Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

keylogger infection?


  • This topic is locked This topic is locked
14 replies to this topic

#1 compuhelp32

compuhelp32

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:28 PM

Posted 17 November 2010 - 09:35 PM

I used the internet to buy something with my credit card. Several days later the credit card company called to say there was an unauthorized charge on my account. Is it possible my computer is hacked somehow that allowed someone to steal my credit card info?

I could not run the DDS log, it is just scrambled characters.

The GMER scan said it didn't find any modifications to my system.

BC AdBot (Login to Remove)

 


#2 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:12:28 AM

Posted 27 November 2010 - 06:46 PM

Hi compuhelp32!!.. :)

Is it possible my computer is hacked somehow that allowed someone to steal my credit card info?

Yes, that's one of the possibilities...

I could not run the DDS log, it is just scrambled characters.

Please perform the following scan:
  • Download DDS by sUBs from the following link. Save it to your Desktop.

    NOTE: Before scanning, make sure all other running programs are closed.
    There shouldn't be any scheduled antivirus scans running while the scan is being performed.
    Do not use your computer for anything else during the scan.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • >>Post the contents of both DDS.txt and Attach.txt into the thread.<<
  • Close the program window, and delete the program from your Desktop.

c18903e63196580f.gif
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#3 compuhelp32

compuhelp32
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:28 PM

Posted 29 November 2010 - 08:47 PM

Here are the logs.
Thanks for your help!

Attached Files



#4 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:12:28 AM

Posted 30 November 2010 - 12:06 PM

Hi again compuhelp32!!.. :)

Let's check further...

Firstly,
Download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all.

Secondly,
Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer (32 bit version - Start --> All programs --> Internet Explorer) for this scan. Internet Explorer must be run as administrator - right click and choose: Run as administrator.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files (x86)\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

c18903e63196580f.gif
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#5 compuhelp32

compuhelp32
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:28 PM

Posted 30 November 2010 - 08:19 PM

OTL logfile created on: 11/30/2010 8:04:15 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\Jon\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18975)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 48.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 584.95 Gb Total Space | 456.63 Gb Free Space | 78.06% Space Free | Partition Type: NTFS
Drive D: | 11.21 Gb Total Space | 1.05 Gb Free Space | 9.37% Space Free | Partition Type: NTFS

Computer Name: JON-PC | User Name: Jon | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/30 18:00:08 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Jon\Desktop\OTL.exe
PRC - [2010/03/23 02:51:16 | 000,193,848 | ---- | M] (Yahoo! Inc.) -- C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\ytbb.exe
PRC - [2010/02/25 19:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton 360\Engine\4.3.0.5\ccsvchst.exe
PRC - [2009/11/20 19:17:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/11/03 17:21:18 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008/11/03 17:21:16 | 000,182,808 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2007/04/18 10:01:34 | 000,065,536 | ---- | M] (Hewlett-Packard Company) -- C:\hp\support\hpsysdrv.exe


========== Modules (SafeList) ==========

MOD - [2010/11/30 18:00:08 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Jon\Desktop\OTL.exe
MOD - [2010/09/20 14:26:01 | 000,415,088 | R--- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton 360\Engine\4.3.0.5\asoehook.dll
MOD - [2010/08/31 10:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll
MOD - [2009/07/12 03:02:02 | 000,653,120 | R--- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Norton 360\Engine\4.3.0.5\microsoft.vc90.crt\msvcr90.dll
MOD - [2009/07/12 03:02:00 | 000,569,664 | R--- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Norton 360\Engine\4.3.0.5\microsoft.vc90.crt\msvcp90.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010/06/12 15:10:50 | 001,030,600 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe -- (FLEXnet Licensing Service 64)
SRV:64bit: - [2008/01/20 21:47:32 | 000,383,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2007/10/18 10:37:22 | 000,412,672 | ---- | M] (Conexant Systems, Inc.) [Auto | Running] -- C:\Windows\SysNative\DRIVERS\xaudio64.exe -- (XAudioService)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/02/25 19:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files (x86)\Norton 360\Engine\4.3.0.5\ccSvcHst.exe -- (N360)
SRV - [2009/11/20 19:17:00 | 000,240,232 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2009/03/29 23:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/11/03 17:21:18 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®


