Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

f.exe spyware


  • This topic is locked This topic is locked
11 replies to this topic

#1 richob

richob

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:20 PM

Posted 10 January 2010 - 10:37 AM

Hello. I have a Dell mini 1011 running windows xp which I got two weeks ago.
I unfortunately downloaded two files (which I have found out are f.exe files) which I think are form of Spyware. I need help finding and removing the files safely if possible please.
I get pop-ups every now and then and some are hard to close. When i try to close them down another message comes up asking to click ok to continue or cancel to stay on the page etc. The same thing happens when I try to close them down using task manager.
When they eventually close a message comes up saying ''f.exe has encountered a problem and needs to close. We are sorry for the inconvenience'' and asks if i want to send an error report. If I send or don't sent I either get a pop-up straight after or nothing happens.
Please help.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Rich at 20:11:15.02 on 08/01/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.440 [GMT 0:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\OA012Mon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\WSED\WSED.exe
C:\Program Files\Battery Meter\BTMeter.exe
C:\Program Files\CapsLKNotify\CapsLKNotify.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\msb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\Rich\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.live.com
mDefault_Page_URL = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
mStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [LREC75DND7] c:\docume~1\rich\locals~1\temp\f.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OA012Mon] c:\windows\OA012Mon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [WSED] c:\program files\wsed\WSED.exe
mRun: [<NO NAME>]
mRun: [BTMeter] c:\program files\battery meter\BTMeter.exe
mRun: [CapsLKNotify] c:\program files\capslknotify\CapsLKNotify.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rich\applic~1\mozilla\firefox\profiles\lb7nu2od.default\
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-11-15 14248]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-1-8 28552]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-15 214664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\McProxy.exe [2009-11-15 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-11-15 144704]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-11-15 143840]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-11-15 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-11-15 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-11-15 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-11-15 40552]
R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [2009-11-15 133632]
R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [2009-11-15 272032]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-11-15 162816]
S2 gupdate1ca872da777d26a;Google Update Service (gupdate1ca872da777d26a);c:\program files\google\update\GoogleUpdate.exe [2009-12-27 133104]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-11-15 1684736]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-11-15 34248]
S3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [2009-11-15 135168]
S3 RDID1005;EDIROL UA-5;c:\windows\system32\drivers\Rdwm1005.sys [2009-12-29 144673]

=============== Created Last 30 ================

2010-01-08 17:32:18 185344 ----a-w- c:\windows\msb.exe
2010-01-08 13:04:37 0 d-s---w- c:\documents and settings\rich\UserData
2010-01-08 13:00:43 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-01-08 12:59:36 0 d-----w- c:\program files\Panda Security
2010-01-08 12:26:44 185344 ----a-w- c:\windows\msa.exe
2010-01-08 12:26:05 230912 ----a-w- c:\windows\system32\sshnas.dll
2009-12-29 18:00:46 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2009-12-29 18:00:46 225280 ----a-w- c:\windows\system32\ReWire.dll
2009-12-29 18:00:46 0 d-----w- c:\docume~1\rich\applic~1\Propellerhead Software
2009-12-29 18:00:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Propellerhead Software
2009-12-29 18:00:03 0 d-----w- c:\program files\Propellerhead
2009-12-29 17:49:16 4088 ----a-w- c:\windows\system32\RD3T1005.DAT
2009-12-29 17:49:15 81920 ----a-w- c:\windows\system32\rdas1005.dll
2009-12-29 17:49:15 57344 ----a-w- c:\windows\system32\RDCP1005.CPL
2009-12-29 17:49:15 31862 ----a-w- c:\windows\system32\RdCi1005.dll
2009-12-29 17:49:15 221184 ----a-w- c:\windows\system32\RDDP1005.DAT
2009-12-29 17:49:15 144673 ----a-w- c:\windows\system32\drivers\Rdwm1005.sys
2009-12-29 17:49:15 0 d-----w- c:\program files\RdDrv001
2009-12-29 17:41:44 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-12-29 17:41:44 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-12-28 18:55:42 0 d-----w- c:\program files\common files\xing shared
2009-12-28 18:54:23 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-12-28 18:54:22 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-12-28 18:54:11 0 d-----w- c:\program files\common files\Real
2009-12-28 17:38:20 36224 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-27 19:48:45 0 d-----w- c:\program files\common files\DivX Shared
2009-12-27 19:48:43 0 d-----w- c:\program files\DivX
2009-12-27 11:00:51 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2009-12-26 12:28:35 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-12-26 12:28:35 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-12-26 12:26:45 0 d-----w- c:\program files\iPod
2009-12-26 12:26:40 0 d-----w- c:\program files\iTunes
2009-12-26 12:26:40 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-26 12:26:07 0 d-----w- c:\program files\Bonjour
2009-12-26 12:07:30 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-12-26 12:07:29 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-12-26 12:07:29 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-12-26 12:07:29 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-12-26 12:07:28 0 d-----w- C:\bfac899b4da7c90f8f2ea823ce5aa6b0
2009-12-25 09:03:10 0 d-----w- c:\docume~1\rich\applic~1\Windows Search
2009-12-25 08:57:56 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-12-25 08:53:45 0 d-----w- c:\windows\system32\PreInstall

