Solved Infected netbt.sys

[lstalker]

I read we were supposed to reply with the results of the GMER and other scans. The virus I have seemed to come upon is a Trojan Horse Backdoor. Generic 14 that infected my netbt.sys. My AVG wont remove it because the file is "whitelisted" Can someone tell me how to remove it? Thank you for your time.

My logs are as follows

Malwarebytes' Anti-Malware 1.51.2.1300


Database version: 8393

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19170

12/18/2011 5:55:07 PM
mbam-log-2011-12-18 (17-55-07).txt

Scan type: Quick scan
Objects scanned: 199356
Time elapsed: 2 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER 1.0.15.15641 -
Rootkit scan 2011-12-19 18:00:42
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\00000052 ST325041 rev.3.AA
Running: b3v2l36g.exe; Driver: C:\Users\STALKE~1\AppData\Local\Temp\awtyypow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x9D7AFF3C]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x9D7AFFE4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x9D7B0080]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x9D7B011C]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 3F1 81CBFB74 4 Bytes [3C, FF, 7A, 9D] {CMP AL, 0xff; JP 0xffffffffffffffa1}
.text ntkrnlpa.exe!KeSetEvent + 621 81CBFDA4 8 Bytes [E4, FF, 7A, 9D, 80, 00, 7B, ...] {IN AL, 0xff; JP 0xffffffffffffffa1; ADD BYTE [EAX], 0x7b; POPF }
.text ntkrnlpa.exe!KeSetEvent + 681 81CBFE04 4 Bytes JMP FCCD1A8A
.text ntkrnlpa.exe!KeSetEvent + 3F1 81CBFB74 4 Bytes [3C, FF, 7A, 9D] {CMP AL, 0xff; JP 0xffffffffffffffa1}
.text ntkrnlpa.exe!KeSetEvent + 621 81CBFDA4 8 Bytes [E4, FF, 7A, 9D, 80, 00, 7B, ...] {IN AL, 0xff; JP 0xffffffffffffffa1; ADD BYTE [EAX], 0x7b; POPF }
.text ...
? System32\drivers\tqfx.sys The system cannot find the path specified. !
? System32\drivers\tqfx.sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3196] ntdll.dll!LdrLoadDll 776793A8 5 Bytes JMP 63E22EC0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3196] USER32.dll!GetWindowInfo 75C7428E 5 Bytes JMP 63FA5210 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3196] ntdll.dll!LdrLoadDll 776793A8 5 Bytes JMP 63E22EC0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3196] USER32.dll!GetWindowInfo 75C7428E 5 Bytes JMP 63FA5210 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73D17817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73D6A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73D1BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73D0F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73D175E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73D0E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73D48395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73D1DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73D0FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73D0FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73D071CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73D9CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73D3C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73D0D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73D06853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73D0687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73D12AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73D17817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73D6A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73D1BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73D0F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73D175E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73D0E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73D48395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73D1DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73D0FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73D0FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73D071CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73D9CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73D3C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73D0D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73D06853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73D0687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2028] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73D12AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB52025$\1922021814 0 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\@ 2048 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\bckfg.tmp 852 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\cfg.ini 207 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\Desktop.ini 4608 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\keywords 226 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\kwrd.dll 223744 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\L 0 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\L\qnbwvoto 185856 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\lsflt7.ver 5176 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\U 0 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\U\00000001.@ 2048 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\U\00000002.@ 224768 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\U\00000004.@ 1024 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\U\80000000.@ 1024 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\U\80000004.@ 12800 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\U\80000032.@ 98304 bytes
File C:\Windows\$NtUninstallKB52025$\2073580775 0 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814 0 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\@ 2048 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\bckfg.tmp 852 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\cfg.ini 207 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\Desktop.ini 4608 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\keywords 226 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\kwrd.dll 223744 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\L 0 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\L\qnbwvoto 185856 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\lsflt7.ver 5176 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\U 0 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\U\00000001.@ 2048 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\U\00000002.@ 224768 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\U\00000004.@ 1024 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\U\80000000.@ 1024 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\U\80000004.@ 12800 bytes
File C:\Windows\$NtUninstallKB52025$\1922021814\U\80000032.@ 98304 bytes
File C:\Windows\$NtUninstallKB52025$\2073580775 0 bytes

