Cannot Remove Jollywallet


  • This topic is locked
28 replies to this topic

#1 abraxas123

abraxas123

  • Members
  • 34 posts

Posted 16 December 2012 - 10:41 AM

Hi All,

The previous thread related to this issue is located here:
http://www.bleepingcomputer.com/forums/topic478162.html/page__pid__2920886#entry2920886

In a quick summary, a form of malware installed itself on my computer. Through the kind folks here, some removal has been completed, but adware is still occurring, and using ESET caused system instabilities. I suspect the adware is associated with a program called "Infoatoms". Any advice or guidance would be greatly appreciated.

From dds.txt:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by bcrandal at 10:35:07 on 2012-12-16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.922 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe" //mailurl:mailto: removed email address to prevent spam.-ST
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

From attach.txt:

E: is FIXED (NTFS) - 233 GiB total, 180.214 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP367: 11/29/2012 5:16:34 AM - Software Distribution Service 3.0
RP368: 11/30/2012 8:47:04 AM - Software Distribution Service 3.0
RP369: 12/1/2012 9:42:22 AM - Software Distribution Service 3.0
RP370: 12/2/2012 4:37:38 PM - Software Distribution Service 3.0
RP371: 12/3/2012 4:51:15 PM - Software Distribution Service 3.0
RP372: 12/4/2012 8:15:45 PM - System Checkpoint
RP373: 12/4/2012 8:46:03 PM - Software Distribution Service 3.0
RP374: 12/6/2012 4:07:08 PM - Software Distribution Service 3.0
RP375: 12/7/2012 7:24:06 PM - Software Distribution Service 3.0
RP376: 12/9/2012 7:06:51 AM - Software Distribution Service 3.0
RP377: 12/10/2012 5:38:41 PM - Software Distribution Service 3.0
RP378: 12/11/2012 8:42:21 PM - System Checkpoint
RP379: 12/11/2012 10:27:41 PM - Removed Strongvault Online Backup
RP380: 12/11/2012 10:44:46 PM - Software Distribution Service 3.0
RP381: 12/12/2012 7:09:04 AM - Software Distribution Service 3.0
RP382: 12/13/2012 7:23:06 AM - Software Distribution Service 3.0
RP383: 12/15/2012 2:12:47 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.4)
AMD Processor Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Display Driver
Bonjour
Broadcom Gigabit Integrated Controller
Conexant HDA D330 MDC V.92 Modem
Dell Touchpad
DW WLAN Card Utility
ESET Online Scanner v3
Free YouTube to iPod Converter version 3.10.13.1123
GPL Ghostscript 8.71
GSview 4.9
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
InfoAtoms [Uninstall]
iTunes
Java Auto Updater
Java™ 6 Update 29

Edited by SweetTech, 16 December 2012 - 05:08 PM.
Moved from Am I Infected to Malware Removal Logs - Hamluis.



#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 16 December 2012 - 05:09 PM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • If I instruct you to download a specific tool that you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)

    • Because of this, you must reply within 3 days; failure to reply will result in the topic being closed! I like chocolate chip cookies.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system or even taking your computer into a repair shop.

    • Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data and have means of backing up your data available.

____________________________________________________

OTL Custom Scan

We need to run an OTL Custom Scan

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.


    netsvcs
    drivers32
    %systemroot%\*. /rp /s
    C:\Program Files\Common Files\ComObjects\*.* /s
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Push the Run Scan button.
  • A report will open. Copy and Paste that report in your next reply.


NEXT:



Running aswMBR.exe

Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it. Click the "Scan" button to start the scan.


On completion of the scan click save log, save it to your desktop and post in your next reply




NEXT:



Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. OTL.txt & Extras.txt log files.
3. aswMBR.txt log file.
4. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.



The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
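Once the DDS and OTL logs come back, most of the triage is reading the autorun lines (uRun/mRun, BHO) and the Uninstall List for names that do not belong. The script below is an added example for readers of this thread, not code from the thread, from OTL or from DDS: it parses those three line formats and flags any entry whose name, key or target matches a watch list. The watch list here holds only the two names this thread actually discusses (JollyWallet and InfoAtoms); the sample log lines are constructed in the formats the logs above use and are not a full log.

```python
import re

# DDS "Pseudo HJT Report" lines: uRun/mRun autoruns and BHO entries.
RUN_RE = re.compile(r'^(?P<hive>[um])Run:\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$')
BHO_RE = re.compile(
    r'^BHO:\s+(?P<name>.+?):\s+\{(?P<clsid>[0-9A-Fa-f-]{36})\}\s+-\s+(?P<path>.+)$'
)
# OTL Extras "Uninstall List" lines: "registry key" = Display Name
UNINST_RE = re.compile(r'^"(?P<key>[^"]+)"\s*=\s*(?P<display>.+)$')

# Assumption: only the names this thread discusses. Add your own IOCs here.
SUSPECT_NAMES = ("jollywallet", "infoatoms")

# Constructed sample input in the DDS format seen earlier in the thread.
SAMPLE_DDS = r"""
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
"""

# Constructed sample input in the OTL Extras Uninstall List format.
SAMPLE_OTL_UNINSTALL = r"""
"{26A24AE4-039D-4CA4-87B4-2F83216029FF}" = Java(TM) 6 Update 29
"InfoAtoms" = InfoAtoms [Uninstall]
"JollyWallet" = JollyWallet
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.1.1000
"""


def parse_dds_autoruns(lines):
    """Return a dict per autorun/BHO line; lines in other formats are skipped."""
    entries = []
    for raw in lines:
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append({
                "kind": "run",
                "scope": "user" if m["hive"] == "u" else "machine",
                "name": m["name"],
                "target": m["cmd"],
            })
            continue
        m = BHO_RE.match(line)
        if m:
            entries.append({
                "kind": "bho",
                "scope": "machine",
                "name": m["name"],
                "target": m["path"],
                "clsid": m["clsid"],
            })
    return entries


def parse_otl_uninstall(lines):
    """Return a dict per Uninstall List line (display name plus registry key)."""
    entries = []
    for raw in lines:
        m = UNINST_RE.match(raw.strip())
        if m:
            entries.append({
                "kind": "uninstall",
                "scope": "machine",
                "name": m["display"],
                "key": m["key"],
                "target": "",
            })
    return entries


def triage(entries, suspects=SUSPECT_NAMES):
    """Return (entry, matched_names) for every entry that hits the watch list.

    Matching is a case-insensitive substring test over the display name, the
    registry key and the launch target, so a renamed uninstall key whose target
    path still names the product is caught as well.
    """
    flagged = []
    for e in entries:
        haystack = " ".join((e["name"], e.get("key", ""), e.get("target", ""))).lower()
        hits = [s for s in suspects if s in haystack]
        if hits:
            flagged.append((e, hits))
    return flagged


if __name__ == "__main__":
    found = parse_dds_autoruns(SAMPLE_DDS.splitlines())
    found += parse_otl_uninstall(SAMPLE_OTL_UNINSTALL.splitlines())
    for entry, hits in triage(found):
        print(f"[{entry['kind']}/{entry['scope']}] {entry['name']}  <- matched {hits}")
```

Run it against a real pair of logs by replacing the two sample strings with the file contents; anything it flags is a candidate for the uninstall or fix list, not proof of infection on its own, so check the entry's path and publisher before removing it.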


#3 abraxas123

abraxas123
  • Topic Starter

  • Members
  • 34 posts

Posted 16 December 2012 - 09:28 PM

2. From OTL:

OTL logfile created on: 12/16/2012 8:52:15 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\bcrandal\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 0.71 Gb Available Physical Memory | 37.99% Memory free
3.72 Gb Paging File | 2.67 Gb Available in Paging File | 71.69% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.90 Gb Total Space | 19.14 Gb Free Space | 34.25% Space Free | Partition Type: NTFS
Drive D: | 645.69 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: BRIANPC | User Name: bcrandal | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/12/16 20:51:08 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\bcrandal\My Documents\Downloads\OTL.exe
PRC - [2012/12/16 20:45:42 | 005,576,408 | ---- | M] (Spotify Ltd) -- C:\Documents and Settings\bcrandal\Application Data\Spotify\spotify.exe
PRC - [2012/10/28 15:59:54 | 000,917,984 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/09/12 16:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2012/09/12 16:19:44 | 000,947,176 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2012/04/09 10:20:30 | 003,063,968 | ---- | M] (Skype Technologies S.A.) -- C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
PRC - [2011/01/17 17:37:40 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2011/01/17 17:37:40 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/22 12:43:38 | 001,245,184 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2008/02/22 12:40:20 | 000,475,136 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
PRC - [2007/07/02 13:29:22 | 000,159,744 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2007/06/06 16:44:44 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
PRC - [2007/05/22 14:18:56 | 000,050,736 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
PRC - [2007/05/10 10:23:50 | 000,094,208 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\system32\stacsv.exe
PRC - [2007/05/10 10:22:32 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
PRC - [2006/09/08 15:10:22 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe


========== Modules (No Company Name) ==========

MOD - [2012/12/16 20:45:27 | 020,219,096 | ---- | M] () -- C:\Documents and Settings\bcrandal\Application Data\Spotify\Data\libcef.dll
MOD - [2012/12/11 18:32:27 | 014,586,296 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_135.dll
MOD - [2012/10/28 15:58:54 | 002,295,264 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/11/03 10:28:36 | 001,292,288 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2011/11/01 21:44:52 | 000,985,088 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\program\libxml2.dll
MOD - [2011/09/27 07:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 07:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2009/10/07 15:01:34 | 000,143,360 | ---- | M] () -- C:\WINDOWS\system32\preflib.dll
MOD - [2009/10/07 15:01:14 | 000,757,760 | ---- | M] () -- C:\WINDOWS\system32\bcm1xsup.dll
MOD - [2008/02/22 12:45:06 | 000,098,304 | ---- | M] () -- C:\Program Files\Dell\QuickSet\dadkeyb.dll
MOD - [2005/10/13 12:53:36 | 000,090,223 | ---- | M] () -- C:\Program Files\Dell\QuickSet\preflibcl.dll


========== Services (SafeList) ==========

SRV - [2012/12/11 18:32:29 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/11/09 11:21:24 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012/10/28 15:59:53 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/09/12 16:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012/04/09 10:20:30 | 003,063,968 | ---- | M] (Skype Technologies S.A.) [Auto | Running] -- C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe -- (Skype C2C Service)
SRV - [2008/02/22 12:40:20 | 000,475,136 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe -- (NICCONFIGSVC)
SRV - [2007/05/10 10:23:50 | 000,094,208 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\WINDOWS\system32\stacsv.exe -- (STacSV)

Extras.txt, from OTL:

OTL Extras logfile created on: 12/16/2012 8:52:15 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\bcrandal\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 0.71 Gb Available Physical Memory | 37.99% Memory free
3.72 Gb Paging File | 2.67 Gb Available in Paging File | 71.69% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.90 Gb Total Space | 19.14 Gb Free Space | 34.25% Space Free | Partition Type: NTFS
Drive D: | 645.69 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: BRIANPC | User Name: bcrandal | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-515967899-1606980848-1177238915-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
http [open] -- Reg Error: Key error.
https [open] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Add to archive] -- "C:\Program Files\PeaZip\PEAZIP.EXE" "-add2multi" "%1" (Giorgio Tani)
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [Browse path with PeaZip] -- "C:\Program Files\PeaZip\PEAZIP.EXE" "-ext2browsepath" "%1" (Giorgio Tani)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\OpenOffice.org 3\program\soffice.bin" = C:\Program Files\OpenOffice.org 3\program\soffice.bin:*:Enabled:OpenOffice.org 3.3 -- (OpenOffice.org)
"C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE" = C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE:*:Enabled:Microsoft Application Error Reporting -- (Microsoft Corporation)
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware -- (Malwarebytes Corporation)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Xming\Xming.exe" = C:\Program Files\Xming\Xming.exe:*:Enabled:Xming X Server -- ()
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour Service -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Documents and Settings\bcrandal\Application Data\Spotify\spotify.exe" = C:\Documents and Settings\bcrandal\Application Data\Spotify\spotify.exe:*:Enabled:Spotify -- (Spotify Ltd)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216029FF}" = Java™ 6 Update 29
"{3127F76D-5335-4AC7-BD1E-2F5247A23C24}" = iTunes
"{343D8DE3-AE1F-431A-830C-B66352E8CA12}" = OZ776 SCR Driver V1.1.3.9
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{47ECCB1F-2811-49C0-B6A7-26778639ABA0}" = 32 Bit HP CIO Components Installer
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5A2BC38A-406C-4A5B-BF45-6991F9A05325}_is1" = PeaZip 3.9.1
"{5F503B34-022D-4C56-9D40-53D2916CE3C9}" = Music Rescue
"{611BD998-34B9-4DDA-00AE-0CB4632E86FA}" = SimCity 4 Rush Hour
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{74E2CD0C-D4A2-11D3-95A6-0000E86CFDE5}" = SSH Secure Shell
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{98EABC7F-B1A1-43A5-B505-5B4EC3908DCD}" = Microsoft Security Client
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.4)
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = AMD Processor Driver
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D3B3B9B2-FE73-44CB-8C0A-F737D92F991B}" = Broadcom Gigabit Integrated Controller
"{EA17F4FC-FDBF-4CF8-A529-2D983132D053}" = Skype™ 6.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F" = Conexant HDA D330 MDC V.92 Modem
"DW WLAN Card Utility" = DW WLAN Card Utility
"ESET Online Scanner" = ESET Online Scanner v3
"Free YouTube to iPod Converter_is1" = Free YouTube to iPod Converter version 3.10.13.1123
"GPL Ghostscript 8.71" = GPL Ghostscript 8.71
"GSview 4.9" = GSview 4.9
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"ie8" = Windows Internet Explorer 8
"InfoAtoms" = InfoAtoms [Uninstall]
"InstallShield_{343D8DE3-AE1F-431A-830C-B66352E8CA12}" = OZ776 SCR Driver V1.1.3.9
"JollyWallet" = JollyWallet
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.1.1000
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox 16.0.2 (x86 en-US)" = Mozilla Firefox 16.0.2 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Picasa 3" = Picasa 3
"R for Windows 2.15.1_is1" = R for Windows 2.15.1
"Recuva" = Recuva
"VLC media player" = VLC media player 1.1.11
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xming_is1" = Xming 6.9.0.31
"Xming-fonts_is1" = Xming-fonts 7.5.0.25

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-515967899-1606980848-1177238915-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Larger Cul De Sac Mod" = Larger Cul De Sac Mod
"Network Addon Mod" = Network Addon Mod Version 30 with Essentials r132
"SC4Mapper" = SC4Mapper
"Spotify" = Spotify

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 8/5/2012 10:32:57 PM | Computer Name = BRIANPC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 8198375

Error - 8/5/2012 10:32:59 PM | Computer Name = BRIANPC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 8/5/2012 10:32:59 PM | Computer Name = BRIANPC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 8200328

Error - 8/5/2012 10:32:59 PM | Computer Name = BRIANPC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 8200328

Error - 8/5/2012 10:33:01 PM | Computer Name = BRIANPC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 8/5/2012 10:33:01 PM | Computer Name = BRIANPC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 8202281

Error - 8/5/2012 10:33:01 PM | Computer Name = BRIANPC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 8202281

Error - 8/5/2012 10:33:03 PM | Computer Name = BRIANPC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 8/5/2012 10:33:03 PM | Computer Name = BRIANPC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 8204234

Error - 8/5/2012 10:33:03 PM | Computer Name = BRIANPC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 8204234

[ System Events ]
Error - 12/12/2012 6:18:52 PM | Computer Name = BRIANPC | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 12/13/2012 8:07:49 AM | Computer Name = BRIANPC | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the ShellHWDetection service.

Error - 12/13/2012 9:21:51 AM | Computer Name = BRIANPC | Source = Microsoft Antimalware | ID = 3002
Description = %%860 Real-Time Protection feature has encountered an error and failed.

Feature:
%%834 Error Code: 0x80004005 Error description: Unspecified error Reason: %%838

Error - 12/14/2012 2:09:50 PM | Computer Name = BRIANPC | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the ShellHWDetection service.

Error - 12/15/2012 3:02:03 PM | Computer Name = BRIANPC | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.1.3 on
the Network Card with network address 001644C7AF2E.

Error - 12/15/2012 3:02:22 PM | Computer Name = BRIANPC | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Netman service.

Error - 12/16/2012 7:10:43 AM | Computer Name = BRIANPC | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 169.226.71.4 on
the Network Card with network address 001644C7AF2E.

Error - 12/16/2012 7:10:48 AM | Computer Name = BRIANPC | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the ShellHWDetection service.

Error - 12/16/2012 9:27:45 PM | Computer Name = BRIANPC | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the ShellHWDetection service.

Error - 12/16/2012 9:28:00 PM | Computer Name = BRIANPC | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.15 for the Network Card with network
address 001644C7AF2E has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).


< End of report >


3. From aswMBR.txt:

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-12-16 21:08:18
-----------------------------
21:08:18.781 OS Version: Windows 5.1.2600 Service Pack 3
21:08:18.781 Number of processors: 2 586 0x6802
21:08:18.781 ComputerName: BRIANPC UserName:
21:08:18.984 Initialize success
21:10:59.890 AVAST engine defs: 12121601
21:15:37.359 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:15:37.359 Disk 0 Vendor: OCZ-AGILITY3 2.11 Size: 57241MB BusType: 3
21:15:37.359 Device \Driver\atapi -> DriverStartIo 8980b2e2
21:15:37.359 Disk 0 MBR read successfully
21:15:37.359 Disk 0 MBR scan
21:15:37.375 Disk 0 Windows XP default MBR code
21:15:37.375 Disk 0 MBR hidden
21:15:37.375 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 57239 MB offset 63
21:15:37.390 Disk 0 scanning sectors +117226305
21:15:37.390 Disk 0 scanning C:\WINDOWS\system32\drivers
21:15:48.906 Service scanning
21:15:57.078 Service MpKsla543545d c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5738BEDA-C644-49CF-B19C-B802BF36D825}\MpKsla543545d.sys **LOCKED** 32
21:16:08.203 Modules scanning
21:16:18.984 Disk 0 trace - called modules:
21:16:18.984 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8980b4b1]<<
21:16:19.000 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89cd7ab8]
21:16:19.000 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\0000007a[0x89ceaf18]
21:16:19.000 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x89d14b00]
21:16:19.000 \Driver\atapi[0x89bf1530] -> IRP_MJ_CREATE -> 0x8980b4b1
21:16:19.125 AVAST engine scan C:\WINDOWS
21:16:23.093 AVAST engine scan C:\WINDOWS\system32
21:19:25.078 AVAST engine scan C:\WINDOWS\system32\drivers
21:19:36.718 AVAST engine scan C:\Documents and Settings\bcrandal
21:23:48.156 AVAST engine scan C:\Documents and Settings\All Users
21:23:54.484 Scan finished successfully
21:25:43.812 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\bcrandal\My Documents\Downloads\MBR.dat"
21:25:43.828 The log file has been saved successfully to "C:\Documents and Settings\bcrandal\My Documents\Downloads\aswMBR.txt"

4. An update to aswMBR's virus definitions was required; an attempt to run without an update resulted in premature program termination. No instability issues were noted while running either program, though adware is still present.

Edited by abraxas123, 16 December 2012 - 09:29 PM.


#4 SweetTech

Posted 17 December 2012 - 06:22 PM

Hi!

It looks like part of the OTL.txt log file got cut off. The end of the log file should say: < End of report >

Could you see if the log file you have is like that?

-ST.



The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#5 abraxas123

Posted 17 December 2012 - 07:38 PM

My apologies:

OTL logfile created on: 12/16/2012 8:52:15 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\bcrandal\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 0.71 Gb Available Physical Memory | 37.99% Memory free
3.72 Gb Paging File | 2.67 Gb Available in Paging File | 71.69% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.90 Gb Total Space | 19.14 Gb Free Space | 34.25% Space Free | Partition Type: NTFS
Drive D: | 645.69 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: BRIANPC | User Name: bcrandal | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/12/16 20:51:08 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\bcrandal\My Documents\Downloads\OTL.exe
PRC - [2012/12/16 20:45:42 | 005,576,408 | ---- | M] (Spotify Ltd) -- C:\Documents and Settings\bcrandal\Application Data\Spotify\spotify.exe
PRC - [2012/10/28 15:59:54 | 000,917,984 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/09/12 16:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2012/09/12 16:19:44 | 000,947,176 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2012/04/09 10:20:30 | 003,063,968 | ---- | M] (Skype Technologies S.A.) -- C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
PRC - [2011/01/17 17:37:40 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2011/01/17 17:37:40 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/22 12:43:38 | 001,245,184 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2008/02/22 12:40:20 | 000,475,136 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
PRC - [2007/07/02 13:29:22 | 000,159,744 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2007/06/06 16:44:44 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
PRC - [2007/05/22 14:18:56 | 000,050,736 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
PRC - [2007/05/10 10:23:50 | 000,094,208 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\system32\stacsv.exe
PRC - [2007/05/10 10:22:32 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
PRC - [2006/09/08 15:10:22 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe


========== Modules (No Company Name) ==========

MOD - [2012/12/16 20:45:27 | 020,219,096 | ---- | M] () -- C:\Documents and Settings\bcrandal\Application Data\Spotify\Data\libcef.dll
MOD - [2012/12/11 18:32:27 | 014,586,296 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_135.dll
MOD - [2012/10/28 15:58:54 | 002,295,264 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/11/03 10:28:36 | 001,292,288 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2011/11/01 21:44:52 | 000,985,088 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\program\libxml2.dll
MOD - [2011/09/27 07:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 07:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2009/10/07 15:01:34 | 000,143,360 | ---- | M] () -- C:\WINDOWS\system32\preflib.dll
MOD - [2009/10/07 15:01:14 | 000,757,760 | ---- | M] () -- C:\WINDOWS\system32\bcm1xsup.dll
MOD - [2008/02/22 12:45:06 | 000,098,304 | ---- | M] () -- C:\Program Files\Dell\QuickSet\dadkeyb.dll
MOD - [2005/10/13 12:53:36 | 000,090,223 | ---- | M] () -- C:\Program Files\Dell\QuickSet\preflibcl.dll


========== Services (SafeList) ==========

SRV - [2012/12/11 18:32:29 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/11/09 11:21:24 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012/10/28 15:59:53 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/09/12 16:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012/04/09 10:20:30 | 003,063,968 | ---- | M] (Skype Technologies S.A.) [Auto | Running] -- C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe -- (Skype C2C Service)
SRV - [2008/02/22 12:40:20 | 000,475,136 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe -- (NICCONFIGSVC)
SRV - [2007/05/10 10:23:50 | 000,094,208 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\WINDOWS\system32\stacsv.exe -- (STacSV)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\bcrandal\LOCALS~1\Temp\mbr.sys -- (mbr)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | Boot | Stopped] -- -- (cerc6)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2009/10/07 15:01:32 | 002,649,216 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2009/10/07 15:01:28 | 000,033,664 | ---- | M] (CACE Technologies) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\BCMWLNPF.SYS -- (BCMWLNPF)
DRV - [2007/08/02 17:35:12 | 000,989,952 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2007/08/02 17:34:30 | 000,211,200 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2007/08/02 17:34:26 | 000,731,136 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2007/07/27 23:30:26 | 002,371,584 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/06/25 18:53:10 | 000,155,136 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2007/05/10 10:24:34 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/02/16 15:46:00 | 000,160,256 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2006/07/01 22:39:40 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2005/08/12 16:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\APPDRV.SYS -- (APPDRV)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-515967899-1606980848-1177238915-1003\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-21-515967899-1606980848-1177238915-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-515967899-1606980848-1177238915-1003\..\SearchScopes\{D91B10B5-BC72-4848-B976-5BEC50A08E2F}: "URL" = http://www.mysearchresults.com/search?&c=4001&t=10&q={searchTerms}
IE - HKU\S-1-5-21-515967899-1606980848-1177238915-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-515967899-1606980848-1177238915-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledAddons: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:1.5
FF - prefs.js..extensions.enabledAddons: [email protected]:1.4.0.3
FF - prefs.js..extensions.enabledAddons: [email protected]:0.86.46
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_135.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=1.1.11: C:\Program Files\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Mozilla Firefox\extensions\[email protected] [2012/12/11 22:27:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/10/28 15:59:55 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 16.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/11/01 17:59:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\bcrandal\Application Data\Mozilla\Extensions
[2012/12/12 23:58:53 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\bcrandal\Application Data\Mozilla\Firefox\Profiles\d2xsf5hk.default\extensions
[2012/12/12 23:58:53 | 000,000,000 | ---D | M] ("JollyWallet") -- C:\Documents and Settings\bcrandal\Application Data\Mozilla\Firefox\Profiles\d2xsf5hk.default\extensions\[email protected]
[2012/01/18 10:28:13 | 000,000,000 | ---D | M] (fluschipranie) -- C:\Documents and Settings\bcrandal\Application Data\Mozilla\Firefox\Profiles\d2xsf5hk.default\extensions\jid0-Dg47y8CbssHh7EDdmKEYB6phtn0@jetpack
[2012/12/12 23:58:53 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\bcrandal\Application Data\Mozilla\Firefox\Profiles\d2xsf5hk.default\extensions\[email protected]\chrome\content\extensionCode
[2012/07/19 12:24:22 | 000,001,552 | ---- | M] () (No name found) -- C:\Documents and Settings\bcrandal\Application Data\Mozilla\Firefox\Profiles\d2xsf5hk.default\extensions\[email protected]
[2012/12/11 19:59:21 | 000,036,098 | ---- | M] () (No name found) -- C:\Documents and Settings\bcrandal\Application Data\Mozilla\Firefox\Profiles\d2xsf5hk.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}.xpi
[2012/11/24 10:08:01 | 000,243,496 | ---- | M] () (No name found) -- C:\Documents and Settings\bcrandal\Application Data\Mozilla\Firefox\Profiles\d2xsf5hk.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
[2012/12/11 22:27:11 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/10/28 15:58:16 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012/12/11 22:27:11 | 000,000,000 | ---D | M] (InfoAtoms) -- C:\Program Files\Mozilla Firefox\extensions\[email protected]
[2012/10/28 15:59:55 | 000,261,600 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/09/23 09:57:48 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/10/22 15:05:03 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - homepage: http://www.google.com
CHR - Extension: YouTube = C:\Documents and Settings\bcrandal\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0\
CHR - Extension: Google Search = C:\Documents and Settings\bcrandal\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.14_0\
CHR - Extension: Gmail = C:\Documents and Settings\bcrandal\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.3_0\

O1 HOSTS File: ([2011/11/06 11:29:26 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe (SigmaTel, Inc.)
O4 - Startup: C:\Documents and Settings\bcrandal\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Activities present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-515967899-1606980848-1177238915-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-515967899-1606980848-1177238915-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-515967899-1606980848-1177238915-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-515967899-1606980848-1177238915-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Free YouTube to iPod Converter - C:\Documents and Settings\bcrandal\Application Data\DVDVideoSoftIEHelpers\freeyoutubetoipodconverter.htm ()
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1320177274944 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1320177332955 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6C346146-127C-49C5-8688-732A878D3250}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/11/01 14:58:06 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2003/08/27 03:23:52 | 011,595,776 | R--- | M] (Electronic Arts) - D:\AutoRun.exe -- [ CDFS ]
O32 - AutoRun File - [2003/08/27 03:37:09 | 000,000,000 | R--D | M] - D:\autorun -- [ CDFS ]
O32 - AutoRun File - [2003/08/27 03:37:05 | 000,000,061 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2012/12/16 10:35:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
[2012/12/13 22:32:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/12/12 17:18:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\boost_interprocess
[2012/12/11 22:28:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bcrandal\Local Settings\Application Data\JollyWallet
[2012/12/11 22:28:02 | 000,000,000 | ---D | C] -- C:\Program Files\JollyWallet
[2012/12/11 22:27:06 | 000,000,000 | ---D | C] -- C:\Program Files\InfoAtoms
[2012/12/11 22:26:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bcrandal\Application Data\Strongvault
[2012/12/11 22:26:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bcrandal\Local Settings\Application Data\Stronghold_LLC
[2012/12/11 22:26:33 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\AI_RecycleBin
[2012/12/06 15:57:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
[2012/12/06 15:57:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype

========== Files - Modified Within 30 Days ==========

[2012/12/16 20:32:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/12/16 10:14:06 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/12/16 10:08:23 | 000,474,330 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/12/16 10:08:23 | 000,076,900 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/12/16 10:04:22 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/12/16 10:04:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/12/13 23:11:03 | 000,001,441 | ---- | M] () -- C:\scu.dat
[2012/12/12 17:22:04 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/12/12 17:18:29 | 000,173,872 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/12/12 07:12:21 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/12/11 23:04:36 | 000,002,453 | ---- | M] () -- C:\Documents and Settings\bcrandal\Desktop\HiJackThis.lnk
[2012/12/06 15:57:18 | 000,001,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2012/11/24 18:09:19 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\bcrandal\Local Settings\Application Data\PUTTY.RND

========== Files Created - No Company Name ==========

[2012/12/13 23:11:03 | 000,001,441 | ---- | C] () -- C:\scu.dat
[2012/12/11 22:32:41 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/12/06 15:57:18 | 000,001,878 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2012/03/09 19:35:12 | 000,000,711 | ---- | C] () -- C:\WINDOWS\eReg.dat
[2012/02/14 20:47:16 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/12/19 22:23:44 | 000,018,440 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/12/17 12:07:38 | 000,128,958 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/12/17 12:07:38 | 000,128,958 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-515967899-1606980848-1177238915-1003-0.dat
[2011/12/01 16:53:37 | 000,000,439 | ---- | C] () -- C:\Documents and Settings\bcrandal\Application Data\com.kennettnet.MusicRescue4.plist
[2011/11/25 16:36:52 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\bcrandal\Local Settings\Application Data\PUTTY.RND
[2011/11/06 11:17:43 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/11/06 11:17:43 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/11/06 11:17:43 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/11/06 11:17:43 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/11/06 11:17:43 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/11/01 17:58:43 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/11/01 16:41:48 | 000,000,043 | ---- | C] () -- C:\Documents and Settings\bcrandal\gsview32.ini
[2011/11/01 15:20:09 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2011/11/01 15:20:09 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2011/11/01 15:20:09 | 000,025,088 | ---- | C] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
[2011/11/01 15:16:52 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
[2011/11/01 15:16:52 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2011/11/01 15:16:52 | 000,972,072 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2011/11/01 15:16:51 | 000,151,367 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2011/11/01 15:00:09 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/11/01 14:55:36 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/11/01 09:41:39 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/11/01 09:40:41 | 000,173,872 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== ZeroAccess Check ==========

[2011/11/01 16:00:30 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/14 07:00:00 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/14 07:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/12/12 17:18:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\boost_interprocess
[2011/11/30 22:41:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/11/01 21:31:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bcrandal\Application Data\Azureus
[2011/11/30 23:01:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bcrandal\Application Data\DVDVideoSoft
[2011/11/30 23:01:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bcrandal\Application Data\DVDVideoSoftIEHelpers
[2011/11/01 21:45:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bcrandal\Application Data\OpenOffice.org
[2011/11/01 16:57:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bcrandal\Application Data\PeaZip
[2012/12/16 20:50:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bcrandal\Application Data\Spotify
[2012/11/24 14:42:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bcrandal\Application Data\SSH
[2012/12/11 22:26:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\bcrandal\Application Data\Strongvault

========== Purity Check ==========



========== Custom Scans ==========

< %systemroot%\*. /rp /s >

< C:\Program Files\Common Files\ComObjects\*.* /s >
[2011/11/01 14:56:48 | 000,000,065 | RH-- | C] () -- C:\WINDOWS\Tasks\desktop.ini
[2011/11/01 15:03:28 | 000,000,006 | -H-- | C] () -- C:\WINDOWS\Tasks\SA.DAT
[2011/11/30 22:40:03 | 000,000,284 | ---- | C] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
[2012/04/14 09:29:59 | 000,000,830 | ---- | C] () -- C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
[2012/09/27 12:49:46 | 000,000,384 | -H-- | C] () -- C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012/10/28 15:58:52 | 000,889,848 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012/10/28 15:58:52 | 000,889,848 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/10/28 15:58:52 | 000,889,848 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2012/10/28 15:59:54 | 000,917,984 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2012/10/28 15:59:54 | 000,917,984 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2012/10/28 15:59:54 | 000,917,984 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2012/10/31 19:35:35 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2012/10/31 19:35:35 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2012/10/31 19:35:35 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012/10/28 15:58:52 | 000,889,848 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012/10/28 15:58:52 | 000,889,848 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/10/28 15:58:52 | 000,889,848 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2012/10/28 15:59:54 | 000,917,984 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2012/10/28 15:59:54 | 000,917,984 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2012/10/28 15:59:54 | 000,917,984 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2012/10/31 19:35:35 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2012/10/31 19:35:35 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2012/10/31 19:35:35 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2012-12-12 12:12:27

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790 -> Junction
[C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e -> Junction
[C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 -> Junction

< End of report >
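One thing the "Created Within 30 Days" listing above makes visible is timing: AI_RecycleBin, Stronghold_LLC, Strongvault, InfoAtoms and two JollyWallet folders were all created between 22:26:33 and 22:28:07 on 2012/12/11, under two minutes apart, and one of them (AI_RecycleBin, under System32) carries hidden and system attributes. Creation times that tight are the footprint of a single bundled installer rather than of separate installs, and clustering the timestamps makes that grouping mechanical instead of eyeballed. The script below is an added example, not part of the original post and not OTL's own code: it parses the OTL listing format, clusters entries by creation time, and reports bursts of three or more entries together with any hidden/system paths in them. The sample lines are copied from the log above; the 120-second window and the three-entry threshold are assumptions chosen for the example.

```python
"""Cluster OTL "Files/Folders - Created Within 30 Days" entries by creation time.

Added example, not part of the original thread or of OTL itself.  The
sample lines are copied from the posted log; the clustering window and
the minimum cluster size are assumptions chosen for this example.
"""
import re
from datetime import datetime, timedelta

# One OTL listing line looks like:
# [2012/12/11 22:28:02 | 000,000,000 | ---D | C] -- C:\Program Files\JollyWallet
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] -- (?P<path>.+)$"
)

# Input copied from the "Created Within 30 Days" block of the OTL log above.
SAMPLE_LOG = r"""
[2012/12/16 10:35:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
[2012/12/13 22:32:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/12/12 17:18:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\boost_interprocess
[2012/12/11 22:28:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bcrandal\Local Settings\Application Data\JollyWallet
[2012/12/11 22:28:02 | 000,000,000 | ---D | C] -- C:\Program Files\JollyWallet
[2012/12/11 22:27:06 | 000,000,000 | ---D | C] -- C:\Program Files\InfoAtoms
[2012/12/11 22:26:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bcrandal\Application Data\Strongvault
[2012/12/11 22:26:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bcrandal\Local Settings\Application Data\Stronghold_LLC
[2012/12/11 22:26:33 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\AI_RecycleBin
[2012/12/06 15:57:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
[2012/12/06 15:57:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
"""


def parse_otl_entries(text):
    """Return (created, attrs, path) tuples for every OTL listing line in text."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if m:
            created = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            entries.append((created, m.group("attrs"), m.group("path")))
    return entries


def cluster_by_time(entries, window=timedelta(seconds=120)):
    """Group entries whose creation time is within `window` of the previous one.

    Entries are sorted oldest-first, so the newest-first order OTL prints
    does not matter.  Each cluster is a list of (created, attrs, path).
    """
    clusters = []
    for entry in sorted(entries, key=lambda e: e[0]):
        if clusters and entry[0] - clusters[-1][-1][0] <= window:
            clusters[-1].append(entry)
        else:
            clusters.append([entry])
    return clusters


def installer_bursts(entries, min_size=3, window=timedelta(seconds=120)):
    """Clusters big enough to look like one installer dropping several components."""
    return [c for c in cluster_by_time(entries, window) if len(c) >= min_size]


def hidden_or_system(cluster):
    """Paths in a cluster whose OTL attribute field carries H (hidden) or S (system)."""
    return [path for _, attrs, path in cluster if "H" in attrs or "S" in attrs]


if __name__ == "__main__":
    entries = parse_otl_entries(SAMPLE_LOG)
    for cluster in installer_bursts(entries):
        span = (cluster[-1][0] - cluster[0][0]).total_seconds()
        print("%d entries within %.0f s starting %s" % (len(cluster), span, cluster[0][0]))
        for created, attrs, path in cluster:
            print("  %s  %s  %s" % (created.strftime("%H:%M:%S"), attrs, path))
        for path in hidden_or_system(cluster):
            print("  hidden/system: %s" % path)
```

Run against the listing above it reports one burst of six entries spanning 94 seconds, with AI_RecycleBin as the only hidden/system path; the two Skype folders a week earlier are a cluster of two and fall below the threshold. Tighten or loosen the window to taste, but anything a bundled installer drops normally lands well inside a minute or two.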

#6 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:02:08 AM

Posted 17 December 2012 - 08:26 PM

Hi!

No worries!

OTL Fix

We need to run an OTL Fix

Note: If you have Malwarebytes Anti-Malware 1.6 or higher installed and are using the Pro or trial version, please temporarily disable it for the duration of this fix, as it may interfere with the successful execution of the script below.

  • Please reopen OTL on your desktop.
  • Copy and paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :Processes
    KILLALLPROCESSES
    :OTL
    [2012/12/12 23:58:53 | 000,000,000 | ---D | M] ("JollyWallet") -- C:\Documents and Settings\bcrandal\Application Data\Mozilla\Firefox\Profiles\d2xsf5hk.default\extensions\[email protected]
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
    O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
    [2012/12/11 22:28:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bcrandal\Local Settings\Application Data\JollyWallet
    [2012/12/11 22:28:02 | 000,000,000 | ---D | C] -- C:\Program Files\JollyWallet
    :Reg
    
    :Files
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    [EMPTYJAVA]
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Running ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
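Two lines of the OTL script above deal with the hosts file: `cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f` grants Everyone full control so the tool can overwrite it, and `[resethosts]` then replaces it with a stock copy, after which `ipconfig /flushdns` drops any cached answers. Adware and rogue security products use the hosts file to sinkhole vendor and update sites (pin them to 127.0.0.1) or to redirect them elsewhere, which is why a reset is part of the fix. One caveat a practitioner will want: nothing in the script restores the original ACL, so once the machine is clean that Everyone:F grant is worth tightening again. The script below is an added example, not part of the post and not OTL's code: it parses a hosts file and reports every mapping that is not the stock loopback entry, labelling it as sinkholed or redirected. The sample hosts file, including its two hijack lines, is constructed for the example and is not taken from the victim machine.

```python
"""Audit a Windows hosts file for the sinkhole and redirect entries adware adds.

Added example, not part of the original post or of OTL.  SAMPLE_HOSTS is
constructed for this example; the two injected lines are illustrative and
were not observed on the machine discussed in the thread.
"""
import ipaddress

# Constructed sample: the stock XP hosts file plus two injected entries.
SAMPLE_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# For example:
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org      # sinkholes the cleanup tool's site
198.51.100.7    update.microsoft.com      # redirects updates to a foreign host
"""

# Names that legitimately map to a loopback address in a stock file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and blank lines.

    A line may list several hostnames after one address; each is yielded
    separately so every mapping is judged on its own.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def suspicious_entries(text):
    """Return (address, hostname, label) for every mapping that is not stock.

    'sinkholed' means the name is pinned to a loopback or unspecified
    address (the site becomes unreachable, the classic anti-AV trick);
    'redirected' means it points at any other address.
    """
    findings = []
    for addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, name, "unparseable address"))
            continue
        if name in LOOPBACK_NAMES and ip.is_loopback:
            continue  # the one mapping a stock hosts file carries
        if ip.is_loopback or ip.is_unspecified:
            findings.append((addr, name, "sinkholed"))
        else:
            findings.append((addr, name, "redirected"))
    return findings


if __name__ == "__main__":
    for addr, name, label in suspicious_entries(SAMPLE_HOSTS):
        print("%-12s %-15s %s" % (label, addr, name))
```

On a real machine read `%WinDir%\system32\drivers\etc\hosts` into `suspicious_entries` instead of the constructed sample; an empty result is what a freshly reset file should give, and anything listed as sinkholed that names a security vendor or update service is the hijack the reset is meant to undo.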


#7 abraxas123

abraxas123
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:02:08 AM

Posted 18 December 2012 - 10:47 PM

From OTL_Fix (12172012_221500.txt):

All processes killed
========== SERVICES/DRIVERS ==========
========== PROCESSES ==========
========== OTL ==========
Folder C:\Documents and Settings\bcrandal\Application Data\Mozilla\Firefox\Profiles\d2xsf5hk.default\extensions\[email protected]\ not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Folder C:\Documents and Settings\bcrandal\Local Settings\Application Data\JollyWallet\ not found.
Folder C:\Program Files\JollyWallet\ not found.
========== REGISTRY ==========
========== FILES ==========
< echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c >
Are you sure (Y/N)?processed file: C:\WINDOWS\system32\drivers\etc\Hosts
C:\Documents and Settings\bcrandal\My Documents\Downloads\cmd.bat deleted successfully.
C:\Documents and Settings\bcrandal\My Documents\Downloads\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\bcrandal\My Documents\Downloads\cmd.bat deleted successfully.
C:\Documents and Settings\bcrandal\My Documents\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point

[EMPTYTEMP]

User: All Users

User: bcrandal
->Temp folder emptied: 218431982 bytes
->Temporary Internet Files folder emptied: 109782657 bytes
->Java cache emptied: 201317 bytes
->FireFox cache emptied: 84495183 bytes
->Flash cache emptied: 89341 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 49554 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 760176 bytes
->Temporary Internet Files folder emptied: 4051097 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 8437172 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 264943180 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 4266334005 bytes

Total Files Cleaned = 4,728.00 mb


[EMPTYFLASH]

User: All Users

User: bcrandal
->Flash cache emptied: 0 bytes

User: Default User

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: All Users

User: bcrandal
->Java cache emptied: 0 bytes

User: Default User

User: LocalService
->Java cache emptied: 0 bytes

User: NetworkService

Total Java Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 12172012_221500

Files\Folders moved on Reboot...
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\LCHOSIF8\1355369879282_1582223399780[2].htm moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

From log.txt:

ComboFix 12-12-17.02 - bcrandal 12/18/2012 22:28:24.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1328 [GMT -5:00]
Running from: c:\documents and settings\bcrandal\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
E:\Autorun.inf
E:\Setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-11-19 to 2012-12-19 )))))))))))))))))))))))))))))))
.
.
2012-12-19 03:23 . 2012-12-19 03:23 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D2FEB9A4-ECED-4E71-8909-D06E0095E471}\MpKsl68a23991.sys
2012-12-19 03:02 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D2FEB9A4-ECED-4E71-8909-D06E0095E471}\mpengine.dll
2012-12-18 02:59 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-12-18 01:53 . 2012-12-18 01:53 -------- d-----w- C:\_OTL
2012-12-15 19:38 . 2012-12-15 19:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-12-12 22:18 . 2012-12-12 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2012-12-12 03:27 . 2012-12-12 03:27 -------- d-----w- c:\program files\InfoAtoms
2012-12-12 03:26 . 2012-12-12 03:26 -------- d-----w- c:\documents and settings\bcrandal\Application Data\Strongvault
2012-12-12 03:26 . 2012-12-12 03:26 -------- d-----w- c:\documents and settings\bcrandal\Local Settings\Application Data\Stronghold_LLC
2012-12-12 03:26 . 2012-12-12 03:27 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
2012-12-06 20:57 . 2012-12-06 20:57 -------- d-----w- c:\program files\Common Files\Skype
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-11 23:32 . 2012-04-14 14:29 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-11 23:32 . 2011-11-01 21:44 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-13 01:25 . 2008-04-14 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 00:41 . 2008-04-14 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-02 02:02 . 2008-04-14 12:00 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2008-04-14 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-10-02 18:04 . 2008-04-14 12:00 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-30 00:54 . 2011-11-01 21:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-28 20:59 . 2012-10-28 20:58 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-10-07 2498560]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
c:\documents and settings\bcrandal\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\soffice.bin"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Xming\\Xming.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\bcrandal\\Application Data\\Spotify\\spotify.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 MpKsl68a23991;MpKsl68a23991;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D2FEB9A4-ECED-4E71-8909-D06E0095E471}\MpKsl68a23991.sys [12/18/2012 10:23 PM 29904]
S0 cerc6;cerc6; [x]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [4/9/2012 10:20 AM 3063968]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [11/9/2012 11:21 AM 160944]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL68A23991
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 23:32]
.
2012-09-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-12-19 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 21:25]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe" //mailurl:mailto:[email protected]
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Free YouTube to iPod Converter - c:\documents and settings\bcrandal\Application Data\DVDVideoSoftIEHelpers\freeyoutubetoipodconverter.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\bcrandal\Application Data\Mozilla\Firefox\Profiles\d2xsf5hk.default\
FF - ExtSQL: 2012-11-24 10:08; {e4a8a97b-f2ed-450b-b12d-ee082ba24781}; c:\documents and settings\bcrandal\Application Data\Mozilla\Firefox\Profiles\d2xsf5hk.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
FF - ExtSQL: 2012-12-11 22:27; [email protected]; c:\program files\Mozilla Firefox\extensions\[email protected]
FF - ExtSQL: !HIDDEN! 2012-12-11 22:27; [email protected]; c:\program files\Mozilla Firefox\extensions\[email protected]
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-JollyWallet - c:\program files\JollyWallet\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-18 22:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: OCZ-AGILITY3 rev.2.11 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x88EFE2E2
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\0b\03\02\01\"7?"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(936)
c:\windows\system32\WININET.dll
.
Completion time: 2012-12-18 22:41:15
ComboFix-quarantined-files.txt 2012-12-19 03:41
ComboFix2.txt 2011-11-07 15:04
ComboFix3.txt 2011-11-06 17:46
ComboFix4.txt 2011-11-06 16:30
.
Pre-Run: 25,317,052,416 bytes free
Post-Run: 25,288,785,920 bytes free
.
- - End Of File - - 6C6E83DE4C76AD9F2A96652D92F831DF

When OTL Fix was completed, the Jollywallet button was gone from my browser, but the adware was still present. Adware still appears to be present after running combofix (pop-ups, hyperlinked words).


#8 SweetTech


Posted 19 December 2012 - 06:47 PM

Hi!

Please try the following instructions and let's see where the scans lead us.

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

NEXT:

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus and anti-spyware programs while performing scans so there are no conflicts, and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

NEXT:

Security Check
Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NEXT:

Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. MalwareBytes' Anti-Malware log file.
3. ESET Online Virus Scan log file.
4. SecurityCheck log file.
5. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#9 abraxas123


Posted 21 December 2012 - 05:11 PM

2. See attached MBAM file.

3. See attached ESETScan.txt file

4. See attached checkup file.

5. Significant instabilities have been occurring. In operation, the volume of the computer drops to a permanent mute, and the browser will chug and eventually initiate a hard freeze of the computer, devoting an unnaturally large amount of space to svchost.exe and plugin-container.exe. Careful management of the task manager seems to be the only thing allowing the computer to operate for an extended period of time (>10 mins.)

Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
Java™ 6 Update 29
Java version out of Date!
Adobe Flash Player 11.5.502.135
Adobe Reader 10.1.4 Adobe Reader out of Date!
Mozilla Firefox 16.0.2 Firefox out of Date!
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 12% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````


Edited by SweetTech, 21 December 2012 - 07:13 PM.
Expanded SecurityCheck log.-ST


#10 SweetTech


Posted 21 December 2012 - 07:15 PM

Hi!

Thanks for the progress update. Please run the following scan for me:


ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
DirLook::
c:\windows\system32\AI_RecycleBin
c:\documents and settings\All Users\Application Data\boost_interprocess
c:\program files\InfoAtoms
c:\documents and settings\bcrandal\Application Data\Strongvault
c:\documents and settings\bcrandal\Local Settings\Application Data\Stronghold_LLC
Registry::
Driver::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



#11 abraxas123


Posted 21 December 2012 - 08:39 PM

The system froze on the first attempt to run ComboFix. After leaving it to see if it would sort itself out over 30 minutes, it became apparent a reboot was necessary. The second attempt to run ComboFix was successful.

ComboFix 12-12-20.02 - bcrandal 12/21/2012 20:24:10.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1401 [GMT -5:00]
Running from: c:\documents and settings\bcrandal\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\bcrandal\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2012-11-22 to 2012-12-22 )))))))))))))))))))))))))))))))
.
.
2012-12-21 00:40 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9BF0EB8D-8758-45DF-BA02-AA41962BB59F}\mpengine.dll
2012-12-19 03:02 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-12-18 01:53 . 2012-12-18 01:53 -------- d-----w- C:\_OTL
2012-12-15 19:38 . 2012-12-15 19:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-12-12 22:18 . 2012-12-12 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2012-12-12 03:27 . 2012-12-12 03:27 -------- d-----w- c:\program files\InfoAtoms
2012-12-12 03:26 . 2012-12-12 03:26 -------- d-----w- c:\documents and settings\bcrandal\Application Data\Strongvault
2012-12-12 03:26 . 2012-12-12 03:26 -------- d-----w- c:\documents and settings\bcrandal\Local Settings\Application Data\Stronghold_LLC
2012-12-12 03:26 . 2012-12-12 03:27 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
2012-12-06 20:57 . 2012-12-06 20:57 -------- d-----w- c:\program files\Common Files\Skype
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-11 23:32 . 2012-04-14 14:29 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-11 23:32 . 2011-11-01 21:44 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-13 01:25 . 2008-04-14 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 00:41 . 2008-04-14 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-02 02:02 . 2008-04-14 12:00 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2008-04-14 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-10-02 18:04 . 2008-04-14 12:00 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-30 00:54 . 2011-11-01 21:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-28 20:59 . 2012-10-28 20:58 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\boost_interprocess ----
.
2012-12-12 22:18 . 2012-12-12 22:18 24 ----atw- c:\documents and settings\All Users\Application Data\boost_interprocess\skype_c2c_messaging_mutex
.
---- Directory of c:\documents and settings\bcrandal\Application Data\Strongvault ----
.
.
---- Directory of c:\documents and settings\bcrandal\Local Settings\Application Data\Stronghold_LLC ----
.
2012-12-12 03:26 . 2012-12-12 03:26 324 ----a-w- c:\documents and settings\bcrandal\Local Settings\Application Data\Stronghold_LLC\BackupLauncher.exe_Url_all4gq0piriirunlsxklkejmzs0p3zbo\1.0.0.0\user.config
2012-12-12 03:26 . 2012-12-12 03:26 631 ----a-w- c:\documents and settings\bcrandal\Local Settings\Application Data\Stronghold_LLC\SMessenger.exe_Url_xdvq1tirdjz5udqk5a33km1w0s1monuh\1.0.0.0\user.config
.
---- Directory of c:\program files\InfoAtoms ----
.
2012-12-12 03:27 . 2012-12-12 03:27 11737 ----a-w- c:\program files\InfoAtoms\FireFox\[email protected]
2012-12-12 03:27 . 2012-12-12 03:27 10094 ----a-w- c:\program files\InfoAtoms\Chrome\InfoAtoms.crx
2012-12-12 03:27 . 2012-12-12 03:27 373502 ----a-w- c:\program files\InfoAtoms\Uninstall.exe
2012-11-16 17:27 . 2012-11-16 17:27 27594 ----a-w- c:\program files\InfoAtoms\terms-of-service.rtf
2012-10-28 19:54 . 2012-10-28 19:54 7074 ----a-w- c:\program files\InfoAtoms\3rd Party Licenses\buildcrx-license.txt
2012-10-28 19:54 . 2012-10-28 19:54 2944 ----a-w- c:\program files\InfoAtoms\3rd Party Licenses\infozip-license.txt
.
---- Directory of c:\windows\system32\AI_RecycleBin ----
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-10-07 2498560]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
c:\documents and settings\bcrandal\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\soffice.bin"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Xming\\Xming.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\bcrandal\\Application Data\\Spotify\\spotify.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [4/9/2012 10:20 AM 3063968]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [11/9/2012 11:21 AM 160944]
S0 cerc6;cerc6; [x]
S1 MpKsl68a23991;MpKsl68a23991;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D2FEB9A4-ECED-4E71-8909-D06E0095E471}\MpKsl68a23991.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D2FEB9A4-ECED-4E71-8909-D06E0095E471}\MpKsl68a23991.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 23:32]
.
2012-09-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-12-22 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 21:25]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe" //mailurl:mailto:[email protected]
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Free YouTube to iPod Converter - c:\documents and settings\bcrandal\Application Data\DVDVideoSoftIEHelpers\freeyoutubetoipodconverter.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\bcrandal\Application Data\Mozilla\Firefox\Profiles\d2xsf5hk.default\
FF - ExtSQL: 2012-11-24 10:08; {e4a8a97b-f2ed-450b-b12d-ee082ba24781}; c:\documents and settings\bcrandal\Application Data\Mozilla\Firefox\Profiles\d2xsf5hk.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
FF - ExtSQL: 2012-12-11 22:27; [email protected]; c:\program files\Mozilla Firefox\extensions\[email protected]
FF - ExtSQL: !HIDDEN! 2012-12-11 22:27; [email protected]; c:\program files\Mozilla Firefox\extensions\[email protected]
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-21 20:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: OCZ-AGILITY3 rev.2.11 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x87AF72E2
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\0b\03\02\01\"7?"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(940)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(4020)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\StacSV.exe
c:\windows\system32\wscntfy.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\DellTPad\HidFind.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\DellTPad\Apntex.exe
.
**************************************************************************
.
Completion time: 2012-12-21 20:37:07 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-22 01:37
ComboFix2.txt 2012-12-19 03:41
ComboFix3.txt 2011-11-07 15:04
ComboFix4.txt 2011-11-06 17:46
ComboFix5.txt 2012-12-22 00:24
.
Pre-Run: 25,368,305,664 bytes free
Post-Run: 25,365,565,440 bytes free
.
- - End Of File - - 122BA186B0EF8C3C3895D0A829AB389B

#12 SweetTech


Posted 22 December 2012 - 01:23 PM

Hi!

We need to run another fix with ComboFix.

Can you confirm that when you ran ComboFix the first time it installed the Recovery Console for you?

Please note when you run the below fix, it will be submitting a file to me for review.

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Suspect::[102]
C:\Documents and Settings\bcrandal\My Documents\Downloads\MBR.dat
KillAll::
Folder::
c:\windows\system32\AI_RecycleBin
FireFox::
FF - ProfilePath - c:\documents and settings\bcrandal\Application Data\Mozilla\Firefox\Profiles\d2xsf5hk.default\
FF - ExtSQL: 2012-11-24 10:08; {e4a8a97b-f2ed-450b-b12d-ee082ba24781}; c:\documents and settings\bcrandal\Application Data\Mozilla\Firefox\Profiles\d2xsf5hk.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
FF - ExtSQL: 2012-12-11 22:27; [email protected]; c:\program files\Mozilla Firefox\extensions\[email protected]
FF - ExtSQL: !HIDDEN! 2012-12-11 22:27; [email protected]; c:\program files\Mozilla Firefox\extensions\[email protected]

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Edited by SweetTech, 22 December 2012 - 01:26 PM.



#13 abraxas123


Posted 22 December 2012 - 06:29 PM

The Recovery Console was installed on my computer prior to the infection.

From log.txt:

ComboFix 12-12-22.02 - bcrandal 12/22/2012 18:15:10.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1362 [GMT -5:00]
Running from: c:\documents and settings\bcrandal\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\bcrandal\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
file zipped: c:\documents and settings\bcrandal\My Documents\Downloads\MBR.dat
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\bcrandal\Application Data\Mozilla\Firefox\Profiles\d2xsf5hk.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
c:\windows\system32\AI_RecycleBin
.
.
((((((((((((((((((((((((( Files Created from 2012-11-22 to 2012-12-22 )))))))))))))))))))))))))))))))
.
.
2012-12-22 23:23 . 2012-12-22 23:23 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7A43584A-A46C-4F89-9FE2-218D91B2A182}\MpKsl8fa2d9fe.sys
2012-12-22 23:11 . 2012-12-22 23:11 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7A43584A-A46C-4F89-9FE2-218D91B2A182}\MpKsle4c0a5dd.sys
2012-12-22 01:55 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7A43584A-A46C-4F89-9FE2-218D91B2A182}\mpengine.dll
2012-12-22 01:38 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-12-18 01:53 . 2012-12-18 01:53 -------- d-----w- C:\_OTL
2012-12-15 19:38 . 2012-12-15 19:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-12-12 22:18 . 2012-12-12 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2012-12-12 03:27 . 2012-12-12 03:27 -------- d-----w- c:\program files\InfoAtoms
2012-12-12 03:26 . 2012-12-12 03:26 -------- d-----w- c:\documents and settings\bcrandal\Application Data\Strongvault
2012-12-12 03:26 . 2012-12-12 03:26 -------- d-----w- c:\documents and settings\bcrandal\Local Settings\Application Data\Stronghold_LLC
2012-12-06 20:57 . 2012-12-06 20:57 -------- d-----w- c:\program files\Common Files\Skype
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-11 23:32 . 2012-04-14 14:29 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-11 23:32 . 2011-11-01 21:44 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-13 01:25 . 2008-04-14 12:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 00:41 . 2008-04-14 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-02 02:02 . 2008-04-14 12:00 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2008-04-14 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-10-02 18:04 . 2008-04-14 12:00 58368 ----a-w- c:\windows\system32\synceng.dll
2012-09-30 00:54 . 2011-11-01 21:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-28 20:59 . 2012-10-28 20:58 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-10-07 2498560]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
c:\documents and settings\bcrandal\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\soffice.bin"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Xming\\Xming.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\bcrandal\\Application Data\\Spotify\\spotify.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 MpKsl8fa2d9fe;MpKsl8fa2d9fe;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7A43584A-A46C-4F89-9FE2-218D91B2A182}\MpKsl8fa2d9fe.sys [12/22/2012 6:23 PM 29904]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [4/9/2012 10:20 AM 3063968]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [11/9/2012 11:21 AM 160944]
S0 cerc6;cerc6; [x]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL8FA2D9FE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 23:32]
.
2012-09-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-12-22 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-12 21:25]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe" //mailurl:mailto:[email protected]
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Free YouTube to iPod Converter - c:\documents and settings\bcrandal\Application Data\DVDVideoSoftIEHelpers\freeyoutubetoipodconverter.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\bcrandal\Application Data\Mozilla\Firefox\Profiles\d2xsf5hk.default\
FF - ExtSQL: 2012-11-24 10:08; {e4a8a97b-f2ed-450b-b12d-ee082ba24781}; c:\documents and settings\bcrandal\Application Data\Mozilla\Firefox\Profiles\d2xsf5hk.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
FF - ExtSQL: 2012-12-11 22:27; [email protected]; c:\program files\Mozilla Firefox\extensions\[email protected]
FF - ExtSQL: !HIDDEN! 2012-12-11 22:27; [email protected]; c:\program files\Mozilla Firefox\extensions\[email protected]
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-22 18:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: OCZ-AGILITY3 rev.2.11 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x894AB2E2
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\0b\03\02\01\"7?"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(940)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3112)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\StacSV.exe
c:\windows\system32\wscntfy.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2012-12-22 18:26:47 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-22 23:26
ComboFix2.txt 2012-12-22 01:37
ComboFix3.txt 2012-12-19 03:41
ComboFix4.txt 2011-11-07 15:04
ComboFix5.txt 2012-12-22 23:13
.
Pre-Run: 25,360,867,328 bytes free
Post-Run: 25,390,104,576 bytes free
.
- - End Of File - - 1F434A3DB280BB3B2214C0BF93E0FDDE
Upload was successful

Edited by abraxas123, 22 December 2012 - 06:29 PM.


#14 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 24 December 2012 - 11:27 AM

Hi!

How are things running?

-ST.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#15 abraxas123

abraxas123
  • Topic Starter

  • Members
  • 34 posts

Posted 24 December 2012 - 05:53 PM

Not very well, I'm afraid. Random words on webpages are still hyperlinked for ads (whereas before the infections this did not occur with these same pages), and there is a large amount of adware/popups making an appearance within the browser (and I've tried a couple, it's an issue in all of them). The functionality of the computer is questionable, with freeze-ups tied to plugins and svchost.exe still common. It's such that it has become near impossible to shut down the computer properly, and audio is frequently disabled. Any suggestions would be appreciated, though I understand if you're unable to provide more of your volunteer time with this issue.

Edited by abraxas123, 24 December 2012 - 05:53 PM.

