Solved Cannot remove Trojan:DOS/Alureon.A

S

seanmcquade

Posts: 16   +0
Hi all, hoping for some help.

I got a support call from a customer who had some nasty viruses. Hidden all his files, was popping up error messages etc. I ran MWB and CF but couldn't get the computer disinfected so I booted from Win 7 DVD, formatted C:\ and re-installed the OS, but left the OEM and Recovery partition intact.

After installing MSE, it was telling me it found a threat - Trojan:DOS/Alureon.A and tells me I need to restart to remove it, but it never works.

Security Essentials encountered the following error: Error code 0x800704ec. This program is blocked by group policy. For more information, contact your system administrator.

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommended action: Remove this software immediately.

Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.

Items:
boot:\Device\HarddiskVolume4
boot:\Device\HarddiskVolume4\
boot:\\.\PHYSICALDRIVE0\Partition3 (Type 17)
Click to expand...

I ran the scans requested and here are the logs. Any help is appreciated:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.20.03

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
ChrisA :: CHRISA-PC [administrator]

20/01/2012 21:54:54
mbam-log-2012-01-20 (21-54-54).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 174536
Time elapsed: 2 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)




+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=





GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-01-20 21:53:42
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200AAKS-75L9A0 rev.02.03E02
Running: lhm9wiv9.exe; Driver: C:\Users\ChrisA\AppData\Local\Temp\kwdirpod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----




+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=




.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_30
Run by ChrisA at 22:07:12 on 2012-01-20
Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.2007.1203 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\TeamViewer\Version7\TeamViewer_Desktop.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
c:\program files\teamviewer\version7\TeamViewer.exe
C:\Program Files\TeamViewer\Version7\tv_w32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Users\ChrisA\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Google Update] "c:\users\chrisa\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\users\chrisa\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\chrisa\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\chrisa\appdata\roaming\micros~1\windows\startm~1\programs\startup\facebo~1.lnk - c:\program files\facebook desktop\Facebook Desktop.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{7D5B2573-D935-49EF-98EF-979D0B625DC5} : NameServer = 8.8.8.8
TCP: Interfaces\{7D5B2573-D935-49EF-98EF-979D0B625DC5} : DhcpNameServer = 192.168.1.254 192.168.1.254
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\chrisa\appdata\roaming\mozilla\firefox\profiles\cp3kld4d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/?ref=hp
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\5.0.61118.0\npctrlui.dll
FF - plugin: c:\users\chrisa\appdata\local\google\update\1.3.21.79\npGoogleUpdate3.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2012-1-20 2214504]
R2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2012-1-20 3027840]
R3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2009-8-6 273960]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
.
=============== Created Last 30 ================
.
2012-01-21 03:59:37 -------- d-----w- c:\windows\Panther
2012-01-21 03:59:26 -------- d-sh--w- C:\Boot
2012-01-21 03:59:16 -------- d-----w- c:\windows\system32\OEM
2012-01-20 22:02:02 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{050ce254-1654-4415-a5a3-4202e52cda45}\offreg.dll
2012-01-20 21:55:33 6557240 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{050ce254-1654-4415-a5a3-4202e52cda45}\mpengine.dll
2012-01-20 21:06:15 66664 ----a-w- c:\windows\system32\nvshext.dll
2012-01-20 21:06:15 615528 ----a-w- c:\windows\system32\nvvsvc.exe
2012-01-20 21:06:15 3693672 ----a-w- c:\windows\system32\nvcpl.dll
2012-01-20 21:06:15 2560616 ----a-w- c:\windows\system32\nvsvcr.dll
2012-01-20 21:06:15 2557544 ----a-w- c:\windows\system32\nvsvc.dll
2012-01-20 21:06:15 111208 ----a-w- c:\windows\system32\nvmctray.dll
2012-01-20 21:06:13 543336 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2012-01-20 21:05:50 -------- d-----w- c:\programdata\NVIDIA Corporation
2012-01-20 21:05:47 -------- d-----w- c:\program files\NVIDIA Corporation
2012-01-20 20:47:07 -------- d-----w- c:\users\chrisa\appdata\local\VueSoft
2012-01-20 20:47:04 -------- d-----w- c:\users\chrisa\appdata\local\Real
2012-01-20 20:43:38 703824 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ca542980-3a96-42bd-813e-ff0f26cc1105}\gapaengine.dll
2012-01-20 20:40:49 -------- d-----w- c:\users\chrisa\appdata\local\ElevatedDiagnostics
2012-01-20 20:40:49 -------- d-----w- c:\users\chrisa\appdata\local\Apple Computer
2012-01-20 20:40:48 -------- d-----w- c:\users\chrisa\appdata\local\Adobe
2012-01-20 20:40:23 -------- d-----r- c:\users\chrisa\Dropbox
2012-01-20 20:40:08 -------- d-----w- c:\users\chrisa\appdata\roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2012-01-20 20:40:05 -------- d-----w- c:\users\chrisa\appdata\roaming\Intel Corporation
2012-01-20 20:40:05 -------- d-----w- c:\users\chrisa\appdata\roaming\com.facebookdesktop.app
2012-01-20 20:39:42 6557240 ------w- c:\programdata\microsoft\windows defender\definition updates\{c7155ee6-a26c-4ff1-843a-824a015aacd0}\mpengine.dll
2012-01-20 20:39:42 222080 ------w- c:\windows\system32\MpSigStub.exe
2012-01-20 20:36:09 -------- d-----w- c:\program files\TeamViewer
2012-01-20 20:35:22 -------- d-----w- c:\users\chrisa\appdata\local\Mozilla
2012-01-20 20:33:57 -------- d-----w- c:\users\chrisa\appdata\roaming\Malwarebytes
2012-01-20 20:32:58 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-20 20:32:58 -------- d-----w- c:\programdata\Malwarebytes
2012-01-20 20:32:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-20 20:32:37 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-20 20:32:34 18944 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\mdippr.dll
2012-01-20 20:32:34 17920 ----a-w- c:\windows\system32\mdimon.dll
2012-01-20 20:32:09 -------- d-----w- c:\program files\Microsoft ActiveSync
2012-01-20 20:30:59 -------- d-----w- c:\users\chrisa\appdata\local\Apple
2012-01-20 20:30:40 132608 ----a-w- c:\windows\system32\cabview.dll
2012-01-20 20:30:39 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-01-20 20:25:58 -------- d-----w- c:\users\chrisa\appdata\roaming\Dropbox
2012-01-20 20:25:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-20 20:23:47 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-20 20:23:36 -------- d-----w- c:\users\chrisa\appdata\local\Google
2012-01-20 20:17:40 -------- d-----w- c:\program files\Broadcom
2012-01-20 20:17:20 -------- d-sh--w- c:\windows\Installer
2012-01-20 20:17:10 -------- d-----w- C:\dell
2012-01-20 20:07:31 -------- d-----w- c:\windows\system32\wbem\Performance
.
==================== Find3M ====================
.
2011-10-24 14:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 14:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
============= FINISH: 22:07:38.79 ===============
 
Welcome aboard
yahooo.gif


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=============================================================

I still need Attach.txt log from DDS.

Then....

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

=============================================================

Download Bootkit Remover to your Desktop.

  • Unzip downloaded file to your Desktop.
  • Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
Hi Broni, thanks for the help.

Below is attach.txt. C: is OS, D is Recovery, and F: is external directory containing a copy of the user's files. Apologies for posting this in a CODE box but was receiving the error "You have included 18 images in your message. You are limited to using 6 images so please go back and correct the problem and then continue again" when trying to paste it in
.