========== Driver Services (SafeList) ==========

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\ipinip.sys -- (IpInIp)
DRV:64bit: - [2010/06/12 06:59:04 | 000,173,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\SYMEVENT64x86.SYS -- (SymEvent)
DRV:64bit: - [2010/05/05 23:01:59 | 000,451,120 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\Drivers\N360x64\0403000.005\SYMTDIV.SYS -- (SYMTDIv)
DRV:64bit: - [2010/04/29 00:03:51 | 000,150,064 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\N360x64\0403000.005\Ironx64.SYS -- (SymIRON)
DRV:64bit: - [2010/04/21 22:02:20 | 000,221,232 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\N360x64\0403000.005\SYMEFA64.SYS -- (SymEFA)
DRV:64bit: - [2010/04/21 21:29:51 | 000,505,392 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\Drivers\N360x64\0403000.005\SRTSP64.SYS -- (SRTSP)
DRV:64bit: - [2010/04/21 21:29:51 | 000,032,304 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\N360x64\0403000.005\SRTSPX64.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV:64bit: - [2010/02/25 19:22:52 | 000,615,040 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\N360x64\0403000.005\ccHPx64.sys -- (ccHP)
DRV:64bit: - [2009/10/14 22:50:05 | 000,433,200 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\N360x64\0403000.005\SYMDS64.SYS -- (SymDS)
DRV:64bit: - [2009/05/18 17:17:08 | 000,034,152 | R--- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/01/20 06:49:48 | 000,195,584 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\Rtlh64.sys -- (RTL8169)
DRV:64bit: - [2008/11/03 17:10:08 | 000,406,040 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iastor.sys -- (iaStor)
DRV:64bit: - [2008/02/12 10:50:14 | 000,286,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\CAXHWBS3.sys -- (CAXHWBS3)
DRV:64bit: - [2008/02/12 10:48:10 | 000,740,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\CAX_CNXT.sys -- (winachsf)
DRV:64bit: - [2008/02/12 10:47:08 | 001,481,216 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\CAX_DP.sys -- (HSF_DP)
DRV:64bit: - [2007/10/18 10:37:10 | 000,010,240 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\xaudio64.sys -- (XAudio)
DRV:64bit: - [2006/09/18 16:36:24 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\Wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2006/06/19 09:27:24 | 000,017,024 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\mdmxsdk.sys -- (mdmxsdk)
DRV - [2010/11/03 19:07:05 | 000,953,904 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20101104.001\BHDrvx64.sys -- (BHDrvx64)
DRV - [2010/10/19 15:36:20 | 000,476,720 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20101129.001\IDSviA64.sys -- (IDSVia64)
DRV - [2010/09/30 06:54:38 | 001,804,336 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20101130.022\EX64.SYS -- (NAVEX15)
DRV - [2010/09/30 06:54:38 | 000,117,808 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20101130.022\ENG64.SYS -- (NAVENG)
DRV - [2010/06/12 12:24:11 | 000,475,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys -- (eeCtrl)
DRV - [2010/06/12 12:24:11 | 000,132,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cndt
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cndt
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cndt
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cndt

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cndt
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\ [2010/06/12 12:54:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\ [2010/06/12 06:59:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2010/06/12 14:33:35 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2006/09/18 16:37:24 | 000,000,761 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\4.3.0.5\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\4.3.0.5\ipsbho.dll (Symantec Corporation)
O2 - BHO: (MSN Toolbar BHO) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll (Microsoft Corporation)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\4.3.0.5\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\Program Files (x86)\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\4.3.0.5\coieplg.dll (Symantec Corporation)
O4:64bit: - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4:64bit: - HKLM..\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [NvMediaCenter] C:\Windows\SysNative\NvMcTray.DLL (NVIDIA Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Windows\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [KBD] C:\hp\KBD\KbdStub.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O18:64bit: - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - Reg Error: Key error. File not found
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18:64bit: - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\clouds.jpg
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\clouds.jpg
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{fc0c662f-ae28-11df-b3b2-001fc6dbd5a5}\Shell - "" = AutoRun
O33 - MountPoints2\{fc0c662f-ae28-11df-b3b2-001fc6dbd5a5}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*


Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3acm - C:\WINDOWS\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3codecp - C:\Windows\SysWow64\l3codecp.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2010/11/30 17:59:52 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Users\Jon\Desktop\OTL.exe
[2010/11/29 20:18:35 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2010/11/29 20:17:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Carbonite
[2010/11/29 20:17:05 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2010/11/29 20:17:05 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2010/11/29 20:17:05 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2010/11/18 21:32:32 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/11/18 21:32:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010/11/18 21:27:31 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Jon\Desktop\mbam-setup.exe
[2010/11/11 20:17:19 | 000,000,000 | ---D | C] -- C:\Program Files\Defraggler
[2010/11/08 19:34:39 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/11/01 16:01:48 | 001,927,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\gameux.dll
[2010/11/01 16:01:48 | 001,696,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\gameux.dll
[2010/11/01 16:01:47 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\GameUXLegacyGDFs.dll
[2010/11/01 16:01:47 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\SysNative\GameUXLegacyGDFs.dll
[2010/11/01 16:01:47 | 000,032,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\Apphlpdm.dll
[2010/11/01 16:01:47 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\Apphlpdm.dll