==================== Find3M ====================

2009-11-16 00:03:50 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01007.Wdf
2009-11-16 00:03:47 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-11-15 19:54:21 77824 ----a-w- c:\windows\setpwr32.exe
2009-11-15 19:53:01 4541 ----a-w- c:\windows\system32\drivers\1028_Dell_INS_1011.mrk
2009-11-15 18:25:10 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-14 00:49:00 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-11-14 00:49:00 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-11-14 00:49:00 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-11-14 00:49:00 129784 ------w- c:\windows\system32\pxafs.dll
2009-11-14 00:49:00 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-11-14 00:49:00 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-11-14 00:47:32 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47:28 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47:28 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47:28 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47:28 696320 ----a-w- c:\windows\system32\DivX.dll
2009-10-29 05:38:23 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

============= FINISH: 20:12:19.52 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:20 PM

Posted 10 January 2010 - 11:28 AM

Hello! smile.gif
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.




We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT



  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 richob

richob
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:20 PM

Posted 10 January 2010 - 06:22 PM

Thanks for taking time out to help me Sam. Really appreciate it.

Malwarebytes' Anti-Malware 1.44
Database version: 3537
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

10/01/2010 22:55:05
mbam-log-2010-01-10 (22-55-05).txt

Scan type: Quick Scan
Objects scanned: 117137
Time elapsed: 19 minute(s), 53 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
C:\WINDOWS\msb.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\LREC75DND7 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\E8WECRKKMV (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e8wecrkkmv (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lrec75dnd7 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\msb.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rich\Local Settings\Temp\f.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rich\Local Settings\Temp\a.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rich\Local Settings\Temp\b.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rich\Local Settings\Temp\c.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rich\Local Settings\Temp\d.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rich\Local Settings\Temp\e.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\msa.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sshnas.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rich\Local Settings\Temp\sshnas.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.




netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
CREATERESTOREPOINT


OTL Extras logfile created on: 10/01/2010 23:08:25 - Run 1
OTL by OldTimer - Version 3.1.23.0 Folder = C:\Documents and Settings\Rich\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,014.00 Mb Total Physical Memory | 454.00 Mb Available Physical Memory | 45.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.01 Gb Total Space | 135.77 Gb Free Space | 91.12% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D6G402L1
Current User Name: Rich
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3867324620-3566477941-3609066403-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{053E51D3-885D-425C-9586-EA5183C4C688}" = Function Keys
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 16
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{543A4F31-9590-416A-A621-42CEB4C6A694}" = Battery Meter
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}" = Live! Cam Avatar Creator
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90578106-70AF-4198-B9DE-1924FA83B03A}" = CapsLKNotify
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9C9CEB9D-53FD-49A7-85D2-FE674F72F24E}" = Microsoft Search Enhancement Pack
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{E6CB6126-D120-4FB5-9D1B-E2E19003E66C}" = WSED
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FEF06E73-A519-4510-8CF3-B66041B91D8A}" = EMSC
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Broadcom 802.11 Application" = Dell Wireless WLAN Card Utility
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Creative OA012" = Integrated Webcam Driver (1.02.02.0403)
"Dell Webcam Central" = Dell Webcam Central
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"Google Chrome" = Google Chrome
"GoToAssist" = GoToAssist 8.0.0.514
"HDMI" = Intel® Graphics Media Accelerator Driver
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{543A4F31-9590-416A-A621-42CEB4C6A694}" = Battery Meter
"InstallShield_{90578106-70AF-4198-B9DE-1924FA83B03A}" = CapsLKNotify
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"MSC" = McAfee SecurityCenter
"RealPlayer 12.0" = RealPlayer
"Reason_is1" = Reason 3.0.4
"SynTPDeinstKey" = Dell Touchpad
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime" = Windows Media Format Runtime
"WinLiveSuite_Wave3" = Windows Live Essentials
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3867324620-3566477941-3609066403-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 29/12/2009 13:57:28 | Computer Name = D6G402L1 | Source = Windows Search Service | ID = 3024
Description = The update cannot be started because the content sources cannot be
accessed. Fix the errors and try the update again. Context: Application, SystemIndex
Catalog

Error - 29/12/2009 13:57:28 | Computer Name = D6G402L1 | Source = Windows Search Service | ID = 3024
Description = The update cannot be started because the content sources cannot be
accessed. Fix the errors and try the update again. Context: Application, SystemIndex
Catalog

Error - 01/01/2010 15:10:45 | Computer Name = D6G402L1 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 01/01/2010 15:10:45 | Computer Name = D6G402L1 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

[ System Events ]
Error - 08/01/2010 15:13:02 | Computer Name = D6G402L1 | Source = Service Control Manager | ID = 7001
Description = The Bonjour Service service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 08/01/2010 15:13:02 | Computer Name = D6G402L1 | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 08/01/2010 15:13:02 | Computer Name = D6G402L1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Fips intelppm IPSec mfehidk MPFP MRxSmb NetBIOS NetBT pavboot RasAcd Rdbss Tcpip

Error - 08/01/2010 15:13:07 | Computer Name = D6G402L1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 08/01/2010 15:14:09 | Computer Name = D6G402L1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNASvc with
arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

Error - 08/01/2010 15:14:14 | Computer Name = D6G402L1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNASvc with
arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

Error - 08/01/2010 15:18:28 | Computer Name = D6G402L1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 08/01/2010 15:20:43 | Computer Name = D6G402L1 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the mcmscsvc service.

Error - 09/01/2010 15:04:43 | Computer Name = D6G402L1 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the mcmscsvc service.

Error - 10/01/2010 09:06:15 | Computer Name = D6G402L1 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the mcmscsvc service.


< End of report >









#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:20 PM

Posted 11 January 2010 - 08:04 AM

You're missing the main log from OTL. It should be on your desktop with OTL.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 richob

richob
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:20 PM

Posted 11 January 2010 - 09:45 AM

Sorry. This should be the OTL.

Also i got a message this afternoon from McAfee saying it found and stopped a Trojan.