---- EOF - GMER 1.0.15 ----

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 5/22/2011 8:49:03 PM
System Uptime: 12/18/2011 5:44:24 PM (25 hours ago)
.
Motherboard: alienware | | alienware
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 6400+ | Socket M2 | 3200/201mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 226 GiB total, 41.567 GiB free.
D: is CDROM ()
E: is FIXED (FAT32) - 298 GiB total, 236.233 GiB free.
F: is FIXED (FAT32) - 298 GiB total, 183.572 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP173: 11/29/2011 2:24:32 AM - Windows Update
RP174: 12/2/2011 1:42:28 AM - Windows Update
RP175: 12/6/2011 2:24:29 AM - Windows Update
RP176: 12/8/2011 2:24:39 AM - Windows Update
RP177: 12/9/2011 2:24:44 AM - Windows Update
RP178: 12/15/2011 3:00:13 AM - Windows Update
RP179: 12/15/2011 9:41:12 PM - Scheduled Checkpoint
RP180: 12/16/2011 12:30:09 PM - Scheduled Checkpoint
RP181: 12/16/2011 8:55:24 PM - Installed AVG 2012
RP182: 12/16/2011 8:56:10 PM - Installed AVG 2012
.
==== Installed Programs ======================
.
7-Zip 9.20
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.1)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG 2012
AVS Screen Capture version 2.0.1
AVS Update Manager 1.0
AVS Video Editor 6
AVS Video Recorder 2.4
AVS4YOU Software Navigator 1.4
Bonjour
Deus Ex: Human Revolution
Google Chrome
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
Java Auto Updater
Java(TM) 6 Update 26
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Excel 2000 SR-1
Microsoft PowerPoint 2000 SR-1
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Word 2000 SR-1
Mozilla Firefox 8.0 (x86 en-US)
NVIDIA 3D Vision Controller Driver
NVIDIA 3D Vision Controller Driver 270.61
NVIDIA 3D Vision Driver 270.61
NVIDIA Control Panel 270.61
NVIDIA Drivers
NVIDIA Graphics Driver 270.61
NVIDIA Install Application
NVIDIA PhysX
NVIDIA PhysX System Software 9.10.0514
NVIDIA Stereoscopic 3D Driver
NVIDIA Update 1.1.34
NVIDIA Update Components
Oblivion
QuickTime
Roblox for StalkerAdmin
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Skype Click to Call
Skype™ 5.5
StartNow Toolbar
Steam
The Elder Scrolls V: Skyrim
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
.
==== Event Viewer Messages From Past Week ========
.
12/18/2011 5:46:24 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Null
12/18/2011 5:46:24 PM, Error: Service Control Manager [7023] - The Network Security service terminated with the following error: The specified module could not be found.
12/18/2011 5:46:24 PM, Error: Service Control Manager [7023] - The Network ProService service terminated with the following error: The specified module could not be found.
12/18/2011 5:46:24 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
12/18/2011 5:46:24 PM, Error: Service Control Manager [7003] - The TCP/IP NetBIOS Helper service depends the following service: NetBT. This service might not be installed.
12/18/2011 5:46:24 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
12/18/2011 5:46:24 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
12/16/2011 8:48:54 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
12/16/2011 8:48:26 AM, Error: Service Control Manager [7030] - The Network ProService service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
12/16/2011 11:59:22 AM, Error: EventLog [6008] - The previous system shutdown at 11:52:59 AM on 12/16/2011 was unexpected.
12/15/2011 4:09:16 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Updater Service for StartNow Toolbar service to connect.
12/15/2011 4:08:23 PM, Error: EventLog [6008] - The previous system shutdown at 2:56:06 PM on 12/15/2011 was unexpected.
12/13/2011 8:28:40 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.
12/13/2011 8:28:40 PM, Error: Service Control Manager [7000] - The Steam Client Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19170 BrowserJavaVersion: 1.6.0_26
Run by StalkerAdmin at 18:03:42 on 2011-12-19
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3071.1094 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Steam\SteamService.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: StartNow Toolbar Helper: {6e13d095-45c3-4271-9475-f3b48227dd9f} - c:\program files\startnow toolbar\Toolbar32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - c:\program files\startnow toolbar\Toolbar32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [StartNowToolbarHelper] "c:\program files\startnow toolbar\ToolbarHelper.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: mswsock.dll
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{C2AE57E4-E12C-4A90-B2EF-8B6782518A74} : DhcpNameServer = 10.0.0.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\stalkeradmin\appdata\roaming\mozilla\firefox\profiles\41gxg4ef.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\users\stalkeradmin\appdata\local\roblox\versions\version-fb3436d54f9e4598\NPRobloxProxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 amacpi;Microsoft Away Mode System;c:\windows\system32\drivers\null.sys [2011-5-26 4608]
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2011-5-26 21504]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-5-22 2218600]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2011-4-7 378472]
R2 Updater Service for StartNow Toolbar;Updater Service for StartNow Toolbar;c:\program files\startnow toolbar\ToolbarUpdaterService.exe [2011-7-27 267488]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-10-4 136176]
S2 XMLProvS;Network ProService;c:\windows\system32\svchost.exe -k xmlpros [2011-5-26 21504]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-10-4 136176]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2011-5-26 16896]
.
=============== Created Last 30 ================
.
2011-12-18 22:35:21 -------- d-----w- c:\users\stalkeradmin\appdata\roaming\Malwarebytes
2011-12-18 22:35:19 -------- d-----w- c:\programdata\Malwarebytes
2011-12-18 22:35:16 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-18 22:35:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-17 02:18:37 -------- d--h--w- C:\$AVG
2011-12-17 01:58:35 -------- d-----w- c:\users\stalkeradmin\appdata\roaming\AVG2012
2011-12-17 01:56:56 -------- d-----w- c:\windows\system32\drivers\AVG
2011-12-17 01:56:56 -------- d-----w- c:\programdata\AVG2012
2011-12-17 01:55:47 -------- d-----w- c:\program files\AVG
2011-12-17 01:51:47 -------- d--h--w- c:\programdata\Common Files
2011-12-17 01:51:29 -------- d-----w- c:\programdata\MFAData
2011-12-09 07:25:11 6823496 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{8d408ee1-f023-4844-afc2-695f270c1db9}\mpengine.dll
.
==================== Find3M ====================
.
2011-12-12 01:41:28 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-08 14:42:19 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-03 06:22:04 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 06:17:38 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-03 06:17:23 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-03 06:17:08 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-11-03 06:17:08 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-11-03 05:22:43 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 04:45:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-11-03 04:43:59 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-27 08:01:53 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-27 08:01:53 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 15:56:04 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-14 16:02:19 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-10-07 11:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 11:21:16 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
.
============= FINISH: 18:04:11.77 ===============

I am new to the forums and I might be a little slow so be warned. Thank you once again!

 

[Broni]

Welcome aboard

Please, observe following rules:

• Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
• If you're stuck, or you're not sure about certain step, always ask before doing anything else.
• Please refrain from running tools or applying updates other than those I suggest.
• Never run more than one scan at a time.
• Keep updating me regarding your computer behavior, good, or bad.
• The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
• If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
• I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

===============================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan:


On completion of the scan click "Save log", save it to your desktop and post in your next reply:


NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

==============================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   NOTE1. If Combofix asks you to install Recovery Console, please allow it.
   NOTE 2. If Combofix asks you to update the program, always do so.
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

• Double-click on the Rkill desktop icon to run the tool.
• If using Vista or Windows 7 right-click on it and choose Run As Administrator.
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• Do not reboot until instructed.
• If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[lstalker]

ran the scans - clean?

I removed avg and malaware anti-virus (because I couldn't figure out how to disable this), and ran both scans. I initially thought combofix was hanging up midway because it seemed frozen, so I started over and left it running all night. This morning I have a log. Here are both logs. Is my computer clean? Thanks so much!!!

aswMBR version 0.9.9.1116 Copyright(c) 2011 AVAST Software
Run date: 2011-12-21 18:22:23
-----------------------------
18:22:23.521 OS Version: Windows 6.0.6002 Service Pack 2
18:22:23.521 Number of processors: 2 586 0x4303
18:22:23.521 ComputerName: STALKERADMIN-PC UserName: StalkerAdmin
18:22:33.739 Initialize success
18:24:04.991 AVAST engine defs: 11122102
18:33:56.371 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000004b
18:33:56.371 Disk 0 Vendor: ST325041 3.AA Size: 238475MB BusType: 6
18:33:58.399 Disk 0 MBR read successfully
18:33:58.399 Disk 0 MBR scan
18:33:58.415 Disk 0 Windows VISTA default MBR code
18:33:58.415 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 231107 MB offset 63
18:33:58.446 Disk 0 Partition 2 00 12 Compaq diag NTFS 7364 MB offset 473309184
18:33:58.477 Disk 0 scanning sectors +488390656
18:33:58.540 Disk 0 scanning C:\Windows\system32\drivers
18:34:03.220 File: C:\Windows\system32\drivers\netbt.sys **INFECTED** Win32:Smadow [Rtk]
18:34:07.697 Service scanning
18:34:08.680 Modules scanning
18:34:13.250 Disk 0 trace - called modules:
18:34:13.781 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
18:34:13.781 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86765130]
18:34:13.796 3 CLASSPNP.SYS[8a3b28b3] -> nt!IofCallDriver -> [0x857a0958]
18:34:13.796 5 acpi.sys[8220f6bc] -> nt!IofCallDriver -> \Device\0000004b[0x857a0b88]
18:34:14.764 AVAST engine scan C:\Windows
18:34:16.979 AVAST engine scan C:\Windows\system32
18:36:24.852 AVAST engine scan C:\Windows\system32\drivers
18:36:29.688 File: C:\Windows\system32\drivers\netbt.sys **INFECTED** Win32:Smadow [Rtk]
18:36:34.992 AVAST engine scan C:\Users\StalkerAdmin
18:50:11.132 Disk 0 MBR has been saved successfully to "C:\Users\StalkerAdmin\Desktop\MBR.dat"
18:50:11.147 The log file has been saved successfully to "C:\Users\StalkerAdmin\Desktop\aswMBR.txt"


