Receiving two errors from Google: "Unusual Traffic.." and "Cross-Site Scripting"


This topic is locked. 27 replies to this topic.

#1 Olive Oyl

  • Members
  • 17 posts

Posted 18 September 2011 - 03:29 PM

Hello Volunteer Geniuses, and thank you!

I am seeking help with two error messages I’ve received from Google, and I’ve detailed other things going on that might or might not be related. My concern is that my machine is infected with something I can’t discover using Norton 360 v.5, System Mechanic Pro 10.5, HijackThis and MalwareBytes.

Here are my machine’s specs:

PC Manufacturer Dell Computer Corporation
Model Dimension 8250
Motherboard Manufacturer Dell Computer Corp.
Product
CPU Intel® Pentium® 4 CPU 2.66GHz
Version x86 Family 15 Model 2 Stepping 7
Data Width 32bits
Approximate Current Clock Speed 2,652Mhz
Approximate Maximum Clock Speed 2,652Mhz
BIOS Default System BIOS
Date 1/27/2003
Version DELL - 8
Memory slots available on motherboard 4
Memory Chip RIMM1
RAM 256MB
Speed 400ns
Memory Chip RIMM2
RAM 256MB
Speed 400ns
Memory Chip RIMM3
RAM 256MB
Speed 400ns
Memory Chip RIMM4
RAM 256MB
Speed 400ns
Motherboard Device
Status Off
System Slot PCI1
Status Available
System Slot PCI2
Status Available
System Slot PCI3
Status Available
System Slot PCI4
Status Available
System Slot AGP1
Status In Use
CD Drive PIONEER DVD-RW DVR-109 (Currently dead, I suppose)
Media Type CD-ROM
CD Drive LITEON DVD-ROM LTD163 (Currently working or not working, as it sees fit)
Media Type CD-ROM
Video Manufacturer ATI Technologies Inc.
Video Card ALL-IN-WONDER 9600 SERIES
RAM 128MB
Mode 1024 x 768 x 4294967296 colors
Driver ati2dvag.dll
Date 2/21/2006
Version 6.14.10.6601
Video Manufacturer ATI Technologies Inc.
Video Card ALL-IN-WONDER 9600 SERIES - Secondary
RAM 128MB
Driver ati2dvag.dll
Date 2/21/2006
Version 6.14.10.6601
Hard Disk Model WDC WD1200JB-75CRA0
Interface IDE
Hard Disk Model ST350041 2AS USB Device
Interface USB
Network Adapter Intel® PRO/100 M Network Connection
Service Name E100B
Sound Manufacturer Creative Technology Ltd.
Model Creative SB Live! Series (WDM)
Sound Manufacturer Microsoft
Model Unimodem Half-Duplex Audio Device
Printer PDFCreator
Printer Microsoft XPS Document Writer
Printer CAPTURE FAX BVRP
Printer Brother MFC-8500
Web Site http://www.brother.com

Number of Logical CPUs Active 1
Microsoft Windows XP Professional
Patch Level Service Pack 3
Date Installed 3/26/2010
Country Code 1
OS System Language 1033
ANSI Code Page 1252
System Locale 0409
Internet Explorer Version 8.0.6001.18702
Windows Update Automatic
Latest Windows Hotfix Date 9/7/2011
Path C:\WINDOWS\system32;
C:\WINDOWS;
C:\WINDOWS\System32\Wbem;
C:\WINDOWS\system32\WindowsPowerShell\v1.0;
C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 3.5 Suite Deluxe;
C:\Program Files\Common Files\Ulead Systems\MPEG;
C:\Program Files\Common Files\Ulead Systems\DVD;
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;
C:\Program Files\Support Tools\;
C:\WINDOWS\system32\WindowsPowerShell\v1.0;
C:\Program Files\QuickTime\QTSystem\

OS User Language 1033

Page File Size 768MB
Page File Free 82%
Physical Memory Size 1,022MB
Physical Memory Free 20%
Disk Type Fixed Disk
Disk ID C
Total Disk Space 112GB
Free Disk Space 50.3GB
Disk Type Fixed Disk
Disk ID F
Total Disk Space 466GB
Free Disk Space 49.8GB

Here is the first error message:

"Unusual traffic from your computer network".

Note: Neither System Mechanic nor Norton 360 show any infections.

Malwarebytes considers changes that I understand are not really infections but are, instead, changes made by System Mechanic that I can ignore (See report text, below).