Code: 
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Professional 
Boot Device: \Device\HarddiskVolume3
Install Date: 20/01/2012 20:04:19
System Uptime: 21/01/2012 09:57:10 (1 hours ago)
.
Motherboard: Dell Inc. |  | 054KM3
Processor: Intel(R) Core(TM) i5 CPU         750  @ 2.67GHz | CPU 1 | 2507/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 288 GiB total, 238.049 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 4.865 GiB free.
E: is CDROM ()
F: is FIXED (NTFS) - 466 GiB total, 257.119 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: 
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_8086&DEV_3B64&SUBSYS_04261028&REV_06\3&11583659&0&B0
Manufacturer: 
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_8086&DEV_3B64&SUBSYS_04261028&REV_06\3&11583659&0&B0
Service: 
.
==== System Restore Points ===================
.
RP1: 20/01/2012 20:17:24 - Installed Broadcom Gigabit NetLink Controller.
RP2: 20/01/2012 20:31:27 - Windows Update
RP3: 20/01/2012 20:31:35 - Installed Microsoft Office Professional Edition 2003
RP4: 20/01/2012 20:39:32 - Windows Update
RP5: 20/01/2012 20:47:14 - Windows Update
RP6: 20/01/2012 21:05:07 - Windows Update
RP7: 20/01/2012 22:46:38 - Removed Microsoft Office Professional Edition 2003
RP8: 20/01/2012 22:48:18 - Installed Microsoft Office Professional Edition 2003
RP9: 20/01/2012 22:56:40 - Windows Update
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.2)
Apple Application Support
Apple Software Update
Broadcom Gigabit NetLink Controller
Dropbox
ESET Online Scanner v3
Google Chrome
Java Auto Updater
Java(TM) 6 Update 30
Malwarebytes Anti-Malware version 1.60.0.1800
Microsoft Antimalware
Microsoft Office Professional Edition 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Mozilla Firefox 9.0.1 (x86 en-US)
NVIDIA Control Panel 275.33
NVIDIA Graphics Driver 275.33
NVIDIA Install Application
NVIDIA Update 1.3.5
NVIDIA Update Components
QuickTime
TeamViewer 7
WinRAR 4.10 (32-bit)
.
==== Event Viewer Messages From Past Week ========
.
21/01/2012 10:02:49, Error: atapi (11)  - The driver detected a controller error on \Device\Ide\IdePort0.
21/01/2012 09:59:24, Error: Microsoft-Windows-TerminalServices-Printers (1111)  - Driver PrimoPDF required for printer PrimoPDF is unknown. Contact the administrator to install the driver before you log in again.
21/01/2012 09:58:20, Error: Ntfs (55)  - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume .
21/01/2012 09:57:51, Error: Microsoft Antimalware (3002)  - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed.  	Feature: Behavior Monitoring  	Error Code: 0x80004005  	Error description: Unspecified error   	Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
21/01/2012 00:08:20, Error: Service Control Manager (7043)  - The Windows Update service did not shut down properly after receiving a preshutdown control.
20/01/2012 23:34:50, Error: Microsoft Antimalware (1119)  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.  For more information please see the following: (url)[url]http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:DOS/Alureon.E&threatid=2147650952(/url[/url])  	Name: Trojan:DOS/Alureon.E  	ID: 2147650952  	Severity: Severe  	Category: Trojan  	Path: boot:_\Device\HarddiskVolume4;boot:_\Device\HarddiskVolume4\  	Detection Origin: Local machine  	Detection Type: Concrete  	Detection Source: Real-Time Protection  	User: NT AUTHORITY\SYSTEM  	Process Name: System  	Action: Remove  	Action Status:  To finish removing malware and other potentially unwanted software, restart the computer.  	To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website.   	Error Code: 0x800704ec  	Error description: This program is blocked by group policy. For more information, contact your system administrator.   	Signature Version: AV: 1.119.260.0, AS: 1.119.260.0, NIS: 10.7.0.0  	Engine Version: AM: 1.1.8001.0, NIS: 2.0.7707.0
20/01/2012 23:18:06, Error: Microsoft Antimalware (1119)  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.  For more information please see the following: (url)[url]http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:DOS/Alureon.E&threatid=2147650952(/url[/url])  	Name: Trojan:DOS/Alureon.E  	ID: 2147650952  	Severity: Severe  	Category: Trojan  	Path: boot:_\Device\HarddiskVolume4;boot:_\Device\HarddiskVolume4\;boot:_\\.\PHYSICALDRIVE0\Partition3 (Type 17)  	Detection Origin: Local machine  	Detection Type: Concrete  	Detection Source: System  	User: NT AUTHORITY\SYSTEM  	Process Name: C:\Windows\System32\svchost.exe  	Action: Remove  	Action Status:  To finish removing malware and other potentially unwanted software, restart the computer.  	To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website.   	Error Code: 0x800704ec  	Error description: This program is blocked by group policy. For more information, contact your system administrator.   	Signature Version: AV: 1.119.260.0, AS: 1.119.260.0, NIS: 10.7.0.0  	Engine Version: AM: 1.1.8001.0, NIS: 2.0.7707.0
20/01/2012 22:02:35, Error: Microsoft Antimalware (1119)  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.  For more information please see the following: (url)[url]http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:DOS/Alureon.E&threatid=2147650952(/url[/url])  	Name: Trojan:DOS/Alureon.E  	ID: 2147650952  	Severity: Severe  	Category: Trojan  	Path: boot:_\Device\HarddiskVolume4;boot:_\Device\HarddiskVolume4\  	Detection Origin: Local machine  	Detection Type: Concrete  	Detection Source: Real-Time Protection  	User: ChrisA-PC\ChrisA  	Process Name: System  	Action: Remove  	Action Status:  To finish removing malware and other potentially unwanted software, restart the computer.  	To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website.   	Error Code: 0x800704ec  	Error description: This program is blocked by group policy. For more information, contact your system administrator.   	Signature Version: AV: 1.119.260.0, AS: 1.119.260.0, NIS: 10.7.0.0  	Engine Version: AM: 1.1.8001.0, NIS: 2.0.7707.0
20/01/2012 22:02:35, Error: Microsoft Antimalware (1119)  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.  For more information please see the following: (url)[url]http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:DOS/Alureon.E&threatid=2147650952(/url[/url])  	Name: Trojan:DOS/Alureon.E  	ID: 2147650952  	Severity: Severe  	Category: Trojan  	Path: boot:_\Device\HarddiskVolume4;boot:_\Device\HarddiskVolume4\  	Detection Origin: Local machine  	Detection Type: Concrete  	Detection Source: Real-Time Protection  	User: ChrisA-PC\ChrisA  	Process Name: System  	Action: Quarantine  	Action Status:  To finish removing malware and other potentially unwanted software, restart the computer.  	To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website.   	Error Code: 0x80070032  	Error description: The request is not supported.   	Signature Version: AV: 1.119.260.0, AS: 1.119.260.0, NIS: 10.7.0.0  	Engine Version: AM: 1.1.8001.0, NIS: 2.0.7707.0
20/01/2012 21:49:37, Error: Microsoft Antimalware (1119)  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.  For more information please see the following: (url)[url]http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:DOS/Alureon.E&threatid=2147650952(/url[/url])  	Name: Trojan:DOS/Alureon.E  	ID: 2147650952  	Severity: Severe  	Category: Trojan  	Path: boot:_\Device\HarddiskVolume4;boot:_\Device\HarddiskVolume4\;boot:_\\.\PHYSICALDRIVE0\Partition3 (Type 17)  	Detection Origin: Local machine  	Detection Type: Concrete  	Detection Source: System  	User: NT AUTHORITY\SYSTEM  	Process Name: C:\Windows\System32\svchost.exe  	Action: Remove  	Action Status:  To finish removing malware and other potentially unwanted software, restart the computer.  	To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website.   	Error Code: 0x800704ec  	Error description: This program is blocked by group policy. For more information, contact your system administrator.   	Signature Version: AV: 1.119.260.0, AS: 1.119.260.0, NIS: 10.7.0.0  	Engine Version: AM: 1.1.8001.0, NIS: 2.0.7707.0
20/01/2012 21:39:17, Error: Microsoft Antimalware (3002)  - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed.  	Feature: Behavior Monitoring  	Error Code: 0x80004005  	Error description: Unspecified error   	Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
20/01/2012 21:37:35, Error: Microsoft Antimalware (1119)  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.  For more information please see the following: (url)[url]http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:DOS/Alureon.E&threatid=2147650952(/url[/url])  	Name: Trojan:DOS/Alureon.E  	ID: 2147650952  	Severity: Severe  	Category: Trojan  	Path: boot:_\\.\PHYSICALDRIVE0\Partition3 (Type 17)  	Detection Origin: Local machine  	Detection Type: Concrete  	Detection Source: User  	User: ChrisA-PC\ChrisA  	Process Name: Unknown  	Action: Remove  	Action Status:  To finish removing malware and other potentially unwanted software, restart the computer.  	To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website.   	Error Code: 0x800704ec  	Error description: This program is blocked by group policy. For more information, contact your system administrator.   	Signature Version: AV: 1.119.260.0, AS: 1.119.260.0, NIS: 10.7.0.0  	Engine Version: AM: 1.1.8001.0, NIS: 2.0.7707.0
20/01/2012 21:32:46, Error: Microsoft Antimalware (1119)  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.  For more information please see the following: (url)[url]http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:DOS/Alureon.E&threatid=2147650952(/url[/url])  	Name: Trojan:DOS/Alureon.E  	ID: 2147650952  	Severity: Severe  	Category: Trojan  	Path: boot:_\Device\HarddiskVolume4;boot:_\Device\HarddiskVolume4\  	Detection Origin: Local machine  	Detection Type: Concrete  	Detection Source: Real-Time Protection  	User: NT AUTHORITY\SYSTEM  	Process Name: C:\Windows\System32\svchost.exe  	Action: Remove  	Action Status:  To finish removing malware and other potentially unwanted software, restart the computer.  	To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website.   	Error Code: 0x800704ec  	Error description: This program is blocked by group policy. For more information, contact your system administrator.   	Signature Version: AV: 1.119.260.0, AS: 1.119.260.0, NIS: 10.7.0.0  	Engine Version: AM: 1.1.8001.0, NIS: 2.0.7707.0
20/01/2012 21:03:09, Error: Microsoft Antimalware (1119)  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.  For more information please see the following: (url)[url]http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:DOS/Alureon.E&threatid=2147650952(/url[/url])  	Name: Trojan:DOS/Alureon.E  	ID: 2147650952  	Severity: Severe  	Category: Trojan  	Path: boot:_\Device\HarddiskVolume4;boot:_\Device\HarddiskVolume4\;boot:_\\.\PHYSICALDRIVE0\Partition3 (Type 17)  	Detection Origin: Local machine  	Detection Type: Concrete  	Detection Source: System  	User: ChrisA-PC\ChrisA  	Process Name: C:\Windows\System32\svchost.exe  	Action: Remove  	Action Status:  To finish removing malware and other potentially unwanted software, restart the computer.  	To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website.   	Error Code: 0x800704ec  	Error description: This program is blocked by group policy. For more information, contact your system administrator.   	Signature Version: AV: 1.119.260.0, AS: 1.119.260.0, NIS: 10.7.0.0  	Engine Version: AM: 1.1.8001.0, NIS: 2.0.7707.0
20/01/2012 21:02:34, Error: Microsoft Antimalware (3002)  - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed.  	Feature: Behavior Monitoring  	Error Code: 0x80004005  	Error description: Unspecified error   	Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
20/01/2012 20:53:44, Error: Microsoft Antimalware (1119)  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software.  For more information please see the following: (url)[url]http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:DOS/Alureon.E&threatid=2147650952(/url[/url])  	Name: Trojan:DOS/Alureon.E  	ID: 2147650952  	Severity: Severe  	Category: Trojan  	Path: boot:_\\.\PHYSICALDRIVE0\Partition3 (Type 17)  	Detection Origin: Local machine  	Detection Type: Concrete  	Detection Source: User  	User: ChrisA-PC\ChrisA  	Process Name: Unknown  	Action: Remove  	Action Status:  To finish removing malware and other potentially unwanted software, restart the computer.  	To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website.   	Error Code: 0x800704ec  	Error description: This program is blocked by group policy. For more information, contact your system administrator.   	Signature Version: AV: 1.119.260.0, AS: 1.119.260.0, NIS: 0.0.0.0  	Engine Version: AM: 1.1.8001.0, NIS: 0.0.0.0
20/01/2012 20:43:28, Error: Microsoft Antimalware (3002)  - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed.  	Feature: Network Inspection System  	Error Code: 0x8007042c  	Error description: The dependency service or group failed to start.   	Reason: The system is missing updates that are required for running Network Inspection System.  Install the required updates and restart the computer.
.
==== End Of File ===========================