ComboFix 11-12-21.02 - StalkerAdmin 12/21/2011 21:01:12.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3071.2111 [GMT -5:00]
Running from: c:\users\StalkerAdmin\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-11-22 to 2011-12-22 )))))))))))))))))))))))))))))))
.
.
2011-12-22 02:13 . 2011-12-22 03:09 -------- d-----w- c:\users\StalkerAdmin\AppData\Local\temp
2011-12-22 02:13 . 2011-12-22 02:13 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2011-12-22 02:13 . 2011-12-22 02:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-18 22:35 . 2011-12-18 22:35 -------- d-----w- c:\users\StalkerAdmin\AppData\Roaming\Malwarebytes
2011-12-18 22:35 . 2011-12-18 22:35 -------- d-----w- c:\programdata\Malwarebytes
2011-12-18 22:35 . 2011-12-21 23:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-17 02:18 . 2011-12-17 02:18 -------- d-----w- C:\$AVG
2011-12-17 01:58 . 2011-12-17 01:58 -------- d-----w- c:\users\StalkerAdmin\AppData\Roaming\AVG2012
2011-12-17 01:56 . 2011-12-21 22:47 -------- d-----w- c:\programdata\AVG2012
2011-12-17 01:51 . 2011-12-17 01:51 -------- d--h--w- c:\programdata\Common Files
2011-12-17 01:51 . 2011-12-21 22:45 -------- d-----w- c:\programdata\MFAData
2011-12-09 07:25 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8D408EE1-F023-4844-AFC2-695F270C1DB9}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-12 01:41 . 2011-05-22 22:38 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-09 22:46 . 2011-05-23 00:08 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Steam"="c:\program files\Steam\Steam.exe" [2011-09-07 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-10-04 136176]
R2 XMLProvS;Network ProService;c:\windows\System32\svchost.exe [2008-01-19 21504]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-10-04 136176]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]
S0 amacpi;Microsoft Away Mode System;c:\windows\system32\DRIVERS\null.sys [2008-01-19 4608]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-04-08 2218600]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-04-08 378472]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
xmlpros REG_MULTI_SZ XMLProvS
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-04 20:16]
.
2011-12-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-04 20:16]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 10.0.0.1
FF - ProfilePath - c:\users\StalkerAdmin\AppData\Roaming\Mozilla\Firefox\Profiles\41gxg4ef.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-StartNowToolbarHelper - c:\program files\StartNow Toolbar\ToolbarHelper.exe
HKLM-Run-Malwarebytes' Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
AddRemove-StartNow Toolbar - c:\program files\StartNow Toolbar\StartNowToolbarUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-21 22:09
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,30,a3,3c,41,a0,ba,66,42,a3,d1,90,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,30,a3,3c,41,a0,ba,66,42,a3,d1,90,\
.
Completion time: 2011-12-21 22:11:45
ComboFix-quarantined-files.txt 2011-12-22 03:11
.
Pre-Run: 45,057,929,216 bytes free
Post-Run: 45,110,566,912 bytes free
.
- - End Of File - - F354C625C28D9882CB0CA5F6EF6D5376

 

[Broni]

It looks like netbt.sys file is still infected.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
64-bit users go HERE

• Double-click SystemLook.exe to run it.
• Vista\Win 7 users:: Right click on SystemLook.exe, click Run As Administrator
• Copy the content of the following box and paste it into the main textfield:
  

  :filefind
  netbt.sys

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

 

[lstalker]

Ran the Scan

I just wanted to say thank you once again for helping me. I am on Winter Break right now and I'm really thankful that you are helping me fix my computer. I hope virus is gone now! :wave:

SystemLook 30.07.11 by jpshortstuff
Log created at 08:34 on 23/12/2011 by StalkerAdmin
Administrator - Elevation successful

========== filefind ==========

Searching for "netbt.sys"
C:\Windows\System32\drivers\netbt.sys --a---- 185856 bytes [01:48 14/07/2011] [04:45 11/04/2009] 5C5C366A95A15CE1272BDAC611F97DA1
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6000.16386_none_5e2e0665fa591691\netbt.sys --a---- 184320 bytes [08:57 02/11/2006] [08:57 02/11/2006] E3A168912E7EEFC3BD3B814720D68B41
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys --a---- 184320 bytes [19:58 26/05/2011] [05:55 19/01/2008] 7C5FEE5B1C5728507CD96FB4A13E7A02

-= EOF =-


I also have a question if you would please answer. Is it safe to use my computers for games? Thanks again!

 

[Broni]

You can play games

1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

FCopy::
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6000.16386_none_5e2e0665fa591691\netbt.sys | C:\Windows\System32\drivers\netbt.sys

ClearJavaCache::

3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt

Post new aswMBR log as well.

 

[lstalker]

ComboFix 11-12-23.01 - StalkerAdmin 12/23/2011 12:53:32.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3071.2444 [GMT -5:00]
Running from: c:\users\StalkerAdmin\Downloads\ComboFix.exe
Command switches used :: c:\users\StalkerAdmin\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6000.16386_none_5e2e0665fa591691\netbt.sys --> c:\windows\System32\drivers\netbt.sys
.
((((((((((((((((((((((((( Files Created from 2011-11-23 to 2011-12-23 )))))))))))))))))))))))))))))))
.
.
2011-12-23 17:57 . 2011-12-23 17:58 -------- d-----w- c:\users\StalkerAdmin\AppData\Local\temp
2011-12-23 17:57 . 2011-12-23 17:57 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2011-12-23 17:57 . 2011-12-23 17:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-18 22:35 . 2011-12-18 22:35 -------- d-----w- c:\users\StalkerAdmin\AppData\Roaming\Malwarebytes
2011-12-18 22:35 . 2011-12-18 22:35 -------- d-----w- c:\programdata\Malwarebytes
2011-12-18 22:35 . 2011-12-21 23:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-17 02:18 . 2011-12-17 02:18 -------- d-----w- C:\$AVG
2011-12-17 01:58 . 2011-12-17 01:58 -------- d-----w- c:\users\StalkerAdmin\AppData\Roaming\AVG2012
2011-12-17 01:56 . 2011-12-21 22:47 -------- d-----w- c:\programdata\AVG2012
2011-12-17 01:51 . 2011-12-17 01:51 -------- d--h--w- c:\programdata\Common Files
2011-12-17 01:51 . 2011-12-21 22:45 -------- d-----w- c:\programdata\MFAData
2011-12-09 07:25 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8D408EE1-F023-4844-AFC2-695F270C1DB9}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-12 01:41 . 2011-05-22 22:38 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-09 22:46 . 2011-05-23 00:08 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Steam"="c:\program files\Steam\Steam.exe" [2011-09-07 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-10-04 136176]
R2 XMLProvS;Network ProService;c:\windows\System32\svchost.exe [2008-01-19 21504]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-10-04 136176]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]
S0 amacpi;Microsoft Away Mode System;c:\windows\system32\DRIVERS\null.sys [2008-01-19 4608]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-04-08 2218600]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-04-08 378472]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
xmlpros REG_MULTI_SZ XMLProvS
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-04 20:16]
.
2011-12-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-04 20:16]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 10.0.0.1
FF - ProfilePath - c:\users\StalkerAdmin\AppData\Roaming\Mozilla\Firefox\Profiles\41gxg4ef.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-23 12:58
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,30,a3,3c,41,a0,ba,66,42,a3,d1,90,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,30,a3,3c,41,a0,ba,66,42,a3,d1,90,\
.
Completion time: 2011-12-23 12:59:35
ComboFix-quarantined-files.txt 2011-12-23 17:59
ComboFix2.txt 2011-12-22 03:11
.
Pre-Run: 49,033,592,832 bytes free
Post-Run: 49,011,552,256 bytes free
.
- - End Of File - - AA67099EB3559F9C9E9676895442BAAE

Above is the combofix log. I don't have a new aswMBR log. Did I need to run something else too? So it's ok to play skyrim, minecraft, wow, etc? Thanks again! You are very helpful.

