Geeks to Go
Fastantivirus2011 on Vista, Microsoft Security Essentials won't work. N


  • This topic is locked

#1 SA8m (New Member, 4 posts)

Hey guys, I'm sorry about the title, but I need to fix this computer today ASAP for an important thing and I'm not sure if I did things correctly. I scanned with Malwarebytes and I'm not sure if everything is gone from this.

Also, this computer is not owned by a tech-savvy person, so I am trying to add an extra level of protection comprising security add-ons for Google Chrome (like NoScript on FF but for Chrome) + AdBlock + a good firewall.

So far I've installed AdBlock and NoScript for Chrome, removed some useless programs, and stopped a lot of useless things on startup, but I'm not sure if I can remove some things, so if you could tell me which ones are okay to NOT allow on startup it would be awesome. I could provide a text list.

I've already removed a lot of the useless startups, but I'm not sure which programs are okay to remove and which are not when it comes to bloatware. I also want to get rid of all of the useless bloatware.

I just want to make it more robust.

Also, CCleaner reports there are a lot of problems with the registry, but I'm not sure what to do. I can provide a text list of that. Please help me fix that.

I also want to get rid of all this bloatware HP installs on their computers. I also want to remove all the useless startup programs.
I've installed Microsoft Security Essentials and Malwarebytes, with CCleaner, along with adding these http://winhelp2002.mvps.org/hosts.htm hosts files. Is this good?



OTL logfile created on: 6/22/2011 4:05:52 PM - Run 2
OTL by OldTimer - Version 3.2.24.1 Folder = C:\Users\salamim\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19048)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.75 Gb Total Physical Memory | 1.76 Gb Available Physical Memory | 63.94% Memory free
5.72 Gb Paging File | 4.74 Gb Available in Paging File | 82.85% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 287.21 Gb Total Space | 164.69 Gb Free Space | 57.34% Space Free | Partition Type: NTFS
Drive D: | 10.88 Gb Total Space | 1.37 Gb Free Space | 12.63% Space Free | Partition Type: NTFS

Computer Name: SALAMIM-PC | User Name: salamim | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/22 15:54:55 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Users\salamim\Desktop\OTL.scr
PRC - [2011/05/07 00:23:29 | 000,273,544 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\Update\realsched.exe
PRC - [2010/12/14 07:49:23 | 001,169,408 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sdclt.exe
PRC - [2010/11/30 14:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/11/17 12:40:26 | 000,473,616 | ---- | M] () -- C:\Program Files\PdaNet for Android\PdaNetPC.exe
PRC - [2009/04/10 23:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/10/06 09:54:52 | 000,365,952 | ---- | M] () -- C:\Program Files\SMINST\BLService.exe


========== Modules (SafeList) ==========

MOD - [2011/06/22 15:54:55 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Users\salamim\Desktop\OTL.scr
MOD - [2010/08/31 08:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Norton Internet Security)
SRV - [2010/11/11 13:26:42 | 000,206,360 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/10/06 09:54:52 | 000,365,952 | ---- | M] () [Auto | Running] -- C:\Program Files\SMINST\BLService.exe -- (Recovery Service for Windows)


========== Driver Services (SafeList) ==========

DRV - [2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/10/24 22:25:38 | 000,054,144 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2010/10/24 22:25:38 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2010/09/02 17:49:06 | 000,013,312 | ---- | M] (June Fabrics Technology Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pneteth.sys -- (pneteth)
DRV - [2009/07/23 21:01:00 | 009,791,072 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2009/06/10 17:49:32 | 000,024,576 | ---- | M] (HTC, Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ANDROIDUSB.sys -- (HTCAND32)
DRV - [2009/04/10 21:42:52 | 000,031,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUSB)
DRV - [2008/06/05 09:58:42 | 000,222,208 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2008/05/09 12:17:32 | 000,043,040 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvhda32v.sys -- (NVHDA)
DRV - [2008/04/27 12:07:44 | 000,909,824 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/04/24 15:51:46 | 000,014,848 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2008/01/29 06:55:00 | 001,042,464 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2008/01/20 19:23:20 | 002,225,664 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel®
DRV - [2007/10/17 16:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/06/18 17:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2006/09/28 14:32:14 | 000,009,472 | ---- | M] (June Fabrics Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pnetmdm.sys -- (pnetmdm)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...avilion&pf=cnnb
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...avilion&pf=cnnb

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...avilion&pf=cnnb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://login.live.co...64855&mkt=en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/05/07 00:23:59 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2006/09/18 14:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Microsoft Live Search Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (Microsoft Live Search Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [TkBellExe] c:\program files\real\realplayer\Update\realsched.exe (RealNetworks, Inc.)
O4 - Startup: C:\Users\salamim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PdaNet Desktop.lnk = C:\Program Files\PdaNet for Android\PdaNetPC.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: UseDefaultTile = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideFastUserSwitching = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogOff = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableLockWorkstation = 0
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} https://h50203.www5....DataManager.CAB (Hewlett-Packard Online Support Services)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail....NPUplden-us.cab (MSN Photo Upload Tool)
O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} http://h20264.www2.h...osticsVista.cab (HPDDClientExec Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} http://support.micro...gWebControl.cab (Diagnostics ActiveX WebControl)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail....NPUplden-us.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\salamim\AppData\Roaming\Microsoft\Windows Live Photo Gallery\Windows Live Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\salamim\AppData\Roaming\Microsoft\Windows Live Photo Gallery\Windows Live Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 14:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{2115517a-975a-11df-b222-001f1669fd43}\Shell\AutoRun\command - "" = F:\JDSecure\Windows\JDSecure31.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/22 15:54:52 | 000,579,072 | ---- | C] (OldTimer Tools) -- C:\Users\salamim\Desktop\OTL.scr
[2011/06/22 13:48:33 | 000,000,000 | ---D | C] -- C:\Users\salamim\AppData\Roaming\Malwarebytes
[2011/06/22 13:48:20 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/06/22 13:48:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/06/22 13:48:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/06/22 13:48:16 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/06/22 13:48:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/06/22 13:46:59 | 000,000,000 | ---D | C] -- C:\Users\salamim\AppData\Local\{D7F1CD9F-043B-463D-B5DC-F1B3A7FE9F07}
[2011/06/06 21:47:55 | 000,000,000 | ---D | C] -- C:\Users\salamim\AppData\Local\{FC09395E-8E0C-47CD-81C9-C313E542F0D1}
[2011/06/04 13:47:29 | 000,876,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsPrint.dll
[2011/06/04 13:42:09 | 000,000,000 | ---D | C] -- C:\Users\salamim\AppData\Local\{A21E356C-D77F-4DE4-B26F-3EA145A9B479}
[2011/06/02 20:48:13 | 000,000,000 | ---D | C] -- C:\Users\salamim\AppData\Local\{14CC8AB0-74E9-4B3C-8657-DF1C349CCAC6}
[2011/06/01 16:56:54 | 000,000,000 | ---D | C] -- C:\Users\salamim\AppData\Local\{EE083DCF-CC56-4BF2-A12B-A932EA33DC8A}
[2011/05/31 20:49:03 | 000,000,000 | ---D | C] -- C:\Users\salamim\AppData\Local\{51F03355-AA4C-4971-B3FA-255E753F7EBF}
[2011/05/31 19:43:27 | 000,000,000 | ---D | C] -- C:\Users\salamim\AppData\Local\{941B9707-A4D8-4EDB-8A39-C8A45262FB07}
[2011/05/30 11:13:57 | 000,000,000 | ---D | C] -- C:\Users\salamim\AppData\Local\{9D913730-4B77-47EF-9336-B50B94A61563}
[2011/05/30 10:42:11 | 000,000,000 | ---D | C] -- C:\Users\salamim\AppData\Local\{D4F0E779-9847-4F4A-B905-16E876F7FA90}
[2011/05/26 21:44:41 | 000,000,000 | ---D | C] -- C:\Users\salamim\AppData\Local\{A58B1EB9-AA1C-4F6C-926E-9FF0012B807E}
[2011/05/23 17:11:25 | 000,000,000 | ---D | C] -- C:\Users\salamim\AppData\Local\{81719476-1A45-4521-8E5B-10C14CBEA2DB}
[2008/11/12 12:38:44 | 000,441,344 | ---- | C] ( ) -- C:\Windows\System32\savst.exe
[1996/11/18 00:00:00 | 000,018,944 | ---- | C] ( ) -- C:\Windows\System32\Implode.dll

========== Files - Modified Within 30 Days ==========

[2011/06/22 15:54:55 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Users\salamim\Desktop\OTL.scr
[2011/06/22 15:50:00 | 000,000,916 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1208518912-1296582192-4238432265-1000UA.job
[2011/06/22 15:47:55 | 000,609,506 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/06/22 15:47:55 | 000,106,014 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/06/22 15:44:50 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/06/22 15:44:38 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/06/22 15:44:34 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/06/22 14:13:06 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/06/22 14:13:06 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/06/22 14:12:58 | 2951,110,656 | -HS- | M] () -- C:\hiberfil.sys
[2011/06/22 13:56:09 | 000,001,971 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2011/06/22 13:50:00 | 000,000,864 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1208518912-1296582192-4238432265-1000Core.job
[2011/06/22 13:48:22 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/22 13:36:08 | 000,010,946 | -HS- | M] () -- C:\Users\salamim\AppData\Local\0a27430g3r550n54
[2011/06/22 13:36:08 | 000,010,946 | -HS- | M] () -- C:\ProgramData\0a27430g3r550n54
[2011/06/02 20:46:10 | 000,002,625 | ---- | M] () -- C:\Users\salamim\Desktop\Microsoft Office Word 2007.lnk
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/05/29 09:11:20 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2011/06/22 13:48:22 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/22 13:43:38 | 2951,110,656 | -HS- | C] () -- C:\hiberfil.sys
[2011/06/04 15:46:56 | 000,010,946 | -HS- | C] () -- C:\Users\salamim\AppData\Local\0a27430g3r550n54
[2011/06/04 15:46:56 | 000,010,946 | -HS- | C] () -- C:\ProgramData\0a27430g3r550n54
[2010/05/03 20:01:24 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/03/08 22:17:51 | 000,000,000 | ---- | C] () -- C:\Windows\DbgOut.INI
[2009/12/18 23:57:47 | 000,000,000 | ---- | C] () -- C:\Users\salamim\AppData\Roaming\wklnhst.dat
[2009/09/24 18:50:13 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/09/24 18:50:12 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/06/16 19:45:38 | 000,000,037 | ---- | C] () -- C:\Windows\cdplayer.ini
[2009/04/28 18:27:38 | 000,337,603 | ---- | C] () -- C:\Windows\jgzr.dat
[2009/04/22 16:48:44 | 000,007,808 | ---- | C] () -- C:\Users\salamim\AppData\Local\d3d9caps.dat
[2009/04/11 15:47:02 | 000,028,029 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/04/11 15:46:59 | 000,028,029 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/04/09 23:37:54 | 000,022,528 | ---- | C] () -- C:\Users\salamim\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/04 20:41:36 | 000,000,246 | ---- | C] () -- C:\ProgramData\hpqp.ini
[2009/02/04 20:07:37 | 000,003,948 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
[2008/10/25 15:59:53 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/01/14 18:47:06 | 000,099,712 | ---- | C] () -- C:\Windows\HPBroker.dll
[2006/11/02 05:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 05:47:37 | 000,423,568 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 05:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 03:33:01 | 000,609,506 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 03:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 03:33:01 | 000,106,014 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 03:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 03:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 01:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 01:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 00:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 00:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2005/08/26 16:28:34 | 000,143,360 | ---- | C] () -- C:\Windows\unzip.exe
[2005/08/26 16:28:20 | 000,024,576 | ---- | C] () -- C:\Windows\shortcut.exe
[2005/08/26 16:27:58 | 000,045,056 | ---- | C] () -- C:\Windows\devenum.exe
[2005/08/10 10:56:00 | 000,028,672 | ---- | C] () -- C:\Windows\System32\ESxUtil.dll
[2002/06/26 14:04:02 | 000,053,248 | ---- | C] () -- C:\Windows\regperm.exe
[1996/11/18 00:00:00 | 000,748,160 | ---- | C] () -- C:\Windows\System32\Co2c40en.dll
[1996/11/18 00:00:00 | 000,131,072 | ---- | C] () -- C:\Windows\System32\P2sodbc.dll
[1996/11/18 00:00:00 | 000,054,272 | ---- | C] () -- C:\Windows\System32\P2irdao.dll
[1996/11/18 00:00:00 | 000,050,176 | ---- | C] () -- C:\Windows\System32\P2ctdao.dll
[1996/11/18 00:00:00 | 000,036,352 | ---- | C] () -- C:\Windows\System32\P2bbnd.dll
[1996/05/25 16:00:00 | 000,107,008 | ---- | C] () -- C:\Windows\System32\fxtls432.dll

< End of report >




Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6922

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19048

6/22/2011 2:11:17 PM
mbam-log-2011-06-22 (14-11-17).txt

Scan type: Quick scan
Objects scanned: 172981
Time elapsed: 8 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\salamim\AppData\Local\slw.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\salamim\downloads\fastantivirus2011 (1).exe (Malware.Gen) -> Quarantined and deleted successfully.
c:\Users\salamim\downloads\fastantivirus2011 (2).exe (Malware.Gen) -> Quarantined and deleted successfully.
c:\Users\salamim\downloads\fastantivirus2011.exe (Malware.Gen) -> Quarantined and deleted successfully.
c:\Users\salamim\local settings\application data\wcl.exe (Malware.Gen) -> Quarantined and deleted successfully.

Edited by SA8m, 23 June 2011 - 11:25 AM.



#2 michaelg9 (Trusted Helper, Malware Removal, 2,949 posts)

Hi :)
My name is Michael and I am here to help you fix your computer.
If you have already received help elsewhere please inform me so that this topic can be closed.
If you haven't, please keep reading:
Note: Before we start the process you should:
  • POST your logs, don't attach them, as it makes it harder to read. Also please don't edit any log in any case
  • Disable ANY programs that offer real-time protection features while executing my instructions. That includes your antivirus, antispyware, Windows Defender or any other program that offers protection. When you're clean or waiting for my next set of instructions, re-enable them. If you need any help disabling them, ask.
  • Each time I instruct you to download a file to use it, please do it even if I have told you before to download it again. This is because these tools are frequently updated to detect newer infections.
  • Last, as most of the tools we use here need administrative rights in order to function properly, I expect that you will be running them from an administrator account.


Thank you for waiting.
I'd suggest not using any tool that 'fixes' the registry, as the only thing it may give you is problems :)





Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**


Next:


Please delete the copy of OTL.exe you have, as it's outdated.
Download OTL to your Desktop
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    SRV - File not found [Auto | Stopped] -- -- (Norton Internet Security)
    IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
    O4 - HKLM..\Run: [] File not found
    O15 - HKCU\..Trusted Ranges: Range1 ([http] in Local intranet)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
    O33 - MountPoints2\{2115517a-975a-11df-b222-001f1669fd43}\Shell\AutoRun\command - "" = F:\JDSecure\Windows\JDSecure31.exe
    [2011/06/22 13:46:59 | 000,000,000 | ---D | C] -- C:\Users\salamim\AppData\Local\{D7F1CD9F-043B-463D-B5DC-F1B3A7FE9F07}
    [2011/06/06 21:47:55 | 000,000,000 | ---D | C] -- C:\Users\salamim\AppData\Local\{FC09395E-8E0C-47CD-81C9-C313E542F0D1}
    [2011/06/04 13:42:09 | 000,000,000 | ---D | C] -- C:\Users\salamim\AppData\Local\{A21E356C-D77F-4DE4-B26F-3EA145A9B479}
    [2011/06/02 20:48:13 | 000,000,000 | ---D | C] -- C:\Users\salamim\AppData\Local\{14CC8AB0-74E9-4B3C-8657-DF1C349CCAC6}
    [2011/06/01 16:56:54 | 000,000,000 | ---D | C] -- C:\Users\salamim\AppData\Local\{EE083DCF-CC56-4BF2-A12B-A932EA33DC8A}
    [2011/05/31 20:49:03 | 000,000,000 | ---D | C] -- C:\Users\salamim\AppData\Local\{51F03355-AA4C-4971-B3FA-255E753F7EBF}
    [2011/05/31 19:43:27 | 000,000,000 | ---D | C] -- C:\Users\salamim\AppData\Local\{941B9707-A4D8-4EDB-8A39-C8A45262FB07}
    [2011/05/30 11:13:57 | 000,000,000 | ---D | C] -- C:\Users\salamim\AppData\Local\{9D913730-4B77-47EF-9336-B50B94A61563}
    [2011/05/30 10:42:11 | 000,000,000 | ---D | C] -- C:\Users\salamim\AppData\Local\{D4F0E779-9847-4F4A-B905-16E876F7FA90}
    [2011/05/26 21:44:41 | 000,000,000 | ---D | C] -- C:\Users\salamim\AppData\Local\{A58B1EB9-AA1C-4F6C-926E-9FF0012B807E}
    [2011/05/23 17:11:25 | 000,000,000 | ---D | C] -- C:\Users\salamim\AppData\Local\{81719476-1A45-4521-8E5B-10C14CBEA2DB}
    [2011/06/22 13:36:08 | 000,010,946 | -HS- | M] () -- C:\Users\salamim\AppData\Local\0a27430g3r550n54
    [2011/06/22 13:36:08 | 000,010,946 | -HS- | M] () -- C:\ProgramData\0a27430g3r550n54
    [2011/06/04 15:46:56 | 000,010,946 | -HS- | C] () -- C:\Users\salamim\AppData\Local\0a27430g3r550n54
    [2011/06/04 15:46:56 | 000,010,946 | -HS- | C] () -- C:\ProgramData\0a27430g3r550n54
    [2009/12/18 23:57:47 | 000,000,000 | ---- | C] () -- C:\Users\salamim\AppData\Roaming\wklnhst.dat
    [2009/04/28 18:27:38 | 000,337,603 | ---- | C] () -- C:\Windows\jgzr.dat

    :Services

    :Reg

    :Files
    C:\Users\salamim\AppData\Local\slw.exe
    c:\Users\salamim\local settings\application data\wcl.exe

    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again.
  • Under Extra Registry select Use SafeList
  • Click the Run Scan button. Post the two logs it produces in your next reply.



Next:

File Scanner
There are some files I need you to upload for checking

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • C:\Windows\System32\savst.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

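A defender-side triage script for logs in this format, added here as an illustration and not part of the thread, of OTL, or of Malwarebytes: it applies the same heuristics the helper used when building the fix list above (orphaned registry entries that point at nothing, hidden+system files with random names under the user profile, executables with no company name that deserve a multi-engine scan, and O35/O37 file-association commands that differ from the expected `"%1" %*`, the hijack that typically stops a security product from launching). The sample lines are constructed in OTL's line format; the HKCU exefile line pointing at `constructed_rogue.exe` is invented to show what a hijacked association looks like, since the poster's own log shows clean values there.

```python
import re

# Constructed sample in OTL's line format. Most lines mirror entries from the
# thread; the HKCU exefile line is invented to show a hijacked association.
SAMPLE_OTL = r"""
SRV - File not found [Auto | Stopped] -- -- (Norton Internet Security)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "C:\Users\example\AppData\Local\constructed_rogue.exe" -a "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
[2011/06/22 13:36:08 | 000,010,946 | -HS- | M] () -- C:\Users\salamim\AppData\Local\0a27430g3r550n54
[2011/06/22 13:48:22 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/11/12 12:38:44 | 000,441,344 | ---- | C] ( ) -- C:\Windows\System32\savst.exe
[2011/06/22 13:46:59 | 000,000,000 | ---D | C] -- C:\Users\salamim\AppData\Local\{D7F1CD9F-043B-463D-B5DC-F1B3A7FE9F07}
"""

# "[date | size | attrs | C/M] (company) -- path"; the company part is optional
# for directory entries.
FILE_RE = re.compile(
    r"^\[(?P<date>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
# O35/O37 file-association entries: "O35 - HKLM\..exefile [open] -- <command>".
ASSOC_RE = re.compile(r"^O3[57] - (?P<hive>HK\w+)\\\.{2,3}(?P<ext>\w+) (?:\[[^\]]*\] )?-- (?P<cmd>.+)$")
EXPECTED_ASSOC_CMD = '"%1" %*'   # the stock Windows open command for exe/com files

USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\", "\\temp\\", "\\local settings\\")
EXEC_EXTS = (".exe", ".dll", ".scr", ".sys", ".com", ".bat")


def looks_random(name):
    """Extension-less, letters-and-digits names such as 0a27430g3r550n54."""
    if "." in name or name.startswith("{") or len(name) < 10:
        return False
    return any(c.isdigit() for c in name) and any(c.isalpha() for c in name)


def triage_line(line):
    """Return (severity, reason) for one OTL line, or None if nothing stands out."""
    line = line.strip()
    if not line:
        return None
    if "File not found" in line or "No CLSID value found" in line:
        return ("low", "orphaned entry: registry points at something that no longer exists")
    m = ASSOC_RE.match(line)
    if m:
        if m.group("cmd").strip() != EXPECTED_ASSOC_CMD:
            return ("high", f'{m.group("ext")} open command hijacked: {m.group("cmd")}')
        return None
    m = FILE_RE.match(line)
    if m:
        path = m.group("path")
        lower = path.lower()
        name = path.rsplit("\\", 1)[-1]
        attrs = m.group("attrs")
        company = (m.group("company") or "").strip()
        in_user_dir = any(tok in lower for tok in USER_WRITABLE)
        if "H" in attrs and "S" in attrs and in_user_dir:
            return ("high", "hidden+system file in a user-writable location")
        if in_user_dir and looks_random(name):
            return ("medium", "random-looking file name in a user-writable location")
        if lower.endswith(EXEC_EXTS) and not company and "D" not in attrs:
            return ("medium", "executable with no company name; submit for a multi-engine scan")
    return None


def triage(text):
    """Run every line through triage_line and collect the findings."""
    findings = []
    for line in text.splitlines():
        result = triage_line(line)
        if result:
            severity, reason = result
            findings.append({"severity": severity, "reason": reason, "line": line.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_OTL):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
```

The heuristics are deliberately conservative: a finding is a prompt to look closer (or, as the helper did with savst.exe, to submit the file to a multi-engine scanner), not a verdict, and a clean result from such a script says nothing about items the rules do not cover.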

#3 michaelg9 (Trusted Helper, Malware Removal, 2,949 posts)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.