[Active] Please help me to finish clean-up from Microsoft Security Suite malware invasion

Discussion in 'Virus and Malware Removal' started by jbmorgan, Aug 18, 2010.

Thread Status:
Not open for further replies.
  1. crunchie Malware Helper

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      
      :OTL
      IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50370
      FF - prefs.js..network.proxy.http_port: 50370
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
      O3 - HKLM\..\Toolbar: (no name) -  - No CLSID value found.
      :Commands
      [emptytemp]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top.
    • Let the program run unhindered, reboot the PC when it is done.
    • Post log from this run.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

    ====

    How are things now?
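The fix script in the post above targets a specific pattern: both browsers were pointed at a proxy on the local machine (IE's ProxyServer value and Firefox's network.proxy.http_port, both 127.0.0.1:50370), which is how a redirector sitting on the box gets to rewrite search results. The following is an added example, not part of the thread and not a feature of OTL: a small offline check that reads the same three places the fix touches (Firefox prefs.js, the IE Internet Settings values, and the hosts file) and reports loopback proxies and non-stock hosts entries. The sample prefs, registry values and hosts line are constructed to mirror the values in the fix; nothing in it modifies the system.

```python
"""Offline check for the browser-proxy hijack the OTL fix above removes.

Added example; it is not part of the thread and not a feature of OTL.
It reads text you already have (a copy of the Firefox prefs.js, the
hosts file, and the HKCU\\...\\Internet Settings values, e.g. from
`reg export`) and reports loopback proxies and non-standard hosts
entries. Nothing here changes the system.
"""
import re
from typing import Dict, List

# A proxy that points back at the local machine is the redirect
# pattern seen in the fix above (http=127.0.0.1:50370).
LOOPBACK = {"127.0.0.1", "localhost", "::1", "0.0.0.0"}
# Firefox writes prefs as: user_pref("name", value);
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);$')


def parse_prefs(prefs_js: str) -> Dict[str, str]:
    """Return {pref name: value} with string quotes removed."""
    prefs: Dict[str, str] = {}
    for line in prefs_js.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip().strip('"')
    return prefs


def firefox_proxy_findings(prefs: Dict[str, str]) -> List[str]:
    """Loopback proxy host, and whether network.proxy.type makes it active."""
    host = prefs.get("network.proxy.http", "")
    port = prefs.get("network.proxy.http_port", "")
    ptype = prefs.get("network.proxy.type", "0")  # 0 = no proxy, 1 = manual
    if host.strip("[]") not in LOOPBACK:
        return []
    state = "active (network.proxy.type=1)" if ptype == "1" else "configured but inactive"
    return [f"firefox: network.proxy.http {host}:{port or '?'} is loopback, {state}"]


def ie_proxy_findings(values: Dict[str, str]) -> List[str]:
    """values maps the Internet Settings value names (ProxyEnable, ProxyServer)."""
    findings = []
    enabled = values.get("ProxyEnable", "0") not in ("0", "")
    # ProxyServer is "host:port" or "http=host:port;https=host:port;..."
    for part in values.get("ProxyServer", "").split(";"):
        hostport = part.split("=", 1)[-1].strip()
        host = hostport.rsplit(":", 1)[0].strip("[]")
        if host in LOOPBACK:
            state = "enabled" if enabled else "disabled but still configured"
            findings.append(f"ie: ProxyServer {hostport} is loopback, {state}")
    return findings


def hosts_findings(hosts_text: str) -> List[str]:
    """Every active hosts entry except the two stock localhost lines."""
    findings = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        ip, *names = line.split()
        if not (ip in ("127.0.0.1", "::1") and names == ["localhost"]):
            findings.append(f"hosts: {ip} -> {' '.join(names)}")
    return findings


def triage(prefs_js: str, ie_values: Dict[str, str], hosts_text: str) -> List[str]:
    return (firefox_proxy_findings(parse_prefs(prefs_js))
            + ie_proxy_findings(ie_values) + hosts_findings(hosts_text))


# Constructed sample input modelled on the values in the fix above;
# the extra hosts entry is invented for illustration.
SAMPLE_PREFS = '''
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 50370);
user_pref("network.proxy.type", 1);
user_pref("browser.startup.homepage", "http://www.arktos.com/");
'''
SAMPLE_IE = {"ProxyEnable": "1", "ProxyServer": "http=127.0.0.1:50370"}
SAMPLE_HOSTS = "127.0.0.1 localhost\n::1 localhost\n127.0.0.1 update.example.com  # constructed\n"

if __name__ == "__main__":
    for finding in triage(SAMPLE_PREFS, SAMPLE_IE, SAMPLE_HOSTS):
        print(finding)
```

Run against the values in the post-fix Quick Scan log later in this thread (network.proxy.http still "127.0.0.1", network.proxy.type 0, no port) the Firefox check reports the host as configured but inactive: the fix above removed the port, not the host, so the setting is inert only as long as network.proxy.type stays 0.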
  2. jbmorgan Newcomer, in training

    Had a chance yet?

    I don't mean to be impatient but it's been a week and I was wondering if you'd had a chance to look at this yet. I'm still having a few weird problems, such as when I try to pull up a site through Google and I get redirected to other sites.
  3. crunchie Malware Helper

    Go back up a post. I already answered a week ago. By rights I should have already closed the thread.
  4. jbmorgan Newcomer, in training

    OTL scans 1

    Dear Crunchie, I apologize for the delay. I hadn't realized that this thread had gone onto a second page and didn't see your reply until after you called my attention to it.

    The first time I ran OTL Custom Fix, when it was done I tried to reboot but as soon as I touched the keyboard I got the "blue screen of death" instead, and didn't get a chance to save the log. I restarted my machine and it seemed to be OK after that. I ran the Custom Fix again and the log is below. I'm not sure but it may have happened because I forgot to close my browser until after I started the Fix. Here's the log that was generated during the second fix:

    All processes killed
    ========== OTL ==========
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
    Prefs.js: 50370 removed from network.proxy.http_port
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\ not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: John B. Morgan IV
    ->Temp folder emptied: 634883 bytes
    ->Temporary Internet Files folder emptied: 46548 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 5086803 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 793 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 6.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.2.17.3 log created on 11222010_124013

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
  5. jbmorgan Newcomer, in training

    Second OTL scan

    Below is the scan I ran following the reboot after the OTL Fix was finished. By the way everything seems to be OK now - Google is working properly again.

    OTL logfile created on: 11/22/2010 2:36:33 PM - Run 10
    OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\John B. Morgan IV\Desktop
    Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 72.00% Memory free
    4.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 79.99 Gb Total Space | 1.62 Gb Free Space | 2.03% Space Free | Partition Type: NTFS
    Drive D: | 61.20 Gb Total Space | 2.02 Gb Free Space | 3.31% Space Free | Partition Type: NTFS
    Drive E: | 7.82 Gb Total Space | 1.68 Gb Free Space | 21.45% Space Free | Partition Type: NTFS

    Computer Name: ATHENA | User Name: John B. Morgan IV | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2010/11/14 22:16:19 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\John B. Morgan IV\Desktop\OTL.exe
    PRC - [2010/02/26 00:10:20 | 021,979,992 | ---- | M] () -- C:\Documents and Settings\John B. Morgan IV\Application Data\Dropbox\bin\Dropbox.exe
    PRC - [2009/12/18 00:55:16 | 000,189,736 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    PRC - [2009/12/18 00:54:24 | 000,197,928 | ---- | M] (Seagate LLC) -- C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
    PRC - [2009/10/07 14:03:36 | 000,323,392 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\DNA\btdna.exe
    PRC - [2009/08/26 18:44:34 | 000,902,144 | ---- | M] (Novatel Wireless Inc.) -- C:\Program Files\Novatel Wireless\Virgin Mobile\MobiLink3.exe
    PRC - [2009/08/24 17:52:30 | 000,082,432 | ---- | M] () -- C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe
    PRC - [2009/04/23 08:51:38 | 000,691,656 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Lite\daemon.exe
    PRC - [2008/09/17 02:06:04 | 000,484,880 | ---- | M] (SAMSUNG ELECTRONICS) -- C:\Program Files\Samsung\EmoDio\SMSTray.exe
    PRC - [2008/09/03 21:49:56 | 000,311,296 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
    PRC - [2008/09/03 13:34:42 | 000,335,872 | ---- | M] (ELANTECH Devices Corp.) -- C:\Program Files\Elantech\ETDCTRL.EXE
    PRC - [2008/09/02 22:32:00 | 000,593,920 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
    PRC - [2008/09/02 22:28:14 | 000,106,496 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\EeePC\ACPI\AsTray.exe
    PRC - [2008/08/22 19:18:44 | 000,204,800 | ---- | M] (ELANTECH Devices Corp.) -- C:\Program Files\Elantech\ETDDECT.EXE
    PRC - [2008/05/21 03:56:24 | 000,094,208 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\EeePC\ACPI\AsEPCMon.exe
    PRC - [2007/12/20 01:07:40 | 000,163,840 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxext.exe
    PRC - [2007/05/28 11:57:54 | 000,275,968 | ---- | M] (Rocket Division Software) -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    PRC - [2007/01/04 21:48:52 | 000,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    PRC - [2004/08/04 02:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/11/14 22:16:19 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\John B. Morgan IV\Desktop\OTL.exe


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe -- (PavPrSrv)
    SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\brrgckcn.dll -- (LanmanSrv)
    SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
    SRV - [2010/04/05 06:48:54 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2010/03/25 20:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
    SRV - [2009/12/18 00:55:16 | 000,189,736 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)
    SRV - [2009/08/24 17:52:30 | 000,082,432 | ---- | M] () [Auto | Running] -- C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe -- (NvtlService)
    SRV - [2007/10/25 17:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
    SRV - [2007/05/28 11:57:54 | 000,275,968 | ---- | M] (Rocket Division Software) [Auto | Running] -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE)
    SRV - [2007/01/04 21:48:52 | 000,112,152 | R--- | M] (InterVideo) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)


    ========== Driver Services (SafeList) ==========

    DRV - [2009/08/24 17:53:24 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PCASp50.sys -- (PCASp50)
    DRV - [2009/05/15 13:34:30 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwvmser2.sys -- (NWVMPort2)
    DRV - [2009/05/15 13:34:30 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwvmser.sys -- (NWVMPort)
    DRV - [2009/05/15 13:34:30 | 000,174,720 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwvmmdm.sys -- (NWVMModem)
    DRV - [2008/08/25 03:59:40 | 000,026,112 | ---- | M] (ELANTECH Devices Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ETD.sys -- (Ktp)
    DRV - [2008/08/12 18:10:50 | 004,751,360 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2008/04/29 01:03:20 | 000,016,952 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rkpavproc1.sys -- (RkPavproc1)
    DRV - [2008/04/14 07:00:00 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
    DRV - [2008/04/08 17:59:28 | 000,010,752 | ---- | M] (ASUSTeK Computer Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASUSACPI.SYS -- (AsusACPI)
    DRV - [2008/03/11 21:37:00 | 000,036,864 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1e51x86.sys -- (L1e)
    DRV - [2007/12/20 01:32:12 | 005,854,688 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
    DRV - [2007/05/03 06:00:58 | 000,546,976 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
    DRV - [2007/03/28 09:22:18 | 000,057,024 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wsimd.sys -- (WSIMD)
    DRV - [2004/08/03 22:00:14 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\changer.sys -- (Changer)
    DRV - [2004/08/03 21:59:34 | 000,034,688 | ---- | M] (Toshiba Corp.) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\lbrtfdc.sys -- (lbrtfdc)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.arktos.com/
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
    FF - prefs.js..browser.search.defaultthis.engineName: "Softonic_English Customized Web Search"
    FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT1142338&SearchSource=3&q={searchTerms}"
    FF - prefs.js..browser.search.order.1: "Ask"
    FF - prefs.js..browser.search.selectedEngine: "Yahoo! Search"
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "http://www.arktos.com/"
    FF - prefs.js..extensions.enabledItems: DTToolbar@toolbarnet.com:1.0.8.0552
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.6.20090220
    FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.63
    FF - prefs.js..keyword.URL: "http://in.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_in&p="
    FF - prefs.js..network.proxy.http: "127.0.0.1"
    FF - prefs.js..network.proxy.type: 0


    FF - HKLM\software\mozilla\Firefox\Extensions\\FFToolbar@bitdefender.com: C:\Program Files\BitDefender\BitDefender 2010\bdaphffext\ [2010/08/01 11:59:40 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/28 00:37:55 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/28 00:37:55 | 000,000,000 | ---D | M]

    [2009/03/07 12:36:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John B. Morgan IV\Application Data\Mozilla\Extensions
    [2010/11/17 17:08:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John B. Morgan IV\Application Data\Mozilla\Firefox\Profiles\wlrr7xnj.default\extensions
    [2010/08/09 22:27:03 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\John B. Morgan IV\Application Data\Mozilla\Firefox\Profiles\wlrr7xnj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2010/03/11 22:12:47 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\John B. Morgan IV\Application Data\Mozilla\Firefox\Profiles\wlrr7xnj.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    [2009/05/06 02:54:18 | 000,000,000 | ---D | M] (Softonic English Toolbar) -- C:\Documents and Settings\John B. Morgan IV\Application Data\Mozilla\Firefox\Profiles\wlrr7xnj.default\extensions\{930f1200-f5f1-4870-bac6-e233ec8e7023}
    [2010/07/20 22:49:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\John B. Morgan IV\Application Data\Mozilla\Firefox\Profiles\wlrr7xnj.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
    [2010/06/19 02:42:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John B. Morgan IV\Application Data\Mozilla\Firefox\Profiles\wlrr7xnj.default\extensions\DTToolbar@toolbarnet.com
    [2009/05/20 08:11:27 | 000,000,681 | ---- | M] () -- C:\Documents and Settings\John B. Morgan IV\Application Data\Mozilla\Firefox\Profiles\wlrr7xnj.default\searchplugins\ask.xml
    [2009/03/25 01:22:56 | 000,000,894 | ---- | M] () -- C:\Documents and Settings\John B. Morgan IV\Application Data\Mozilla\Firefox\Profiles\wlrr7xnj.default\searchplugins\conduit.xml
    [2010/06/19 02:41:56 | 000,002,395 | ---- | M] () -- C:\Documents and Settings\John B. Morgan IV\Application Data\Mozilla\Firefox\Profiles\wlrr7xnj.default\searchplugins\daemon-search.xml
    [2010/11/17 17:08:12 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2009/10/19 08:29:44 | 000,047,104 | ---- | M] (BitDefender S.R.L.) -- C:\Program Files\Mozilla Firefox\components\FFComm.dll

    O1 HOSTS File: ([2010/11/22 12:40:23 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
    O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
    O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
    O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
    O3 - HKCU\..\Toolbar\ShellBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
    O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
    O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
    O4 - HKLM..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe (ASUSTeK Computer Inc.)
    O4 - HKLM..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe (ASUSTeK Computer Inc.)
    O4 - HKLM..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe (ASUSTeK Computer Inc.)
    O4 - HKLM..\Run: [ETDWare] C:\Program Files\Elantech\ETDCTRL.EXE (ELANTECH Devices Corp.)
    O4 - HKLM..\Run: [ETDWareDetect] C:\Program Files\Elantech\ETDDECT.EXE (ELANTECH Devices Corp.)
    O4 - HKLM..\Run: [MaxMenuMgr] C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe (Seagate LLC)
    O4 - HKLM..\Run: [SMSTray] C:\Program Files\Samsung\EmoDio\SMSTray.exe (SAMSUNG ELECTRONICS)
    O4 - HKCU..\Run: [AlcoholAutomount] C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe (Alcohol Soft Development Team)
    O4 - HKCU..\Run: [BitTorrent DNA] C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
    O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\daemon.exe (DT Soft Ltd)
    O4 - HKCU..\Run: [MobiLink3] C:\Program Files\Novatel Wireless\Virgin Mobile\MobiLink3.exe (Novatel Wireless Inc.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SuperHybridEngine.lnk = C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe (ASUSTeK Computer Inc.)
    O4 - Startup: C:\Documents and Settings\John B. Morgan IV\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\John B. Morgan IV\Application Data\Dropbox\bin\Dropbox.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
    O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
    O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O15 - HKCU\..Trusted Domains: bobibanking.com ([www] https in Local intranet)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263849575053 (WUWebControl Class)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263849552381 (MUWebControl Class)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKCU Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\John B. Morgan IV\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\John B. Morgan IV\Application Data\Mozilla\Firefox\Desktop Background.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2010/08/02 12:33:22 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/11/17 20:08:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John B. Morgan IV\Desktop\Blood Axis-Born Again
    [2010/11/17 19:45:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John B. Morgan IV\Desktop\Sumkali
    [2010/11/17 19:44:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John B. Morgan IV\Desktop\YP-Q1J (D)
    [2010/11/14 22:16:18 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\John B. Morgan IV\Desktop\OTL.exe
    [2010/11/12 15:07:14 | 000,000,000 | ---D | C] -- C:\Program Files\winlogon.exe
    [2010/11/11 14:04:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John B. Morgan IV\Application Data\com.adobe.ExMan
    [2010/04/09 03:51:33 | 000,190,464 | ---- | C] (Microsoft) -- C:\Program Files\Common Files\OnlineFilesManager.dll.old
    [2008/09/11 08:03:04 | 015,523,560 | ---- | C] (Macrovision Corporation) -- C:\Program Files\Install AiGuruU1 Skype Phone.exe

    ========== Files - Modified Within 30 Days ==========

    [2010/11/22 12:41:50 | 000,000,330 | -HS- | M] () -- C:\WINDOWS\tasks\QPLOCLGP.job
    [2010/11/22 12:41:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/11/22 12:40:27 | 000,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
    [2010/11/22 12:40:27 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
    [2010/11/22 12:40:23 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
    [2010/11/22 12:25:00 | 000,000,254 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
    [2010/11/22 12:17:28 | 042,583,353 | ---- | M] () -- C:\Documents and Settings\John B. Morgan IV\Desktop\Inspire No2.pdf
    [2010/11/22 01:20:29 | 000,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
    [2010/11/22 01:20:29 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
    [2010/11/21 18:30:51 | 000,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
    [2010/11/21 18:30:51 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
    [2010/11/21 18:20:37 | 000,012,620 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/11/19 21:05:04 | 000,000,268 | -H-- | M] () -- C:\sqmdata19.sqm
    [2010/11/19 21:05:04 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm
    [2010/11/19 19:53:20 | 000,000,268 | -H-- | M] () -- C:\sqmdata18.sqm
    [2010/11/19 19:53:20 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
    [2010/11/19 18:46:44 | 000,000,268 | -H-- | M] () -- C:\sqmdata17.sqm
    [2010/11/19 18:46:44 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
    [2010/11/19 18:01:04 | 013,690,606 | ---- | M] () -- C:\Documents and Settings\John B. Morgan IV\Desktop\Sunic interviews Cushman.mp3
    [2010/11/18 14:56:41 | 000,000,268 | -H-- | M] () -- C:\sqmdata16.sqm
    [2010/11/18 14:56:41 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
    [2010/11/18 02:28:10 | 000,000,268 | -H-- | M] () -- C:\sqmdata15.sqm
    [2010/11/18 02:28:10 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
    [2010/11/17 20:48:17 | 000,000,268 | -H-- | M] () -- C:\sqmdata14.sqm
    [2010/11/17 20:48:16 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
    [2010/11/17 20:07:08 | 000,172,544 | ---- | M] () -- C:\Documents and Settings\John B. Morgan IV\Desktop\Contemporary Esotericism - Traditionalism and ENR.doc
    [2010/11/17 18:43:17 | 000,054,717 | ---- | M] () -- C:\Documents and Settings\John B. Morgan IV\Desktop\Receipt 000149 - From MoneyWorks 1dc20a.pdf
    [2010/11/16 20:33:21 | 000,000,268 | -H-- | M] () -- C:\sqmdata13.sqm
    [2010/11/16 20:33:21 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
    [2010/11/16 16:46:21 | 000,382,464 | ---- | M] () -- C:\Documents and Settings\John B. Morgan IV\Desktop\droits.doc
    [2010/11/16 04:12:28 | 000,000,268 | -H-- | M] () -- C:\sqmdata12.sqm
    [2010/11/16 04:12:28 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
    [2010/11/15 05:20:57 | 000,000,268 | -H-- | M] () -- C:\sqmdata11.sqm
    [2010/11/15 05:20:57 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
    [2010/11/15 03:40:48 | 000,000,268 | -H-- | M] () -- C:\sqmdata10.sqm
    [2010/11/15 03:40:48 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
    [2010/11/14 22:16:19 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\John B. Morgan IV\Desktop\OTL.exe
    [2010/11/14 19:36:12 | 013,836,576 | ---- | M] () -- C:\Documents and Settings\John B. Morgan IV\Desktop\Sunic interviews Polignano.mp3
    [2010/11/14 02:30:48 | 000,000,268 | -H-- | M] () -- C:\sqmdata09.sqm
    [2010/11/14 02:30:48 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
    [2010/11/13 03:05:17 | 000,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
    [2010/11/13 03:05:17 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
    [2010/11/13 01:31:10 | 000,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
    [2010/11/13 01:31:10 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
    [2010/11/13 01:21:13 | 000,073,756 | ---- | M] () -- C:\Documents and Settings\John B. Morgan IV\Desktop\codreanu appendix.docx
    [2010/11/13 01:00:40 | 000,097,792 | ---- | M] () -- C:\Documents and Settings\John B. Morgan IV\Desktop\Codreanubilder-rev.doc
    [2010/11/12 21:31:03 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
    [2010/11/12 17:23:51 | 000,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
    [2010/11/12 17:23:51 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
    [2010/11/12 16:55:23 | 000,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
    [2010/11/12 16:55:23 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
    [2010/11/12 15:26:43 | 000,000,268 | -H-- | M] () -- C:\sqmdata04.sqm
    [2010/11/12 15:26:43 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
    [2010/11/12 14:49:29 | 000,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
    [2010/11/12 14:49:29 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
    [2010/11/12 04:13:14 | 000,105,984 | RHS- | M] () -- C:\WINDOWS\System32\msvcrt208.dll
    [2010/11/09 18:11:54 | 000,036,864 | ---- | M] () -- C:\Documents and Settings\John B. Morgan IV\Desktop\working copy letter 9NOV.doc
    [2010/11/09 02:36:00 | 000,010,150 | ---- | M] () -- C:\Documents and Settings\John B. Morgan IV\Desktop\Saturday 10 AM.docx
    [2010/11/08 13:19:19 | 000,446,030 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/11/08 13:19:19 | 000,073,146 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/11/04 12:57:46 | 004,405,936 | ---- | M] () -- C:\Documents and Settings\John B. Morgan IV\My Documents\Democracy_in_France.pdf
    [2010/10/28 23:15:08 | 848,217,088 | ---- | M] () -- C:\Documents and Settings\John B. Morgan IV\My Documents\jbmorgan.pst
    [2010/10/27 23:38:11 | 000,002,341 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
    [2010/10/27 23:09:16 | 000,013,609 | ---- | M] () -- C:\Documents and Settings\John B. Morgan IV\Desktop\Born Again.docx

    ========== Files Created - No Company Name ==========

    [2010/11/22 12:11:00 | 042,583,353 | ---- | C] () -- C:\Documents and Settings\John B. Morgan IV\Desktop\Inspire No2.pdf
    [2010/11/18 14:50:40 | 013,690,606 | ---- | C] () -- C:\Documents and Settings\John B. Morgan IV\Desktop\Sunic interviews Cushman.mp3
    [2010/11/17 20:07:08 | 000,172,544 | ---- | C] () -- C:\Documents and Settings\John B. Morgan IV\Desktop\Contemporary Esotericism - Traditionalism and ENR.doc
    [2010/11/17 18:43:16 | 000,054,717 | ---- | C] () -- C:\Documents and Settings\John B. Morgan IV\Desktop\Receipt 000149 - From MoneyWorks 1dc20a.pdf
    [2010/11/16 16:46:20 | 000,382,464 | ---- | C] () -- C:\Documents and Settings\John B. Morgan IV\Desktop\droits.doc
    [2010/11/14 19:34:13 | 013,836,576 | ---- | C] () -- C:\Documents and Settings\John B. Morgan IV\Desktop\Sunic interviews Polignano.mp3
    [2010/11/13 01:09:10 | 000,073,756 | ---- | C] () -- C:\Documents and Settings\John B. Morgan IV\Desktop\codreanu appendix.docx
    [2010/11/13 00:53:07 | 000,097,792 | ---- | C] () -- C:\Documents and Settings\John B. Morgan IV\Desktop\Codreanubilder-rev.doc
    [2010/11/12 15:36:17 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
    [2010/11/12 04:13:15 | 000,000,330 | -HS- | C] () -- C:\WINDOWS\tasks\QPLOCLGP.job
    [2010/11/12 04:13:14 | 000,105,984 | RHS- | C] () -- C:\WINDOWS\System32\msvcrt208.dll
    [2010/11/09 16:06:01 | 000,036,864 | ---- | C] () -- C:\Documents and Settings\John B. Morgan IV\Desktop\working copy letter 9NOV.doc
    [2010/11/09 02:36:00 | 000,010,150 | ---- | C] () -- C:\Documents and Settings\John B. Morgan IV\Desktop\Saturday 10 AM.docx
    [2010/11/04 12:55:46 | 004,405,936 | ---- | C] () -- C:\Documents and Settings\John B. Morgan IV\My Documents\Democracy_in_France.pdf
    [2010/10/27 23:38:11 | 000,002,341 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
    [2010/10/27 18:06:28 | 000,013,609 | ---- | C] () -- C:\Documents and Settings\John B. Morgan IV\Desktop\Born Again.docx
    [2010/09/29 13:23:08 | 000,015,228 | ---- | C] () -- C:\WINDOWS\alchemy.ini
    [2010/08/17 11:45:04 | 000,445,936 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
    [2010/08/02 16:00:20 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2010/07/19 14:28:03 | 000,000,054 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2010/04/09 03:51:33 | 000,052,355 | ---- | C] () -- C:\Program Files\Common Files\OnlineFilesManager.dll
    [2010/02/24 04:56:46 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\libmySQL50.dll
    [2009/11/24 15:45:16 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
    [2009/04/24 06:53:26 | 000,016,952 | ---- | C] () -- C:\WINDOWS\System32\drivers\rkpavproc1.sys
    [2009/03/17 01:01:54 | 000,190,976 | ---- | C] () -- C:\Documents and Settings\John B. Morgan IV\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2009/03/06 12:12:39 | 000,001,530 | ---- | C] () -- C:\Documents and Settings\John B. Morgan IV\Application Data\wklnhst.dat
    [2009/03/06 11:02:52 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
    [2009/02/13 08:45:41 | 000,000,140 | ---- | C] () -- C:\Documents and Settings\John B. Morgan IV\Local Settings\Application Data\fusioncache.dat
    [2008/09/17 02:06:22 | 000,921,600 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
    [2008/09/17 02:06:20 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
    [2008/09/17 02:06:20 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
    [2008/09/17 02:06:20 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\Ogg.dll
    [2008/09/11 22:22:29 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2008/09/11 08:07:09 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
    [2008/09/11 08:07:09 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
    [2008/09/11 08:07:09 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
    [2008/09/11 08:07:09 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
    [2008/09/11 08:07:09 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
    [2008/09/11 08:07:09 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
    [2008/09/11 05:59:45 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4906.dll
    [2008/08/09 09:32:28 | 000,005,312 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
    [2008/08/09 02:41:18 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2008/07/30 21:31:52 | 000,021,864 | ---- | C] () -- C:\WINDOWS\AsAcpiSvrLang.ini
    [2008/03/17 17:54:36 | 000,012,208 | ---- | C] () -- C:\WINDOWS\AsTrayLang.ini

    ========== LOP Check ==========

    [2010/08/04 11:39:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2010/08/01 12:00:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BitDefender
    [2009/09/10 23:49:51 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
    [2010/06/19 02:42:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
    [2010/08/04 10:38:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
    [2010/02/24 04:58:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MagneticOne Store Manager for Magento
    [2010/09/01 00:05:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Novatel Wireless
    [2010/03/30 10:35:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Seagate
    [2010/08/04 13:08:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2009/09/29 21:03:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    [2009/05/15 09:40:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    [2010/11/11 14:04:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John B. Morgan IV\Application Data\com.adobe.ExMan
    [2010/06/19 03:11:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John B. Morgan IV\Application Data\DAEMON Tools Lite
    [2010/07/01 09:06:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John B. Morgan IV\Application Data\DataCast
    [2010/11/22 14:36:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John B. Morgan IV\Application Data\DNA
    [2010/11/22 12:58:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John B. Morgan IV\Application Data\Dropbox
    [2008/09/11 22:15:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John B. Morgan IV\Application Data\InterVideo
    [2010/09/15 16:11:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John B. Morgan IV\Application Data\Kernel for Outlook
    [2010/03/30 10:13:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John B. Morgan IV\Application Data\Leadertech
    [2009/03/06 12:12:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John B. Morgan IV\Application Data\Template
    [2010/06/19 05:14:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John B. Morgan IV\Application Data\Uniblue
    [2010/10/30 01:50:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John B. Morgan IV\Application Data\uTorrent
    [2009/02/16 02:23:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John B. Morgan IV\Application Data\Windows Live Writer
    [2010/06/21 07:48:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John B. Morgan IV\Application Data\ZTEEVDO
    [2010/06/21 07:48:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John B. Morgan IV\Application Data\ZTEMTUI
    [2010/11/22 12:25:00 | 000,000,254 | ---- | M] () -- C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
    [2010/11/12 21:31:03 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
    [2010/11/22 12:41:50 | 000,000,330 | -HS- | M] () -- C:\WINDOWS\Tasks\QPLOCLGP.job

    ========== Purity Check ==========



    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 351779 bytes -> C:\WINDOWS\Temp:temp
    @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

    < End of report >
  6. crunchie Malware Helper

    Keep your eye on it for a couple of days and see how it is then and let me know.
  7. crunchie Malware Helper

    How are things?
  8. jbmorgan Newcomer, in training

    Current status

    It seems to be OK. Occasionally Google (occasionally sending me to advertising sites instead of ones requested) or Outlook (90% of my messages suddenly disappear, then come back) do weird things, but I'm not sure if it's related to malware. What do you think?
  9. crunchie Malware Helper

    Very strange.

    Please delete the version of combofix that you have on the PC now and download and run the latest version.

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
  10. jbmorgan Newcomer, in training

    New, severe problems...

    Dear Crunchie,

    I've been travelling a lot over the past week which is why I've been out of touch. As I said, since my last attempt at a clean-up I've had some problems, although they were minor until today. I switched on my laptop today and now there's a whole host of new problems. There's definitely some sort of malware on my system currently. Earlier I was getting an error message from "eee PC Tray" (that's the type of laptop I have) every minute or so popping up on my screen, telling me it needed to shut down, and an icon which claimed it was the Tray started replacing all of the other icons in my menu bar, as has happened before with malware. It was not quite as severe in that I could still use the Internet and such. I went into Safe Mode and ran TFC, Microsoft Security Essentials (which found and removed a worm) and Malwarebytes. Malwarebytes keeps finding three items on my computer but when I try to have MB remove them, the program freezes, even in safe mode. Also, I can't seem to use WiFi right now, only LAN, which seems to be the result of the virus. The Tray error messages have stopped coming but I'm sure there must still be an infection(s). Any suggestions for this latest round?
  11. jbmorgan Newcomer, in training

    Further update

    Well, since I last posted, I tried running MB in Safe Mode again - twice - and it didn't find anything! Which is strange since, as far as I know, it didn't successfully delete the things it found the previous time. I'm not sure that actually fixed the problem, either, since my WiFi is still not working, although that may be an unrelated problem. Anyway, just wanted to keep you up-to-date.
  12. crunchie Malware Helper

    My suggestion has already been posted above.
  13. jbmorgan Newcomer, in training

    Didn't work...

    Dear Crunchie,
    I just tried running Combofix but I got the blue screen of death and my system crashed while I was running it. I'm not sure if that was the result of me touching the mouse a moment before the crash but it didn't say anything about not touching the keys/mouse. I'd run it again but the instructions specifically say to only run it once. Where should I go from here?
  14. crunchie Malware Helper

    Can you try it again, but this time run it from safe mode please.
  15. jbmorgan Newcomer, in training

    Combofix log

    Dear Crunchie, it worked in safe mode. However, I neglected to disconnect from the Internet before I ran the program...hope that's not a problem. Log below.

    ComboFix 10-12-09.08 - John B. Morgan IV 12/11/2010 17:24:43.4.2 - x86 NETWORK
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1703 [GMT 5.5:30]
    Running from: c:\documents and settings\John B. Morgan IV\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\winlogon.exe
    c:\program files\winlogon.exe\changes.rtf
    c:\program files\winlogon.exe\Languages\arabic.lng
    c:\program files\winlogon.exe\Languages\belarusian.lng
    c:\program files\winlogon.exe\Languages\bosnian.lng
    c:\program files\winlogon.exe\Languages\bulgarian.lng
    c:\program files\winlogon.exe\Languages\catalan.lng
    c:\program files\winlogon.exe\Languages\chineseSI.lng
    c:\program files\winlogon.exe\Languages\chineseTR.lng
    c:\program files\winlogon.exe\Languages\croatian.lng
    c:\program files\winlogon.exe\Languages\czech.lng
    c:\program files\winlogon.exe\Languages\danish.lng
    c:\program files\winlogon.exe\Languages\dutch.lng
    c:\program files\winlogon.exe\Languages\english.lng
    c:\program files\winlogon.exe\Languages\estonian.lng
    c:\program files\winlogon.exe\Languages\finnish.lng
    c:\program files\winlogon.exe\Languages\french.lng
    c:\program files\winlogon.exe\Languages\german.lng
    c:\program files\winlogon.exe\Languages\greek.lng
    c:\program files\winlogon.exe\Languages\hebrew.lng
    c:\program files\winlogon.exe\Languages\hungarian.lng
    c:\program files\winlogon.exe\Languages\italian.lng
    c:\program files\winlogon.exe\Languages\korean.lng
    c:\program files\winlogon.exe\Languages\latvian.lng
    c:\program files\winlogon.exe\Languages\lithuanian.lng
    c:\program files\winlogon.exe\Languages\macedonian.lng
    c:\program files\winlogon.exe\Languages\norwegian.lng
    c:\program files\winlogon.exe\Languages\polish.lng
    c:\program files\winlogon.exe\Languages\portugueseBR.lng
    c:\program files\winlogon.exe\Languages\portuguesePT.lng
    c:\program files\winlogon.exe\Languages\romanian.lng
    c:\program files\winlogon.exe\Languages\russian.lng
    c:\program files\winlogon.exe\Languages\serbian.lng
    c:\program files\winlogon.exe\Languages\slovak.lng
    c:\program files\winlogon.exe\Languages\slovenian.lng
    c:\program files\winlogon.exe\Languages\spanish.lng
    c:\program files\winlogon.exe\Languages\swedish.lng
    c:\program files\winlogon.exe\Languages\turkish.lng
    c:\program files\winlogon.exe\license.txt
    c:\program files\winlogon.exe\mbam.chm
    c:\program files\winlogon.exe\mbam.dll
    c:\program files\winlogon.exe\mbam.exe
    c:\program files\winlogon.exe\mbamcore.dll
    c:\program files\winlogon.exe\mbamext.dll
    c:\program files\winlogon.exe\mbamgui.exe
    c:\program files\winlogon.exe\mbamnet.dll
    c:\program files\winlogon.exe\mbamservice.exe
    c:\program files\winlogon.exe\ssubtmr6.dll
    c:\program files\winlogon.exe\unins000.dat
    c:\program files\winlogon.exe\unins000.exe
    c:\program files\winlogon.exe\unins000.msg
    c:\program files\winlogon.exe\vbalsgrid6.ocx

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_usnjsvc


    ((((((((((((((((((((((((( Files Created from 2010-11-11 to 2010-12-11 )))))))))))))))))))))))))))))))
    .

    2010-12-10 16:22 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{33826E67-075B-4FF1-BB76-36B189FE3FE8}\mpengine.dll
    2010-11-11 19:04 . 2010-11-11 19:04 -------- d-----w- c:\documents and settings\John B. Morgan IV\Application Data\com.adobe.ExMan

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-29 12:12 . 2010-08-14 03:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-29 12:12 . 2010-08-14 03:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-19 20:51 . 2010-08-04 21:49 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-07 23:21 . 2010-08-04 21:49 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2010-05-23 14:37 . 2010-04-09 08:51 52355 ----a-w- c:\program files\Common Files\OnlineFilesManager.dll
    2010-04-23 15:27 . 2010-04-09 08:51 190464 ----a-w- c:\program files\Common Files\OnlineFilesManager.dll.old
    2008-05-07 23:34 . 2008-09-11 13:03 15523560 ----a-w- c:\program files\Install AiGuruU1 Skype Phone.exe
    2009-10-19 13:29 . 2010-07-09 06:42 47104 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2009-12-09 01:19 94208 ----a-w- c:\documents and settings\John B. Morgan IV\Application Data\Dropbox\bin\DropboxExt.13.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2009-12-09 01:19 94208 ----a-w- c:\documents and settings\John B. Morgan IV\Application Data\Dropbox\bin\DropboxExt.13.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2009-12-09 01:19 94208 ----a-w- c:\documents and settings\John B. Morgan IV\Application Data\Dropbox\bin\DropboxExt.13.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Online Files]
    @="{B82655E9-B81D-4A97-8154-0D84A4C048E4}"
    [HKEY_CLASSES_ROOT\CLSID\{B82655E9-B81D-4A97-8154-0D84A4C048E4}]
    2010-05-23 14:37 52355 ----a-w- c:\program files\Common Files\OnlineFilesManager.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-09-02 13351304]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-07 323392]
    "AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-02-22 217544]
    "MobiLink3"="c:\program files\Novatel Wireless\Virgin Mobile\MobiLink3.exe" [2009-08-26 902144]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "SMSTray"="c:\program files\Samsung\EmoDio\SMSTray.exe" [2008-09-17 484880]
    "RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-20 131072]
    "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-12-18 197928]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-20 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-20 159744]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "ETDWareDetect"="c:\program files\Elantech\ETDDect.exe" [2008-08-23 204800]
    "ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2008-09-03 335872]
    "AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-09-03 106496]
    "AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]
    "AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-09-03 593920]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

    c:\documents and settings\John B. Morgan IV\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\documents and settings\John B. Morgan IV\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-5-29 113664]
    SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2008-9-11 311296]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Documents and Settings\\John B. Morgan IV\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 AM 189736]
    R2 NvtlService;NovaCore SDK Service;c:\program files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe [8/25/2009 4:22 AM 82432]
    S2 LanmanSrv;Trusted Center;c:\windows\system32\svchost.exe -k netsvcs [11/25/2009 2:15 AM 14336]
    S3 NWVMModem;Virgin Mobile USB Modem Driver;c:\windows\system32\drivers\nwvmmdm.sys [5/16/2009 12:04 AM 174720]
    S3 NWVMPort;Virgin Mobile USB Status Port Driver;c:\windows\system32\drivers\nwvmser.sys [5/16/2009 12:04 AM 174720]
    S3 NWVMPort2;Virgin Mobile USB Status2 Port Driver;c:\windows\system32\drivers\nwvmser2.sys [5/16/2009 12:04 AM 174720]
    S3 RkPavproc1;RkPavproc1;c:\windows\system32\drivers\rkpavproc1.sys [4/24/2009 5:23 PM 16952]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - sptd
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-11 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]

    2010-12-11 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.arktos.com/
    mSearch Bar = hxxp://www.google.com
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=%s
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    Trusted Zone: bobibanking.com\www
    TCP: {2268D7D2-E6CB-40AB-AFFF-3898388F4A02} = 192.168.1.1
    FF - ProfilePath - c:\documents and settings\John B. Morgan IV\Application Data\Mozilla\Firefox\Profiles\wlrr7xnj.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1142338&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.arktos.com/
    FF - prefs.js: keyword.URL - hxxp://in.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_in&p=
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\documents and settings\John B. Morgan IV\Application Data\Mozilla\Firefox\Profiles\wlrr7xnj.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Extension: DAEMON Tools Toolbar: DTToolbar@toolbarnet.com - c:\documents and settings\John B. Morgan IV\Application Data\Mozilla\Firefox\Profiles\wlrr7xnj.default\extensions\DTToolbar@toolbarnet.com
    FF - Extension: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\documents and settings\John B. Morgan IV\Application Data\Mozilla\Firefox\Profiles\wlrr7xnj.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\John B. Morgan IV\Application Data\Mozilla\Firefox\Profiles\wlrr7xnj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

    ---- FIREFOX POLICIES ----

    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-Malwarebytes' Anti-Malware_is1 - c:\program files\winlogon.exe\unins000.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-11 17:34
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-835585458-1146130675-857608242-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5DE01600-F5B7-C8B1-7CD2-7297AF3CA1DA}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "iaaoilmkjcecdghoci"=hex:6a,61,65,62,6d,67,70,65,62,69,6c,66,66,6c,70,6c,61,63,
    64,6d,00,00
    "haglooakcohnhhmp"=hex:6a,61,64,62,6f,67,68,6b,6f,6e,66,70,6e,6b,63,70,6f,6f,
    63,6e,00,6e
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2772)
    c:\windows\system32\WININET.dll
    c:\documents and settings\John B. Morgan IV\Application Data\Dropbox\bin\DropboxExt.13.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\Microsoft.NET\Framework\v1.1.4322\fusion.dll
    c:\program files\eee storage\xpclient.dll
    c:\program files\eee storage\logicnp.eznamespaceextensions.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Security Essentials\MsMpEng.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\igfxsrvc.exe
    c:\windows\system32\igfxext.exe
    c:\program files\Skype\Phone\Skype.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Skype\Plugin Manager\skypePM.exe
    .
    **************************************************************************
    .
    Completion time: 2010-12-11 17:42:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-12-11 12:12
    ComboFix2.txt 2010-08-18 16:45
    ComboFix3.txt 2010-08-04 15:08
    ComboFix4.txt 2010-08-03 16:07

    Pre-Run: 2,479,628,288 bytes free
    Post-Run: 2,465,161,216 bytes free

    Current=6 Default=6 Failed=4 LastKnownGood=7 Sets=1,2,3,4,5,6,7
    - - End Of File - - AC0BE219B2FC36542225ED3B00E76170
  16. crunchie Malware Helper

    Looks ok. How are things now?
  17. jbmorgan Newcomer, in training

    So far

    So far so good. I still get a couple of weird pop-ups when I start my machine, such as it tells me "New Hardware detected" when nothing new has been installed. But the functionality seems unimpaired.
  18. crunchie Malware Helper

    Check in device manager to make sure there are no exclamation marks next to any of the hardware and let me know. There could be a corrupt driver there somewhere.
  19. jbmorgan Newcomer, in training

    Dear Crunchie,

    There haven't been any more problems since the last time I wrote to you, fortunately. I still occasionally get that strange device error, but there are no exclamation points in Device Manager. The error I get is for AYHYYYUJ IDE Controller. It only happens sometimes, not every time I boot up. It's not a major problem but I'm not sure if it's a symptom of something that's still lingering.

    --John