 

[Broni]

You can play games.

I need you to re-run aswMBR. You have it on your desktop.

 

[lstalker]

aswmbr won't work

aswmbr wasn't on desktop. won't open from downloads anymore. says the directory is not available. tried getting new copy from your previous link. same error message. should i try to download the free trial copy from avast.com or do you have another suggestion? I am definitely going to give you a donation for your time. So sorry and thanks again!

 

[Broni]

What are the current issues?

Is AVG still complaining?

Download Bootkit Remover to your Desktop.

• Unzip downloaded file to your Desktop.
• Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
• It will show a Black screen with some data on it.
• Right click on the screen and click Select All.
• Press CTRL+C
• Open a Notepad and press CTRL+V
• Post the output back here.

 

[lstalker]

can't open downloads

avg was uninstalled so that is not the problem.

I cannot open bootkit either. The error message says "the directory name is invalid."

What do you think is wrong?

 

[Broni]

Lets run the following tool. This will help determine which files need permissions restored.

Please download and save Junction.zip

Unzip it and place Junction.exe in the Windows directory (C:\Windows).
Go to Start>Run (Vista and Windows 7 users use "Start search" box).
Copy and paste the following command in the Run box and click OK (Vista and Windows 7 users press "Enter"):

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system.
Wait until a log file opens.
Copy and paste the log in your next reply.

 

[lstalker]

No progress

It doesn't appear that anything happened. No screen appeared. No log. It has been about 30 minutes. Should I wait longer? Another idea?

What kinds of things should I avoid using this computer for, aka what will this virus do?

Thank you for any suggestions!!!

 

[Broni]

Turn the computer off.
Wait 1 minute.
Restart.
Try aswMBR and Bootkit Remover again.

 

[lstalker]

Restarting!

Restarting worked! For some reason though Boot Cleaner log would not copy.

aswMBR version 0.9.9.1116 Copyright(c) 2011 AVAST Software
Run date: 2011-12-23 15:38:30
-----------------------------
15:38:30.390 OS Version: Windows 6.0.6002 Service Pack 2
15:38:30.390 Number of processors: 2 586 0x4303
15:38:30.390 ComputerName: STALKERADMIN-PC UserName: StalkerAdmin
15:38:31.514 Initialize success
15:40:37.585 AVAST engine defs: 11122301
15:41:31.468 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000004c
15:41:31.468 Disk 0 Vendor: ST325041 3.AA Size: 238475MB BusType: 6
15:41:33.511 Disk 0 MBR read successfully
15:41:33.527 Disk 0 MBR scan
15:41:33.542 Disk 0 Windows VISTA default MBR code
15:41:33.542 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 231107 MB offset 63
15:41:33.574 Disk 0 Partition 2 00 12 Compaq diag NTFS 7364 MB offset 473309184
15:41:33.620 Disk 0 scanning sectors +488390656
15:41:33.714 Disk 0 scanning C:\Windows\system32\drivers
15:41:47.879 Service scanning
15:41:49.033 Modules scanning
15:41:53.963 Disk 0 trace - called modules:
15:41:53.994 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
15:41:53.994 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x866f5940]
15:41:54.010 3 CLASSPNP.SYS[8a3ab8b3] -> nt!IofCallDriver -> [0x8535e478]
15:41:54.010 5 acpi.sys[822086bc] -> nt!IofCallDriver -> \Device\0000004c[0x8498e2f8]
15:41:55.055 AVAST engine scan C:\Windows
15:41:58.019 AVAST engine scan C:\Windows\system32
15:44:24.128 AVAST engine scan C:\Windows\system32\drivers
15:44:33.052 AVAST engine scan C:\Users\StalkerAdmin
15:48:18.284 Disk 0 MBR has been saved successfully to "C:\Users\StalkerAdmin\Desktop\MBR.dat"
15:48:18.300 The log file has been saved successfully to "C:\Users\StalkerAdmin\Desktop\aswMBR 3.txt"

Is this a good sign?

 

[Broni]

That looks good

Any current issues?

Download OTL to your Desktop.

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Click the Scan All Users checkbox.
• Under the Custom Scan box paste this in:

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

 

[lstalker]

Thank You

Thanks so much for all you've done! :grinthumb

Here is the OTL one.

OTL logfile created on: 12/23/2011 5:58:36 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\StalkerAdmin\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19170)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.14 Gb Available Physical Memory | 71.47% Memory free
6.20 Gb Paging File | 5.21 Gb Available in Paging File | 84.03% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 225.69 Gb Total Space | 45.51 Gb Free Space | 20.16% Space Free | Partition Type: NTFS
Drive E: | 298.02 Gb Total Space | 236.23 Gb Free Space | 79.27% Space Free | Partition Type: FAT32
Drive F: | 298.02 Gb Total Space | 183.57 Gb Free Space | 61.60% Space Free | Partition Type: FAT32

Computer Name: STALKERADMIN-PC | User Name: StalkerAdmin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/23 17:56:53 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\StalkerAdmin\Desktop\OTL.exe
PRC - [2011/12/13 20:28:28 | 000,419,624 | ---- | M] (Valve Corporation) -- C:\Program Files\Common Files\Steam\SteamService.exe
PRC - [2011/11/09 17:46:08 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/09/07 17:55:07 | 001,242,448 | ---- | M] (Valve Corporation) -- C:\Program Files\Steam\steam.exe
PRC - [2011/06/06 11:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/04/08 00:14:00 | 002,218,600 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
PRC - [2011/04/07 21:44:58 | 000,373,864 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
PRC - [2011/04/07 21:44:48 | 000,841,832 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
PRC - [2011/04/07 20:54:52 | 000,378,472 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2011/12/13 20:28:28 | 014,410,024 | ---- | M] () -- C:\Program Files\Steam\bin\libcef.dll
MOD - [2011/12/13 20:27:57 | 000,194,344 | ---- | M] () -- C:\Program Files\Steam\bin\chromehtml.dll
MOD - [2011/12/13 20:27:56 | 000,914,216 | ---- | M] () -- C:\Program Files\Steam\bin\avcodec-52.dll
MOD - [2011/12/13 20:27:56 | 000,155,432 | ---- | M] () -- C:\Program Files\Steam\bin\avformat-52.dll
MOD - [2011/12/13 20:27:56 | 000,091,432 | ---- | M] () -- C:\Program Files\Steam\bin\avutil-50.dll
MOD - [2011/11/09 17:46:08 | 001,989,592 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/03/21 16:30:20 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (XMLProvS)
SRV - File not found [Auto | Stopped] -- -- (FastUserSwitchingCompatibility)
SRV - [2011/12/13 20:28:28 | 000,419,624 | ---- | M] (Valve Corporation) [On_Demand | Running] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2011/06/06 11:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/04/08 00:14:00 | 002,218,600 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2011/04/07 20:54:52 | 000,378,472 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)