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
.



aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-21 10:11:55
-----------------------------
10:11:55.606 OS Version: Windows 6.1.7600
10:11:55.606 Number of processors: 4 586 0x1E05
10:11:55.607 ComputerName: CHRISA-PC UserName: ChrisA
10:11:57.296 Initialize success
10:14:34.369 AVAST engine defs: 12012100
10:16:15.345 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
10:16:15.348 Disk 0 Vendor: WDC_WD3200AAKS-75L9A0 02.03E02 Size: 305245MB BusType: 11
10:16:15.367 Disk 0 MBR read successfully
10:16:15.369 Disk 0 MBR scan
10:16:15.452 Disk 0 Windows 7 default MBR code
10:16:15.454 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 94 MB offset 63
10:16:15.486 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10018 MB offset 194560
10:16:15.526 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 295131 MB offset 20711424
10:16:15.584 Disk 0 Partition 4 00 17 Hidd HPFS/NTFS NTFS 1 MB offset 625139712
10:16:15.669 Disk 0 scanning sectors +625142432
10:16:16.540 Disk 0 scanning C:\Windows\system32\drivers
10:16:23.670 Service scanning
10:16:24.418 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
10:16:24.982 Modules scanning
10:16:28.177 Disk 0 trace - called modules:
10:16:28.191 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS PCIIDEX.SYS msahci.sys
10:16:28.197 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x856de308]
10:16:28.201 3 CLASSPNP.SYS[88ba059e] -> nt!IofCallDriver -> [0x8552e918]
10:16:28.205 5 ACPI.sys[886a73b2] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85522030]
10:16:28.907 AVAST engine scan C:\Windows
10:16:30.496 AVAST engine scan C:\Windows\system32
10:17:44.073 AVAST engine scan C:\Windows\system32\drivers
10:17:50.968 AVAST engine scan C:\Users\ChrisA
10:19:22.712 AVAST engine scan C:\ProgramData
10:19:28.140 Scan finished successfully
10:19:37.079 Disk 0 MBR has been saved successfully to "C:\Users\ChrisA\Desktop\MBR.dat"
10:19:37.142 The log file has been saved successfully to "C:\Users\ChrisA\Desktop\aswMBR.txt"


During the scan, I got another notification from MSE that it had found the threat even though I had realtime protection switched off while the scan was running. Don't know if this is relevant.


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
.


Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows 7 (build 7600), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000002`78100000
Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...
 
ListParts by Farbar
Ran by ChrisA on 21-01-2012 at 16:56:25
Windows 7 (X86)
Running From: C:\Users\ChrisA\Desktop
************************************************************

========================= Memory info ======================

Percentage of memory in use: 33%
Total physical RAM: 2007.11 MB
Available physical RAM: 1340.76 MB
Total Pagefile: 4014.23 MB
Available Pagefile: 3330.91 MB
Total Virtual: 2047.88 MB
Available Virtual: 1963.45 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:288.21 GB) (Free:237.46 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
2 Drive d: (RECOVERY) (Fixed) (Total:9.78 GB) (Free:4.87 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: () (Fixed) (Total:465.76 GB) (Free:257.12 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B
Disk 1 Online 465 GB 2048 KB

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 94 MB 31 KB
Partition 2 Primary 9 GB 95 MB
Partition 3 Primary 288 GB 9 GB
Partition 4 Primary 1360 KB 298 GB

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

There is no volume associated with this partition.

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D RECOVERY NTFS Partition 9 GB Healthy

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 288 GB Healthy System (partition with boot components)

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 465 GB 1024 KB

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F NTFS Partition 465 GB Healthy



****** End Of Log ******

Thanks
 
It looks like we're dealing here with the newest TDL rootkit.

Download GETxPUD.exe to the desktop of your clean computer

  • Double click on GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Insert blank CD into your CD drive.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Boot bad computer from the CD
  • Press Tool at the top
  • Choose Open Terminal
  • Type parted /dev/sda set 3 boot on
  • Press Enter
  • Type parted /dev/sda rm 4
  • Press Enter
  • Remove xPUD CD, reboot, run aswMBR and post the log
 
Hi Broni,

I ran the program, entered the commands. Got some messages about the device being unmounted? But seemed to work. Have re-scanned with aswMBR:

aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-22 14:29:00
-----------------------------
14:29:00.879 OS Version: Windows 6.1.7600
14:29:00.879 Number of processors: 4 586 0x1E05
14:29:00.895 ComputerName: CHRISA-PC UserName: ChrisA
14:29:03.141 Initialize success
14:29:08.383 AVAST engine defs: 12012100
14:29:12.517 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
14:29:12.517 Disk 0 Vendor: WDC_WD3200AAKS-75L9A0 02.03E02 Size: 305245MB BusType: 11
14:29:12.579 Disk 0 MBR read successfully
14:29:12.579 Disk 0 MBR scan
14:29:12.673 Disk 0 Windows 7 default MBR code
14:29:12.688 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 94 MB offset 63
14:29:12.797 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10018 MB offset 194560
14:29:12.860 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 295131 MB offset 20711424
14:29:12.891 Disk 0 scanning sectors +625139712
14:29:13.999 Disk 0 scanning C:\Windows\system32\drivers
14:29:32.095 Service scanning
14:29:40.129 Service MpKsl6cfe8305 C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{EA8E5767-A785-474D-8DE9-730B37E4F8D6}\MpKsl6cfe8305.sys **LOCKED** 32
14:29:40.144 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
14:29:41.065 Modules scanning
14:29:49.301 Disk 0 trace - called modules:
14:29:49.317 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS PCIIDEX.SYS msahci.sys
14:29:49.317 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x856deac8]
14:29:49.317 3 CLASSPNP.SYS[88b8a59e] -> nt!IofCallDriver -> [0x85534918]
14:29:49.333 5 ACPI.sys[8868d3b2] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85532908]
14:29:51.454 AVAST engine scan C:\Windows
14:29:54.839 AVAST engine scan C:\Windows\system32
14:32:30.620 AVAST engine scan C:\Windows\system32\drivers
14:32:43.053 AVAST engine scan C:\Users\ChrisA
14:34:48.137 AVAST engine scan C:\ProgramData
14:34:56.395 Scan finished successfully
14:35:16.194 Disk 0 MBR has been saved successfully to "C:\Users\ChrisA\Desktop\MBR.dat"
14:35:16.197 The log file has been saved successfully to "C:\Users\ChrisA\Desktop\aswMBR.txt"
 