========== Files - Modified Within 30 Days ==========

[2010/11/30 19:51:38 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/11/30 19:51:38 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/11/30 19:28:01 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/30 18:04:37 | 000,703,388 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/11/30 18:04:37 | 000,604,264 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/11/30 18:04:37 | 000,103,964 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/11/30 18:00:08 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\Jon\Desktop\OTL.exe
[2010/11/30 17:51:55 | 000,052,449 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/11/30 17:51:55 | 000,052,449 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/11/30 17:51:39 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/30 17:51:34 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/11/18 21:32:34 | 000,000,810 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/18 21:27:32 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Jon\Desktop\mbam-setup.exe
[2010/11/18 21:09:17 | 000,296,448 | ---- | M] () -- C:\Users\Jon\Desktop\o8krxcdm.exe
[2010/11/17 21:07:25 | 000,288,107 | ---- | M] () -- C:\Users\Jon\Desktop\gmer.zip
[2010/11/17 21:00:17 | 000,000,000 | ---- | M] () -- C:\Users\Jon\defogger_reenable
[2010/11/17 20:59:34 | 000,050,477 | ---- | M] () -- C:\Users\Jon\Desktop\Defogger.exe
[2010/11/16 21:03:53 | 000,098,956 | ---- | M] () -- C:\Users\Jon\Desktop\Symantec_Internet_Threat_Meter.gadget
[2010/11/11 20:17:19 | 000,001,674 | ---- | M] () -- C:\Users\Public\Desktop\Defraggler.lnk
[2010/11/08 19:34:39 | 000,000,772 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk

========== Files Created - No Company Name ==========

[2010/11/18 21:32:34 | 000,000,810 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/18 21:09:14 | 000,296,448 | ---- | C] () -- C:\Users\Jon\Desktop\o8krxcdm.exe
[2010/11/17 21:07:23 | 000,288,107 | ---- | C] () -- C:\Users\Jon\Desktop\gmer.zip
[2010/11/17 21:00:17 | 000,000,000 | ---- | C] () -- C:\Users\Jon\defogger_reenable
[2010/11/17 20:59:34 | 000,050,477 | ---- | C] () -- C:\Users\Jon\Desktop\Defogger.exe
[2010/11/16 21:03:48 | 000,098,956 | ---- | C] () -- C:\Users\Jon\Desktop\Symantec_Internet_Threat_Meter.gadget
[2010/11/11 20:17:19 | 000,001,674 | ---- | C] () -- C:\Users\Public\Desktop\Defraggler.lnk
[2010/11/08 19:34:39 | 000,000,772 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2010/06/12 14:56:28 | 000,012,718 | ---- | C] () -- C:\Users\Jon\AppData\Local\dd_vcredistUI1863.txt
[2010/06/12 14:56:20 | 000,012,718 | ---- | C] () -- C:\Users\Jon\AppData\Local\dd_vcredistUI1849.txt
[2010/02/27 20:34:47 | 000,419,822 | ---- | C] () -- C:\Users\Jon\AppData\Local\dd_vcredistMSI0F59.txt
[2010/02/27 20:34:46 | 000,011,372 | ---- | C] () -- C:\Users\Jon\AppData\Local\dd_vcredistUI0F59.txt
[2009/12/08 20:41:11 | 000,052,449 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/12/08 20:41:11 | 000,052,449 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/11/05 19:31:36 | 000,004,608 | ---- | C] () -- C:\Users\Jon\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/26 19:38:54 | 000,002,047 | ---- | C] () -- C:\ProgramData\hpzinstall.log
[2009/08/24 20:24:19 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll
[2009/08/24 20:23:46 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/08/22 18:10:15 | 000,521,826 | ---- | C] () -- C:\Users\Jon\AppData\Local\dd_ATL80SP1_KB973923MSI719B.txt
[2009/08/22 18:10:15 | 000,011,680 | ---- | C] () -- C:\Users\Jon\AppData\Local\dd_ATL80SP1_KB973923UI719B.txt
[2009/08/22 18:10:05 | 000,521,678 | ---- | C] () -- C:\Users\Jon\AppData\Local\dd_ATL80SP1_KB973923MSI7177.txt
[2009/08/22 18:10:04 | 000,011,696 | ---- | C] () -- C:\Users\Jon\AppData\Local\dd_ATL80SP1_KB973923UI7177.txt
[2009/08/22 17:24:00 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2008/05/14 02:12:25 | 000,327,680 | ---- | C] () -- C:\Windows\SysWow64\pythoncom25.dll
[2008/05/14 02:12:25 | 000,102,400 | ---- | C] () -- C:\Windows\SysWow64\pywintypes25.dll
[2008/01/20 21:50:05 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\SysWow64\OUTLPERF.INI

