
"computer fix" hijack


WsW-WYATT-EARP

Friend's computer from work. He said he was on the net and had a pop-up saying the computer was at risk and needed to do a scan, blah blah blah. He clicked on it and it took over the PC. I booted up to nothing but the "computer fix" window and a bunch of errors. Rebooted into safe mode and ran a system restore to a week prior to the "incident". Got back to a working system and am trying to make it clean for him.

 

Everything seems to be decent now after running the scans and fixes below - just looking to get an expert's view on it and help with anything I may have missed.

 

THANKS SO MUCH !!!

 

Ben

 

So far -

 

1) system restore

 

2) delete cookies / temp internet files through browser tools

 

3) download, install and run Ad-Aware - fixed issues found

 

 

Logfile created: 2/5/2012 00:51:22

Ad-Aware version: 9.6.0

Extended engine: 3

Extended engine version: 3.1.2770

User performing scan: Owner

*********************** Definitions database information ***********************

Lavasoft definition file: 150.708

Genotype definition file version: 2011/09/21 13:56:01

Extended engine definition file: 11501.0

******************************** Scan results: *********************************

Scan profile name: Full Scan (ID: full)

Objects scanned: 79657

Objects detected: 13

 

Type Detected

==========================

Processes.......: 0

Registry entries: 0

Hostfile entries: 0

Files...........: 0

Folders.........: 0

LSPs............: 0

Cookies.........: 13

Browser hijacks.: 0

MRU objects.....: 0

 

Removed items:

Description: *mediaplex* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408991 Family ID: 0

Description: *2o7* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408943 Family ID: 0

Description: *casalemedia* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409152 Family ID: 0

Description: *questionmarket* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408819 Family ID: 0

Description: *pointroll* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408826 Family ID: 0

Description: *ads.pointroll* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408927 Family ID: 0

Description: *ad.yieldmanager* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409172 Family ID: 0

Description: *adbrite* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409218 Family ID: 0

Description: *pro-market* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408823 Family ID: 0

Description: *adserv* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408921 Family ID: 0

Description: *fastclick* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408869 Family ID: 0

Description: *advertis* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408918 Family ID: 0

Description: *advertising* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409017 Family ID: 0

Scan and cleaning complete: Finished correctly after 9478 seconds

*********************************** Settings ***********************************

Scan profile:

ID: full, enabled:1, value: Full Scan

ID: folderstoscan, enabled:1, value: C:\

ID: useantivirus, enabled:1, value: true

ID: sections, enabled:1

ID: scancriticalareas, enabled:1, value: true

ID: scanrunningapps, enabled:1, value: true

ID: scanregistry, enabled:1, value: true

ID: scanlsp, enabled:1, value: true

ID: scanads, enabled:1, value: true

ID: scanhostsfile, enabled:1, value: true

ID: scanmru, enabled:1, value: true

ID: scanbrowserhijacks, enabled:1, value: true

ID: scantrackingcookies, enabled:1, value: true

ID: closebrowsers, enabled:1, value: false

ID: filescanningoptions, enabled:1

ID: archives, enabled:1, value: true

ID: onlyexecutables, enabled:1, value: false

ID: skiplargerthan, enabled:1, value: 20480

ID: scanrootkits, enabled:1, value: true

ID: rootkitlevel, enabled:1, value: mild, domain: medium,mild,strict

ID: usespywareheuristics, enabled:1, value: true

Scan global:

ID: global, enabled:1

ID: addtocontextmenu, enabled:1, value: true

ID: playsoundoninfection, enabled:1, value: false

ID: soundfile, enabled:0, value: N/A

Scheduled scan settings:

<Empty>

Update settings:

ID: updates, enabled:1

ID: launchthreatworksafterscan, enabled:1, value: silently, domain: normal,off,silently

ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall

ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall

ID: schedules, enabled:1, value: true

ID: updatedaily1, enabled:1, value: Daily 1

ID: time, enabled:1, value: Sun Feb 05 00:42:00 2012

ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly

ID: weekdays, enabled:1

ID: monday, enabled:1, value: false

ID: tuesday, enabled:1, value: false

ID: wednesday, enabled:1, value: false

ID: thursday, enabled:1, value: false

ID: friday, enabled:1, value: false

ID: saturday, enabled:1, value: false

ID: sunday, enabled:1, value: false

ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31

ID: scanprofile, enabled:1, value:

ID: auto_deal_with_infections, enabled:1, value: false

ID: updatedaily2, enabled:1, value: Daily 2

ID: time, enabled:1, value: Sun Feb 05 06:42:00 2012

ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly

ID: weekdays, enabled:1

ID: monday, enabled:1, value: false

ID: tuesday, enabled:1, value: false

ID: wednesday, enabled:1, value: false

ID: thursday, enabled:1, value: false

ID: friday, enabled:1, value: false

ID: saturday, enabled:1, value: false

ID: sunday, enabled:1, value: false

ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31

ID: scanprofile, enabled:1, value:

ID: auto_deal_with_infections, enabled:1, value: false

ID: updatedaily3, enabled:1, value: Daily 3

ID: time, enabled:1, value: Sun Feb 05 12:42:00 2012

ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly

ID: weekdays, enabled:1

ID: monday, enabled:1, value: false

ID: tuesday, enabled:1, value: false

ID: wednesday, enabled:1, value: false

ID: thursday, enabled:1, value: false

ID: friday, enabled:1, value: false

ID: saturday, enabled:1, value: false

ID: sunday, enabled:1, value: false

ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31

ID: scanprofile, enabled:1, value:

ID: auto_deal_with_infections, enabled:1, value: false

ID: updatedaily4, enabled:1, value: Daily 4

ID: time, enabled:1, value: Sun Feb 05 18:42:00 2012

ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly

ID: weekdays, enabled:1

ID: monday, enabled:1, value: false

ID: tuesday, enabled:1, value: false

ID: wednesday, enabled:1, value: false

ID: thursday, enabled:1, value: false

ID: friday, enabled:1, value: false

ID: saturday, enabled:1, value: false

ID: sunday, enabled:1, value: false

ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31

ID: scanprofile, enabled:1, value:

ID: auto_deal_with_infections, enabled:1, value: false

ID: updateweekly1, enabled:1, value: Weekly

ID: time, enabled:1, value: Sun Feb 05 00:42:00 2012

ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly

ID: weekdays, enabled:1

ID: monday, enabled:1, value: false

ID: tuesday, enabled:1, value: false

ID: wednesday, enabled:1, value: true

ID: thursday, enabled:1, value: false

ID: friday, enabled:1, value: false

ID: saturday, enabled:1, value: false

ID: sunday, enabled:1, value: true

ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31

ID: scanprofile, enabled:1, value:

ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:

ID: appearance, enabled:1

ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource

ID: showtrayicon, enabled:1, value: true

ID: autoentertainmentmode, enabled:1, value: true

ID: guimode, enabled:1, value: mode_advanced, domain: mode_advanced,mode_simple

ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:

ID: realtime, enabled:1

ID: layers, enabled:1

ID: useantivirus, enabled:1, value: true

ID: usespywareheuristics, enabled:1, value: true

ID: maintainbackup, enabled:1, value: true

ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant

ID: modules, enabled:1

ID: processprotection, enabled:1, value: true

ID: onaccessprotection, enabled:1, value: true

ID: registryprotection, enabled:1, value: true

ID: networkprotection, enabled:1, value: true

 

****************************** System information ******************************

Computer name: NEW-674AD70D4D2

Processor name: Intel® Core2 Duo CPU E4500 @ 2.20GHz

Processor identifier: x86 Family 6 Model 15 Stepping 13

Processor speed: ~2194MHZ

Raw info: processorarchitecture 0, processortype 586, processorlevel 6, processor revision 3853, number of processors 2, processor features: [MMX,SSE,SSE2]

Physical memory available: 1107017728 bytes

Physical memory total: 2136055808 bytes

Virtual memory available: 1893658624 bytes

Virtual memory total: 2147352576 bytes

Memory load: 48%

Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Windows startup mode:

Running processes:

PID: 556 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY

PID: 608 name: C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY

PID: 632 name: C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY

PID: 676 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY

PID: 688 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY

PID: 836 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY

PID: 932 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY

PID: 980 name: c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1016 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1100 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY

PID: 1212 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY

PID: 1336 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1412 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY

PID: 1444 name: C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1464 name: C:\Program Files\Bonjour\mDNSResponder.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1544 name: C:\Program Files\Java\jre6\bin\jqs.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1604 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1888 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY

PID: 2104 name: C:\WINDOWS\Explorer.EXE owner: Owner domain: NEW-674AD70D4D2

PID: 2164 name: C:\WINDOWS\system32\ctfmon.exe owner: Owner domain: NEW-674AD70D4D2

PID: 2328 name: C:\WINDOWS\system32\igfxtray.exe owner: Owner domain: NEW-674AD70D4D2

PID: 2336 name: C:\WINDOWS\system32\hkcmd.exe owner: Owner domain: NEW-674AD70D4D2

PID: 2344 name: C:\WINDOWS\system32\igfxpers.exe owner: Owner domain: NEW-674AD70D4D2

PID: 2352 name: C:\Program Files\Common Files\Java\Java Update\jusched.exe owner: Owner domain: NEW-674AD70D4D2

PID: 2360 name: C:\Program Files\Microsoft Security Client\msseces.exe owner: Owner domain: NEW-674AD70D4D2

PID: 2376 name: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe owner: Owner domain: NEW-674AD70D4D2

PID: 2384 name: C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe owner: Owner domain: NEW-674AD70D4D2

PID: 2424 name: C:\Program Files\iTunes\iTunesHelper.exe owner: Owner domain: NEW-674AD70D4D2

PID: 2460 name: C:\WINDOWS\system32\igfxsrvc.exe owner: Owner domain: NEW-674AD70D4D2

PID: 2636 name: C:\Program Files\Messenger\msmsgs.exe owner: Owner domain: NEW-674AD70D4D2

PID: 2772 name: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe owner: Owner domain: NEW-674AD70D4D2

PID: 2932 name: C:\Program Files\OpenOffice.org 3\program\soffice.exe owner: Owner domain: NEW-674AD70D4D2

PID: 2976 name: C:\Program Files\OpenOffice.org 3\program\soffice.bin owner: Owner domain: NEW-674AD70D4D2

PID: 3048 name: C:\Program Files\iPod\bin\iPodService.exe owner: SYSTEM domain: NT AUTHORITY

PID: 3132 name: C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe owner: Owner domain: NEW-674AD70D4D2

PID: 3192 name: C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe owner: Owner domain: NEW-674AD70D4D2

PID: 3576 name: C:\Program Files\Internet Explorer\iexplore.exe owner: Owner domain: NEW-674AD70D4D2

PID: 3620 name: C:\Program Files\Internet Explorer\iexplore.exe owner: Owner domain: NEW-674AD70D4D2

PID: 3672 name: C:\WINDOWS\system32\msiexec.exe owner: SYSTEM domain: NT AUTHORITY

PID: 928 name: C:\Program Files\Internet Explorer\iexplore.exe owner: Owner domain: NEW-674AD70D4D2

PID: 2616 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY

PID: 2592 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Owner domain: NEW-674AD70D4D2

PID: 3268 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY

PID: 3056 name: C:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY

PID: 3532 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Owner domain: NEW-674AD70D4D2

Startup items:

Name: IgfxTray

imagepath: C:\WINDOWS\system32\igfxtray.exe

Name: HotKeysCmds

imagepath: C:\WINDOWS\system32\hkcmd.exe

Name: Persistence

imagepath: C:\WINDOWS\system32\igfxpers.exe

Name: SunJavaUpdateSched

imagepath: "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

Name: MSC

imagepath: "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey

Name: HP Software Update

imagepath: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

Name: Adobe ARM

imagepath: "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

Name: APSDaemon

imagepath: "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"

Name: iTunesHelper

imagepath: "C:\Program Files\iTunes\iTunesHelper.exe"

Name: QuickTime Task

imagepath: "C:\Program Files\QuickTime\qttask.exe" -atboottime

Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}

imagepath: Browseui preloader

Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}

imagepath: Component Categories cache daemon

Name: PostBootReminder

imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}

Name: CDBurn

imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}

Name: WebCheck

imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

Name: SysTray

imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}

Name: WPDShServiceObj

imagepath: {AAA288BA-9A4C-45B0-95D7-94D524869DB5}

Name:

imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Name:

location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

imagepath: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

Name:

location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

imagepath: C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

Name:

imagepath: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini

Bootexecute items:

Name:

imagepath: autocheck autochk *

Running services:

Name: ALG

displayname: Application Layer Gateway Service

Name: Apple Mobile Device

displayname: Apple Mobile Device

Name: AudioSrv

displayname: Windows Audio

Name: BITS

displayname: Background Intelligent Transfer Service

Name: Bonjour Service

displayname: Bonjour Service

Name: CryptSvc

displayname: Cryptographic Services

Name: DcomLaunch

displayname: DCOM Server Process Launcher

Name: Dhcp

displayname: DHCP Client

Name: Dnscache

displayname: DNS Client

Name: ERSvc

displayname: Error Reporting Service

Name: Eventlog

displayname: Event Log

Name: EventSystem

displayname: COM+ Event System

Name: FastUserSwitchingCompatibility

displayname: Fast User Switching Compatibility

Name: helpsvc

displayname: Help and Support

Name: iPod Service

displayname: iPod Service

Name: JavaQuickStarterService

displayname: Java Quick Starter

Name: lanmanserver

displayname: Server

Name: lanmanworkstation

displayname: Workstation

Name: LmHosts

displayname: TCP/IP NetBIOS Helper

Name: MSIServer

displayname: Windows Installer

Name: MsMpSvc

displayname: Microsoft Antimalware Service

Name: Netman

displayname: Network Connections

Name: Nla

displayname: Network Location Awareness (NLA)

Name: PlugPlay

displayname: Plug and Play

Name: PolicyAgent

displayname: IPSEC Services

Name: ProtectedStorage

displayname: Protected Storage

Name: RasMan

displayname: Remote Access Connection Manager

Name: RpcSs

displayname: Remote Procedure Call (RPC)

Name: SamSs

displayname: Security Accounts Manager

Name: Schedule

displayname: Task Scheduler

Name: seclogon

displayname: Secondary Logon

Name: SENS

displayname: System Event Notification

Name: SharedAccess

displayname: Windows Firewall/Internet Connection Sharing (ICS)

Name: ShellHWDetection

displayname: Shell Hardware Detection

Name: Spooler

displayname: Print Spooler

Name: srservice

displayname: System Restore Service

Name: SSDPSRV

displayname: SSDP Discovery Service

Name: stisvc

displayname: Windows Image Acquisition (WIA)

Name: TapiSrv

displayname: Telephony

Name: TermService

displayname: Terminal Services

Name: Themes

displayname: Themes

Name: TrkWks

displayname: Distributed Link Tracking Client

Name: W32Time

displayname: Windows Time

Name: WebClient

displayname: WebClient

Name: winmgmt

displayname: Windows Management Instrumentation

Name: wscsvc

displayname: Security Center

Name: wuauserv

displayname: Automatic Updates

Name: WZCSVC

displayname: Wireless Zero Configuration

Name: Lavasoft Ad-Aware Service

displayname: Lavasoft Ad-Aware Service

 

4) download install and run Spybot S&D - fixed issues found

 

05.02.2012 04:32:58 - ##### check started #####

05.02.2012 04:32:58 - ### Version: 1.6.2

05.02.2012 04:32:58 - ### Date: 2/5/2012 4:32:58 AM

05.02.2012 04:33:00 - ##### checking bots #####

05.02.2012 04:42:23 - found: DoubleClick Tracking cookie (Internet Explorer: Owner)

05.02.2012 04:42:24 - ##### check finished #####

 

5) download and run CWShredder - came up clean

 

6) download, install and run SUPERAntiSpyware - fixed issues found

 

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 02/05/2012 at 01:52 PM

Application Version : 5.0.1144

Core Rules Database Version : 8203

Trace Rules Database Version: 6015

Scan type : Complete Scan

Total Scan Time : 00:33:49

Operating System Information

Windows XP Home Edition 32-bit, Service Pack 3 (Build 5.01.2600)

Administrator

Memory items scanned : 547

Memory threats detected : 0

Registry items scanned : 33420

Registry threats detected : 0

File items scanned : 57063

File threats detected : 37

Adware.Tracking Cookie

C:\Documents and Settings\Owner\Cookies\owner@adinterax[2].txt [ /adinterax ]

C:\Documents and Settings\Owner\Cookies\owner@content.yieldmanager[1].txt [ /content.yieldmanager ]

C:\Documents and Settings\Owner\Cookies\owner@invitemedia[1].txt [ /invitemedia ]

C:\Documents and Settings\Owner\Cookies\owner@revsci[2].txt [ /revsci ]

C:\Documents and Settings\Owner\Cookies\B6INQDUK.txt [ /server.iad.liveperson.net ]

C:\Documents and Settings\Owner\Cookies\WXSYDNKC.txt [ /adserver.adtechus.com ]

C:\Documents and Settings\Owner\Cookies\KP8O62Q7.txt [ /interclick.com ]

C:\Documents and Settings\Owner\Cookies\04DV9TDR.txt [ /collective-media.net ]

C:\Documents and Settings\Owner\Cookies\ZI2M3D5J.txt [ /atdmt.com ]

C:\Documents and Settings\Owner\Cookies\V7MCDBVU.txt [ /liveperson.net ]

C:\Documents and Settings\Owner\Cookies\U14BA0R7.txt [ /liveperson.net ]

C:\Documents and Settings\Owner\Cookies\JGGS65A1.txt [ /doubleclick.net ]

C:\Documents and Settings\Owner\Cookies\XZYEQ9OJ.txt [ /ad.yieldmanager.com ]

C:\Documents and Settings\Owner\Cookies\2PGX863S.txt [ /serving-sys.com ]

C:\Documents and Settings\Owner\Cookies\RXL9ETGA.txt [ /accounts.google.com ]

C:\DOCUMENTS AND SETTINGS\OWNER\Cookies\QMTGWXSD.txt [ Cookie:owner@www.google.com/accounts ]

C:\DOCUMENTS AND SETTINGS\OWNER\Cookies\P2Z5M5DH.txt [ Cookie:owner@google.com/accounts/ ]

C:\DOCUMENTS AND SETTINGS\OWNER\Cookies\721M3EEJ.txt [ Cookie:owner@www.google.com/support/accounts/ ]

C:\DOCUMENTS AND SETTINGS\OWNER\Cookies\AQ1G3O4L.txt [ Cookie:owner@google.com/accounts/recovery/ ]

C:\DOCUMENTS AND SETTINGS\OWNER\Cookies\6NB0R8DG.txt [ Cookie:owner@google.com/support/accounts/ ]

a.ads2.msads.net [ C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\UGF4NMTU ]

ad.insightexpressai.com [ C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\UGF4NMTU ]

ads2.msads.net [ C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\UGF4NMTU ]

cdn.media.abc.com [ C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\UGF4NMTU ]

cdn.tremormedia.com [ C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\UGF4NMTU ]

cdn5.tribalfusion.com [ C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\UGF4NMTU ]

ia.media-imdb.com [ C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\UGF4NMTU ]

media.mtvnservices.com [ C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\UGF4NMTU ]

media.wfaa.com [ C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\UGF4NMTU ]

media10.washingtonpost.com [ C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\UGF4NMTU ]

msnbcmedia.msn.com [ C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\UGF4NMTU ]

nashvillecountryclub.com [ C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\UGF4NMTU ]

objects.tremormedia.com [ C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\UGF4NMTU ]

s0.2mdn.net [ C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\UGF4NMTU ]

secure-us.imrworldwide.com [ C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\UGF4NMTU ]

speed.pointroll.com [ C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\UGF4NMTU ]

static.discoverymedia.com [ C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\UGF4NMTU ]

 

7) download, install and run Malwarebytes - clean

 

8) download, run and save HijackThis

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 4:08:14 PM, on 2/5/2012

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner\Desktop\virus removal\hjt\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1296154538984

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1296252183312

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--

End of file - 6831 bytes

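As an added example that is not part of the original thread (and not HijackThis's own code), here is a small Python triage script for logs in the format posted above. It pulls the R0/R1, O1, O2, O4, O20 and O23 lines, extracts the image path or URL from each, and flags entries launched from a user profile or temp directory, system binary names sitting outside C:\WINDOWS, start/search pages pointing off Microsoft domains, and any hosts-file override. The trusted-location and trusted-domain lists are assumptions made for the example; the first six sample lines are copied from the log above and the last three are constructed to show what a hijack typically leaves behind.

```python
"""Triage a HijackThis-style log: pick out the autostart and browser-setting
lines and flag the ones a human should look at first.  Added example, not a
tool from the original thread; the suspicious sample lines are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Where legitimately installed autostart binaries normally live on 32-bit XP
# (assumption for this example; tighten it for a specific build).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# Names that belong under C:\WINDOWS; the same name anywhere else is a red flag.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe"}
# Domains the default IE start/search pages point at (assumption for this example).
EXPECTED_URL_DOMAINS = ("microsoft.com", "msn.com", "live.com")

SECTION_RE = re.compile(r"^(?P<sec>[OR]\d+)\s+-\s+(?P<rest>.+)$")
# A drive-letter path ending in a loadable image; tolerates unquoted paths with spaces.
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|scr|cpl|sys)\b", re.IGNORECASE)
URL_RE = re.compile(r"=\s*(https?://\S+)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    section: str
    item: str
    reason: str


def image_path(rest: str) -> str | None:
    """First executable/DLL path on the line; a quoted path wins over a bare one."""
    quoted = re.search(r'"([^"]+)"', rest)
    if quoted and PATH_RE.match(quoted.group(1)):
        return quoted.group(1)
    m = PATH_RE.search(rest)
    return m.group(0) if m else None


def trusted_host(host: str) -> bool:
    # Exact match or a real subdomain; a plain endswith() would accept "evilmicrosoft.com".
    return any(host == d or host.endswith("." + d) for d in EXPECTED_URL_DOMAINS)


def url_reasons(rest: str) -> list[str]:
    m = URL_RE.search(rest)
    if not m:
        return []
    host = urlparse(m.group(1)).hostname or ""
    if not trusted_host(host):
        return [f"browser page points at {host or 'an unparseable URL'}"]
    return []


def path_reasons(path: str) -> list[str]:
    low = path.lower()
    reasons = []
    if low.startswith("c:\\documents and settings\\") or "\\temp\\" in low:
        reasons.append("image in a user profile or temp directory")
    elif not low.startswith(TRUSTED_PREFIXES):
        reasons.append("image outside Windows/Program Files")
    name = low.rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARIES and not low.startswith("c:\\windows\\"):
        reasons.append(f"{name} masquerading outside C:\\WINDOWS")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per (line, reason); an empty list means nothing stood out."""
    findings: list[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = SECTION_RE.match(line.strip())
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        reasons: list[str] = []
        if sec == "O1":
            reasons.append("hosts-file override redirects a hostname")
        if sec.startswith("R"):
            reasons += url_reasons(rest)
        path = image_path(rest)
        if path:
            reasons += path_reasons(path)
        findings += [Finding(line_no, sec, path or rest, r) for r in reasons]
    return findings


# Constructed sample: lines 1-6 are copied from the posted log, lines 7-9 are
# made-up examples of what a browser/autostart hijack typically leaves behind.
SAMPLE_LOG = "\n".join([
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157",
    r"R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/",
    r"O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll",
    r'O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey',
    r"O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe",
    r"O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe",
    r"O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\Application Data\svchost.exe",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example.net/?q=",
    r"O1 - Hosts: 192.0.2.10 www.example.com",
])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.section}] {f.reason}: {f.item}")
```

Run it as-is to print the flagged sample lines, or pass the contents of a saved HijackThis log to triage(). It only prioritises; every hit still needs a human look, and a location rule like this one is deliberately coarse (applied to the Running processes list it would also flag HijackThis itself, which in the log above runs from the user's Desktop).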

Hi Conspire,

 

I understand you guys / gals are all busy and helping others. I just wait because I know good help is coming.

 

Yes, I am still looking for assistance, as you can see from the above logs. Also, after posting all that I attempted to go to Windows Update and I couldn't access it. I keep getting a security warning. It tells me to go in and enable a security setting, but it is already enabled. I even reset the security settings for the internet, with the same results.

 

Thanks for the help and your time! I don't see it taking too long to ensure the system is clean ..... at least I hope...

 

Ben


Hello there,

 

Thanks for your understanding :)

 

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Click on Minimal Output at the top
  • Download the following file scan.txt to your Desktop. Click here to download it. You may need to right click on it and select "Save"
  • Double click inside the Custom Scan box at the bottom
  • A window will appear saying "Click OK to load a custom scan from a file or Cancel to cancel"
  • Click the OK button and navigate to the file scan.txt which we just saved to your desktop
  • Select scan.txt and click Open. Writing will now appear under the Custom Scan box
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic
===================================================

 


  • Please download GMER from one of the following locations, and save it to your desktop:

  • Main Mirror

    This version will download a randomly named file (Recommended)

  • Zip Mirror

    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Extract the contents of the zipped file to desktop (applicable only to Zip mirror) .
  • Double click Posted Image or Posted Image on your desktop.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

  • Save it where you can easily find it, such as your desktop, and attach it in your reply.
**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

 

===================================================

 

Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===================================================

 

On your next reply please post:

OTL log

GMER log

Checkup log

Let me know if you have any problems performing the steps above or any questions you may have.

 

Good Day!
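For the OTL log requested above, here is an added triage script (not part of this thread, of OTL, or of the helper's procedure) that parses the SRV/DRV, O4, O20 and file-entry line shapes OTL emits and flags the items a responder would read first: orphaned services, autoruns in user-writable folders, Winlogon Shell/UserInit values that differ from the defaults, and hidden unsigned extension-less files under Application Data. The sample lines are constructed from the shapes of the log posted later in the thread, the tampered UserInit line is made up, and the expected defaults assume %SystemRoot% = C:\WINDOWS as in that log's header.

```python
"""Triage helper for OTL (OldTimer's List-It) logs.

Added example for this thread; it is not OTL code and not the helper's own
method. It applies simple defender-side heuristics to the line shapes seen in
the posted log so the noisy sections can be read faster.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shapes of the posted OTL log. The UserInit line is
# made up to exercise the Winlogon rule; the posted log's own UserInit is clean.
SAMPLE_OTL_LOG = r"""
SRV - (HidServ) -- File not found
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
DRV - (Lavasoft Kernexplorer) -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys ()
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKCU..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\All Users\Application Data\made-up.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
[2012/02/05 00:16:23 | 000,000,440 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\QxWqp3ywnZxYQN
[2012/02/05 00:15:58 | 000,000,280 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~QxWqp3ywnZxYQN
[2012/01/31 06:44:05 | 000,237,072 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
"""

# Line shapes: "SRV - (name) -- path (company)", "O4 - HKLM..\Run: [value] path (company)",
# "O20 - HKLM Winlogon: Shell - (value) -path (company)", "[stamp | size | attrs | C/M] (company) -- path".
SVC_RE = re.compile(r"^(?P<kind>SRV|DRV) - \((?P<name>[^)]+)\) -- (?P<path>.*?)(?: \((?P<company>[^)]*)\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\.\.\\(?P<key>Run|RunOnce): \[(?P<value>[^\]]*)\] "
                   r"(?P<path>.*?)(?: \((?P<company>[^)]*)\))?$")
O20_RE = re.compile(r"^O20 - HKLM Winlogon: (?P<item>Shell|UserInit) - \((?P<value>[^)]*)\) -"
                    r"(?P<path>.*?)(?: \((?P<company>[^)]*)\))?$")
FILE_RE = re.compile(r"^\[(?P<stamp>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<op>[CM])\] "
                     r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.*)$")

# Defaults assumed from the posted header (%SystemRoot% = C:\WINDOWS).
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\recycler\\")


@dataclass(frozen=True)
class Finding:
    severity: str  # high / medium / low / info
    rule: str
    line: str


def _in_user_writable(path):
    return any(tag in path.lower() for tag in USER_WRITABLE)


def triage_line(line):
    """Return a Finding for one OTL line, or None when nothing stands out."""
    line = line.strip()
    m = SVC_RE.match(line)
    if m:  # service/driver entries
        if m["path"] == "File not found":
            return Finding("low", "orphan-service", line)   # registry entry with no binary
        if not m["company"]:
            return Finding("info", "no-company", line)      # unsigned / no version info
        return None
    m = O4_RE.match(line)
    if m:  # Run / RunOnce autoruns
        if _in_user_writable(m["path"]):
            return Finding("high", "autorun-user-writable", line)
        if not m["company"]:
            return Finding("info", "no-company", line)
        return None
    m = O20_RE.match(line)
    if m:  # Winlogon Shell / UserInit: anything beyond the default is a hijack candidate
        expected = EXPECTED_SHELL if m["item"] == "Shell" else EXPECTED_USERINIT
        if m["value"].lower().rstrip(",") != expected:
            return Finding("high", "winlogon-tamper", line)
        return None
    m = FILE_RE.match(line)
    if m:  # created/modified file entries
        name = m["path"].rsplit("\\", 1)[-1]
        hidden = "H" in m["attrs"]
        if hidden and not m["company"] and _in_user_writable(m["path"]) and "." not in name:
            return Finding("medium", "hidden-appdata-blob", line)
        return None
    return None


def triage(log_text):
    """Run triage_line over a whole log and collect the findings in order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def count_by_rule(findings):
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_OTL_LOG):
        print(f"[{f.severity:6}] {f.rule:22} {f.line}")
```

A hit is a reading aid, not a verdict: the two HidServ/AppMgmt style orphans in the posted log are common XP leftovers, and the hidden Application Data entries need the file contents checked before anything is deleted.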


Conspire -

 

Everything ran good, logs as requested below

 

OTL LOG -

 

OTL logfile created on: 2/12/2012 2:29:10 PM - Run 1

OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Owner\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

 

1.99 Gb Total Physical Memory | 1.11 Gb Available Physical Memory | 55.78% Memory free

3.84 Gb Paging File | 3.34 Gb Available in Paging File | 86.95% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 149.01 Gb Total Space | 108.72 Gb Free Space | 72.97% Space Free | Partition Type: NTFS

 

Computer Name: NEW-674AD70D4D2 | User Name: Owner | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

 

========== Processes (SafeList) ==========

 

PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft Limited)

PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft Limited)

PRC - C:\Program Files\SUPERAntiSpyware\SASCore.exe (SUPERAntiSpyware.com)

PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)

PRC - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)

PRC - C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)

PRC - C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe (Hewlett-Packard Development Company, L.P.)

 

 

========== Modules (No Company Name) ==========

 

MOD - C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Defs\Extended\libMachoUniv.dll ()

MOD - C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Defs\Extended\libBase64.dll ()

MOD - C:\Program Files\Lavasoft\Ad-Aware\VipreBridge.dll ()

MOD - C:\Program Files\Lavasoft\Ad-Aware\RPAPI.dll ()

MOD - C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Defs\thorax.aaw ()

MOD - c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_abac0ea3\mscorlib.dll ()

MOD - c:\windows\assembly\nativeimages1_v1.1.4322\system.drawing\1.0.5000.0__b03f5f7f11d50a3a_c8156999\system.drawing.dll ()

MOD - c:\windows\assembly\nativeimages1_v1.1.4322\system.xml\1.0.5000.0__b77a5c561934e089_40e0655d\system.xml.dll ()

MOD - c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_c6141195\system.windows.forms.dll ()

MOD - c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_8922bd06\system.dll ()

MOD - c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll ()

MOD - c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll ()

MOD - C:\Program Files\Lavasoft\Ad-Aware\Vipre.dll ()

MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()

MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()

MOD - c:\windows\assembly\gac\hpqisrtb\4.0.0.0__a53cf5803f4c3827\hpqisrtb.dll ()

MOD - c:\windows\assembly\gac\hpqedit\3.0.0.0__a53cf5803f4c3827\hpqedit.dll ()

MOD - c:\windows\assembly\gac\hpqbakup\3.0.0.0__a53cf5803f4c3827\hpqbakup.dll ()

MOD - c:\windows\assembly\gac\hpqvideo\3.0.0.0__a53cf5803f4c3827\hpqvideo.dll ()

MOD - c:\windows\assembly\gac\hpqprrsc\4.0.0.0__a53cf5803f4c3827\hpqprrsc.dll ()

MOD - c:\windows\assembly\gac\hpqovskn\3.0.0.0__a53cf5803f4c3827\hpqovskn.dll ()

MOD - c:\windows\assembly\gac\hpqmdmr\4.0.0.0__a53cf5803f4c3827\hpqmdmr.dll ()

MOD - c:\windows\assembly\gac\lead.wrapper\13.0.0.113__9cf889f53ea9b907\lead.wrapper.dll ()

MOD - c:\windows\assembly\gac\lead\13.0.0.113__9cf889f53ea9b907\lead.dll ()

MOD - c:\windows\assembly\gac\lead.windows.forms.drawingcontainer\13.0.0.113__9cf889f53ea9b907\lead.windows.forms.drawingcontainer.dll ()

MOD - c:\windows\assembly\gac\lead.windows.forms\13.0.0.113__9cf889f53ea9b907\lead.windows.forms.dll ()

MOD - c:\windows\assembly\gac\lead.drawing.imaging.imageprocessing\13.0.0.113__9cf889f53ea9b907\lead.drawing.imaging.imageprocessing.dll ()

MOD - c:\windows\assembly\gac\lead.drawing\13.0.0.113__9cf889f53ea9b907\lead.drawing.dll ()

MOD - c:\windows\assembly\gac\lead.drawing.imaging.codecs\13.0.0.113__9cf889f53ea9b907\lead.drawing.imaging.codecs.dll ()

MOD - c:\windows\assembly\gac\interop.hpqvideo\4.0.0.0__a53cf5803f4c3827\interop.hpqvideo.dll ()

MOD - c:\windows\assembly\gac\interop.hprblog\3.0.0.0__a53cf5803f4c3827\interop.hprblog.dll ()

MOD - c:\windows\assembly\gac\interop.hpqcxm08\3.0.0.0__a53cf5803f4c3827\interop.hpqcxm08.dll ()

MOD - c:\windows\assembly\gac\interop.hpqimgr\4.0.0.0__a53cf5803f4c3827\interop.hpqimgr.dll ()

MOD - c:\windows\assembly\gac\hpqntrop\4.0.0.0__a53cf5803f4c3827\hpqntrop.dll ()

MOD - c:\windows\assembly\gac\hpqimvlt\3.0.0.0__a53cf5803f4c3827\hpqimvlt.dll ()

MOD - c:\windows\assembly\gac\hpqimgrc\4.0.0.0__a53cf5803f4c3827\hpqimgrc.dll ()

MOD - c:\windows\assembly\gac\hpqtray\4.0.0.0__a53cf5803f4c3827\hpqtray.dll ()

MOD - c:\windows\assembly\gac\hpqthumb\3.0.0.0__a53cf5803f4c3827\hpqthumb.dll ()

MOD - c:\windows\assembly\gac\hpqglutl\4.0.0.0__a53cf5803f4c3827\hpqglutl.dll ()

MOD - c:\windows\assembly\gac\hpqimlib\3.0.0.0__a53cf5803f4c3827\hpqimlib.dll ()

MOD - c:\windows\assembly\gac\hpqcprsc\3.0.0.0__a53cf5803f4c3827\hpqcprsc.dll ()

MOD - c:\windows\assembly\gac\hpqutils\4.0.0.0__a53cf5803f4c3827\hpqutils.dll ()

MOD - c:\windows\assembly\gac\hpqfmrsc\4.0.0.0__a53cf5803f4c3827\hpqfmrsc.dll ()

MOD - c:\windows\assembly\gac\hpqasset\4.0.0.0__a53cf5803f4c3827\hpqasset.dll ()

MOD - c:\windows\assembly\gac\hpqiface\4.0.0.0__a53cf5803f4c3827\hpqiface.dll ()

MOD - c:\windows\assembly\gac\hpqcc2\3.0.0.0__a53cf5803f4c3827\hpqcc2.dll ()

MOD - c:\windows\assembly\gac\system.xml\1.0.5000.0__b77a5c561934e089\system.xml.dll ()

MOD - c:\windows\assembly\gac\system.drawing\1.0.5000.0__b03f5f7f11d50a3a\system.drawing.dll ()

MOD - c:\windows\assembly\gac\accessibility\1.0.5000.0__b03f5f7f11d50a3a\accessibility.dll ()

MOD - C:\Program Files\OpenOffice.org 3\program\libxml2.dll ()

MOD - C:\Program Files\HP\Digital Imaging\bin\crm\xmltok.dll ()

MOD - C:\Program Files\HP\Digital Imaging\bin\crm\xmlparse.dll ()

 

 

========== Win32 Services (SafeList) ==========

 

SRV - (HidServ) -- File not found

SRV - (AppMgmt) -- File not found

SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft Limited)

SRV - (!SASCORE) -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE (SUPERAntiSpyware.com)

SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)

SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)

 

 

========== Driver Services (SafeList) ==========

 

DRV - (MpKsl96316364) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{360F542F-6AA7-423B-BCE0-BE314AA8E5A7}\MpKsl96316364.sys (Microsoft Corporation)

DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)

DRV - (Lavasoft Kernexplorer) -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys ()

DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)

DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)

DRV - (P17) -- C:\WINDOWS\system32\drivers\P17.sys (Creative Technology Ltd.)

DRV - (ossrv) -- C:\WINDOWS\system32\drivers\ctoss2k.sys (Creative Technology Ltd.)

DRV - (ctsfm2k) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys (Creative Technology Ltd)

 

 

========== Standard Registry (SafeList) ==========

 

 

========== Internet Explorer ==========

 

 

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

 

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

 

 

 

O1 HOSTS File: ([2004/08/04 06:00:00 | 000,000,734 | -H-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)

O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)

O4 - HKCU..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)

O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil10l_ActiveX.exe (Adobe Systems, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)

O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1296154538984 (WUWebControl Class)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1296252183312 (MUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)

O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.27.4

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6F039B33-06B1-46A8-8B57-7A703A0CD0F3}: DhcpNameServer = 192.168.27.4

O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)

O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2011/01/27 12:06:41 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *)

O34 - HKLM BootExecute: (lsdelete)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

 

NetSvcs: 6to4 - File not found

NetSvcs: AppMgmt - File not found

NetSvcs: HidServ - File not found

NetSvcs: Ias - File not found

NetSvcs: Iprip - File not found

NetSvcs: Irmon - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: WmdmPmSp - File not found

 

Drivers32: msacm.ac3acm - C:\WINDOWS\System32\ac3acm.acm (fccHandler)

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)

Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)

Drivers32: msacm.lameacm - C:\WINDOWS\System32\lameACM.acm (http://www.mp3dev.org/)

Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)

Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)

Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)

Drivers32: VIDC.FFDS - C:\WINDOWS\System32\ff_vfw.dll ()

Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()

Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()

Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)

Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

Drivers32: vidc.LEAD - LCODCCMP.DLL File not found

Drivers32: VIDC.XVID - C:\WINDOWS\System32\xvidvfw.dll ()

Drivers32: VIDC.YV12 - C:\WINDOWS\System32\yv12vfw.dll (www.helixcommunity.org)

 

CREATERESTOREPOINT

Restore point Set: OTL Restore Point

 

========== Files/Folders - Created Within 30 Days ==========

 

[2012/02/12 14:16:26 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

[2012/02/05 15:06:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes

[2012/02/05 15:05:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware

[2012/02/05 15:05:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2012/02/05 15:05:51 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2012/02/05 15:05:51 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2012/02/05 05:11:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com

[2012/02/05 05:10:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware

[2012/02/05 05:10:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

[2012/02/05 05:10:37 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware

[2012/02/05 04:29:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy

[2012/02/05 04:29:26 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy

[2012/02/05 04:29:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

[2012/02/05 00:47:17 | 000,101,720 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys

[2012/02/05 00:42:21 | 000,064,512 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys

[2012/02/05 00:42:05 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft

[2012/02/05 00:42:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Lavasoft

[2012/02/05 00:42:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft

[2012/02/05 00:39:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\virus removal

[2012/02/05 00:27:16 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent

[2011/01/27 12:41:25 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

 

========== Files - Modified Within 30 Days ==========

 

[2012/02/12 14:16:32 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

[2012/02/12 01:50:02 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2012/02/12 00:44:13 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

[2012/02/12 00:43:51 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat

[2012/02/12 00:43:51 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat

[2012/02/08 12:26:01 | 000,000,284 | -H-- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2012/02/05 15:01:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2012/02/05 05:10:43 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk

[2012/02/05 00:47:17 | 000,101,720 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys

[2012/02/05 00:47:15 | 000,016,432 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe

[2012/02/05 00:16:23 | 000,000,440 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\QxWqp3ywnZxYQN

[2012/02/05 00:15:58 | 000,000,280 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~QxWqp3ywnZxYQN

[2012/02/05 00:14:21 | 000,013,646 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2012/01/31 06:44:05 | 000,237,072 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe

[2012/01/30 17:27:45 | 000,000,192 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~QxWqp3ywnZxYQNr

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

 

========== Files Created - No Company Name ==========

 

[2012/02/05 13:17:01 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat

[2012/02/05 13:17:01 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat

[2012/02/05 05:10:43 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk

[2012/02/05 03:47:11 | 000,016,432 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe

[2012/02/05 00:42:33 | 000,000,486 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

[2012/01/30 17:27:45 | 000,000,280 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~QxWqp3ywnZxYQN

[2012/01/30 17:27:45 | 000,000,192 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~QxWqp3ywnZxYQNr

[2012/01/30 17:27:41 | 000,000,440 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QxWqp3ywnZxYQN

[2011/03/31 22:42:33 | 000,037,880 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat

[2011/03/30 22:14:29 | 000,000,128 | -H-- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat

[2011/03/29 16:42:24 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll

[2011/03/29 16:38:32 | 000,124,805 | -H-- | C] () -- C:\WINDOWS\HPHins12.dat

[2011/03/29 16:38:32 | 000,014,916 | -H-- | C] () -- C:\WINDOWS\hphmdl12.dat

[2011/01/28 15:28:24 | 000,165,376 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll

[2011/01/28 15:28:24 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini

[2011/01/28 15:28:23 | 000,810,496 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll

[2011/01/28 15:28:23 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll

[2011/01/28 15:28:23 | 000,080,896 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll

[2011/01/27 12:41:49 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll

[2011/01/27 12:41:25 | 000,064,512 | ---- | C] () -- C:\WINDOWS\System32\P17.dll

[2011/01/27 12:41:25 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\P17CPI.dll

[2011/01/27 12:07:53 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat

[2011/01/27 12:04:46 | 000,021,640 | -H-- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

[2011/01/27 05:55:45 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2011/01/27 05:54:47 | 000,185,016 | -H-- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2004/08/04 06:00:00 | 013,107,200 | -H-- | C] () -- C:\WINDOWS\System32\oembios.bin

[2004/08/04 06:00:00 | 000,673,088 | -H-- | C] () -- C:\WINDOWS\System32\mlang.dat

[2004/08/04 06:00:00 | 000,481,532 | -H-- | C] () -- C:\WINDOWS\System32\perfh009.dat

[2004/08/04 06:00:00 | 000,272,128 | -H-- | C] () -- C:\WINDOWS\System32\perfi009.dat

[2004/08/04 06:00:00 | 000,218,003 | -H-- | C] () -- C:\WINDOWS\System32\dssec.dat

[2004/08/04 06:00:00 | 000,079,862 | -H-- | C] () -- C:\WINDOWS\System32\perfc009.dat

[2004/08/04 06:00:00 | 000,046,258 | -H-- | C] () -- C:\WINDOWS\System32\mib.bin

[2004/08/04 06:00:00 | 000,028,626 | -H-- | C] () -- C:\WINDOWS\System32\perfd009.dat

[2004/08/04 06:00:00 | 000,004,569 | -H-- | C] () -- C:\WINDOWS\System32\secupd.dat

[2004/08/04 06:00:00 | 000,004,461 | -H-- | C] () -- C:\WINDOWS\System32\oembios.dat

[2004/08/04 06:00:00 | 000,001,804 | -H-- | C] () -- C:\WINDOWS\System32\dcache.bin

[2004/08/04 06:00:00 | 000,000,741 | -H-- | C] () -- C:\WINDOWS\System32\noise.dat

 

========== Custom Scans ==========

 

 

< >

 

< %SYSTEMDRIVE%\*.* >

[2012/02/05 15:01:26 | 000,000,444 | ---- | M] () -- C:\aaw7boot.log

[2011/01/27 12:06:41 | 000,000,000 | -H-- | M] () -- C:\AUTOEXEC.BAT

[2011/01/27 12:03:00 | 000,000,211 | -HS- | M] () -- C:\boot.ini

[2011/01/27 12:06:41 | 000,000,000 | -H-- | M] () -- C:\CONFIG.SYS

[2011/01/27 12:06:41 | 000,000,000 | RHS- | M] () -- C:\IO.SYS

[2011/01/27 12:06:41 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS

[2004/08/04 06:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM

[2011/01/27 17:18:54 | 000,250,048 | RHS- | M] () -- C:\ntldr

[2012/02/05 15:01:27 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys

 

< %systemroot%\Fonts\*.com >

[2006/04/18 15:39:28 | 000,026,040 | -H-- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont

[2006/06/29 14:53:56 | 000,026,489 | -H-- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont

[2006/04/18 15:39:28 | 000,029,779 | -H-- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont

[2006/06/29 14:58:52 | 000,030,808 | -H-- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

 

< %systemroot%\Fonts\*.dll >

[2006/02/19 02:28:56 | 000,012,288 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\Fonts\RandFont.dll

 

< %systemroot%\Fonts\*.ini >

[2011/01/27 12:06:25 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

 

< %systemroot%\Fonts\*.ini2 >

 

< %systemroot%\Fonts\*.exe >

 

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >

[2008/07/06 06:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll

[2006/06/03 20:29:06 | 000,076,288 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp4pi.dll

[2006/10/26 18:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\msonpppr.dll

[2008/07/06 04:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

 

< %systemroot%\REPAIR\*.bak1 >

 

< %systemroot%\REPAIR\*.ini >

 

< %systemroot%\system32\*.jpg >

 

< %systemroot%\*.jpg >

 

< %systemroot%\*.png >

 

< %systemroot%\*.scr >

 

< %systemroot%\*._sy >

 

< %APPDATA%\Adobe\Update\*.* >

 

< %ALLUSERSPROFILE%\Favorites\*.* >

 

< %APPDATA%\Microsoft\*.* >

[2011/04/01 23:17:05 | 000,001,650 | -H-- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\LastFlashConfig.WFC

 

< %PROGRAMFILES%\*.* >

 

< %APPDATA%\Update\*.* >

 

< %systemroot%\*. /mp /s >

 

< %systemroot%\System32\config\*.sav >

[2011/01/27 05:53:54 | 000,094,208 | -H-- | M] () -- C:\WINDOWS\System32\config\default.sav

[2011/01/27 05:53:54 | 000,634,880 | -H-- | M] () -- C:\WINDOWS\System32\config\software.sav

[2011/01/27 05:53:54 | 000,892,928 | -H-- | M] () -- C:\WINDOWS\System32\config\system.sav

 

< %PROGRAMFILES%\bak. /s >

 

< %systemroot%\system32\bak. /s >

 

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

[2011/01/27 17:21:39 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

 

< %systemroot%\system32\config\systemprofile\*.dat /x >

 

< %systemroot%\*.config >

 

< %systemroot%\system32\*.db >

 

< %PROGRAMFILES%\Internet Explorer\*.dat >

 

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >

[2011/01/27 17:55:23 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini

 

< %USERPROFILE%\Desktop\*.exe >

[2012/02/12 14:16:32 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

 

< %PROGRAMFILES%\Common Files\*.* >

 

< %systemroot%\*.src >

 

< %systemroot%\install\*.* >

 

< %systemroot%\system32\DLL\*.* >

 

< %systemroot%\system32\HelpFiles\*.* >

 

< %systemroot%\system32\rundll\*.* >

 

< %systemroot%\winn32\*.* >

 

< %systemroot%\Java\*.* >

 

< %systemroot%\system32\test\*.* >

 

< %systemroot%\system32\Rundll32\*.* >

 

< %systemroot%\AppPatch\Custom\*.* >

 

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

 

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2012-01-12 09:10:40

< End of report >

 

 

OTL EXTRAS LOG

 

OTL Extras logfile created on: 2/12/2012 2:29:10 PM - Run 1

OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Owner\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

 

1.99 Gb Total Physical Memory | 1.11 Gb Available Physical Memory | 55.78% Memory free

3.84 Gb Paging File | 3.34 Gb Available in Paging File | 86.95% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

 

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 149.01 Gb Total Space | 108.72 Gb Free Space | 72.97% Space Free | Partition Type: NTFS

 

Computer Name: NEW-674AD70D4D2 | User Name: Owner | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

 

========== Extra Registry (SafeList) ==========

 

 

========== File Associations ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

 

========== Shell Spawning ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

 

========== Security Center Settings ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

 

========== System Restore Settings ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

 

========== Firewall Settings ==========

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

"DoNotAllowExceptions" = 0

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

"DoNotAllowExceptions" = 0

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management

"80:TCP" = 80:TCP:*:Disabled:Windows Remote Management - Compatibility Mode (HTTP-In)

"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

 

========== Authorized Applications List ==========

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)

 

 

========== HKEY_LOCAL_MACHINE Uninstall List ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware

"{069730C2-755A-485B-A205-27A1AAFA836A}" = InstantShareAlert

"{0A65A3BD-54B5-4d0d-B084-7688507813F5}" = SlideShow

"{15C0AF59-4877-49B6-B8C6-A61CE54515F5}" = cp_OnlineProjectsConfig

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{20749F76-4228-43AD-8AB5-E7B20D8040C4}" = hph_readme

"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress

"{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java 6 Update 23

"{29ED20C9-5E15-4969-9279-25BF3727A3DA}" = iTunes

"{2F58D60D-2BFD-4467-9B4D-64E7355C329D}" = Sonic_PrimoSDK

"{3004FB81-7B9E-4808-BD13-BC5A530BA60B}" = cp_PrintOnCDConfig

"{33BF0960-DBA3-4187-B6CC-C969FCFA2D25}" = SkinsHP1

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{363790D2-DA98-41DD-9C9F-69FA36B169DE}" = PanoStandAlone

"{36D620AD-EEBA-4973-BA86-0C9AE6396620}" = OptionalContentQFolder

"{36DC3E2F-CD8C-4953-9E8F-9A1916D10AA1}" = hph_software

"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile

"{41E776A5-9B12-416D-9A12-B4F7B044EBED}" = CP_Package_Basic1

"{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4EA684E9-5C81-4033-A696-3019EC57AC3A}" = HPProductAssistant

"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder

"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client

"{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg

"{6696D9A4-28A8-4F5A-8E9A-2E8974C8C39C}" = RandMap

"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder

"{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox

"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder

"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update

"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour

"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime

"{82081779-4175-4666-A457-AB711CD37EF0}" = cp_LightScribeConfig

"{82E55892-6FFD-403F-AA97-D726846768AA}" = CP_AtenaShokunin1Config

"{8331C3EA-0C91-43AA-A4D4-27221C631139}" = Status

"{866A0078-DEA7-4348-9C9A-999AF2991EAA}" = SlideShowMusic

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload

"{8E9976D2-E563-43DE-A51F-5AEBC38D1F08}" = Ad-Aware

"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007

"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In

"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

"{A00B9A50-3090-4CFF-9CDA-82DA0BEDAA21}" = Apple Mobile Device Support

"{A29800BA-0BF1-4E63-9F31-DF05A87F4104}" = InstantShareDevices

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support

"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder

"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)

"{ACCCEE83-B49B-4964-8A4F-378B8FBC9F75}" = hph_ProductContext

"{B19F9155-9337-4807-B5EF-ED471DDB2CCE}" = hph_software_req

"{B2157760-AA3C-4E2E-BFE6-D20BC52495D9}" = cp_PosterPrintConfig

"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy

"{B6286A44-7505-471A-A72B-04EC2DB2F442}" = CueTour

"{B69CFE29-FD03-4E0A-87A7-6ED97F98E5B3}" = CP_Panorama1Config

"{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}" = HP Software Update

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C1C6767D-B395-43CB-BF99-051B58B86DA6}" = PhotoGallery

"{C3FAA091-B278-44A7-BF48-190811C5F9F7}" = cp_UpdateProjectsConfig

"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}" = SolutionCenter

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D2A3C9D5-0B56-4656-8277-7EDC65D62B6E}" = HP Photosmart and Deskjet 7.0 Software

"{D8185007-3F98-413E-B22D-BA513517383A}" = D5100_Help

"{DBC20735-34E6-4E97-A9E5-2066B66B243D}" = TrayApp

"{E1B80DEE-A795-4258-8445-074C06AE3AB8}" = MarketResearch

"{ED23E382-E5E3-4E21-B616-01FC59A40916}" = OpenOffice.org 3.3

"{ED2C557E-9C18-41FF-B58E-A05EEF0B3B5F}" = CP_CalendarTemplates1

"{F157460F-720E-482f-8625-AD7843891E5F}" = InstantShareDevicesMFC

"{FD100EAE-33D2-420D-BCEB-361AC512B0BB}" = D5100

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"HOMESTUDENTR" = Microsoft Office Home and Student 2007

"HP Imaging Device Functions" = HP Imaging Device Functions 7.0

"HP Photo & Imaging" = HP Photosmart Premier Software 6.5

"HP Solution Center & Imaging Support Tools" = HP Solution Center 7.0

"HPExtendedCapabilities" = HP Customer Participation Program 7.0

"ie8" = Windows Internet Explorer 8

"KLiteCodecPack_is1" = K-Lite Codec Pack 6.7.0 (Full)

"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

"Microsoft Security Client" = Microsoft Security Essentials

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

 

========== Last 10 Event Log Errors ==========

 

[ Application Events ]

Error - 1/1/2012 4:13:59 AM | Computer Name = NEW-674AD70D4D2 | Source = Bonjour Service | ID = 100

Description = Task Scheduling Error: Continuously busy for more than a second

 

Error - 1/1/2012 4:13:59 AM | Computer Name = NEW-674AD70D4D2 | Source = Bonjour Service | ID = 100

Description = Task Scheduling Error: m->NextScheduledEvent 26123704

 

Error - 1/1/2012 4:13:59 AM | Computer Name = NEW-674AD70D4D2 | Source = Bonjour Service | ID = 100

Description = Task Scheduling Error: m->NextScheduledSPRetry 26123704

 

Error - 1/8/2012 7:41:19 PM | Computer Name = NEW-674AD70D4D2 | Source = Application Error | ID = 1000

Description = Faulting application hpqtra08.exe, version 70.0.170.0, faulting module

unknown, version 0.0.0.0, fault address 0x011434f0.

 

Error - 1/12/2012 7:12:07 AM | Computer Name = NEW-674AD70D4D2 | Source = .NET Runtime Optimization Service | ID = 1103

Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)

- Tried to start a service that wasn't the latest version of CLR Optimization service.

Will shutdown

 

Error - 1/21/2012 9:56:18 AM | Computer Name = NEW-674AD70D4D2 | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting

module mshtml.dll, version 8.0.6001.19170, fault address 0x000710a6.

 

Error - 1/21/2012 9:56:26 AM | Computer Name = NEW-674AD70D4D2 | Source = Application Error | ID = 1001

Description = Fault bucket -1557053477.

 

Error - 1/28/2012 6:54:55 AM | Computer Name = NEW-674AD70D4D2 | Source = Application Hang | ID = 1002

Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

 

Error - 1/28/2012 6:55:02 AM | Computer Name = NEW-674AD70D4D2 | Source = Application Hang | ID = 1001

Description = Fault bucket 1180947459.

 

Error - 2/9/2012 3:50:32 AM | Computer Name = NEW-674AD70D4D2 | Source = MPSampleSubmission | ID = 5000

Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0,

P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),

P8 NIL, P9 NIL, P10 NIL.

 

 

< End of report >

 

GMER LOG

 

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2012-02-12 15:40:38

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3160815AS rev.3.ADA

Running: ulpnzscc.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fgwdyaob.sys

 

---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA0F887E]

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA0F8BFE]

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA8A9B640]

---- EOF - GMER 1.0.15 ----

 

CHECK UP LOG

 

Results of screen317's Security Check version 0.99.31

Windows XP Service Pack 3 x86

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Microsoft Security Essentials

```````````````````````````````

Anti-malware/Other Utilities Check:

Ad-Aware

Spybot - Search & Destroy

SUPERAntiSpyware

Java 6 Update 23

Java version out of date!

Adobe Flash Player 10.1.102.64 Flash Player out of Date!

Adobe Reader X (10.1.2)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Windows Defender MSMpEng.exe

Ad-Aware AAWService.exe

Ad-Aware AAWTray.exe

Microsoft Security Essentials msseces.exe

Microsoft Security Client Antimalware MsMpEng.exe

``````````End of Log````````````
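When reading the Security Center, System Restore and Firewall sections of an OTL log like the one above, the values worth checking first are the ones a rogue "computer fix" program typically flips: the notification and override flags under Security Center, DisableSR, EnableFirewall per profile, and any globally open port that is Enabled rather than Disabled. The Python script below is an added example written for this thread; it is not part of OTL or of any tool the posters used. It parses the log's `[key]` / `"name" = value` blocks and reports departures from the Windows XP SP3 defaults (the baseline values are an assumption of what a healthy home machine looks like). Both sample logs inside it are constructed: the clean one mirrors the values posted above, the tampered one has four values changed to show what a finding looks like.

```python
"""Audit the Security Center / System Restore / Firewall sections of an
OTL-style log for settings that rogue antivirus software commonly tampers with.

Added example for this thread, not part of OTL. BASELINE holds the assumed
healthy values (Windows XP SP2/SP3 defaults with Windows Firewall on).
"""
import re
from typing import Dict, List, Tuple

# (registry key suffix, value name) -> expected value on a healthy machine.
BASELINE: Dict[Tuple[str, str], str] = {
    ("Security Center", "AntiVirusDisableNotify"): "0",
    ("Security Center", "FirewallDisableNotify"): "0",
    ("Security Center", "UpdatesDisableNotify"): "0",
    ("Security Center", "AntiVirusOverride"): "0",
    ("Security Center", "FirewallOverride"): "0",
    ("SystemRestore", "DisableSR"): "0",
    (r"FirewallPolicy\DomainProfile", "EnableFirewall"): "1",
    (r"FirewallPolicy\StandardProfile", "EnableFirewall"): "1",
}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')


def parse_log(text: str) -> Dict[str, Dict[str, str]]:
    """Return {registry key: {value name: value}} for every [key] block."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group("name")] = m.group("value").strip()
    return sections


def audit(text: str) -> List[str]:
    """Return one finding string per value that departs from BASELINE,
    plus one per globally open firewall port whose state is Enabled."""
    findings: List[str] = []
    for key, values in parse_log(text).items():
        for (key_suffix, name), expected in BASELINE.items():
            if key.endswith(key_suffix) and name in values and values[name] != expected:
                findings.append(f"{key}\\{name} = {values[name]} (expected {expected})")
        if key.endswith(r"GloballyOpenPorts\List"):
            for name, value in values.items():
                # OTL format: port:proto:scope:Enabled|Disabled:description
                fields = value.split(":")
                if len(fields) >= 4 and fields[3].lower() == "enabled":
                    findings.append(f"globally open port {name} enabled ({fields[-1]})")
    return findings


# Constructed sample: the values the original poster's log shows.
CLEAN_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management
"""

# Constructed sample with four values changed the way a rogue AV would leave them.
TAMPERED_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 1
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = 5985:TCP:*:Enabled:Windows Remote Management
"""

if __name__ == "__main__":
    print("clean log findings:", audit(CLEAN_LOG))
    for finding in audit(TAMPERED_LOG):
        print("FLAG:", finding)
```

Paste the three relevant sections of a real OTL log into a file and call `audit()` on its contents; an empty list means every checked value is at its default, which is what the log above shows.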


Please read through these instructions to familiarize yourself with what to expect when this tool runs

 

Refer to the ComboFix User's Guide

 

Download ComboFix from one of these locations:

 

Link 1

Link 2

 

 

* IMPORTANT- Save ComboFix.exe to your Desktop

 

====================================================

 

Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications

 

====================================================

 

 

Double click on ComboFix.exe & follow the prompts.

 

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

     

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

 

 

Posted Image

 

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 

 

Posted Image

 

 

Click on Yes, to continue scanning for malware.

 

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.


Conspire - ComboFix ran fine and did install or update the recovery console. Log is below as requested.

 

ComboFix 12-02-13.01 - Owner 02/13/2012 13:09:07.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1083 [GMT -6:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\~QxWqp3ywnZxYQN

c:\documents and settings\All Users\Application Data\~QxWqp3ywnZxYQNr

c:\documents and settings\All Users\Application Data\QxWqp3ywnZxYQN

c:\documents and settings\Owner\g2ax_customer_downloadhelper_win32_x86.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-01-13 to 2012-02-13 )))))))))))))))))))))))))))))))

.

.

2012-02-13 07:58 . 2012-02-13 07:58 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5DF25698-7BC2-4A89-8816-916F51B22C53}\offreg.dll

2012-02-13 07:58 . 2012-02-13 07:58 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5DF25698-7BC2-4A89-8816-916F51B22C53}\MpKsld7d3faa2.sys

2012-02-13 07:52 . 2012-01-06 02:19 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5DF25698-7BC2-4A89-8816-916F51B22C53}\mpengine.dll

2012-02-05 21:06 . 2012-02-05 21:06 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2012-02-05 21:05 . 2012-02-05 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-02-05 21:05 . 2012-02-05 21:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-02-05 21:05 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-02-05 11:11 . 2012-02-05 11:11 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com

2012-02-05 11:10 . 2012-02-05 11:11 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-02-05 11:10 . 2012-02-05 11:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2012-02-05 10:29 . 2012-02-05 11:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2012-02-05 10:29 . 2012-02-05 10:32 -------- d-----w- c:\program files\Spybot - Search & Destroy

2012-02-05 09:47 . 2012-02-05 06:47 16432 ----a-w- c:\windows\system32\lsdelete.exe

2012-02-05 06:47 . 2012-02-05 06:47 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2012-02-05 06:42 . 2011-12-23 13:12 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys

2012-02-05 06:42 . 2012-02-05 06:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2012-02-05 06:42 . 2012-02-05 06:42 -------- d-----w- c:\program files\Lavasoft

2012-02-05 06:29 . 2012-02-05 06:29 -------- d-----w- c:\windows\system32\wbem\Repository

2012-02-05 06:20 . 2012-02-05 06:23 -------- d-s---w- c:\documents and settings\Administrator

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-01-31 12:44 . 2011-01-28 22:02 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-01-06 02:19 . 2011-01-29 16:14 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-11-25 21:57 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-11-23 13:25 . 2004-08-04 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-18 12:35 . 2004-08-04 12:00 60416 ----a-w- c:\windows\system32\packager.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-01-20 4617600]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-10 421736]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Malwarebytes Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]

.

c:\documents and settings\Owner\Start Menu\Programs\Startup\

OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/5/2012 12:42 AM 64512]

R1 MpKsld7d3faa2;MpKsld7d3faa2;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5DF25698-7BC2-4A89-8816-916F51B22C53}\MpKsld7d3faa2.sys [2/13/2012 1:58 AM 29904]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 10:27 AM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 3:55 PM 67664]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 5:38 PM 116608]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/23/2011 7:12 AM 2152152]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/23/2011 7:12 AM 15232]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 6:00 AM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - FGWDYAOB

*NewlyCreated* - MPKSLD7D3FAA2

*Deregistered* - fgwdyaob

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

.

2012-02-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-12-23 06:47]

.

2012-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]

.

2012-02-13 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.27.4

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-02-13 13:14

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(648)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

.

Completion time: 2012-02-13 13:16:22

ComboFix-quarantined-files.txt 2012-02-13 19:16

.

Pre-Run: 116,877,021,184 bytes free

Post-Run: 117,327,540,224 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 9AB9E4557B0980ABEEF58AA026300AEB


Hi,

 

Looking good so far.

 

ESET Online Scanner

I'd like us to scan your machine with ESET OnlineScan

 

Note: If you are using Windows Vista/7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

 

*Note

It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.

Please don't go surfing while your resident protection is disabled!

Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

 

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.

    ESET OnlineScan

  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as MyEsetScan. Alternatively, look for the report in C:\Program Files\ESET\ESET Online Scanner\log.txt. Include the contents of this report in your next reply.
  • Push the Back button.
  • Select Uninstall application on close check box and push Posted Image
===================================================

 

Re-run Malwarebytes' Anti-Malware

  • Double-click MalwareBytes' (Note to Vista users, please right-click and select Run as Administrator.)

    • Go to Update tab to update Malwarebytes' Anti-Malware
  • Then click Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.

 

===================================================

 

On your next reply please post :

ESET log

MBAM log

 

Please STOP and let me know if you have any problems in performing with the steps above or any questions you may have.

 

Good Day!

Edited by Conspire

Conspire -

 

Both scans ran fine; MBAM came up clean, so no restart or any issues. Logs below as requested.

 

ESET -

 

C:\Documents and Settings\Owner\Desktop\My Documents\Debby folder\coupons\couponprinter.exe probably a variant of Win32/Adware.Softomate.AD application

 

 

MBAM -

 

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.02.14.05

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Owner :: NEW-674AD70D4D2 [administrator]

2/14/2012 2:08:36 PM

mbam-log-2012-02-14 (14-08-36).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 187050

Time elapsed: 7 minute(s), 30 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Hi there,

 

Do you use Coupon Printer? Otherwise just delete the folder.

 

I think we're done here :)

 

Follow these steps to uninstall Combofix

  • Click START then RUN
  • Now copy/paste the code into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.
Combofix /Uninstall
Posted Image

 

===================================================

 

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.
===================================================

 

 

Thank you for your patience, and performing all of the procedures requested. I would also like to take this opportunity to apologize for any delay that may have occurred.

 

--------------------------------------------------------------------------------------------------------------

 

MICROSOFT UPDATES

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

 

 

Passwords

It is good security practice to change the passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:

Strong passwords: How to create and use them, and consider a password keeper to keep all your passwords safe.

 

 

SPYWARE PREVENTION

This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well written articles:

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an add-on available for both Firefox and IE.

  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here

  • Download Host.zip and Save it to your Desktop.
  • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
  • Follow the prompts and click 'Finish'.
  • This will open the newly created hosts folder on your Desktop.
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
  • Once updated you should see another prompt that the task was completed.
Follow this list and keep your antivirus program and antispyware programs updated and scan with them on a regular basis. By doing so, your potential for being infected again will reduce dramatically.

 

Hopefully this should take care of your problems! Good luck.

 

Do you have any questions or problems to ask? Please do not hesitate to do so.

 

**Please respond this one more time to ensure it is resolved and close this topic.


Conspire - I removed combofix and otl like you said. It rebooted, I attempted to run microsoft updates and still get the security error as seen below.

 

 

 

 

 

[Error number: 0x800A0046]

Please change your Internet Explorer security settings

To save changes to your settings for this website, you need to enable userdata persistence for Internet Explorer. Complete the steps below, and then click Change settings to the left and try saving your changes again.

  • In Internet Explorer, on the Tools menu, click Internet Options.
  • Click the Security tab, click the Internet security zone icon, and then click Custom Level.
  • In the Settings dialog box, scroll to the Miscellaneous section.
  • Under Userdata persistence , select Enable.
  • Click OK and when the security warning dialog box appears, click Yes.
Read more about steps you can take to resolve this problem (error number 0x800A0046) yourself.



Have you tried the following methods?

 

Method 1: Remove the user account that is experiencing difficulty from the Guests or Limited account groups

  • Click Start, click Run, type control admintools, and then click OK.
  • Click Computer Management.
  • Expand Local Users and Groups.
  • Select Users.
  • Open the account that is used to access Windows Update or Microsoft Update.
  • Click the Member Of tab.
  • Select the user account that you want to remove, and then click Remove.
Method 2: Set the Security Descriptor

  • Click Start, click Run, type cmd, and then click OK.
  • Type sc sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU), and then press ENTER.

     

    You will receive a "Success" message.

     

    Note The Sc.exe tool is not available in a default Windows 2000 installation. The Sc.exe tool can be found from the Microsoft Windows 2000 Server Resource Kit.

  • Type Exit to close the command prompt.
  • Try Windows Update or Microsoft Update again.
Method 3: Add the Local Administrator and Service accounts to the Impersonate a client after authentication policy

  • Click Start, click Run, type secpol.msc, and then press ENTER.
  • Expand Local Policies.
  • Click User Rights Assignment.
  • Double-click to open the Impersonate a client after authentication policy
  • On the Local Security Settings tab, click Add User or Group, and then add the Administrator and Service to the list of Users and Groups.
  • Click OK, and then restart the computer.
Method 4: Configure the Remote Procedure Call (RPC) service to log on as a Local System account

  • Click Start, click Run, type services.msc, and then click OK.
  • Locate and right-click the Remote Procedure Call (RPC) service, and then click Properties.
  • On the Log On tab, click Local System account, click Apply, and then click OK.
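The `sc sdset` step in Method 2 replaces the Windows Update service's security descriptor with an SDDL string that is hard to read by eye. The following is an added example, not part of the thread or of any Microsoft tool: it decodes that exact descriptor so you can verify which accounts are granted which service rights before applying it (the right and trustee abbreviations are the standard SDDL ones for service objects).

```python
import re

# Service-object access-right abbreviations (generic SD, RC, WD, WO plus the
# service-specific ones) as used in SDDL strings for sc sdset.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Well-known trustee abbreviations that appear in the thread's descriptor.
TRUSTEES = {"SY": "Local System", "BA": "Builtin Administrators",
            "AU": "Authenticated Users", "PU": "Power Users"}

ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_dacl(sddl):
    """Return [(ace_type, trustee, [rights])] for the D: section of an SDDL string."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL string starting with 'D:'")
    aces = []
    for body in ACE_RE.findall(sddl[2:]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("ACE must have 6 ';'-separated fields: (%s)" % body)
        ace_type, _flags, rights, _obj, _inherit, sid = fields
        # The rights field is a run of two-letter tokens; split it pairwise.
        tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        decoded = [SERVICE_RIGHTS.get(t, "UNKNOWN(%s)" % t) for t in tokens]
        aces.append((ace_type, TRUSTEES.get(sid, sid), decoded))
    return aces

def who_can_reconfigure(sddl):
    """Trustees granted a write-type right: change config, delete, WRITE_DAC or WRITE_OWNER."""
    risky = {"SERVICE_CHANGE_CONFIG", "DELETE", "WRITE_DAC", "WRITE_OWNER"}
    return [t for a, t, r in parse_dacl(sddl) if a == "A" and risky & set(r)]

# The exact descriptor from the thread's Method 2 step.
THREAD_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")

if __name__ == "__main__":
    for ace_type, trustee, rights in parse_dacl(THREAD_SDDL):
        print(ace_type, trustee + ":", ", ".join(rights))
    print("can reconfigure wuauserv:", who_can_reconfigure(THREAD_SDDL))
```

Only Builtin Administrators receive the write-type rights; Authenticated Users can query and interrogate the service but not start or stop it, which is what you want to confirm before accepting a descriptor copied from a forum post.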

method 1 - Local Users and Groups is not in this area? Under Computer Management there are System Tools, Storage, and Services and Applications. Local Users and Groups is not in any of these.

 

method 2 - tried - got the success message - same results

 

method 3 - secpol.msc cannot be found

 

method 4 - did this - same results even rebooted with same results


Conspire - I tried in safe mode and got a different error. The account I log in on is an administrator account. I tried creating a new account "administrator" also, with the same results.

 

[Error number: 0x8DDD0002]

To install updates from this website, you must be logged on as an administrator or a member of the Administrators group on your computer. If you use Windows XP, you can see if you are an administrator by going to User Accounts in Control Panel.

 

Note: If your computer is connected to a network, network policy settings might also prevent you using this website. Contact your system administrator for help with updates.


That is really odd. My apologies, did you boot to safe mode with networking or without?

 

We will try this workaround.

 

Perform this in normal boot.

 

SFC – System File Checker Workaround

 

Please try this workaround (you will need your Windows® XP SP2 CD).

 

(In the event that you do not have a Windows® XP CD with SP2, you will need to 'borrow' one from a friend or colleague, as the manufacturer's "Recovery Discs" will not work in this instance.)

 

Insert the Windows® XP CD in your drive. (Hold down the Shift Key to prevent it from starting.)

 

Go Start > Run ...in the box type in sfc /scannow …please take note of the space between the sfc and the /.

 

This is the System File Checker...it will scan all the Windows® core system files to ensure that they are in their respective correct places, and if not replace them from the CD.

 

During the scan you may be asked to Insert the CD, if this happens just go retry and let it do its thing.

One important point: While sfc is running, it is not advisable to do any other work, or have any browsers/programs running on the computer, until the scan is complete. (This process will generally take around 45-65 minutes to complete).

Edited by Conspire

I was in safe mode with networking -

I ran sfc - same results after it was finished.

 

When I got home this morning the system had rebooted. It was on the login screen. I restarted and went into safe mode, tried to access update. Then rebooted and went and did some stuff. When I came back and logged in the autoupdate had a balloon that said a critical update was installed and needed to be rebooted....... Somehow it is accessing it - just not through the browser.


Conspire -

 

I haven't done anything but what you have instructed. I did some searching last night at work but kept coming up with stuff you have already mentioned. I didn't see the issue until after I made my initial post here and then decided to wait for assistance so I didn't mess anything else up in the process.

 

I don't know when or how the automatic updates ran.

 

I tried your link - same results

 

I also clicked on the link at the bottom of that page and checked those settings. Everything was set as desired. Same results again......

 

Ben


Conspire -

 

I ran the "fix" and it reconfigured 2 items. Tried update and same results. Ran fix again - reconfigured 1 item, restarted IE - same result. I went into internet options, restored advanced settings and reset IE settings to default condition, restarted IE, ran update - got the active x warning hit ok and the error came up.


I think I got it this time. I overlooked one entry in OTL.

 

I need to get an updated OTL from you again.

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.

    Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.

  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.

This topic is now closed to further replies.