========== Driver Services (SafeList) ==========

DRV - [2011/04/08 00:14:00 | 010,690,024 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/08/01 18:51:14 | 001,052,704 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2008/01/19 01:14:59 | 000,016,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV - [2007/08/09 17:12:30 | 000,110,624 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\nvstor32.sys -- (nvstor32)
DRV - [2007/02/03 09:32:36 | 000,041,504 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2007/02/03 09:25:56 | 001,075,360 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Camdrl.sys -- (CamDrL) Logitech QuickCam Pro 3000(CamDrl)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-4145713665-4275765477-3218478355-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?pc=Z206&install_date=20111012
IE - HKU\S-1-5-21-4145713665-4275765477-3218478355-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-4145713665-4275765477-3218478355-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = C0 0E 72 9A 9E 80 CC 01 [binary data]
IE - HKU\S-1-5-21-4145713665-4275765477-3218478355-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-4145713665-4275765477-3218478355-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-4145713665-4275765477-3218478355-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@nsroblox.roblox.com/launcher: C:\Users\StalkerAdmin\AppData\Local\Roblox\Versions\version-fb3436d54f9e4598\\NPRobloxProxy.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/09 17:46:08 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/05/22 19:30:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\StalkerAdmin\AppData\Roaming\Mozilla\Extensions
[2011/12/21 17:47:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\StalkerAdmin\AppData\Roaming\Mozilla\Firefox\Profiles\41gxg4ef.default\extensions
[2011/11/09 17:46:09 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/10/27 17:10:15 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
() (No name found) -- C:\USERS\STALKERADMIN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\41GXG4EF.DEFAULT\EXTENSIONS\{73A6FE31-595D-460B-A920-FCC0F8843232}.XPI
[2011/11/09 17:46:08 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml.old
[2011/11/09 17:46:08 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{googleriginalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\15.0.874.106\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U26 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\15.0.874.106\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\15.0.874.106\pdf.dll
CHR - plugin: Skype Toolbars (Enabled) = C:\Users\StalkerAdmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.6.0.8312_0\npSkypeChromePlugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
CHR - plugin: NVIDIA 3D Vision (Enabled) = C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll
CHR - plugin: NVIDIA 3D VISION (Enabled) = C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Skype Click to Call = C:\Users\StalkerAdmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.6.0.8312_0\

Hosts file not found
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O4 - HKU\S-1-5-21-4145713665-4275765477-3218478355-1000..\Run: [Steam] C:\Program Files\Steam\Steam.exe (Valve Corporation)
O4 - HKU\S-1-5-21-4145713665-4275765477-3218478355-1000..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-4145713665-4275765477-3218478355-1001..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4145713665-4275765477-3218478355-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4145713665-4275765477-3218478355-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-4145713665-4275765477-3218478355-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C2AE57E4-E12C-4A90-B2EF-8B6782518A74}: DhcpNameServer = 10.0.0.1
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Public\Pictures\Sample Pictures\Forest.jpg
O24 - Desktop BackupWallPaper: C:\Users\Public\Pictures\Sample Pictures\Forest.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2008/01/22 15:55:48 | 000,000,000 | ---D | M] - E:\autorun -- [ FAT32 ]
O32 - AutoRun File - [2008/01/22 15:55:48 | 000,000,000 | ---D | M] - F:\autorun -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: MSVideo - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.I420 - C:\Windows\System32\lvcodec2.dll (Logitech Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/12/23 17:56:53 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\StalkerAdmin\Desktop\OTL.exe
[2011/12/23 15:35:34 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/12/23 14:14:31 | 000,000,000 | ---D | C] -- C:\Users\StalkerAdmin\Desktop\bootkit_remover(1)
[2011/12/23 12:59:37 | 000,000,000 | ---D | C] -- C:\Users\StalkerAdmin\AppData\Local\temp
[2011/12/23 12:59:12 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/12/23 12:49:52 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/12/21 18:53:36 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/12/21 18:53:36 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/12/21 18:53:36 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/12/21 18:53:34 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/12/21 18:53:32 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/12/21 17:43:40 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2011/12/18 17:35:21 | 000,000,000 | ---D | C] -- C:\Users\StalkerAdmin\AppData\Roaming\Malwarebytes
[2011/12/18 17:35:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/12/18 17:35:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/12/16 21:18:37 | 000,000,000 | ---D | C] -- C:\$AVG
[2011/12/16 20:58:35 | 000,000,000 | ---D | C] -- C:\Users\StalkerAdmin\AppData\Roaming\AVG2012
[2011/12/16 20:56:56 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG2012
[2011/12/16 20:51:47 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
[2011/12/16 20:51:29 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
[2011/12/16 11:59:22 | 000,000,000 | ---D | C] -- C:\Windows\Minidump

========== Files - Modified Within 30 Days ==========

[2011/12/23 17:56:53 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\StalkerAdmin\Desktop\OTL.exe
[2011/12/23 17:35:35 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/12/23 17:35:35 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/12/23 17:31:00 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/12/23 17:31:00 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/12/23 15:48:18 | 000,000,512 | ---- | M] () -- C:\Users\StalkerAdmin\Desktop\MBR.dat
[2011/12/23 15:42:56 | 000,604,264 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/12/23 15:42:56 | 000,103,964 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/12/23 15:35:34 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/12/23 15:35:33 | 3220,758,528 | -HS- | M] () -- C:\hiberfil.sys
[2011/12/23 14:40:25 | 000,150,392 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Windows\junction.exe
[2011/12/23 14:39:12 | 000,079,623 | ---- | M] () -- C:\Users\StalkerAdmin\Desktop\Junction.zip
[2011/12/23 14:09:18 | 000,083,968 | ---- | M] (Esage Lab) -- C:\Users\StalkerAdmin\Desktop\boot_cleaner.exe
[2011/12/16 18:01:25 | 000,000,000 | ---- | M] () -- C:\ProgramData\NXrQT5Hl.exe.b
[2011/12/16 11:59:10 | 272,239,396 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/12/16 08:52:26 | 000,103,365 | ---- | M] () -- C:\Windows\System32\itusbcore.dat
[2011/12/16 08:52:26 | 000,000,197 | ---- | M] () -- C:\Windows\System32\itlsvc.dat
[2011/12/16 08:51:26 | 000,000,112 | ---- | M] () -- C:\ProgramData\2LiM02.dat
[2011/12/16 08:51:26 | 000,000,000 | ---- | M] () -- C:\Windows\System32\1KG2qoW.exe.b
[2011/12/15 03:22:13 | 000,247,096 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