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2009/04/11 01:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
[2008/05/14 03:04:59 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2009/10/13 18:33:27 | 000,000,125 | ---- | M] () -- C:\FINIS_IT.TXT
[2006/12/02 01:37:14 | 000,904,704 | ---- | M] (Microsoft Corporation) -- C:\msdia80.dll
[2010/11/30 17:51:26 | 312,885,247 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\*. /mp /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

< >

< End of report >

OTL Extras logfile created on: 11/30/2010 8:04:15 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Users\Jon\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18975)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 48.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 584.95 Gb Total Space | 456.63 Gb Free Space | 78.06% Space Free | Partition Type: NTFS
Drive D: | 11.21 Gb Total Space | 1.05 Gb Free Space | 9.37% Space Free | Partition Type: NTFS

Computer Name: JON-PC | User Name: Jon | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\System32\ieframe.DLL (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"UacDisableNotify" = 0
"InternetSettingsDisableNotify" = 0
"AutoUpdateDisableNotify" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = 9F 9E 16 8C DC 5B C8 01 [binary data]
"VistaSp2" = C1 7A 40 FF E1 25 CA 01 [binary data]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av" = 1

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{163F0F42-D604-4724-A1BF-7BF316DA889B}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqkygrp.exe |
"{18394945-552B-4B31-91DF-CA97AF9C239F}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hposid01.exe |
"{19516ACC-9A94-4786-9735-1F7B626DF744}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpiscnapp.exe |
"{26036CEE-DEF1-4DA0-9093-2C9A9BEB7D6D}" = dir=in | app=c:\program files (x86)\cyberlink\powerdirector\pdr.exe |
"{3AD92A87-0FAC-4508-9D80-8ABC4341EA96}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqgplgtupl.exe |
"{4E976EBA-72A3-476D-976C-6CE91D7CCF52}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqste08.exe |
"{5B268FA7-54DD-48AF-B756-3A0AA87E50BE}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqsudi.exe |
"{5BB0C2CC-C3A6-4CC9-B540-AF3563D5E0C0}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqgpc01.exe |
"{5FE40D27-65CE-411F-B80B-2225E0D79807}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqtra08.exe |
"{7583B22D-F4C5-433D-BD85-E2D911DB382F}" = dir=in | app=c:\program files (x86)\common files\hp\digital imaging\bin\hpqphotocrm.exe |
"{84D0FCBB-10A5-4CE7-BBFB-BF9AE6A2165D}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqcopy2.exe |
"{8803ED95-0BF9-4A26-B9CB-FBC43997122B}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqpsapp.exe |
"{DF914A3E-82E3-41D3-9F6B-26710D5CB6C6}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqpse.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{14E10342-F2B4-41f7-B955-F5C7BE8BC1FF}" = Autodesk Inventor View 2010 English Language Pack
"{5783F2D7-8005-0409-0102-0060B0CE6BBA}" = AutoCAD Mechanical 2010
"{5783F2D7-8005-0409-1102-0060B0CE6BBA}" = AutoCAD Mechanical 2010 Language Pack - English
"{5783F2D7-8028-0409-0100-0060B0CE6BBA}" = DWG TrueView 2010
"{5EC22191-8A56-4e02-8F20-29A9C2EB0771}" = Autodesk Vault 2010 (Client) English Language Pack
"{62E86312-9CF7-4A96-9F9E-261C3A4CC20A}" = Autodesk Inventor View 2010
"{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{78F697ED-EC97-4D8D-881D-838984EA9855}" = 64 Bit HP CIO Components Installer
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{86732AE7-CB91-4f15-B091-FBA3D3926CD6}" = HP Photosmart C4400 All-In-One Driver Software 11.0 Rel .3
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{98754D03-0B21-4d4a-9B89-93A2828AE26B}" = Autodesk Vault 2010 (Client)
"{9B48B0AC-C813-4174-9042-476A887592C7}" = Windows Live ID Sign-in Assistant
"{A7D48BF6-8ED8-4B91-8267-34CDE7807D05}_is1" = HP Demo
"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{EE936C7A-EA40-31D5-9B65-8E3E089C3828}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"AutoCAD Mechanical 2010" = AutoCAD Mechanical 2010
"Autodesk Inventor View 2010" = Autodesk Inventor View 2010
"CCleaner" = CCleaner
"CNXT_MODEM_PCI_HSF" = PCIe Soft Data Fax Modem with SmartCP
"Defraggler" = Defraggler
"DWG TrueView 2010" = DWG TrueView 2010
"HP Imaging Device Functions" = HP Imaging Device Functions 11.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"HPExtendedCapabilities" = HP Customer Participation Program 11.0
"HPOCR" = OCR Software by I.R.I.S. 11.0
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"OfficeTrial" = Microsoft Office Home and Student 60 day trial

