Geeks to Go

Please help, I was infected with "NCJ TROJAN" + OTHERS [Solved]


  • This topic is locked

#1 jamiemad1 (Member, 98 posts)
Hello and thank you for helping. I recently was helped by one of your workers, who did an awesome job, and now I got hit again, very aggravating. I thought I got it cleaned up but some programs are still acting strange. I cannot open Documents and Settings, it just closes; also Mbam is constantly blocking a strange IP address (outgoing). Here are my logs, and thank you so much for helping me again.

OTL logfile created on: 4/6/2012 8:34:08 AM - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = D:\jacobs downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.80 Mb Total Physical Memory | 167.67 Mb Available Physical Memory | 16.39% Memory free
2.40 Gb Paging File | 1.83 Gb Available in Paging File | 76.23% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.13 Gb Total Space | 1.48 Gb Free Space | 7.76% Space Free | Partition Type: NTFS
Drive D: | 31.49 Gb Total Space | 26.69 Gb Free Space | 84.75% Space Free | Partition Type: NTFS
Drive E: | 480.33 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: JHOME | User Name: jacob | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/04/06 08:33:14 | 000,593,920 | ---- | M] (OldTimer Tools) -- D:\jacobs downloads\OTL.exe
PRC - [2012/04/06 08:15:37 | 004,731,392 | ---- | M] (AVAST Software) -- D:\jacobs downloads\aswMBR(1).exe
PRC - [2012/03/30 21:00:26 | 000,161,664 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2012/03/30 21:00:23 | 000,173,960 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\system32\java.exe
PRC - [2012/03/26 03:34:22 | 000,306,688 | ---- | M] (FileHippo.com) -- C:\Program Files\FileHippo.com\UpdateChecker.exe
PRC - [2012/03/24 12:23:33 | 000,924,600 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/01/13 15:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/01/13 15:53:18 | 000,460,872 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/06/15 15:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2010/06/16 17:42:58 | 000,839,680 | ---- | M] () -- C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
PRC - [2008/12/12 19:06:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
PRC - [2008/12/12 19:06:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
PRC - [2008/11/13 15:43:49 | 000,204,800 | ---- | M] () -- C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003/04/22 05:43:44 | 000,413,775 | ---- | M] (Microsoft Corporation) -- D:\Program Files\WCESCOMM.EXE
PRC - [2001/09/27 04:39:42 | 000,245,760 | ---- | M] (ATI Technologies, Inc.) -- C:\WINDOWS\system32\atiptaxx.exe


========== Modules (No Company Name) ==========

MOD - [2012/03/24 12:23:32 | 001,969,080 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2012/02/15 04:24:47 | 011,817,472 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\29bdc8352d3c26e3c572ea60639dec3b\System.Web.ni.dll
MOD - [2012/02/15 04:22:04 | 001,712,128 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\96e485c02ad346a2bd26a635e7fcb023\Microsoft.VisualBasic.ni.dll
MOD - [2012/02/15 04:21:31 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\94a40f415bfa947e251888bbe88bb973\System.Configuration.ni.dll
MOD - [2012/02/15 04:18:15 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\77e1279cbf4eecfb0284b63316fe43fe\System.Xml.ni.dll
MOD - [2012/02/15 04:17:57 | 012,430,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ad99ac6b5666edb8ee742dd64f9578af\System.Windows.Forms.ni.dll
MOD - [2012/02/15 04:17:27 | 001,587,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\9351cf29bb1ba951e45a9b3b0edab937\System.Drawing.ni.dll
MOD - [2012/02/15 04:13:52 | 007,953,408 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\9e3803cd2a11f056291862e306a8e2b2\System.ni.dll
MOD - [2012/02/15 04:11:04 | 000,303,104 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
MOD - [2011/10/13 03:17:02 | 011,490,816 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll
MOD - [2011/06/18 19:31:53 | 006,271,136 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2010/06/16 17:42:58 | 000,839,680 | ---- | M] () -- C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
MOD - [2008/12/12 19:11:26 | 000,148,480 | ---- | M] () -- C:\Program Files\Common Files\Pure Networks Shared\Platform\CAntiVirusCOM.dll
MOD - [2008/12/12 19:11:26 | 000,097,280 | ---- | M] () -- C:\Program Files\Common Files\Pure Networks Shared\Platform\CFirewallCOM.dll
MOD - [2008/11/13 15:43:49 | 000,204,800 | ---- | M] () -- C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
MOD - [2008/11/13 15:43:49 | 000,081,920 | ---- | M] () -- C:\Program Files\Linksys\Linksys Updater\lib\wrapper.dll
MOD - [2007/02/16 17:40:42 | 005,521,408 | ---- | M] () -- C:\Program Files\Common Files\LightScribe\QtGui4.dll
MOD - [2007/02/16 17:40:40 | 001,466,368 | ---- | M] () -- C:\Program Files\Common Files\LightScribe\QtCore4.dll
MOD - [2003/03/26 06:15:00 | 000,057,422 | ---- | M] () -- C:\WINDOWS\system32\MOBILEV.ACM
MOD - [2001/08/18 08:00:00 | 000,015,360 | ---- | M] () -- C:\WINDOWS\system32\tsd32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\\Program Files\\Common Files\\Ahead\\Lib\\NMIndexingService.exe -- (NMIndexingService)
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [Auto | Stopped] -- -- (AOLService)
SRV - [2012/03/30 21:00:26 | 000,161,664 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/01/13 15:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2008/12/12 19:06:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe -- (nmservice)
SRV - [2008/11/13 15:43:49 | 000,204,800 | ---- | M] () [Auto | Running] -- C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe -- (LinksysUpdater)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\usbaapl.sys -- (USBAAPL)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\My Documents\Garena Plus\Room\safedrv.sys -- (GGSAFERDriver)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EagleXNt.sys -- (EagleXNt)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\jacob\LOCALS~1\Temp\aswMBR.sys -- (aswMBR)
DRV - [2012/04/06 08:34:32 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2012/04/06 05:54:35 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0D76EE75-053E-4E9A-B5A5-1C33156B78C6}\MpKsl621c15e2.sys -- (MpKsl621c15e2)
DRV - [2011/12/10 16:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/02/17 17:59:09 | 000,007,168 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\utmzmza3.sys -- (utmzmza3)
DRV - [2010/02/03 15:56:56 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2009/09/08 18:54:23 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2008/12/12 19:05:20 | 000,025,264 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\purendis.sys -- (purendis)
DRV - [2008/12/12 19:05:18 | 000,023,984 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\pnarp.sys -- (pnarp)
DRV - [2008/04/13 15:45:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/13 14:56:49 | 000,012,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usb8023.sys -- (USB_RNDIS)
DRV - [2007/12/26 03:47:30 | 000,272,128 | ---- | M] (NETGEAR Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wg111v2.sys -- (RTLWUSB)
DRV - [2006/08/02 11:45:32 | 000,114,560 | ---- | M] (Mars Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mr7910.sys -- (mr7910)
DRV - [2006/03/03 14:27:53 | 000,010,344 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
DRV - [2004/08/04 01:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/09/22 12:43:06 | 001,330,048 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\P16X.sys -- (P16X) Creative SB Live! Series (WDM)
DRV - [2003/09/22 08:48:06 | 000,130,192 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2003/09/22 08:47:38 | 000,178,672 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2003/02/26 22:12:19 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2002/09/19 21:33:52 | 000,035,120 | ---- | M] (Copyright © Fuji Photo film Co.,Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALABULK2.SYS -- (ALABULK)
DRV - [2002/01/11 01:22:10 | 000,295,168 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtaa.sys -- (ati2mtaa)
DRV - [2001/08/22 12:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI)
DRV - [2001/08/17 13:19:38 | 000,037,120 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\es1370mp.sys -- (ES1370) Creative AudioPCI (ES1370), SB PCI 64/128 (WDM)
DRV - [2001/08/17 09:28:10 | 000,542,879 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_MSFT.sys -- (hsf_msft)
DRV - [2001/08/17 08:48:52 | 000,281,856 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mpaa.sys -- (ati2mpaa)
DRV - [2001/07/25 21:58:28 | 000,584,336 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hsf_cnxt.sys -- (winachsf)
DRV - [2001/07/18 23:07:00 | 000,080,449 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\spkpnt.sys -- (SpeakerPhone)
DRV - [2001/07/18 23:06:40 | 000,426,783 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\k56nt.sys -- (K56)
DRV - [2001/07/18 23:06:12 | 000,127,405 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fsksnt.sys -- (Fsks)
DRV - [2001/07/18 23:05:26 | 000,217,019 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\faxnt.sys -- (SoftFax)
DRV - [2001/07/18 23:04:26 | 000,056,607 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tonesnt.sys -- (Tones)
DRV - [2001/07/18 23:04:04 | 000,310,899 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fallback.sys -- (Fallback)
DRV - [2001/07/18 23:01:56 | 000,077,426 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\basic2.sys -- (basic2)
DRV - [2001/07/18 23:01:38 | 000,067,654 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rksample.sys -- (Rksample)
DRV - [2001/07/18 23:01:20 | 000,534,125 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\v124nt.sys -- (V124)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page_bak =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page_bak =
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = http://slirsredirect...mrud=19-08-2010
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKLM\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/w...q={SEARCHTERMS}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsea...CFQTd4AodQnow0Q
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 32 06 8C 89 9A EE CC 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask...3A-D3739C5E4364
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...&rlz=1I7GGLL_en
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.defaultthis.engineName: ""
FF - prefs.js..browser.search.defaulturl: ""
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "https://www.google.com/"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll File not found
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@nsroblox.roblox.com/launcher: C:\Documents and Settings\jacob\Local Settings\Application Data\RobloxVersions\version-ad555162e16d43e0\\NPRobloxProxy.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{EB132DB0-A4CA-11DF-9732-0E29E0D72085}: C:\Program Files\Object\facetheme
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/03/24 12:23:35 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/02/18 20:41:30 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{EB132DB0-A4CA-11DF-9732-0E29E0D72085}: C:\Program Files\Object\facetheme

[2010/08/19 15:46:02 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\jacob\Application Data\Mozilla\Extensions
[2012/04/02 23:14:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\jacob\Application Data\Mozilla\Firefox\Profiles\ttwr6ldg.default\extensions
[2012/01/03 18:41:55 | 000,000,000 | ---D | M] (Battlefield Play4Free) -- C:\Documents and Settings\jacob\Application Data\Mozilla\Firefox\Profiles\ttwr6ldg.default\extensions\[email protected]
[2012/03/09 22:35:46 | 000,000,000 | ---D | M] (Browse For Change) -- C:\Documents and Settings\jacob\Application Data\Mozilla\Firefox\Profiles\ttwr6ldg.default\extensions\[email protected]
[2011/02/11 21:01:38 | 000,002,567 | ---- | M] () -- C:\Documents and Settings\jacob\Application Data\Mozilla\Firefox\Profiles\ttwr6ldg.default\searchplugins\askcom.xml
[2010/12/12 12:16:22 | 000,000,919 | ---- | M] () -- C:\Documents and Settings\jacob\Application Data\Mozilla\Firefox\Profiles\ttwr6ldg.default\searchplugins\conduit.xml
[2012/02/05 12:39:10 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/03/24 12:23:34 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2007/08/24 23:52:00 | 000,300,400 | ---- | M] (Symantec Corporation) -- C:\Program Files\mozilla firefox\components\coFFPlgn.dll
[2008/09/15 11:52:06 | 000,376,832 | ---- | M] ( ) -- C:\Program Files\mozilla firefox\plugins\npsnapfish.dll
[2012/01/05 21:33:32 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/01/05 21:33:32 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\12.0.742.122\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Java Deployment Toolkit 6.0.240.7 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U24 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\12.0.742.122\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Program Files\Google\Chrome\Application\12.0.742.122\gears.dll
CHR - plugin: Windows Genuine Advantage (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
CHR - plugin: Snapfish Plugin for Firefox (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Garmin Communicator Plug-In (Enabled) = C:\Program Files\Garmin GPS Plugin\npGarmin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll
CHR - plugin: MetaStream 3 Plugin (Enabled) = C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Entanglement = C:\Documents and Settings\jacob\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.4.6_0\
CHR - Extension: Poppit = C:\Documents and Settings\jacob\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0\

O1 HOSTS File: ([2011/02/18 11:39:08 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [ATIPTA] C:\WINDOWS\System32\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [nmctxth] C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Cisco Systems, Inc.)
O4 - HKCU..\Run: [FileHippo.com] C:\Program Files\FileHippo.com\UpdateChecker.exe (FileHippo.com)
O4 - HKCU..\Run: [H/PC Connection Agent] D:\program files\WCESCOMM.EXE (Microsoft Corporation)
O4 - HKCU..\Run: [OpenDNS Updater] C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - d:\Program Files\INETREPL.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - d:\Program Files\INETREPL.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell....iler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.micr...veX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} http://gamingzone.ub...s/GSManager.cab (CoGSManager Class)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.syma...bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} http://aolcc.aol.com...kup/qdiagcc.cab (QDiagAOLCCUpdateObj Class)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.syma...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} http://ccfiles.creat...101/CTSUEng.cab (Creative Software AutoUpdate)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1139962132984 (MUWebControl Class)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} http://a840.g.akamai...all/xscan53.cab (HouseCall Control)
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} http://www3.ca.com/s...nfo/webscan.cab (WScanCtl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} http://www.installen...gine/isetup.cab (InstallShield International Setup Player)
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} http://www.crucial.c.../cpcScanner.cab (Crucial cpcScan)
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} http://support.dell....lSystemLite.CAB (DellSystemLite.Scanner)
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} http://security.syma...n/bin/cabsa.cab (Symantec RuFSI Registry Information Class)
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} Reg Error: Key error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_03)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creat...15109/CTPID.cab (Creative Software AutoUpdate Support Package)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.154.1.6 24.154.1.37 192.168.1.1 24.154.1.6 24.154.1.37
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{870E5707-EBC8-4FEC-91A7-1C9F31F19226}: DhcpNameServer = 24.154.1.6 24.154.1.37 192.168.1.1 24.154.1.6 24.154.1.37
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{870E5707-EBC8-4FEC-91A7-1C9F31F19226}: NameServer = 208.67.222.123,208.67.220.123
O18 - Protocol\Handler\mctp {d7b95390-b1c5-11d0-b111-0080c712fe82} - d:\Program Files\AATP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\jacob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\jacob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/01/21 16:04:21 | 000,000,109 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/04/06 08:34:32 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/04/05 23:11:28 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/04/02 17:10:03 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\AI_RecycleBin
[2012/04/02 17:07:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WeCareReminder
[2012/03/31 21:54:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jacob\Start Menu\Programs\Roblox
[2012/03/31 12:45:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jacob\Local Settings\Application Data\Sun
[2012/03/31 08:50:31 | 001,358,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_35.dll
[2012/03/31 08:50:31 | 000,444,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_35.dll
[2012/03/31 08:50:25 | 003,727,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_35.dll
[2012/03/31 08:49:21 | 000,081,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_3.dll
[2012/03/31 07:28:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jacob\Local Settings\Application Data\Pando_Temp
[2012/03/30 21:01:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/03/30 21:00:54 | 000,637,848 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\npdeployJava1.dll
[2012/03/30 21:00:54 | 000,141,312 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2012/03/30 21:00:53 | 000,224,136 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2012/03/30 21:00:53 | 000,173,960 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/03/30 21:00:53 | 000,173,960 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/03/30 20:55:13 | 000,000,000 | ---D | C] -- C:\AMD
[2012/03/30 20:47:35 | 000,000,000 | ---D | C] -- C:\Program Files\FileHippo.com
[2012/03/30 19:46:58 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
[2012/03/28 17:14:39 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/03/28 12:08:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/03/17 20:23:37 | 000,000,000 | ---D | C] -- C:\Program Files\OpenDNS Updater
[2012/03/17 20:05:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jacob\Application Data\MSN6
[2012/03/09 22:35:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jacob\Local Settings\Application Data\iBryte
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/04/06 08:44:04 | 000,000,489 | ---- | M] () -- C:\Documents and Settings\jacob\Desktop\Shortcut to OTL.exe.lnk
[2012/04/06 08:34:32 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/04/06 08:19:30 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\jacob\Desktop\MBR.dat
[2012/04/06 08:04:53 | 000,009,216 | ---- | M] () -- C:\Documents and Settings\jacob\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/04/06 07:55:05 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/06 05:48:27 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/04/05 22:55:51 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/05 22:54:35 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/04/05 22:54:28 | 1072,549,888 | -HS- | M] () -- C:\hiberfil.sys
[2012/04/05 22:34:48 | 000,010,842 | -H-- | M] () -- C:\WINDOWS\System32\ATMenuxx.GID
[2012/04/05 21:15:05 | 000,030,310 | ---- | M] () -- C:\Documents and Settings\jacob\Desktop\Battlefield man.jpeg
[2012/04/05 20:40:00 | 000,000,464 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2012/04/05 19:33:01 | 000,000,464 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2012/04/05 14:00:00 | 000,000,464 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2012/04/05 10:10:07 | 000,000,464 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2012/04/02 14:27:08 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/04/02 12:20:41 | 000,020,844 | ---- | M] () -- C:\Documents and Settings\jacob\My Documents\clip0139.avi
[2012/04/02 01:17:35 | 000,780,000 | ---- | M] () -- C:\Documents and Settings\jacob\My Documents\clip0008.avi.bak
[2012/03/31 21:54:21 | 000,001,120 | ---- | M] () -- C:\Documents and Settings\jacob\Desktop\PLAY ROBLOX!.lnk
[2012/03/30 21:00:24 | 000,224,136 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2012/03/30 21:00:24 | 000,173,960 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/03/30 21:00:23 | 000,637,848 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\npdeployJava1.dll
[2012/03/30 21:00:23 | 000,173,960 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/03/30 21:00:23 | 000,141,312 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2012/03/30 21:00:22 | 000,567,696 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\deployJava1.dll
[2012/03/30 20:47:37 | 000,001,632 | ---- | M] () -- C:\Documents and Settings\jacob\Desktop\Update Checker.lnk
[2012/03/30 20:11:27 | 000,225,616 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/26 21:22:50 | 000,000,502 | ---- | M] () -- C:\Documents and Settings\jacob\Desktop\Shortcut to aswMBR.lnk
[2012/03/18 14:44:42 | 000,001,917 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/18 14:39:46 | 000,001,397 | ---- | M] () -- C:\Documents and Settings\jacob\Desktop\Paint.lnk
[2012/03/18 11:39:31 | 000,000,754 | ---- | M] () -- C:\Documents and Settings\jacob\Desktop\SpywareBlaster.lnk
[2012/03/18 11:31:34 | 000,434,136 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/03/18 11:31:34 | 000,068,456 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/04/06 08:44:04 | 000,000,489 | ---- | C] () -- C:\Documents and Settings\jacob\Desktop\Shortcut to OTL.exe.lnk
[2012/04/06 08:19:30 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\jacob\Desktop\MBR.dat
[2012/04/05 21:45:55 | 000,000,884 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/05 21:45:52 | 000,000,880 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/05 21:14:58 | 000,030,310 | ---- | C] () -- C:\Documents and Settings\jacob\Desktop\Battlefield man.jpeg
[2012/04/02 17:13:39 | 000,021,566 | ---- | C] () -- C:\Documents and Settings\jacob\My Documents\AmericanFlag.ani
[2012/04/02 12:20:31 | 000,020,844 | ---- | C] () -- C:\Documents and Settings\jacob\My Documents\clip0139.avi
[2012/04/02 01:17:35 | 000,780,000 | ---- | C] () -- C:\Documents and Settings\jacob\My Documents\clip0008.avi.bak
[2012/03/31 21:54:21 | 000,001,120 | ---- | C] () -- C:\Documents and Settings\jacob\Desktop\PLAY ROBLOX!.lnk
[2012/03/30 20:47:37 | 000,001,638 | ---- | C] () -- C:\Documents and Settings\jacob\Start Menu\Programs\Update Checker.lnk
[2012/03/30 20:47:37 | 000,001,632 | ---- | C] () -- C:\Documents and Settings\jacob\Desktop\Update Checker.lnk
[2012/03/26 21:22:50 | 000,000,502 | ---- | C] () -- C:\Documents and Settings\jacob\Desktop\Shortcut to aswMBR.lnk
[2012/03/18 14:39:39 | 000,001,397 | ---- | C] () -- C:\Documents and Settings\jacob\Desktop\Paint.lnk
[2012/03/17 19:51:02 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\jacob\My Documents\Interneto!.lnk
[2012/02/15 02:46:54 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/01/05 01:48:04 | 000,138,056 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2012/01/05 01:48:04 | 000,138,056 | ---- | C] () -- C:\Documents and Settings\jacob\Application Data\PnkBstrK.sys
[2012/01/05 01:47:45 | 000,189,248 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrB.exe
[2012/01/05 01:47:42 | 000,075,136 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrA.exe
[2011/02/28 04:19:50 | 000,141,400 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/02/17 17:59:09 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\utmzmza3.sys
[2010/11/28 19:11:01 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\jacob\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/03 11:02:36 | 000,000,081 | ---- | C] () -- C:\Documents and Settings\jacob\Application Data\RSBot Accounts.ini

< End of report >


HERE IS MY ESET SCAN FROM LAST NIGHT (WHY DIDN'T MBAM OR MICROSOFT SECURITY PICK UP ON THESE?)

C:\Documents and Settings\jacob\Application Data\Sun\Java\Deployment\cache\6.0\0\3b28e640-7e276d55 a variant of Java/TrojanDownloader.Agent.NCJ trojan deleted - quarantined
C:\Documents and Settings\jacob\Application Data\Sun\Java\Deployment\cache\6.0\0\7de90d80-24dbb738 a variant of Java/TrojanDownloader.Agent.NCJ trojan deleted - quarantined
C:\Documents and Settings\jacob\Application Data\Sun\Java\Deployment\cache\6.0\19\7ff8dfd3-5399108b Java/TrojanDownloader.Agent.NCJ trojan deleted - quarantined
C:\Documents and Settings\jacob\Application Data\Sun\Java\Deployment\cache\6.0\21\4d890f55-40a6fd1f a variant of Java/TrojanDownloader.Agent.NCJ trojan deleted - quarantined
C:\Documents and Settings\jacob\Application Data\Sun\Java\Deployment\cache\6.0\7\3a8042c7-393c6a07 a variant of Java/TrojanDownloader.Agent.NCJ trojan deleted - quarantined
C:\Documents and Settings\jacob\Local Settings\temp\is-CHJU9.tmp\WMF.exe a variant of Win32/Adware.MediaFinder.C application cleaned by deleting - quarantined
C:\Program Files\Uninstall Fun Web Products.dll a variant of Win32/Toolbar.MyWebSearch.K application cleaned by deleting - quarantined
C:\Program Files\Mozilla Firefox\hsempirecache\JFrame\WorldMap\WorldMap.jar a variant of Java/TrojanDownloader.Agent.NCJ trojan deleted - quarantined
C:\Program Files\MsnMusic\MyWebSearch\bar\1.bin\F3HKSTUB.DLL a variant of Win32/Toolbar.MyWebSearch.G application cleaned by deleting - quarantined
C:\Program Files\MsnMusic\MyWebSearch\bar\1.bin\F3HTMLMU.DLL Win32/Toolbar.MyWebSearch.B application cleaned by deleting - quarantined
C:\Program Files\MsnMusic\MyWebSearch\bar\1.bin\M3PLUGIN.DLL a variant of Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\MsnMusic\MyWebSearch\bar\1.bin\M3TPINST.DLL Win32/Toolbar.MyWebSearch.I application cleaned by deleting - quarantined
C:\Program Files\MsnMusic\MyWebSearch\bar\1.bin\MWSBAR.DLL a variant of Win32/Toolbar.MyWebSearch.K application cleaned by deleting - quarantined
C:\Program Files\MsnMusic\MyWebSearch\bar\1.bin\MWSOEMON.EXE Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\MsnMusic\MyWebSearch\bar\1.bin\MWSOESTB.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\MsnMusic\MyWebSearch\bar\1.bin\NPMYWEBS.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\RECYCLER\S-1-5-21-1708537768-484061587-725345543-1004\Dc7.exe multiple threats deleted

Edited by jamiemad1, 06 April 2012 - 07:15 AM.

  • 0
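The OTL file listings above all follow one fixed line format. As an added example (not from the thread, and not OTL's own code), here is a small parser for that format plus the triage filter a helper applies first: executable code under System32 whose version resource carries no company name. Reading the four attribute flags as Read-only/Hidden/System/Directory is an assumption; the sample entries are copied from the log above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# One OTL "Files/Folders" entry (taken from the log above) looks like:
#   [2012/04/06 08:34:32 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
# timestamp | comma-grouped size | four attribute flags | C(reated) or M(odified), then an
# optional "(Company Name)" ("()" when the file has none, absent for directories) and the
# path after " -- ". Section headers and the "[1 C:\...\*.tmp files -> ...]" summary do not
# match the pattern and are skipped.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| "
    r"(?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)

# Assumed meaning of the four flag positions: Read-only, Hidden, System, Directory.
ATTR_NAMES = ("readonly", "hidden", "system", "directory")


@dataclass
class OtlEntry:
    when: datetime
    size: int
    readonly: bool
    hidden: bool
    system: bool
    directory: bool
    kind: str               # "C" = created, "M" = modified
    company: Optional[str]  # None when OTL printed no company or an empty "()"
    path: str


def parse_otl_entries(text: str) -> List[OtlEntry]:
    """Parse every OTL file/folder entry in `text`; lines in any other format are ignored."""
    entries: List[OtlEntry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m is None:
            continue
        flags = dict(zip(ATTR_NAMES, (ch != "-" for ch in m["attrs"])))
        entries.append(OtlEntry(
            when=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            size=int(m["size"].replace(",", "")),
            kind=m["kind"],
            company=m["company"] or None,
            path=m["path"],
            **flags,
        ))
    return entries


def company_counts(entries: List[OtlEntry]) -> Dict[str, int]:
    """How many entries each publisher accounts for; entries without one are keyed "(none)"."""
    return dict(Counter(e.company or "(none)" for e in entries))


SYSTEM_PREFIX = "c:\\windows\\system32\\"
BINARY_EXTS = (".exe", ".dll", ".sys", ".cpl", ".ocx")


def no_company_system_binaries(entries: List[OtlEntry]) -> List[OtlEntry]:
    """Executable code under System32 (drivers included) with no company name.
    Vendors almost always stamp one into the version resource, so these rows are what a
    helper looks at first. It is a triage filter, not a verdict."""
    return [
        e for e in entries
        if not e.directory
        and e.path.lower().startswith(SYSTEM_PREFIX)
        and e.path.lower().endswith(BINARY_EXTS)
        and e.company is None
    ]


# Sample input: entries copied verbatim from the OTL log above (raw string: the paths contain
# backslash sequences such as "\3" that a normal string literal would mangle).
SAMPLE_LOG = r"""
========== Files Created - No Company Name ==========
[2012/04/06 08:34:32 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/04/02 17:10:03 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\AI_RecycleBin
[2012/03/31 08:50:31 | 001,358,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_35.dll
[2012/03/30 19:46:58 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
[2012/04/05 22:54:28 | 1072,549,888 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/15 02:46:54 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/01/05 01:48:04 | 000,138,056 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2012/01/05 01:48:04 | 000,138,056 | ---- | C] () -- C:\Documents and Settings\jacob\Application Data\PnkBstrK.sys
[2012/01/05 01:47:42 | 000,075,136 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrA.exe
[2011/02/17 17:59:09 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\utmzmza3.sys
[2010/10/03 11:02:36 | 000,000,081 | ---- | C] () -- C:\Documents and Settings\jacob\Application Data\RSBot Accounts.ini
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
"""

if __name__ == "__main__":
    parsed = parse_otl_entries(SAMPLE_LOG)
    print(company_counts(parsed))
    for e in no_company_system_binaries(parsed):
        print(f"{e.when:%Y-%m-%d} {e.size:>10} {e.path}")
```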


#2
WhiteHat

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Hello jamiemad1 and welcome to GeeksToGo :)

My nickname is GLeobas and I'm going to help you fix your problem.

Please note that I'm currently in training and my posts have to be approved by an expert before I reply.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.
  • Please do not try to fix anything without being asked
  • I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread.
  • I am currently reviewing your logs.

  • 0

#3
jamiemad1

jamiemad1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 98 posts
Hello again, and thank you very much for helping. My kids are on spring break, and a dirty computer is what I get, lol.
  • 0

#4
WhiteHat

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
# Step 1 #

Please reopen Posted Image on your desktop.
  • Under the Posted Image box at the bottom, paste in the following

    :Commands
    [CREATERESTOREPOINT]
    
    :OTL
    IE - HKLM\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = http://slirsredirect...mrud=19-08-2010
    IE - HKLM\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/w...q={SEARCHTERMS}
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsea...CFQTd4AodQnow0Q
    IE - HKCU\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask...3A-D3739C5E4364
    FF - prefs.js..browser.search.defaultengine: "Ask.com"
    FF - prefs.js..browser.search.defaultenginename: "Ask.com"
    FF - prefs.js..browser.search.order.1: "Ask.com"
    
    
    :Files
    Type C:\WINDOWS\tasks\At1.job /c
    Type C:\WINDOWS\tasks\At2.job /c
    Type C:\WINDOWS\tasks\At3.job /c
    Type C:\WINDOWS\tasks\At4.job /c
    
    :Commands
    [EMPTYTEMP]
    [EMPTYFLASH]
    
  • Then click the Posted Image button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

# Step 2 #

Please reopen Malwarebytes' Anti-Malware.

  • Go to the Updates tab and click on Download Update. If there's an update, allow MBAM to update its database.
  • Now, click on the Verify tab and select "Perform Full scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.


# Step 3 #

Download aswMBR.exe to your desktop.

Double click aswMBR.exe to run it.

Click the "Scan" button to start the scan.
Posted Image

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.
Posted Image
  • 0

#5
jamiemad1

jamiemad1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 98 posts
Hi again!! When I tried to run OTL it turned off Microsoft Security Essentials, and closed down + froze up MBAM; also my whole computer froze up and I had to power down. Here is the first log; I will try to run MBAM again. Thank you

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-07 22:21:34
-----------------------------
22:21:34.890 OS Version: Windows 5.1.2600 Service Pack 3
22:21:34.890 Number of processors: 1 586 0x204
22:21:34.890 ComputerName: JHOME UserName: jacob
22:21:35.250 Initialize success
22:21:45.203 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
22:21:45.203 Disk 0 Vendor: MAXTOR_6L020J1 A93.0500 Size: 19595MB BusType: 3
22:21:45.203 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
22:21:45.203 Disk 1 Vendor: Maxtor_54098H8 DAC10SC0 Size: 32253MB BusType: 3
22:21:45.218 Disk 0 MBR read successfully
22:21:45.218 Disk 0 MBR scan
22:21:45.218 Disk 0 Windows XP default MBR code
22:21:45.218 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 19587 MB offset 63
22:21:45.218 Disk 0 scanning sectors +40114305
22:21:45.312 Disk 0 scanning C:\WINDOWS\system32\drivers
22:21:58.656 Service scanning
22:22:12.468 Service MpKsl35f4054f C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EA565694-E6AF-4A6A-BD67-2DB58CDFD2AE}\MpKsl35f4054f.sys **LOCKED** 32
22:22:44.937 Modules scanning
22:23:28.281 Disk 0 trace - called modules:
22:23:28.828 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
22:23:28.828 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f84ab8]
22:23:28.843 3 CLASSPNP.SYS[f76e3fd7] -> nt!IofCallDriver -> \Device\00000067[0x86f471e0]
22:23:28.843 5 ACPI.sys[f765a620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x86f79d98]
22:23:28.843 Scan finished successfully
22:24:52.468 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\jacob\Desktop\MBR.dat"
22:24:52.484 The log file has been saved successfully to "C:\Documents and Settings\jacob\Desktop\aswMBR.txt"

And MBAM:

Malwarebytes Anti-Malware (PRO) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.07.11

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
jacob :: JHOME [administrator]

Protection: Enabled

4/7/2012 10:38:18 PM
mbam-log-2012-04-07 (22-38-18).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 319870
Time elapsed: 4 hour(s), 26 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Program Files\MsnMusic\MyWebSearch\bar\1.bin\M3HIGHIN.EXE (PUP.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\jacob\Local Settings\Application Data\iBryte\Implementations\browseforchange\Assemblies\1\BrowserObjects.dll (Adware.IBryte) -> Quarantined and deleted successfully.
C:\Documents and Settings\jacob\Local Settings\Application Data\iBryte\Implementations\browseforchange\ProgramFiles\iBryteDesktop.exe (Adware.IBryte) -> Quarantined and deleted successfully.

(end)

Also I keep getting this message from MBAM and it's always outgoing (is this a virus trying to send out info?)

2012/04/07 22:18:03 -0400 JHOME jacob MESSAGE IP Protection started successfully
2012/04/07 22:20:25 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:20:26 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:20:28 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:20:28 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:20:29 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:20:32 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:20:32 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:20:34 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:20:34 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:20:38 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:20:39 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:20:42 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:20:46 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:20:48 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:20:49 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:20:51 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:20:54 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:20:55 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:21:00 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:25:22 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:25:23 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:25:25 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:25:26 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:25:31 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:25:32 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:25:44 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:25:47 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:25:53 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:28:08 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:28:11 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:28:11 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:28:17 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:28:17 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:28:29 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:28:32 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:28:38 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:28:50 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:28:53 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:33:51 -0400 JHOME jacob MESSAGE Starting database refresh
2012/04/07 22:33:51 -0400 JHOME jacob MESSAGE Stopping IP protection

Edited by jamiemad1, 08 April 2012 - 06:57 AM.

  • 0
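For the question about the repeated outgoing blocks (the same log format comes up again later in the thread), here is an added example, not from the thread and not Malwarebytes' own code, that parses these protection-log lines and groups the IP-BLOCK events by destination and direction into bursts, so you can see how often and when a local process tried to connect. The sample lines are a constructed subset of the ones posted above; the 60-second burst gap is an arbitrary choice.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Malwarebytes protection-log lines as pasted above, e.g.
#   2012/04/07 22:20:25 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
#   2012/04/07 22:18:03 -0400 JHOME jacob MESSAGE IP Protection started successfully
# The user column is sometimes missing ("... JHOME MESSAGE Starting protection"), so it is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"(?P<host>\S+) (?:(?P<user>\S+) )?(?P<kind>IP-BLOCK|MESSAGE) (?P<rest>.*)$"
)
BLOCK_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<direction>\w+)\)")


@dataclass
class Event:
    when: datetime
    host: str
    user: Optional[str]
    kind: str                        # "IP-BLOCK" or "MESSAGE"
    ip: Optional[str] = None         # IP-BLOCK only
    direction: Optional[str] = None  # IP-BLOCK only: "outgoing" / "incoming"
    message: Optional[str] = None    # MESSAGE only


def parse_mbam_log(text: str) -> List[Event]:
    """Parse protection-log lines; anything not in the format above is skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ev = Event(datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S %z"), m["host"], m["user"], m["kind"])
        if ev.kind == "IP-BLOCK":
            b = BLOCK_RE.match(m["rest"])
            if b is None:
                continue  # unrecognised IP-BLOCK payload: skip rather than guess
            ev.ip, ev.direction = b["ip"], b["direction"]
        else:
            ev.message = m["rest"]
        events.append(ev)
    return events


@dataclass
class BlockSummary:
    ip: str
    direction: str
    count: int
    first: datetime
    last: datetime
    bursts: List[Tuple[datetime, datetime, int]] = field(default_factory=list)  # (start, end, n)


def summarize_blocks(events: List[Event], burst_gap: timedelta = timedelta(seconds=60)
                     ) -> Dict[Tuple[str, str], BlockSummary]:
    """Group IP-BLOCK events by (destination, direction) and split each group into bursts:
    runs of blocks in which consecutive events are at most `burst_gap` apart."""
    groups: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ev in events:
        if ev.kind == "IP-BLOCK":
            groups[(ev.ip, ev.direction)].append(ev.when)
    summaries = {}
    for key, times in groups.items():
        times.sort()
        bursts, start, prev, n = [], times[0], times[0], 1
        for t in times[1:]:
            if t - prev > burst_gap:
                bursts.append((start, prev, n))
                start, n = t, 1
            else:
                n += 1
            prev = t
        bursts.append((start, prev, n))
        summaries[key] = BlockSummary(key[0], key[1], len(times), times[0], times[-1], bursts)
    return summaries


def describe(s: BlockSummary) -> str:
    """One-line reading of a summary. An "outgoing" block means a process on this host tried
    to reach the address and Malwarebytes refused the connection; the log does not name the
    process, so the burst times are what you line up against what was running then."""
    span = f"{s.first:%Y-%m-%d %H:%M:%S} to {s.last:%H:%M:%S}"
    return f"{s.count} {s.direction} attempts to {s.ip} blocked in {len(s.bursts)} burst(s), {span}"


# Constructed sample: a subset of the lines posted above, same format, fewer rows.
SAMPLE_LOG = """\
2012/04/07 22:18:03 -0400 JHOME jacob MESSAGE IP Protection started successfully
2012/04/07 22:20:25 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:20:26 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:20:28 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:21:00 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:25:22 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:25:23 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:28:08 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:28:11 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/07 22:33:51 -0400 JHOME jacob MESSAGE Stopping IP protection
2012/04/14 10:56:23 -0400 JHOME MESSAGE Starting protection
"""

if __name__ == "__main__":
    for summary in summarize_blocks(parse_mbam_log(SAMPLE_LOG)).values():
        print(describe(summary))
```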

#6
WhiteHat

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
# Step 1 #

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.
To disable MBAM:
  • Open the scanner and select the Protection tab
  • Remove the tick from "Start with Windows"
  • Reboot and then run OTL
Posted Image


# Step 2 #
Please reopen Posted Image on your desktop.


  • Under the Posted Image box at the bottom, paste in the following

    :Commands
    [CREATERESTOREPOINT]
    
    :OTL
    IE - HKLM\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = http://slirsredirect...mrud=19-08-2010
    IE - HKLM\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/w...q={SEARCHTERMS}
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsea...CFQTd4AodQnow0Q
    IE - HKCU\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask...3A-D3739C5E4364
    FF - prefs.js..browser.search.defaultengine: "Ask.com"
    FF - prefs.js..browser.search.defaultenginename: "Ask.com"
    FF - prefs.js..browser.search.order.1: "Ask.com"
    
    
    :Files
    Type C:\WINDOWS\tasks\At1.job /c
    Type C:\WINDOWS\tasks\At2.job /c
    Type C:\WINDOWS\tasks\At3.job /c
    Type C:\WINDOWS\tasks\At4.job /c
    
    :Commands
    [EMPTYTEMP]
    [EMPTYFLASH]
    
  • Then click the Posted Image button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

  • 0

#7
jamiemad1

jamiemad1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 98 posts
Hello, here is the OTL log:

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point (0)
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}\ not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}\ not found.
Prefs.js: "Ask.com" removed from browser.search.defaultengine
Prefs.js: "Ask.com" removed from browser.search.defaultenginename
Prefs.js: "Ask.com" removed from browser.search.order.1
========== FILES ==========
< Type C:\WINDOWS\tasks\At1.job /c >

D:\jacobs downloads\cmd.bat deleted successfully.
D:\jacobs downloads\cmd.txt deleted successfully.
< Type C:\WINDOWS\tasks\At2.job /c >

D:\jacobs downloads\cmd.bat deleted successfully.
D:\jacobs downloads\cmd.txt deleted successfully.
< Type C:\WINDOWS\tasks\At3.job /c >

D:\jacobs downloads\cmd.bat deleted successfully.
D:\jacobs downloads\cmd.txt deleted successfully.
< Type C:\WINDOWS\tasks\At4.job /c >

D:\jacobs downloads\cmd.bat deleted successfully.
D:\jacobs downloads\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temporary Internet Files folder emptied: 0 bytes

User: Administrator.JHOME
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

User: jacob
->Temp folder emptied: 139535821 bytes
->Temporary Internet Files folder emptied: 11073366 bytes
->Java cache emptied: 676099803 bytes
->FireFox cache emptied: 55908862 bytes
->Google Chrome cache emptied: 6224703 bytes
->Flash cache emptied: 15884 bytes

User: jamie madigan

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 80796 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 4554 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 912178 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 22834 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 1162337 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 850.00 mb


[EMPTYFLASH]

User: Administrator

User: Administrator.JHOME

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: jacob
->Flash cache emptied: 0 bytes

User: jamie madigan

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.39.2 log created on 04082012_194854

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
  • 0

#8
WhiteHat

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
# Step 1 #

Please reopen Posted Image on your desktop.
  • Under the Posted Image box at the bottom, paste in the following

    :Commands
    [CREATERESTOREPOINT]
    
    :Files
    C:\WINDOWS\tasks\At*.job
    C:\Program Files\MsnMusic\MyWebSearch
    
  • Then click the Posted Image button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



# Step 2 #

Disable your antivirus software.
  • Access the ESET Online Scanner website using the Internet Explorer browser.
    http://www.eset.com/us/online-scanner/
  • Do the scan according to the image:

    Posted Image
  • At the end, check the box "Delete Quarantined files" and click on [FINISH]
  • A log will be generated in C:\Program Files\EsetOnlineScanner\Log.txt
    PS: If you don't find the log.txt file in \EsetOnlineScanner\, look in \Program Files\Eset\EsetOnlineScanner\log.txt
  • Post that log.

  • 0

#9
jamiemad1

jamiemad1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 98 posts
========== COMMANDS ==========
Restore point Set: OTL Restore Point (0)
========== FILES ==========
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\Program Files\MsnMusic\MyWebSearch\bar\History folder moved successfully.
C:\Program Files\MsnMusic\MyWebSearch\bar\1.bin folder moved successfully.
C:\Program Files\MsnMusic\MyWebSearch\bar folder moved successfully.
C:\Program Files\MsnMusic\MyWebSearch folder moved successfully.

OTL by OldTimer - Version 3.2.39.2 log created on 04102012_180841
  • 0

#10
WhiteHat

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Hi

Please do the ESET Online Scanner step and update me on the situation of your computer. Are you still having any problems with the computer?
  • 0


#11
jamiemad1

jamiemad1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 98 posts
Hello, and thank you again. The computer seems to be doing better now and here is the eset log:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=a8d64ab3a4246542a644b4b7956862cf
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-04-11 01:11:50
# local_time=2012-04-10 09:11:50 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=4352 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776534 100 100 75382495 174698016 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=72919
# found=0
# cleaned=0
# scan_time=10662
  • 0

#12
WhiteHat

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean

The following will implement some cleanup procedures as well as reset System Restore points:

Remove OTL:

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Posted Image
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point
  • (If you use Windows 7/Vista)
  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create

  • (If you use Windows XP)
  • Go to Start > All Programs > Accessories > System Tools > System Restore.
  • Select the option Create a restore point and click on Next.
  • Type in a name i.e. Clean
  • Select Create



Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Posted Image Malwarebytes. Update and run weekly to keep your system clean

Download and install the FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe.


  • 0

#13
jamiemad1

jamiemad1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 98 posts
Hello and thank you again for all your help. I followed your instructions, and the computer seems OK. I do, however, keep getting a message from MBAM stating it is blocking "outgoing" to an IP address; is this OK and normal? Thank you again, you have been a great help.
  • 0

#14
jamiemad1

jamiemad1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 98 posts
Hello and thank you again for all your help. I followed your instructions, and the computer seems OK. I do, however, keep getting a message from MBAM stating it is blocking "outgoing" to an IP address; is this OK and normal? Thank you again, you have been a great help.

2012/04/14 01:10:42 -0400 JHOME jacob MESSAGE Executing scheduled update: Flash Scan | Daily
2012/04/14 01:11:06 -0400 JHOME jacob MESSAGE Starting database refresh
2012/04/14 01:11:06 -0400 JHOME jacob MESSAGE Scheduled update executed successfully: database updated from version v2012.04.13.01 to version v2012.04.14.02
2012/04/14 01:11:09 -0400 JHOME jacob MESSAGE Executing scheduled scan: Flash Scan | -terminate
2012/04/14 01:11:09 -0400 JHOME jacob MESSAGE Scheduled scan executed successfully
2012/04/14 01:14:58 -0400 JHOME jacob MESSAGE Database refreshed successfully
2012/04/14 02:00:00 -0400 JHOME jacob MESSAGE Executing scheduled scan: Quick Scan | Daily | Silent | -remove | -terminate | -reboot | -log
2012/04/14 02:00:00 -0400 JHOME jacob MESSAGE Scheduled scan executed successfully
2012/04/14 10:56:23 -0400 JHOME MESSAGE Starting protection
2012/04/14 10:57:01 -0400 JHOME MESSAGE Protection started successfully
2012/04/14 10:57:04 -0400 JHOME MESSAGE Starting IP protection
2012/04/14 10:58:17 -0400 JHOME jacob MESSAGE IP Protection started successfully
2012/04/14 11:05:51 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:05:51 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:05:51 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:05:54 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:05:54 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:05:54 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:06:00 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:06:00 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:06:12 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:06:15 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:06:21 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:06:37 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:06:38 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:06:40 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:06:41 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:06:42 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:06:45 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:06:45 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:06:46 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:06:47 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:06:51 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:06:56 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:06:59 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:06:59 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:07:02 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:07:03 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:07:05 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:07:06 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:07:08 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:07:12 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:07:17 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:07:20 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:07:26 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:09:09 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:09:09 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:09:12 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:09:12 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:09:18 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:09:18 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:09:30 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:09:33 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:09:39 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:11:42 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:11:45 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:11:45 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:11:51 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:11:51 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:12:03 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:12:07 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:12:13 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
  • 0
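The repeated IP-BLOCK lines are the part of this log worth triaging: what matters is how many blocks there were, whether they come in bursts, and when, so the timing can be lined up against what was running on the machine at those moments. The following is an added example, not code from this thread or from Malwarebytes; it parses protection-log lines in the format quoted above and summarises the blocked IPs. The sample lines are constructed in that same format, and the 60-second burst gap is an arbitrary choice.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# MBAM protection-log layout as quoted in the thread:
# "YYYY/MM/DD HH:MM:SS -0400 HOST user IP-BLOCK a.b.c.d (Type: outgoing)"
IP_BLOCK_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [+-]\d{4} \S+ \S+ "
    r"IP-BLOCK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<dir>\w+)\)$"
)

def parse_ip_blocks(lines):
    """Return (timestamp, ip, direction) for each IP-BLOCK line; MESSAGE lines are skipped."""
    events = []
    for line in lines:
        m = IP_BLOCK_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["ip"], m["dir"]))
    return events

def summarize(events, gap=timedelta(seconds=60)):
    """Per IP: total blocks, outgoing blocks, first/last seen and burst count.
    A new burst starts when more than `gap` passes between consecutive blocks."""
    per_ip = defaultdict(list)
    for ts, ip, direction in events:
        per_ip[ip].append((ts, direction))
    summary = {}
    for ip, items in per_ip.items():
        items.sort()
        bursts = 1 + sum(1 for (a, _), (b, _) in zip(items, items[1:]) if b - a > gap)
        summary[ip] = {
            "count": len(items),
            "outgoing": sum(1 for _, d in items if d == "outgoing"),
            "first": items[0][0], "last": items[-1][0], "bursts": bursts,
        }
    return summary

# Constructed sample in the same format as the log above (a subset, not the full posted log).
SAMPLE_LOG = """\
2012/04/14 10:57:01 -0400 JHOME MESSAGE Protection started successfully
2012/04/14 11:05:51 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:05:54 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:07:26 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:09:09 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
2012/04/14 11:11:42 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)
""".splitlines()

if __name__ == "__main__":
    for ip, s in summarize(parse_ip_blocks(SAMPLE_LOG)).items():
        print(f"{ip}: {s['count']} blocks, {s['outgoing']} outgoing, {s['bursts']} bursts, {s['first']:%H:%M:%S} to {s['last']:%H:%M:%S}")
```

Run it against the full protection log (one line per entry) to see whether the blocks cluster into a few bursts, which is the pattern to compare against the applications that were open at those times.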

#15
WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Hi,

Please, could you tell me what you were doing when MBAM detected that IP? Was your browser open?

2012/04/14 11:05:51 -0400 JHOME jacob IP-BLOCK 204.137.28.82 (Type: outgoing)


  • 0
