Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Need virus help. Combofix has detected a rootkit.


  • This topic is locked This topic is locked
15 replies to this topic

#1 wentreefgirl

wentreefgirl

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:20 PM

Posted 04 May 2011 - 06:32 AM

Recieved computer from cousin complete with virus. I tried to remove. WOuldnt leave. Formatted computer but looks like some of the files remain including virus. Combofix keeps telling me there is a rootkit present. Please help. Ive done combofix. Trend micro rootkit remover. smithfraud fix. Bit defender online scan. We were having a problem with my antivirus not updating itself and had to do manually due to warning message many times a day.Thinking it was the virus but not sure. That has since stopped but still finding rootkit is present. Here is my hijack this and last combofix.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:17:08, on 5/4/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\karen went\My Documents\Downloads\HijackThis (1).exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110327225510.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: MOBCleanup - Unknown owner - C:\WINDOWS\TEMP\MOBCleanup.exe (file missing)
O23 - Service: McAfee Online Backup (MOBKbackup) - McAfee, Inc. - C:\Program Files\McAfee Online Backup\MOBKbackup.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

--
End of file - 4948 bytes


ComboFix 11-05-03.04 - karen went 05/04/2011 18:51:26.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.639 [GMT -4:00]
Running from: c:\documents and settings\karen went\My Documents\Downloads\ComboFix.exe
Command switches used :: /f
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2011-04-04 to 2011-05-04 )))))))))))))))))))))))))))))))
.
.
2011-05-03 22:25 . 2011-05-03 22:25 56400 ----a-w- c:\windows\system32\drivers\tmrkb.sys
2011-05-03 22:25 . 2011-05-03 22:25 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-05-03 22:25 . 2011-05-03 22:25 -------- d-----w- c:\documents and settings\karen went\log
2011-05-02 09:52 . 2011-05-02 09:57 1292 ----a-w- c:\windows\system32\tmp.reg
2011-05-02 09:51 . 2009-06-02 15:17 75776 ----a-w- c:\windows\system32\WS2Fix.exe
2011-05-02 09:51 . 2008-12-12 05:57 78336 ----a-w- c:\windows\system32\Agent.OMZ.Fix.exe
2011-05-02 09:51 . 2008-11-29 22:58 82944 ----a-w- c:\windows\system32\IEDFix.C.exe
2011-05-02 09:51 . 2008-10-01 19:51 87552 ----a-w- c:\windows\system32\VACFix.exe
2011-05-02 09:51 . 2008-09-20 16:45 80384 ----a-w- c:\windows\system32\o4Patch.exe
2011-05-02 09:51 . 2008-08-18 16:19 82432 ----a-w- c:\windows\system32\404Fix.exe
2011-05-02 09:51 . 2008-05-19 01:40 82944 ----a-w- c:\windows\system32\IEDFix.exe
2011-05-02 09:51 . 2007-09-06 04:22 289144 ----a-w- c:\windows\system32\VCCLSID.exe
2011-05-02 09:51 . 2006-04-27 21:49 288417 ----a-w- c:\windows\system32\SrchSTS.exe
2011-05-02 09:51 . 2004-07-31 22:50 51200 ----a-w- c:\windows\system32\dumphive.exe
2011-04-26 22:14 . 2011-04-26 22:14 -------- d-----w- c:\documents and settings\qerim iljazi\Application Data\Malwarebytes
2011-04-25 22:11 . 2011-04-25 22:11 -------- d-----w- c:\documents and settings\qerim iljazi\Application Data\SUPERAntiSpyware.com
2011-04-25 13:16 . 2011-04-25 13:16 -------- d-----w- c:\documents and settings\karen went\Application Data\Malwarebytes
2011-04-25 13:16 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-25 13:16 . 2011-04-25 13:16 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2011-04-25 13:16 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-25 11:25 . 2011-04-25 11:25 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2011-04-25 11:25 . 2011-04-25 11:25 -------- d-----w- c:\documents and settings\karen went\Application Data\SUPERAntiSpyware.com
2011-04-18 01:47 . 2011-04-18 01:47 -------- d-----w- c:\documents and settings\qerim iljazi\Application Data\McAfee
2011-04-17 02:05 . 2011-04-17 05:00 -------- d-sh--w- c:\documents and settings\karen went\UserData
2011-04-10 08:14 . 2008-04-13 18:45 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2011-03-27 03:02 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2006-02-28 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2006-02-28 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2006-02-28 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2006-02-28 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2011-03-27 03:47 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2006-02-28 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2006-02-28 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2006-02-28 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2006-02-28 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2006-02-28 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2007-10-07 00:59 . 2007-10-07 00:59 349272 -c--a-w- c:\program files\Silent Runners.vbs