OTL logfile created on: 10/01/2010 23:08:25 - Run 1
OTL by OldTimer - Version 3.1.23.0 Folder = C:\Documents and Settings\Rich\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,014.00 Mb Total Physical Memory | 454.00 Mb Available Physical Memory | 45.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.01 Gb Total Space | 135.77 Gb Free Space | 91.12% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D6G402L1
Current User Name: Rich
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/01/10 23:05:18 | 00,543,744 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rich\My Documents\Downloads\OTL.exe
PRC - [2010/01/08 18:45:29 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/01/07 16:07:10 | 01,394,000 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2009/12/28 18:54:13 | 00,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/11/15 18:25:10 | 00,386,872 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jucheck.exe
PRC - [2009/11/15 18:25:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/11/15 18:25:10 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/11/12 16:33:10 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/11/04 16:53:34 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/11/04 15:59:50 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/29 06:54:44 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/10/02 13:02:56 | 00,026,640 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSK\msksrver.exe
PRC - [2009/08/28 19:42:54 | 00,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/07/22 15:22:54 | 00,623,984 | ---- | M] (Dell) -- C:\Program Files\Battery Meter\BTMeter.exe
PRC - [2009/07/08 11:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/06/03 20:46:38 | 00,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2009/06/03 20:46:38 | 00,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2009/05/27 21:24:54 | 00,247,080 | ---- | M] (Dell) -- C:\Program Files\WSED\WSED.exe
PRC - [2009/05/11 21:11:24 | 00,024,576 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\OA012Mon.exe
PRC - [2009/03/15 22:49:30 | 01,434,920 | ---- | M] (Synaptics Incorporated) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2009/03/15 21:32:14 | 17,529,856 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2009/02/23 15:03:06 | 00,320,808 | ---- | M] (Compal Electronics, Inc) -- C:\Program Files\CapsLKNotify\CapsLKNotify.exe
PRC - [2009/02/15 21:34:34 | 00,141,848 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
PRC - [2009/02/15 21:34:32 | 00,256,536 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2009/02/15 21:34:18 | 00,137,752 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2009/02/15 21:34:12 | 00,166,424 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2009/01/14 23:53:02 | 00,226,656 | ---- | M] (Microsoft Corp.) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/01/06 23:53:34 | 00,024,576 | ---- | M] () -- C:\WINDOWS\system32\WLTRYSVC.EXE
PRC - [2009/01/06 23:53:32 | 02,289,664 | ---- | M] (Dell Inc.) -- C:\WINDOWS\system32\WLTRAY.EXE
PRC - [2009/01/06 23:52:56 | 02,039,808 | ---- | M] (Dell Inc.) -- C:\WINDOWS\system32\BCMWLTRY.EXE
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/05/27 04:19:14 | 00,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PRC - [2008/04/14 12:00:00 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/01/10 23:05:18 | 00,543,744 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rich\My Documents\Downloads\OTL.exe
MOD - [2009/12/28 18:56:30 | 00,102,400 | ---- | M] (RealPlayer) -- C:\Program Files\Real\RealPlayer\browserrecord\chrome\hook\rpchromebrowserrecordhelper.dll
MOD - [2009/12/28 18:54:23 | 00,348,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcr71.dll
MOD - [2009/12/28 18:54:22 | 00,499,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp71.dll
MOD - [2009/08/13 13:55:04 | 01,748,992 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/12/27 19:48:46 | 00,133,104 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1ca872da777d26a) Google Update Service (gupdate1ca872da777d26a)
SRV - [2009/11/15 18:31:02 | 00,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2009/11/15 18:25:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/11/12 16:33:00 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/11/04 16:53:34 | 00,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/11/04 15:59:50 | 00,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/10/29 06:54:44 | 00,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/10/28 11:50:32 | 00,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MpfSrv.exe -- (MpfService)
SRV - [2009/10/02 13:02:56 | 00,026,640 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2009/08/28 19:42:54 | 00,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/07/08 11:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/06/03 20:46:38 | 00,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter) SupportSoft Sprocket Service (DellSupportCenter)
SRV - [2009/01/14 23:53:02 | 00,226,656 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/01/06 23:53:34 | 00,024,576 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\WLTRYSVC.EXE -- (wltrysvc)
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2006/10/27 01:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006/10/26 20:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2004/10/22 09:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default....;l=en&s=gen
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default....;l=en&s=gen
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.uk.msn.com/USCON/2
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.msn.com/sphome.aspx
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://g.uk.msn.com/USCON/2


