
198 PUP.MyWebSearch objects removed system still infected



Screen317 was helping me clean my system but due to a glitch all my posts were lost. I was last asked to update MBAM and run a quick scan, and to download and run ComboFix and send logs of both. I did both and sent the logs on 10/30/2012. The post was lost. I was instructed to try and pick up where we left off by way of a new post.

Please find the MBAM log from 11/17/2012 and the ComboFix log from 10/30/2012. The laptop has not been used since the 10/30/2012 logs.

PLEASE HELP me finish cleaning my system. Thanks in advance for any assistance!

Malwarebytes Anti-Malware 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.16.11

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)

Internet Explorer 8.0.6001.18702

Administrator :: GEORGE [administrator]

11/17/2012 1:37:34 AM

mbam-log-2012-11-17 (01-37-34).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 271256

Time elapsed: 7 minute(s), 58 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

ComboFix 12-10-30.03 - Administrator 10/30/2012 23:29:22.1.1 - x86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.702.550 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Owner\WINDOWS

c:\program files\Internet Explorer\bugreport.txt

c:\windows\a3kebook.ini

c:\windows\akebook.ini

c:\windows\ANS2000.INI

c:\windows\EventSystem.log

c:\windows\system32\SET3B.tmp

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\fusion.dll

c:\windows\system32\URTTemp\mscoree.dll

c:\windows\system32\URTTemp\mscoree.dll.local

c:\windows\system32\URTTemp\mscorsn.dll

c:\windows\system32\URTTemp\mscorwks.dll

c:\windows\system32\URTTemp\msvcr71.dll

c:\windows\system32\URTTemp\regtlib.exe

c:\windows\Uninstall.ini

c:\windows\wc98pp.dll

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_MYWEBSEARCHSERVICE

.

.

((((((((((((((((((((((((( Files Created from 2012-09-28 to 2012-10-31 )))))))))))))))))))))))))))))))

.

.

2012-10-28 19:42 . 2012-10-28 19:42 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

2012-10-27 11:09 . 2012-10-27 11:09 -------- d-----w- c:\windows\LastGood.Tmp

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-09-30 00:54 . 2012-09-29 21:18 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-08-28 15:14 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll

2012-08-28 15:14 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-08-28 15:14 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-08-28 12:07 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SiSPower"="SiSPower.dll" [2005-02-26 49152]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]

"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-01-27 274608]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Malwarebytes Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-09-30 766536]

"Malwarebytes Anti-Malware (cleanup)"="c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll" [2012-09-30 1089608]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2008-6-22 217088]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2007-11-16 02:46 87352 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk

backup=c:\windows\pss\Utility Tray.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^George Hocker^Start Menu^Programs^Startup^Anapod Manager.lnk]

path=c:\documents and settings\George Hocker\Start Menu\Programs\Startup\Anapod Manager.lnk

backup=c:\windows\pss\Anapod Manager.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]

Alaunch [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]

2004-10-08 02:50 88363 -c--a-w- c:\windows\AGRSMMSG.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 -c--a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

2005-05-31 12:33 122941 -c--a-w- c:\windows\system32\dla\tfswctrl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2006-03-21 01:34 86960 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]

2005-10-12 22:16 315392 -c--a-w- c:\program files\Launch Manager\QtZgAcer.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]

2007-08-03 23:09 63048 -c--a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]

2005-03-04 20:13 32768 -c--a-w- c:\windows\system32\Keyhook.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower]

2005-02-26 02:35 49152 -c----w- c:\windows\system32\SiSPower.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

2005-02-24 01:13 77824 -c--a-w- c:\windows\SOUNDMAN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

2004-10-08 06:43 688218 -c--a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]

2004-10-08 06:44 98394 -c--a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

.

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/27/2011 3:25 PM 136176]

S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 6:09 PM 12992]

S2 SPDISK;SPDISK;c:\windows\system32\drivers\spdisk.sys [1/2/2007 5:16 AM 48294]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/27/2011 3:25 PM 136176]

S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [12/13/2006 9:24 PM 47360]

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-17 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

.

2012-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-27 20:25]

.

2012-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-27 20:25]

.

2012-10-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3222023231-2948638799-1041803130-1009.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 19:33]

.

2012-10-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3222023231-2948638799-1041803130-1009.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 19:33]

.

2012-10-31 c:\windows\Tasks\User_Feed_Synchronization-{D7EBC81C-50ED-4530-8677-59A34A4DBDEE}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: {{5CFA5B80-01F4-420F-B18B-545712C8A1C8} - http://www.playsushi.com/About.ps?l=6&t=nBnuqYynS

TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12

Name-Space Handler: ftp\DLA.IEClickMon - {A5A08E80-B472-11D2-89D1-0080C8C12A3A} -

Name-Space Handler: http\DLA.IEClickMon - {A5A08E80-B472-11D2-89D1-0080C8C12A3A} -

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} - hxxp://www.iolo.com/app/ocx/UpgradeVerify.ocx

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

.

- - - - ORPHANS REMOVED - - - -

.

MSConfigStartUp-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

MSConfigStartUp-AnyDVD - c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe

MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

MSConfigStartUp-DW4 - c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

MSConfigStartUp-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe

MSConfigStartUp-LogitechQuickCamRibbon - c:\program files\Logitech\QuickCam\Quickcam.exe

MSConfigStartUp-MsnMsgr - c:\progra~1\WI1F86~1\MESSEN~1\MsnMsgr.Exe

MSConfigStartUp-PCMService - c:\program files\Arcade\PCMService.exe

MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe

MSConfigStartUp-WebArmyKnife - c:\documents and settings\George Hocker\Desktop\WAK.exe

MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\YahooMessenger.exe

AddRemove-Typing Instructor Deluxe - c:\program files\Typing Instructor Deluxe\unwise.exe

AddRemove-Yahoo! Toolbar - c:\progra~1\Yahoo!\Common\UNYT_W~1.EXE

.

.

.

**************************************************************************

.

disk not found C:\

.

please note that you need administrator rights to perform deep scan

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files:

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-3222023231-2948638799-1041803130-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,40,83,0e,70,da,e9,f8,41,85,34,69,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,40,83,0e,70,da,e9,f8,41,85,34,69,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(604)

c:\windows\system32\LMIinit.dll

c:\windows\system32\LMIRfsClientNP.dll

.

- - - - - - - > 'explorer.exe'(188)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2012-10-30 23:51:15 - machine was rebooted

ComboFix-quarantined-files.txt 2012-10-31 04:51

.

Pre-Run: 4,263,485,440 bytes free

Post-Run: 4,466,413,568 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 0A1BD56C41992579B84D5729D17FA32F


Hi Screen317,

Sorry for the delay in getting back to you. Here is the MBAM log of the quick scan after updating MBAM, and the dds.txt & attach.txt logs. Please advise if you need anything else. Thank you in advance for your assistance with the cleaning of my machine.

Malwarebytes Anti-Malware 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.24.03

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Troy :: GEORGE [administrator]

11/23/2012 11:42:13 PM

mbam-log-2012-11-23 (23-42-13).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 295760

Time elapsed: 24 minute(s), 24 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21

Run by Troy at 0:18:13 on 2012-11-24

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.702.490 [GMT -6:00]

.

.

============== Running Processes ================

.

C:\WINDOWS\Explorer.EXE

C:\Program Files\internet explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\internet explorer\iexplore.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

C:\WINDOWS\system32\svchost.exe -k rpcss

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://global.acer.com

BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll

TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\at&tse~1.lnk - c:\program files\sbc self support tool\bin\matcli.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoDriveAutoRun = dword:67108863

mPolicies-Explorer: NoDriveTypeAutoRun = dword:323

mPolicies-Explorer: NoDrives = dword:0

mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1

mPolicies-Explorer: NoDriveTypeAutoRun = dword:323

mPolicies-Explorer: NoDriveAutoRun = dword:67108863

IE: {5CFA5B80-01F4-420F-B18B-545712C8A1C8} - http://www.playsushi.com/About.ps?l=6&t=nBnuqYynS

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} - hxxp://download.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154501112562

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/abasetup162.cab

DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab

DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} - hxxp://www.iolo.com/app/ocx/UpgradeVerify.ocx

TCP: NameServer = 68.105.28.11 68.105.29.11 68.105.28.12

TCP: Interfaces\{8E8070A8-8804-4DDC-A8CF-7AD38275EC4C} : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12

Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - <orphaned>

Name-Space Handler: ftp\DLA.IEClickMon - {A5A08E80-B472-11D2-89D1-0080C8C12A3A} -

Name-Space Handler: http\DLA.IEClickMon - {A5A08E80-B472-11D2-89D1-0080C8C12A3A} -

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-8-3 12992]

S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-11-11 46112]

S2 SPDISK;SPDISK;c:\windows\system32\drivers\spdisk.sys [2007-1-2 48294]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

.

=============== File Associations ===============

.

FileExt: .jse: JSEFile=NOTEPAD.EXE %1

FileExt: .wsf: WSFFile=NOTEPAD.EXE %1

.

=============== Created Last 30 ================

.

2012-11-24 06:07:47 -------- d-sh--w- c:\documents and settings\troy\PrivacIE

2012-11-24 05:43:46 -------- d-----w- c:\documents and settings\troy\local settings\application data\PCHealth

2012-11-24 05:40:50 -------- d-----w- c:\documents and settings\troy\application data\Malwarebytes

2012-11-24 05:40:36 -------- d-----w- c:\documents and settings\troy\local settings\application data\ArcSoft

2012-11-24 05:40:19 -------- d-sh--w- c:\documents and settings\troy\IETldCache

2012-10-31 04:24:03 -------- d-sha-r- C:\cmdcons

2012-10-31 04:21:51 98816 ----a-w- c:\windows\sed.exe

2012-10-31 04:21:51 256000 ----a-w- c:\windows\PEV.exe

2012-10-31 04:21:51 208896 ----a-w- c:\windows\MBR.exe

.

==================== Find3M ====================

.

2012-09-30 00:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll

2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec

.

============= FINISH: 0:20:19.21 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\Harddisk0\DP(2)0xbb487a00-0x894e00400+2

Install Date: 6/16/2006 1:44:55 PM

System Uptime: 11/24/2012 12:11:49 AM (0 hours ago)

.

Motherboard: Acer, Inc. | | Lugano M

Processor: Mobile AMD Sempron Processor 3100+ | Socket A | 1800/400mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 34 GiB total, 3.749 GiB free.

D: is CDROM ()

E: is FIXED (FAT32) - 3 GiB total, 0.457 GiB free.

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP1643: 6/20/2012 3:11:46 AM - System Checkpoint

RP1644: 8/7/2012 8:50:13 PM - Software Distribution Service 3.0

RP1645: 9/29/2012 2:41:49 PM - Removed Microsoft Default Manager

RP1646: 9/29/2012 2:47:37 PM - Software Distribution Service 3.0

RP1647: 10/26/2012 10:36:15 PM - Software Distribution Service 3.0

RP1648: 10/27/2012 6:09:55 AM - Software Distribution Service 3.0

RP1649: 11/8/2012 12:21:18 PM - Software Distribution Service 3.0

RP1650: 11/19/2012 6:17:14 PM - Software Distribution Service 3.0

.

==== Installed Programs ======================

.

Acer eManager for Notebook

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)

Adobe Flash Player 10 Plugin

Adobe Flash Player 11 ActiveX

Adobe Reader 8.1.2

Adobe Reader 8.1.2 Security Update 1 (KB403742)

Agere Systems AC'97 Modem

All-Purpose Letters

All-Purpose Resumes

AMG Complete WordStudy CD

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ArcSoft Print Creations

ArcSoft Print Creations - Greeting Card

ArcSoft Print Creations - Photo Calendar

AT&T Self Support Tool

ATT-AACE

Bonjour

Broadcom Driver v4.150.22.0_Foxconn Installation Program

BroadJump Client Foundation

Critical Update for Windows Media Player 11 (KB959772)

Download Updater (AOL LLC)

EPSON Stylus NX400 Series Printer Uninstall

GearDrvs

GoBit Games Plugin v1.5

Google Toolbar for Internet Explorer

Google Update Helper

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB2633952)

Hotfix for Windows XP (KB2756822)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB981793)

InstallMgr

Java Auto Updater

Java 6 Update 21

Launch Manager

LiveUpdate Notice (Symantec Corporation)

LogMeIn

Malwarebytes Anti-Malware version 1.65.1.1000

Mavis Beacon Teaches Typing Deluxe 15

Merriam-Webster 3.0

Microsoft .NET Framework 1.1

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft National Language Support Downlevel APIs

Microsoft Office File Validation Add-In

Microsoft Office Professional Edition 2003

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft VC9 runtime libraries

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft WinUsb 1.0

Microsoft XML Parser

MSN

MSN Toolbar

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6 Service Pack 2 (KB954459)

NTI Backup NOW! 4

NTI CD & DVD-Maker

NTI CD & DVD-Maker Gold

PowerProducer

QuickTime

QuickVerse 2005 Standard

Quickverse 8.0 Books

RealNetworks - Microsoft Visual C++ 2008 Runtime

RealPlayer

Realtek AC'97 Audio

RealUpgrade 1.1

Security Update for CAPICOM (KB931906)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft Windows (KB2564958)

Security Update for Windows Internet Explorer 7 (KB928090)

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 7 (KB931768)

Security Update for Windows Internet Explorer 7 (KB933566)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Internet Explorer 8 (KB2183461)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB2416400)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2530548)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2559049)

Security Update for Windows Internet Explorer 8 (KB2586448)

Security Update for Windows Internet Explorer 8 (KB2618444)

Security Update for Windows Internet Explorer 8 (KB2647516)

Security Update for Windows Internet Explorer 8 (KB2675157)

Security Update for Windows Internet Explorer 8 (KB2744842)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB972260)

Security Update for Windows Internet Explorer 8 (KB974455)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 9 (KB917734)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2491683)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2536276)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567053)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2584146)

Security Update for Windows XP (KB2585542)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB2598479)

Security Update for Windows XP (KB2603381)

Security Update for Windows XP (KB2618451)

Security Update for Windows XP (KB2619339)

Security Update for Windows XP (KB2620712)

Security Update for Windows XP (KB2621440)

Security Update for Windows XP (KB2624667)

Security Update for Windows XP (KB2631813)

Security Update for Windows XP (KB2633171)

Security Update for Windows XP (KB2639417)

Security Update for Windows XP (KB2641653)

Security Update for Windows XP (KB2646524)

Security Update for Windows XP (KB2647518)

Security Update for Windows XP (KB2653956)

Security Update for Windows XP (KB2655992)

Security Update for Windows XP (KB2659262)

Security Update for Windows XP (KB2660465)

Security Update for Windows XP (KB2676562)

Security Update for Windows XP (KB2686509)

Security Update for Windows XP (KB2691442)

Security Update for Windows XP (KB2695962)

Security Update for Windows XP (KB2698365)

Security Update for Windows XP (KB2705219)

Security Update for Windows XP (KB2707511)

Security Update for Windows XP (KB2712808)

Security Update for Windows XP (KB2719985)

Security Update for Windows XP (KB2723135)

Security Update for Windows XP (KB2724197)

Security Update for Windows XP (KB2731847)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

SiS 900 PCI Fast Ethernet Adapter Driver

SiS VGA Utilities

SiSAGP driver

Spelling Dictionaries Support For Adobe Reader 8

Subliminal Power

Synaptics Pointing Device Driver

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 8 (KB972636)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB976749)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2541763)

Update for Windows XP (KB2607712)

Update for Windows XP (KB2616676)

Update for Windows XP (KB2641690)

Update for Windows XP (KB2661254-v2)

Update for Windows XP (KB2718704)

Update for Windows XP (KB2736233)

Update for Windows XP (KB2749655)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

WebFldrs XP

Windows Easy Transfer

Windows Imaging Component

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Live Photo Gallery

Windows Media Format 11 runtime

Windows Media Player 11

Windows Presentation Foundation

Windows XP Service Pack 3

.

==== Event Viewer Messages From Past Week ========

.

11/19/2012 6:15:24 PM, error: Service Control Manager [7000] - The int15.sys service failed to start due to the following error: The system cannot find the path specified.

11/19/2012 6:15:23 PM, error: Print [23] - Printer Virtual PDF Printer failed to initialize because a suitable Virtual PDF Printer driver could not be found.

11/17/2012 2:18:47 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

11/17/2012 10:43:32 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

11/17/2012 1:05:49 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 Fips

.

==== End Of File ===========================


  • Staff

Hi,

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

If after ComboFix reboots you get a message about an "Invalid Option Registry Key Marked for Deletion," please reboot again and the error will go away.

-screen317


Here are the logs for ComboFix and the new DDS as you requested. Please advise if you need anything else.

Thanks!

ComboFix 12-11-27.01 - Troy 11/27/2012 22:22:12.2.1 - x86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.702.549 [GMT -6:00]

Running from: c:\documents and settings\Troy\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-10-28 to 2012-11-28 )))))))))))))))))))))))))))))))

.

.

2012-11-24 06:01 . 2012-11-24 06:01 -------- d-----w- c:\windows\LastGood.Tmp

2012-11-24 05:39 . 2012-11-24 06:07 -------- d-----w- c:\documents and settings\Troy

2012-11-08 18:19 . 2012-11-08 18:19 -------- d-----w- c:\documents and settings\Owner.GEORGE\Local Settings\Application Data\PCHealth

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-09-30 00:54 . 2012-09-29 21:18 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SiSPower"="SiSPower.dll" [2005-02-26 49152]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]

"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-01-27 274608]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2008-6-22 217088]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2007-11-16 02:46 87352 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk

backup=c:\windows\pss\Utility Tray.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^George Hocker^Start Menu^Programs^Startup^Anapod Manager.lnk]

path=c:\documents and settings\George Hocker\Start Menu\Programs\Startup\Anapod Manager.lnk

backup=c:\windows\pss\Anapod Manager.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]

Alaunch [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]

2004-10-08 02:50 88363 -c--a-w- c:\windows\AGRSMMSG.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 -c--a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

2005-05-31 12:33 122941 -c--a-w- c:\windows\system32\dla\tfswctrl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2006-03-21 01:34 86960 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]

2005-10-12 22:16 315392 -c--a-w- c:\program files\Launch Manager\QtZgAcer.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]

2007-08-03 23:09 63048 -c--a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]

2005-03-04 20:13 32768 -c--a-w- c:\windows\system32\Keyhook.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower]

2005-02-26 02:35 49152 -c----w- c:\windows\system32\SiSPower.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

2005-02-24 01:13 77824 -c--a-w- c:\windows\SOUNDMAN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

2004-10-08 06:43 688218 -c--a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]

2004-10-08 06:44 98394 -c--a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

.

S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 5:09 PM 12992]

S2 SPDISK;SPDISK;c:\windows\system32\drivers\spdisk.sys [1/2/2007 4:16 AM 48294]

S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [12/13/2006 8:24 PM 47360]

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-17 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

.

2012-11-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-27 20:25]

.

2012-11-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-27 20:25]

.

2012-11-24 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3222023231-2948638799-1041803130-1009.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 19:33]

.

2012-11-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3222023231-2948638799-1041803130-1009.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 19:33]

.

2012-11-24 c:\windows\Tasks\User_Feed_Synchronization-{D7EBC81C-50ED-4530-8677-59A34A4DBDEE}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://global.acer.com

IE: {{5CFA5B80-01F4-420F-B18B-545712C8A1C8} - http://www.playsushi.com/About.ps?l=6&t=nBnuqYynS

TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12

Name-Space Handler: ftp\DLA.IEClickMon - {A5A08E80-B472-11D2-89D1-0080C8C12A3A} -

Name-Space Handler: http\DLA.IEClickMon - {A5A08E80-B472-11D2-89D1-0080C8C12A3A} -

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} - hxxp://www.iolo.com/app/ocx/UpgradeVerify.ocx

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

.

.

**************************************************************************

.

disk not found C:\

.

please note that you need administrator rights to perform deep scan

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files:

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(604)

c:\windows\system32\LMIinit.dll

c:\windows\system32\LMIRfsClientNP.dll

.

- - - - - - - > 'explorer.exe'(188)

c:\windows\system32\WININET.dll

.

Completion time: 2012-11-27 22:35:45

ComboFix-quarantined-files.txt 2012-11-28 04:35

ComboFix2.txt 2012-10-31 04:51

.

Pre-Run: 3,953,430,528 bytes free

Post-Run: 4,051,181,568 bytes free

.

- - End Of File - - 0766D3AD4CBF7FB1A99307873A1C2717

DDS LOG

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21

Run by Troy at 22:42:14 on 2012-11-27

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.702.399 [GMT -6:00]

.

.

============== Running Processes ================

.

C:\WINDOWS\explorer.exe

C:\Program Files\internet explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\internet explorer\iexplore.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

C:\WINDOWS\system32\svchost.exe -k rpcss

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://global.acer.com

BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll

TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\at&tse~1.lnk - c:\program files\sbc self support tool\bin\matcli.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:323

uPolicies-Explorer: NoDriveAutoRun = dword:67108863

uPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: NoDriveAutoRun = dword:67108863

mPolicies-Explorer: NoDriveTypeAutoRun = dword:323

mPolicies-Explorer: NoDrives = dword:0

mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1

mPolicies-Explorer: NoDriveTypeAutoRun = dword:323

mPolicies-Explorer: NoDriveAutoRun = dword:67108863

IE: {5CFA5B80-01F4-420F-B18B-545712C8A1C8} - http://www.playsushi.com/About.ps?l=6&t=nBnuqYynS

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} - hxxp://download.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154501112562

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/abasetup162.cab

DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab

DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} - hxxp://www.iolo.com/app/ocx/UpgradeVerify.ocx

TCP: NameServer = 68.105.28.11 68.105.29.11 68.105.28.12

TCP: Interfaces\{8E8070A8-8804-4DDC-A8CF-7AD38275EC4C} : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12

Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - <orphaned>

Name-Space Handler: ftp\DLA.IEClickMon - {A5A08E80-B472-11D2-89D1-0080C8C12A3A} -

Name-Space Handler: http\DLA.IEClickMon - {A5A08E80-B472-11D2-89D1-0080C8C12A3A} -

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-8-3 12992]

S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-11-11 46112]

S2 SPDISK;SPDISK;c:\windows\system32\drivers\spdisk.sys [2007-1-2 48294]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

.

=============== File Associations ===============

.

FileExt: .jse: JSEFile=NOTEPAD.EXE %1

FileExt: .wsf: WSFFile=NOTEPAD.EXE %1

.

=============== Created Last 30 ================

.

2012-11-24 06:07:47 -------- d-sh--w- c:\documents and settings\troy\PrivacIE

2012-11-24 06:01:26 -------- d-----w- c:\windows\LastGood.Tmp

2012-11-24 05:43:46 -------- d-----w- c:\documents and settings\troy\local settings\application data\PCHealth

2012-11-24 05:40:50 -------- d-----w- c:\documents and settings\troy\application data\Malwarebytes

2012-11-24 05:40:36 -------- d-----w- c:\documents and settings\troy\local settings\application data\ArcSoft

2012-11-24 05:40:19 -------- d-sh--w- c:\documents and settings\troy\IETldCache

2012-10-31 04:24:03 -------- d-sha-r- C:\cmdcons

2012-10-31 04:21:51 98816 ----a-w- c:\windows\sed.exe

2012-10-31 04:21:51 256000 ----a-w- c:\windows\PEV.exe

2012-10-31 04:21:51 208896 ----a-w- c:\windows\MBR.exe

.

==================== Find3M ====================

.

2012-09-30 00:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

.

============= FINISH: 22:42:29.57 ===============


  • Staff

Hi,

Run TFC by OldTimer to clear temporary files:

  • Please download TFC from here and save it to your desktop.
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your Desktop or save it for later use for the cleaning of temporary files.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs a runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log name is like UtilityName.Version_Date_Time_log.txt.

For example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Export the threats found (if any), and post them here.

Next, please download AdwCleaner by Xplode onto your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

Next, download my Security Check from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317



17:31:37.0859 3912 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35

17:31:38.0375 3912 ============================================================

17:31:38.0375 3912 Current date / time: 2012/12/01 17:31:38.0375

17:31:38.0375 3912 SystemInfo:

17:31:38.0375 3912

17:31:38.0375 3912 OS Version: 5.1.2600 ServicePack: 3.0

17:31:38.0375 3912 Product type: Workstation

17:31:38.0375 3912 ComputerName: GEORGE

17:31:38.0375 3912 UserName: Troy

17:31:38.0375 3912 Windows directory: C:\WINDOWS

17:31:38.0375 3912 System windows directory: C:\WINDOWS

17:31:38.0375 3912 Processor architecture: Intel x86

17:31:38.0375 3912 Number of processors: 1

17:31:38.0375 3912 Page size: 0x1000

17:31:38.0375 3912 Boot type: Normal boot

17:31:38.0375 3912 ============================================================

17:31:40.0328 3912 Drive \Device\Harddisk0\DR0 - Size: 0x950A60000 (37.26 Gb), SectorSize: 0x200, Cylinders: 0x1300, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054

17:31:40.0328 3912 ============================================================

17:31:40.0328 3912 \Device\Harddisk0\DR0:

17:31:40.0328 3912 MBR partitions:

17:31:40.0328 3912 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x5DA43D, BlocksNum 0x44A7002

17:31:40.0328 3912 ============================================================

17:31:40.0328 3912 Initialize success

17:31:40.0328 3912 ============================================================

17:31:42.0062 2516 ============================================================

17:31:42.0062 2516 Scan started

17:31:42.0062 2516 Mode: Manual;

17:31:42.0062 2516 ============================================================

17:31:43.0109 2516 ================ Scan system memory ========================

17:31:43.0109 2516 System memory - ok

17:31:43.0109 2516 ================ Scan services =============================

17:31:43.0171 2516 Abiosdsk - ok

17:31:43.0203 2516 abp480n5 - ok

17:31:49.0734 2516 ================ Scan global ===============================

17:31:49.0734 2516 [Global] - ok

17:31:49.0750 2516 ================ Scan MBR ==================================

17:31:49.0765 2516 [ 99852D5C3A78447C3D6D82B6155FE848 ] \Device\Harddisk0\DR0

17:31:53.0296 2516 \Device\Harddisk0\DR0 - ok

17:31:53.0296 2516 ================ Scan VBR ==================================

17:31:53.0312 2516 [ 0AF962E960F5C7ECDF322C209A98EDD1 ] \Device\Harddisk0\DR0\Partition1

17:31:53.0312 2516 \Device\Harddisk0\DR0\Partition1 - ok

17:31:53.0312 2516 ============================================================

17:31:53.0312 2516 Scan finished

17:31:53.0312 2516 ============================================================

17:31:53.0343 0760 Detected object count: 0

17:31:53.0343 0760 Actual detected object count: 0

17:31:57.0578 2184 Deinitialize success

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are both checked
  6. Click Scan
    Wait for the scan to finish
  7. Export the threats found (if any), and post them here.

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1646\A0332875.dll Win32/Adware.Gamevance application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1646\A0332876.exe a variant of Win32/Adware.Gamevance.AE application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1646\A0332877.scr Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1646\A0332878.DLL probably a variant of Win32/Toolbar.MyWay application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1646\A0332879.DLL a variant of Win32/Toolbar.MyWebSearch.K application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333087.EXE Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333088.EXE Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333089.DLL Win32/FunWeb application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333090.DLL Win32/FunWeb application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333091.DLL Win32/FunWeb application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333092.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333093.DLL Win32/FunWeb application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333094.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333095.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333096.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333097.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333098.DLL Win32/FunWeb application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333099.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333100.DLL Win32/FunWeb application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333101.DLL Win32/Toolbar.MyWebSearch.J application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333102.dll Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333103.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333104.SCR Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333105.DLL Win32/Toolbar.MyWebSearch.G application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333106.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333107.EXE Win32/FunWeb application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333108.DLL Win32/FunWeb application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333109.DLL Win32/Toolbar.MyWebSearch.H application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333113.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333114.EXE Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333117.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333118.EXE Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333119.EXE Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333120.EXE Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333121.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined

C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333122.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined

Next, please download AdwCleaner by Xplode onto your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

# AdwCleaner v2.010 - Logfile created 12/01/2012 at 20:15:54

# Updated 29/11/2012 by Xplode

# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

# User : Troy - GEORGE

# Boot Mode : Normal

# Running from : C:\Documents and Settings\Troy\Desktop\adwcleaner.exe

# Option [search]

***** [Services] *****

***** [Files / Folders] *****

File Found : C:\Program Files\Mozilla Firefox\plugins\npdnu.dll

File Found : C:\Program Files\Mozilla Firefox\plugins\npdnu.xpt

File Found : C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll

File Found : C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.xpt

Folder Found : C:\Documents and Settings\All Users\Application Data\Trymedia

Folder Found : C:\Program Files\Common Files\Software Update Utility

Folder Found : C:\Program Files\PlaySushi

***** [Registry] *****

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}

Key Found : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}

Key Found : HKLM\SOFTWARE\Classes\AppID\{E89A07B5-BD7A-43F9-BDA4-0DAA48AC4FA5}

Key Found : HKLM\SOFTWARE\Classes\AppID\dnu.EXE

Key Found : HKLM\SOFTWARE\Classes\AppID\PSText.DLL

Key Found : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}

Key Found : HKLM\SOFTWARE\Classes\dnUpdate

Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser

Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1

Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController

Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1

Key Found : HKLM\SOFTWARE\Classes\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}

Key Found : HKLM\SOFTWARE\Classes\Interface\{120927BF-1700-43BC-810F-FAB92549B390}

Key Found : HKLM\SOFTWARE\Classes\Interface\{1F52A5FA-A705-4415-B975-88503B291728}

Key Found : HKLM\SOFTWARE\Classes\Interface\{247A115F-06C2-4FB3-967D-2D62D3CF4F0A}

Key Found : HKLM\SOFTWARE\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}

Key Found : HKLM\SOFTWARE\Classes\Interface\{3E53E2CB-86DB-4A4A-8BD9-FFEB7A64DF82}

Key Found : HKLM\SOFTWARE\Classes\Interface\{3E720453-B472-4954-B7AA-33069EB53906}

Key Found : HKLM\SOFTWARE\Classes\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}

Key Found : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}

Key Found : HKLM\SOFTWARE\Classes\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}

Key Found : HKLM\SOFTWARE\Classes\Interface\{7473D293-B7BB-4F24-AE82-7E2CE94BB6A9}

Key Found : HKLM\SOFTWARE\Classes\Interface\{7473D295-B7BB-4F24-AE82-7E2CE94BB6A9}

Key Found : HKLM\SOFTWARE\Classes\Interface\{7473D297-B7BB-4F24-AE82-7E2CE94BB6A9}

Key Found : HKLM\SOFTWARE\Classes\Interface\{90449521-D834-4703-BB4E-D3AA44042FF8}

Key Found : HKLM\SOFTWARE\Classes\Interface\{991AAC62-B100-47CE-8B75-253965244F69}

Key Found : HKLM\SOFTWARE\Classes\Interface\{A626CDBD-3D13-4F78-B819-440A28D7E8FC}

Key Found : HKLM\SOFTWARE\Classes\Interface\{BBABDC90-F3D5-4801-863A-EE6AE529862D}

Key Found : HKLM\SOFTWARE\Classes\Interface\{D6FF3684-AD3B-48EB-BBB4-B9E6C5A355C1}

Key Found : HKLM\SOFTWARE\Classes\Interface\{DE38C398-B328-4F4C-A3AD-1B5E4ED93477}

Key Found : HKLM\SOFTWARE\Classes\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F}

Key Found : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}

Key Found : HKLM\SOFTWARE\Classes\Interface\{E79DFBC9-5697-4FBD-94E5-5B2A9C7C1612}

Key Found : HKLM\SOFTWARE\Classes\Interface\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612}

Key Found : HKLM\SOFTWARE\Classes\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}

Key Found : HKLM\SOFTWARE\Classes\Interface\{F165085B-6B85-4AD5-AD00-95552A823F6D}

Key Found : HKLM\SOFTWARE\Classes\Interface\{F87D7FB5-9DC5-4C8C-B998-D8DFE02E2978}

Key Found : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}

Key Found : HKLM\SOFTWARE\FCTB000060231

Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\mywebsearch bar uninstall

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\PlaySushi

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SoftwareUpdUtility

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility

Key Found : HKLM\Software\TENCENT

Key Found : HKU\S-1-5-21-3222023231-2948638799-1041803130-1010\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [4940 octets] - [01/12/2012 20:15:54]

########## EOF - C:\AdwCleaner[R1].txt - [5000 octets] ##########

Next, download my Security Check from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Results of screen317's Security Check version 0.99.56

Windows XP Service Pack 3 x86

Internet Explorer 8

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Disabled!

ESET Online Scanner v3

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.1.1000

Java 6 Update 21

Java version out of Date!

Adobe Flash Player 10 Flash Player out of Date!

Adobe Reader 8 Adobe Reader out of Date!

Adobe Reader XI (KB403742..)

````````Process Check: objlist.exe by Laurent````````

`````````````````System Health check`````````````````

Total Fragmentation on Drive C:: 49% Defragment your hard drive soon! (Do NOT defrag if SSD!)

````````````````````End of Log``````````````````````

Let me know how things are running now and what issues remain.

-screen317

Screen317

I hope I did this right by using the quote and posting the logs where they are. If not, please let me know and I will redo it, or do whatever else you need me to do.

The machine appears to be running great at this time. I will await further instructions from you. Again, thank you so much for assisting in the cleaning of this machine.

-HighlyFavored1
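Every detection in the ESET export posted above sits under `C:\System Volume Information\_restore{...}\RPnnnn`, i.e. in archived System Restore snapshots rather than among files active on the running system, which is the distinction a responder needs when a "still infected" report comes back. The following is an added example, not part of this thread or of ESET's or Malwarebytes' own tooling: it parses lines in that export format, splits restore-point copies from live files and groups hits by threat family. The sample lines are constructed in that shape; the `C:\Program Files\Example Toolbar\tbhelper.dll` entry is hypothetical and included only for contrast.

```python
import re
from collections import Counter

# Constructed sample in the shape of the ESET Online Scanner export posted above.
# The first two paths are restore-point copies like the ones in the thread; the
# third is a hypothetical live file, added only to show the contrast.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1646\A0332875.dll Win32/Adware.Gamevance application cleaned by deleting - quarantined
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP1648\A0333089.DLL Win32/FunWeb application cleaned by deleting - quarantined
C:\Program Files\Example Toolbar\tbhelper.dll a variant of Win32/Toolbar.MyWebSearch.K application cleaned by deleting - quarantined
"""

# One export line: <path> [probably ][a variant of ]<threat> <verdict>.
# The path is matched lazily up to its file extension, so spaces inside
# folder names ("System Volume Information") do not break the split.
LINE_RE = re.compile(
    r"^(?P<path>.+?\.\w+)\s+"
    r"(?P<qualifier>(?:probably )?a variant of )?"
    r"(?P<threat>\S+)\s+"
    r"(?P<verdict>.+)$"
)

# Case-insensitive marker for a System Restore snapshot directory.
RESTORE_MARKER = r"\system volume information\_restore"


def parse_line(line):
    """Return a dict for one export line, or None if it is not a detection line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "path": m.group("path"),
        "threat": m.group("threat"),
        "verdict": m.group("verdict"),
        # ESET prefixes heuristic hits with "a variant of" / "probably a variant of".
        "certain": m.group("qualifier") is None,
    }


def family_of(threat):
    """Strip a short upper-case variant suffix: Win32/Toolbar.MyWebSearch.K -> Win32/Toolbar.MyWebSearch."""
    parts = threat.split(".")
    last = parts[-1]
    if len(parts) > 1 and last.isalpha() and last.isupper() and len(last) <= 2:
        parts = parts[:-1]
    return ".".join(parts)


def is_restore_point_copy(path):
    """True when the file lives inside a System Restore snapshot rather than on the live system."""
    return RESTORE_MARKER in path.lower()


def triage(log_text):
    """Summarise an export: how many hits are archived restore-point copies versus live files."""
    hits = [h for h in (parse_line(l) for l in log_text.splitlines()) if h]
    live = [h["path"] for h in hits if not is_restore_point_copy(h["path"])]
    return {
        "total": len(hits),
        "restore_point": len(hits) - len(live),
        "live": len(live),
        "live_paths": live,
        "families": Counter(family_of(h["threat"]) for h in hits),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['total']} detections, {summary['restore_point']} in restore points, "
          f"{summary['live']} on the live system")
    for fam, n in summary["families"].most_common():
        print(f"  {n:3d}  {fam}")
    for p in summary["live_paths"]:
        print("  live file needs attention:", p)
```

Run against the full export from the thread, `live` comes out as 0: the remaining hits were inactive snapshot copies, which is why the helper's next steps target leftover registry keys and temp files rather than a running infection.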


Screen317

I received this laptop from my sister (Sonja) which was the only user profile on the laptop when I received it. All of the issues appear to be associated with that profile.

I could only run MBAM logged on that user profile in normal log on. DDS.txt and Attach.txt I could not download using that profile in normal mode. I had to log in "safe mode" to download DDS.

I recently created the user profile Troy to attempt the scans and logs that you last asked for. In normal mode the only thing I could not download was ESET. I went into "safe mode" to download but logged in normal mode to run the scan. Other than that everything else worked in normal mode.

After posting the logs you last requested, I logged in normally as the user profile "Sonja" and the attached screen shot appears at every attempt to open Internet Explorer.

The internet appears to work fine with the new user profile "Troy". If need be, I can delete the user profile "Sonja", unless the cleaning you are assisting me with fixes that user profile once it is complete.

I just wanted to advise you of this but as I said in the previous post, I will await further instructions from you. Thanks again.


  • Staff

Hi,

Run TFC by OldTimer to clear temporary files:

  • Open TFC.exe if you already have it. If not, please download TFC from here and save it to your desktop.
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your Desktop or save it for later use for the cleaning of temporary files.

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck and TDSSKiller.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

Java™ 6 Update 21

Adobe Flash Player 10

Adobe Reader XI

Adobe Reader 8

Restart your computer.

Get the latest version of Java, Adobe Reader, and Adobe Flash Player.

Reboot.

Defragmenting is a must. It's one of the large reasons for system slowdowns. I use Defraggler to defragment. It is free to download and you can use it forever. I recommend installing it and defragmenting as soon as possible.

Reboot.

I highly recommend deleting that profile after backing up any important documents, pictures, etc. from it.


Hi,

Here is the logfile with the results of the AdwCleaner after clicking delete:

# AdwCleaner v2.011 - Logfile created 12/06/2012 at 07:44:05

# Updated 02/12/2012 by Xplode

# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

# User : Troy - GEORGE

# Boot Mode : Normal

# Running from : C:\Documents and Settings\Troy\Desktop\adwcleaner.exe

# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnu.dll

File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnu.xpt

File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll

File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.xpt

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Trymedia

Folder Deleted : C:\Program Files\Common Files\Software Update Utility

Folder Deleted : C:\Program Files\PlaySushi

***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{E89A07B5-BD7A-43F9-BDA4-0DAA48AC4FA5}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\dnu.EXE

Key Deleted : HKLM\SOFTWARE\Classes\AppID\PSText.DLL

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}

Key Deleted : HKLM\SOFTWARE\Classes\dnUpdate

Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser

Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1

Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController

Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{120927BF-1700-43BC-810F-FAB92549B390}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1F52A5FA-A705-4415-B975-88503B291728}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{247A115F-06C2-4FB3-967D-2D62D3CF4F0A}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3E53E2CB-86DB-4A4A-8BD9-FFEB7A64DF82}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3E720453-B472-4954-B7AA-33069EB53906}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7473D293-B7BB-4F24-AE82-7E2CE94BB6A9}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7473D295-B7BB-4F24-AE82-7E2CE94BB6A9}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7473D297-B7BB-4F24-AE82-7E2CE94BB6A9}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{90449521-D834-4703-BB4E-D3AA44042FF8}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{991AAC62-B100-47CE-8B75-253965244F69}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A626CDBD-3D13-4F78-B819-440A28D7E8FC}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BBABDC90-F3D5-4801-863A-EE6AE529862D}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D6FF3684-AD3B-48EB-BBB4-B9E6C5A355C1}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DE38C398-B328-4F4C-A3AD-1B5E4ED93477}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E79DFBC9-5697-4FBD-94E5-5B2A9C7C1612}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F165085B-6B85-4AD5-AD00-95552A823F6D}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F87D7FB5-9DC5-4C8C-B998-D8DFE02E2978}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}

Key Deleted : HKLM\SOFTWARE\FCTB000060231

Key Deleted : HKLM\Software\Freeze.com

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\mywebsearch bar uninstall

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\PlaySushi

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SoftwareUpdUtility

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility

Key Deleted : HKLM\Software\TENCENT

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [5069 octets] - [01/12/2012 20:15:54]

AdwCleaner[R2].txt - [4800 octets] - [06/12/2012 07:42:59]

AdwCleaner[S1].txt - [4837 octets] - [06/12/2012 07:44:05]

########## EOF - C:\AdwCleaner[S1].txt - [4897 octets] ##########

I will complete the last things listed in your post (#9):

Uninstalling ComboFix components as well as SecurityCheck and TDSSKiller.

Then I will uninstall Java 6 Update 21, Adobe Flash Player 10, Adobe Reader XI and Adobe Reader 8.

Restart laptop.

Then install the latest versions of Java, Adobe Reader and Adobe Flash Player.

Reboot and then defrag the system with Defraggler.

I will also delete that profile (Sonja) after saving anything of importance in it.

Thank you for all of your assistance and help with this matter Screen317. Please let me know if I need to do anything further after this post.

-HighlyFavored1


  • Staff

Glad to hear things are running well! :)

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an add-on available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.