Good job :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
ComboFix 12-01-21.02 - ChrisA 22/01/2012 21:21:21.1.4 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.2007.1152 [GMT 0:00]
Running from: c:\users\ChrisA\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-22 to 2012-01-22 )))))))))))))))))))))))))))))))
.
.
2012-01-22 21:24 . 2012-01-22 21:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-22 21:19 . 2012-01-22 21:19 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4DD5974F-64FC-4F4E-A14F-470EB291D0B0}\MpKslc5f9912d.sys
2012-01-22 15:47 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2012-01-22 15:45 . 2009-10-10 02:57 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2012-01-22 14:52 . 2012-01-22 14:52 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4DD5974F-64FC-4F4E-A14F-470EB291D0B0}\offreg.dll
2012-01-22 14:51 . 2012-01-17 04:39 6557240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-01-22 14:51 . 2012-01-17 04:39 6557240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4DD5974F-64FC-4F4E-A14F-470EB291D0B0}\mpengine.dll
2012-01-22 14:45 . 2012-01-22 14:45 -------- d-----w- c:\windows\system32\Wat
2012-01-22 14:35 . 2010-02-11 07:10 293376 ----a-w- c:\windows\system32\browserchoice.exe
2012-01-22 14:31 . 2010-03-04 03:57 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2012-01-22 14:30 . 2010-09-14 06:07 276992 ----a-w- c:\windows\system32\wcncsvc.dll
2012-01-21 17:02 . 2009-11-25 12:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2012-01-21 17:02 . 2009-11-25 12:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
2012-01-21 17:02 . 2009-11-25 12:47 297808 ----a-w- c:\windows\system32\mscoree.dll
2012-01-21 17:02 . 2009-11-25 12:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2012-01-21 17:02 . 2009-11-25 12:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
2012-01-21 10:05 . 2010-06-29 05:02 1413632 ----a-w- c:\windows\system32\ole32.dll
2012-01-21 10:05 . 2010-06-29 04:57 4247040 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
2012-01-21 10:05 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2012-01-21 10:05 . 2011-04-29 02:57 311296 ----a-w- c:\windows\system32\drivers\srv.sys
2012-01-21 10:05 . 2011-04-29 02:57 309760 ----a-w- c:\windows\system32\drivers\srv2.sys
2012-01-21 10:05 . 2011-04-29 02:57 114176 ----a-w- c:\windows\system32\drivers\srvnet.sys
2012-01-21 10:05 . 2011-04-25 02:35 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-21 10:05 . 2011-09-29 15:43 1285488 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-01-21 10:05 . 2010-08-21 05:32 316928 ----a-w- c:\windows\system32\spoolsv.exe
2012-01-21 10:05 . 2011-11-17 05:41 1288984 ----a-w- c:\windows\system32\ntdll.dll
2012-01-21 10:05 . 2011-02-18 05:33 31232 ----a-w- c:\windows\system32\prevhost.exe
2012-01-21 10:04 . 2011-03-03 05:29 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2012-01-21 10:04 . 2011-03-03 05:27 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2012-01-21 10:04 . 2011-02-19 05:32 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-01-21 10:04 . 2011-02-19 03:37 294912 ----a-w- c:\windows\system32\atmfd.dll
2012-01-21 10:04 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll
2012-01-21 10:04 . 2011-10-01 04:43 708608 ----a-w- c:\program files\Common Files\System\wab32.dll
2012-01-21 10:03 . 2010-07-29 06:30 197632 ----a-w- c:\windows\system32\ir32_32.dll
2012-01-21 10:03 . 2010-07-29 06:30 82944 ----a-w- c:\windows\system32\iccvid.dll
2012-01-21 10:03 . 2009-10-28 06:17 285696 ----a-w- c:\windows\system32\winlogon.exe
2012-01-21 10:03 . 2010-08-26 04:39 109056 ----a-w- c:\windows\system32\t2embed.dll
2012-01-21 10:03 . 2010-10-12 04:25 516096 ----a-w- c:\program files\Windows Mail\wab.exe
2012-01-21 10:03 . 2010-08-04 06:17 417792 ----a-w- c:\windows\system32\msdri.dll
2012-01-21 10:03 . 2011-11-24 04:23 2340352 ----a-w- c:\windows\system32\win32k.sys
2012-01-21 10:01 . 2010-12-18 05:29 541184 ----a-w- c:\windows\system32\kerberos.dll
2012-01-21 10:00 . 2010-08-21 05:33 530432 ----a-w- c:\windows\system32\comctl32.dll
2012-01-21 10:00 . 2010-08-31 04:32 954752 ----a-w- c:\windows\system32\mfc40.dll
2012-01-21 10:00 . 2010-08-31 04:32 954288 ----a-w- c:\windows\system32\mfc40u.dll
2012-01-21 03:59 . 2012-01-20 20:04 -------- d-----w- c:\windows\Panther
2012-01-21 03:59 . 2012-01-21 03:59 -------- d-----w- C:\Boot
2012-01-21 03:59 . 2012-01-21 03:59 -------- d-----w- c:\windows\system32\OEM
2012-01-20 23:18 . 2010-12-21 05:38 51200 ----a-w- c:\windows\system32\wscapi.dll
2012-01-20 22:59 . 2011-02-03 05:45 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2012-01-20 22:59 . 2010-11-02 04:46 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2012-01-20 22:59 . 2010-11-02 04:23 107520 ----a-w- c:\windows\system32\cdd.dll
2012-01-20 22:48 . 2012-01-20 22:48 -------- d-----w- c:\program files\Microsoft ActiveSync
2012-01-20 22:48 . 2012-01-20 22:48 -------- d-----w- c:\windows\PCHEALTH
2012-01-20 22:48 . 2012-01-20 22:48 -------- d-----w- c:\program files\Microsoft.NET
2012-01-20 22:20 . 2012-01-20 22:20 -------- d-----w- c:\program files\ESET
2012-01-20 21:06 . 2012-01-20 21:39 -------- d-----w- c:\programdata\NVIDIA
2012-01-20 21:06 . 2012-01-20 21:06 -------- d-----w- c:\users\UpdatusUser
2012-01-20 21:06 . 2011-05-21 06:01 66664 ----a-w- c:\windows\system32\nvshext.dll
2012-01-20 21:06 . 2011-05-21 06:01 615528 ----a-w- c:\windows\system32\nvvsvc.exe
2012-01-20 21:06 . 2011-05-21 06:01 3693672 ----a-w- c:\windows\system32\nvcpl.dll
2012-01-20 21:06 . 2011-05-21 06:01 2560616 ----a-w- c:\windows\system32\nvsvcr.dll
2012-01-20 21:06 . 2011-05-21 06:01 2557544 ----a-w- c:\windows\system32\nvsvc.dll
2012-01-20 21:06 . 2011-05-21 06:01 111208 ----a-w- c:\windows\system32\nvmctray.dll
2012-01-20 21:06 . 2011-05-21 06:01 543336 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2012-01-20 21:05 . 2012-01-20 21:05 -------- d-----w- c:\programdata\NVIDIA Corporation
2012-01-20 21:05 . 2012-01-20 21:06 -------- d-----w- c:\program files\NVIDIA Corporation
2012-01-20 20:43 . 2011-10-04 17:22 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CA542980-3A96-42BD-813E-FF0F26CC1105}\gapaengine.dll
2012-01-20 20:39 . 2012-01-17 04:39 6557240 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C7155EE6-A26C-4FF1-843A-824A015AACD0}\mpengine.dll
2012-01-20 20:39 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2012-01-20 20:36 . 2012-01-20 20:36 -------- d-----w- c:\program files\TeamViewer
2012-01-20 20:32 . 2012-01-20 20:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-20 20:32 . 2012-01-20 20:32 -------- d-----w- c:\programdata\Malwarebytes
2012-01-20 20:32 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-20 20:32 . 2012-01-20 20:32 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-20 20:32 . 2007-04-09 13:23 28552 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2012-01-20 20:32 . 2007-04-09 13:23 28040 ----a-w- c:\windows\system32\mdimon.dll
2012-01-20 20:31 . 2010-04-09 07:24 240008 ----a-w- c:\windows\system32\drivers\netio.sys
2012-01-20 20:31 . 2012-01-20 20:31 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2012-01-20 20:31 . 2012-01-20 20:31 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2012-01-20 20:31 . 2012-01-20 20:31 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2012-01-20 20:31 . 2012-01-20 20:31 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2012-01-20 20:31 . 2012-01-20 20:31 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2012-01-20 20:31 . 2012-01-20 20:31 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2012-01-20 20:31 . 2012-01-20 20:31 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2012-01-20 20:31 . 2012-01-20 20:31 -------- d-----w- c:\program files\QuickTime
2012-01-20 20:31 . 2012-01-20 20:31 -------- d-----w- c:\programdata\Apple Computer
2012-01-20 20:30 . 2012-01-20 20:30 -------- d-----w- c:\program files\Apple Software Update
2012-01-20 20:30 . 2012-01-20 20:30 -------- d-----w- c:\programdata\Apple
2012-01-20 20:30 . 2012-01-20 20:30 -------- d-----w- c:\program files\Common Files\Apple
2012-01-20 20:30 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2012-01-20 20:30 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-01-20 20:28 . 2012-01-20 20:28 -------- d-----w- c:\program files\Common Files\Adobe
2012-01-20 20:25 . 2012-01-20 20:25 -------- d-----w- c:\program files\Common Files\Java
2012-01-20 20:25 . 2012-01-20 20:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-20 20:25 . 2012-01-20 20:25 -------- d-----w- c:\program files\Java
2012-01-20 20:24 . 2012-01-20 20:24 -------- d-----w- c:\program files\Microsoft Silverlight
2012-01-20 20:23 . 2012-01-20 20:23 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-20 20:23 . 2012-01-20 20:23 -------- d-----w- c:\windows\system32\Macromed
2012-01-20 20:17 . 2012-01-20 20:17 -------- d-----w- c:\program files\Broadcom
2012-01-20 20:17 . 2012-01-22 15:46 -------- d-sh--w- c:\windows\Installer
2012-01-20 20:17 . 2012-01-20 20:17 -------- d-----w- C:\dell
2012-01-20 20:07 . 2012-01-20 23:11 -------- d-----w- c:\windows\system32\wbem\Performance
2012-01-20 20:04 . 2012-01-20 20:40 -------- d-----w- c:\users\ChrisA
2012-01-20 20:04 . 2012-01-20 20:04 -------- d-----w- C:\Recovery
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-21 07:24 . 2012-01-20 20:22 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\ChrisA\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\ChrisA\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\ChrisA\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\ChrisA\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
c:\users\ChrisA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\ChrisA\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-12-5 24183152]
Facebook Desktop.lnk - c:\program files\Facebook Desktop\Facebook Desktop.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-22 1343400]
S1 MpKslc5f9912d;MpKslc5f9912d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4DD5974F-64FC-4F4E-A14F-470EB291D0B0}\MpKslc5f9912d.sys [2012-01-22 29904]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504]
S2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [2012-01-19 3027840]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2009-08-06 273960]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLC5F9912D
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-697273298-2210447868-2631082076-1000Core.job
- c:\users\ChrisA\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-20 06:15]
.
2012-01-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-697273298-2210447868-2631082076-1000UA.job
- c:\users\ChrisA\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-20 06:15]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
FF - ProfilePath - c:\users\ChrisA\AppData\Roaming\Mozilla\Firefox\Profiles\cp3kld4d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/?ref=hp
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3092)
c:\users\ChrisA\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
Completion time: 2012-01-22 21:25:24
ComboFix-quarantined-files.txt 2012-01-22 21:25
.
Pre-Run: 251,144,589,312 bytes free
Post-Run: 251,107,078,144 bytes free
.
- - End Of File - - A08C86F1538EF5F6847BC7FC17EFE5A4
 
Looks good :)

How is computer doing?

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Machine looks good! MSE no longer reporting the presence of a virus. OTL logs below:

OTL logfile created on: 22/01/2012 21:41:26 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\ChrisA\Desktop
Professional (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.96 Gb Total Physical Memory | 1.16 Gb Available Physical Memory | 59.22% Memory free
3.92 Gb Paging File | 3.17 Gb Available in Paging File | 80.98% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288.21 Gb Total Space | 241.14 Gb Free Space | 83.67% Space Free | Partition Type: NTFS
Drive D: | 9.78 Gb Total Space | 4.87 Gb Free Space | 49.73% Space Free | Partition Type: NTFS

Computer Name: CHRISA-PC | User Name: ChrisA | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/22 21:39:45 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\ChrisA\Desktop\OTL.exe
PRC - [2012/01/19 11:47:20 | 003,027,840 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
PRC - [2012/01/03 13:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/12/21 07:24:51 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/06/15 15:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/05/21 06:01:00 | 002,214,504 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
PRC - [2011/05/21 06:01:00 | 000,839,272 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
PRC - [2011/04/27 15:39:26 | 000,208,944 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
PRC - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2011/02/26 05:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/07/14 01:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/14 01:14:30 | 000,172,032 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\rdpclip.exe