========== Files Created - No Company Name ==========

[2011/12/23 14:39:12 | 000,079,623 | ---- | C] () -- C:\Users\StalkerAdmin\Desktop\Junction.zip
[2011/12/21 18:53:36 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/12/21 18:53:36 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/12/21 18:53:36 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/12/21 18:53:36 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/12/21 18:53:36 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/12/21 18:50:11 | 000,000,512 | ---- | C] () -- C:\Users\StalkerAdmin\Desktop\MBR.dat
[2011/12/16 18:01:25 | 000,000,000 | ---- | C] () -- C:\ProgramData\NXrQT5Hl.exe.b
[2011/12/16 11:59:10 | 272,239,396 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/12/16 08:52:26 | 000,103,365 | ---- | C] () -- C:\Windows\System32\itusbcore.dat
[2011/12/16 08:52:26 | 000,000,197 | ---- | C] () -- C:\Windows\System32\itlsvc.dat
[2011/12/16 08:51:26 | 000,000,000 | ---- | C] () -- C:\Windows\System32\1KG2qoW.exe.b
[2011/12/16 08:48:41 | 000,000,112 | ---- | C] () -- C:\ProgramData\2LiM02.dat
[2011/07/13 20:49:23 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2011/07/13 20:49:22 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2011/07/13 15:53:25 | 000,004,984 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
[2011/07/12 21:00:27 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2011/05/23 14:48:24 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2011/05/23 14:41:47 | 000,006,144 | ---- | C] () -- C:\Users\StalkerAdmin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/05/22 17:21:40 | 000,000,680 | ---- | C] () -- C:\Users\StalkerAdmin\AppData\Local\d3d9caps.dat
[2007/02/03 07:59:04 | 000,050,127 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
[2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:47:37 | 000,247,096 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:33:01 | 000,604,264 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,103,964 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

========== LOP Check ==========

[2011/11/09 17:45:51 | 000,000,000 | ---D | M] -- C:\Users\StalkerAdmin\AppData\Roaming\.minecraft
[2011/12/16 20:58:35 | 000,000,000 | ---D | M] -- C:\Users\StalkerAdmin\AppData\Roaming\AVG2012
[2011/12/21 20:54:35 | 000,018,102 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2006/09/18 16:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2009/04/11 01:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
[2011/05/22 23:35:04 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2011/12/23 12:59:36 | 000,006,715 | ---- | M] () -- C:\ComboFix.txt
[2006/09/18 16:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2011/12/23 15:35:33 | 3220,758,528 | -HS- | M] () -- C:\hiberfil.sys
[2007/11/13 11:58:28 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2007/11/13 11:58:28 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2011/12/23 15:35:22 | 3534,364,672 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\Fonts\*.com >
[2006/11/02 07:37:12 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2006/11/02 07:37:12 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2006/11/02 07:37:12 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2011/07/14 08:42:29 | 000,037,665 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2006/09/18 16:37:34 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2006/11/02 07:35:48 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\jnwppr.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2011/07/12 17:21:12 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2006/11/02 05:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/02 05:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/02 05:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 05:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 05:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2011/07/13 20:33:18 | 000,000,286 | -HS- | M] () -- C:\Users\StalkerAdmin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

< %USERPROFILE%\Desktop\*.exe >
[2011/12/23 14:09:18 | 000,083,968 | ---- | M] (Esage Lab) -- C:\Users\StalkerAdmin\Desktop\boot_cleaner.exe
[2011/05/23 14:59:00 | 000,270,142 | ---- | M] () -- C:\Users\StalkerAdmin\Desktop\Minecraft.exe
[2011/12/23 17:56:53 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\StalkerAdmin\Desktop\OTL.exe
[2011/07/12 16:48:31 | 001,287,016 | ---- | M] (Microsoft Corporation) -- C:\Users\StalkerAdmin\Desktop\wlsetup-web.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2011/05/22 17:22:16 | 000,000,402 | -HS- | M] () -- C:\Users\StalkerAdmin\Favorites\desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >
[2011/12/16 18:01:25 | 000,000,000 | ---- | M] () -- C:\ProgramData\NXrQT5Hl.exe.b

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


< End of report >

 

[lstalker]

Thank You Part 2

Here is the second one!:monkey:


OTL Extras logfile created on: 12/23/2011 5:58:36 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\StalkerAdmin\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19170)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.14 Gb Available Physical Memory | 71.47% Memory free
6.20 Gb Paging File | 5.21 Gb Available in Paging File | 84.03% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 225.69 Gb Total Space | 45.51 Gb Free Space | 20.16% Space Free | Partition Type: NTFS
Drive E: | 298.02 Gb Total Space | 236.23 Gb Free Space | 79.27% Space Free | Partition Type: FAT32
Drive F: | 298.02 Gb Total Space | 183.57 Gb Free Space | 61.60% Space Free | Partition Type: FAT32

Computer Name: STALKERADMIN-PC | User Name: StalkerAdmin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)