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0289B35E-DC07-4c7a-9710-BBD686EA4B7D}" = Status
"{06E6E30D-B498-442F-A943-07DE41D7F785}" = Microsoft Search Enhancement Pack
"{08234a0d-cf39-4dca-99f0-0c5cb496da81}" = MSN Toolbar
"{0915B10F-8597-4FE7-BC4D-EA3E2FDA646A}" = PS_AIO_03_C4400_Software_Min
"{0A2C5854-557E-48C8-835A-3B9F074BDCAA}" = Python 2.5
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YouTube Downloader 2.6.1
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite Deluxe
"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library
"{2656D0AB-9EA4-4C58-A117-635F3CED8B93}" = Microsoft UI Engine
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 22
"{276E3ECB-E9E9-494E-A3F9-173BAD7D9643}" = C4400
"{2EA45803-BEB7-46C4-9ADC-46A5F9E7BB77}" = GEAR driver installer for x86 and x64
"{305D4B08-5807-4475-B1C8-D54685534864}" = LightScribeTemplateLabeler
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3700194C-C5DD-439A-BE06-A66960CA4C70}" = MSVCSetup
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A3D0CF8-60FF-4CEF-91A4-A1F001424602}" = DocProc
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{4CC59DA1-469B-49A5-9F6B-C4D26990294A}" = PS_AIO_03_C4400_ProductContext
"{4E7C28C7-D5DA-4E9F-A1CA-60490B54AE35}" = UnloadSupport
"{55979C41-7D6A-49CC-B591-64AC1BBE2C8B}" = HP Picasso Media Center Add-In
"{55D9E026-DCB0-46FF-B60A-68B972228CF6}" = Autodesk Design Review 2010
"{5A3FEF2D-0E14-412E-869C-421AB373EE43}" = C4400_Help
"{61BEA823-ECAF-49F1-8378-A59B3B8AD247}" = Microsoft Default Manager
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{70E1E357-E57C-4284-B04E-58196DC27BC1}" = PanoStandAlone
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73A43E42-3658-4DD9-8551-FACDA3632538}" = HP Advisor
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{787D1A33-A97B-4245-87C0-7174609A540C}" = HP Update
"{7F10292C-A190-4176-A665-A1ED3478DF86}" = LightScribe System Software
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ACECB7C-5EB2-42B3-A2E1-B91878B6C5D7}" = PS_AIO_03_C4400_Software
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91E30409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9C2D4047-0E40-499a-AC7A-C4B9BB12FE03}" = TrayApp
"{9DBA770F-BF73-4D39-B1DF-6035D95268FC}" = HP Customer Feedback
"{9F4EE72A-C5C9-42ad-ABEF-427690843577}" = MarketResearch
"{A65F7CF8-6F76-40CE-B44D-D5A89D9881C7}" = MSN Toolbar Platform
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA2E8A46-B45E-4aea-8A23-88AB57D04523}" = WebReg
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.5
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{BF08AB1C-3357-4f20-A200-8EBB8EF27C59}" = BufferChm
"{C27C82E4-9C53-4D76-9ED3-A01A3D5EE679}" = HP Customer Experience Enhancements
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"{C89B5E3A-690F-4CEE-909A-BF869E198B0A}" = Scan
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector
"{CB84F0F2-927B-458D-9DC5-87832E3DC653}" = GearDrvs
"{D16B4BE6-8B10-422f-8034-96D1CA9483B5}" = GPBaseService
"{E0810CC2-4B5B-4439-B1D0-452306AF2D64}" = HP Active Support Library
"{E133E97F-5186-4503-BEC8-752EB9E8EBD7}" = Copy
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E96B0085-6659-486b-A221-5042A042728D}" = Toolbox
"{EF1ADA5A-0B1A-4662-8C55-7475A61D8B65}" = DeviceDiscovery
"{EF9E56EE-0243-4BAD-88F4-5E7508AA7D96}" = Destination Component
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F413B69D-4AD6-42AB-AEA5-0548989FAD50}" = Norton 360
"{FA3B34BE-4246-4062-90A3-34CBBEA12B72}" = HPTCSSetup
"{FDDB69BB-2F9A-4830-A579-ABBB7C5AF9A8}" = muvee autoProducer 6.1
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Autodesk Design Review 2010" = Autodesk Design Review 2010
"Autodesk Vault 2010 (Client)" = Autodesk Vault 2010 (Client)
"ESET Online Scanner" = ESET Online Scanner v3
"HijackThis" = HijackThis 2.0.2
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"N360" = Norton 360
"NSS" = Norton Security Scan
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"PC-Doctor 5 for Windows" = Hardware Diagnostic Tools
"Verizon Online DSL_is1" = Verizon Online DSL
"WildTangent hp Master Uninstall" = My HP Games
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Software Update" = Yahoo! Software Update
"YInstHelper" = Yahoo! Install Manager