========== Modules (No Company Name) ==========

MOD - [2012/01/09 19:44:20 | 000,166,912 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2011/12/21 07:24:51 | 002,124,760 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/01/22 14:31:08 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2012/01/19 11:47:20 | 003,027,840 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe -- (TeamViewer7)
SRV - [2012/01/03 13:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/05/21 06:01:00 | 002,214,504 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2011/04/27 15:39:26 | 000,208,944 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/07/14 01:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009/07/14 01:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 01:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/14 01:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2011/05/21 06:01:00 | 010,589,800 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2011/04/27 15:25:24 | 000,065,024 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2011/04/18 13:18:50 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2009/09/17 19:54:14 | 000,041,088 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HECI.sys -- (HECI) Intel(R)
DRV - [2009/08/06 04:43:52 | 000,273,960 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\k57nd60x.sys -- (k57nd60x) Broadcom NetLink (TM)
DRV - [2009/07/14 01:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009/07/14 01:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009/07/14 01:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009/07/13 23:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009/07/13 23:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = CB 01 E6 12 B1 D7 CC 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.facebook.com/?ref=hp"
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.0.61118.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\ChrisA\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\ChrisA\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/20 20:31:08 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012/01/20 20:40:07 | 000,000,000 | ---D | M] (No name found) -- C:\Users\ChrisA\AppData\Roaming\Mozilla\Extensions
[2010/11/19 09:10:56 | 000,000,000 | ---D | M] (No name found) -- C:\Users\ChrisA\AppData\Roaming\Mozilla\Firefox\Profiles\cp3kld4d.default\extensions
[2012/01/20 20:25:14 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/01/20 20:25:14 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
[2011/12/21 07:24:52 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/12/21 04:30:41 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/12/21 04:30:41 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:eek:riginalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}

O1 HOSTS File: ([2009/06/10 21:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - Startup: C:\Users\ChrisA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\ChrisA\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Users\ChrisA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Facebook Desktop.lnk = File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7D5B2573-D935-49EF-98EF-979D0B625DC5}: DhcpNameServer = 192.168.1.254 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) -C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 21:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/01/22 21:40:06 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\ChrisA\Desktop\OTL.exe
[2012/01/22 21:25:00 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/01/22 21:20:37 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/01/22 14:45:52 | 000,000,000 | ---D | C] -- C:\Windows\System32\Wat
[2012/01/21 03:59:37 | 000,000,000 | ---D | C] -- C:\Windows\Panther
[2012/01/21 03:59:26 | 000,000,000 | ---D | C] -- C:\Boot
[2012/01/21 03:59:16 | 000,000,000 | ---D | C] -- C:\Windows\System32\OEM
[2012/01/20 22:49:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
[2012/01/20 22:48:57 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft ActiveSync
[2012/01/20 22:48:43 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2012/01/20 22:48:34 | 000,000,000 | ---D | C] -- C:\Windows\PCHEALTH
[2012/01/20 22:48:34 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2012/01/20 22:48:34 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office
[2012/01/20 22:47:26 | 000,000,000 | ---D | C] -- C:\Windows\System32\appmgmt
[2012/01/20 22:20:24 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/01/20 21:06:24 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA
[2012/01/20 21:05:50 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA Corporation
[2012/01/20 21:05:47 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation
[2012/01/20 20:59:33 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Winter Images
[2012/01/20 20:59:30 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\WalkNI
[2012/01/20 20:59:24 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Video
[2012/01/20 20:59:23 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Venture Outdoors
[2012/01/20 20:59:23 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Tourism Ireland FAM
[2012/01/20 20:59:23 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Tourism Ireland Blog
[2012/01/20 20:59:22 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Top Task Analysis
[2012/01/20 20:59:22 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\TO Fam Photos
[2012/01/20 20:59:22 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\The Irish News
[2012/01/20 20:59:18 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Tag Tournament and Quiz
[2012/01/20 20:59:14 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Tag
[2012/01/20 20:59:00 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Sportive Photos
[2012/01/20 20:58:58 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Sportive
[2012/01/20 20:58:56 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Send to Brendan
[2012/01/20 20:58:56 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\PR Plan 2012-13
[2012/01/20 20:58:46 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\PR
[2012/01/20 20:58:46 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Powerpoint slides
[2012/01/20 20:58:45 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\OutdoorNI Awards
[2012/01/20 20:58:43 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\OutdoorNI
[2012/01/20 20:58:42 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\NITB Industry Communications
[2012/01/20 20:58:41 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\NC Canoe Trail
[2012/01/20 20:58:40 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\National Trails Day Press Release s
[2012/01/20 20:58:40 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\MTB Website
[2012/01/20 20:58:33 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\MTB Mournes
[2012/01/20 20:58:33 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\London
[2012/01/20 20:58:33 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Learning Journey Photos 2011
[2012/01/20 20:58:32 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Kitchen
[2012/01/20 20:58:18 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Images
[2012/01/20 20:58:17 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Holly Hunt
[2012/01/20 20:58:17 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\General
[2012/01/20 20:58:17 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Francis Bradley FAM
[2012/01/20 20:58:16 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Countryfile
[2012/01/20 20:58:16 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Competition
[2012/01/20 20:58:16 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Chain Reaction Photos
[2012/01/20 20:58:12 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\CD
[2012/01/20 20:58:08 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Castle Ward
[2012/01/20 20:58:08 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\CanoeNI
[2012/01/20 20:58:08 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Brendan Coffey
[2012/01/20 20:57:56 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Bouldering
[2012/01/20 20:57:56 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Belfast Telegraph
[2012/01/20 20:57:55 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\B'Bourne
[2012/01/20 20:52:29 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Artwork
[2012/01/20 20:52:28 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\Ad'land 2012
[2012/01/20 20:52:28 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\48 hours in
[2012/01/20 20:52:28 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\Desktop\+1
[2012/01/20 20:47:07 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Local\VueSoft
[2012/01/20 20:47:04 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Local\Real
[2012/01/20 20:40:49 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Local\ElevatedDiagnostics
[2012/01/20 20:40:49 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Local\Apple Computer
[2012/01/20 20:40:48 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Local\Adobe
[2012/01/20 20:40:23 | 000,000,000 | R--D | C] -- C:\Users\ChrisA\Dropbox
[2012/01/20 20:40:08 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
[2012/01/20 20:40:08 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Roaming\Roxio
[2012/01/20 20:40:07 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Roaming\Real
[2012/01/20 20:40:05 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Roaming\Intel Corporation
[2012/01/20 20:40:05 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Roaming\Google
[2012/01/20 20:40:05 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Roaming\com.facebookdesktop.app
[2012/01/20 20:38:23 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Roaming\Apple Computer
[2012/01/20 20:36:09 | 000,000,000 | ---D | C] -- C:\Program Files\TeamViewer
[2012/01/20 20:35:22 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Roaming\Mozilla
[2012/01/20 20:35:22 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Local\Mozilla
[2012/01/20 20:34:41 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Roaming\Macromedia
[2012/01/20 20:34:37 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Roaming\Adobe
[2012/01/20 20:33:57 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Roaming\Malwarebytes
[2012/01/20 20:32:58 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/01/20 20:32:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/01/20 20:32:58 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/01/20 20:32:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/01/20 20:32:37 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2012/01/20 20:31:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2012/01/20 20:31:03 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2012/01/20 20:31:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer
[2012/01/20 20:30:59 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2012/01/20 20:30:59 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Local\Apple
[2012/01/20 20:30:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple
[2012/01/20 20:30:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2012/01/20 20:28:44 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2012/01/20 20:28:44 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2012/01/20 20:28:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Adobe
[2012/01/20 20:26:16 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
[2012/01/20 20:25:58 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Roaming\Dropbox
[2012/01/20 20:25:21 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Roaming\WinRAR
[2012/01/20 20:25:21 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
[2012/01/20 20:25:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
[2012/01/20 20:25:21 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2012/01/20 20:25:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2012/01/20 20:25:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/01/20 20:25:10 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2012/01/20 20:24:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2012/01/20 20:24:26 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2012/01/20 20:23:47 | 000,000,000 | ---D | C] -- C:\Windows\System32\Macromed
[2012/01/20 20:23:40 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
[2012/01/20 20:23:36 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Local\Google
[2012/01/20 20:22:21 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/01/20 20:17:40 | 000,000,000 | ---D | C] -- C:\Program Files\Broadcom
[2012/01/20 20:17:20 | 000,000,000 | -HSD | C] -- C:\Windows\Installer
[2012/01/20 20:17:10 | 000,000,000 | ---D | C] -- C:\dell
[2012/01/20 20:04:41 | 000,000,000 | R--D | C] -- C:\Users\ChrisA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[2012/01/20 20:04:41 | 000,000,000 | R--D | C] -- C:\Users\ChrisA\Searches
[2012/01/20 20:04:41 | 000,000,000 | R--D | C] -- C:\Users\ChrisA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2012/01/20 20:04:40 | 000,000,000 | -H-D | C] -- C:\Users\ChrisA\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2012/01/20 20:04:33 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Roaming\Identities
[2012/01/20 20:04:32 | 000,000,000 | R--D | C] -- C:\Users\ChrisA\Contacts
[2012/01/20 20:04:22 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Local\VirtualStore
[2012/01/20 20:04:21 | 000,000,000 | -HSD | C] -- C:\Users\ChrisA\AppData\Local\Temporary Internet Files
[2012/01/20 20:04:21 | 000,000,000 | -HSD | C] -- C:\Users\ChrisA\Templates
[2012/01/20 20:04:21 | 000,000,000 | -HSD | C] -- C:\Users\ChrisA\Start Menu
[2012/01/20 20:04:21 | 000,000,000 | -HSD | C] -- C:\Users\ChrisA\SendTo
[2012/01/20 20:04:21 | 000,000,000 | -HSD | C] -- C:\Users\ChrisA\Recent
[2012/01/20 20:04:21 | 000,000,000 | -HSD | C] -- C:\Users\ChrisA\PrintHood
[2012/01/20 20:04:21 | 000,000,000 | -HSD | C] -- C:\Users\ChrisA\NetHood
[2012/01/20 20:04:21 | 000,000,000 | -HSD | C] -- C:\Users\ChrisA\Documents\My Videos
[2012/01/20 20:04:21 | 000,000,000 | -HSD | C] -- C:\Users\ChrisA\Documents\My Pictures
[2012/01/20 20:04:21 | 000,000,000 | -HSD | C] -- C:\Users\ChrisA\Documents\My Music
[2012/01/20 20:04:21 | 000,000,000 | -HSD | C] -- C:\Users\ChrisA\My Documents
[2012/01/20 20:04:21 | 000,000,000 | -HSD | C] -- C:\Users\ChrisA\Local Settings
[2012/01/20 20:04:21 | 000,000,000 | -HSD | C] -- C:\Users\ChrisA\AppData\Local\History
[2012/01/20 20:04:21 | 000,000,000 | -HSD | C] -- C:\Users\ChrisA\Cookies
[2012/01/20 20:04:21 | 000,000,000 | -HSD | C] -- C:\Users\ChrisA\Application Data
[2012/01/20 20:04:21 | 000,000,000 | -HSD | C] -- C:\Users\ChrisA\AppData\Local\Application Data
[2012/01/20 20:04:20 | 000,000,000 | --SD | C] -- C:\Users\ChrisA\AppData\Roaming\Microsoft
[2012/01/20 20:04:20 | 000,000,000 | R--D | C] -- C:\Users\ChrisA\Videos
[2012/01/20 20:04:20 | 000,000,000 | R--D | C] -- C:\Users\ChrisA\Saved Games
[2012/01/20 20:04:20 | 000,000,000 | R--D | C] -- C:\Users\ChrisA\Pictures
[2012/01/20 20:04:20 | 000,000,000 | R--D | C] -- C:\Users\ChrisA\Music
[2012/01/20 20:04:20 | 000,000,000 | R--D | C] -- C:\Users\ChrisA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
[2012/01/20 20:04:20 | 000,000,000 | R--D | C] -- C:\Users\ChrisA\Links
[2012/01/20 20:04:20 | 000,000,000 | R--D | C] -- C:\Users\ChrisA\Favorites
[2012/01/20 20:04:20 | 000,000,000 | R--D | C] -- C:\Users\ChrisA\Downloads
[2012/01/20 20:04:20 | 000,000,000 | R--D | C] -- C:\Users\ChrisA\Documents
[2012/01/20 20:04:20 | 000,000,000 | R--D | C] -- C:\Users\ChrisA\Desktop
[2012/01/20 20:04:20 | 000,000,000 | R--D | C] -- C:\Users\ChrisA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
[2012/01/20 20:04:20 | 000,000,000 | -H-D | C] -- C:\Users\ChrisA\AppData
[2012/01/20 20:04:20 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Local\Temp
[2012/01/20 20:04:20 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Local\Microsoft
[2012/01/20 20:04:20 | 000,000,000 | ---D | C] -- C:\Users\ChrisA\AppData\Roaming\Media Center Programs
[2012/01/20 20:04:17 | 000,000,000 | ---D | C] -- C:\Recovery
[2012/01/20 20:04:14 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2012/01/20 20:00:39 | 000,000,000 | ---D | C] -- C:\Windows\Prefetch
[2012/01/20 20:00:07 | 000,000,000 | -HSD | C] -- C:\System Volume Information