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-25_12.51.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-04 22:44 . 2011-05-04 22:44 16384 c:\windows\Temp\Perflib_Perfdata_684.dat
+ 2011-03-27 03:14 . 2011-05-04 22:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2011-03-27 03:14 . 2011-04-25 11:19 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-05-03 10:07 . 2011-05-04 22:19 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2011-03-27 03:14 . 2011-04-25 11:19 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-03-27 04:17 . 2011-04-18 19:46 42181064 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 00:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 00:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 00:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-04-20 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
2001-08-20 19:07 40960 ----a-w- c:\windows\system32\Ati2mdxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4200 Series]
2005-03-08 08:00 98304 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIAEA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4200 Series (Copy 1)]
2005-03-08 08:00 98304 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIAEA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-03-27 02:04 136176 ----atw- c:\documents and settings\karen went\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McPvTray]
2009-11-17 15:15 670312 ----a-w- c:\program files\McAfee\Anti-Theft\McPvTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [11/17/2009 11:15 AM 63080]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [3/27/2011 10:54 PM 84072]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [3/27/2011 10:59 PM 54776]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/27/2011 10:54 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/27/2011 10:54 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/27/2011 10:54 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [3/27/2011 10:56 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [3/26/2011 11:30 PM 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [4/13/2010 9:11 PM 229688]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [3/27/2011 10:54 PM 55840]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [3/27/2011 10:54 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [3/27/2011 10:54 PM 88544]
S2 MOBCleanup;MOBCleanup;"c:\windows\TEMP\MOBCleanup.exe" --> c:\windows\TEMP\MOBCleanup.exe [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [3/27/2011 10:54 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/27/2011 10:54 PM 84264]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1532298954-1801674531-1003Core.job
- c:\documents and settings\karen went\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-27 02:04]
.
2011-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1532298954-1801674531-1003UA.job
- c:\documents and settings\karen went\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-27 02:04]
.
2011-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1532298954-1801674531-1004Core.job
- c:\documents and settings\qerim iljazi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-28 05:58]
.
2011-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1532298954-1801674531-1004UA.job
- c:\documents and settings\qerim iljazi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-28 05:58]
.
2011-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1532298954-1801674531-1005Core.job
- c:\documents and settings\arion went\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-29 22:26]
.
2011-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1532298954-1801674531-1005UA.job
- c:\documents and settings\arion went\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-29 22:26]
.
2011-04-16 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01]
.
2011-05-02 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01]
.
2011-04-28 c:\windows\Tasks\PC Health Advisor Defrag.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]
.
2011-05-03 c:\windows\Tasks\PC Health Advisor.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]
.
2011-04-25 c:\windows\Tasks\vtscheduletask.job
- c:\program files\McAfee\Supportability\MVT\MvtApp.exe [2011-04-17 18:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: internet
Trusted Zone: mcafee.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-04 19:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(864)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-05-04 19:11:23
ComboFix-quarantined-files.txt 2011-05-04 23:11
ComboFix2.txt 2011-05-02 23:46
ComboFix3.txt 2011-05-02 07:29
ComboFix4.txt 2011-04-25 12:56
ComboFix5.txt 2011-05-04 22:31
.
Pre-Run: 17,583,108,096 bytes free
Post-Run: 17,583,570,944 bytes free
.
- - End Of File - - D719499E4B99BF8465F1279E056BCCFD

Cant find the trend micro log for the rootkit remover. Hope you can help.

dds logs.

gmer thanks in advance.

