packard Development Company, L.P.)


========== Driver Services (SafeList) ==========

DRV - (NwlnkFwd) -- File not found
DRV - (NwlnkFlt) -- File not found
DRV - (MCSTRM) -- File not found
DRV - (IpInIp) -- File not found
DRV - (catchme) -- File not found
DRV - (WRkrn) -- C:\Windows\System32\drivers\WRkrn.sys (Webroot)
DRV - (MBAMProtector) -- C:\Windows\System32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (motccgp) -- C:\Windows\System32\drivers\motccgp.sys (Motorola)
DRV - (motmodem) -- C:\Windows\System32\drivers\motmodem.sys (Motorola)
DRV - (Motousbnet) -- C:\Windows\System32\drivers\Motousbnet.sys (Motorola)
DRV - (motusbdevice) -- C:\Windows\System32\drivers\motusbdevice.sys (Motorola Inc)
DRV - (smserial) -- C:\Windows\System32\drivers\smserial.sys (Motorola Inc.)
DRV - (BVRPMPR5) -- C:\Windows\System32\drivers\BVRPMPR5.SYS (Avanquest Software)
DRV - (motccgpfl) -- C:\Windows\System32\drivers\motccgpfl.sys (Motorola)
DRV - (BTCFilterService) -- C:\Windows\System32\drivers\motfilt.sys (Motorola Inc)
DRV - (NETw5v32) Intel® -- C:\Windows\System32\drivers\NETw5v32.sys (Intel Corporation)
DRV - (MotoSwitchService) -- C:\Windows\System32\drivers\motswch.sys (Motorola)
DRV - (RTL8169) -- C:\Windows\System32\drivers\Rtlh86.sys (Realtek Corporation )
DRV - (HpqRemHid) -- C:\Windows\System32\drivers\HpqRemHid.sys (Hewlett-Packard Development Company, L.P.)
DRV - (NETw4v32) Intel® -- C:\Windows\System32\drivers\NETw4v32.sys (Intel Corporation)
DRV - (HpqKbFiltr) -- C:\Windows\System32\drivers\HpqKbFiltr.sys (Hewlett-Packard Development Company, L.P.)
DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC)
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvm60x32.sys (NVIDIA Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...ilion&pf=laptop
IE - HKLM\..\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
IE - HKLM\..\SearchScopes,DefaultScope = {EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C}
IE - HKLM\..\SearchScopes\{0B4A10D1-FBD6-451d-BFDA-F03252B05984}: "URL" = http://slirsredirect...mrud=07-05-2010
IE - HKLM\..\SearchScopes\{EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C}: "URL" = http://slirsredirect...e=tb50winampie7
IE - HKLM\..\SearchScopes\{F34447C2-A73E-4561-AB1C-EE4DF291A1FF}: "URL" = http://search.yahoo....ing}&fr=hp-pvdt


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ilion&pf=laptop
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://blackle.com/
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\URLSearchHook: {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\SearchScopes,DefaultScope = {3D41F773-C2A2-4541-8F58-DF94FA1311D3}
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\SearchScopes\{0B4A10D1-FBD6-451d-BFDA-F03252B05984}: "URL" = http://slirsredirect...mrud=07-05-2010
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\SearchScopes\{3D41F773-C2A2-4541-8F58-DF94FA1311D3}: "URL" = http://search.yahoo....q={searchTerms}
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\SearchScopes\{409DD3B4-D1F8-EC6E-EDBD-2367FDA78762}: "URL" = http://www.bing.com/...015&form=ZGAIDF
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\SearchScopes\{EEE7E0A3-AE64-4dc8-84D1-F5D7BAF2DB0C}: "URL" = http://slirsredirect...e=tb50winampie7
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\SearchScopes\{F34447C2-A73E-4561-AB1C-EE4DF291A1FF}: "URL" = http://search.yahoo....ing}&fr=hp-pvdt
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: ""
FF - prefs.js..browser.search.defaultenginename: ""
FF - prefs.js..browser.search.defaulturl: "http://slirsredirect...nampie7&query="
FF - prefs.js..browser.search.order.1: ""
FF - prefs.js..browser.search.selectedEngine: ""
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8
FF - prefs.js..extensions.enabledItems:
FF - prefs.js..extensions.enabledItems:
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313
FF - prefs.js..extensions.enabledItems: {bbf8fc30-5280-11db-b0de-0800200c9a66}:2.20090609
FF - prefs.js..extensions.enabledItems: {66871bd1-5ba2-4739-b485-2a15f5969bd8}:2.20100123
FF - prefs.js..keyword.URL: "http://slirsredirect...inampab&query="


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.3: C:\Users\owner\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll ( )
FF - HKCU\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine: C:\Users\owner\AppData\Roaming\nprhapengine.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2008/08/31 19:45:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/02 19:22:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/02 19:22:11 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2008/08/31 19:45:47 | 000,000,000 | ---D | M]

[2008/08/31 19:55:32 | 000,000,000 | ---D | M] (No name found) -- C:\Users\owner\AppData\Roaming\mozilla\Extensions
[2012/01/23 14:32:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\owner\AppData\Roaming\mozilla\Firefox\Profiles\6c4uiwsd.default\extensions
[2010/07/27 15:23:46 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\owner\AppData\Roaming\mozilla\Firefox\Profiles\6c4uiwsd.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/07/27 15:23:25 | 000,000,000 | ---D | M] (MidnightFox) -- C:\Users\owner\AppData\Roaming\mozilla\Firefox\Profiles\6c4uiwsd.default\extensions\{66871bd1-5ba2-4739-b485-2a15f5969bd8}
[2009/10/06 17:38:48 | 000,000,000 | ---D | M] (HalloFF) -- C:\Users\owner\AppData\Roaming\mozilla\Firefox\Profiles\6c4uiwsd.default\extensions\{bbf8fc30-5280-11db-b0de-0800200c9a66}
[2010/07/27 15:23:40 | 000,000,000 | ---D | M] (No name found) -- C:\Users\owner\AppData\Roaming\mozilla\Firefox\Profiles\6c4uiwsd.default\extensions\{66871bd1-5ba2-4739-b485-2a15f5969bd8}\chrome\mozapps\extensions
[2010/07/27 15:23:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\owner\AppData\Roaming\mozilla\Firefox\Profiles\6c4uiwsd.default\extensions\{66871bd1-5ba2-4739-b485-2a15f5969bd8}\chrome\mozapps\extensions\CVS
[2010/05/06 20:22:31 | 000,001,490 | ---- | M] () -- C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\6c4uiwsd.default\searchplugins\AOL Search.xml
[2010/12/28 09:30:26 | 000,001,196 | ---- | M] () -- C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\6c4uiwsd.default\searchplugins\winamp-search.xml
[2012/01/02 19:22:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/01/02 19:22:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\distribution\extensions
[2012/01/02 19:22:13 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\distribution\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/11/20 23:04:51 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/05/04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010/12/09 05:47:06 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\mozilla firefox\plugins\npwachk.dll
[2010/05/06 20:22:31 | 000,001,490 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\AOL Search.xml
[2011/11/20 20:04:05 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/20 20:04:05 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/02/08 07:13:49 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Winamp Toolbar Loader) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O3 - HKLM\..\Toolbar: (Winamp Toolbar) - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O3 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..\Toolbar\WebBrowser: (Winamp Toolbar) - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [WRSVC] C:\Program Files\Webroot\WRSA.exe (Webroot)
O4 - Startup: C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Welcome Center.lnk = C:\Windows\System32\control.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html ()
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 File not found
O9 - Extra Button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - Reg Error: Value error. File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)
O15 - HKU\S-1-5-21-1643871695-1882474329-1398546539-1000\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0C187B1F-FC4B-45FF-8753-2264EA38E7AD}: DhcpNameServer = 216.183.102.115 66.179.168.118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EE41FC19-29CB-4C60-8950-CADE512413A1}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\owner\Desktop\002.JPG
O24 - Desktop BackupWallPaper: C:\Users\owner\Desktop\002.JPG
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/01 08:18:01 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2005/09/11 10:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]
O33 - MountPoints2\{86b10bf9-06cb-11e0-a1a0-001e68b4a676}\Shell - "" = AutoRun
O33 - MountPoints2\{86b10bf9-06cb-11e0-a1a0-001e68b4a676}\Shell\AutoRun\command - "" = I:\setup.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/06 19:46:15 | 000,584,704 | ---- | C] (OldTimer Tools) -- C:\Users\owner\Desktop\OTL.exe
[2012/02/23 07:04:58 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2012/02/23 04:29:39 | 000,000,000 | ---D | C] -- C:\Reg_Backup
[2012/02/23 03:55:56 | 000,181,064 | ---- | C] (Sysinternals) -- C:\Windows\PSEXESVC.EXE
[2012/02/23 03:54:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
[2012/02/23 03:54:45 | 000,000,000 | ---D | C] -- C:\Program Files\Tweaking.com
[2012/02/16 04:17:42 | 000,000,000 | ---D | C] -- C:\Windows\System32\catroot2
[2012/02/08 16:50:00 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Local\ElevatedDiagnostics
[2012/02/08 16:43:32 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\Malwarebytes

========== Files - Modified Within 30 Days ==========

[2012/03/08 20:31:31 | 000,604,502 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/03/08 20:31:31 | 000,104,170 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/03/08 20:24:16 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/03/08 20:24:16 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/03/08 20:24:13 | 000,000,699 | ---- | M] () -- C:\Users\Public\Desktop\Webroot SecureAnywhere.lnk
[2012/03/08 20:24:12 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/03/08 20:24:10 | 3211,190,272 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/08 20:15:28 | 000,145,592 | ---- | M] (Webroot) -- C:\Windows\System32\WRusr.dll
[2012/03/08 20:15:28 | 000,109,584 | ---- | M] (Webroot) -- C:\Windows\System32\drivers\WRkrn.sys
[2012/03/06 19:46:39 | 000,584,704 | ---- | M] (OldTimer Tools) -- C:\Users\owner\Desktop\OTL.exe
[2012/02/23 09:23:54 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_SynTP_01009.Wdf
[2012/02/23 09:23:47 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2012/02/23 09:02:59 | 000,002,491 | ---- | M] () -- C:\Users\owner\Desktop\Microsoft PowerPoint.lnk
[2012/02/23 08:22:53 | 000,315,440 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/02/23 07:05:04 | 000,181,064 | ---- | M] (Sysinternals) -- C:\Windows\PSEXESVC.EXE
[2012/02/23 03:54:46 | 000,002,008 | ---- | M] () -- C:\Users\Public\Desktop\Tweaking.com - Windows Repair (All in One).lnk
[2012/02/16 04:12:40 | 271,320,429 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/02/08 17:04:38 | 006,302,022 | ---- | M] () -- C:\Users\owner\Documents\WinUpdateErr.02-08-2012.rtf
[2012/02/08 07:13:49 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2012/02/07 22:12:33 | 000,000,866 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

========== Files Created - No Company Name ==========

[2012/02/23 09:49:33 | 3211,190,272 | -HS- | C] () -- C:\hiberfil.sys
[2012/02/23 09:23:54 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_SynTP_01009.Wdf
[2012/02/23 09:23:47 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2012/02/23 09:23:26 | 000,000,003 | ---- | C] () -- C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf
[2012/02/23 04:50:26 | 000,303,616 | ---- | C] ( ) -- C:\SetACL.exe
[2012/02/23 03:54:46 | 000,002,008 | ---- | C] () -- C:\Users\Public\Desktop\Tweaking.com - Windows Repair (All in One).lnk
[2012/02/08 17:04:38 | 006,302,022 | ---- | C] () -- C:\Users\owner\Documents\WinUpdateErr.02-08-2012.rtf
[2012/01/19 20:40:52 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/01/19 20:40:52 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/01/19 20:40:52 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/01/19 20:40:52 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/01/19 20:40:52 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/09/16 13:02:48 | 000,001,356 | ---- | C] () -- C:\Users\owner\AppData\Local\d3d9caps.dat
[2011/05/28 01:04:09 | 000,057,344 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2010/07/07 15:04:12 | 000,000,056 | ---- | C] () -- C:\ProgramData\ezsidmv.dat

========== LOP Check ==========

[2008/09/01 08:06:38 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\acccore
[2010/06/21 19:30:50 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\Facebook
[2010/11/02 19:18:16 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\ooVoo Details
[2012/03/08 20:23:12 | 000,032,576 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >
  • 0

#51
Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)
Have the blocked program pop-ups for the three programs stopped appearing?
  • 0

#52
beabruin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
Yes, the blocked startup programs dialog box has stopped popping up when I reboot and logon as CARUDA. They of course never did pop up after a reboot and/or when logging on as _admin. Thank you for all your help.
  • 0

#53
Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hello! :wave:
Congratulations, your logs look clean! :thumbsup: :yeah: :woot:
Please follow the steps below to make your computer more secure.


First, re-enable any anti-virus/anti-malware programs we have disabled during the removal process!


Combofix Uninstall

Click START then RUN.
Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.

Posted Image


Cleanup

Run OTL.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    :Commands 
    [emptytemp]
    [CLEARALLRESTOREPOINTS] 
    [Reboot]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.

  • Open OTL to run it. (Vista users, right click on OTL and "Run as administrator").
  • Close all other programs apart from OTL as this step will require a reboot.
  • On the OTL main screen, press the CLEANUP button.
  • Say Yes to the prompt and then allow the program to reboot your computer.
Note: If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.


Updates

Windows Update - This site is a Microsoft site that will scan your computer for any patches or updates that are missing from your computer. You should check this website regularly to keep Windows up to date. This will ensure your computer has all of the latest security updates installed and is secure from any known security holes. Windows Updates are constantly being revised to combat the newest hacks and threats.
It is best if you have these set to download automatically.

How to turn on Automatic Updates:

  • Click on Start.
  • Right-click My Computer.
  • Select Properties.
  • Click on the Automatic Updates Tab.
  • Place a checkmark in the circle next to Automatic (recommended) near the green shield.
  • Click Apply > OK.

Posted Image
Adobe Reader - Your version of Adobe Reader is outdated. It's important to keep Adobe Reader updated because many security problems are fixed with updates.

How to check for Adobe Reader updates:

  • Open Adobe Reader.
  • On the menu bar click on Help then Check For Updates.
  • The program will then tell you if updates are available.

Make sure you have the latest Adobe Flash Player (11.1.102.63) and Adobe Shockwave Player (11.6.4.634) so you can view all of the latest content on websites.


Make Internet Explorer more secure

  • Click Start > Run.
  • Type Inetcpl.cpl & click OK.
  • Click on the Security tab.
  • Click Reset all zones to default level.
  • Make sure the Internet Zone is selected & Click Custom level.
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

Recommended Programs

Make sure you update your security programs regularly so they know about new infections and can protect your computer against them.
Here is a list of programs/tools that I like to recommend to users to reduce the risk of infection in the future:



Anti-Spyware Programs

MBAM - MalwareBytes Anti Malware is an excellent program to detect and get rid of malware. This program should be updated and run often.

SpywareBlaster - Prevents spyware from installing on your system and stops you from getting infected. It protects against bad ActiveX and immunizes your PC against them.

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place. It offers realtime protection from spyware installation attempts.
Note: Make sure you are only running one real-time anti-spyware protection program (eg: TeaTimer, Windows Defender) or there will be a conflict.


Alternate Browsers

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop-up blocker (as an added benefit!) that I have ever seen. Hijackers like to attack Internet Explorer more than Firefox. If you are interested, Firefox may be downloaded from here.

Add-ons

NoScript - Blocks ads and other potential website attacks.

AdBlockPlus - Adblock Plus gets rid of ads and banners on the internet.

DrWeb Anti-Virus Link Checker - Allows you to check any file you are about to download, or any page you are about to visit, with the online version of Dr.Web anti-virus.

Other browsers include:

Google Chrome
Safari
Opera


Other Programs

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
Green to go.
Yellow for caution.
Red to stop.
WOT has an addon available for both Firefox and IE.


ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.


IE-SpyAd - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. It prevents cookies etc. from these websites from downloading onto your computer.


MVPS Hosts File replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.


FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. It's important to keep programs up to date so that malware doesn't exploit any old security flaws.


Google Toolbar - Get the free Google Toolbar to help stop pop-ups.


Finally...

Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Please respond one last time so we can consider the thread resolved and close it, thank you.
Good luck and stay safe!!! :thumbsup:
  • 0
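The MVPS Hosts File entry above works because the resolver consults the HOSTS file before DNS, so a hostname mapped to 127.0.0.1 (or 0.0.0.0) never reaches the real site. The following is an added example, not part of the thread or the MVPS project, showing how to read such a file and confirm which names it sinkholes; the sample file contents and domain names are constructed.

```python
"""Added example: inspect a HOSTS file and report which hostnames it sinkholes."""

# Constructed sample resembling a Windows HOSTS file; all domains are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# [Constructed block of blocked sites]
127.0.0.1  ads.example-tracker.test   # trailing comment after an entry
0.0.0.0    malware.example.invalid bad.example.invalid
127.0.0.1 other.example.test
# 127.0.0.1 commented-out.example.test
"""

# Addresses that point a name back at the local machine (i.e. block it).
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return a dict of lowercase hostname -> address for every active entry."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()                  # "address name [name ...]"
        addr, names = parts[0], parts[1:]
        for name in names:
            # Keep the first entry for a name; later duplicates are ignored.
            mapping.setdefault(name.lower(), addr)
    return mapping


def blocked_hosts(text):
    """Sorted list of hostnames the file sinkholes, excluding localhost itself."""
    return sorted(name for name, addr in parse_hosts(text).items()
                  if addr in SINKHOLE_ADDRS and name != "localhost")


def is_blocked(hostname, text):
    """True if the file would stop this machine from reaching hostname."""
    key = hostname.lower().rstrip(".")
    return parse_hosts(text).get(key) in SINKHOLE_ADDRS


if __name__ == "__main__":
    for host in blocked_hosts(SAMPLE_HOSTS):
        print("blocked:", host)
```

To check the real file on a Windows machine, read C:\Windows\System32\drivers\etc\hosts into `text` instead of the constructed sample.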

#54
beabruin

beabruin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
While trying to uninstall Combofix /Uninstall, I'm getting a pop-up dialog box

Warning!!

Combofix has detected the following real time scanner(s) to be active:

antivirus: WebRoot SecureAnywhere
antispyware: Webroot SecureAnywhere

Antivirus and intrusion prevention programs are known to interfere
with ComboFix's running. This may lead to unpredictable results or
possible machine damage.

Please disable these scanners before clicking 'OK'.


I'm not exactly sure how to temporarily disable these scanners. I'll click close (red x in upper RH corner) and will not continue the remainder of these steps for now.

After unsuccessfully trying to cancel the uninstall of Combofix, and following a reboot, I decided to continue with the remaining steps to make this laptop more secure.

I ran the OTL RunFix and the OTL Cleanup steps.

I also made sure Windows Update is set for automatic updates.

I updated Adobe Reader.

I made Internet Explorer more secure. I almost never use IE choosing instead Mozilla as my primary browser. I also do use Safari and Google Chrome. I haven't used Opera in several years.

Malwarebytes Anti-Malware is running and gets updated regularly. I will also look into installing some of the other anti-spyware software once I am familiar with how to only run one actively at a time.

I will also be looking at some of the other programs to keep me protected.

Again, thank you & the Geeks To Go staff.

Edited by beabruin, 13 March 2012 - 02:34 AM.

  • 0

#55
Nedklaw

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)
You're very welcome!!!

To disable Webroot SecureAnywhere:
  • Right click the round green icon in the system tray with a W in it.
  • Click Shut down Webroot.
Make sure to re-enable Webroot after uninstalling ComboFix.

Thanks again!
  • 0



#56
beabruin

beabruin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
ComboFix is uninstalled. Everything appears to be running normally now. Thank you.
  • 0

#57
NeonFx

NeonFx

    Malware Removal Dude

  • Expert
  • 3,797 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
