WindowsXP User Account Reset to "TEMP"

My wife's user account was unexplainably reset to the default new-user state several days ago. She had been working normally on her laptop much of the afternoon, turned it off for a few hours, then when she came back and booted it up later that evening, her account ran through all of the typical new-user introductory stuff, and her entire desktop was also reset. At first I thought that she had mistakenly selected the wrong user account, so she logged off and tried again, but found that indeed, her account had been reset.

I logged onto the laptop, logging into my account, and it appears to be working properly, with no signs of having been reset.

I logged back into her account, and found that the "Documents and Settings" file that her account was directed to was named "TEMP". Upon further investigation it looks like her user files still exist under her original user name, but that her account has been redirected away from them. I also found some files within \WINDOWS and \WINDOWS\SYSTEM32 dated from the day the problem first appeared that do not look "normal", and turn up as evidence of a virus through a Google search.

I've ran completed (fully updated) scans using: Norton 360; Norton Bootable Recovery Tools; Malwarebytes; and most recently SuperAntiSpyware. Neither Norton nor Malwarebytes found anything, and SuperAntiSpyware only turned up tracking cookies.

I'd like to return her user account to it's normal status, but I'm not sure what was changed to reset it. I also don't know what virus may still be lurking on her laptop, and need to make sure that whatever is there gets fully wiped out.


Here's the Defogger log:
------------------------
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 21:08 on 11/11/2010 (David)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


Here's the DDS log:
-------------------

DDS (Ver_10-03-17.01) - NTFSx86
Run by David at 21:25:39.45 on Thu 11/11/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.464 [GMT -5:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\User\debug\bc_utils\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bleepingcomputer.com/
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [<NO NAME>]
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Amazing3DAquariumWallpaper]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\vht8nqf2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bleepingcomputer.com/
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-5-21 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-5-21 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-5-21 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20101104.004\IDSXpx86.sys [2010-10-19 341880]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-5-21 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20101107.003\NAVENG.SYS [2010-11-7 86064]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20101107.003\NAVEX15.SYS [2010-11-7 1371184]

=============== Created Last 30 ================

2010-11-12 02:08:14 0 ----a-w- c:\documents and settings\david\defogger_reenable
2010-11-11 17:12:32 0 d-----w- c:\docume~1\david\applic~1\SUPERAntiSpyware.com
2010-11-11 17:12:32 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-11-11 17:12:07 0 d-----w- c:\program files\SUPERAntiSpyware
2010-11-09 07:46:33 74752 --sha-w- c:\documents and settings\david\ntuser.dat.LOG1
2010-11-09 07:46:33 0 --sha-w- c:\documents and settings\david\ntuser.dat.LOG2
2010-11-09 07:42:35 0 d-----w- C:\NBRT
2010-11-04 04:41:18 0 d-----w- C:\New Folder

==================== Find3M ====================


============= FINISH: 21:26:13.51 ===============


Here's a list of suspicious looking files within \WINDOWS and \WINDOWS\SYSTEM32:
--------------------------------------------------------------------------------


Directory of C:\WINDOWS

...

10/12/2010 01:11 PM 1,007,486 setupapi.log
11/07/2010 09:40 AM <DIR> system32
11/07/2010 11:09 PM 91,153 wmsetup.log
11/07/2010 11:09 PM 2,558 OEWABLog.txt
11/07/2010 11:47 PM 32,540 SchedLgU.Txt
11/11/2010 12:10 PM 0 0.log
11/11/2010 12:10 PM 3,890 ModemLog_Conexant D110 MDC V.92 Modem.txt
11/11/2010 12:17 PM 1,828,117 WindowsUpdate.log
11/11/2010 09:32 PM <DIR> Temp
11/11/2010 09:42 PM <DIR> Prefetch

(end)

Directory of C:\WINDOWS\SYSTEM32

...