Merged 2 posts from duplicate topic to here. ~ OB

Just wanted to let orange blossom know that I wasnt being impatient. I thought I posted to the wrong forum. There is a notation above that if im in the wrong forum either someone would move me or the post would stall. From what I read there is a difference between thinking I have a virus and knowing I have one and thought I should be on the forum with the knowing I have a virus.Not trying to start off on a bad note. :thumbup2:

EDIT: Posts merged ~Budapest

Attached Files


Edited by Budapest, 06 May 2011 - 05:15 PM.


BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:20 PM

Posted 12 May 2011 - 10:35 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about the Windows version you are using: What we in particular need to know is version, edition and if it is a 32bit or a 64bit system. [/b]
If you are unsure about any of these caracteristics, just let us know and we'll help you figuring it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    /md5stop
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:20 PM

Posted 12 May 2011 - 10:36 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about the Windows version you are using: What we in particular need to know is version, edition and if it is a 32bit or a 64bit system. [/b]
If you are unsure about any of these caracteristics, just let us know and we'll help you figuring it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    /md5stop
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+


#4 wentreefgirl

wentreefgirl
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:20 PM

Posted 12 May 2011 - 06:36 PM

This originally started in february when someone in the house clicked on a tab on the right of facebook and it downloaded a virus. It started with the fake antivirus and I thought it got removed until things started acting laggy. So I did a combofix and it removed something best casino something. Well it continued and got worse so I formatted the computer. But for some reason the old file are still accessable. Because it started again about a week after the format to get sluggish. Did another combofix and it says detected a rootkit now. Since then ive tried several things. Rootkit killer. eset. rootkit unhooker gives many things but need professionals to help with that so here we are. Stopped doing things since i posted so we could get a good idea of what is going. Before the eset the virus had my updates to the antivirus blocked. had to do manuallly. But after that they never gave the pop up warning for the updates.So i think something worked. But combofix still said rootkit. Windows xp professional. I think 32bit.

Edited by wentreefgirl, 12 May 2011 - 06:42 PM.


#5 wentreefgirl

wentreefgirl
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:20 PM

Posted 12 May 2011 - 06:48 PM

OTL logfile created on: 5/13/2011 7:29:07 AM - Run 3
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\karen went\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 730.00 Mb Available Physical Memory | 71.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 3000 3000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 15.41 Gb Free Space | 41.38% Space Free | Partition Type: NTFS

Computer Name: KARONIS-C985944 | User Name: karen went | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/08 11:08:58 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\karen went\Desktop\OTL.exe
PRC - [2011/05/06 16:19:43 | 001,011,768 | ---- | M] (Google Inc.) -- C:\Documents and Settings\karen went\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2011/01/17 16:15:32 | 001,193,848 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2011/01/17 16:15:32 | 001,155,768 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\MSC\mcupdmgr.exe
PRC - [2010/10/13 22:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
PRC - [2010/10/13 22:28:54 | 000,171,168 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
PRC - [2010/10/13 22:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2010/04/13 21:11:14 | 000,229,688 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe
PRC - [2010/03/10 14:41:24 | 000,180,888 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSM\McSmtFwk.exe
PRC - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2001/08/17 18:36:42 | 000,024,064 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\devldr32.exe


========== Modules (SafeList) ==========

MOD - [2011/05/08 11:08:58 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\karen went\Desktop\OTL.exe
MOD - [2011/03/09 16:54:14 | 000,018,176 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (MOBCleanup)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2010/10/13 22:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2010/10/13 22:28:54 | 000,171,168 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2010/10/13 22:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2010/10/07 20:34:28 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/04/13 21:11:14 | 000,229,688 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe -- (MOBKbackup)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)