[HKEY_USERS\S-1-5-21-4145713665-4275765477-3218478355-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av" = 1
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{069F0DC3-DAB4-4241-A032-67989259857F}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\skyrim\skyrimlauncher.exe |
"{0FBECAF4-8F13-4595-85F5-8EF4473531DD}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\world of goo\worldofgoo.exe |
"{16772457-5634-4A9F-8222-185BA79ADDC4}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\droplitz\cascade.exe |
"{1CAA63C6-AF53-4574-901C-4D0EC919323C}" = protocol=17 | dir=in | app=c:\program files\steam\steam.exe |
"{1D64E7AF-9F6C-41A2-BDCA-EF41E9BEEDEB}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\spore\support\ea help\electronic_arts_technical_support.htm |
"{2A635975-6780-4D45-A82B-4663EF5D3FF1}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\spore\runme.exe |
"{3244E7C2-C60D-40EC-AB71-E1849471A0C5}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\spore\runme.exe |
"{3CD0A2EF-DE58-482A-AF76-D4F8138C072E}" = protocol=17 | dir=in | app=c:\program files\world of warcraft\launcher.patch.exe |
"{3DFD1EE3-20D2-4E68-905B-4175165244EA}" = protocol=6 | dir=in | app=c:\program files\steam\steam.exe |
"{48481FE7-9D88-4649-A71C-0105B71FB340}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\skyrim\skyrimlauncher.exe |
"{51937550-FFD6-4062-B077-F87522589C31}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\spore\sporebinep1\sporeapp.exe |
"{5F9A703A-D8E5-4C5B-B595-CEA7FEB8D879}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\spore\support\ea help\electronic_arts_technical_support.htm |
"{78335D2E-CE44-4C2A-AFFA-F19A896ACC7C}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{9AD566E2-793E-4881-B9E3-A058307C4DFF}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{B7829169-EB45-4190-980B-1A245D6B537A}" = protocol=6 | dir=in | app=c:\program files\world of warcraft\launcher.patch.exe |
"{BD7F667E-605D-44E4-A9B2-EA923784F9F9}" = protocol=17 | dir=in | app=c:\program files\world of warcraft\launcher.exe |
"{C62E4C27-6437-4EE4-82F8-C8CA1AFD330D}" = protocol=6 | dir=in | app=c:\program files\world of warcraft\launcher.exe |
"{C7DDCCFA-C231-4B6D-932E-AA9AF2810ADA}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\deus ex - human revolution\dxhr.exe |
"{D198C6BD-0CD2-4B92-BBC0-97FBFC6D72CC}" = dir=in | app=c:\program files\itunes\itunes.exe |
"{D91FC420-A9F9-4FC5-9035-02F4FAEA1D24}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\deus ex - human revolution\dxhr.exe |
"{DD10E5D3-28D6-4C67-91C0-586280488752}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{E1807A5A-1755-4AE0-BD65-759A0E4982A4}" = protocol=6 | dir=in | app=c:\program files\starcraft ii\starcraft ii.exe |
"{E40D8748-BFC2-4A75-8F56-F273E224F985}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\spore\sporebinep1\sporeapp.exe |
"{E5E61C3B-41A3-444F-A6AD-D865C445ABA9}" = protocol=17 | dir=in | app=c:\program files\starcraft ii\starcraft ii.exe |
"{ECAAB6C2-6ED8-470E-8DD6-5595BFDEE481}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\droplitz\cascade.exe |
"{F3AA501E-45EB-4BD7-94AC-E46E7ED2D60B}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\world of goo\worldofgoo.exe |
"TCP Query User{64CD5E6C-70FF-4FE7-917C-CAAA2114F890}C:\program files\starcraft ii\support\blizzarddownloader.exe" = protocol=6 | dir=in | app=c:\program files\starcraft ii\support\blizzarddownloader.exe |
"TCP Query User{6C0368F2-D0EF-4127-B496-C3D4BA6A2D5B}C:\program files\world of warcraft\temp\wow-4.2.0.2552-enus-tools-downloader.exe" = protocol=6 | dir=in | app=c:\program files\world of warcraft\temp\wow-4.2.0.2552-enus-tools-downloader.exe |
"TCP Query User{A2BF38E7-5765-4EFD-8CD7-66F455E73373}C:\program files\java\jre6\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\bin\javaw.exe |
"TCP Query User{BAA48C16-0E22-444C-A4B8-BF3FC3523F19}C:\program files\world of warcraft\temp\wow-4.2.1.2609-enus-tools-downloader.exe" = protocol=6 | dir=in | app=c:\program files\world of warcraft\temp\wow-4.2.1.2609-enus-tools-downloader.exe |
"TCP Query User{BC533550-B5D6-4E29-923B-0533A59C6D31}C:\program files\world of warcraft\backgrounddownloader.exe" = protocol=6 | dir=in | app=c:\program files\world of warcraft\backgrounddownloader.exe |
"TCP Query User{C4B30029-A9C9-4288-AAD0-35773E81CBDE}C:\program files\world of warcraft\temp\wow-4.2.1.2617-enus-tools-downloader.exe" = protocol=6 | dir=in | app=c:\program files\world of warcraft\temp\wow-4.2.1.2617-enus-tools-downloader.exe |
"TCP Query User{F17BCE9B-1407-48C3-95DA-AD26C83029AB}C:\program files\world of warcraft\temp\wow-4.2.0.2506-enus-tools-downloader.exe" = protocol=6 | dir=in | app=c:\program files\world of warcraft\temp\wow-4.2.0.2506-enus-tools-downloader.exe |
"UDP Query User{1C63D839-8381-40A4-83FC-A2FF5CB07FE8}C:\program files\world of warcraft\backgrounddownloader.exe" = protocol=17 | dir=in | app=c:\program files\world of warcraft\backgrounddownloader.exe |
"UDP Query User{42FE4B3D-CEA7-4DB1-8F1D-70C27448D5CD}C:\program files\java\jre6\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\bin\javaw.exe |
"UDP Query User{48E6A69C-B747-41E1-98B2-2CBC15D762EC}C:\program files\world of warcraft\temp\wow-4.2.1.2609-enus-tools-downloader.exe" = protocol=17 | dir=in | app=c:\program files\world of warcraft\temp\wow-4.2.1.2609-enus-tools-downloader.exe |
"UDP Query User{ABF5918B-BBBC-47D5-AACB-3ECBC3547A06}C:\program files\world of warcraft\temp\wow-4.2.0.2506-enus-tools-downloader.exe" = protocol=17 | dir=in | app=c:\program files\world of warcraft\temp\wow-4.2.0.2506-enus-tools-downloader.exe |
"UDP Query User{D9DBCE68-7C5B-45A1-BCAE-CFCB56E702F8}C:\program files\starcraft ii\support\blizzarddownloader.exe" = protocol=17 | dir=in | app=c:\program files\starcraft ii\support\blizzarddownloader.exe |
"UDP Query User{EB9B863A-DDBE-463B-BAA3-C6FA059B172B}C:\program files\world of warcraft\temp\wow-4.2.0.2552-enus-tools-downloader.exe" = protocol=17 | dir=in | app=c:\program files\world of warcraft\temp\wow-4.2.0.2552-enus-tools-downloader.exe |
"UDP Query User{FF555FAC-C9B9-4BD6-8E08-FF6E7E1626F7}C:\program files\world of warcraft\temp\wow-4.2.1.2617-enus-tools-downloader.exe" = protocol=17 | dir=in | app=c:\program files\world of warcraft\temp\wow-4.2.1.2617-enus-tools-downloader.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00110409-78E1-11D2-B60F-006097C998E7}" = Microsoft Excel 2000 SR-1
"{00130409-78E1-11D2-B60F-006097C998E7}" = Microsoft PowerPoint 2000 SR-1
"{00170409-78E1-11D2-B60F-006097C998E7}" = Microsoft Word 2000 SR-1
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216025FF}" = Java(TM) 6 Update 26
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7E6066E6-8B5B-4100-B0FA-1D9E9B663CBA}" = iTunes
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Driver 270.61
"{B2FE1952-0186-46c3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 270.61
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 270.61
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB" = NVIDIA 3D Vision Controller Driver 270.61
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 9.10.0514
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.1.34
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{B3575D00-27EF-49C2-B9E0-14B3D954E992}" = Apple Application Support
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{B9DB4C76-01A4-46D5-8910-F7AA6376DBAF}" = NVIDIA PhysX
"{C23CD6DA-1958-43A5-ADD0-59396572E02E}" = Apple Mobile Device Support
"{C2E4B5BD-32DB-4817-A060-341AB17C3F90}" = Bonjour
"{C6579A65-9CAE-4B31-8B6B-3306E0630A66}" = Apple Software Update
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"7-Zip" = 7-Zip 9.20
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"AVS Screen Capture_is1" = AVS Screen Capture version 2.0.1
"AVS Update Manager_is1" = AVS Update Manager 1.0
"AVS Video Editor_is1" = AVS Video Editor 6
"AVS Video Recorder_is1" = AVS Video Recorder 2.4
"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.4
"Google Chrome" = Google Chrome
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox 8.0 (x86 en-US)" = Mozilla Firefox 8.0 (x86 en-US)
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA StereoUSB Driver" = NVIDIA 3D Vision Controller Driver
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"Steam App 28050" = Deus Ex: Human Revolution
"Steam App 72850" = The Elder Scrolls V: Skyrim

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-4145713665-4275765477-3218478355-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{373B1718-8CC5-4567-8EE2-9033AD08A680}" = Roblox for StalkerAdmin

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/18/2011 5:08:29 PM | Computer Name = StalkerAdmin-PC | Source = MsiInstaller | ID = 11706
Description =

Error - 12/18/2011 5:25:04 PM | Computer Name = StalkerAdmin-PC | Source = MsiInstaller | ID = 11706
Description =

Error - 12/18/2011 5:35:46 PM | Computer Name = StalkerAdmin-PC | Source = MsiInstaller | ID = 11706
Description =

Error - 12/18/2011 6:24:31 PM | Computer Name = StalkerAdmin-PC | Source = MsiInstaller | ID = 11706
Description =

Error - 12/18/2011 7:37:51 PM | Computer Name = StalkerAdmin-PC | Source = Application Error | ID = 1000
Description = Faulting application b3v2l36g.exe, version 1.0.15.15641, time stamp
0x4e21f2b1, faulting module b3v2l36g.exe, version 1.0.15.15641, time stamp 0x4e21f2b1,
exception code 0xc0000005, fault offset 0x0000c676, process id 0x96c, application
start time 0x01ccbdddd2307dcf.