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/19/2010 7:20:58 PM | Computer Name = Jon-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 11/19/2010 7:22:14 PM | Computer Name = Jon-PC | Source = WinMgmt | ID = 10
Description =

Error - 11/22/2010 9:49:01 PM | Computer Name = Jon-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 11/22/2010 9:49:57 PM | Computer Name = Jon-PC | Source = WinMgmt | ID = 10
Description =

Error - 11/29/2010 9:05:25 PM | Computer Name = Jon-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 11/29/2010 9:06:25 PM | Computer Name = Jon-PC | Source = WinMgmt | ID = 10
Description =

Error - 11/29/2010 9:27:03 PM | Computer Name = Jon-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 11/29/2010 9:27:54 PM | Computer Name = Jon-PC | Source = WinMgmt | ID = 10
Description =

Error - 11/30/2010 6:52:01 PM | Computer Name = Jon-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 11/30/2010 6:53:10 PM | Computer Name = Jon-PC | Source = WinMgmt | ID = 10
Description =

[ System Events ]
Error - 2/8/2010 10:03:50 AM | Computer Name = Jon-PC | Source = Service Control Manager | ID = 7022
Description =

Error - 2/8/2010 5:11:36 PM | Computer Name = Jon-PC | Source = Service Control Manager | ID = 7022
Description =

Error - 2/8/2010 8:34:25 PM | Computer Name = Jon-PC | Source = Service Control Manager | ID = 7022
Description =

Error - 2/9/2010 9:59:09 AM | Computer Name = Jon-PC | Source = Service Control Manager | ID = 7022
Description =

Error - 2/13/2010 2:45:13 PM | Computer Name = Jon-PC | Source = Service Control Manager | ID = 7022
Description =

Error - 2/14/2010 4:21:06 PM | Computer Name = Jon-PC | Source = Service Control Manager | ID = 7022
Description =

Error - 2/14/2010 4:25:52 PM | Computer Name = Jon-PC | Source = DCOM | ID = 10016
Description =

Error - 2/14/2010 4:39:15 PM | Computer Name = Jon-PC | Source = DCOM | ID = 10016
Description =

Error - 2/14/2010 4:39:19 PM | Computer Name = Jon-PC | Source = DCOM | ID = 10016
Description =

Error - 2/14/2010 4:39:22 PM | Computer Name = Jon-PC | Source = DCOM | ID = 10016
Description =


< End of report >

#6 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:12:28 AM

Posted 01 December 2010 - 02:52 PM

Hi again compuhelp32!!.. :)

The OTL logfile looks ok to me - no malware entries... I'll ask you to run a quick (some sort of) cleanup script with it, though... Post the ESET online scan results once it's finished...

I guess your computer may not be the source of the problem with an unauthorized charge on your account card... That's all I can say with the information I have...
There is only one possibility I can think of, looking over your logs... Have you experienced any strange redirects or fake phishing-like sites??.. I see you may be using a router - if yes, there is a small possibility that DNS settings on it have been changed... Do you know how to check that??.. With DNS settings altered, you may not even notice you're on a fake, phishing site...

Please run the script below, and post the ESET online scan results for me to see...

Please run OTL.exe.
  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    O4 - HKLM..\Run: [] File not found
    O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
    :Commands
    [EmptyTemp]
    [EMPTYFLASH]

  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
c18903e63196580f.gif
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#7 compuhelp32

compuhelp32
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:28 PM

Posted 01 December 2010 - 08:21 PM

This is the ESET scan.
I noticed yesterday that my printer has been disabled.
I will do OTL again as you suggested and post the results.
I do use a router, and no I don't know how to check the DNS settings.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=2647ce1504d2cc448ce9fc0238c83bb8
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-01 02:54:51
# local_time=2010-11-30 09:54:51 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 30833364 30833364 0 0
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=3589 16777213 100 82 4835184 54446553 0 0
# compatibility_mode=5892 16776573 100 56 0 127766964 0 0
# compatibility_mode=8192 67108863 100 0 29038753 29038753 0 0
# scanned=199803
# found=0
# cleaned=0
# scan_time=3832

#8 compuhelp32

compuhelp32
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:28 PM

Posted 01 December 2010 - 08:35 PM

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp\ deleted successfully.
File Protocol\Handler\msdaipp - No CLSID value found not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Jon
->Temp folder emptied: 1718 bytes
->Temporary Internet Files folder emptied: 9613607 bytes
->Java cache emptied: 38384880 bytes
->Flash cache emptied: 10848 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 6851 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 1262402 bytes