========== Files - Modified Within 30 Days ==========

[2012/01/22 21:39:45 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\ChrisA\Desktop\OTL.exe
[2012/01/22 21:33:05 | 000,000,912 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-697273298-2210447868-2631082076-1000UA.job
[2012/01/22 21:22:14 | 000,014,032 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/01/22 21:22:14 | 000,014,032 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/01/22 21:14:54 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/01/22 21:14:47 | 1578,455,040 | -HS- | M] () -- C:\hiberfil.sys
[2012/01/22 15:56:02 | 000,001,407 | ---- | M] () -- C:\Users\ChrisA\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/01/22 15:50:10 | 000,072,822 | ---- | M] () -- C:\Windows\System32\ieuinit.inf
[2012/01/22 15:39:43 | 000,001,103 | ---- | M] () -- C:\Users\ChrisA\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2012/01/22 15:39:41 | 000,611,996 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/01/22 15:39:41 | 000,105,214 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/01/22 14:47:06 | 000,355,704 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/01/22 14:35:16 | 000,000,512 | ---- | M] () -- C:\Users\ChrisA\Desktop\MBR.dat
[2012/01/22 14:34:15 | 000,000,860 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-697273298-2210447868-2631082076-1000Core.job
[2012/01/21 03:59:27 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2012/01/21 00:00:34 | 2768,978,943 | ---- | M] () -- C:\personalbackup.pst
[2012/01/21 00:00:34 | 1296,188,416 | ---- | M] () -- C:\archivebackup.pst
[2012/01/20 22:49:41 | 000,000,376 | ---- | M] () -- C:\Windows\ODBC.INI
[2012/01/20 22:02:42 | 000,002,279 | ---- | M] () -- C:\Users\ChrisA\Desktop\Google Chrome.lnk
[2012/01/20 21:04:41 | 000,002,000 | ---- | M] () -- C:\Users\ChrisA\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/01/20 20:32:47 | 000,002,154 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/01/20 20:22:22 | 000,001,096 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/01/20 20:15:16 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2012/01/20 20:02:21 | 000,040,833 | ---- | M] () -- C:\Windows\System32\license.rtf
[2012/01/20 18:25:39 | 000,001,031 | ---- | M] () -- C:\Users\ChrisA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Facebook Desktop.lnk
[2012/01/20 12:11:14 | 000,000,505 | ---- | M] () -- C:\Users\ChrisA\Desktop\New Public Files.lnk
[2012/01/18 14:53:55 | 000,165,792 | ---- | M] () -- C:\Users\ChrisA\Desktop\walkni - with strapline.jpg
[2012/01/18 14:45:03 | 000,053,394 | ---- | M] () -- C:\Users\ChrisA\Desktop\Ti.ashx.jpg
[2012/01/18 14:16:19 | 000,070,808 | ---- | M] () -- C:\Users\ChrisA\Desktop\05.jpg
[2012/01/18 11:01:34 | 001,041,667 | ---- | M] () -- C:\Users\ChrisA\Desktop\Omagh.jpg
[2012/01/18 11:00:40 | 000,215,895 | ---- | M] () -- C:\Users\ChrisA\Desktop\Glenelly River.jpg
[2012/01/18 10:59:36 | 000,107,444 | ---- | M] () -- C:\Users\ChrisA\Desktop\Sperrins Walking.jpg
[2012/01/18 10:58:39 | 000,140,553 | ---- | M] () -- C:\Users\ChrisA\Desktop\Folk Park.jpg
[2012/01/18 10:57:28 | 000,126,936 | ---- | M] () -- C:\Users\ChrisA\Desktop\Sperrins.jpg
[2012/01/17 17:03:48 | 000,632,924 | ---- | M] () -- C:\Users\ChrisA\Desktop\River Foyle.jpg
[2012/01/17 17:03:14 | 000,709,882 | ---- | M] () -- C:\Users\ChrisA\Desktop\Foyle.jpg
[2012/01/17 17:02:27 | 001,169,114 | ---- | M] () -- C:\Users\ChrisA\Desktop\Foyle Canoe Trail.jpg
[2012/01/17 14:51:29 | 000,166,620 | ---- | M] () -- C:\Users\ChrisA\Desktop\Shooter.pdf
[2012/01/17 14:51:01 | 000,355,030 | ---- | M] () -- C:\Users\ChrisA\Desktop\North Belfast News.pdf
[2012/01/17 12:53:00 | 000,133,777 | ---- | M] () -- C:\Users\ChrisA\Desktop\45949-Cushendall.jpg
[2012/01/17 12:27:00 | 001,876,441 | ---- | M] () -- C:\Users\ChrisA\Desktop\NI Bootcamp Abseiling.jpg
[2012/01/17 12:27:00 | 001,776,714 | ---- | M] () -- C:\Users\ChrisA\Desktop\NI Bootcamp.jpg
[2012/01/16 17:10:31 | 000,463,333 | ---- | M] () -- C:\Users\ChrisA\Desktop\Belfast Telegraph.pdf
[2012/01/09 14:20:02 | 001,454,024 | ---- | M] () -- C:\Users\ChrisA\Desktop\Paddle around Ireland.JPG
[2012/01/09 14:19:48 | 001,932,912 | ---- | M] () -- C:\Users\ChrisA\Desktop\Elaine 'Shooter' Alexander.JPG
[2012/01/09 14:19:17 | 000,782,126 | ---- | M] () -- C:\Users\ChrisA\Desktop\Shooter.jpg
[2012/01/09 14:18:52 | 002,195,614 | ---- | M] () -- C:\Users\ChrisA\Desktop\Elaine Paddle.jpg
[2012/01/09 12:11:53 | 001,327,366 | ---- | M] () -- C:\Users\ChrisA\Desktop\Tollymore Mountain Biking.jpg