Error - 12/18/2011 7:40:00 PM | Computer Name = StalkerAdmin-PC | Source = Perflib | ID = 1010
Description =

Error - 12/21/2011 8:56:20 PM | Computer Name = StalkerAdmin-PC | Source = Application Error | ID = 1000
Description = Faulting application PEV.exe, version 0.0.0.0, time stamp 0x4e06cfe8,
faulting module PEV.exe, version 0.0.0.0, time stamp 0x4e06cfe8, exception code
0x40000015, fault offset 0x0008d1c0, process id 0x4d8, application start time 0x01ccc04484a3cb8b.

Error - 12/22/2011 9:26:54 AM | Computer Name = StalkerAdmin-PC | Source = VSS | ID = 12293
Description =

Error - 12/22/2011 9:26:54 AM | Computer Name = StalkerAdmin-PC | Source = System Restore | ID = 8193
Description =

Error - 12/22/2011 9:26:54 AM | Computer Name = StalkerAdmin-PC | Source = System Restore | ID = 8210
Description =


< End of report >

Thank you so very very much! I hope these help!

 

[Broni]

You didn't say:

Any current issues?

Don't forget to reinstall AVG.

It looks like have "hosts" file missing.

Open Notepad.
Paste the following text into it:

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
::1             localhost

Go File>Save As and...

1. Name the file hosts. (no extension; make sure there is just a "dot" at the end <--- VERY IMPORTANT!)
2. Make sure, "Save as type:" is set to "All Files (*.*)
3. File is saved to C:\WINDOWS\SYSTEM32\DRIVERS\ETC folder

NOTE.
If you receive You don't have permission to save in this location message take ownership of C:\windows\system32\drivers\etc folder: http://www.howtogeek.com/howto/windows-vista/add-take-ownership-to-explorer-right-click-menu-in-vista/
If the above doesn't work save the file to some known location, like your desktop, copy it from there and paste it to "etc" folder.

Then...

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
64-bit users go HERE

• Double-click SystemLook.exe to run it.
• Vista\Win 7 users:: Right click on SystemLook.exe, click Run As Administrator
• Copy the content of the following box into the main textfield:
  

  :dir
  C:\WINDOWS\SYSTEM32\DRIVERS\ETC

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

================================================================

OTL log looks perfectly clean.

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.

• Double-click SecurityCheck.exe
• Follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  
  NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

2. Download Temp File Cleaner (TFC)

• Double click on TFC.exe to run the program.
• Click on Start button to begin cleaning process.
• TFC will close all running programs, and it may ask you to restart computer.

3. Please run a free online scan with the ESET Online Scanner

• Disable your antivirus program
• Tick the box next to YES, I accept the Terms of Use
• Click Start
• Accept any security warnings from your browser.
• Check Scan archives
• Click Start
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, click on List of found threats
• Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• NOTE. If Eset won't find any threats, it won't produce any log.

 

[lstalker]

Scaned and Placed

Oops, sorry about that! There are no issues at all at the moment. Thank you
For some reason though, TFC wouldn't work. It would just crash my computer. Therefor, I was unable to get a log. Here are the other logs though!

System Look

SystemLook 30.07.11 by jpshortstuff
Log created at 08:34 on 23/12/2011 by StalkerAdmin
Administrator - Elevation successful

========== filefind ==========

Searching for "netbt.sys"
C:\Windows\System32\drivers\netbt.sys --a---- 185856 bytes [01:48 14/07/2011] [04:45 11/04/2009] 5C5C366A95A15CE1272BDAC611F97DA1
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6000.16386_none_5e2e0665fa591691\netbt.sys --a---- 184320 bytes [08:57 02/11/2006] [08:57 02/11/2006] E3A168912E7EEFC3BD3B814720D68B41
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys --a---- 184320 bytes [19:58 26/05/2011] [05:55 19/01/2008] 7C5FEE5B1C5728507CD96FB4A13E7A02

-= EOF =-

ESET's Results

C:\Qoobox\Quarantine\C\Program Files\StartNow Toolbar\ToOLbar32.dll.vir a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe.vir a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\drivers\netbt.sys.vir a variant of Win32/Rootkit.Kryptik.FQ trojan cleaned by deleting - quarantined
C:\Users\StalkerAdmin\Downloads\registrybooster.exe Win32/RegistryBooster application deleted - quarantined

Also I thought I would mention this, when I did my AVG scan, it found no viruses now! But when I ran the ESET, it found four viruses, that were deleted. Thank you again for your time!:wave:

 

[Broni]

You ran wrong script in System Look.
Please redo.

I also need Security Check log.

Instead of TFC....
Download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Unselect Cookies.
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Unselect Cookies.
Click the Empty Selected button.

If you use Opera browser
Click Opera at the top and choose: Select All
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Unselect Cookies.
Click the Empty Selected button.

Click Exit on the Main menu to close the program.

 

[lstalker]

Here are the two logs. I didn't get a log from ATF but I think that is correct. Thank you!

Results of screen317's Security Check version 0.99.24
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
AVG 2012
ESET Online Scanner v3
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
```````````````````````````````
Anti-malware/Other Utilities Check:
Java(TM) 6 Update 30
Adobe Flash Player 11.1.102.55
Adobe Reader X (10.1.1)
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````


SystemLook 30.07.11 by jpshortstuff
Log created at 12:22 on 27/12/2011 by StalkerAdmin
Administrator - Elevation successful

========== dir ==========

C:\WINDOWS\SYSTEM32\DRIVERS\ETC - Parameters: "(none)"

---Files---
hosts --a---- 759 bytes [02:10 24/12/2011] [02:08 24/12/2011]
lmhosts.sam --a---- 3683 bytes [06:38 02/11/2006] [21:41 18/09/2006]
networks --a---- 407 bytes [10:23 02/11/2006] [21:41 18/09/2006]
protocol --a---- 1358 bytes [10:23 02/11/2006] [21:41 18/09/2006]
services --a---- 17244 bytes [10:23 02/11/2006] [21:41 18/09/2006]

---Folders---
None found.

-= EOF =-

 

[Broni]

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

• Double-click OTL.exe to start the program.
• Close all other programs apart from OTL as this step will require a reboot
• On the OTL main screen, press the CLEANUP button
• Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.

 

[lstalker]

Thank You So Much!

Thank you for everything!

You saved my winter break. I will never forget what you have done for me. My computer is running as it should and their are not noticeable issues. Here is hopefully my last log! :grinthumb

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: StalkerAdmin
->Temp folder emptied: 2339 bytes
->Temporary Internet Files folder emptied: 45913357 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 204036989 bytes
->Google Chrome cache emptied: 8138773 bytes
->Flash cache emptied: 40534 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 56887 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 246.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Public

User: StalkerAdmin
->Flash cache emptied: 0 bytes

User: UpdatusUser

Total Flash Files Cleaned = 0.00 mb



OTL by OldTimer - Version 3.2.31.0 log created on 12292011_115150

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Thank you once again!

 

[Broni]

Way to go!!

Good luck and stay safe