Total Files Cleaned = 47.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Jon
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.17.3 log created on 12012010_202349

Files\Folders moved on Reboot...
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WNPM8OUF\80475_eBay_Q4_2010_HolidayD_DailyDeal_728x90[1].html moved successfully.
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WNPM8OUF\ads[1].txt moved successfully.
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WNPM8OUF\clk[1].htm moved successfully.
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WNPM8OUF\clk[2].htm moved successfully.
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WNPM8OUF\iframe3[1].htm moved successfully.
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WNPM8OUF\iframe3[2].htm moved successfully.
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WNPM8OUF\page__pid__2039953[1].txt moved successfully.
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WNPM8OUF\st[1] moved successfully.
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WNPM8OUF\st[2] moved successfully.
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WNPM8OUF\st[3] moved successfully.
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WNPM8OUF\st[4] moved successfully.
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WNPM8OUF\welcome[1].txt moved successfully.
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GZK6L14D\1436920[1].htm moved successfully.
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GZK6L14D\ads[2].txt moved successfully.
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GZK6L14D\data_sync[1].htm moved successfully.
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FAYK1PU0\clk[1].htm moved successfully.
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FAYK1PU0\data_sync[1].htm moved successfully.
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FAYK1PU0\iframe3[1].htm moved successfully.
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FAYK1PU0\iframe3[2].htm moved successfully.
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FAYK1PU0\inc_dec10;net=cm;u=,cm-68067590_1291252511,11cc8678218b931,none,;;sz=728x90;contx=none;dc=w;btg=;ord=0[1].htm moved successfully.
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FAYK1PU0\md[1].php moved successfully.
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FAYK1PU0\st[1] moved successfully.
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\05NCFB8B\click[1].htm moved successfully.
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Users\Jon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TJMBV8J8\syndication[1].jsp moved successfully.

Registry entries deleted on Reboot...

#9 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:12:28 AM

Posted 02 December 2010 - 06:58 AM

Hi again compuhelp32!!.. :)

I noticed yesterday that my printer has been disabled.

None of the scans performed earlier was invasive... I'd say it's a coincidence... What do you mean by saying it was disabled??.. Does it still work??..

I do use a router, and no I don't know how to check the DNS settings.

Ok... What is the manufacturer and model of your router??..
c18903e63196580f.gif
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#10 compuhelp32

compuhelp32
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:28 PM

Posted 02 December 2010 - 08:36 PM

The printer does work when I use my wifes laptop, but it does not work when I send a print from my desktop. It tells me the print job is paused, and when I try to restart it, it won't let me. Maybe I should re-install the driver?

I found information about my router. It is a Westell Versalink 327W. The info I have talks about setting a password. It appears the username & password are not admin & password, so they must have been changed but I did not change them. Maybe a Verizon tech did when I set the system up. It tells me to reset the router by holding the reset button for 30 seconds. Should I do that?

Thanks for all your help!

#11 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:12:28 AM

Posted 03 December 2010 - 12:09 PM

Hi again compuhelp32!!.. :)

Maybe I should re-install the driver?

No idea why it doesn't work... :huh: Yes, please re-install the Driver and let me know if it solves the issue...

It tells me to reset the router by holding the reset button for 30 seconds. Should I do that?

No, that's not necessary - if there is a non-standard username & password set, it's rather unlikely malware was able to hijack a router... Anyway, we should be able to find out the DNS settings by running the batch below:

Open Notepad and copy and paste next present in the quotebox:

@echo off
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
start Log1.txt

Save this as look.bat , choose to save as *all files and place it on your Desktop.
It should look like this: Posted Image
Right-click on it, and choose: Run as administrator... A Notepad should open.
Copy and paste the contents of it in your next reply.

No harm checking if we have the possibility!


Ok, afterwards, please update outdated programs (with security vulnerabilities) on your machine:

- Adobe Acrobat Reader:

You're using an old version of Adobe Acrobat Reader, this can leave your PC open to vulnerabilities, you can update it here (uninstall version 8.2.5 first):
http://www.adobe.com/products/acrobat/readstep2.html

- Adobe Shockwave Player:

Go to that site: Test Adobe Shockwave Player - if it says you have a version of the player below 11.5.9.615, please uninstall your current version from Start -> Control Panel -> Programs and Features... You can install the newest version then, if you want, from here: Adobe Shockwave Player

- Adobe Flash Player:

To make sure you have the latest version of Adobe Flash Player installed:
1. To uninstall an older version, download this file to your Desktop: uninstall_flash_player.exe
2. Quit ALL running applications, including all Internet Explorer or other browser windows, and messenger applications (like AOL Instant Messenger, Yahoo Messenger, MSN Messenger.
3. Double-click on the file you've downloaded to uninstall Flash.
4. If uninstalled successfully, go to this site: Install Adobe Flash Player, and choose Agree and install now. This will install the newest version of Flash for your browser (note: Flash plugins for IE and Firefox must be installed separately).
Note: I recommend you uncheck an optional install (Free McAfee Security Scan or Free Google Toolbar).
c18903e63196580f.gif
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#12 compuhelp32

compuhelp32
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:28 PM

Posted 03 December 2010 - 07:57 PM

Windows IP Configuration

Host Name . . . . . . . . . . . . : Jon-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : myhome.westell.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : myhome.westell.com
Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) Family PCI-E GBE NIC
Physical Address. . . . . . . . . : 00-1F-C6-DB-D5-A5
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::99fc:7cc9:5e86:ec6b%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.46(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, December 03, 2010 7:34:11 PM
Lease Expires . . . . . . . . . . : Saturday, December 04, 2010 7:34:11 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 251666374
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-10-19-46-2D-00-1F-C6-8A-40-06
DNS Servers . . . . . . . . . . . : 192.168.1.1
192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : myhome.westell.com
Description . . . . . . . . . . . : isatap.myhome.westell.com
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: dslrouter
Address: 192.168.1.1

Name: google.com
Address: 173.194.35.104

Server: dslrouter
Address: 192.168.1.1

Name: yahoo.com
Addresses: 98.137.149.56
209.191.122.70
67.195.160.76
69.147.125.65
72.30.2.43



Pinging google.com [173.194.35.104] with 32 bytes of data:

Reply from 173.194.35.104: bytes=32 time=42ms TTL=52

Reply from 173.194.35.104: bytes=32 time=41ms TTL=52



Ping statistics for 173.194.35.104:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 41ms, Maximum = 42ms, Average = 41ms



Pinging yahoo.com [98.137.149.56] with 32 bytes of data:

Reply from 98.137.149.56: bytes=32 time=126ms TTL=53

Reply from 98.137.149.56: bytes=32 time=132ms TTL=53



Ping statistics for 98.137.149.56:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 126ms, Maximum = 132ms, Average = 129ms

===========================================================================
Interface List
10 ...00 1f c6 db d5 a5 ...... Realtek RTL8168C(P)/8111C(P) Family PCI-E GBE NIC
1 ........................... Software Loopback Interface 1
12 ...00 00 00 00 00 00 00 e0 isatap.myhome.westell.com
11 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.46 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.46 276
192.168.1.46 255.255.255.255 On-link 192.168.1.46 276
192.168.1.255 255.255.255.255 On-link 192.168.1.46 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.46 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.46 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
10 276 fe80::/64 On-link
10 276 fe80::99fc:7cc9:5e86:ec6b/128
On-link
1 306 ff00::/8 On-link
10 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

#13 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:12:28 AM

Posted 04 December 2010 - 02:40 PM

Hi again compuhelp32!!.. :)

Logs look ok to me... If no problem remains, please do the following:

Firstly,
To remove all of the tools we used and the files and folders they created do the following:
Double click OTL.exe.
  • Click the CleanUp button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Secondly,
Please set a new Restore Point to prevent infection from any previous Restore Points.
The easiest and safest way to do this is:
  • Open Control Panel (Start --> Control Panel) and double-click the System icon.
  • Click on the System Protection link on the left. If an UAC (User Account Control) prompt appears, click Continue. Close the System window.
  • Make sure that you have System Protection turned on for your System drive (usually C:\):
    • In Windows 7: On under Protection,
    • In Windows Vista: a box on the left will be checked.
  • Click on the Create button. Give the restore point a name, and click Create. Wait till the new system restore point is created, and click Close.
  • Then go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you desire (usually C:\).
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one. More details and screenshots for Disk Cleanup in Windows Vista can be found here and for Windows 7 here.
You can check my site - snemelk.hekko.pl:
A few steps to make your web browsing safer :thumbup2:

Also, I recommend you to read Grinler's excellent article: How did I get infected?, With steps so it does not happen again!
c18903e63196580f.gif
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#14 compuhelp32

compuhelp32
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:05:28 PM

Posted 05 December 2010 - 09:31 PM

Thanks I installed the new Adobe and I reinstalled the printer driver and now it works again.
I will read the articles.

#15 snemelk

snemelk

    inżynier


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:12:28 AM

Posted 06 December 2010 - 08:36 AM

Glad we could help. :)

If you need this topic reopened, just send me a PM (Send message from my profile) with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
c18903e63196580f.gif
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users