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/USCON/2
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/USCON/2
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/USCON/2
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/USCON/2
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3867324620-3566477941-3609066403-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/USCON/2
IE - HKU\S-1-5-21-3867324620-3566477941-3609066403-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
IE - HKU\S-1-5-21-3867324620-3566477941-3609066403-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/USCON/2
IE - HKU\S-1-5-21-3867324620-3566477941-3609066403-1006\S-1-5-21-3867324620-3566477941-3609066403-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3867324620-3566477941-3609066403-1006\S-1-5-21-3867324620-3566477941-3609066403-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {6e764c17-863a-450f-bdd0-6772bd5aaa18}:1.0.3
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/08 18:45:51 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/08 18:45:51 | 00,000,000 | ---D | M]

[2009/12/25 09:26:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Rich\Application Data\Mozilla\Extensions
[2010/01/10 19:19:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Rich\Application Data\Mozilla\Firefox\Profiles\lb7nu2od.default\extensions
[2009/12/29 11:38:23 | 00,000,000 | ---D | M] (Media Converter) -- C:\Documents and Settings\Rich\Application Data\Mozilla\Firefox\Profiles\lb7nu2od.default\extensions\{6e764c17-863a-450f-bdd0-6772bd5aaa18}
[2009/12/25 09:26:18 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/01/08 18:45:43 | 00,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/01/08 18:45:43 | 00,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/01/08 18:45:43 | 00,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/01/08 18:45:43 | 00,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-3867324620-3566477941-3609066403-1006\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] c:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.EXE (Dell Inc.)
O4 - HKLM..\Run: [BTMeter] C:\Program Files\Battery Meter\BTMeter.exe (Dell)
O4 - HKLM..\Run: [CapsLKNotify] C:\Program Files\CapsLKNotify\CapsLKNotify.exe (Compal Electronics, Inc)
O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [OA012Mon] C:\WINDOWS\OA012Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics Incorporated)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [WSED] C:\Program Files\WSED\WSED.exe (Dell)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3867324620-3566477941-3609066403-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/26 01:45:49 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/04/26 01:45:17 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16892003295952896)