========== Driver Services (SafeList) ==========

DRV - [2010/10/13 22:28:54 | 000,386,840 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/10/13 22:28:54 | 000,313,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2010/10/13 22:28:54 | 000,152,960 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/10/13 22:28:54 | 000,095,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/10/13 22:28:54 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2010/10/13 22:28:54 | 000,088,544 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2010/10/13 22:28:54 | 000,084,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/10/13 22:28:54 | 000,084,072 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2010/10/13 22:28:54 | 000,055,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/10/13 22:28:54 | 000,052,104 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2010/05/10 14:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/04/13 21:10:22 | 000,054,776 | ---- | M] (Mozy, Inc.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MOBK.sys -- (MOBKFilter)
DRV - [2010/02/17 14:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/11/17 11:15:28 | 000,063,080 | ---- | M] (McAfee) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\McPvDrv.sys -- (McPvDrv)
DRV - [2008/04/13 14:45:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2002/01/11 00:22:10 | 000,295,168 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtaa.sys -- (ati2mtaa)
DRV - [2001/08/17 09:28:02 | 000,907,456 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HCF_MSFT.sys -- (HCF_MSFT)
DRV - [2001/08/17 08:19:34 | 000,036,480 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sfmanm.sys -- (sfman) Creative SoundFont Manager Driver (WDM)
DRV - [2001/08/17 08:19:28 | 000,006,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctlfacem.sys -- (emu10k1) Creative Interface Manager Driver (WDM)
DRV - [2001/08/17 08:19:26 | 000,283,904 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emu10k1m.sys -- (emu10k) Creative SB Live! (WDM)
DRV - [2001/08/17 08:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk)
DRV - [2001/08/17 08:11:42 | 000,029,696 | ---- | M] (CNet Technology, Inc. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DM9PCI5.SYS -- (DM9102) DAVICOM 9102(A)
DRV - [2001/08/13 17:17:34 | 000,737,973 | ---- | M] (Conexant) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\winachcf.sys -- (Winachcf)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-1844237615-1532298954-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1844237615-1532298954-1801674531-1003\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-1844237615-1532298954-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/05/03 06:09:06 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/05/02 05:57:11 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\Mcafee\SystemCore\ScriptSn.20110327225510.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKU\S-1-5-21-1844237615-1532298954-1801674531-1003..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1844237615-1532298954-1801674531-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1844237615-1532298954-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1844237615-1532298954-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1844237615-1532298954-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKU\S-1-5-21-1844237615-1532298954-1801674531-1003\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-1844237615-1532298954-1801674531-1003\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-1844237615-1532298954-1801674531-1003\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\WINDOWS\Prairie Wind.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Prairie Wind.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/05/14 20:00:50 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

MsConfig - StartUpReg: ATIModeChange - hkey= - key= - File not found
MsConfig - StartUpReg: EPSON Stylus CX4200 Series - hkey= - key= - File not found
MsConfig - StartUpReg: EPSON Stylus CX4200 Series (Copy 1) - hkey= - key= - File not found
MsConfig - StartUpReg: Google Update - hkey= - key= - C:\Documents and Settings\karen went\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
MsConfig - StartUpReg: McPvTray - hkey= - key= - C:\Program Files\McAfee\Anti-Theft\McPvTray.exe (McAfee)

