
I've tried a few things and it still pops up.

I ran the TDSS Killer app and then the dds, but the malware still runs.

I just start the task manager and kill the app when it starts.

Here is the DDS log

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26

Run by Dave at 18:50:05 on 2011-11-26

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1509 [GMT -8:00]

.

AV: ESET Smart Security 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: ESET Personal firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\ESET\ESET Smart Security\ekrn.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ESET\ESET Smart Security\egui.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\WINDOWS\system32\NOTEPAD.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Google Update] "c:\documents and settings\dave\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [intelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{1B535209-D1D1-41EA-B609-67B8ECBD8354} : DhcpNameServer = 192.168.1.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Notify: igfxcui - igfxdev.dll

Notify: psfus - fusstub.dll

Notify: VESWinlogon - VESWinlogon.dll

LSA: Notification Packages = scecli fusstub

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\dave\application data\mozilla\firefox\profiles\jpiddyop.default\

FF - plugin: c:\documents and settings\dave\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

.

============= SERVICES / DRIVERS ===============

.

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [2002-3-10 9216]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-12-21 115008]

R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-1-12 810144]

R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2006-2-22 13440]

R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2006-2-22 33024]

R3 NETwLx32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [2011-7-10 6609920]

R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2011-7-14 1173824]

R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2005-1-1 71961]

R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2011-5-15 226304]

S2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\scutum50.sys --> c:\windows\system32\drivers\Scutum50.sys [?]

S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]

S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2011-8-22 24576]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\drivers\VMUVC.sys [2011-9-28 252416]

S3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [2011-9-28 398720]

.

=============== Created Last 30 ================

.

2011-11-26 20:17:05 -------- d-----w- c:\documents and settings\dave\application data\Malwarebytes

2011-11-26 20:16:58 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-11-26 20:16:54 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-26 20:16:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-20 23:53:14 -------- d-----w- C:\Temp

.

==================== Find3M ====================

.

2011-11-08 01:54:33 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 18:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 18:50:15.82 ===============


Welcome to the forum.

See if following this guide works.

Make sure you run rkill and then immediately run MBAM as described.

Most important....update MBAM before you run it.

The link below explains how to rename MBAM if needed:

http://forums.malwarebytes.org/index.php?showtopic=55485&view=findpost&p=274963

There's more info on getting rid of it at the link below also:

http://www.bleepingcomputer.com/virus-removal/remove-win-7-antispyware-2012

Post the logs back here. Good luck....MrC


Thanks, Charlie, after reading the guide, it almost seems easier to reformat and reinstall.

I'll give it a shot though.

But this bugs me:

I run my system as a limited user, run eset Smart Security. I have been free of Malware, viruses and other bugs for some time.

I can't even install programs unless I switch to an admin account.

How does this crap get installed and my registry modified if a limited user account can't?


Rkill Log

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Rkill was run on 11/27/2011 at 8:25:31.

Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

Rkill completed on 11/27/2011 at 8:25:42.

Malwarebytes Log:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8252

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/27/2011 9:17:06 AM

mbam-log-2011-11-27 (09-17-06).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)

Objects scanned: 311856

Time elapsed: 49 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Eset Log:

11/27/2011 9:20:24 AM Startup scanner file Operating memory » C:\Documents and Settings\Dave_2\Local Settings\Application Data\kif.exe a variant of Win32/Adware.XPAntiSpyware.AC application cleaned by deleting - quarantined WEBBDAWG\Dave_2

After running the above, I rebooted and my Eset found and quarantined the file. Malware was never able to find it which is just as distressing as Eset allowing it to be installed in the first place. I have contacted Eset with the information and wait for a response.

I run as a limited user exclusively.

I use Firefox 4.0.1 (and will apply updates as I see there are some)

I only use IE when Win Updates are run.

If I could run Linux and my Macromedia 8 Suite in WINE without it crashing, I would ditch Windows forever.

Thanks for the help.


If you still want to continue ....... please do this:

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTL.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC


Charlie, thanks. I just got home, so give me a few days, as tomorrow is back to work and I also have to leave my van to get worked on.

I like the output, I looked at the tutorial.

I've built my own systems since 1990 when I got my first one and have done some basic VB and PHP programming. So, like I said, the output of OTL looks interesting and maybe I can learn something too.

Dave


Charlie, I am guessing I fixed it because I no longer have the XP Antivirus 2012 popping up. But these things have hooks too.

Let me know what you find. But like I said, Things seem to be back to normal.

Here is the OTL.txt (I put the xxxx in place of my computer name) :P

OTL logfile created on: 11/28/2011 4:56:40 PM - Run 1

OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Dave_2\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.53 Gb Available Physical Memory | 76.71% Memory free

11.61 Gb Paging File | 11.30 Gb Available in Paging File | 97.38% Paging File free

Paging file location(s): D:\pagefile.sys 9999 10000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 75.00 Gb Total Space | 31.65 Gb Free Space | 42.19% Space Free | Partition Type: NTFS

Drive D: | 10.00 Gb Total Space | 0.18 Gb Free Space | 1.79% Space Free | Partition Type: NTFS

Drive E: | 26.78 Gb Total Space | 26.77 Gb Free Space | 100.00% Space Free | Partition Type: FAT32

Drive Z: | 931.51 Gb Total Space | 904.60 Gb Free Space | 97.11% Space Free | Partition Type: NTFS

Computer Name: XXXXXX | User Name: Dave_2 | NOT logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/11/28 16:56:11 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dave_2\Desktop\OTL.exe

PRC - [2011/01/12 15:41:24 | 002,219,184 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\egui.exe

PRC - [2011/01/12 14:16:06 | 001,210,640 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

PRC - [2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2004/11/17 18:47:00 | 000,118,784 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe

PRC - [2004/08/19 07:40:00 | 000,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe

========== Modules (No Company Name) ==========

========== Win32 Services (SafeList) ==========

========== Driver Services (SafeList) ==========

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-790525478-630328440-1417001333-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-21-790525478-630328440-1417001333-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/

IE - HKU\S-1-5-21-790525478-630328440-1417001333-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us

IE - HKU\S-1-5-21-790525478-630328440-1417001333-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = CA 9F 17 A0 90 16 CC 01 [binary data]

IE - HKU\S-1-5-21-790525478-630328440-1417001333-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/27 17:31:03 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 3.1.16\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/11/27 17:39:39 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 3.1.16\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2011/05/23 14:47:33 | 000,000,000 | ---D | M]

[2011/05/18 17:30:08 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Dave_2\Application Data\Mozilla\Extensions

[2011/05/18 17:30:08 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Dave_2\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}

[2011/05/18 17:30:08 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Dave_2\Application Data\Mozilla\Firefox\Profiles\s5ts8t0h.default\extensions

[2011/05/18 17:30:08 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Dave_2\Application Data\Mozilla\Firefox\Profiles\s5ts8t0h.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2011/11/27 17:31:10 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2011/09/28 16:59:44 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}

[2011/11/27 17:31:02 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll

[2011/11/27 17:30:58 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

[2011/11/27 17:30:58 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)

CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}

CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}

CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Dave_2\Local Settings\Application Data\Google\Chrome\Application\14.0.835.187\gcswf32.dll

CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll

CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll

CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll

CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL

CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL

CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Dave_2\Local Settings\Application Data\Google\Chrome\Application\14.0.835.187\pdf.dll

CHR - plugin: Chrome NaCl (Enabled) = C:\Documents and Settings\Dave_2\Local Settings\Application Data\Google\Chrome\Application\14.0.835.187\ppGoogleNaClPluginChrome.dll

CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Documents and Settings\Dave_2\Local Settings\Application Data\Google\Chrome\Application\14.0.835.187\gears.dll

CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll

CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll

CHR - plugin: Default Plug-in (Enabled) = default_plugin

CHR - Extension: Entanglement = C:\Documents and Settings\Dave_2\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.5.7_0\

CHR - Extension: Poppit = C:\Documents and Settings\Dave_2\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0\

CHR - Extension: Greyscale = C:\Documents and Settings\Dave_2\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\penkfbldfkaelnnhblmfmajlggdielfm\1.0_0\

O1 HOSTS File: ([2011/09/24 11:10:07 | 000,000,769 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)

O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)

O4 - HKLM..\Run: [intelWireless] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel® Corporation)

O4 - HKU\S-1-5-21-790525478-630328440-1417001333-1004..\Run: [1553187517] C:\Documents and Settings\Dave_2\Local Settings\Application Data\kif.exe File not found

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-790525478-630328440-1417001333-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)

O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)

O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)

O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1B535209-D1D1-41EA-B609-67B8ECBD8354}: DhcpNameServer = 192.168.1.1

O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O20 - Winlogon\Notify\psfus: DllName - (fusstub.dll) - C:\WINDOWS\System32\fusstub.dll (UPEK Inc.)

O20 - Winlogon\Notify\VESWinlogon: DllName - (VESWinlogon.dll) - File not found

O24 - Desktop WallPaper: C:\Documents and Settings\Dave_2\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Dave_2\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2011/05/14 23:23:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/11/28 16:56:11 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dave_2\Desktop\OTL.exe

[2011/11/26 12:16:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware

[2011/11/26 12:16:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2011/11/26 12:16:54 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2011/11/26 12:16:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2011/11/20 15:53:14 | 000,000,000 | ---D | C] -- C:\Temp

[2011/11/02 15:37:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dave_2\Application Data\Skype

========== Files - Modified Within 30 Days ==========

[2011/11/28 16:56:11 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dave_2\Desktop\OTL.exe

[2011/11/28 16:37:01 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2011/11/28 16:37:00 | 2137,051,136 | -HS- | M] () -- C:\hiberfil.sys

[2011/11/27 19:22:00 | 000,000,982 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-790525478-630328440-1417001333-1004UA.job

[2011/11/27 19:22:00 | 000,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-790525478-630328440-1417001333-1004Core.job

[2011/11/27 18:34:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-790525478-630328440-1417001333-1003UA.job

[2011/11/27 17:36:19 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2011/11/27 09:51:00 | 000,002,311 | ---- | M] () -- C:\Documents and Settings\Dave_2\Application Data\Microsoft\Internet Explorer\Quick Launch\Macromedia Dreamweaver 8.lnk

[2011/11/27 09:20:10 | 000,017,810 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\157850g1p046c522p184r5dtv4q8

[2011/11/27 09:20:09 | 000,017,810 | -HS- | M] () -- C:\Documents and Settings\Dave_2\Local Settings\Application Data\157850g1p046c522p184r5dtv4q8

[2011/11/27 08:20:33 | 001,008,114 | ---- | M] () -- C:\Documents and Settings\Dave_2\Desktop\rkill.exe

[2011/11/26 12:34:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-790525478-630328440-1417001333-1003Core.job

[2011/11/26 12:16:59 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2011/11/19 09:23:09 | 000,002,271 | ---- | M] () -- C:\Documents and Settings\Dave_2\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

[2011/11/19 09:23:08 | 000,002,293 | ---- | M] () -- C:\Documents and Settings\Dave_2\Desktop\Google Chrome.lnk

[2011/11/09 20:54:36 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2011/11/07 17:54:33 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl

[2011/11/06 10:44:00 | 000,000,211 | -HS- | M] () -- C:\boot.ini

[2011/11/06 09:04:12 | 000,432,924 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2011/11/06 09:04:12 | 000,067,714 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2011/11/02 15:37:36 | 000,002,415 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk

========== Files Created - No Company Name ==========

[2011/11/27 08:20:33 | 001,008,114 | ---- | C] () -- C:\Documents and Settings\Dave_2\Desktop\rkill.exe

[2011/11/26 18:26:07 | 2137,051,136 | -HS- | C] () -- C:\hiberfil.sys

[2011/11/26 12:16:59 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2011/11/26 09:09:35 | 000,017,810 | -HS- | C] () -- C:\Documents and Settings\Dave_2\Local Settings\Application Data\157850g1p046c522p184r5dtv4q8

[2011/11/26 09:09:35 | 000,017,810 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\157850g1p046c522p184r5dtv4q8

[2011/07/14 18:17:17 | 000,014,119 | ---- | C] () -- C:\WINDOWS\System32\RaCoInst.dat

[2011/07/14 18:17:16 | 000,000,068 | ---- | C] () -- C:\WINDOWS\System32\RT148F3573.ini

[2011/07/10 15:33:44 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll

[2011/06/19 17:03:29 | 000,480,608 | ---- | C] () -- C:\WINDOWS\System32\DiagFunc.dll

[2011/05/18 19:20:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\EEventManager.INI

[2011/05/18 18:36:47 | 000,073,220 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat

[2011/05/18 18:36:47 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat

[2011/05/18 18:36:47 | 000,029,114 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat

[2011/05/18 18:36:47 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat

[2011/05/18 18:36:47 | 000,021,021 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat

[2011/05/18 18:36:47 | 000,015,670 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat

[2011/05/18 18:36:47 | 000,013,280 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat

[2011/05/18 18:36:47 | 000,010,673 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat

[2011/05/18 18:36:47 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat

[2011/05/18 18:36:47 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat

[2011/05/18 18:36:47 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat

[2011/05/18 18:36:47 | 000,001,137 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat

[2011/05/18 18:36:47 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat

[2011/05/18 18:36:47 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat

[2011/05/18 18:36:47 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat

[2011/05/18 18:36:47 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini

[2011/05/18 18:35:29 | 000,000,090 | ---- | C] () -- C:\WINDOWS\EPWF610.ini

[2011/05/18 17:30:53 | 000,005,120 | ---- | C] () -- C:\Documents and Settings\Dave_2\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2011/05/15 08:23:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat

[2011/05/15 05:28:52 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll

[2011/05/14 23:26:10 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat

[2011/05/14 23:20:41 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

[2005/01/01 15:39:24 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2005/01/01 15:38:00 | 000,270,192 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2004/08/04 04:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin

[2004/08/04 04:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat

[2004/08/04 04:00:00 | 000,432,924 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat

[2004/08/04 04:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat

[2004/08/04 04:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat

[2004/08/04 04:00:00 | 000,067,714 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat

[2004/08/04 04:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin

[2004/08/04 04:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat

[2004/08/04 04:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat

[2004/08/04 04:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

[2004/08/04 04:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin

[2004/08/04 04:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

< End of report >

Here is the Extras.txt

OTL Extras logfile created on: 11/28/2011 4:56:40 PM - Run 1

OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Dave_2\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.53 Gb Available Physical Memory | 76.71% Memory free

11.61 Gb Paging File | 11.30 Gb Available in Paging File | 97.38% Paging File free

Paging file location(s): D:\pagefile.sys 9999 10000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 75.00 Gb Total Space | 31.65 Gb Free Space | 42.19% Space Free | Partition Type: NTFS

Drive D: | 10.00 Gb Total Space | 0.18 Gb Free Space | 1.79% Space Free | Partition Type: NTFS

Drive E: | 26.78 Gb Total Space | 26.77 Gb Free Space | 100.00% Space Free | Partition Type: FAT32

Drive Z: | 931.51 Gb Total Space | 904.60 Gb Free Space | 97.11% Space Free | Partition Type: NTFS

Computer Name: WEBBDAWG | User Name: Dave_2 | NOT logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)

http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)

https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)

jsfile [edit] -- "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1" (Macromedia, Inc.)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE:*:Enabled:Microsoft OneNote -- (Microsoft Corporation)

"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)

"C:\Program Files\Epson Software\Event Manager\EEventManager.exe" = C:\Program Files\Epson Software\Event Manager\EEventManager.exe:*:Enabled:EEventManager Application -- (SEIKO EPSON CORPORATION)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{0837A661-FEC3-48B3-876C-91E7D32048A9}" = Macromedia Dreamweaver 8

"{0CBE6C93-CB2E-4378-91EE-12BE6D4E2E4A}" = Epson FAX Utility

"{0E95DA08-2514-4399-AD87-349C350FA9DE}" = Intel® PROSet/Wireless WiFi Software

"{1417F599-1DBD-4499-9375-B2813E9F890C}" = VAIO Camera Utility

"{26A24AE4-039D-4CA4-87B4-2F83216026FF}" = Java 6 Update 26

"{2A0F3EF9-68EE-49E9-A05B-ED5B82DF63E5}" = Wireless Switch Setting Utility

"{2BD5C305-1B27-4D41-B690-7A61172D2FEB}" = Macromedia Flash 8

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{38D80A4C-D893-4985-BA3F-0B1D9E848CED}" = ESET Smart Security

"{48F22622-1CC2-4A83-9C1E-644DD96F832D}" = Epson Event Manager

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}" = Macromedia Fireworks 8

"{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}" = Macromedia Extension Manager

"{59452470-A902-477F-9338-9B88101681BD}" = Setting Utility Series

"{5958CAC6-373E-402F-84FE-0A699AA920B9}" = LAN Setting Utility

"{6D6664A9-3342-4948-9B7E-034EFE366F0F}" = HTC Driver Installer

"{71A51A91-E7D3-11DB-A386-005056C00008}" = Vimicro USB2.0 UVC PC Camera

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{7E1A3562-C36E-4B2B-B083-336DE8E30A88}" = TRENDnet Wireless LAN

"{885A63EA-382B-4DD4-A755-14809B8557D6}" = Macromedia Flash Player 8

"{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}" = Macromedia Flash 8 Video Encoder

"{8DF4C627-4AF3-4245-9F13-3518FC8584DC}" = Protector Suite QL 5.3

"{90140000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 14

"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010

"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010

"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010

"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010

"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010

"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010

"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010

"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010

"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010

"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010

"{90140000-003D-0000-0000-0000000FF1CE}" = Microsoft Office Single Image 2010

"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010

"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010

"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010

"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio

"{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5

"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)

"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{CD41B576-4787-4D5C-95EE-24A4ABD89CD3}" = System Requirements Lab for Intel

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{EF3D45BB-2260-4008-88EA-492E7744A9DF}" = Sony Utilities DLL

"{F0D85ADD-DD61-4B43-87A0-6DA52A211A8B}" = VAIO Event Service

"{FCAFEEB3-3520-4539-89AF-4B743D2DFAEC}" = HTC Sync

"474492506B458A0013C8197612FA45B887DF7B06" = Windows Driver Package - Sony Corporation (SPI) HIDCLASS (08/20/2002 7.0.3.820)

"6228B4FE0926AA3D873E8209B97FB99D06CC1DD8" = Windows Driver Package - Sony Corporation (SNC) HIDClass (06/04/2002 6.0.0.2)

"75CFB2C43D1C9AE2A7A0E5B0453B7550102420DB" = Windows Driver Package - NVIDIA (nv) Display (06/20/2006 8.4.9.1)

"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin

"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_20030003" = HDAUDIO SoftV92 Data Fax Modem with SmartCP

"EPSON PC-FAX Driver 2" = Epson PC-FAX Driver

"EPSON Scanner" = EPSON Scan

"EPSON WorkForce 610 Series" = EPSON WorkForce 610 Series Printer Uninstall

"HDMI" = Intel® Graphics Media Accelerator Driver

"ie8" = Windows Internet Explorer 8

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Mozilla Firefox 8.0.1 (x86 en-US)" = Mozilla Firefox 8.0.1 (x86 en-US)

"Mozilla Thunderbird (3.1.16)" = Mozilla Thunderbird (3.1.16)

"Nero - Burning Rom!UninstallKey" = Nero OEM

"NeroVision!UninstallKey" = NeroVision Express 2

"NMPUninstallKey" = Nero Media Player

"NVIDIA Drivers" = NVIDIA Drivers

"Office14.SingleImage" = Microsoft Office Home and Student 2010

"ProInst" = Intel PROSet Wireless

"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7

"Windows XP Service Pack" = Windows XP Service Pack 3

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-790525478-630328440-1417001333-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

Error: Unable to start EventLog service!

< End of report >


At some point please update your Java (Java Plug-in 1.6.0_26); it should be Java Plug-in 1.6.0_29.

Just go to your control panel > Java > update

-----------------------------------------------

Please do this:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O4 - HKU\S-1-5-21-790525478-630328440-1417001333-1004..\Run: [1553187517] C:\Documents and Settings\Dave_2\Local Settings\Application Data\kif.exe File not found
    O20 - Winlogon\Notify\VESWinlogon: DllName - (VESWinlogon.dll) - File not found
    [2011/11/27 09:20:10 | 000,017,810 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\157850g1p046c522p184r5dtv4q8
    [2011/11/27 09:20:09 | 000,017,810 | -HS- | M] () -- C:\Documents and Settings\Dave_2\Local Settings\Application Data\157850g1p046c522p184r5dtv4q8
    [2011/11/26 09:09:35 | 000,017,810 | -HS- | C] () -- C:\Documents and Settings\Dave_2\Local Settings\Application Data\157850g1p046c522p184r5dtv4q8
    [2011/11/26 09:09:35 | 000,017,810 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\157850g1p046c522p184r5dtv4q8

    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

MrC

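The fix above works by pasting the suspicious log lines straight back into OTL's Custom Scans/Fixes box, so the real work is deciding which lines deserve to go there. As an added example (not part of this thread, and not OTL's or OldTimer's code), here is a small Python triage script that applies the same reasoning to OTL log lines in the format shown above and drafts the `:OTL` / `:Commands` block from whatever it flags. The sample lines are copied from the logs posted in this thread; the heuristics (hidden+system attributes under a profile data folder, a long extension-less name that mixes letters and digits, the same file name dropped into several profiles, a Run entry launching from Local Settings or Temp, an orphaned Run or Winlogon Notify entry) are this example's own assumptions, not OTL's logic, and anything it drafts still needs a human to look at it before the Run Fix button is pressed.

```python
"""Triage OTL scan-log lines and draft a fix script in the format the thread uses.

Added example: not OTL's (OldTimer's) code and not from the thread. The
heuristics are this example's own assumptions about what deserves a second
look; a flagged line is a candidate for review, not a verdict.
"""
import re
from collections import defaultdict

# OTL file line:  [yyyy/mm/dd hh:mm:ss | size | attrs | C|M] (company) -- path
FILE_RE = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# O4 autostart line:  O4 - <hive>\Run: [value name] <path> [File not found]
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+)\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+?)(?P<missing> File not found)?$"
)
# O20 Winlogon notify line:  O20 - Winlogon\Notify\<name>: DllName - (<dll>) - <status>
O20_RE = re.compile(
    r"^O20 - Winlogon\\Notify\\(?P<name>[^:]+): DllName - \((?P<dll>[^)]*)\) - (?P<status>.+)$"
)

# Folders a legitimate autostart rarely launches from (assumption).
USER_DATA_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def in_user_data(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_DATA_MARKERS)


def looks_random(name: str) -> bool:
    """Assumed heuristic: long, extension-less, and a real mix of letters and digits."""
    if "." in name or len(name) < 16 or not name.isalnum():
        return False
    digits = sum(c.isdigit() for c in name)
    letters = sum(c.isalpha() for c in name)
    return digits >= 4 and letters >= 4


def triage(lines):
    """Return (flagged_lines, reasons): flagged lines in log order, reasons keyed by line."""
    entries = [line.strip() for line in lines if line.strip()]

    # Pass 1: in which parent folders does each file name appear?  The same odd
    # name dropped into several profiles is exactly the pattern the thread shows.
    homes = defaultdict(set)
    for line in entries:
        m = FILE_RE.match(line)
        if m:
            name = basename(m["path"])
            homes[name].add(m["path"][: -len(name)].lower())

    flagged, reasons = [], {}

    def flag(line, why):
        if line not in reasons:
            reasons[line] = []
            flagged.append(line)
        reasons[line].append(why)

    # Pass 2: score each line.
    for line in entries:
        m = FILE_RE.match(line)
        if m:
            path, attrs = m["path"], m["attrs"]
            name = basename(path)
            if not in_user_data(path):
                continue  # system folders need different rules; out of scope here
            if "H" in attrs and "S" in attrs:
                flag(line, "hidden+system file under a profile data folder")
            if looks_random(name):
                flag(line, "random-looking name with no extension")
            if len(homes[name]) > 1:
                flag(line, f"same file name present in {len(homes[name])} profile folders")
            continue
        m = O4_RE.match(line)
        if m:
            if m["missing"]:
                flag(line, "Run entry whose target file is missing (orphan)")
            if in_user_data(m["path"]):
                flag(line, "Run entry launching from a user data or temp folder")
            if m["name"].isdigit():
                flag(line, "numeric-only Run value name")
            continue
        m = O20_RE.match(line)
        if m and "not found" in m["status"].lower():
            flag(line, "Winlogon Notify package whose DLL is missing (orphan)")

    return flagged, reasons


def draft_fix_script(flagged):
    """Lay the flagged lines out the way OTL's Custom Scans/Fixes box expects:
    the log lines verbatim under :OTL, then [emptytemp] under :Commands."""
    return "\n".join([":OTL", *flagged, "", ":Commands", "[emptytemp]"])


# Sample input: lines copied from the OTL logs posted in this thread.
SAMPLE = [
    r"[2011/05/18 18:36:47 | 000,021,021 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat",
    r"[2011/05/14 23:26:10 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat",
    r"[2011/05/18 17:30:53 | 000,005,120 | ---- | C] () -- C:\Documents and Settings\Dave_2\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini",
    r"O4 - HKU\S-1-5-21-790525478-630328440-1417001333-1004..\Run: [1553187517] C:\Documents and Settings\Dave_2\Local Settings\Application Data\kif.exe File not found",
    r"O20 - Winlogon\Notify\VESWinlogon: DllName - (VESWinlogon.dll) - File not found",
    r"[2011/11/27 09:20:10 | 000,017,810 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\157850g1p046c522p184r5dtv4q8",
    r"[2011/11/27 09:20:09 | 000,017,810 | -HS- | M] () -- C:\Documents and Settings\Dave_2\Local Settings\Application Data\157850g1p046c522p184r5dtv4q8",
]

if __name__ == "__main__":
    flagged, reasons = triage(SAMPLE)
    for line in flagged:
        print(line)
        for why in reasons[line]:
            print("    ->", why)
    print()
    print(draft_fix_script(flagged))
```

Run against the sample, it flags the orphaned `kif.exe` Run entry, the orphaned `VESWinlogon` notify package and both copies of the hidden+system `157850g1p046c522p184r5dtv4q8` file, and leaves the `System32` and `bootstat.dat` lines alone; the drafted script is the same shape as the one MrC posted. The `-HS-` attribute pair is the strongest single signal here: user-data folders have no business holding files that are both hidden and system-flagged, and that is what makes the random name stand out even before its presence in two profiles is noticed.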

I noticed all the users have the same /xxxxxxx

under the /appdata/ folder.

Here is the log file from the fix.

All processes killed

========== OTL ==========

Registry key HKEY_USERS\S-1-5-21-790525478-630328440-1417001333-1004\Software\Microsoft\Windows\CurrentVersion\Run not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\VESWinlogon\ deleted successfully.

C:\Documents and Settings\All Users\Application Data\157850g1p046c522p184r5dtv4q8 moved successfully.

C:\Documents and Settings\Dave_2\Local Settings\Application Data\157850g1p046c522p184r5dtv4q8 moved successfully.

File C:\Documents and Settings\Dave_2\Local Settings\Application Data\157850g1p046c522p184r5dtv4q8 not found.

File C:\Documents and Settings\All Users\Application Data\157850g1p046c522p184r5dtv4q8 not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 117835459 bytes

->Temporary Internet Files folder emptied: 3168801 bytes

->Java cache emptied: 349050 bytes

->FireFox cache emptied: 36798174 bytes

->Flash cache emptied: 849 bytes

User: All Users

User: Dave

->Temp folder emptied: 340845515 bytes

->Temporary Internet Files folder emptied: 843262 bytes

->FireFox cache emptied: 37373824 bytes

->Google Chrome cache emptied: 15783460 bytes

->Flash cache emptied: 615 bytes

User: DaveT

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->FireFox cache emptied: 7568580 bytes

->Flash cache emptied: 562 bytes

User: Dave_2

->Temp folder emptied: 329236421 bytes

->Temporary Internet Files folder emptied: 25499183 bytes

->Java cache emptied: 352581 bytes

->FireFox cache emptied: 42501514 bytes

->Google Chrome cache emptied: 55643213 bytes

->Flash cache emptied: 2836517 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 684909 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 970.00 mb

OTL by OldTimer - Version 3.2.31.0 log created on 11302011_174348

Files\Folders moved on Reboot...

C:\WINDOWS\temp\inf1clrg.tmp moved successfully.

Registry entries deleted on Reboot...


I noticed all the users have the same /xxxxxxx

under the /appdata/ folder.

I'm not sure what you mean by this.

-------------------------------

One more scan to run...ComboFix

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

MrC


I'm not sure what you mean by this.

Notice the string at the end of each line. That is what I meant.

[2011/11/27 09:20:10 | 000,017,810 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\157850g1p046c522p184r5dtv4q8

[2011/11/27 09:20:09 | 000,017,810 | -HS- | M] () -- C:\Documents and Settings\Dave_2\Local Settings\Application Data\157850g1p046c522p184r5dtv4q8

[2011/11/26 09:09:35 | 000,017,810 | -HS- | C] () -- C:\Documents and Settings\Dave_2\Local Settings\Application Data\157850g1p046c522p184r5dtv4q8

[2011/11/26 09:09:35 | 000,017,810 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\157850g1p046c522p184r5dtv4q8

Here is the Combofix.txt.

ComboFix 11-12-01.03 - Dave 12/01/2011 19:37:04.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1407 [GMT -8:00]

Running from: c:\documents and settings\Dave_2\Desktop\ComboFix.exe

AV: ESET Smart Security 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: ESET Personal firewall *Disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\EventSystem.log

c:\windows\system32\usmt\migwiz_a.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-11-02 to 2011-12-02 )))))))))))))))))))))))))))))))

.

.

2011-12-01 01:43 . 2011-12-01 01:43 -------- d-----w- C:\_OTL

2011-11-28 01:31 . 2011-11-28 01:31 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll

2011-11-28 01:31 . 2011-11-28 01:31 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll

2011-11-27 03:17 . 2011-11-27 03:17 -------- d-----w- c:\documents and settings\DaveT

2011-11-26 20:17 . 2011-11-26 20:17 -------- d-----w- c:\documents and settings\Dave\Application Data\Malwarebytes

2011-11-26 20:16 . 2011-11-26 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-11-26 20:16 . 2011-11-26 20:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-26 20:16 . 2011-09-01 01:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-20 23:53 . 2011-11-20 23:53 -------- d-----w- C:\Temp

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-08 01:54 . 2011-05-19 17:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-10 14:22 . 2011-05-15 07:21 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 18:41 . 2008-07-30 02:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 18:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 18:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-11-28 01:31 . 2011-05-15 16:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-01-12 2219184]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-01-12 1210640]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

2006-02-23 01:11 39936 ----a-w- c:\windows\system32\fusstub.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli fusstub

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Seagate Product Registration.lnk]

path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Seagate Product Registration.lnk

backup=c:\windows\pss\Seagate Product Registration.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2011-03-30 17:29 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Biomenu]

2006-02-23 01:10 1354240 ----a-w- c:\program files\Protector Suite QL\menusw.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]

2009-01-12 16:54 669520 ------w- c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON WorkForce 610 Series]

2009-01-26 06:00 199680 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIFJA.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FUFAXSTM]

2009-02-06 07:00 843776 ----a-w- c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2011-05-15 16:14 136176 ----atw- c:\documents and settings\Dave\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]

2011-01-12 22:26 1400832 ----a-w- c:\program files\Intel\WiFi\bin\ZCfgSvc.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]

2004-02-20 21:12 32768 ----a-w- c:\program files\Sony\ISB Utility\ISBMgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mobile Connectivity Suite]

2009-11-19 23:19 598016 ----a-r- c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 10:50 155648 ----a-r- c:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2006-06-21 00:45 7561216 ----a-w- c:\windows\system32\nvcpl.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2011-04-08 19:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Switcher.exe]

2006-02-14 19:11 176128 ----a-w- c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOCameraUtility]

2005-12-27 20:58 69632 ----a-w- c:\program files\Sony\VAIO Camera Utility\VCUServe.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMonitorVMUVC]

2008-08-30 00:27 143360 ----a-w- c:\program files\Vimicro Corporation\VMUVC\VMonitor.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [3/10/2002 10:55 PM 9216]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [12/21/2010 2:04 PM 115008]

R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [1/12/2011 3:41 PM 810144]

R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2/22/2006 5:13 PM 13440]

R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2/22/2006 5:13 PM 33024]

R3 NETwLx32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [7/10/2011 3:31 PM 6609920]

R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [1/1/2005 3:41 PM 71961]

R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [5/15/2011 5:46 AM 226304]

S2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\Drivers\Scutum50.sys --> c:\windows\system32\Drivers\Scutum50.sys [?]

S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]

S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [8/22/2011 6:13 PM 24576]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]

S3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\drivers\VMUVC.sys [9/28/2011 9:42 AM 252416]

S3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [9/28/2011 9:42 AM 398720]

.

Contents of the 'Scheduled Tasks' folder

.

2011-11-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-630328440-1417001333-1003Core.job

- c:\documents and settings\Dave\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-15 16:14]

.

2011-12-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-630328440-1417001333-1003UA.job

- c:\documents and settings\Dave\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-15 16:14]

.

2011-12-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-630328440-1417001333-1004Core.job

- c:\documents and settings\Dave_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-20 02:27]

.

2011-12-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-630328440-1417001333-1004UA.job

- c:\documents and settings\Dave_2\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-20 02:27]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\documents and settings\Dave\Application Data\Mozilla\Firefox\Profiles\jpiddyop.default\

.

- - - - ORPHANS REMOVED - - - -

.

MSConfigStartUp-Seagate Dashboard - c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-01 19:39

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1852)

c:\windows\system32\fusstub.dll

c:\program files\Protector Suite QL\infra.dll

c:\program files\Protector Suite QL\homefus.dll

c:\windows\system32\biologon.dll

c:\program files\Protector Suite QL\homepass.dll

c:\program files\Protector Suite QL\passport.dll

c:\program files\Protector Suite QL\BhTcAll.dll

c:\program files\Protector Suite QL\BhDevTfm.dll

c:\program files\Protector Suite QL\AlgVer.dll

c:\program files\Protector Suite QL\TCBioLib.dll

c:\program files\Protector Suite QL\remote.dll

c:\windows\system32\netprovcredman.dll

c:\windows\system32\igfxdev.dll

c:\program files\Protector Suite QL\config.dll

.

- - - - - - - > 'lsass.exe'(1912)

c:\windows\system32\fusstub.dll

c:\program files\Protector Suite QL\infra.dll

c:\program files\Protector Suite QL\homefus.dll

.

Completion time: 2011-12-01 19:41:07

ComboFix-quarantined-files.txt 2011-12-02 03:41

.

Pre-Run: 35,015,479,296 bytes free

Post-Run: 35,103,346,688 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - E544FE26E5B5AFC7CACC8A4B3AE1C2D4

I can say that this is getting a bit tedious. An HD wipe and fresh install would be much easier.

I hope this helps others in the future.

Thanks.


The listed infections have been removed after this log was created.

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8293

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/2/2011 8:35:44 PM

mbam-log-2011-12-02 (20-35-32).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)

Objects scanned: 310067

Time elapsed: 41 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\Dave_2\local settings\application data\ube.exe (Trojan.FakeAV) -> No action taken.

c:\documents and settings\Dave_2\local settings\Temp\msimg32.dll (Rootkit.0Access) -> No action taken.


OK, if everything is OK.......

Please Uninstall ComboFix:

Go to start > run and copy and paste the next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

------------

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

-----------

Please update your Java > Control panel > Java > Update. Should be BrowserJavaVersion: 1.6.0_29

---------------------------

Any questions...please post back.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC
