Solved Health check, please - after Grinler's tutorial re: XP Security 2012 rogue

Okay.
What is the best way to halt the current process?
I don't want to create more problems.
ctrl-alt-del --> task manager --> end process? (don't know if this will even work)
or just power-down?
Thanks
 
Had to power down manually again after it ran the fix,
but now things "seem" back to normal.
I will proceed to the chkdsk now.

====Here is OTL Log====
All processes killed
========== OTL ==========
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@viewpoint.com/VMP\ deleted successfully.
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll moved successfully.
Registry value HKEY_USERS\S-1-5-21-1177238915-1343024091-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-1177238915-1343024091-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4982D40A-C53B-4615-B15B-B5B5E98D167C}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\UpdReg deleted successfully.
C:\WINDOWS\Updreg.EXE moved successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk moved successfully.
Registry key HKEY_USERS\S-1-5-21-1177238915-1343024091-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aol.com\objects\ deleted successfully.
Starting removal of ActiveX control {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B}
C:\WINDOWS\Downloaded Program Files\qdiagcc.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B}\ not found.
C:\Documents and Settings\Becki Price\Local Settings\Application Data\43m33wg567uyjpn54h0pl6p0ukt3t4fgbrmc4g5f8d234 moved successfully.
C:\Documents and Settings\All Users\Application Data\43m33wg567uyjpn54h0pl6p0ukt3t4fgbrmc4g5f8d234 moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell\AOL9Plus folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell\AOL9 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\UserShell folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\Welcome\BH00 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\Welcome folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\AxMetaStream_Win folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint folder moved successfully.
C:\Documents and Settings\Becki Price\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03 folder moved successfully.
C:\Documents and Settings\Becki Price\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02 folder moved successfully.
C:\Documents and Settings\Becki Price\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01 folder moved successfully.
C:\Documents and Settings\Becki Price\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00 folder moved successfully.
C:\Documents and Settings\Becki Price\Application Data\Viewpoint\Viewpoint Experience Technology\Resources folder moved successfully.
C:\Documents and Settings\Becki Price\Application Data\Viewpoint\Viewpoint Experience Technology folder moved successfully.
C:\Documents and Settings\Becki Price\Application Data\Viewpoint folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\update\prepare folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\update\backup folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\update folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\Temp folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\scanlogs folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\Log folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\emc\Queue\TEMP folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\emc\Queue\OUT folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\emc\Queue\ACTIVE folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\emc\Queue folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\emc\Log folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\emc folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\Dumps folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\CfgAll folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\Cfg folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\AvgApi folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\AvgAm folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\admincli folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9 folder moved successfully.
C:\Documents and Settings\Becki Price\Application Data\AVG9\cfgall folder moved successfully.
C:\Documents and Settings\Becki Price\Application Data\AVG9 folder moved successfully.
C:\Documents and Settings\Becki Price\Application Data\Uniblue\Registry Booster2 folder moved successfully.
C:\Documents and Settings\Becki Price\Application Data\Uniblue folder moved successfully.
ADS F:\Documents and Settings\Becki Price\My Documents\New Folder\ROCK_skinnycross_finalpants.png:SummaryInformation deleted successfully.
ADS F:\Documents and Settings\Becki Price\My Documents\New Folder\ROCK_skinnycross_final.jpg:SummaryInformation deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 57043 bytes

User: All Users
->Flash cache emptied: 148 bytes

User: Becki Price
->Temp folder emptied: 19113 bytes
->Temporary Internet Files folder emptied: 3324160 bytes
->Java cache emptied: 0 bytes
->Apple Safari cache emptied: 5173248 bytes
->Flash cache emptied: 1961892 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56558 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 32835 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 31141 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 33251 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33728 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 10.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users
->Flash cache emptied: 0 bytes

User: Becki Price
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 01082012_224143

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
--- Chkdsk report ---
Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.
Cleaning up minor inconsistencies on the drive.
Cleaning up 419 unused index entries from index $SII of file 0x9.
Cleaning up 419 unused index entries from index $SDH of file 0x9.
Cleaning up 419 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
Read failure with status 0xc000009c at offset 0x2a3262000 for 0x9000 bytes.
Read failure with status 0xc000009c at offset 0x2a3267000 for 0x1000 bytes.
Windows replaced bad clusters in file 52360
of name \DOCUME~1\ALLUSE~1\APPLIC~1\AOL\USERPR~1\ALLUSE~1\cls\common.cls.
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.
Adding 1 bad clusters to the Bad Clusters File.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.

78116030 KB total disk space.
37102456 KB in 137677 files.
72492 KB in 16274 indexes.
4 KB in bad sectors.
314878 KB in use by the system.
65536 KB occupied by the log file.
40626200 KB available on disk.

4096 bytes in each allocation unit.
19529007 total allocation units on disk.
10156550 allocation units available on disk.
 
--- security check ---

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Avira Free Antivirus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Norton Ghost
Java(TM) 6 Update 30
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe
``````````End of Log````````````
 
Farbar Service Scanner
Ran by Becki Price (administrator) on 09-01-2012 at 16:25:01
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0700000005000000010000000200000003000000040000000700000006000000
IpSec Tag value is correct.

**** End of log ****
 
Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please let me know how your computer is doing.
 
Make sure you complete all the above steps.

When done install this on your computer to prevent any infection through USB device...
Download, and run Flash Disinfector, and save it to your desktop (Windows Vista and Windows 7 users, scroll down)

*Please disable any AV / ScriptBlockers, as they might detect Flash Disinfector as malicious and block it, causing it to fail to execute. You can enable them again after the cleaning process.*

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Windows Vista and Windows 7 users
Flash Disinfector is not compatible with the above Windows versions.
Please use Panda USB Vaccine or BitDefender's USB Immunizer.

Now you're safe to connect external drive and scan it with your AV program.
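As an added illustration of the mechanism Broni's note describes (a placeholder folder named autorun.inf in each drive root that keeps a malicious autorun file from being written there), here is a small Python script. It is not Flash Disinfector's code and not part of the original thread; the function names immunize_root() and inspect_root() are hypothetical, the hidden/system/read-only attribute bits are only applied on Windows, and the two "drive roots" in the demo are constructed temporary folders rather than real removable media. A root that already carries an autorun.inf file is reported rather than altered, since the thread's advice for such a drive is to scan it with the AV program.

```python
"""
Added example: imitate the autorun.inf "immunization" placeholder folder.
Hypothetical helper names; not the code of Flash Disinfector or any other tool.
"""
import os
import tempfile

AUTORUN = "autorun.inf"

# Windows file-attribute bits (hidden + system + read-only); applied only on Windows.
FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04


def _set_windows_attributes(path: str) -> None:
    """Mark the placeholder folder hidden, system and read-only (Windows only)."""
    if os.name != "nt":
        return
    import ctypes  # local import: only meaningful on Windows
    attrs = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
    ctypes.windll.kernel32.SetFileAttributesW(path, attrs)


def inspect_root(root: str) -> str:
    """Classify a drive root.

    'clean'        - no autorun.inf present
    'immunized'    - the placeholder folder is present
    'autorun-file' - a real autorun.inf file exists; scan the drive with AV
    """
    target = os.path.join(root, AUTORUN)
    if not os.path.lexists(target):
        return "clean"
    if os.path.isdir(target):
        return "immunized"
    return "autorun-file"


def immunize_root(root: str) -> str:
    """Create the placeholder folder in a clean root; never touch an existing file.

    Returns the state of the root afterwards (see inspect_root).
    """
    state = inspect_root(root)
    if state == "autorun-file":
        # Leave the suspicious file for the AV scan instead of deleting it here.
        return state
    if state == "clean":
        target = os.path.join(root, AUTORUN)
        os.mkdir(target)
        # A non-empty directory cannot be replaced by a plain file of the same
        # name, so the placeholder folder keeps one member file inside it.
        with open(os.path.join(target, "placeholder"), "w", encoding="ascii") as fh:
            fh.write("placeholder folder created by the immunize_root example\n")
        _set_windows_attributes(target)
    return inspect_root(root)


def demo() -> dict:
    """Run two constructed scenarios in temporary folders and return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as clean_root, tempfile.TemporaryDirectory() as dirty_root:
        # Constructed sample: the second root already holds an autorun.inf file.
        with open(os.path.join(dirty_root, AUTORUN), "w", encoding="ascii") as fh:
            fh.write("[autorun]\n")
        results["clean"] = immunize_root(clean_root)        # -> "immunized"
        results["dirty"] = immunize_root(dirty_root)        # -> "autorun-file"
        results["clean_again"] = immunize_root(clean_root)  # idempotent -> "immunized"
    return results


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:12s}: {state}")
```

On a real Windows XP machine the root would be a drive letter such as E:\, and the attribute bits make the folder behave like the hidden folder the note says not to delete; on any other platform the function only creates the folder.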
 
All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users
->Flash cache emptied: 0 bytes

User: Becki Price
->Temp folder emptied: 376174 bytes
->Temporary Internet Files folder emptied: 12167843 bytes
->Java cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 546221 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 439085062 bytes

Total Files Cleaned = 431.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users
->Flash cache emptied: 0 bytes

User: Becki Price
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.31.0 log created on 01092012_223656

Files\Folders moved on Reboot...
C:\Documents and Settings\Becki Price\Local Settings\Temporary Internet Files\Content.IE5\SBV0LEKQ\favicon[6].png moved successfully.
C:\Documents and Settings\Becki Price\Local Settings\Temporary Internet Files\Content.IE5\SBV0LEKQ\topic175783-2[1].htm moved successfully.
C:\Documents and Settings\Becki Price\Local Settings\Temporary Internet Files\Content.IE5\MS9UO1EX\favicon[7].png moved successfully.
C:\Documents and Settings\Becki Price\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_694.dat not found!
C:\WINDOWS\temp\Perflib_Perfdata_28c.dat moved successfully.

Registry entries deleted on Reboot...
=======
Going on to remove tools.
 
Thanks Broni...
I will pass your tips along.
I am not done yet, but getting close now.
Steps yet to take for my friends...

Install Firewall - Planning to Use Online Armor, as I know from personal experience it works well with Avira. I have found that AVG will not install with OA installed, so I am staying with Avira for them. Do you have a different suggestion?

Finish Updates (Windows / MS primarily, but will check for others using the two resources you suggested, also plan to reinstall Adobe reader, latest version. Previous was not wanting to update, so I uninstalled it).

I don't like the way MBAM insists on starting with every startup. Any suggestions here?

I see they have Safari. I don't know if WOT works with it or with IE8. I use Firefox (with WOT) and will install these for them.

I also intend to see if I can change some services to manual instead of automatic, so that startup will be cleaner and quicker for them.

After that, I will install the Flash Disinfector and run AV on the external drive.

Any other thoughts for me, at this point?
Again, thanks for all your help, and for your patience even with my mess-up on the script.
I was really afraid I had borked the machine.
 
You're very welcome


Free MBAM version doesn't have to be a startup.
There is an option in "Preferences" to disable it as a startup.

I believe there is WOT version for Safari.

Good luck and stay safe :)
 
Question: Googled and am not finding answers.
Does Online Armor have this correct?

"Online Armor has detected that this file is a virus or dangerous program"
"The program InstallFlashPlayer.exe was determined to be dangerous. It is highly recommended that you Block this action."
Product Version 11,1,102,55
Description: Adobe Flash Player Installer / Uninstaller 11.1 r102
Parent Program:
C:\windows\system32\macromed\flash\flashuitl11c_Activex.exe

Thanks
 
Okay...
Thanks so much... again!
The external drive checked clean with AVG on my own machine.
I'll check it again on this one with Avira (though that is pro'ly overkill).

Still working on updates... dotNet1.1 had an update that would not install, so I ended up uninstalling all of dotNet, and will reinstall it from the ground up.

The way things stand now... I'd say lock this thread,
If I need to, I can message you asking to reopen it.
Blessings!
 
You're very welcome


Some of those .NET updates are a pain in the butt.
In some cases you'll have to download the standalone file and install it that way, not through Windows Update.
 
hmmm
looks like Avira is doing ITS job,
and it looks like a basic conflict with disinfector's autorun.inf files.
They are being repeatedly blocked.
I am wondering why anything would be trying to open them though,
after the system is up and running.
Wondering if I should remove those files,
or if we need to do more looking at what is happening?
 
Hello Broni
Should we reopen this thread?

Does this look like we may need to do more work?
When I started MS Office (Word), in order to check version information,
Online Armor Blocked some processes...

First
dde
w_1^VH%!!!!!!!!MKKSkWORDFiles>tW{~$4Q]c@5d1`,xaTO5 \n \dde
Hash(MD5): E5DC625D58450B9D75D3A81E3FD35DC2\dde
file date 12/30/1899

Second
e
w_1^VH%!!!!!!!!MKKSkEXCELFiles>tW{~$4Q]c@II=l2xaTO5 \e
Hash(MD5): 2AC80ADC9772C13340B91726CAD1FAA6\e
file date 12/30/1899

Third
w_1^VH%!!!!!!!!MKKSkPubPrimary>tW{~$4Q]c@?F@6kxaTO5 %1
w_1^VH%!!!!!!!!MKKSkPubPrimary>tW{~$4Q]c@?F@6kxaTO5 %1
Hash(MD5): F0463252FE68B66842A6F3CF7E204E16

Tried to "open file location" for these
"Path does not exist or is not a directory."

Also find these as allowed
tmp21E.tmp, 0.0.0.0, (0.0.0.0)
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp21E.tmp
Hash(MD5): 5FDB643E2B86AA45951B140C72FFB1E6

pv.exe, 0.0.0.0, (0.0.0.0)
C:\Documents and Settings\Administrator\Local Settings\temp\pv.exe
Hash(MD5): 92BD80F82FE8A28385B7D9D3F215E8B3

I have not gone looking for these yet.
I am not sure if all of these were spawned by opening MSWord.
 
OA info is pretty cryptic.
I'm not sure how to read it.

Re-run TFC.

Update MBAM, post new log.
 
Thanks Broni...
Wondering if they had an infected document corrupt their normal.dot template, so now it is calling for malware we have already removed? But, if so, why would OA deal with it until it tried to start? You are the expert here, I am just grasping at straws. In any case, I am thinking of removing their normal.dot templates, all instances, just in case, and let them be respawned next time Word starts.
=======

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.11.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: BALTIMOR-1MBHXM [administrator]

Protection: Disabled

1/11/2012 2:01:49 PM
mbam-log-2012-01-11 (14-01-49).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 221618
Time elapsed: 19 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 