I've tried to follow some of the other threads to no avail. Somehow unbeknown to my neighbors they got infected with XP Anti-Virus 2011. I can get rkill.com to run but it doesn't seem to be helping me. Even after running it several times. I've run most of the other rkill variants as well.

Anyway, I thought I would start fresh and I'm looking for a little help.

Attached to this post is my Attach.zip file with Attach.txt file inside.

Here is my DDS.txt, which was run in safe mode w/ network support:

Thanks in advance for any help.

.

DDS (Ver_11-03-05.01) - NTFSx86 NETWORK

Run by George Glading at 22:26:53.20 on Sun 04/10/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.502 [GMT -4:00]

.

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe

C:\WINDOWS\explorer.exe

D:\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://news.google.com/news?ned=us

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://home.peoplepc.com/search

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

TB: {A8FB8EB3-183B-4598-924D-86F0E5E37085} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRun: [CY08W456F0] c:\windows\temp\Mk1.exe

dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

dRunOnce: [cKe31001iLpBp31001] c:\documents and settings\all users\application data\cke31001ilpbp31001\cKe31001iLpBp31001.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zyxelg~1.lnk - c:\program files\zyxel g-220v3 wireless usb adapter utility\ZyXEL G-220v3.exe

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R1 NEOFLTR_650_14951;Juniper Networks TDI Filter Driver (NEOFLTR_650_14951);c:\windows\system32\drivers\NEOFLTR_650_14951.SYS [2009-12-26 85288]

S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 165264]

S1 MpKsl6be95f65;MpKsl6be95f65;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e188f7e8-5bf0-490a-8312-3124d82a20e1}\MpKsl6be95f65.sys [2011-4-10 28752]

S2 ZDCNDIS5;ZDCNDIS5 NDIS5.1 Protocol Driver;c:\windows\system32\ZDCndis5.sys [2009-5-4 20736]

S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2009-5-4 20608]

S3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;c:\windows\system32\drivers\WlanGZXP.sys [2009-5-14 735232]

.

=============== File Associations ===============

.

exefile="c:\documents and settings\networkservice\local settings\application data\bxe.exe" -a "%1" %*

.

=============== Created Last 30 ================

.

2011-04-11 02:06:34 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{e188f7e8-5bf0-490a-8312-3124d82a20e1}\MpKsl6be95f65.sys

2011-04-10 21:03:05 470016 ----a-w- c:\windows\system32\a.exe

2011-04-10 18:24:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\cKe31001iLpBp31001

2011-04-09 11:08:12 6792528 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{e188f7e8-5bf0-490a-8312-3124d82a20e1}\mpengine.dll

.

==================== Find3M ====================

.

2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD1600JB-75GVC0 rev.08.02D08 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F4F439]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f557d0]; MOV EAX, [0x86f5584c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x86F65AB8]

3 CLASSPNP[0xF7596FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x86EFDB98]

\Driver\atapi[0x86F7F5C8] -> IRP_MJ_CREATE -> 0x86F4F439

kernel: MBR read successfully

_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }

detected disk devices:

\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD1600JB-75GVC0_____________________08.02D08#5&2a84b1a5&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x86F4F27F

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 22:28:48.21 ===============

Attach.zip


"I've tried to follow some of the other threads to no avail."
Never follow directions laid out to another computer. They are usually tailored for that specific computer.

Download OTL to your Desktop

  • Double click on OTL to run it. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, tick the box beside Scan All Users at the top.
  • Underneath Output at the top set it to Standard Output.
  • Underneath the option Extra Registry set it to Use SafeList.
  • Underneath the option File Scans tick the boxes beside Use Company Name WhiteList, Skip Microsoft Files, LOP Check, Purity Check.
  • Click the Run Scan button. The scan won't take long.
    • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.


Ok, here you go. Thank you for the help.

OTL logfile created on: 4/11/2011 6:47:10 AM - Run 1

OTL by OldTimer - Version 3.2.22.3 Folder = D:\

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 772.00 Mb Available Physical Memory | 76.00% Memory free

2.00 Gb Paging File | 1.00 Gb Available in Paging File | 87.00% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 145.82 Gb Total Space | 122.66 Gb Free Space | 84.12% Space Free | Partition Type: NTFS

Drive D: | 1008.00 Mb Total Space | 988.56 Mb Free Space | 98.07% Space Free | Partition Type: FAT32

Computer Name: BUFFY1 | User Name: George Glading | Logged in as Administrator.

Boot Mode: SafeMode with Networking | Scan Mode: All users

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: Off | File Age = 30 Days

========== Modules (SafeList) ==========

MOD - [2011/04/11 06:40:26 | 000,580,608 | ---- | M] (OldTimer Tools) -- D:\OTL.scr

MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)

SRV - [2010/11/11 13:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)

SRV - [2007/03/07 15:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)

========== Driver Services (SafeList) ==========

DRV - [2011/04/10 22:06:35 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E188F7E8-5BF0-490A-8312-3124D82A20E1}\MpKsl6be95f65.sys -- (MpKsl6be95f65)

DRV - [2009/12/09 09:28:04 | 000,085,288 | ---- | M] (Juniper Networks) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NEOFLTR_650_14951.SYS -- (NEOFLTR_650_14951) Juniper Networks TDI Filter Driver (NEOFLTR_650_14951)

DRV - [2009/03/10 14:57:01 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)

DRV - [2009/03/10 14:56:52 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)

DRV - [2008/10/28 16:15:54 | 000,020,736 | ---- | M] (ZDC., Inc. (ZDC)) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\ZDCndis5.sys -- (ZDCNDIS5)

DRV - [2008/10/28 16:15:54 | 000,020,608 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BRGSp50.sys -- (BRGSp50)

DRV - [2008/10/28 04:19:24 | 000,735,232 | R--- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WlanGZXP.sys -- (ZG760_XP)

DRV - [2007/02/25 12:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\dsunidrv.sys -- (dsunidrv)

DRV - [2006/10/05 16:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)

DRV - [2004/09/17 15:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)

DRV - [2004/03/24 11:12:44 | 000,004,272 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\bvrp_pci.sys -- (bvrp_pci)

DRV - [2003/11/17 22:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)

DRV - [2003/11/17 22:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)

DRV - [2003/11/17 22:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3634577268-1262034776-152407426-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

IE - HKU\S-1-5-21-3634577268-1262034776-152407426-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie

IE - HKU\S-1-5-21-3634577268-1262034776-152407426-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com

IE - HKU\S-1-5-21-3634577268-1262034776-152407426-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google

IE - HKU\S-1-5-21-3634577268-1262034776-152407426-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

IE - HKU\S-1-5-21-3634577268-1262034776-152407426-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/news?ned=us

IE - HKU\S-1-5-21-3634577268-1262034776-152407426-1006\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKU\S-1-5-21-3634577268-1262034776-152407426-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKU\S-1-5-21-3634577268-1262034776-152407426-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

Hosts file not found

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O3 - HKLM\..\Toolbar: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - No CLSID value found.

O4 - HKLM..\Run: [KernelFaultCheck] File not found

O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)

O4 - HKU\.DEFAULT..\Run: [CY08W456F0] C:\WINDOWS\Temp\Mk1.exe ()

O4 - HKU\S-1-5-18..\Run: [CY08W456F0] C:\WINDOWS\Temp\Mk1.exe ()

O4 - HKU\.DEFAULT..\RunOnce: [cKe31001iLpBp31001] C:\Documents and Settings\All Users\Application Data\cKe31001iLpBp31001\cKe31001iLpBp31001.exe ()

O4 - HKU\S-1-5-18..\RunOnce: [cKe31001iLpBp31001] C:\Documents and Settings\All Users\Application Data\cKe31001iLpBp31001\cKe31001iLpBp31001.exe ()

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZyXEL G-220v3 Wireless USB Adapter Utility.lnk = C:\Program Files\ZyXEL G-220v3 Wireless USB Adapter Utility\ZyXEL G-220v3.exe (ZyXEL Communications Corp.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-3634577268-1262034776-152407426-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab (Support.com Configuration Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_03)

O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_03)

O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab (JuniperSetupClientControl Class)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - Explorer.exe ()

O24 - Desktop WallPaper: C:\Documents and Settings\George Glading\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\George Glading\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe" -a "%1" %* ()

O35 - HKU\S-1-5-21-3634577268-1262034776-152407426-1006..exefile [open] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe" -a "%1" %* ()

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe" -a "%1" %* ()

O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe" -a "%1" %* ()

O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe" -a "%1" %* ()

O37 - HKU\S-1-5-21-3634577268-1262034776-152407426-1006\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe" -a "%1" %* ()

========== Files/Folders - Created Within 30 Days ==========

[2011/04/10 17:02:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe

[2011/04/10 17:02:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun

[2011/04/10 16:46:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump

[2011/04/10 14:24:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\cKe31001iLpBp31001

[2011/04/10 14:23:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe

[2011/04/10 14:23:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun

[2011/04/10 07:28:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia

[2011/04/10 07:28:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe

[2011/04/09 20:30:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2011/04/09 20:30:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/11 06:48:13 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2011/04/11 06:47:22 | 003,670,016 | -H-- | M] () -- C:\Documents and Settings\George Glading\NTUSER.DAT

[2011/04/11 06:43:43 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2011/04/11 06:42:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2011/04/10 22:57:35 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\George Glading\ntuser.ini

[2011/04/10 22:57:33 | 001,656,424 | -H-- | M] () -- C:\Documents and Settings\George Glading\Local Settings\Application Data\IconCache.db

[2011/04/10 22:33:31 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2011/04/10 22:14:35 | 000,021,136 | -HS- | M] () -- C:\Documents and Settings\George Glading\Local Settings\Application Data\wr4s813p003535aw755mk40637803p2fsky8

[2011/04/10 22:14:35 | 000,021,136 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\wr4s813p003535aw755mk40637803p2fsky8

[2011/04/10 22:11:21 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2011/04/10 22:06:01 | 000,000,252 | -H-- | M] () -- C:\WINDOWS\tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job

[2011/04/10 22:05:59 | 000,000,252 | -H-- | M] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job

[2011/04/10 22:05:48 | 000,000,252 | -H-- | M] () -- C:\WINDOWS\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job

[2011/04/10 22:00:00 | 004,318,324 | ---- | M] () -- C:\Documents and Settings\George Glading\Desktop\ComboFix.exe

[2011/04/10 17:03:10 | 000,000,192 | ---- | M] () -- C:\WINDOWS\System32\a

[2011/04/10 17:03:05 | 000,470,016 | ---- | M] () -- C:\WINDOWS\System32\a.exe

[2011/04/10 15:01:28 | 001,228,854 | ---- | M] () -- C:\fsqwr.bmp

[2011/04/04 18:13:59 | 000,006,877 | ---- | M] () -- C:\Documents and Settings\George Glading\My Documents\Caldwell Reunion Mailing List.rtf

[2011/03/26 13:01:21 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2011/03/26 12:57:23 | 000,442,466 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2011/03/26 12:57:23 | 000,071,732 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2011/03/26 12:57:22 | 000,524,016 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/10 22:09:26 | 004,318,324 | ---- | C] () -- C:\Documents and Settings\George Glading\Desktop\ComboFix.exe

[2011/04/10 20:55:20 | 000,021,136 | -HS- | C] () -- C:\Documents and Settings\George Glading\Local Settings\Application Data\wr4s813p003535aw755mk40637803p2fsky8

[2011/04/10 17:52:45 | 000,021,140 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\wr4s813p003535aw755mk40637803p2fsky8

[2011/04/10 17:52:45 | 000,021,136 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\wr4s813p003535aw755mk40637803p2fsky8

[2011/04/10 17:52:35 | 000,229,456 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe

[2011/04/10 17:03:10 | 000,000,192 | ---- | C] () -- C:\WINDOWS\System32\a

[2011/04/10 17:03:05 | 000,470,016 | ---- | C] () -- C:\WINDOWS\System32\a.exe

[2011/04/10 15:01:27 | 001,228,854 | ---- | C] () -- C:\fsqwr.bmp

[2011/04/10 14:21:32 | 000,000,252 | -H-- | C] () -- C:\WINDOWS\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job

[2011/04/10 14:20:42 | 000,000,252 | -H-- | C] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job

[2011/04/10 14:20:39 | 000,000,252 | -H-- | C] () -- C:\WINDOWS\tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job

[2011/04/09 20:34:10 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

[2011/01/05 18:55:02 | 000,004,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\bvrp_pci.sys

[2010/12/24 16:05:50 | 000,000,736 | ---- | C] () -- C:\WINDOWS\SamsungMaster.INI

[2010/07/24 09:29:45 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll

[2010/07/24 09:29:45 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll

[2010/07/24 09:29:45 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\vidccleaner.exe

[2009/08/13 19:17:35 | 000,019,168 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat

[2009/05/02 15:55:19 | 000,045,132 | ---- | C] () -- C:\Documents and Settings\George Glading\Application Data\JuniperExtXP.exe

[2008/08/20 16:16:22 | 000,000,019 | ---- | C] () -- C:\WINDOWS\CustomerPOIManager.INI

[2007/12/26 21:17:59 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\George Glading\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2006/08/22 19:38:24 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\getpntid.exe

[2006/08/22 19:33:25 | 000,000,022 | ---- | C] () -- C:\WINDOWS\kodakpcd.George Glading.ini

[2006/08/22 17:59:22 | 000,034,660 | ---- | C] () -- C:\WINDOWS\System32\ppaluninst.exe

[2006/08/22 17:59:02 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\RegHero.exe

[2006/08/22 17:59:01 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\PopWait.exe

[2006/08/22 17:44:26 | 000,000,138 | ---- | C] () -- C:\Documents and Settings\George Glading\Local Settings\Application Data\fusioncache.dat

[2006/08/22 17:35:49 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\George Glading\Application Data\PFP120JPR.{PB

[2006/08/22 17:35:49 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\George Glading\Application Data\PFP120JCM.{PB

[2006/08/22 17:30:01 | 000,021,920 | ---- | C] () -- C:\Documents and Settings\George Glading\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2006/08/22 17:22:00 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini

[2006/08/21 21:26:38 | 001,656,424 | -H-- | C] () -- C:\Documents and Settings\George Glading\Local Settings\Application Data\IconCache.db

[2006/08/17 17:17:42 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2006/08/17 17:10:07 | 000,000,126 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2006/08/17 17:07:08 | 000,712,704 | ---- | C] () -- C:\WINDOWS\System32\DellSystemRestore.dll

[2006/08/17 17:02:47 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat

[2006/08/17 16:58:06 | 000,028,779 | ---- | C] () -- C:\WINDOWS\System32\javaw.exe

[2006/08/17 16:58:06 | 000,024,681 | ---- | C] () -- C:\WINDOWS\System32\java.exe

[2006/08/17 16:43:14 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe

[2006/08/17 16:42:56 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

[2006/08/17 16:42:54 | 000,000,392 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[2005/11/10 09:56:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2004/08/10 14:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini

[2004/08/10 14:07:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat

[2004/08/10 14:04:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\control.ini

[2004/08/10 14:03:02 | 000,000,488 | RH-- | C] () -- C:\WINDOWS\System32\logonui.exe.manifest

[2004/08/10 14:02:55 | 000,000,749 | RH-- | C] () -- C:\WINDOWS\System32\cdplayer.exe.manifest

[2004/08/10 14:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

[2004/08/10 14:02:05 | 000,000,037 | ---- | C] () -- C:\WINDOWS\vbaddin.ini

[2004/08/10 14:02:05 | 000,000,036 | ---- | C] () -- C:\WINDOWS\vb.ini

[2004/08/10 14:01:18 | 000,013,223 | ---- | C] () -- C:\WINDOWS\System32\tslabels.ini

[2004/08/10 14:01:18 | 000,001,931 | ---- | C] () -- C:\WINDOWS\System32\msdtcprf.ini

[2004/08/10 14:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

[2004/08/10 13:57:53 | 000,524,016 | ---- | C] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2004/08/10 13:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2004/08/10 13:57:15 | 000,122,928 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2004/08/10 13:51:43 | 000,004,126 | ---- | C] () -- C:\WINDOWS\System32\msdxmlc.dll

[2004/08/10 13:51:42 | 000,498,742 | ---- | C] () -- C:\WINDOWS\System32\dxmasf.dll

[2004/08/10 13:51:34 | 000,069,886 | ---- | C] () -- C:\WINDOWS\System32\edit.com

[2004/08/10 13:51:28 | 000,013,312 | ---- | C] () -- C:\WINDOWS\System32\win87em.dll

[2004/08/10 13:51:28 | 000,000,507 | ---- | C] () -- C:\WINDOWS\win.ini

[2004/08/10 13:51:27 | 000,015,360 | ---- | C] () -- C:\WINDOWS\System32\tsd32.dll

[2004/08/10 13:51:26 | 000,053,478 | ---- | C] () -- C:\WINDOWS\System32\tcpmon.ini

[2004/08/10 13:51:26 | 000,000,227 | ---- | C] () -- C:\WINDOWS\system.ini

[2004/08/10 13:51:22 | 000,011,753 | ---- | C] () -- C:\WINDOWS\System32\setver.exe

[2004/08/10 13:51:22 | 000,000,882 | ---- | C] () -- C:\WINDOWS\System32\share.exe

[2004/08/10 13:51:21 | 000,270,848 | ---- | C] () -- C:\WINDOWS\System32\sbe.dll

[2004/08/10 13:51:21 | 000,012,082 | ---- | C] () -- C:\WINDOWS\System32\rsvp.ini

[2004/08/10 13:51:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat

[2004/08/10 13:51:21 | 000,003,338 | ---- | C] () -- C:\WINDOWS\System32\redir.exe

[2004/08/10 13:51:20 | 001,291,776 | ---- | C] () -- C:\WINDOWS\System32\quartz.dll

[2004/08/10 13:51:20 | 000,733,696 | ---- | C] () -- C:\WINDOWS\System32\qedwipes.dll

[2004/08/10 13:51:20 | 000,562,176 | ---- | C] () -- C:\WINDOWS\System32\qedit.dll

[2004/08/10 13:51:20 | 000,442,466 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat

[2004/08/10 13:51:20 | 000,386,048 | ---- | C] () -- C:\WINDOWS\System32\qdvd.dll

[2004/08/10 13:51:20 | 000,279,040 | ---- | C] () -- C:\WINDOWS\System32\qdv.dll

[2004/08/10 13:51:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat

[2004/08/10 13:51:20 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\qcap.dll

[2004/08/10 13:51:20 | 000,071,732 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat

[2004/08/10 13:51:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat

[2004/08/10 13:51:20 | 000,006,877 | ---- | C] () -- C:\WINDOWS\System32\pschdprf.ini

[2004/08/10 13:51:20 | 000,003,458 | ---- | C] () -- C:\WINDOWS\System32\rasctrs.ini

[2004/08/10 13:51:20 | 000,002,891 | ---- | C] () -- C:\WINDOWS\System32\perfci.ini

[2004/08/10 13:51:20 | 000,002,732 | ---- | C] () -- C:\WINDOWS\System32\perfwci.ini

[2004/08/10 13:51:20 | 000,001,152 | ---- | C] () -- C:\WINDOWS\System32\perffilt.ini

[2004/08/10 13:51:20 | 000,000,343 | ---- | C] () -- C:\WINDOWS\System32\prodspec.ini

[2004/08/10 13:51:18 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

[2004/08/10 13:51:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin

[2004/08/10 13:51:17 | 000,035,648 | ---- | C] () -- C:\WINDOWS\System32\ntio411.sys

[2004/08/10 13:51:17 | 000,035,424 | ---- | C] () -- C:\WINDOWS\System32\ntio412.sys

[2004/08/10 13:51:17 | 000,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio804.sys

[2004/08/10 13:51:17 | 000,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio404.sys

[2004/08/10 13:51:17 | 000,033,840 | ---- | C] () -- C:\WINDOWS\System32\ntio.sys

[2004/08/10 13:51:16 | 000,029,370 | ---- | C] () -- C:\WINDOWS\System32\ntdos411.sys

[2004/08/10 13:51:16 | 000,029,274 | ---- | C] () -- C:\WINDOWS\System32\ntdos412.sys

[2004/08/10 13:51:16 | 000,029,146 | ---- | C] () -- C:\WINDOWS\System32\ntdos804.sys

[2004/08/10 13:51:16 | 000,029,146 | ---- | C] () -- C:\WINDOWS\System32\ntdos404.sys

[2004/08/10 13:51:16 | 000,027,866 | ---- | C] () -- C:\WINDOWS\System32\ntdos.sys

[2004/08/10 13:51:16 | 000,007,052 | ---- | C] () -- C:\WINDOWS\System32\nlsfunc.exe

[2004/08/10 13:51:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

[2004/08/10 13:51:13 | 000,094,282 | ---- | C] () -- C:\WINDOWS\System32\msencode.dll

[2004/08/10 13:51:13 | 000,014,336 | ---- | C] () -- C:\WINDOWS\System32\msdmo.dll

[2004/08/10 13:51:13 | 000,001,405 | ---- | C] () -- C:\WINDOWS\msdfmap.ini

[2004/08/10 13:51:13 | 000,000,817 | ---- | C] () -- C:\WINDOWS\System32\mscdexnt.exe

[2004/08/10 13:51:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat

[2004/08/10 13:51:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin

[2004/08/10 13:51:11 | 000,039,274 | ---- | C] () -- C:\WINDOWS\System32\mem.exe

[2004/08/10 13:51:11 | 000,035,328 | ---- | C] () -- C:\WINDOWS\System32\mciqtz32.dll

[2004/08/10 13:51:10 | 000,042,809 | ---- | C] () -- C:\WINDOWS\System32\key01.sys

[2004/08/10 13:51:10 | 000,042,537 | ---- | C] () -- C:\WINDOWS\System32\keyboard.sys

[2004/08/10 13:51:10 | 000,014,710 | ---- | C] () -- C:\WINDOWS\System32\kb16.com

[2004/08/10 13:51:10 | 000,001,131 | ---- | C] () -- C:\WINDOWS\System32\loadfix.com

[2004/08/10 13:51:09 | 000,199,168 | ---- | C] () -- C:\WINDOWS\System32\ir32_32.dll

[2004/08/10 13:51:08 | 000,004,768 | ---- | C] () -- C:\WINDOWS\System32\himem.sys

[2004/08/10 13:51:07 | 000,019,694 | ---- | C] () -- C:\WINDOWS\System32\graphics.com

[2004/08/10 13:51:07 | 000,000,882 | ---- | C] () -- C:\WINDOWS\System32\fastopen.exe

[2004/08/10 13:51:06 | 001,015,477 | ---- | C] () -- C:\WINDOWS\System32\esentprf.ini

[2004/08/10 13:51:06 | 000,186,880 | ---- | C] () -- C:\WINDOWS\System32\encdec.dll

[2004/08/10 13:51:06 | 000,012,642 | ---- | C] () -- C:\WINDOWS\System32\edlin.exe

[2004/08/10 13:51:06 | 000,008,424 | ---- | C] () -- C:\WINDOWS\System32\exe2bin.exe

[2004/08/10 13:51:05 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat

[2004/08/10 13:50:58 | 000,053,840 | ---- | C] () -- C:\WINDOWS\System32\dosx.exe

[2004/08/10 13:50:56 | 000,059,904 | ---- | C] () -- C:\WINDOWS\System32\devenum.dll

[2004/08/10 13:50:56 | 000,020,634 | ---- | C] () -- C:\WINDOWS\System32\debug.exe

[2004/08/10 13:50:56 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin

[2004/08/10 13:50:55 | 000,355,112 | ---- | C] () -- C:\WINDOWS\System32\msjetoledb40.dll

[2004/08/10 13:50:55 | 000,252,928 | ---- | C] () -- C:\WINDOWS\System32\compatui.dll

[2004/08/10 13:50:55 | 000,050,620 | ---- | C] () -- C:\WINDOWS\System32\command.com

[2004/08/10 13:50:55 | 000,027,097 | ---- | C] () -- C:\WINDOWS\System32\country.sys

[2004/08/10 13:50:53 | 000,070,656 | ---- | C] () -- C:\WINDOWS\System32\amstream.dll

[2004/08/10 13:50:53 | 000,012,498 | ---- | C] () -- C:\WINDOWS\System32\append.exe

[2004/08/10 13:50:53 | 000,009,029 | ---- | C] () -- C:\WINDOWS\System32\ansi.sys

[2001/08/17 23:36:42 | 000,055,296 | ---- | C] () -- C:\WINDOWS\System32\dvdplay.exe

[2001/08/17 23:36:28 | 000,157,696 | ---- | C] () -- C:\WINDOWS\System32\paqsp.dll

[1997/07/11 01:00:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\XLREC.DLL

[1997/07/11 01:00:00 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\RECNCL.DLL

[1997/07/11 01:00:00 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL

[1997/07/11 01:00:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== LOP Check ==========

[2011/04/10 14:24:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\cKe31001iLpBp31001

[2009/12/26 18:59:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Juniper Networks

[2008/02/10 21:10:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft

[2006/08/17 17:03:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint

[2010/07/04 14:50:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\George Glading\Application Data\Juniper Networks

[2006/08/22 17:47:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\George Glading\Application Data\Leadertech

[2007/08/06 12:05:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\George Glading\Application Data\My Sam's Club Digital Photo Center

[2008/08/04 18:16:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\George Glading\Application Data\Skinux

[2008/09/07 13:14:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\George Glading\Application Data\Wal-Mart Digital Photo Manager

[2007/07/16 10:16:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\George Glading\Application Data\Wal-Mart Digital Photo Viewer

[2011/04/11 06:48:13 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

[2011/04/10 22:05:59 | 000,000,252 | -H-- | M] () -- C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job

[2011/04/10 22:06:01 | 000,000,252 | -H-- | M] () -- C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job

[2011/04/10 22:05:48 | 000,000,252 | -H-- | M] () -- C:\WINDOWS\Tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job

========== Purity Check ==========

< End of report >


OTL Extras logfile created on: 4/11/2011 6:47:10 AM - Run 1

OTL by OldTimer - Version 3.2.22.3 Folder = D:\

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 772.00 Mb Available Physical Memory | 76.00% Memory free

2.00 Gb Paging File | 1.00 Gb Available in Paging File | 87.00% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 145.82 Gb Total Space | 122.66 Gb Free Space | 84.12% Space Free | Partition Type: NTFS

Drive D: | 1008.00 Mb Total Space | 988.56 Mb Free Space | 98.07% Space Free | Partition Type: FAT32

Computer Name: BUFFY1 | User Name: George Glading | Logged in as Administrator.

Boot Mode: SafeMode with Networking | Scan Mode: All users

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: Off | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.exe [@ = exefile] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe ()

[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]

.exe [@ = exefile] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe ()

[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]

.exe [@ = exefile] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe ()

[HKEY_USERS\S-1-5-21-3634577268-1262034776-152407426-1006\SOFTWARE\Classes\<extension>]

.exe [@ = exefile] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe ()

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe" -a "%1" %* ()

htmlfile [edit] -- Reg Error: Key error.

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 1

"FirewallDisableNotify" = 1

"UpdatesDisableNotify" = 1

"AntiVirusOverride" = 1

"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

"9051:UDP" = 9051:UDP:LocalSubNet:Enabled:Verizon Tech Wizard

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL

"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL

"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL

"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL

"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL

"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe:*:Enabled:Kaspersky Anti-Virus

"C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe" = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater

"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe" = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare

"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe:*:Enabled:Kaspersky Anti-Virus

"C:\Program Files\ZyXEL G-220v3 Wireless USB Adapter Utility\ZyXEL G-220v3.exe" = C:\Program Files\ZyXEL G-220v3 Wireless USB Adapter Utility\ZyXEL G-220v3.exe:*:Enabled:ZyXEL G-220v3 Wireless USB Adapter Utility -- (ZyXEL Communications Corp.)

"C:\Program Files\Juniper Networks\Secure Application Manager\dsSamProxy.exe" = C:\Program Files\Juniper Networks\Secure Application Manager\dsSamProxy.exe:*:Enabled:Secure Application Manager Proxy -- (Juniper Networks)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data

"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE

"{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}" = Intel® PROSet for Wired Connections

"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool

"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD LE

"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT

"{29DFAB41-7D73-4E92-9329-FB1ECBD2EF83}" = ZyXEL G-220v3 Wireless USB Adapter Utility

"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager

"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform

"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting

"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer

"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant

"{4667B940-BB01-428B-986E-A0CC46497BF7}" = ELIcon

"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials

"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool

"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module

"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon

"{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}" = Digital Content Portal

"{6D75B1F6-1A91-42F5-B637-FABB5095C830}" = Security Advisor

"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer

"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03

"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore

"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware

"{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client

"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport

"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver

"{8C19F391-A225-4F32-8681-EDB8AFE6E436}" = ML-1200 Series

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio

"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2

"{AEC0CEBC-0FC7-4716-8222-1C4A742719B1}" = Samsung Master

"{B10914FD-8812-47A4-85A1-50FCDE7F1F33}" = Windows Live Sync

"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C7C9A07F-EC37-40C8-B6C2-5BAC806FD668}" = Magellan RoadMate POI Manager

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU

"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center

"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect

"{EE39FFBD-544E-49E4-A999-6819828EAE91}" = Windows Live Photo Gallery

"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]

"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem

"Coupon Printer for Windows4.0" = Coupon Printer for Windows

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"ie8" = Windows Internet Explorer 8

"Juniper_Setup_Client Activex Control" = Juniper Networks Setup Client Activex Control

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft Security Client" = Microsoft Security Essentials

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"Neoteris_Secure_Application_Manager" = Juniper Networks Secure Application Manager

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"Office8.0" = Microsoft Office 97, Professional Edition

"PeoplePC Toolbar" = PeoplePC: PeoplePal Toolbar 6.2

"PROSet" = Intel® PRO Network Adapters and Drivers

"QuickTime" = QuickTime

"ViewpointMediaPlayer" = Viewpoint Media Player

"WIC" = Windows Imaging Component

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WinLiveSuite_Wave3" = Windows Live Essentials

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3634577268-1262034776-152407426-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"Juniper_Networks_Cache_Cleaner 6.5.0" = Juniper Networks Cache Cleaner 6.5.0

"Juniper_Setup_Client" = Juniper Networks Setup Client

"Neoteris_Host_Checker" = Juniper Networks Host Checker

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 4/10/2011 6:05:57 PM | Computer Name = BUFFY1 | Source = MPSampleSubmission | ID = 5000

Description = EventType avsubmit, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),

P2 1.1.6702.0, P3 1.101.1132.0, P4 1.101.1132.0, P5 200083b3e7fbdd23_5e871e01ffacb61935da701759338d1fc2ee810e,

P6 NIL, P7 NIL, P8 NIL, P9 NIL, P10 NIL.

Error - 4/10/2011 9:43:09 PM | Computer Name = BUFFY1 | Source = crypt32 | ID = 131083

Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

with error: A required certificate is not within its validity period when verifying

against the current system clock or the timestamp in the signed file.

Error - 4/10/2011 9:43:09 PM | Computer Name = BUFFY1 | Source = crypt32 | ID = 131083

Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

with error: A required certificate is not within its validity period when verifying

against the current system clock or the timestamp in the signed file.

Error - 4/10/2011 9:43:10 PM | Computer Name = BUFFY1 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The connection with the server was terminated abnormally

Error - 4/10/2011 9:43:10 PM | Computer Name = BUFFY1 | Source = crypt32 | ID = 131083

Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

with error: A required certificate is not within its validity period when verifying

against the current system clock or the timestamp in the signed file.

Error - 4/10/2011 9:43:11 PM | Computer Name = BUFFY1 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

Error - 4/10/2011 9:43:11 PM | Computer Name = BUFFY1 | Source = crypt32 | ID = 131083

Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

with error: A required certificate is not within its validity period when verifying

against the current system clock or the timestamp in the signed file.

Error - 4/10/2011 9:43:11 PM | Computer Name = BUFFY1 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

Error - 4/10/2011 9:43:15 PM | Computer Name = BUFFY1 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The connection with the server was terminated abnormally

Error - 4/10/2011 9:43:15 PM | Computer Name = BUFFY1 | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

[ System Events ]

Error - 4/10/2011 10:26:49 PM | Computer Name = BUFFY1 | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/10/2011 10:26:49 PM | Computer Name = BUFFY1 | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/10/2011 10:29:20 PM | Computer Name = BUFFY1 | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/10/2011 10:42:29 PM | Computer Name = BUFFY1 | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/10/2011 10:42:30 PM | Computer Name = BUFFY1 | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/10/2011 10:57:34 PM | Computer Name = BUFFY1 | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 4/11/2011 6:43:59 AM | Computer Name = BUFFY1 | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 4/11/2011 6:44:03 AM | Computer Name = BUFFY1 | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/11/2011 6:44:03 AM | Computer Name = BUFFY1 | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/11/2011 6:44:31 AM | Computer Name = BUFFY1 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

Fips intelppm MpFilter

< End of report >


From the logs I can see that you've downloaded ComboFix.

Running powerful tools like ComboFix without supervision can be dangerous and isn't advisable to do.

Step 1.

OTL-fix:

Run OTL.exe

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    O3 - HKLM\..\Toolbar: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - No CLSID value found.
    O4 - HKU\.DEFAULT..\RunOnce: [cKe31001iLpBp31001] C:\Documents and Settings\All Users\Application Data\cKe31001iLpBp31001\cKe31001iLpBp31001.exe ()
    O4 - HKU\S-1-5-18..\RunOnce: [cKe31001iLpBp31001] C:\Documents and Settings\All Users\Application Data\cKe31001iLpBp31001\cKe31001iLpBp31001.exe ()
    O35 - HKLM\..exefile [open] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe" -a "%1" %* ()
    O35 - HKU\S-1-5-21-3634577268-1262034776-152407426-1006..exefile [open] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe" -a "%1" %* ()
    O37 - HKLM\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe" -a "%1" %* ()
    O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe" -a "%1" %* ()
    O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe" -a "%1" %* ()
    O37 - HKU\S-1-5-21-3634577268-1262034776-152407426-1006\...exe [@ = exefile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe" -a "%1" %* ()
    [2011/04/10 22:14:35 | 000,021,136 | -HS- | M] () -- C:\Documents and Settings\George Glading\Local Settings\Application Data\wr4s813p003535aw755mk40637803p2fsky8
    [2011/04/10 22:14:35 | 000,021,136 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\wr4s813p003535aw755mk40637803p2fsky8
    [2011/04/10 22:06:01 | 000,000,252 | -H-- | M] () -- C:\WINDOWS\tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
    [2011/04/10 22:05:59 | 000,000,252 | -H-- | M] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
    [2011/04/10 22:05:48 | 000,000,252 | -H-- | M] () -- C:\WINDOWS\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
    [2011/04/10 17:03:10 | 000,000,192 | ---- | M] () -- C:\WINDOWS\System32\a
    [2011/04/10 17:03:05 | 000,470,016 | ---- | M] () -- C:\WINDOWS\System32\a.exe
    [2011/04/10 15:01:28 | 001,228,854 | ---- | M] () -- C:\fsqwr.bmp
    [2011/04/10 22:09:26 | 004,318,324 | ---- | C] () -- C:\Documents and Settings\George Glading\Desktop\ComboFix.exe
    [2011/04/10 17:52:45 | 000,021,140 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\wr4s813p003535aw755mk40637803p2fsky8
    [2011/04/10 17:52:45 | 000,021,136 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\wr4s813p003535aw755mk40637803p2fsky8
    [2011/04/10 17:52:35 | 000,229,456 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe
    [2011/04/10 14:24:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\cKe31001iLpBp31001
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "AntiVirusDisableNotify" = DWORD:0
    "FirewallDisableNotify" = DWORD:0
    "UpdatesDisableNotify" = DWORD:0
    "AntiVirusOverride" = DWORD:0
    "FirewallOverride" = DWORD:0
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = DWORD:0
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = DWORD:0
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL fixlog

Step 2.

ComboFix:

Download ComboFix from one of these locations:

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. Here is a howto for some of the applications.
    They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Step 3.

Things I would like to see in your reply:

  1. The content of the fixlog from OTL in step 1.
  2. The content of C:\ComboFix.txt from step 2.
  3. Information on how your computer is running after those steps.

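
The handler hijack and the suppressed Security Center warnings that the OTL fix above corrects can be spotted mechanically in an OTL Extras log. The Python below is an added example, not code from this thread, from OTL or from its author: it parses constructed excerpts of the log posted above (real OTL Extras format) and flags any .exe / exefile command that differs from the Windows default `"%1" %*`, the Security Center override values set to 1, and the firewall profile values; the category names are my own, and the windows-firewall-off finding is informational since the fix above leaves that value alone.

```python
import re
from collections import Counter

# Windows default exefile [open] command; anything else means the .exe handler is hijacked.
DEFAULT_EXE_OPEN = '"%1" %*'
# Security Center values the :Reg part of the fix resets to 0 (1 = warnings suppressed).
SECURITY_CENTER_KEYS = {"AntiVirusDisableNotify", "FirewallDisableNotify",
                        "UpdatesDisableNotify", "AntiVirusOverride", "FirewallOverride"}

SECTION_RE = re.compile(r"^=+ (.+?) =+$")           # ========== Section ==========
HIVE_RE = re.compile(r"^\[(.+)\]$")                  # [HKEY_...\...]
VALUE_RE = re.compile(r'^"([^"]+)" = (\S+)')         # "Name" = value
# ".exe [@ = exefile] -- <resolved command> ()" and "exefile [open] -- <command> ()"
ASSOC_RE = re.compile(r"^\.exe \[@ = \w+\] -- (.+?)(?: \(\))?$")
SPAWN_RE = re.compile(r"^exefile \[open\] -- (.+?)(?: \(\))?$")

# Constructed sample: excerpts of the OTL Extras log posted in this thread.
SAMPLE_LOG = r"""
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.exe [@ = exefile] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe ()
[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe ()
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
exefile [open] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe" -a "%1" %* ()
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 1
"""


def parse_sections(text):
    """Split an OTL Extras log into {section name: [(registry hive, line), ...]}."""
    sections, current, hive = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current, hive = m.group(1), None
            sections[current] = []
        elif current is not None:
            m = HIVE_RE.match(line)
            if m:
                hive = m.group(1)   # following value lines belong to this hive
            else:
                sections[current].append((hive, line))
    return sections


def find_indicators(text):
    """Return [(category, hive, detail), ...] for the signs the OTL fix targets."""
    findings = []
    sections = parse_sections(text)
    for hive, line in sections.get("File Associations", []):
        m = ASSOC_RE.match(line)
        if m and m.group(1).strip() != DEFAULT_EXE_OPEN:
            findings.append(("exe-association-hijack", hive, m.group(1).strip()))
    for hive, line in sections.get("Shell Spawning", []):
        m = SPAWN_RE.match(line)
        if m and m.group(1).strip() != DEFAULT_EXE_OPEN:
            findings.append(("exefile-open-hijack", hive, m.group(1).strip()))
    for hive, line in sections.get("Security Center Settings", []):
        m = VALUE_RE.match(line)
        if m and m.group(1) in SECURITY_CENTER_KEYS and m.group(2) == "1":
            findings.append(("security-center-override", hive, line))
    for hive, line in sections.get("Firewall Settings", []):
        m = VALUE_RE.match(line)
        if m and m.groups() == ("DisableNotifications", "1"):
            findings.append(("firewall-notifications-disabled", hive, line))
        elif m and m.groups() == ("EnableFirewall", "0"):
            # Informational: the fix above does not re-enable the Windows firewall.
            findings.append(("windows-firewall-off", hive, line))
    return findings


def count_by_category(findings):
    """Collapse findings into {category: count} for a quick triage summary."""
    return dict(Counter(category for category, _, _ in findings))


if __name__ == "__main__":
    for category, hive, detail in find_indicators(SAMPLE_LOG):
        print(f"{category:32} [{hive}]\n    {detail}")
```

Run against the sample it reports the two hijacked .exe associations, the hijacked exefile open command, the five Security Center overrides and the two firewall values; a clean log yields no findings.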

From the logs I can see that you've downloaded ComboFix.

Running powerful tools like ComboFix without supervision can be dangerous and isn't advisable to do.

I guess it's good I wasn't able to get it to run then. :)

I've been running DDS & OTL in safe mode. Is there a preference?

I'll run this tonight but it won't be until late evening. Thanks for the help. I really appreciate it and ultimately my neighbors appreciate it.


OTL Fixlog

All processes killed

========== OTL ==========

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{A8FB8EB3-183B-4598-924D-86F0E5E37085} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A8FB8EB3-183B-4598-924D-86F0E5E37085}\ not found.

Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\\cKe31001iLpBp31001 deleted successfully.

C:\Documents and Settings\All Users\Application Data\cKe31001iLpBp31001\cKe31001iLpBp31001.exe moved successfully.

Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\\cKe31001iLpBp31001 not found.

File C:\Documents and Settings\All Users\Application Data\cKe31001iLpBp31001\cKe31001iLpBp31001.exe not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\'' updated successfully.

C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe moved successfully.

Registry value HKEY_USERS\S-1-5-21-3634577268-1262034776-152407426-1006_Classes\exefile\shell\open\command\\'' updated successfully.

File "C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe" -a "%1" %* not found.

HKEY_LOCAL_MACHINE\Software\Classes\.exe\shell\open\command\\|"%1" %* /E : value set successfully!

HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!

Registry key HKEY_USERS\.DEFAULT\Software\Classes\.exe\ deleted successfully.

Registry key HKEY_USERS\.DEFAULT\Software\Classes\exefile\ deleted successfully.

HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!

Registry key HKEY_USERS\S-1-5-18\Software\Classes\.exe\ not found.

Registry key HKEY_USERS\S-1-5-18\Software\Classes\exefile\ not found.

HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!

Registry key HKEY_USERS\S-1-5-21-3634577268-1262034776-152407426-1006_Classes\.exe\ deleted successfully.

Registry key HKEY_USERS\S-1-5-21-3634577268-1262034776-152407426-1006_Classes\exefile\ deleted successfully.

HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!

File C:\Documents and Settings\George Glading\Local Settings\Application Data\wr4s813p003535aw755mk40637803p2fsky8 not found.

C:\Documents and Settings\All Users\Application Data\wr4s813p003535aw755mk40637803p2fsky8 moved successfully.

C:\WINDOWS\tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job moved successfully.

C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job moved successfully.

C:\WINDOWS\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job moved successfully.

C:\WINDOWS\system32\a moved successfully.

C:\WINDOWS\system32\a.exe moved successfully.

C:\fsqwr.bmp moved successfully.

File C:\Documents and Settings\George Glading\Desktop\ComboFix.exe not found.

C:\Documents and Settings\NetworkService\Local Settings\Application Data\wr4s813p003535aw755mk40637803p2fsky8 moved successfully.

File C:\Documents and Settings\All Users\Application Data\wr4s813p003535aw755mk40637803p2fsky8 not found.

File C:\Documents and Settings\NetworkService\Local Settings\Application Data\bxe.exe not found.

Folder C:\Documents and Settings\All Users\Application Data\cKe31001iLpBp31001\ not found.

========== REGISTRY ==========

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\"AntiVirusDisableNotify" | DWORD:0 /E : value set successfully!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\"FirewallDisableNotify" | DWORD:0 /E : value set successfully!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\"UpdatesDisableNotify" | DWORD:0 /E : value set successfully!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\"AntiVirusOverride" | DWORD:0 /E : value set successfully!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\"FirewallOverride" | DWORD:0 /E : value set successfully!

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\\"DisableNotifications" | DWORD:0 /E : value set successfully!

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\"DisableNotifications" | DWORD:0 /E : value set successfully!

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

User: George Glading

->Temp folder emptied: 227945865 bytes

->Temporary Internet Files folder emptied: 272305417 bytes

->Java cache emptied: 1859434 bytes

->Flash cache emptied: 68899 bytes

User: LocalService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 5469789 bytes

->Java cache emptied: 0 bytes

->Flash cache emptied: 3878 bytes

User: NetworkService

->Temp folder emptied: 2453208 bytes

->Temporary Internet Files folder emptied: 138391860 bytes

->Java cache emptied: 1450053 bytes

->Flash cache emptied: 18435 bytes

User: Owner

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 19569 bytes

%systemroot%\System32 .tmp files removed: 2577 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 119110718 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 27223124 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 55319 bytes

RecycleBin emptied: 3878014905 bytes

Total Files Cleaned = 4,458.00 mb

[EMPTYFLASH]

User: All Users

User: Default User

User: George Glading

->Flash cache emptied: 0 bytes

User: LocalService

->Flash cache emptied: 0 bytes

User: NetworkService

->Flash cache emptied: 0 bytes

User: Owner

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.22.3 log created on 04112011_212216

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
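The fixlog above records the two things this rogue did to the .exe file association: it re-pointed exefile\shell\open\command through bxe.exe, and it planted per-user .exe and exefile keys under HKEY_USERS\<SID>_Classes that shadow the machine-wide ones. Below is an added example of how a defender could audit that association in Python; it is not code from this thread, from OTL or from ComboFix, and the key list and helper names are my own (the live registry read only runs on Windows).

```python
r"""Audit the .exe file association that rogue AV families hijack.

Added example; not code from this thread, from OTL or from ComboFix.
On XP the clean default of HKCR\exefile\shell\open\command is  "%1" %*
(run the requested program with its arguments).  The OTL fixlog shows the
rogue had replaced it with  "...\bxe.exe" -a "%1" %*  so that every .exe
launch went through bxe.exe first, and had also planted per-user .exe /
exefile keys under HKEY_USERS\<SID>_Classes, which override the
machine-wide key in the merged HKEY_CLASSES_ROOT view.
"""
import re
import sys
from typing import List, Optional, Tuple

# Clean default on Windows XP for exefile\shell\open\command.
EXPECTED_EXEFILE_COMMAND = '"%1" %*'

# The value OTL reported (and reset) in the fixlog above, quoted from the log.
HIJACKED_SAMPLE = (r'"C:\Documents and Settings\NetworkService\Local Settings'
                   r'\Application Data\bxe.exe" -a "%1" %*')

# Both locations feed HKCR\exefile; the per-user one wins when it exists.
# This list is my own; hive names are resolved through winreg on Windows.
EXEFILE_COMMAND_KEYS: List[Tuple[str, str]] = [
    ("HKEY_CURRENT_USER", r"Software\Classes\exefile\shell\open\command"),
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Classes\exefile\shell\open\command"),
]

# A command that starts with a quoted or bare .exe path before "%1".
_LEADING_EXE = re.compile(r'^\s*(?:"([^"]+?\.exe)"|(\S+?\.exe))(?=\s|$)', re.I)


def normalise(command: str) -> str:
    """Collapse whitespace so harmless spacing differences do not raise alerts."""
    return " ".join(command.strip().split())


def exefile_command_is_hijacked(command: str) -> bool:
    """True unless the command is exactly the clean default (whitespace aside)."""
    return normalise(command) != EXPECTED_EXEFILE_COMMAND


def hijacker_path(command: str) -> Optional[str]:
    """Executable interposed in front of "%1" in a hijacked command, else None."""
    m = _LEADING_EXE.match(command)
    return (m.group(1) or m.group(2)) if m else None


def audit_live_exefile_keys() -> List[Tuple[str, str, str, bool]]:
    """Read the live keys on Windows; returns (hive, subkey, value, hijacked).

    Returns an empty list on other platforms so the module stays importable.
    """
    if sys.platform != "win32":
        return []
    import winreg  # standard library, Windows only
    findings = []
    for hive_name, subkey in EXEFILE_COMMAND_KEYS:
        try:
            with winreg.OpenKey(getattr(winreg, hive_name), subkey) as key:
                value, _ = winreg.QueryValueEx(key, "")  # "" reads the default value
        except OSError:
            continue  # an absent per-user key is the normal, clean case
        findings.append((hive_name, subkey, value, exefile_command_is_hijacked(value)))
    return findings


if __name__ == "__main__":
    for hive, subkey, value, bad in audit_live_exefile_keys():
        flag = "HIJACKED" if bad else "ok"
        print(f"{flag:8} {hive}\\{subkey} = {value}")
        if bad and hijacker_path(value):
            print(f"         interposed executable: {hijacker_path(value)}")
```

A per-user exefile key that exists at all is worth a look even when its value is clean, since XP does not create one by default.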


ComboFix Log

ComboFix 11-04-11.02 - George Glading 04/11/2011 22:03:25.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.655 [GMT -4:00]

Running from: c:\documents and settings\George Glading\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\George Glading\Application Data\JuniperExtXP.exe

.

.

\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected

.

((((((((((((((((((((((((( Files Created from 2011-03-12 to 2011-04-12 )))))))))))))))))))))))))))))))

.

.

2011-04-10 21:47 . 2011-04-10 21:47 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2011-04-10 21:02 . 2011-04-10 21:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-04-10 18:24 . 2011-04-12 01:22 -------- d-----w- c:\documents and settings\All Users\Application Data\cKe31001iLpBp31001

2011-04-10 18:23 . 2011-04-10 18:23 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2011-04-09 11:08 . 2011-03-15 04:05 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E188F7E8-5BF0-490A-8312-3124D82A20E1}\mpengine.dll

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-15 04:05 . 2010-02-28 00:49 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-02-09 13:53 . 2004-08-10 17:51 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2004-08-10 17:51 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 07:58 . 2004-08-10 18:01 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2004-08-10 18:01 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2004-08-10 17:51 439296 ----a-w- c:\windows\system32\shimgvw.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-06 94208]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-06 77824]

"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-06 114688]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-17 98304]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

ZyXEL G-220v3 Wireless USB Adapter Utility.lnk - c:\program files\ZyXEL G-220v3 Wireless USB Adapter Utility\ZyXEL G-220v3.exe [2009-5-14 10792960]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk

backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk

backup=c:\windows\pss\Office Startup.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

2007-03-15 15:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]

2006-05-03 08:12 98304 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]

2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]

2005-07-13 00:05 1117184 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2006-08-17 21:03 98304 ----a-w- c:\program files\QuickTime\qttask.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\ZyXEL G-220v3 Wireless USB Adapter Utility\\ZyXEL G-220v3.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=

.

R1 NEOFLTR_650_14951;Juniper Networks TDI Filter Driver (NEOFLTR_650_14951);c:\windows\system32\drivers\NEOFLTR_650_14951.SYS [12/26/2009 6:59 PM 85288]

S3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;c:\windows\system32\drivers\WlanGZXP.sys [5/14/2009 5:26 PM 735232]

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-12 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://news.google.com/news?ned=us

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

.

- - - - ORPHANS REMOVED - - - -

.

MSConfigStartUp-Verizon Custom Uninstall Tracking - c:\docume~1\GEORGE~1\LOCALS~1\Temp\InstallHelper.exe

MSConfigStartUp-VerizonServicepoint - c:\program files\Verizon\VSP\VerizonServicepoint.exe

MSConfigStartUp-Verizon_McciTrayApp - c:\program files\Verizon\McciTrayApp.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-11 22:10

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2011-04-11 22:12:45

ComboFix-quarantined-files.txt 2011-04-12 02:12

.

Pre-Run: 135,226,912,768 bytes free

Post-Run: 135,187,402,752 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 6A3086C55967C4B210507A981FD31934


The PC seems to be running a lot better but it's still infected with something or part of the OS is now corrupt.

Security Essentials wouldn't update. Removed & re-installed and that seems fine now.

Windows Update doesn't work. I get an error stating that the website has encountered a problem and can't display the page you are trying to view. The machine is connected to the internet and IE & Chrome appear to work fine.

Also Automatic Updates are shown as off. If I go into the Security Center, I can manually turn them on but it's still not reflected as being on in the Security Center.

Notes about my experiences:

1) When I ran OTL with the info pasted in, I got a message that I recovered from a serious error. It seemed to continue the process, so I let it go. Here is a screenshot:


2) Moving on to ComboFix. I installed the Recovery Console because it couldn't find it. Rebooted because of presence of rootkit. I got an error that PEV.exe has encountered a problem and needs to close. ComboFix continued to work, so I let it press on.

3) After everything was done and I rebooted, started MSE, pulled out the flash drive, and suddenly lost video. No idea what that's all about. It hasn't done it since but I'm mentioning it anyway. Couldn't see anything, so I powered down clean and powered back up.

4) Decided to skip MSE for now. Instead I ran Malwarebytes after updating it several times. The version that was on there was old. I ran it. During the malware scan MSE must have been doing its normal scanning. I didn't tell it to. It found 2 items (Winwebsec & FakeRean). I deleted them. Malwarebytes finally finished its thing and detected 3 items, some of which may have been the same ones I deleted with MSE. I deleted the detected items.

Here is the mbam log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6339

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/12/2011 12:49:42 AM
mbam-log-2011-04-12 (00-49-33).txt

Scan type: Full scan (C:\|)
Objects scanned: 202222
Time elapsed: 1 hour(s), 8 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP804\A0130297.exe (Trojan.FakeAlert) -> No action taken.
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP804\A0130298.exe (Trojan.Agent) -> No action taken.
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP804\A0130299.exe (Trojan.FakeAlert) -> No action taken.

5) I just finished running a full scan using MSE and it says everything looks clean now.

Looks like I just need to get Windows Update working and the Automatic Updates to really be on (I can't tell by the conflicting messages).

Thanks again for the help.


I suspect that the hiccup with OTL was due to the malware that Combofix took care of later.

What MBAM found was stuff in system restore. When we are done we'll reset system restore.

Is MSE functioning as it should now?

Before we fix Windows update we'll do an online scan. (You should never update an infected computer.)

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
     ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
     • Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
     • Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
  4. Check esetAcceptTerms.png
  5. Click the esetStart.png button.
  6. Accept any security warnings from your browser.
  7. Under scan settings, check esetScanArchives.png and check Remove found threats.
  8. Click Advanced settings and select the following:
     • Scan potentially unwanted applications
     • Scan for potentially unsafe applications
     • Enable Anti-Stealth technology
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push esetListThreats.png
  11. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the esetBack.png button.
  13. Push esetFinish.png


Is MSE functioning as it should now?

Yeah, MSE seems to be running fine now. It ran fine after the OTL & ComboFix but just wouldn't update. But all is good with a reinstall. It updates fine.

I rescanned with MSE & Malwarebytes last night and both came up clean again.

I'll do a scan later tonight with ESET when I return home.


Scanned with ESET and found 0 threats. There was no option for "List of Found Threats" when it finished scanning to send you a log. Presumably because it's clean and didn't find anything.

While I was at it, I fixed the Windows Update issue and it's updating XP now. The machine appears to be in its old state. My neighbors are going to be quite happy. Thank you. You'll be getting the credit, not me.

I think I'm good but I'll refrain from saying that positively until you tell me. :) Is there anything else you would like me to do and post?

What do you recommend for actually blocking this particular crap on XP? Worst case I'll give them a limited account but I'd rather not. Would the paid version of Malwarebytes have blocked this? I have switched them from IE to Chrome, my browser of choice. It'll help but I realize it's not the perfect solution. They're old (late 70's), so I need a simple solution for them.


While I was at it, I fixed the Windows Update issue and it's updating XP now.
OK as your logs are clean. But remember NEVER update windows on an infected computer, clean it first.
I think I'm good but I'll refrain from saying that positively until you tell me. :) Is there anything else you would like me to do and post?
I'd like you to do this Security Check.

Download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

It looks as if some Norton/Symantec product has been running on this computer, is that correct? Has it been uninstalled?

What do you recommend for actually blocking this particular crap on XP?
I'll give some recommendations when we do the housekeeping (cleanup from the tools we've used).
Worst case I'll give them a limited account but I'd rather not. Would the paid version of Malwarebytes have blocked this?
With the paid version you get:
Activating the full version unlocks realtime protection, scheduled scanning, and scheduled updating. For consumers and personal use, it is a one time fee of $24.95.
I have switched them from IE to Chrome, my browser of choice. It'll help but I realize it's not the perfect solution. They're old (late 70's), so I need a simple solution for them.
I know the situation. My folks are in the mid to late 80's. They should use what they are comfortable with. Are there any other users on that computer like grandchildren? Kids/youngsters often just click on things and don't think. I'll see what I can come up with that's simple.

First I'd like to see the content of checkup.txt and answer to the questions.

/heir


Results of screen317's Security Check version 0.99.10

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

Microsoft Security Essentials

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 2 Runtime Environment, SE v1.4.2_03

Adobe Flash Player

Adobe Reader 8.1.2

Adobe Reader 8.1.2 Security Update 1 (KB403742)

Out of date Adobe Reader installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Windows Defender MSMpEng.exe

Microsoft Security Essentials msseces.exe

Microsoft Security Client Antimalware MsMpEng.exe

``````````End of Log````````````


It looks as some Norton/Symantec product has been running on this computer, is that correct? Has it been uninstalled?

I think a Norton trial may have come on it but it was uninstalled right away. I had Kaspersky on there for a couple years and then switched them to Security Essentials when it came out. It's uninstalled too.

When I said "Limited Account" I was actually referring to the Windows XP User Account. By doing that they shouldn't be able to install anything. It's a solution but somewhat of an annoyance in XP. The little they do with the computer, it might work though. I did this with another neighbor and haven't gotten a call since then. It was the 2010 version of this variant. Nasty crap. I just reinstalled Windows and all the apps that time. This time I found you. :)

Are there any other users on that computer like grandchildren?

This was my first thought too. It seemed to happen on Sunday and the grandkids haven't been around for awhile. But they're not 100% sure how they got it. I dunno.

Thanks.

Adobe Reader looks to be out of date. I'll be sure to update that.


One final thing. Their firewall is disabled. I know that. But they are indeed behind a router. The machine isn't sitting on the internet.

A software firewall isn't the same thing as a hardware firewall in a router. The settings available in a hardware firewall inside the router differ between routers and are often limited. I would recommend that a software firewall be used as well.

Adobe Reader looks to be out of date. I'll be sure to update that.

Make sure that the old ones get uninstalled first.

The recommendations below are just that: you need to decide which and what to use yourself.

Hey there, clambert!

OK! Well done, your log is clean again!

Time for some housekeeping.

Step 1.

Clean up:

What we need to do is remove all the tools that you have used. This is so that should you ever be re-infected, you will download updated versions. It will also remove the quarantined malware from your computer.

First:

  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

Second:

Double-click OTL to start it.

Click the Clean up button

Click Yes to the reboot.

Now delete any tools/logs that are left over after you ran OTL Clean up.

Step 2.

Prevention:

Upgrading Java:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME.

Upgrading Java :

  • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 24.
  • Click the JDK 6 Update 24 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u24-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u24-windows-i586.exe and select "Run as an Administrator.")

Second:

One of the essentials is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows

  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the Internet.
  • Click Apply then OK.

Third:

Now let's download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware

  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.


Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.

Fourth:

Next let's look at Firewalls. These help to prevent unauthorized access both to and from the Internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are two free firewalls to choose from, if you do not already have one. Note: You only need one firewall on your system.

Personal Firewalls

Lastly:

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!