========== Files Created - No Company Name ==========

[2012/01/22 15:50:10 | 000,072,822 | ---- | C] () -- C:\Windows\System32\ieuinit.inf
[2012/01/21 10:19:37 | 000,000,512 | ---- | C] () -- C:\Users\ChrisA\Desktop\MBR.dat
[2012/01/21 03:59:27 | 000,008,192 | RHS- | C] () -- C:\BOOTSECT.BAK
[2012/01/21 03:59:26 | 000,383,562 | RHS- | C] () -- C:\bootmgr
[2012/01/20 23:18:01 | 000,001,103 | ---- | C] () -- C:\Users\ChrisA\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2012/01/20 20:52:28 | 001,327,366 | ---- | C] () -- C:\Users\ChrisA\Desktop\Tollymore Mountain Biking.jpg
[2012/01/20 20:52:28 | 000,782,126 | ---- | C] () -- C:\Users\ChrisA\Desktop\Shooter.jpg
[2012/01/20 20:52:28 | 000,632,924 | ---- | C] () -- C:\Users\ChrisA\Desktop\River Foyle.jpg
[2012/01/20 20:52:28 | 000,222,151 | ---- | C] () -- C:\Users\ChrisA\Desktop\Sportive Scene.jpg
[2012/01/20 20:52:28 | 000,166,620 | ---- | C] () -- C:\Users\ChrisA\Desktop\Shooter.pdf
[2012/01/20 20:52:28 | 000,165,792 | ---- | C] () -- C:\Users\ChrisA\Desktop\walkni - with strapline.jpg
[2012/01/20 20:52:28 | 000,126,936 | ---- | C] () -- C:\Users\ChrisA\Desktop\Sperrins.jpg
[2012/01/20 20:52:28 | 000,122,469 | ---- | C] () -- C:\Users\ChrisA\Desktop\SCot Widows Offset Saver account.pdf
[2012/01/20 20:52:28 | 000,107,444 | ---- | C] () -- C:\Users\ChrisA\Desktop\Sperrins Walking.jpg
[2012/01/20 20:52:28 | 000,053,394 | ---- | C] () -- C:\Users\ChrisA\Desktop\Ti.ashx.jpg
[2012/01/20 20:48:32 | 2768,978,943 | ---- | C] () -- C:\personalbackup.pst
[2012/01/20 20:48:32 | 001,776,714 | ---- | C] () -- C:\Users\ChrisA\Desktop\NI Bootcamp.jpg
[2012/01/20 20:48:32 | 001,454,024 | ---- | C] () -- C:\Users\ChrisA\Desktop\Paddle around Ireland.JPG
[2012/01/20 20:48:32 | 001,041,667 | ---- | C] () -- C:\Users\ChrisA\Desktop\Omagh.jpg
[2012/01/20 20:48:32 | 000,355,030 | ---- | C] () -- C:\Users\ChrisA\Desktop\North Belfast News.pdf
[2012/01/20 20:48:31 | 001,876,441 | ---- | C] () -- C:\Users\ChrisA\Desktop\NI Bootcamp Abseiling.jpg
[2012/01/20 20:48:31 | 000,342,743 | ---- | C] () -- C:\Users\ChrisA\Desktop\Newsletter Article.jpg
[2012/01/20 20:48:31 | 000,275,987 | ---- | C] () -- C:\Users\ChrisA\Desktop\Newsletter 2.jpg
[2012/01/20 20:48:31 | 000,002,693 | ---- | C] () -- C:\Users\ChrisA\Desktop\Microsoft Office Outlook 2003.lnk
[2012/01/20 20:48:31 | 000,002,675 | ---- | C] () -- C:\Users\ChrisA\Desktop\Microsoft Office Word 2003.lnk
[2012/01/20 20:48:31 | 000,000,505 | ---- | C] () -- C:\Users\ChrisA\Desktop\New Public Files.lnk
[2012/01/20 20:48:30 | 008,820,737 | ---- | C] () -- C:\Users\ChrisA\Desktop\JPGS.zip
[2012/01/20 20:48:30 | 002,195,614 | ---- | C] () -- C:\Users\ChrisA\Desktop\Elaine Paddle.jpg
[2012/01/20 20:48:30 | 001,932,912 | ---- | C] () -- C:\Users\ChrisA\Desktop\Elaine 'Shooter' Alexander.JPG
[2012/01/20 20:48:30 | 001,169,114 | ---- | C] () -- C:\Users\ChrisA\Desktop\Foyle Canoe Trail.jpg
[2012/01/20 20:48:30 | 000,709,882 | ---- | C] () -- C:\Users\ChrisA\Desktop\Foyle.jpg
[2012/01/20 20:48:30 | 000,215,895 | ---- | C] () -- C:\Users\ChrisA\Desktop\Glenelly River.jpg
[2012/01/20 20:48:30 | 000,140,553 | ---- | C] () -- C:\Users\ChrisA\Desktop\Folk Park.jpg
[2012/01/20 20:48:30 | 000,001,415 | ---- | C] () -- C:\Users\ChrisA\Desktop\Internet Explorer.lnk
[2012/01/20 20:48:29 | 005,381,640 | ---- | C] () -- C:\Users\ChrisA\Desktop\Cycling Weekly Feature.pdf
[2012/01/20 20:48:29 | 001,847,599 | ---- | C] () -- C:\Users\ChrisA\Desktop\download.php.air
[2012/01/20 20:48:29 | 000,463,333 | ---- | C] () -- C:\Users\ChrisA\Desktop\Belfast Telegraph.pdf
[2012/01/20 20:48:29 | 000,000,574 | ---- | C] () -- C:\Users\ChrisA\Desktop\chrisa docs on server.lnk
[2012/01/20 20:47:17 | 1296,188,416 | ---- | C] () -- C:\archivebackup.pst
[2012/01/20 20:47:17 | 000,133,777 | ---- | C] () -- C:\Users\ChrisA\Desktop\45949-Cushendall.jpg
[2012/01/20 20:47:17 | 000,070,808 | ---- | C] () -- C:\Users\ChrisA\Desktop\05.jpg
[2012/01/20 20:47:15 | 000,001,031 | ---- | C] () -- C:\Users\ChrisA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Facebook Desktop.lnk
[2012/01/20 20:47:14 | 000,002,187 | ---- | C] () -- C:\Users\ChrisA\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/01/20 20:47:14 | 000,002,000 | ---- | C] () -- C:\Users\ChrisA\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/01/20 20:40:08 | 000,001,990 | ---- | C] () -- C:\Users\ChrisA\Documents\Default.rdp
[2012/01/20 20:36:12 | 000,001,132 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 7.lnk
[2012/01/20 20:32:47 | 000,002,154 | ---- | C] () -- C:\Windows\epplauncher.mif
[2012/01/20 20:32:39 | 000,001,897 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/01/20 20:32:36 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2012/01/20 20:30:59 | 000,002,519 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
[2012/01/20 20:28:51 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2012/01/20 20:26:29 | 000,001,004 | ---- | C] () -- C:\Users\ChrisA\Desktop\Dropbox.lnk
[2012/01/20 20:26:21 | 000,000,984 | ---- | C] () -- C:\Users\ChrisA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2012/01/20 20:23:43 | 000,000,912 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-697273298-2210447868-2631082076-1000UA.job
[2012/01/20 20:23:42 | 000,000,860 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-697273298-2210447868-2631082076-1000Core.job
[2012/01/20 20:23:40 | 000,002,279 | ---- | C] () -- C:\Users\ChrisA\Desktop\Google Chrome.lnk
[2012/01/20 20:22:22 | 000,001,108 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012/01/20 20:22:22 | 000,001,096 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/01/20 20:21:19 | 000,001,407 | ---- | C] () -- C:\Users\ChrisA\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/01/20 20:15:16 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2012/01/20 20:04:42 | 000,001,413 | ---- | C] () -- C:\Users\ChrisA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2012/01/20 20:04:20 | 000,000,290 | ---- | C] () -- C:\Users\ChrisA\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2012/01/20 20:04:20 | 000,000,272 | ---- | C] () -- C:\Users\ChrisA\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
[2012/01/20 20:02:15 | 000,001,345 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
[2012/01/20 20:02:10 | 000,001,326 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
[2012/01/20 20:00:07 | 1578,455,040 | -HS- | C] () -- C:\hiberfil.sys
[2009/07/14 04:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 04:33:53 | 000,355,704 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/14 02:05:48 | 000,611,996 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/14 02:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/14 02:05:48 | 000,105,214 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/14 02:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/14 02:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/14 02:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/14 00:19:49 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2009/07/13 23:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 23:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 23:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/06/10 21:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI

========== LOP Check ==========

[2012/01/20 20:40:05 | 000,000,000 | ---D | M] -- C:\Users\ChrisA\AppData\Roaming\com.facebookdesktop.app
[2012/01/22 21:16:38 | 000,000,000 | ---D | M] -- C:\Users\ChrisA\AppData\Roaming\Dropbox
[2012/01/20 20:40:08 | 000,000,000 | ---D | M] -- C:\Users\ChrisA\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
[2009/07/14 04:53:46 | 000,003,340 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2012/01/21 00:00:34 | 1296,188,416 | ---- | M] () -- C:\archivebackup.pst
[2009/06/10 21:42:20 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2009/07/14 01:38:58 | 000,383,562 | RHS- | M] () -- C:\bootmgr
[2012/01/21 03:59:27 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2012/01/22 21:25:24 | 000,015,652 | ---- | M] () -- C:\ComboFix.txt
[2009/06/10 21:42:20 | 000,000,010 | ---- | M] () -- C:\config.sys
[2012/01/22 21:14:47 | 1578,455,040 | -HS- | M] () -- C:\hiberfil.sys
[2012/01/22 21:14:48 | 2104,610,816 | -HS- | M] () -- C:\pagefile.sys
[2012/01/21 00:00:34 | 2768,978,943 | ---- | M] () -- C:\personalbackup.pst
[2012/01/20 21:20:47 | 000,074,310 | ---- | M] () -- C:\TDSSKiller.2.7.6.0_20.01.2012_21.17.16_log.txt
[2012/01/20 21:50:55 | 000,076,954 | ---- | M] () -- C:\TDSSKiller.2.7.6.0_20.01.2012_21.50.34_log.txt

< %systemroot%\Fonts\*.com >
[2009/07/14 04:52:25 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2009/07/14 04:52:25 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2009/07/14 04:52:25 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2009/07/14 04:52:25 | 000,043,318 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2009/06/10 21:31:19 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2009/07/14 01:15:35 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\jnwppr.dll
[2007/04/09 13:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\mdippr.dll
[2009/07/14 01:16:19 | 000,029,696 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\winprint.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2009/07/14 04:41:57 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2012/01/22 15:56:02 | 000,000,221 | -HS- | M] () -- C:\Users\ChrisA\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

< %USERPROFILE%\Desktop\*.exe >
[2012/01/22 21:39:45 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\ChrisA\Desktop\OTL.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >
[2009/06/10 21:20:04 | 000,000,802 | ---- | M] () -- C:\Windows\ADDINS\FXSEXT.ecf

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >
[2012/01/22 15:45:58 | 000,008,192 | ---- | M] () -- C:\Windows\SECURITY\Database\edb.chk
[2012/01/22 15:45:58 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edb.log
[2012/01/22 15:45:58 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edbres00001.jrs
[2012/01/22 15:45:58 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edbres00002.jrs
[2012/01/22 15:45:58 | 000,786,432 | ---- | M] () -- C:\Windows\SECURITY\Database\edbtmp.log
[2012/01/22 15:45:58 | 001,056,768 | ---- | M] () -- C:\Windows\SECURITY\Database\tmp.edb

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2012/01/22 15:56:01 | 000,000,402 | -HS- | M] () -- C:\Users\ChrisA\Favorites\desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >
 