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: mcmscsvc - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SafeBootMin: MCODS - C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Shockwave Flash
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\INF\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: aux - C:\WINDOWS\System32\ctwdm32.dll (Creative Technology Ltd.)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2011/05/13 02:36:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\McAfee
[2011/05/12 18:58:17 | 000,099,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\srusd.dll
[2011/05/12 18:58:17 | 000,099,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srusd.dll
[2011/05/12 18:58:05 | 000,006,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\serscan.sys
[2011/05/12 18:57:51 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fnfilter.dll
[2011/05/12 18:57:51 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fnfilter.dll
[2011/05/12 18:28:34 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\karen went\Recent
[2011/05/11 18:43:19 | 000,000,000 | ---D | C] -- C:\Program Files\FileHippo.com
[2011/05/11 18:24:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\karen went\Desktop\TMRBLog
[2011/05/09 02:58:34 | 000,000,000 | R--D | C] -- C:\Documents and Settings\karen went\Start Menu\Programs\Administrative Tools
[2011/05/08 11:08:56 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\karen went\Desktop\OTL.exe
[2011/05/06 18:20:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\karen went\Desktop\log
[2011/05/05 08:55:45 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/05/04 18:24:25 | 002,486,352 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\karen went\Desktop\RootkitBuster.exe
[2011/05/03 18:27:04 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\karen went\Desktop\HijackThis (1).exe
[2011/05/03 18:25:53 | 000,190,032 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/05/03 18:25:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\karen went\log
[2011/05/02 11:02:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\Temp
[2011/05/02 05:51:08 | 000,289,144 | ---- | C] (S!Ri) -- C:\WINDOWS\System32\VCCLSID.exe
[2011/05/02 05:51:08 | 000,087,552 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\VACFix.exe
[2011/05/02 05:51:08 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\IEDFix.exe
[2011/05/02 05:51:08 | 000,082,944 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\IEDFix.C.exe
[2011/05/02 05:51:08 | 000,082,432 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\404Fix.exe
[2011/05/02 05:51:08 | 000,080,384 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\o4Patch.exe
[2011/05/02 05:51:08 | 000,078,336 | ---- | C] (S!Ri.URZ) -- C:\WINDOWS\System32\Agent.OMZ.Fix.exe
[2011/05/02 05:51:07 | 000,288,417 | ---- | C] (S!Ri) -- C:\WINDOWS\System32\SrchSTS.exe
[2011/04/25 09:16:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\karen went\Application Data\Malwarebytes
[2011/04/25 09:16:47 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/25 09:16:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/25 09:16:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
[2011/04/25 09:16:30 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/25 08:15:49 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/04/25 08:15:49 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/04/25 08:15:49 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/04/25 08:15:49 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/04/25 07:25:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\karen went\Application Data\SUPERAntiSpyware.com
[2011/04/25 07:25:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
[2011/04/25 07:24:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\SUPERAntiSpyware
[2011/04/17 00:13:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\karen went\Start Menu\Programs\McAfee
[2011/04/16 22:05:37 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\karen went\UserData
[2011/04/16 22:05:13 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\karen went\Cookies
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/13 07:36:00 | 000,000,998 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1532298954-1801674531-1005UA.job
[2011/05/13 07:23:42 | 000,013,742 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/13 07:14:00 | 000,001,002 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1532298954-1801674531-1003UA.job
[2011/05/13 07:08:01 | 000,001,006 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1532298954-1801674531-1004UA.job
[2011/05/13 06:08:01 | 000,000,954 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1532298954-1801674531-1004Core.job
[2011/05/13 04:14:00 | 000,000,950 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1532298954-1801674531-1003Core.job
[2011/05/13 03:36:04 | 000,000,946 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1532298954-1801674531-1005Core.job
[2011/05/13 02:36:47 | 000,001,595 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\McAfee Total Protection.lnk
[2011/05/13 02:34:51 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/13 02:34:48 | 1072,775,168 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/12 18:28:14 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\CCleaner.lnk
[2011/05/11 19:08:32 | 000,002,308 | ---- | M] () -- C:\Documents and Settings\karen went\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/05/11 19:08:29 | 000,002,330 | ---- | M] () -- C:\Documents and Settings\karen went\Desktop\Google Chrome.lnk
[2011/05/11 18:43:22 | 000,001,632 | ---- | M] () -- C:\Documents and Settings\karen went\Desktop\Update Checker.lnk
[2011/05/11 18:42:56 | 000,392,296 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/05/11 18:42:56 | 000,058,596 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/05/10 02:46:00 | 000,000,370 | ---- | M] () -- C:\WINDOWS\tasks\PC Health Advisor.job
[2011/05/09 00:01:00 | 000,000,430 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Update Version3.job