========== Files/Folders - Created Within 14 Days ==========

[2010/01/10 22:28:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Rich\Application Data\Malwarebytes
[2010/01/10 22:28:00 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/10 22:27:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/10 22:27:56 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/10 22:27:56 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/08 13:04:37 | 00,000,000 | --SD | C] -- C:\Documents and Settings\Rich\UserData
[2010/01/08 13:00:43 | 00,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2010/01/08 12:59:36 | 00,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2010/01/08 12:21:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Rich\Local Settings\Application Data\The Little App Factory, LLC
[2009/12/29 18:00:46 | 00,233,472 | ---- | C] (Propellerhead Software AB) -- C:\WINDOWS\System32\REX Shared Library.dll
[2009/12/29 18:00:46 | 00,225,280 | ---- | C] (Propellerhead Software AB) -- C:\WINDOWS\System32\ReWire.dll
[2009/12/29 18:00:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Rich\Application Data\Propellerhead Software
[2009/12/29 18:00:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Propellerhead Software
[2009/12/29 18:00:03 | 00,000,000 | ---D | C] -- C:\Program Files\Propellerhead
[2009/12/29 17:49:15 | 00,221,184 | ---- | C] (Roland Corporation) -- C:\WINDOWS\System32\RDDP1005.DAT
[2009/12/29 17:49:15 | 00,144,673 | ---- | C] (Roland Corporation) -- C:\WINDOWS\System32\drivers\Rdwm1005.sys
[2009/12/29 17:49:15 | 00,081,920 | ---- | C] (Roland Corporation) -- C:\WINDOWS\System32\rdas1005.dll
[2009/12/29 17:49:15 | 00,000,000 | ---D | C] -- C:\Program Files\RdDrv001
[2009/12/29 12:05:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Rich\Application Data\DivX
[2009/12/29 11:28:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Rich\Local Settings\Application Data\WMTools Downloaded Files
[2009/12/29 11:10:18 | 00,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2009/12/28 18:55:42 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
[2009/12/28 18:54:22 | 00,278,528 | ---- | C] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2009/12/28 18:54:17 | 00,000,000 | ---D | C] -- C:\Program Files\Real
[2009/12/28 18:54:11 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Real
[2009/12/28 18:54:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Real
[2009/12/28 18:54:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Rich\Application Data\Real
[2009/12/28 01:08:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/12/27 19:49:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/12/25 08:53:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/04/26 01:48:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/04/26 01:45:41 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/04/26 01:45:41 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/01/10 23:08:01 | 00,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/01/10 23:01:54 | 00,553,238 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/01/10 23:01:54 | 00,464,078 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/01/10 23:01:54 | 00,079,188 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/01/10 22:58:53 | 00,010,681 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/01/10 22:57:31 | 00,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/01/10 22:57:29 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/10 22:57:26 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/10 22:57:24 | 10,637,02528 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/10 22:56:46 | 03,407,872 | -H-- | M] () -- C:\Documents and Settings\Rich\NTUSER.DAT
[2010/01/10 22:56:27 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Rich\ntuser.ini
[2010/01/10 22:56:18 | 05,726,722 | -H-- | M] () -- C:\Documents and Settings\Rich\Local Settings\Application Data\IconCache.db
[2010/01/10 22:28:04 | 00,000,698 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/08 20:19:02 | 00,000,669 | ---- | M] () -- C:\Documents and Settings\Rich\Desktop\Shortcut to RootRepeal.lnk
[2010/01/08 12:42:22 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/02 23:30:13 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/31 21:35:43 | 00,076,396 | ---- | M] () -- C:\Documents and Settings\Rich\My Documents\all for the best.rns
[2009/12/29 18:38:59 | 00,005,632 | ---- | M] () -- C:\Documents and Settings\Rich\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/29 18:00:46 | 00,233,472 | ---- | M] (Propellerhead Software AB) -- C:\WINDOWS\System32\REX Shared Library.dll
[2009/12/29 18:00:46 | 00,225,280 | ---- | M] (Propellerhead Software AB) -- C:\WINDOWS\System32\ReWire.dll
[2009/12/29 18:00:40 | 00,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Reason.lnk
[2009/12/28 18:56:32 | 00,000,899 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer SP.lnk
[2009/12/28 18:54:22 | 00,278,528 | ---- | M] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2009/12/28 17:38:20 | 00,036,224 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/10 22:28:04 | 00,000,698 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/08 20:19:02 | 00,000,669 | ---- | C] () -- C:\Documents and Settings\Rich\Desktop\Shortcut to RootRepeal.lnk
[2010/01/08 19:19:02 | 10,637,02528 | -HS- | C] () -- C:\hiberfil.sys
[2009/12/29 21:49:06 | 00,076,396 | ---- | C] () -- C:\Documents and Settings\Rich\My Documents\all for the best.rns
[2009/12/29 18:00:40 | 00,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Reason.lnk
[2009/12/29 17:49:16 | 00,004,088 | ---- | C] () -- C:\WINDOWS\System32\RD3T1005.DAT
[2009/12/29 17:49:15 | 00,057,344 | ---- | C] () -- C:\WINDOWS\System32\RDCP1005.CPL
[2009/12/29 17:49:15 | 00,031,862 | ---- | C] () -- C:\WINDOWS\System32\RdCi1005.dll
[2009/12/29 12:04:53 | 00,005,632 | ---- | C] () -- C:\Documents and Settings\Rich\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/28 18:56:32 | 00,000,899 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer SP.lnk
[2009/12/28 17:38:20 | 00,036,224 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/12/28 01:03:54 | 00,000,884 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2009/12/28 01:03:53 | 00,000,880 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2009/11/15 19:54:10 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2009/11/15 19:48:23 | 00,001,203 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/11/15 18:50:08 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/11/15 18:26:49 | 00,577,536 | ---- | C] () -- C:\WINDOWS\System32\EMSC.DLL
[2009/11/15 18:25:35 | 00,143,360 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2009/11/15 18:25:33 | 00,753,664 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2008/04/26 01:42:57 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2007/09/27 16:51:02 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 16:48:48 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 16:48:28 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini

========== LOP Check ==========

[2009/11/15 18:31:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2009/12/29 18:00:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Propellerhead Software
[2009/11/15 18:31:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2009/11/15 18:26:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Vista32
[2009/11/15 18:26:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Vista64
[2009/11/15 18:26:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Win732
[2009/11/15 18:26:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Win764
[2009/11/15 18:28:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\XP32
[2009/12/26 12:28:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/11/15 18:24:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Windows Desktop Search
[2009/12/29 18:00:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Rich\Application Data\Propellerhead Software
[2009/11/15 18:24:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Rich\Application Data\Windows Desktop Search
[2009/12/25 09:03:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Rich\Application Data\Windows Search

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/14 12:00:00 | 20,056,462 | ---- | M] () .cab file -- C:\I386\sp3.cab:AGP440.sys
[2008/04/14 12:00:00 | 20,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/14 12:06:40 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2008/04/14 12:00:00 | 20,056,462 | ---- | M] () .cab file -- C:\I386\sp3.cab:atapi.sys
[2008/04/14 12:00:00 | 20,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 12:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/14 12:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/14 12:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 12:00:00 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 12:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 12:00:00 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]
< End of report >


#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:20 PM

Posted 11 January 2010 - 06:57 PM

How is your computer behaving now?


Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 richob

richob
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:20 PM

Posted 11 January 2010 - 07:51 PM

Hey Sam. It seems to be working fine now. I had a message earlier from McAfee saying it had found a trojan, and looking at the McAfee log today it says my computer has been pinged? Whatever means. Apart from that all previous problems seem to have gone. I no longer have the messages or pop-ups.
Is there something better than McAfee you could reccomend?
Thank you so much for your help. It is very much appreciated.

Rich.

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:20 PM

Posted 12 January 2010 - 08:07 AM

I'm not a big Mcafee fan myself. It just doesn't handle many of the infections that are common today. If you're looking for a free product take a look at Avast. If you don't mind paying a few bucks check out Nod32 or Kaspersky. Both have a full security suite.

And of course keep Malwarebytes to supplement whatever antivirus you run.

Now we'll remove OTL and some of the other tools we've used.
  • Double-click OTL.exe to run it.
  • Click on the CleanUp! button
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



================




Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Disable and Enable System Restore. - You should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  2. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  3. Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  4. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  5. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  6. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  7. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  8. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

thumbup.gif smile.gif







Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 richob

richob
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:20 PM

Posted 15 January 2010 - 02:02 PM

Hello Sam. I have followed your instructions but have a couple questions.

When I had to enable and disable system restore I wasn't sure if I should have restored my computer to a previous date when my computer hadn't picked up a virus or not. So i didn't. Was that the right thing to do?

When I installed Avast and restarted my computer, Avast scanned my hard drive (went to a blue screen) and found two infected files. I wasn't sure what to do to these so I moved them to the chest. Was this the right thing to do and how do I go about deleting them if needed?

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:20 PM

Posted 16 January 2010 - 09:25 AM

Sounds like you did everything correctly. With system restore, what you are essentially doing is deleting all the old, and possibly infected restore data and files and setting a brand new restore point that you know is clean. With Avast, or any antivirus, it's always best just to have anything that is detected quarantined instead of deleted. Or in your case, moved to the chest.

So you did everything perfectly! smile.gif
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 richob

richob
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:20 PM

Posted 17 January 2010 - 01:46 PM

Brilliant. It's good to know I am now clean and protected.
Once again, thanks for putting time aside and helping me out.
It is very much appreciated.

Rich.

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:20 PM

Posted 18 January 2010 - 09:39 AM

I'm glad I could help you out! smile.gif

Now that your malware problem appears to be resolved, this topic will be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this topic in your request.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users