< %SYSTEMROOT%\inf\*.exe >

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


< End of report >




+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=




OTL Extras logfile created on: 22/01/2012 21:41:26 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\ChrisA\Desktop
Professional (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.96 Gb Total Physical Memory | 1.16 Gb Available Physical Memory | 59.22% Memory free
3.92 Gb Paging File | 3.17 Gb Available in Paging File | 80.98% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288.21 Gb Total Space | 241.14 Gb Free Space | 83.67% Space Free | Partition Type: NTFS
Drive D: | 9.78 Gb Total Space | 4.87 Gb Free Space | 49.73% Space Free | Partition Type: NTFS

Computer Name: CHRISA-PC | User Name: ChrisA | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{26A24AE4-039D-4CA4-87B4-2F83216030FF}" = Java(TM) 6 Update 30
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{A325B368-A9EC-40EF-A95C-9DEAD3683AE3}" = Broadcom Gigabit NetLink Controller
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 275.33
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 275.33
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.3.5
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"ESET Online Scanner" = ESET Online Scanner v3
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox 9.0.1 (x86 en-US)" = Mozilla Firefox 9.0.1 (x86 en-US)
"TeamViewer 7" = TeamViewer 7
"WinRAR archiver" = WinRAR 4.10 (32-bit)

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 20/01/2012 17:10:24 | Computer Name = ChrisA-PC | Source = Application Hang | ID = 1002
Description = The program OUTLOOK.EXE version 11.0.5510.0 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 874 Start
Time: 01ccd7b74791e46f Termination Time: 0 Application Path: C:\Program Files\Microsoft
Office\OFFICE11\OUTLOOK.EXE Report Id: 2683e861-43ab-11e1-97ac-a4badbff0786

Error - 20/01/2012 17:13:15 | Computer Name = ChrisA-PC | Source = Application Hang | ID = 1002
Description = The program OUTLOOK.EXE version 11.0.5510.0 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: c5c Start
Time: 01ccd7b83e063a2f Termination Time: 0 Application Path: C:\Program Files\Microsoft
Office\OFFICE11\OUTLOOK.EXE Report Id: 8e78bf59-43ab-11e1-97ac-a4badbff0786

Error - 20/01/2012 17:27:50 | Computer Name = ChrisA-PC | Source = Microsoft Office 11 | ID = 2000
Description = Accepted Safe Mode action : Microsoft Office Outlook.

Error - 20/01/2012 17:29:50 | Computer Name = ChrisA-PC | Source = Application Hang | ID = 1002
Description = The program OUTLOOK.EXE version 11.0.5510.0 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: cbc Start
Time: 01ccd7ba5a46a397 Termination Time: 0 Application Path: C:\Program Files\Microsoft
Office\OFFICE11\OUTLOOK.EXE Report Id: df9cbbd8-43ad-11e1-97ac-a4badbff0786

Error - 20/01/2012 18:46:16 | Computer Name = ChrisA-PC | Source = Application Hang | ID = 1002
Description = The program OUTLOOK.EXE version 11.0.5510.0 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: f08 Start
Time: 01ccd7c53c93d4c9 Termination Time: 15 Application Path: C:\Program Files\Microsoft
Office\OFFICE11\OUTLOOK.EXE Report Id: 8b46d740-43b8-11e1-9967-a4badbff0786

Error - 22/01/2012 10:45:48 | Computer Name = ChrisA-PC | Source = Microsoft-Windows-CertificateServicesClient | ID = 1001
Description = Certificate Services Client failed to load Provider pautoenr.dll.
Error code 32.

Error - 22/01/2012 10:45:48 | Computer Name = ChrisA-PC | Source = Microsoft-Windows-CertificateServicesClient | ID = 1003
Description = Certificate Services Client failed to invoke the Providers in response
to event 256. Error code 2147942432.

[ System Events ]
Error - 22/01/2012 10:44:35 | Computer Name = ChrisA-PC | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.119.260.0 Update Source: %%859 Update Stage:
%%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

User:
NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8001.0 Error
code: 0x8024001e Error description: An unexpected problem occurred while checking
for updates. For information on installing or troubleshooting updates, see Help
and Support.

Error - 22/01/2012 10:45:52 | Computer Name = ChrisA-PC | Source = Microsoft Antimalware | ID = 3002
Description = %%860 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x80004005 Error description: Unspecified error Reason: %%842

Error - 22/01/2012 10:47:29 | Computer Name = ChrisA-PC | Source = Microsoft Antimalware | ID = 3002
Description = %%860 Real-Time Protection feature has encountered an error and failed.

Feature:
%%835 Error Code: 0x80004005 Error description: Unspecified error Reason: %%842

Error - 22/01/2012 10:47:43 | Computer Name = ChrisA-PC | Source = Service Control Manager | ID = 7023
Description = The Windows Modules Installer service terminated with the following
error: %%16405

Error - 22/01/2012 10:49:08 | Computer Name = ChrisA-PC | Source = UmrdpService | ID = 1111
Description = Driver PrimoPDF required for printer PrimoPDF is unknown. Contact
the administrator to install the driver before you log in again.

Error - 22/01/2012 11:55:59 | Computer Name = ChrisA-PC | Source = UmrdpService | ID = 1111
Description = Driver PrimoPDF required for printer PrimoPDF is unknown. Contact
the administrator to install the driver before you log in again.

Error - 22/01/2012 17:16:33 | Computer Name = ChrisA-PC | Source = UmrdpService | ID = 1111
Description = Driver PrimoPDF required for printer PrimoPDF is unknown. Contact
the administrator to install the driver before you log in again.

Error - 22/01/2012 17:21:16 | Computer Name = ChrisA-PC | Source = Service Control Manager | ID = 7030
Description = The PEVSystemStart service is marked as an interactive service. However,
the system is configured to not allow interactive services. This service may not
function properly.

Error - 22/01/2012 17:22:57 | Computer Name = ChrisA-PC | Source = Service Control Manager | ID = 7030
Description = The PEVSystemStart service is marked as an interactive service. However,
the system is configured to not allow interactive services. This service may not
function properly.

Error - 22/01/2012 17:24:35 | Computer Name = ChrisA-PC | Source = Service Control Manager | ID = 7030
Description = The PEVSystemStart service is marked as an interactive service. However,
the system is configured to not allow interactive services. This service may not
function properly.


< End of report >
 
Good news :)

OTL log is perfectly clean.

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


3. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


4. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE. If Eset won't find any threats, it won't produce any log.
 
Results of screen317's Security Check version 0.99.24
Windows 7 x86 (UAC is disabled!)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
ESET Online Scanner v3
Microsoft Security Essentials
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
```````````````````````````````
Anti-malware/Other Utilities Check:
Java(TM) 6 Update 30
Adobe Flash Player 11.1.102.55
Adobe Reader X (10.1.2)
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
Microsoft Security Client Antimalware NisSrv.exe
``````````End of Log````````````



=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



Farbar Service Scanner Version: 18-01-2012 01
Ran by ChrisA (administrator) on 22-01-2012 at 22:09:06
Microsoft Windows 7 Professional (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2012-01-21 10:05] - [2011-09-29 15:43] - 1285488 ____A (Microsoft Corporation) 56C198AC82EFA622DD93E9E43575F79C

C:\Windows\system32\dnsrslvr.dll
[2012-01-21 10:04] - [2011-03-03 05:29] - 0132608 ____A (Microsoft Corporation) B15BE77A2BACF9C3177D27518AFE26A9

C:\Windows\system32\mpssvc.dll
[2009-07-13 23:53] - [2009-07-14 01:15] - 0565760 ____A (Microsoft Corporation) 5CD996CECF45CBC3E8D109C86B82D69E

C:\Windows\system32\bfe.dll
[2009-07-13 23:54] - [2009-07-14 01:14] - 0493568 ____A (Microsoft Corporation) 85AC71C045CEB054ED48A7841AAE0C11

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll
[2009-07-13 23:23] - [2009-07-14 01:16] - 0125952 ____A (Microsoft Corporation) 5FD90ABDBFAEE85986802622CBB03446

C:\Windows\system32\vssvc.exe
[2009-07-13 23:24] - [2009-07-14 01:14] - 1025536 ____A (Microsoft Corporation) 7EA2BCD94D9CFAF4C556F5CC94532A6C

C:\Windows\system32\wscsvc.dll
[2012-01-20 23:18] - [2010-12-21 05:38] - 0073728 ____A (Microsoft Corporation) A661A76333057B383A06E65F0073222F

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll
[2009-07-14 00:15] - [2009-07-14 01:16] - 1912832 ____A (Microsoft Corporation) A33408CC036F9C08142B11BE5E93F0A1

C:\Windows\system32\qmgr.dll
[2009-07-13 23:30] - [2009-07-14 01:16] - 0589312 ____A (Microsoft Corporation) 53F476476F55A27F580661BDE09C4EC4

C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2009-07-13 23:33] - [2009-07-14 01:15] - 0135680 ____A (Microsoft Corporation) 9C231178CE4FB385F4B54B0A9080B8A4

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****




=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



No threats found on ESET
 
Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code: 
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current (including Service Pack 1 installation!!!)

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.
 
All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: ChrisA
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 2760375 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 13866044 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 1653845 bytes

Total Files Cleaned = 17.00 mb


[EMPTYFLASH]

User: All Users

User: ChrisA
->Flash cache emptied: 0 bytes

User: Default

User: Default User

User: Public

User: UpdatusUser

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: All Users

User: ChrisA
->Java cache emptied: 0 bytes

User: Default

User: Default User

User: Public

User: UpdatusUser

Total Java Files Cleaned = 0.00 mb



OTL by OldTimer - Version 3.2.31.0 log created on 01222012_232623

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\FXSAPIDebugLogFile.txt scheduled to be moved on reboot.
File move failed. C:\Windows\temp\FXSTIFFDebugLogFile.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Everything seems to be running good. Thank you Broni :grinthumb
 
You must log in or register to reply here.

Similar threads

uber_beetle
Infected with fake ad pop-ups - posting FRST and Addition
Replies
12
Views
2K
uber_beetle
uber_beetle
wshknwntlprtmn
  • Locked
Inactive Not sure what's going on here....
Replies
12
Views
3K
Broni
Broni
A
Infected: Antivirus says it's Trojan:Script/Wacatac.H!ml
Replies
12
Views
3K
adidaman27
A

Latest posts

Back