TechSpot

[A] Microsoft Security Essentials found a virus but had trouble removing it

Inactive
By shivmister
Mar 27, 2012
  1. As the title states, I was unable to remove the virus/trojan. Though after running through these steps I do not see a pop-up from Microsoft Security Essentials telling me I have a trojan. Can you look at the logs and tell me if I am still at risk?

    Thank you!
    ------------------------------------------------------------------------------------------
    Malwarebytes Anti-Malware (Trial) 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.22.01

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    HP_Administrator :: MANOJ_R_SHAH [administrator]

    Protection: Enabled

    3/21/2012 11:17:05 PM
    mbam-log-2012-03-21 (23-43-29).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 233856
    Time elapsed: 24 minute(s), 45 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 1
    C:\WINDOWS\system32\NEUSBw32.dll (Trojan.Dropper) -> No action taken.

    Registry Keys Detected: 1
    HKCU\SOFTWARE\MFJJEC0A1L (Trojan.FakeAlert) -> No action taken.

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    C:\WINDOWS\system32\NEUSBw32.dll (Trojan.Dropper) -> No action taken.
    C:\Documents and Settings\HP_Administrator\0.02356483905905471.exe (Trojan.Agent.Gen) -> No action taken.

    (end)
     
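What the MBAM log above actually records, pulled out by a script. This is an added example, not part of the original post: it parses the detection section (the sample text is copied from the log above) and reports which items were logged but not removed, and which path was seen both as a loaded memory module and as a file. The only assumption is MBAM's wording "No action taken" for an untreated item, which is the wording this log uses.

```python
"""Triage a Malwarebytes Anti-Malware (MBAM) scan log: list every detection
and whether MBAM actually removed it.  Added example, not from the post."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: the detection section of the MBAM log posted above,
# leading whitespace stripped.
MBAM_LOG = r"""
Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\WINDOWS\system32\NEUSBw32.dll (Trojan.Dropper) -> No action taken.

Registry Keys Detected: 1
HKCU\SOFTWARE\MFJJEC0A1L (Trojan.FakeAlert) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Files Detected: 2
C:\WINDOWS\system32\NEUSBw32.dll (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\HP_Administrator\0.02356483905905471.exe (Trojan.Agent.Gen) -> No action taken.

(end)
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass(frozen=True)
class Detection:
    section: str  # "Memory Modules", "Registry Keys", "Files", ...
    item: str     # file path or registry key
    family: str   # MBAM detection name, e.g. "Trojan.Dropper"
    action: str   # what MBAM did with it, e.g. "No action taken"


def parse_mbam_log(text):
    """Return every detection in the log, tagged with the section it sits under."""
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            detections.append(Detection(section, m.group("item"),
                                        m.group("family"), m.group("action")))
    return detections


def declared_counts(text):
    """The N in each 'X Detected: N' header."""
    counts = {}
    for raw in text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if m:
            counts[m.group("section")] = int(m.group("count"))
    return counts


def headers_agree(text):
    """True when the items parsed under each header match the header's count,
    i.e. the log was pasted whole and the regexes missed nothing."""
    parsed = Counter(d.section for d in parse_mbam_log(text))
    return all(parsed.get(s, 0) == n for s, n in declared_counts(text).items())


def untreated(detections):
    """Detections MBAM logged but did not remove.  Assumes MBAM's wording
    'No action taken', which is what this log shows."""
    return [d for d in detections if d.action.lower().startswith("no action")]


def loaded_and_on_disk(detections):
    """Paths reported both as a loaded memory module and as a file: the DLL is
    mapped into a running process, so the file cannot simply be deleted
    while that process is alive."""
    modules = {d.item.lower() for d in detections if d.section == "Memory Modules"}
    return sorted({d.item for d in detections
                   if d.section == "Files" and d.item.lower() in modules})


def summarize(text):
    """One dict a responder can read at a glance."""
    dets = parse_mbam_log(text)
    return {
        "detections": len(dets),
        "untreated": [f"{d.item} ({d.family})" for d in untreated(dets)],
        "active_dlls": loaded_and_on_disk(dets),
        "log_consistent": headers_agree(text),
    }


if __name__ == "__main__":
    for key, value in summarize(MBAM_LOG).items():
        print(f"{key}: {value}")
```

Run against the posted log it reports four detections, all four untreated, and NEUSBw32.dll as a DLL that was both on disk and loaded when the scan ran, which is why a "No action taken" scan leaves the machine exactly as it was.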
  2. shivmister

    shivmister TS Rookie Topic Starter Posts: 33

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-03-22 00:10:52
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2 SAMSUNG_ rev.VT10
    Running: 8ji4lkv4.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\agdoykob.sys


    ---- System - GMER 1.0.15 ----

    SSDT sptd.sys ZwEnumerateKey [0xB9ED684C]
    SSDT sptd.sys ZwEnumerateValueKey [0xB9ED6BEC]

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\iaStor \Device\Ide\iaStor0 8B14B1D8
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 8B14B1D8
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 8B14B1D8
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-2 8B14B1D8
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-3 8B14B1D8
    Device \Driver\akptod50 \Device\Scsi\akptod501Port2Path0Target0Lun0 8A615980
    Device \Driver\akptod50 \Device\Scsi\akptod501 8A615980
    Device \FileSystem\Ntfs \Ntfs 8B0D61D8
    Device \FileSystem\Fastfat \Fat 88BC6980

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
    -------------------------------------------------------------
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
    Run by HP_Administrator at 0:18:20 on 2012-03-22
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1144 [GMT -5:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Citrix\Secure Access Client\nsverctl.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Citrix\ICA Client\concentr.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\Citrix\ICA Client\wfcrun32.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Citrix\Secure Access Client\nsload.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\system32\wuauclt.exe
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\WINDOWS\system32\taskmgr.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.bing.com/
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: IDXHlprObj Class: {31816979-f864-4acf-919f-d0b3b56432e6} - c:\windows\downloaded program files\IDXIEController.DLL
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
    BHO: Tunebite_WebRipPlugin Class: {aa102584-3b97-47e7-b9bc-75d54c110a7d} - c:\program files\rapidsolution\tunebite\plugins\ie\TB_WebRipIePlugin.dll
    BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: DictateBHO: {e12a882b-f14f-4440-9bc0-84a5eb766605} - c:\windows\downloaded program files\DictateBar.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
    TB: TouchWorks Dictate: {6f60c5c5-61b3-4378-8902-ed9497663ac9} - c:\windows\downloaded program files\DictateBar.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
    TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
    uRun: [NetMeter] c:\documents and settings\hp_administrator\my documents\netmeter\NetMeter114beta_4.exe
    uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
    uRun: [Google Update] "c:\documents and settings\hp_administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [<NO NAME>]
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
    mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\citrix~1.lnk - c:\program files\citrix\secure access client\nsload.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    LSP: mswsock.dll
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: turbotax.com
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} - /Touchworks/AHSCompressionEngine.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
    DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    DPF: {27B87596-448E-40CB-B3B4-4F329FF540EC} - /TouchWorks/ResultWorks/CHWorks/VitalSigns/wavitalsigns.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {45EEDB84-57BC-4FBD-8065-7AB8E971B545} - TouchWorks/Common/Components/AtalaSoft/ImgXDialog61.cab
    DPF: {46965FE7-2129-407B-938C-BE358A56D11E} - hxxp://tworks.amg.advocatehealth.com/TouchWorks/DocWorks/CHWorks/Unstructured/aicviewer3.cab
    DPF: {501D93F5-74BE-4306-A90C-9FFD1574A6A6} - hxxp://centricityweb-luth.advocatehealth.com/ami/install/amiviewer.cab
    DPF: {56B46BBB-F6C4-4B6B-8EDF-BEE6C9661E4E}
    DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174963884478
    DPF: {7E8DC73D-69CD-4F67-99B1-8DC6E42F6246} - /TouchWorks/Common/Components/AtalaSoft/ImgX61.cab
    DPF: {860FFAFE-5AAA-11D2-81EB-006008A2E49D} - /TouchWorks/ResultWorks/chworks/flowsheets/pe32.cab
    DPF: {8613571C-30D2-4BD4-9710-3DFDBADE8190} - hxxp://localhost/ami/install/amiviewer.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    DPF: {9A0CA502-7DA4-4B72-B5D4-D280DE8D4512} - /Touchworks/DictionaryManager.CAB
    DPF: {A8B3A7FE-9C8D-4F15-9B01-8805BDF43B1B} - hxxp://localhost/ami/install/amiviewer.cab
    DPF: {ACEFFC26-4628-11D1-B14A-105C01C13001} - /TouchWorks/DocWorks/CHWorks/Note/wspell.cab
    DPF: {AECD14A8-F662-11D1-A395-00805F535788} - hxxp://www.investors.com/member/ocx/plotwon.ocx
    DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} - /TouchWorks/DocWorks/CHWorks/Note/TWRTF.cab
    DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} - /Touchworks/DictateBar.cab
    DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} - hxxp://tworks.amg.advocatehealth.com/TouchWorks/DocWorks/CHWorks/Unstructured/aic_viewer2.cab
    DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
    TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
    Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: NecUsb3Sevices - USB3Sw32.dll
    Notify: USB3Sw32 - USB3Sw32.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\7gbqr2lq.default\
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
    FF - prefs.js: network.proxy.ftp - 208.43.135.133
    FF - prefs.js: network.proxy.ftp_port - 80
    FF - prefs.js: network.proxy.gopher - 208.43.135.133
    FF - prefs.js: network.proxy.gopher_port - 80
    FF - prefs.js: network.proxy.http - 208.43.135.133
    FF - prefs.js: network.proxy.http_port - 80
    FF - prefs.js: network.proxy.socks - 208.43.135.133
    FF - prefs.js: network.proxy.socks_port - 80
    FF - prefs.js: network.proxy.ssl - 208.43.135.133
    FF - prefs.js: network.proxy.ssl_port - 80
    FF - prefs.js: network.proxy.type - 2
    FF - plugin: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\7gbqr2lq.default\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll
    FF - plugin: c:\documents and settings\hp_administrator\application data\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\hp_administrator\application data\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\documents and settings\hp_administrator\local settings\application data\google\update\1.3.21.99\npGoogleUpdate3.dll
    FF - plugin: c:\documents and settings\hp_administrator\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
    FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\citrix\secure access client\npagee.dll
    FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npaxctrl.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.http.max-persistent-connections-per-server - 4
    FF - user.js: content.max.tokenizing.time - 200000
    FF - user.js: content.notify.interval - 100000
    FF - user.js: content.switch.threshold - 650000
    FF - user.js: nglayout.initialpaint.delay - 300
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-6-17 20744]
    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2011-4-25 65584]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165648]
    R1 MpKsl402eaab5;MpKsl402eaab5;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{df7d1a2c-3084-4cd7-981c-818738597d25}\MpKsl402eaab5.sys [2012-3-22 29904]
    R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2007-1-11 3744]
    R2 cag;Citrix cag plugin for Access Gateway;c:\program files\common files\deterministic networks\common files\cag.sys [2009-10-22 80920]
    R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
    R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2007-1-11 3904]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-1-14 652360]
    R2 nsverctl;Citrix Secure Access Client Service;c:\program files\citrix\secure access client\nsverctl.exe [2010-1-19 154264]
    R2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-1 217600]
    R3 ctxva51;Citrix Virtual Adapter;c:\windows\system32\drivers\ctxva51.sys [2010-1-19 41624]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-1-14 20464]
    RUnknown MpKsl7422ca67;MpKsl7422ca67; [x]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 CWMonitor;Symantec Crimeware Protection Driver;\??\c:\program files\common files\symantec shared\coshared\cw\1.0\monitor.sys --> c:\program files\common files\symantec shared\coshared\cw\1.0\Monitor.sys [?]
    S2 LMIRfsDriver;Vpctcom;c:\windows\system32\svchost.exe -k netsvcs [2004-8-9 14336]
    S2 NecUsb3;USB3 Service;c:\windows\system32\svchost.exe -k NecUsb3Sevic [2004-8-9 14336]
    S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2009-6-17 29192]
    S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2006-8-24 82048]
    S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2008-8-5 39048]
    S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2009-6-17 25480]
    S3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys --> c:\windows\system32\drivers\net6im51.sys [?]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-9 14336]
    S3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2006-8-24 468768]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
    S4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    .
    =============== Created Last 30 ================
    .
    2012-03-22 05:09:41 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{df7d1a2c-3084-4cd7-981c-818738597d25}\MpKsl402eaab5.sys
    2012-03-22 04:47:48 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{df7d1a2c-3084-4cd7-981c-818738597d25}\MpKsl7422ca67.sys
    2012-03-22 04:02:23 6582328 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{df7d1a2c-3084-4cd7-981c-818738597d25}\mpengine.dll
    2012-03-21 01:09:14 38400 ----a-w- c:\windows\system32\USB3Sw32.dll
    2012-03-21 00:59:08 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
    2012-03-19 16:49:39 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
    2012-03-19 16:49:39 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
    2012-02-25 20:39:32 -------- d-----w- c:\documents and settings\hp_administrator\application data\Windows Search
    .
    ==================== Find3M ====================
    .
    2012-03-19 13:57:37 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-01-23 03:42:58 208896 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
    2012-01-23 03:42:38 45056 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe
    2012-01-23 03:42:37 44032 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe
    2012-01-23 03:42:36 61440 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemutil.dll
    2012-01-23 03:42:36 40960 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\ScDmi.dll
    2012-01-23 03:42:36 341048 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\HPBasicDetection3.dll
    2012-01-23 03:42:36 32768 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\uploadHSC.dll
    2012-01-23 03:42:36 32768 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\Scom.dll
    2012-01-23 03:42:36 163840 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemcheck.dll
    2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
    2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    .
    ============= FINISH: 0:19:13.40 ===============
     
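The DDS log above carries several entries a responder would check before answering the "still at risk" question: Firefox prefs.js proxy settings that route ftp, gopher, http, socks and ssl through 208.43.135.133 on port 80; two Winlogon Notify entries for USB3Sw32.dll while c:\windows\system32\USB3Sw32.dll appears under "Created Last 30" dated 2012-03-21; and a hosts entry pinning www.spywareinfo.com to 127.0.0.1. The script below is an added example, not part of the original post. It extracts those indicators from the log text (sample lines copied from above) with three heuristics that are assumptions of the example, not findings from the thread: a proxy host that is a public IP literal, a Notify DLL whose file was created inside the log's 30-day window, and a non-local host name pinned to loopback.

```python
"""Pull first-look indicators out of a DDS log: Firefox proxy prefs pointing
at a public IP, Winlogon Notify DLLs whose file is in 'Created Last 30', and
host names pinned to loopback.  Added example, not from the post; the
heuristics are assumptions, not findings from the thread."""
import ipaddress
import json
import re
from datetime import date

# Constructed input: lines copied from the DDS log above, leading spaces stripped.
DDS_LOG = r"""
Notify: NecUsb3Sevices - USB3Sw32.dll
Notify: USB3Sw32 - USB3Sw32.dll
Hosts: 127.0.0.1 www.spywareinfo.com
FF - prefs.js: network.proxy.ftp - 208.43.135.133
FF - prefs.js: network.proxy.ftp_port - 80
FF - prefs.js: network.proxy.http - 208.43.135.133
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.ssl - 208.43.135.133
FF - prefs.js: network.proxy.ssl_port - 80
FF - prefs.js: network.proxy.type - 2
=============== Created Last 30 ================
2012-03-21 01:09:14 38400 ----a-w- c:\windows\system32\USB3Sw32.dll
2012-03-19 16:49:39 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-02-25 20:39:32 -------- d-----w- c:\documents and settings\hp_administrator\application data\Windows Search
"""

PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.(?P<key>\w+) - (?P<val>\S+)$")
NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<dll>.+)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<name>\S+)$")
# date time size attributes path; folder rows have no numeric size and are skipped
CREATED_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} \d+ \S+ (?P<path>.+)$")


def _lines(text):
    return (raw.strip() for raw in text.splitlines())


def firefox_proxies(text):
    """protocol -> (host, port) from the prefs.js lines; network.proxy.type is ignored."""
    hosts, ports = {}, {}
    for line in _lines(text):
        m = PROXY_RE.match(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val")
        if key.endswith("_port"):
            ports[key[:-5]] = int(val)
        elif key != "type":
            hosts[key] = val
    return {proto: (host, ports.get(proto, 0)) for proto, host in hosts.items()}


def public_proxies(text):
    """Proxies whose host is a globally routable IP literal.  Heuristic: an
    organisation's proxy is usually a hostname, a private-range address or a
    PAC URL, so every protocol routed through one public IP is worth asking about."""
    flagged = {}
    for proto, (host, port) in firefox_proxies(text).items():
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # hostname rather than an IP literal; not judged here
        if ip.is_global:
            flagged[proto] = (host, port)
    return flagged


def recently_created(text):
    """file name (lower case) -> (creation date, full path) from 'Created Last 30'."""
    created = {}
    for line in _lines(text):
        m = CREATED_RE.match(line)
        if m:
            path = m.group("path")
            created[path.rsplit("\\", 1)[-1].lower()] = (date.fromisoformat(m.group("date")), path)
    return created


def fresh_notify_packages(text):
    """Winlogon Notify entries whose DLL appears in 'Created Last 30'.  Such a
    package is loaded by winlogon.exe at logon; one whose file is days old deserves a look."""
    created = recently_created(text)
    hits = []
    for line in _lines(text):
        m = NOTIFY_RE.match(line)
        if not m:
            continue
        fname = m.group("dll").rsplit("\\", 1)[-1].lower()
        if fname in created:
            when, path = created[fname]
            hits.append((m.group("name"), path, when.isoformat()))
    return hits


def loopback_pinned_hosts(text):
    """Names the hosts file sends to loopback.  Ad blocklists do this on purpose;
    a security-help site pinned there without the user's knowledge is not that."""
    names = []
    for line in _lines(text):
        m = HOSTS_RE.match(line)
        if m and ipaddress.ip_address(m.group("ip")).is_loopback:
            names.append(m.group("name"))
    return names


def triage(text):
    return {
        "public_proxies": public_proxies(text),
        "fresh_notify_packages": fresh_notify_packages(text),
        "loopback_pinned_hosts": loopback_pinned_hosts(text),
    }


if __name__ == "__main__":
    print(json.dumps(triage(DDS_LOG), indent=2))
```

Each heuristic only points at something to verify on the machine, not at a verdict: the proxy lines should be compared with what the user or their employer actually configured, the Notify DLL should be checked on disk (publisher, signature, whether it belongs to any installed USB 3 software), and the hosts line against any blocklist the user installed deliberately.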
  3. shivmister


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/9/2007 10:35:00 PM
    System Uptime: 3/22/2012 12:05:18 AM (0 hours ago)
    .
    Motherboard: ASUSTek Computer INC. | | Basswood
    Processor: Intel(R) Core(TM)2 CPU 6400 @ 2.13GHz | Socket 775 | 2133/266mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 224 GiB total, 37.76 GiB free.
    D: is FIXED (NTFS) - 233 GiB total, 211.752 GiB free.
    E: is FIXED (FAT32) - 9 GiB total, 0.418 GiB free.
    F: is CDROM ()
    G: is CDROM ()
    H: is CDROM (UDF)
    J: is Removable
    K: is Removable
    L: is Removable
    M: is Removable
    N: is CDROM (CDFS)
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Intel(R) 82562V 10/100 Network Connection
    Device ID: PCI\VEN_8086&DEV_104C&SUBSYS_2A36103C&REV_02\3&2411E6FE&0&C8
    Manufacturer: Intel
    Name: Intel(R) 82562V 10/100 Network Connection
    PNP Device ID: PCI\VEN_8086&DEV_104C&SUBSYS_2A36103C&REV_02\3&2411E6FE&0&C8
    Service: e1express
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\FFA6C911D800
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\FFA6C911D800
    Service: NIC1394
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Wireless LAN PCI 802.11 b/g adapter WN5301A
    Device ID: PCI\VEN_168C&DEV_001B&SUBSYS_500111AD&REV_01\4&11B6166B&0&18F0
    Manufacturer: Liteon
    Name: Wireless LAN PCI 802.11 b/g adapter WN5301A
    PNP Device ID: PCI\VEN_168C&DEV_001B&SUBSYS_500111AD&REV_01\4&11B6166B&0&18F0
    Service: WN5301
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Bluetooth PAN Network Adapter
    Device ID: ROOT\NET\0000
    Manufacturer: IVT Corporation
    Name: Bluetooth PAN Network Adapter
    PNP Device ID: ROOT\NET\0000
    Service: BT
    .
    ==== System Restore Points ===================
    .
    RP1472: 12/21/2011 9:43:31 AM - System Checkpoint
    RP1473: 12/21/2011 1:16:36 PM - Software Distribution Service 3.0
    RP1474: 12/22/2011 5:07:30 PM - Software Distribution Service 3.0
    RP1475: 12/23/2011 8:21:19 PM - Software Distribution Service 3.0
    RP1476: 12/24/2011 10:00:03 PM - Software Distribution Service 3.0
    RP1477: 12/26/2011 12:35:30 AM - Software Distribution Service 3.0
    RP1478: 12/26/2011 3:13:17 PM - Revo Uninstaller's restore point - dBpoweramp Music Converter
    RP1479: 12/26/2011 3:19:14 PM - Revo Uninstaller's restore point - dBpoweramp DSP Effects
    RP1480: 12/26/2011 3:21:32 PM - Revo Uninstaller's restore point - dBpoweramp Ogg Vorbis Codec
    RP1481: 12/26/2011 3:22:23 PM - Revo Uninstaller's restore point - Microsoft Halo
    RP1482: 12/26/2011 3:23:33 PM - Revo Uninstaller's restore point - dBpoweramp FLAC Codec
    RP1483: 12/26/2011 3:24:38 PM - Revo Uninstaller's restore point - Adobe Reader 9.4.6
    RP1484: 12/26/2011 3:25:18 PM - Removed Adobe Reader 9.4.6.
    RP1485: 12/26/2011 3:26:59 PM - Revo Uninstaller's restore point - dBpoweramp [Calculate Audio CRC] Codec
    RP1486: 12/26/2011 3:27:30 PM - Revo Uninstaller's restore point - dBpoweramp Dalet Codec
    RP1487: 12/26/2011 3:28:00 PM - Revo Uninstaller's restore point - dBpoweramp Monkeys Audio Codec
    RP1488: 12/26/2011 3:28:29 PM - Revo Uninstaller's restore point - dBpoweramp Mp2 and BwfMp2 codec
    RP1489: 12/27/2011 7:55:23 AM - Software Distribution Service 3.0
    RP1490: 12/28/2011 8:19:20 AM - Software Distribution Service 3.0
    RP1491: 12/29/2011 8:20:53 AM - System Checkpoint
    RP1492: 12/30/2011 1:10:43 AM - Software Distribution Service 3.0
    RP1493: 12/31/2011 3:28:15 AM - Software Distribution Service 3.0
    RP1494: 1/1/2012 8:28:53 AM - Software Distribution Service 3.0
    RP1495: 1/2/2012 9:30:36 AM - System Checkpoint
    RP1496: 1/3/2012 8:10:48 AM - Software Distribution Service 3.0
    RP1497: 1/4/2012 10:13:05 AM - Software Distribution Service 3.0
    RP1498: 1/5/2012 10:16:06 AM - System Checkpoint
    RP1499: 1/5/2012 6:03:12 PM - Software Distribution Service 3.0
    RP1500: 1/6/2012 6:07:16 PM - Software Distribution Service 3.0
    RP1501: 1/7/2012 7:02:41 PM - System Checkpoint
    RP1502: 1/7/2012 8:54:06 PM - Software Distribution Service 3.0
    RP1503: 1/8/2012 10:01:26 PM - Software Distribution Service 3.0
    RP1504: 1/10/2012 1:51:03 PM - Software Distribution Service 3.0
    RP1505: 1/11/2012 2:45:39 PM - System Checkpoint
    RP1506: 1/11/2012 11:11:28 PM - Software Distribution Service 3.0
    RP1507: 1/12/2012 8:29:51 AM - Software Distribution Service 3.0
    RP1508: 1/13/2012 8:33:12 AM - Software Distribution Service 3.0
    RP1509: 1/14/2012 10:12:23 AM - System Checkpoint
    RP1510: 1/14/2012 11:48:29 AM - Software Distribution Service 3.0
    RP1511: 1/15/2012 1:38:11 PM - System Checkpoint
    RP1512: 1/15/2012 4:58:40 PM - Software Distribution Service 3.0
    RP1513: 1/16/2012 7:31:49 PM - Software Distribution Service 3.0
    RP1514: 1/17/2012 7:39:25 PM - Software Distribution Service 3.0
    RP1515: 1/18/2012 8:06:43 PM - System Checkpoint
    RP1516: 1/19/2012 8:52:28 AM - Software Distribution Service 3.0
    RP1517: 1/20/2012 9:25:43 AM - Software Distribution Service 3.0
    RP1518: 1/21/2012 10:14:26 AM - System Checkpoint
    RP1519: 1/21/2012 11:04:18 AM - Software Distribution Service 3.0
    RP1520: 1/22/2012 10:49:42 AM - pre service pack 3, for windows xp
    RP1521: 1/22/2012 9:28:10 PM - Software Distribution Service 3.0
    RP1522: 1/22/2012 9:58:51 PM - Software Distribution Service 3.0
    RP1523: 1/22/2012 10:26:30 PM - Software Distribution Service 3.0
    RP1524: 1/22/2012 11:28:07 PM - Software Distribution Service 3.0
    RP1525: 1/23/2012 12:44:00 AM - Software Distribution Service 3.0
    RP1526: 1/24/2012 9:07:14 AM - Software Distribution Service 3.0
    RP1527: 1/24/2012 10:46:50 PM - Installed TurboTax 2011 wrapper
    RP1528: 1/25/2012 6:53:35 PM - Software Distribution Service 3.0
    RP1529: 1/26/2012 4:03:30 PM - Software Distribution Service 3.0
    RP1530: 1/27/2012 4:21:22 PM - System Checkpoint
    RP1531: 1/28/2012 8:41:30 AM - Software Distribution Service 3.0
    RP1532: 1/29/2012 10:27:51 AM - System Checkpoint
    RP1533: 1/29/2012 2:59:57 PM - Software Distribution Service 3.0
    RP1534: 1/30/2012 3:59:34 PM - System Checkpoint
    RP1535: 1/31/2012 9:31:02 AM - Software Distribution Service 3.0
    RP1536: 2/1/2012 10:00:38 AM - System Checkpoint
    RP1537: 2/1/2012 9:25:35 PM - Software Distribution Service 3.0
    RP1538: 2/2/2012 9:47:55 PM - Software Distribution Service 3.0
    RP1539: 2/4/2012 6:45:00 AM - Software Distribution Service 3.0
    RP1540: 2/5/2012 8:14:11 AM - Software Distribution Service 3.0
    RP1541: 2/6/2012 9:48:07 AM - Software Distribution Service 3.0
    RP1542: 2/7/2012 11:18:07 AM - System Checkpoint
    RP1543: 2/7/2012 3:06:29 PM - Software Distribution Service 3.0
    RP1544: 2/8/2012 3:37:55 PM - System Checkpoint
    RP1545: 2/8/2012 7:13:10 PM - Software Distribution Service 3.0
    RP1546: 2/9/2012 8:28:49 PM - Software Distribution Service 3.0
    RP1547: 2/10/2012 9:23:17 PM - System Checkpoint
    RP1548: 2/11/2012 12:38:04 AM - Software Distribution Service 3.0
    RP1549: 2/12/2012 7:50:31 AM - Software Distribution Service 3.0
    RP1550: 2/12/2012 7:42:26 PM - Installed TurboTax 2011 wiliper
    RP1551: 2/13/2012 8:18:46 AM - Software Distribution Service 3.0
    RP1552: 2/14/2012 1:22:07 PM - Software Distribution Service 3.0
    RP1553: 2/15/2012 2:25:24 PM - System Checkpoint
    RP1554: 2/16/2012 8:28:23 AM - Software Distribution Service 3.0
    RP1555: 2/16/2012 10:53:56 PM - Software Distribution Service 3.0
    RP1556: 2/17/2012 8:17:51 PM - Software Distribution Service 3.0
    RP1557: 2/18/2012 8:25:09 PM - System Checkpoint
    RP1558: 2/19/2012 12:04:46 AM - Software Distribution Service 3.0
    RP1559: 2/20/2012 8:34:38 AM - Software Distribution Service 3.0
    RP1560: 2/21/2012 8:57:50 AM - System Checkpoint
    RP1561: 2/21/2012 5:36:27 PM - Software Distribution Service 3.0
    RP1562: 2/22/2012 7:03:36 PM - System Checkpoint
    RP1563: 2/22/2012 9:39:08 PM - Software Distribution Service 3.0
    RP1564: 2/24/2012 8:26:58 AM - Software Distribution Service 3.0
    RP1565: 2/25/2012 8:44:42 AM - Software Distribution Service 3.0
    RP1566: 2/26/2012 10:40:40 AM - System Checkpoint
    RP1567: 2/26/2012 2:49:28 PM - Software Distribution Service 3.0
    RP1568: 2/27/2012 3:28:11 PM - System Checkpoint
    RP1569: 2/27/2012 5:44:04 PM - Software Distribution Service 3.0
    RP1570: 2/28/2012 6:14:56 PM - Software Distribution Service 3.0
    RP1571: 2/29/2012 9:51:24 PM - System Checkpoint
    RP1572: 3/1/2012 7:51:37 AM - Software Distribution Service 3.0
    RP1573: 3/2/2012 8:13:34 AM - Software Distribution Service 3.0
    RP1574: 3/3/2012 8:14:10 AM - Software Distribution Service 3.0
    RP1575: 3/4/2012 10:30:50 AM - Software Distribution Service 3.0
    RP1576: 3/5/2012 10:42:51 AM - System Checkpoint
    RP1577: 3/5/2012 5:49:26 PM - Software Distribution Service 3.0
    RP1578: 3/6/2012 8:54:12 PM - Software Distribution Service 3.0
    RP1579: 3/7/2012 8:59:26 PM - Software Distribution Service 3.0
    RP1580: 3/8/2012 10:46:58 PM - Software Distribution Service 3.0
    RP1581: 3/10/2012 9:29:26 AM - Software Distribution Service 3.0
    RP1582: 3/11/2012 1:20:30 PM - Software Distribution Service 3.0
    RP1583: 3/12/2012 1:50:04 PM - System Checkpoint
    RP1584: 3/12/2012 8:18:12 PM - Software Distribution Service 3.0
    RP1585: 3/13/2012 8:52:07 PM - System Checkpoint
    RP1586: 3/14/2012 8:20:49 AM - Software Distribution Service 3.0
    RP1587: 3/14/2012 7:21:38 PM - Software Distribution Service 3.0
    RP1588: 3/15/2012 10:52:37 PM - Software Distribution Service 3.0
    RP1589: 3/16/2012 11:37:39 PM - Software Distribution Service 3.0
    RP1590: 3/18/2012 10:00:36 AM - Software Distribution Service 3.0
    RP1591: 3/19/2012 10:51:31 AM - System Checkpoint
    RP1592: 3/19/2012 9:12:22 PM - Software Distribution Service 3.0
    RP1593: 3/20/2012 9:30:58 PM - Software Distribution Service 3.0
    RP1594: 3/21/2012 11:02:20 PM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    .
    µTorrent
    Acrobat.com
    Ad-Aware
    Adobe AIR
    Adobe Digital Editions
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Shockwave Player
    AnswerWorks 4.0 Runtime - English
    AnswerWorks 5.0 English Runtime
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Audacity 1.2.6
    Auto Gordian Knot 2.55
    AutoUpdate
    AviSynth 2.5
    BlueSoleil
    Bonjour
    BSPlayer
    BufferChm
    CCleaner
    CheckIt Diagnostics
    Citrix Access Gateway Plug-in
    Citrix online plug-in - web
    Citrix online plug-in (DV)
    Citrix online plug-in (HDX)
    Citrix online plug-in (USB)
    Citrix online plug-in (Web)
    Combined Community Codec Pack 2008-09-21 16:18
    Comical 0.8
    Compatibility Pack for the 2007 Office system
    CP_AtenaShokunin1Config
    CP_CalendarTemplates1
    cp_LightScribeConfig
    cp_OnlineProjectsConfig
    CP_Package_Basic1
    CP_Package_Variety1
    CP_Package_Variety2
    CP_Package_Variety3
    CP_Panorama1Config
    cp_PosterPrintConfig
    cp_UpdateProjectsConfig
    CueTour
    Customer Experience Enhancement
    Data Fax SoftModem with SmartCP
    dBpoweramp mp3 (Fraunhofer IIS) Codec
    dBpoweramp Real Audio (Helix) Encoder
    dBPoweramp tooLame MP2 codec
    dBpoweramp Wave64 Codec
    dBpoweramp WavPack Codec
    Destinations
    DeviceManagementQFolder
    Digsby
    DirectVobSub (remove only)
    DivX Codec
    DivX Player
    DivX Web Player
    DivXLand Media Subtitler
    Drive Manager
    DVD Decrypter (Remove Only)
    DVD Shrink 3.2
    DVDFab 8.0.4.0 (11/11/2010)
    Enhanced Multimedia Keyboard Solution
    EVEREST Home Edition v2.20
    Exact Audio Copy 0.99pb5
    FileZilla Client 3.3.0.1
    FLAC 1.2.1b (remove only)
    foobar2000 v0.9.6.3
    Forces in 1D
    Foxit PDF Editor
    Foxit Reader
    Foxit Toolbar
    FullDPAppQFolder
    GameSpy Arcade
    GemMaster Mystic
    Google Chrome
    Google Talk (remove only)
    Google Talk Plugin
    Haali Media Splitter
    HandBrake 0.9.5
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows XP (KB954550-v5)
    HP Boot Optimizer
    HP DigitalMedia Archive
    HP DVD Play 2.1
    HP Imaging Device Functions 7.0
    HP Photosmart for Media Center PC
    HP Photosmart Premier Software 6.5
    HP Precisionscan Pro 3.1
    HP Share-to-Web
    HP Update
    HP Web Helper
    HPPhotoSmartExpress
    HpSdpAppCoreApp
    IDM Flash 4.4.0.468
    Image to PDF Converter Free 4.0
    ImTOO iPod Computer Transfer
    InstantShareAlert
    InstantShareDevices
    Intel(R) Matrix Storage Manager
    Intel(R) Network Connections Drivers
    Intel(R) Quick Resume Technology Drivers
    Intel® Viiv™ Software
    Investor's Toolkit
    iPad/iPhone/iPod to Computer Transfer 7.5.7
    iSEEK AnswerWorks English Runtime
    ItsDeductible Express
    iTunes
    Java(TM) 6 Update 14
    K-Lite Codec Pack 5.5.1 (Basic)
    LightScribe 1.4.105.1
    LiveUpdate 3.1 (Symantec Corporation)
    Magic ISO Maker v5.5 (build 0273)
    MagicDisc 2.7.105
    Malwarebytes Anti-Malware version 1.60.1.1000
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft ActiveSync
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office XP Professional with FrontPage
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Works
    mIRC
    mkv2vob
    MKVtoolnix 3.4.0
    MobileMe Control Panel
    Mozilla Firefox 11.0 (x86 en-US)
    Mp3tag v2.46a
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 6 Service Pack 2 (KB973686)
    MusicBrainz Picard
    muvee autoProducer 5.0
    muvee autoProducer unPlugged 2.0
    NAIC Investor's Toolkit
    NAIC Stock Analyst
    NAIC Take $tock
    Nero 7 Ultra Edition
    NNScript
    Nokia Connectivity Cable Driver
    Notepad++
    NVIDIA Drivers
    Office Password Recovery v2.0 (remove only)
    OptionalContentQFolder
    Orbit Downloader
    Otto
    OverDrive Media Console
    Paint.NET v3.36
    Pando Media Booster
    PC-Doctor 5 for Windows
    PC Connectivity Solution
    Pepsky Free CD Maker 5.0.1
    PhotoGallery
    Python 2.6
    Quicken 2011
    QuickTime
    RandMap
    RealPlayer
    Realtek High Definition Audio Driver
    Rehan Pan Zoom Effects
    Revo Uninstaller 1.89
    Rhapsody
    Rhapsody Player Engine
    Safari
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2647518)
    SESAP 12
    SkinsHP1
    Skype Toolbars
    Skype™ 5.0
    SlideShow
    SlideShowMusic
    smARTupdate
    Sonic_PrimoSDK
    Sony Digital Voice Editor 3
    Spybot - Search & Destroy
    Spybot - Search & Destroy 1.4
    SpywareBlaster 4.2
    starwars_screensaver_pc
    Stock Investor Professional
    System Requirements Lab
    System Requirements Lab CYRI
    Take $tock 4
    Take $tock Companion
    Total Video Converter 3.10
    TouchWorks Web Controls
    Tunebite
    TurboTax 2008
    TurboTax 2008 WinPerFedFormset
    TurboTax 2008 WinPerProgramHelp
    TurboTax 2008 WinPerReleaseEngine
    TurboTax 2008 WinPerTaxSupport
    TurboTax 2008 WinPerUserEducation
    TurboTax 2008 wrapper
    TurboTax 2009
    TurboTax 2009 wiliper
    TurboTax 2009 WinPerFedFormset
    TurboTax 2009 WinPerReleaseEngine
    TurboTax 2009 WinPerTaxSupport
    TurboTax 2009 wrapper
    TurboTax 2010
    TurboTax 2010 wiliper
    TurboTax 2010 WinPerFedFormset
    TurboTax 2010 WinPerReleaseEngine
    TurboTax 2010 WinPerTaxSupport
    TurboTax 2010 wrapper
    TurboTax 2011
    TurboTax 2011 wiliper
    TurboTax 2011 WinPerFedFormset
    TurboTax 2011 WinPerReleaseEngine
    TurboTax 2011 WinPerTaxSupport
    TurboTax 2011 wrapper
    TurboTax ItsDeductible 2005
    TurboTax ItsDeductible 2006
    TurboTax Premier 2003
    TurboTax Premier 2004
    TurboTax Premier 2005
    TurboTax Premier 2007
    TurboTax Premier Investments 2006
    Unload
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows Internet Explorer 8 (KB2598845)
    Update for Windows Internet Explorer 8 (KB2632503)
    Update for Windows Internet Explorer 8 (KB976662)
    Updates from HP (remove only)
    VeryPDF PDF Split-Merge v3.0
    Vidomi (remove only)
    VLC media player 1.1.9
    VobSub v2.23 (Remove Only)
    WashMan (PocketPC and Smartphone) v 10.0.5 by Skyscape
    WebFldrs XP
    WexTech AnswerWorks
    WinAVI All in One Converter
    WinAVI MP4 Converter
    Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 8
    Windows Management Framework Core
    Windows Media Format 11 runtime
    Windows Media Format 11 SDK
    Windows Media Player 11
    Windows Media Player Firefox Plugin
    Windows Presentation Foundation
    Windows Search 4.0
    Windows XP Service Pack 3
    WinRAR archiver
    XML Paper Specification Shared Components Pack 1.0
    Xvid 1.2.2 final uninstall
    XviD MPEG4 Video Codec (remove only)
    Yahoo! Anti-Spy
    Yahoo! Browser Services
    Yahoo! BrowserPlus 2.9.8
    Yahoo! Install Manager
    Yahoo! Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    3/21/2012 9:48:53 AM, error: Service Control Manager [7023] - The UlSata service terminated with the following error: Access is denied.
    3/21/2012 9:33:53 AM, error: Service Control Manager [7023] - The VNUSB service terminated with the following error: Access is denied.
    3/21/2012 9:18:53 AM, error: Service Control Manager [7023] - The Avsvcmonitor service terminated with the following error: Access is denied.
    3/21/2012 9:03:54 AM, error: Service Control Manager [7023] - The Acrsch2svc service terminated with the following error: Access is denied.
    3/21/2012 8:48:56 PM, error: Service Control Manager [7023] - The Defrag32 service terminated with the following error: The specified procedure could not be found.
    3/21/2012 8:48:53 AM, error: Service Control Manager [7023] - The FA312 service terminated with the following error: Access is denied.
    3/21/2012 8:33:53 AM, error: Service Control Manager [7023] - The Co_mon service terminated with the following error: Access is denied.
    3/21/2012 8:19:53 AM, error: Service Control Manager [7023] - The Knobserv service terminated with the following error: Access is denied.
    3/21/2012 8:19:28 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
    3/21/2012 8:19:20 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ftsata2
    3/21/2012 7:03:57 PM, error: Service Control Manager [7023] - The Atierecord service terminated with the following error: Access is denied.
    3/21/2012 6:48:57 PM, error: Service Control Manager [7023] - The Avgcoresvc service terminated with the following error: Access is denied.
    3/21/2012 6:33:58 PM, error: Service Control Manager [7023] - The Epsonbidirectionalagent service terminated with the following error: Access is denied.
    3/21/2012 6:18:57 PM, error: Service Control Manager [7023] - The Zebrceb service terminated with the following error: Access is denied.
    3/21/2012 6:03:57 PM, error: Service Control Manager [7023] - The Elotouchscreen service terminated with the following error: Access is denied.
    3/21/2012 5:48:57 PM, error: Service Control Manager [7023] - The Issimon service terminated with the following error: Access is denied.
    3/21/2012 5:33:57 PM, error: Service Control Manager [7023] - The DfwWebAgent service terminated with the following error: Access is denied.
    3/21/2012 5:18:58 PM, error: Service Control Manager [7023] - The Vrservice service terminated with the following error: Access is denied.
    3/21/2012 5:03:57 PM, error: Service Control Manager [7023] - The Lxcj_device service terminated with the following error: Access is denied.
    3/21/2012 4:48:57 PM, error: Service Control Manager [7023] - The Stllssvr service terminated with the following error: Access is denied.
    3/21/2012 4:33:57 PM, error: Service Control Manager [7023] - The Vtserver service terminated with the following error: Access is denied.
    3/21/2012 4:18:57 PM, error: Service Control Manager [7023] - The Cics.region2 service terminated with the following error: Access is denied.
    3/21/2012 4:03:56 PM, error: Service Control Manager [7023] - The Oracle_load_balancer_60_server-forms6i service terminated with the following error: Access is denied.
    3/21/2012 3:48:56 PM, error: Service Control Manager [7023] - The Usbbus service terminated with the following error: Access is denied.
    3/21/2012 3:33:56 PM, error: Service Control Manager [7023] - The XTrapD12 service terminated with the following error: Access is denied.
    3/21/2012 3:18:57 PM, error: Service Control Manager [7023] - The Scramby service terminated with the following error: Access is denied.
    3/21/2012 3:13:36 PM, error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
    3/21/2012 3:03:56 PM, error: Service Control Manager [7023] - The WINUSB service terminated with the following error: Access is denied.
    3/21/2012 2:48:56 PM, error: Service Control Manager [7023] - The Defrag32 service terminated with the following error: Access is denied.
    3/21/2012 2:33:56 PM, error: Service Control Manager [7023] - The Hpqwmi service terminated with the following error: Access is denied.
    3/21/2012 2:18:56 PM, error: Service Control Manager [7023] - The USB28xxBGA service terminated with the following error: Access is denied.
    3/21/2012 2:03:56 PM, error: Service Control Manager [7023] - The S616unic service terminated with the following error: Access is denied.
    3/21/2012 12:48:55 PM, error: Service Control Manager [7023] - The Fsssvc service terminated with the following error: Access is denied.
    3/21/2012 12:33:55 PM, error: Service Control Manager [7023] - The Digisptiservice service terminated with the following error: Access is denied.
    3/21/2012 12:18:55 PM, error: Service Control Manager [7023] - The Tfsnifs service terminated with the following error: Access is denied.
    3/21/2012 12:03:55 PM, error: Service Control Manager [7023] - The Iksyssec service terminated with the following error: Access is denied.
    3/21/2012 11:48:55 AM, error: Service Control Manager [7023] - The ZD1211BU(ZyDAS) service terminated with the following error: Access is denied.
    3/21/2012 11:33:53 AM, error: Service Control Manager [7023] - The Nicconfigsvc service terminated with the following error: Access is denied.
    3/21/2012 11:18:53 AM, error: Service Control Manager [7023] - The CTEDSPSY.DLL service terminated with the following error: Access is denied.
    3/21/2012 11:03:53 AM, error: Service Control Manager [7023] - The Entertainment service terminated with the following error: Access is denied.
    3/21/2012 11:01:32 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    3/21/2012 10:48:53 AM, error: Service Control Manager [7023] - The Uclauncherservice service terminated with the following error: Access is denied.
    3/21/2012 10:33:53 AM, error: Service Control Manager [7023] - The N3900 service terminated with the following error: Access is denied.
    3/21/2012 10:18:53 AM, error: Service Control Manager [7023] - The PSDNServ service terminated with the following error: Access is denied.
    3/21/2012 10:03:53 AM, error: Service Control Manager [7023] - The Mfesmfk service terminated with the following error: Access is denied.
    3/21/2012 1:48:56 PM, error: Service Control Manager [7023] - The Imap4d32 service terminated with the following error: Access is denied.
    3/21/2012 1:33:55 PM, error: Service Control Manager [7023] - The UsbDiag service terminated with the following error: Access is denied.
    3/21/2012 1:18:55 PM, error: Service Control Manager [7023] - The Pdlnepkt service terminated with the following error: Access is denied.
    3/21/2012 1:03:55 PM, error: Service Control Manager [7023] - The Irbus service terminated with the following error: Access is denied.
    3/20/2012 9:18:51 PM, error: PSched [14103] - QoS [Adapter {6257C9F0-FE5C-4174-9E33-3F3DB0FA4F35}]: The netcard driver failed the query for OID_GEN_LINK_SPEED.
    3/20/2012 8:04:09 PM, error: Service Control Manager [7023] - The SNP2UVC service terminated with the following error: Access is denied.
    3/20/2012 8:03:09 PM, error: Service Control Manager [7023] - The Maplom service terminated with the following error: Access is denied.
    3/20/2012 7:59:09 PM, error: Service Control Manager [7023] - The SWNC8U51 service terminated with the following error: Access is denied.
    3/20/2012 6:30:02 PM, error: Dhcp [1002] - The IP address lease 192.168.1.7 for the Network Card with network address 00C0A8B96795 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    3/20/2012 10:32:13 PM, error: Service Control Manager [7023] - The CAMFLT service terminated with the following error: Access is denied.
    3/15/2012 9:03:41 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.121.1489.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8101.0 Error code: 0x80072ee2 Error description: The operation timed out
    .
    ==== End Of File ===========================
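The Event Viewer section of this DDS log is dominated by Service Control Manager 7023 entries. As an added example (not part of the log and not code from DDS or any tool in this thread), this Python parser reads lines in the DDS event format, counts them per source and event ID, lists which named services failed with which error text, and measures the interval between the "Access is denied" entries; the sample lines are copied from the log above.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Lines copied from the "Event Viewer Messages From Past Week" section of the
# DDS log above (a constructed subset; the full section has the same shape).
SAMPLE_EVENTS = """\
3/21/2012 9:48:53 AM, error: Service Control Manager [7023] - The UlSata service terminated with the following error: Access is denied.
3/21/2012 9:33:53 AM, error: Service Control Manager [7023] - The VNUSB service terminated with the following error: Access is denied.
3/21/2012 9:18:53 AM, error: Service Control Manager [7023] - The Avsvcmonitor service terminated with the following error: Access is denied.
3/21/2012 8:48:56 PM, error: Service Control Manager [7023] - The Defrag32 service terminated with the following error: The specified procedure could not be found.
3/21/2012 8:19:28 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
3/21/2012 8:19:20 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ftsata2
3/21/2012 7:03:57 PM, error: Service Control Manager [7023] - The Atierecord service terminated with the following error: Access is denied.
3/21/2012 6:48:57 PM, error: Service Control Manager [7023] - The Avgcoresvc service terminated with the following error: Access is denied.
3/21/2012 3:13:36 PM, error: iaStor [9] - The device, \\Device\\Ide\\iaStor0, did not respond within the timeout period.
3/20/2012 6:30:02 PM, error: Dhcp [1002] - The IP address lease 192.168.1.7 for the Network Card with network address 00C0A8B96795 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
"""

# DDS line shape: "<m/d/yyyy h:mm:ss AM>, <level>: <source> [<event id>] - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)
# Body of a Service Control Manager 7023 message.
SCM_7023_RE = re.compile(
    r"^The (?P<service>.+?) service terminated with the following error: (?P<reason>.+)$"
)


def parse_events(text):
    """Turn DDS event lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = {
            "ts": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
            "level": m["level"],
            "source": m["source"],
            "event_id": int(m["event_id"]),
            "message": m["message"],
            "service": None,
            "reason": None,
        }
        if ev["event_id"] == 7023:
            sm = SCM_7023_RE.match(ev["message"])
            if sm:
                ev["service"], ev["reason"] = sm["service"], sm["reason"]
        events.append(ev)
    return events


def summarize(events):
    """Count events per (source, event id) to separate one-off errors from a repeating one."""
    return Counter((ev["source"], ev["event_id"]) for ev in events)


def service_failures(events):
    """Map each 7023 error text to the sorted list of service names it was reported for."""
    by_reason = defaultdict(set)
    for ev in events:
        if ev["event_id"] == 7023 and ev["service"]:
            by_reason[ev["reason"]].add(ev["service"])
    return {reason: sorted(names) for reason, names in by_reason.items()}


def cadence(events, reason="Access is denied."):
    """Histogram (minutes -> count) of gaps between consecutive 7023 events carrying
    the given error text. A dominant fixed interval means the entries are produced
    on a schedule rather than by unrelated failures."""
    times = sorted(ev["ts"] for ev in events
                   if ev["event_id"] == 7023 and ev["reason"] == reason)
    gaps = [round((b - a).total_seconds() / 60) for a, b in zip(times, times[1:])]
    return dict(Counter(gaps))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for (source, event_id), n in summarize(evs).most_common():
        print(f"{source} [{event_id}]: {n}")
    for reason, names in service_failures(evs).items():
        print(f"{reason} -> {', '.join(names)}")
    print("gaps between 'Access is denied' 7023 events (minutes):", cadence(evs))
```

Run against the whole pasted section, the same functions show how many distinct service names the 7023 entries cover and whether the 15-minute spacing holds across the day.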
     
  4. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    Your previous topic was somehow marked as "Active" but nobody really replied to it.
    I apologize for that.
    I'll close your previous topic and we'll continue here.

    ====================================================================

    Your MBAM log says " No action taken"
    Re-run it, FIX all issues and post new log.

    Then....

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ===============================================================

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I marked it Active and was preparing the reply- the internet went down for 20 mins. Go ahead- I'll delete what I had.
     
  6. Broni

    Broni Malware Annihilator Posts: 47,684   +267

  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Guess you missed what the OP posted:

    However, it was 'this' thread I had just marked Active.
     
  8. shivmister

    shivmister TS Rookie Topic Starter Posts: 33

    Thank you for your answer. And I am sorry for the confusion. I will follow your instructions Broni, though I do not think I will have the time to perform these actions for a couple days. I should have the logs post by Thursday evening CST at the latest. Thank you again for your help in this matter.
     
  9. shivmister

    shivmister TS Rookie Topic Starter Posts: 33

    Malwarebytes Anti-Malware (Trial) 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.31.14

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    HP_Administrator :: MANOJ_R_SHAH [administrator]

    Protection: Disabled

    3/31/2012 6:02:50 PM
    mbam-log-2012-03-31 (18-02-50).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 240092
    Time elapsed: 24 minute(s), 2 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  10. shivmister

    shivmister TS Rookie Topic Starter Posts: 33

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-31 08:40:08
    -----------------------------
    08:40:08.375 OS Version: Windows 5.1.2600 Service Pack 3
    08:40:08.375 Number of processors: 2 586 0xF06
    08:40:08.375 ComputerName: MANOJ_R_SHAH UserName:
    08:40:12.734 Initialize success
    08:42:48.812 AVAST engine defs: 12033100
    08:43:48.140 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2
    08:43:48.140 Disk 0 Vendor: SAMSUNG_ VT10 Size: 238475MB BusType: 3
    08:43:48.140 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-3
    08:43:48.140 Disk 1 Vendor: SAMSUNG_ VT10 Size: 238475MB BusType: 3
    08:43:48.156 Disk 0 MBR read successfully
    08:43:48.156 Disk 0 MBR scan
    08:43:48.203 Disk 0 unknown MBR code
    08:43:48.203 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 229585 MB offset 63
    08:43:48.234 Disk 0 Partition 2 00 0C FAT32 LBA RECOVERY 8879 MB offset 470206485
    08:43:49.265 Disk 0 scanning sectors +488392065
    08:43:49.343 Disk 0 scanning C:\WINDOWS\system32\drivers
    08:44:10.750 Service scanning
    08:44:27.437 Service MpKsl4024d574 C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{29761225-5F12-42E6-95BF-C847515CD135}\MpKsl4024d574.sys **LOCKED** 32
    08:44:35.531 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
    08:44:41.625 Modules scanning
    08:44:49.609 Disk 0 trace - called modules:
    08:44:49.625 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8b14b1d8]<<
    08:44:49.625 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b0715b8]
    08:44:49.625 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-2[0x8ab1f030]
    08:44:49.625 \Driver\iaStor[0x8b01c6c0] -> IRP_MJ_CREATE -> 0x8b14b1d8
    08:44:50.234 AVAST engine scan C:\WINDOWS
    08:45:02.203 AVAST engine scan C:\WINDOWS\system32
    08:50:09.031 AVAST engine scan C:\WINDOWS\system32\drivers
    08:50:34.765 AVAST engine scan C:\Documents and Settings\HP_Administrator
    09:30:55.000 AVAST engine scan C:\Documents and Settings\All Users
    09:36:51.781 Scan finished successfully
    10:15:02.578 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\HP_Administrator\Desktop\MBR.dat"
    10:15:02.593 The log file has been saved successfully to "C:\Documents and Settings\HP_Administrator\Desktop\aswMBR.txt"
     
  11. shivmister

    shivmister TS Rookie Topic Starter Posts: 33

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 74c9b8a519aa05c22f46e134715d1f6f

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...
    ==================================================================

    There was a bootkit log that was created as well. Do you want me to paste that as well? The output above is what the black screen box showed.
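The Bootkit Remover output above suggests dumping the master boot sector to inspect the boot code manually, and aswMBR earlier saved one to MBR.dat. As an added example that is not part of this thread or of either tool, here is a Python script that parses such a 512-byte dump: it checks the 0x55AA signature, hashes the 440-byte boot code and the whole sector (which region Bootkit Remover hashes is not stated on the page), and prints the partition table in the layout of aswMBR's "Disk 0 Partition 2 ..." line. The sample MBR it builds is constructed here; only partition 2's type, start and end LBA and the C: start at sector 63 (offset 0x7e00) come from the thread, and the known-good hash list is an assumed input.

```python
import hashlib
import struct
import sys

SECTOR = 512
BOOT_CODE_LEN = 440       # bootstrap code: bytes 0x000-0x1B7
DISK_SIG_OFF = 0x1B8      # 4-byte Windows disk signature
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
SIGNATURE_OFF = 0x1FE     # 0x55 0xAA boot signature

# Partition type IDs, named the way aswMBR names them (e.g. "0C FAT32 LBA").
PART_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
              0x0F: "Extended LBA", 0x82: "Linux swap", 0x83: "Linux"}


def parse_mbr(sector: bytes) -> dict:
    """Parse a raw 512-byte MBR dump into hashes plus its partition table.

    Raises ValueError when the dump is not one sector or lacks the 0x55AA
    signature, so a truncated or non-MBR file is not silently reported.
    """
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    if sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFF + 16 * slot
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, LBA count
        status, ptype, lba_start, lba_count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0 and lba_count == 0:
            continue  # empty slot
        partitions.append({
            "index": slot + 1, "status": status, "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start, "lba_count": lba_count,
            "size_mb": lba_count * SECTOR // (1024 * 1024),
        })
    return {
        "boot_code_md5": hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),
        "sector_md5": hashlib.md5(sector).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def describe(parsed: dict, disk: int = 0) -> list:
    """One line per partition, in the layout of aswMBR's 'Disk 0 Partition N' lines."""
    return [f"Disk {disk} Partition {p['index']} {p['status']:02X} {p['type']:02X} "
            f"{p['type_name']} {p['size_mb']} MB offset {p['lba_start']}"
            for p in parsed["partitions"]]


def boot_code_is_known(parsed: dict, known_md5s: set) -> bool:
    """True when the boot code hash is in an allow-list of known-good MBR code.

    Bootkit Remover reports 'Unknown boot code' when its own list has no match;
    the allow-list here is supplied by the caller (assumed input, e.g. hashes
    recorded from clean machines of the same OEM image), since the page gives none.
    """
    return parsed["boot_code_md5"] in known_md5s


def build_sample_mbr() -> bytes:
    """Construct a synthetic MBR for demonstration (not a real disk image).

    Partition 2 mirrors the aswMBR line from the thread: type 0x0C FAT32 LBA,
    starting at LBA 470206485 and ending where aswMBR resumed scanning
    (+488392065). Partition 1 starts at sector 63, matching Bootkit Remover's
    C: offset 0x7e00; its size, the disk signature and the boot code bytes are made up.
    """
    mbr = bytearray(b"\xFA\x33\xC0\x8E\xD0" + b"\x90" * (BOOT_CODE_LEN - 5))
    mbr += struct.pack("<I", 0xA1B2C3D4)          # disk signature (constructed)
    mbr += b"\x00\x00"                            # reserved
    chs = b"\x00\x00\x00"                         # CHS fields unused with LBA
    mbr += struct.pack("<B3sB3sII", 0x80, chs, 0x07, chs, 63, 470206485 - 63)
    mbr += struct.pack("<B3sB3sII", 0x00, chs, 0x0C, chs, 470206485, 488392065 - 470206485)
    mbr += b"\x00" * 32                           # two empty slots
    mbr += b"\x55\xAA"
    assert len(mbr) == SECTOR
    return bytes(mbr)


if __name__ == "__main__":
    # Usage: python mbr_check.py [MBR.dat]; with no argument the sample MBR is used.
    data = open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(data)
    print(f"boot code MD5: {info['boot_code_md5']}  sector MD5: {info['sector_md5']}")
    print(f"disk signature: {info['disk_signature']:08X}")
    for line in describe(info):
        print(line)
```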
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    No, I don't need that log.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  13. shivmister

    shivmister TS Rookie Topic Starter Posts: 33

    Getting ComboFix to run was very difficult. It kept telling me that Microsoft Security Essentials was running even after I ended the process tree from the task manager. I went one step further and uninstalled the antivirus altogether. Now I have got Combofix to run. The only problem is that after it restarted my computer and ran through its stages, it shows a blue DOS box saying "making log. Do not start any programs till combo fix is done". This message has been up for a couple of hours now. The computer seems to be doing something because every time I go back to the computer I hear the fans running. Is there a problem?
     
  14. shivmister

    shivmister TS Rookie Topic Starter Posts: 33

    Scan Finished. Re-installed Microsoft Security Essentials. (tell me if I should not have done this. I can quickly remove it). Log posted below:
    EDIT: The log seems to have a few emoticons... I do not know why.
    =========================================================
    ComboFix 12-04-01.01 - HP_Administrator 04/01/2012 22:05:37.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1577 [GMT -5:00]
    Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\WINDOWS
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\Default User\WINDOWS
    c:\documents and settings\HP_Administrator\Application Data\inst.exe
    c:\documents and settings\HP_Administrator\Local Settings\Application Data\assembly\tmp
    c:\documents and settings\HP_Administrator\My Documents\~WRL0001.tmp
    c:\documents and settings\HP_Administrator\My Documents\~WRL0004.tmp
    c:\documents and settings\HP_Administrator\My Documents\~WRL0057.tmp
    c:\documents and settings\HP_Administrator\My Documents\~WRL0140.tmp
    c:\documents and settings\HP_Administrator\My Documents\~WRL1143.tmp
    c:\documents and settings\HP_Administrator\My Documents\~WRL1976.tmp
    c:\documents and settings\HP_Administrator\My Documents\~WRL2043.tmp
    c:\documents and settings\HP_Administrator\My Documents\~WRL2170.tmp
    c:\documents and settings\HP_Administrator\My Documents\~WRL2594.tmp
    c:\documents and settings\HP_Administrator\My Documents\~WRL2648.tmp
    c:\documents and settings\HP_Administrator\My Documents\~WRL3292.tmp
    c:\documents and settings\HP_Administrator\My Documents\~WRL3519.tmp
    c:\documents and settings\HP_Administrator\My Documents\~WRL3786.tmp
    c:\documents and settings\HP_Administrator\My Documents\~WRL4062.tmp
    c:\documents and settings\HP_Administrator\WINDOWS
    C:\kmd.exe
    c:\program files\Mozilla Firefox\components\AskHPRFF.js
    c:\windows\$NtUninstallKB62280$
    c:\windows\$NtUninstallKB62280$\1410525442
    c:\windows\$NtUninstallKB62280$\485945278\@
    c:\windows\$NtUninstallKB62280$\485945278\cfg.ini
    c:\windows\$NtUninstallKB62280$\485945278\Desktop.ini
    c:\windows\$NtUninstallKB62280$\485945278\L\aqaeidou
    c:\windows\$NtUninstallKB62280$\485945278\oemid
    c:\windows\$NtUninstallKB62280$\485945278\U\00000001.@
    c:\windows\$NtUninstallKB62280$\485945278\U\00000002.@
    c:\windows\$NtUninstallKB62280$\485945278\U\00000004.@
    c:\windows\$NtUninstallKB62280$\485945278\U\80000000.@
    c:\windows\$NtUninstallKB62280$\485945278\U\80000004.@
    c:\windows\$NtUninstallKB62280$\485945278\U\80000032.@
    c:\windows\$NtUninstallKB62280$\485945278\version
    c:\windows\HPCPCUninstaller-6.3.2.116-9972322.exe
    c:\windows\iun6002.exe
    c:\windows\kb913800.exe
    c:\windows\system32\akygfpkx.ini
    c:\windows\system32\config\systemprofile\WINDOWS
    c:\windows\system32\dds_trash_log.cmd
    c:\windows\system32\dgaxkexk.ini
    c:\windows\system32\drivers\etc\hosts.ics
    c:\windows\system32\ggjlm.bak1
    c:\windows\system32\ggjlm.bak2
    c:\windows\system32\ggjlm.ini
    c:\windows\system32\ggjlm.ini2
    c:\windows\system32\ggjlm.tmp
    c:\windows\system32\gjvxwnqo.ini
    c:\windows\system32\hfetawgm.ini
    c:\windows\system32\jasqfijo.ini
    c:\windows\system32\mqdsanra.ini
    c:\windows\system32\pvqpgikc.ini
    c:\windows\system32\RegClean.exe
    c:\windows\system32\SET1C.tmp
    c:\windows\system32\SET1E.tmp
    c:\windows\system32\SET42.tmp
    c:\windows\system32\SET43.tmp
    c:\windows\system32\SET45.tmp
    c:\windows\system32\SETE3.tmp
    c:\windows\system32\SETE8.tmp
    c:\windows\system32\tjhlhxed.ini
    c:\windows\system32\tmp.reg
    c:\windows\system32\uadhpkyc.ini
    c:\windows\system32\uatuewts.ini
    c:\windows\system32\vrfbcpij.ini
    c:\windows\system32\whibqbhr.ini
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_SSHNAS
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-02 to 2012-04-02 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-29 14:15 . 2001-08-18 03:36 99328 ----a-w- c:\windows\system32\srusd.dll
    2012-03-29 14:15 . 2001-08-18 03:36 99328 ----a-w- c:\windows\system32\dllcache\srusd.dll
    2012-03-29 14:15 . 2001-08-17 18:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
    2012-03-29 14:15 . 2001-08-17 18:53 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys
    2012-03-29 14:15 . 2001-08-18 03:36 71680 ----a-w- c:\windows\system32\fnfilter.dll
    2012-03-29 14:15 . 2001-08-18 03:36 71680 ----a-w- c:\windows\system32\dllcache\fnfilter.dll
    2012-03-19 16:49 . 2012-03-19 16:49 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
    2012-03-19 16:49 . 2012-03-19 16:49 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-03-19 13:57 . 2011-08-08 13:05 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-02-03 09:22 . 2007-04-04 03:14 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-31 12:44 . 2010-06-05 15:10 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-01-23 03:42 . 2012-01-23 03:42 208896 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
    2012-01-23 03:42 . 2012-01-23 03:42 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
    2012-01-23 03:42 . 2012-01-23 03:42 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
    2012-01-23 03:42 . 2012-01-23 03:42 61440 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
    2012-01-23 03:42 . 2012-01-23 03:42 40960 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
    2012-01-23 03:42 . 2012-01-23 03:42 341048 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
    2012-01-23 03:42 . 2012-01-23 03:42 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
    2012-01-23 03:42 . 2012-01-23 03:42 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
    2012-01-23 03:42 . 2012-01-23 03:42 163840 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
    2012-01-13 21:59 . 2012-01-13 21:59 10 ----a-w- c:\windows\Fonts\wfonts.key
    2012-01-11 19:06 . 2012-02-16 16:04 3072 ------w- c:\windows\system32\iacenc.dll
    2012-01-09 16:20 . 2004-08-09 21:00 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-04-25 07:58 . 2011-04-25 07:58 124864 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
    2011-04-25 08:48 . 2011-04-25 08:48 13760 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2011-04-25 08:00 . 2011-04-25 08:00 71104 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2011-04-25 07:59 . 2011-04-25 07:59 92096 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2011-04-25 07:58 . 2011-04-25 07:58 22976 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2011-04-25 07:57 . 2011-04-25 07:57 255936 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2011-04-25 07:58 . 2011-04-25 07:58 32192 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2011-04-25 07:58 . 2011-04-25 07:58 40896 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2011-04-25 07:51 . 2011-04-25 07:51 898480 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2011-04-25 08:00 . 2011-04-25 08:00 24512 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    2012-03-19 16:49 . 2011-04-02 22:12 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-11-18 18:58 333192 ------w- c:\program files\AskBarDis\bar\bin\askBar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]
    .
    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]
    .
    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NetMeter"="c:\documents and settings\HP_Administrator\My Documents\Netmeter\NetMeter114beta_4.exe" [2009-12-02 296960]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ftutil2"="ftutil2.dll" [2004-06-07 106496]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-28 8466432]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
    "RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]
    "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
    "ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2011-04-25 305088]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-24 27136]
    PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-24 27136]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Citrix Access Gateway.lnk - c:\program files\Citrix\Secure Access Client\nsload.exe [2010-1-19 1483928]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
    backup=c:\windows\pss\Updates From HP.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2011-10-06 06:52 59240 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2011-11-02 05:25 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2005-09-08 17:06 94208 ------w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
    2006-04-13 09:05 90112 ------w- c:\program files\HP DigitalMedia Archive\DMAScheduler.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2005-09-29 21:01 67584 ----a-w- c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-08-22 20:31 136176 -----tw- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
    2006-11-13 19:39 1289000 ------w- c:\program files\Microsoft ActiveSync\wcescomm.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2012-01-16 23:22 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
    2012-01-13 19:53 460872 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    2001-07-03 14:11 57344 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "AVG Anti-Spyware Guard"=2 (0x2)
    "MBAMService"=2 (0x2)
    "LiveUpdate"=3 (0x3)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Digsby\\lib\\digsby-app.exe"=
    "c:\\Program Files\\mIRC\\mirc.exe"=
    "c:\\Program Files\\Citrix\\Secure Access Client\\nsepa.exe"=
    "c:\\Program Files\\Citrix\\Secure Access Client\\nsload.exe"=
    "c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
    "c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Documents and Settings\\HP_Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
    "c:\\Program Files\\MusicBrainz Picard\\picard.exe"=
    "c:\\Program Files\\Intelore\\Office Password Recovery\\OfficePasswordRecovery.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "56115:TCP"= 56115:TCP:pando Media Booster
    "56115:UDP"= 56115:UDP:pando Media Booster
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    .
    R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [6/17/2009 2:01 PM 20744]
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/26/2007 11:07 PM 639224]
    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [4/25/2011 2:49 AM 65584]
    R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [1/11/2007 12:57 AM 3744]
    R2 cag;Citrix cag plugin for Access Gateway;c:\program files\Common Files\Deterministic Networks\Common Files\cag.sys [10/22/2009 4:34 PM 80920]
    R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 6:53 PM 13672]
    R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [1/11/2007 12:57 AM 3904]
    R2 nsverctl;Citrix Secure Access Client Service;c:\program files\Citrix\Secure Access Client\nsverctl.exe [1/19/2010 6:56 AM 154264]
    R3 ctxva51;Citrix Virtual Adapter;c:\windows\system32\drivers\ctxva51.sys [1/19/2010 6:58 AM 41624]
    R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [12/13/2010 8:49 PM 47360]
    R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [8/24/2006 7:43 PM 468768]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
    S2 CWMonitor;Symantec Crimeware Protection Driver;\??\c:\program files\Common Files\Symantec Shared\coShared\CW\1.0\Monitor.sys --> c:\program files\Common Files\Symantec Shared\coShared\CW\1.0\Monitor.sys [?]
    S2 NecUsb3;USB3 Service;c:\windows\System32\svchost.exe -k NecUsb3Sevic [8/9/2004 4:00 PM 14336]
    S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [6/17/2009 2:02 PM 29192]
    S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [8/24/2006 7:43 PM 82048]
    S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [8/5/2008 9:15 PM 39048]
    S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [6/17/2009 2:01 PM 25480]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/14/2011 9:19 PM 20464]
    S3 Net6IM;Net6;c:\windows\system32\DRIVERS\net6im51.sys --> c:\windows\system32\DRIVERS\net6im51.sys [?]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/9/2004 4:00 PM 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
    S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/14/2011 9:19 PM 652360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    NecUsb3Sevic REG_MULTI_SZ NecUsb3
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    truecrypt
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-03-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2208169220-740877916-2677079891-1007Core.job
    - c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-22 20:31]
    .
    2012-04-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2208169220-740877916-2677079891-1007UA.job
    - c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-22 20:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bing.com/
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: turbotax.com
    TCP: DhcpNameServer = 192.168.1.1
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} - /Touchworks/AHSCompressionEngine.cab
    DPF: {27B87596-448E-40CB-B3B4-4F329FF540EC} - /TouchWorks/ResultWorks/CHWorks/VitalSigns/wavitalsigns.cab
    DPF: {46965FE7-2129-407B-938C-BE358A56D11E} - hxxp://tworks.amg.advocatehealth.com/TouchWorks/DocWorks/CHWorks/Unstructured/aicviewer3.cab
    DPF: {501D93F5-74BE-4306-A90C-9FFD1574A6A6} - hxxp://centricityweb-luth.advocatehealth.com/ami/install/amiviewer.cab
    DPF: {56B46BBB-F6C4-4B6B-8EDF-BEE6C9661E4E}
    DPF: {860FFAFE-5AAA-11D2-81EB-006008A2E49D} - /TouchWorks/ResultWorks/chworks/flowsheets/pe32.cab
    DPF: {9A0CA502-7DA4-4B72-B5D4-D280DE8D4512} - /Touchworks/DictionaryManager.CAB
    DPF: {ACEFFC26-4628-11D1-B14A-105C01C13001} - /TouchWorks/DocWorks/CHWorks/Note/wspell.cab
    DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} - /TouchWorks/DocWorks/CHWorks/Note/TWRTF.cab
    DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} - /Touchworks/DictateBar.cab
    DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} - hxxp://tworks.amg.advocatehealth.com/TouchWorks/DocWorks/CHWorks/Unstructured/aic_viewer2.cab
    FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\7gbqr2lq.default\
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
    FF - prefs.js: network.proxy.ftp - 208.43.135.133
    FF - prefs.js: network.proxy.ftp_port - 80
    FF - prefs.js: network.proxy.gopher - 208.43.135.133
    FF - prefs.js: network.proxy.gopher_port - 80
    FF - prefs.js: network.proxy.http - 208.43.135.133
    FF - prefs.js: network.proxy.http_port - 80
    FF - prefs.js: network.proxy.socks - 208.43.135.133
    FF - prefs.js: network.proxy.socks_port - 80
    FF - prefs.js: network.proxy.ssl - 208.43.135.133
    FF - prefs.js: network.proxy.ssl_port - 80
    FF - prefs.js: network.proxy.type - 2
    FF - user.js: network.http.max-persistent-connections-per-server - 4
    FF - user.js: content.max.tokenizing.time - 200000
    FF - user.js: content.notify.interval - 100000
    FF - user.js: content.switch.threshold - 650000
    FF - user.js: nglayout.initialpaint.delay - 300
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    Notify-NavLogon - (no file)
    MSConfigStartUp-MSC - c:\program files\Microsoft Security Client\msseces.exe
    AddRemove-smARTupdate - c:\windows\iun6002.exe
    AddRemove-{F46BF5EA-0B4E-4A41-8C4B-3B127346E30F} - c:\documents and settings\HP_Administrator\Local Settings\Application Data\{F9ABF6FF-B068-4877-9373-3B5353A65A36}\NBCDirectInstaller.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-01 22:56
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\windows\system32\drivers\etc\hosts.ics 374 bytes
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3656)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\program files\Common Files\Ahead\Lib\NeroDigitalExt.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
    c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    c:\windows\system32\SearchIndexer.exe
    c:\program files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\Citrix\ICA Client\wfcrun32.exe
    c:\hp\KBD\KBD.EXE
    c:\windows\system\hpsysdrv.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\SearchProtocolHost.exe
    c:\windows\system32\SearchFilterHost.exe
    .
    **************************************************************************
    .
    Completion time: 2012-04-02 03:12:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-02 08:12
    ComboFix2.txt 2008-02-27 06:39
    .
    Pre-Run: 39,710,420,992 bytes free
    Post-Run: 41,069,850,624 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
    [spybotsd]
    timeout.old=3
    .
    - - End Of File - - 37E9394FB2B2FE0373C52ABDE5842932
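    A small triage parser for the ComboFix/catchme log layout posted above, added here as an example (it is not code from the thread, from ComboFix or from GMER); the log excerpt inside it is constructed from the lines above, and the trusted-directory prefixes used for flagging are an assumption.

```python
import re

# Constructed excerpt in the layout of the ComboFix/catchme log above (not the full log).
SAMPLE_LOG = r"""
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
c:\windows\system32\drivers\etc\hosts.ics 374 bytes
scan completed successfully
hidden files: 1
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3656)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Ahead\Lib\NeroDigitalExt.dll
"""

HIDDEN_RE = re.compile(r"^(?P<path>[a-z]:\\.+?) (?P<size>\d+) bytes$", re.I)
PROC_RE = re.compile(r"^- - - - - - - > '(?P<name>[^']+)'\((?P<pid>\d+)\)$")
TRUSTED = ("c:\\windows\\", "c:\\program files\\")  # assumed-benign load locations

def parse_combofix(text):
    # Returns hidden files, the reported hidden-file count and DLLs loaded per process.
    out = {"hidden_files": [], "hidden_count": None, "dlls": {}}
    in_dlls, current = False, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line == ".":
            continue
        if "Loaded Under Running Processes" in line or "Other Running Processes" in line:
            in_dlls, current = "DLLs" in line, None  # section switch
        elif not in_dlls:
            m = HIDDEN_RE.match(line)
            if m:
                out["hidden_files"].append((m["path"].lower(), int(m["size"])))
            elif line.startswith("hidden files:"):
                out["hidden_count"] = int(line.split(":", 1)[1])
        else:
            m = PROC_RE.match(line)
            if m:
                current = (m["name"], int(m["pid"]))
                out["dlls"][current] = []
            elif current:
                out["dlls"][current].append(line.lower())
    return out

def review(parsed):
    # Triage notes: count mismatch, every hidden file, and modules loaded from outside TRUSTED.
    notes = []
    if parsed["hidden_count"] != len(parsed["hidden_files"]):
        notes.append("hidden-file count does not match the listed entries")
    notes += ["hidden file needs review: " + p for p, _ in parsed["hidden_files"]]
    for (name, pid), mods in parsed["dlls"].items():
        notes += [f"{name}({pid}) loaded {m} from outside trusted dirs"
                  for m in mods if not m.startswith(TRUSTED)]
    return notes
```

    On the excerpt above, review() reports the one hidden file and nothing else, because both explorer.exe modules load from the assumed-trusted directories.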
     
  15. Broni

    Broni Malware Annihilator Posts: 47,684   +267

    Looks good.

    How is the computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\tasks\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
Topic Status:
Not open for further replies.