[2011/05/08 11:08:58 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\karen went\Desktop\OTL.exe
[2011/05/05 02:46:00 | 000,000,388 | ---- | M] () -- C:\WINDOWS\tasks\PC Health Advisor Defrag.job
[2011/05/03 18:27:04 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\karen went\Desktop\HijackThis (1).exe
[2011/05/03 18:25:53 | 000,190,032 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/05/02 07:20:55 | 000,000,184 | -HS- | M] () -- C:\WINDOWS\setup_9.0.0.722_02.05.2011_01-37drv.spi
[2011/05/02 05:57:21 | 000,001,292 | ---- | M] () -- C:\WINDOWS\System32\tmp.reg
[2011/05/02 05:57:11 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/04/29 18:45:34 | 000,123,080 | ---- | M] () -- C:\Documents and Settings\karen went\Desktop\BD_Official_5LQ.jpg
[2011/04/25 09:34:56 | 000,000,414 | ---- | M] () -- C:\WINDOWS\tasks\vtscheduletask.job
[2011/04/25 09:27:55 | 000,001,558 | ---- | M] () -- C:\Documents and Settings\karen went\Desktop\McAfee Virtual Technician.lnk
[2011/04/25 09:16:48 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/25 07:24:50 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/04/17 04:49:34 | 000,091,888 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/17 04:18:12 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/04/16 18:00:00 | 000,000,456 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration3.job
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/13 02:36:44 | 000,001,595 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\McAfee Total Protection.lnk
[2011/05/11 18:43:22 | 000,001,638 | ---- | C] () -- C:\Documents and Settings\karen went\Start Menu\Programs\Update Checker.lnk
[2011/05/11 18:43:21 | 000,001,632 | ---- | C] () -- C:\Documents and Settings\karen went\Desktop\Update Checker.lnk
[2011/05/02 07:20:54 | 000,000,184 | -HS- | C] () -- C:\WINDOWS\setup_9.0.0.722_02.05.2011_01-37drv.spi
[2011/05/02 05:52:56 | 000,001,292 | ---- | C] () -- C:\WINDOWS\System32\tmp.reg
[2011/05/02 05:51:08 | 000,075,776 | ---- | C] () -- C:\WINDOWS\System32\WS2Fix.exe
[2011/05/02 05:51:07 | 000,051,200 | ---- | C] () -- C:\WINDOWS\System32\dumphive.exe
[2011/04/29 18:45:43 | 000,123,080 | ---- | C] () -- C:\Documents and Settings\karen went\Desktop\BD_Official_5LQ.jpg
[2011/04/25 09:16:48 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/25 08:15:49 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/04/25 08:15:49 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/04/25 08:15:49 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/04/25 08:15:49 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/04/25 08:15:49 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/04/25 07:24:50 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/04/17 03:08:09 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2011/04/17 00:13:36 | 000,001,558 | ---- | C] () -- C:\Documents and Settings\karen went\Desktop\McAfee Virtual Technician.lnk
[2011/03/31 12:23:26 | 000,000,272 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2011/03/28 00:50:06 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\karen went\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/28 00:39:59 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2011/03/28 00:39:58 | 000,073,220 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2011/03/28 00:39:58 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2011/03/28 00:39:58 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2011/03/28 00:39:58 | 000,001,137 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2011/03/28 00:39:58 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2011/03/28 00:39:58 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2011/03/28 00:39:58 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2011/03/28 00:39:57 | 000,021,021 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2011/03/28 00:39:57 | 000,015,670 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2011/03/28 00:39:57 | 000,013,280 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2011/03/28 00:39:57 | 000,010,673 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2011/03/28 00:39:57 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2011/03/28 00:39:56 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat
[2011/03/28 00:39:56 | 000,029,114 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2011/03/28 00:39:56 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat
[2011/03/27 00:00:20 | 000,000,207 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2011/03/26 23:56:11 | 000,000,145 | ---- | C] () -- C:\WINDOWS\System32\EBPPORT.DAT
[2011/03/26 23:56:08 | 000,000,023 | ---- | C] () -- C:\WINDOWS\EPSC80.ini
[2011/03/26 23:11:36 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/03/26 23:01:22 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/03/26 16:49:20 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/03/26 16:47:23 | 000,091,888 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/10/06 20:59:07 | 000,349,272 | ---- | C] () -- C:\Program Files\Silent Runners.vbs
[2006/02/28 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/28 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/28 08:00:00 | 000,392,296 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/28 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/28 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/28 08:00:00 | 000,058,596 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/28 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/28 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/28 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/28 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/28 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2006/02/28 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2009/01/26 22:47:24 | 000,548,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWSXP-KB839017-X86-ENU-Symbols.EXE
[2009/01/26 22:47:24 | 000,553,240 | ---- | M] (Microsoft Corporation) -- C:\WindowsXP-KB839017-x86-ENU.EXE