11/07/2010 09:40 AM 557,242 PerfStringBackup.INI
11/07/2010 09:40 AM <DIR> ..
11/07/2010 09:40 AM <DIR> .
11/07/2010 09:40 AM 466,982 perfh009.dat
11/07/2010 09:40 AM 80,032 perfc009.dat
11/07/2010 11:35 PM <DIR> Restore
11/09/2010 02:42 AM <DIR> config
11/11/2010 12:10 PM 2,206 wpa.dbl
11/11/2010 12:15 PM <DIR> CatRoot2

(end)

The problem with her account occurred on 11/07/2010, so the above files appear to coincide with the attack.

Both the DDS "Attach.zip" file and GMER "ark.txt" files have been attached to this posting.

The "OEWABLog.txt" file listed above is one that turned up as a virus indicator via a Google search. But the other *.log and *.txt files, especially the "ModemLog..." file, look pretty unusual. And those are just the files that I can easily see...

My wife and I very much appreciate any assistance that the Bleeping Computer malware removal team can once again provide!

- David

For completeness, attached here are the log files from two SuperAntiSpyware scans. They list the tracking cookies that were found and removed.

Other than copying the entire C partition to a back-up drive, and running the Norton, MWB, and SAS scans mentioned within my original post, nothing else has been done to the computer since the time that we found the account had been reset.

- David

EDIT: Posts merged ~BP

Edited by Budapest, 12 November 2010 - 05:07 PM.

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

• Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.
  
  
• Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  
  
• Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

m0le, Thanks for responding. I was beginning to wonder if I was going to be on my own with this one.

My primary concern with this condition is whether or not malware is to blame for the corruption of my wife's user account. I understand that the creation of a TEMP user account is a Windows reaction to a corrupted user profile, so that portion may not have been the direct actions of an infection. But the corruption of the userprofile might have been. And either way I'd like to restore her account, after first cleaning up her computer.

Timing is going to be a bit tight with the up-coming Thanksgiving holiday (at least here in the States), so I'm only going to have the rest of tonight and tomorrow to work on this before heading out of town for a few days for the holiday.

I'll keep monitoring for a reply for a few more hours this evening, so please do get back to me if you are still kicking around the board tonight.

- David

Edited by pcfnd, 21 November 2010 - 10:49 PM.

The time difference has beaten us a bit I'm afraid.

It doesn't look like there's any malicious activity in any of the logs you have posted. The suspicious files you have flagged are all okay.

The Gmer log shows a missing file so it could be that the PC could do with a repair installation but certainly I haven't found anything to concern us.

m0le,

Thanks for your reply, and for looking through all of the log files and other information that I had posted. My wife will be somewhat relieved to hear that there wasn't any malware identified, although I think she and I will both be puzzled about what has happened to her computer to cause her user account to be corrupted.

We do have a backup image of her system from a number of months ago, and have made copies of her current files so that we have anything newer than the date of the image copy. I just wasn't sure if there may have been something nasty lurking in those newer files, so I didn't want to just restore her system and them inadvertently copy something bad along with it and wind up with the same corruption issue again in the near future.

In wrapping up here, can you tell me anything further about the "OEWABLog.txt" file in particular? That was one file that raised concerns about there being a virus after a Google search for it listed it as potential malware.

Thanks.

- David

First, a text file is not going to cause you any problems anyway as it is not executable on your machine. Your post showed this:

11/07/2010 11:09 PM 91,153 wmsetup.log
11/07/2010 11:09 PM 2,558 OEWABLog.txt

wmsetup.log is an error log from Windows Media Player

OEWABLog.txt is not quite so easy to pin down. Again, it is only a text file.

When you Google you will find all sorts of conflicting information but someone actually ran the file from that location through a multi-scanner here. It's clean, and the fact that is has the same time stamp as wmsetup means it must be part of the Media Player error log setup.

I would advise this. Reinstall the PC and when done run the following scan and post the results.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.