< MD5 for: EXPLORER.EXE >
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\erdnt\cache\explorer.exe
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2006/02/28 08:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: WINLOGON.EXE >
[2011/03/28 00:46:13 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\Documents and Settings\karen went\My Documents\Downloads\Creative SB Live! Value (WDM) ac5d8d3ae167f70dc3fc365182288957\C7M_CN700_XPeSP2Image\WINDOWS\system32\winlogon.exe
[2006/02/28 08:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\erdnt\cache\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< End of report >
Missing the extra report. Didnt come up. Im redoing the scan in hopes it comes up.

#6 wentreefgirl

wentreefgirl
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:20 PM

Posted 12 May 2011 - 06:58 PM

It wont come up the extra report but here is an older one.


OTL Extras logfile created on: 5/8/2011 11:10:50 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\karen went\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 642.00 Mb Available Physical Memory | 63.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 3000 3000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 16.18 Gb Free Space | 43.45% Space Free | Partition Type: NTFS

Computer Name: KARONIS-C985944 | User Name: karen went | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"ANTIVIRUSDISABLENOTIFY" = 0
"FIREWALLDISABLENOTIFY" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" = C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{27C467F8-F8EF-4f68-BD72-D63632B2096C}" = McAfee Online Backup
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3CBF3EBB-235D-4c29-A68B-2BB1F428586E}" = ParetoLogic PC Health Advisor
"{624880EA-7610-47B6-B4A6-40DD83DB1AB4}" = McAfee Anti-Theft
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CFF4500E-C5D6-695D-A027-B3D4DDED2CC3}" = McAfee Online Backup
"Adobe AIR" = Adobe AIR
"ATI Display Driver" = ATI Display Driver
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"EPSON Printer and Utilities" = EPSON Printer Software
"EPSON Scanner" = EPSON Scan
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Virtual Technician" = McAfee Virtual Technician
"MSC" = McAfee Total Protection
"UIU__MODEM_PCI_VEN_14F1&DEV_1033&SUBSYS_020D13E0" = Conexant HCF V90 56K Data Fax PCI Modem
"Windows XP Service Pack" = Windows XP Service Pack 3

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1844237615-1532298954-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/4/2011 6:51:24 PM | Computer Name = KARONIS-C985944 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/4/2011 6:51:25 PM | Computer Name = KARONIS-C985944 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/4/2011 6:51:25 PM | Computer Name = KARONIS-C985944 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/4/2011 6:51:27 PM | Computer Name = KARONIS-C985944 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/4/2011 6:51:27 PM | Computer Name = KARONIS-C985944 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/4/2011 6:51:28 PM | Computer Name = KARONIS-C985944 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/4/2011 6:51:29 PM | Computer Name = KARONIS-C985944 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/4/2011 6:51:30 PM | Computer Name = KARONIS-C985944 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/4/2011 6:51:30 PM | Computer Name = KARONIS-C985944 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/6/2011 6:22:14 AM | Computer Name = KARONIS-C985944 | Source = Application Hang | ID = 1002
Description = Hanging application SUPERAntiSpyware.exe, version 4.52.0.1000, hang
module hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 4/10/2011 6:55:08 PM | Computer Name = KARONIS-C985944 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service SENS with arguments
"" in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}

Error - 4/10/2011 6:55:08 PM | Computer Name = KARONIS-C985944 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service SENS with arguments
"" in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}

Error - 4/10/2011 6:55:08 PM | Computer Name = KARONIS-C985944 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service SENS with arguments
"" in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}

Error - 4/10/2011 6:55:08 PM | Computer Name = KARONIS-C985944 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service SENS with arguments
"" in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}

Error - 4/10/2011 6:55:08 PM | Computer Name = KARONIS-C985944 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service SENS with arguments
"" in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}

Error - 4/10/2011 6:55:08 PM | Computer Name = KARONIS-C985944 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service SENS with arguments
"" in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}

Error - 4/10/2011 6:55:08 PM | Computer Name = KARONIS-C985944 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service SENS with arguments
"" in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}

Error - 4/10/2011 6:55:08 PM | Computer Name = KARONIS-C985944 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service SENS with arguments
"" in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}

Error - 4/10/2011 6:55:08 PM | Computer Name = KARONIS-C985944 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service SENS with arguments
"" in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}

Error - 4/10/2011 6:55:56 PM | Computer Name = KARONIS-C985944 | Source = Service Control Manager | ID = 7000
Description = The MOBCleanup service failed to start due to the following error:
%%3


< End of report >

#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:20 PM

Posted 14 May 2011 - 01:53 PM

Hi,

There will occasionally be false positives with the rootkit routine from ComboFix, in particular when McAfee is present.

ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please do not run Combofix on your own

Are there any other symptoms that make you think that you're infected?

reagrds myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+


#8 wentreefgirl

wentreefgirl
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:20 PM

Posted 14 May 2011 - 07:12 PM

Yes today the all day it ran sluggish. Then I pulled up task mgr too look at processes running, it had like eight iexporer.exe's and like 10 firefox's running. And I dont have firefox and rarely use internet explorer. I calmed down after i ended all the processes but ya, there is something still giving me problems. The hourglass is going intermittantly also. Also I thought when you do a format to the computer, its supposed to removed the bad guy? And the old files? Do you not see anything on the scans?

Edited by wentreefgirl, 14 May 2011 - 07:13 PM.


#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:20 PM

Posted 15 May 2011 - 03:51 AM

Hi,

please run a scan with aswMBR next:
Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

the log from OTL is clean, but there is not one tool that can see all infections, so we need to run several.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+


#10 wentreefgirl

wentreefgirl
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:20 PM

Posted 15 May 2011 - 10:30 AM

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-15 23:27:24
-----------------------------
23:27:24.218 OS Version: Windows 5.1.2600 Service Pack 3
23:27:24.218 Number of processors: 1 586 0x102
23:27:24.218 ComputerName: KARONIS-C985944 UserName: karen went
23:27:26.187 Initialize success
23:27:36.406 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
23:27:36.406 Disk 0 Vendor: Maxtor_5T040H4 TAH71DP0 Size: 38146MB BusType: 3
23:27:36.437 Disk 0 MBR read successfully
23:27:36.437 Disk 0 MBR scan
23:27:36.437 Disk 0 Windows XP default MBR code
23:27:36.453 Disk 0 scanning sectors +78108030
23:27:36.500 Disk 0 scanning C:\WINDOWS\system32\drivers
23:28:57.515 Service scanning
23:29:04.515 Disk 0 trace - called modules:
23:29:04.562 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys
23:29:04.562 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f95ab8]
23:29:04.562 3 CLASSPNP.SYS[f76affd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86fe9030]
23:29:04.562 Scan finished successfully
23:29:17.921 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\karen went\Desktop\MBR.dat"
23:29:18.000 The log file has been saved successfully to "C:\Documents and Settings\karen went\Desktop\aswMBR.txt"

#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:20 PM

Posted 15 May 2011 - 10:57 AM

Hi,

please run a scan with Malwarebytes too, but I'm not seeing an indication for amwlare at the moment:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+


#12 wentreefgirl

wentreefgirl
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:20 PM

Posted 16 May 2011 - 06:12 AM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6588

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/16/2011 7:07:50 PM
mbam-log-2011-05-16 (19-07-50).txt

Scan type: Quick scan
Objects scanned: 220385
Time elapsed: 25 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:20 PM

Posted 16 May 2011 - 01:58 PM

Hi,

your logs look clean have you experienced the multiple occurrences of iexplore and firefox again?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+


#14 wentreefgirl

wentreefgirl
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:01:20 PM

Posted 17 May 2011 - 05:12 PM

Looks to be few things running off the hook in process mgr. The big hang comes when mscorsvw.exe x2 comes up. Also mcshield.exe and other thats associated with mcafee i believe. Things are hard coming up after a boot. If log out of say my page and go into my childs page, it takes 5 minutes to do anything. I click on chrome and it takes 2 minutes to come up. I cant seem to get into safe mode either. Really wish I knew what was going on.

#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:20 PM

Posted 18 May 2011 - 04:35 PM

Hi,

I would suggest uninstalling and reinstalling McAfee and see if that helps. It's possible that the install got corrupted and is causing the slowdowns.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

animinionsmalltext.gif

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users