The report from Malwarebytes:

Broken.OpenCommand, Registry Data, HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default), Bad: (NOTEPAD.EXE %1) Good: ("%1" /S)

and:

Broken.OpenCommand, Registry Data, HKEY_CLASSES_ROOT\regfile\shell\open\command\(default), Bad: (NOTEPAD.EXE %1) Good: (regedit.exe"%1")

The second error message:

“Internet Explorer has modified this page to help prevent cross-site scripting. Click here for more information.”

Clicking yields this notice:

“How does Internet Explorer help protect me from cross-site scripting attacks?
Internet Explorer's Cross-Site Scripting (XSS) Filter can help prevent one website from adding script code to another website. XSS Filter watches how websites interact, and when it recognizes a potential attack, it will automatically block script code from running. When this happens, you will see a message in the Information bar letting you know that the webpage was modified to help protect your privacy and security.
If the modified webpage does not work properly, try going to the home page of the website and navigating to the webpage directly. If the page still does not work correctly, contact the website's administrator.”

In an effort to give you the best state-of-the-computer info, here are other most-likely unrelated details about things affecting the state of my dear, old computer (economic reality keeps me working to keep this baby going):

1. In mid July, my DVD-ROM conked out following a weird flashed-quickly message saying something like my mouse had been overloaded with signal – can’t find it in the logs. Immediately the drive conked. I took the entire computer apart, cleaned it, checked all connections, re-installed the DVD to no avail. Choosing the DVD from “My Computer” causes the system to freeze. Sometimes the system becomes unresponsive and I must hit the Kill button to start it over. The 2nd drive, DVD (not recorder), acts weird, too.

I regularly receive the (This one from 9/16/11) Event ID: 7036 “The IMAPI CD burning service entered the stopped state”, plus its fraternal twin: “… service has been started…”.

Also this: 9/16/11 Event ID: 7 “The device, \Device\CdRom1, has a bad block”. For both of these drives to act wacky, I wonder if there is a software issue and not a hardware issue. (Incidentally, Dell happily sold me a USB DVD burner that won’t work with my computer. Now, two weeks after saying they’d pick it up and refund my $$, I’ve heard nuthin’ from them.)

2. Category: Resolved Security Risks
Date & Time,Risk,Activity,Status,Recommended Action,Path - Filename
8/23/2011 8:20 PM,High,fileaccess.exe (W32.SillyFDC) detected by Virus scanner,Quarantined,Resolved - No Action Required,g:\recycler\s-1-6-21-4564564512-1075880115-910321303-3161\fileaccess.exe

The above tells the story of my daughter’s flash drive that contained an infection. I realized it immediately as did Norton 360. Apparently, it is satisfactorily resolved.

3. 8.25.11 Event ID 1904 HHCTRL “The description for Event ID (1904) in Source (HHCTRL) cannot be found…” Sometimes this event will appear hundreds of times in a row. I think I understand it has something to do with MS Help files.

4. 8.26.11 Event ID 50 Ntfs “{Delayed Write Failed} Windows was unable to save all the data for the file…” This has appeared only this one time.

5. 8.26.11 Event ID 57 Ftdisk “The system failed to flush data to the transaction log. Corruption may occur.” This has appeared only this one time.

6. 9/16/11 Event ID: 36 W32 Time “The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.” Happens semi-frequently.

7. For several months, the icon showing connected devices is gone. The only way to get it back is to Log Off. Sometimes, with no discernible pattern, it will appear upon a Restart. I found a site that showed me how to run this at the command prompt: “C:\WINDOWS\system32\rundll32.exe shell32.dll,Control_RunDLL hotplug.dll” so that I can safely disconnect my flash drive, iPod and external hard drive. Very frustrating.

Before I discovered the above-described command, I believe the errors described in #s 3 and 4, above, are related to my yanking out my flash drive without the “safely remove hardware” icon available. It caused the drives to rename themselves. I spent days trying to fix that, and ultimately – not sure how – the drives reordered themselves correctly.

8. I am unable to run SFC successfully. I have the original reinstallation disk from Dell, and the DVD drive does not recognize that there’s a disk in the tray. I suppose I’ll need to slipstream SP2 in order to use it, but since Dell doesn’t have a DVD-ROM burner to sell me, and my 2nd DVD reader is possessed by the devil (apparently), well, aaaaaahhhhhhhhhhhhhhh.

That’s the story. I’m most concerned with ensuring I’m not running an infected machine.

Sorry for the overkill detail. Thanks very much for your willingness to assist!!!

.

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Susan Campbell at 20:29:47 on 2011-09-17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.566 [GMT -5:00]
.
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Secunia\PSI\sua.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uWindow Title = Inner Workings of Susan's Brain
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\5.1.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\5.1.0.29\ips\IPSBHO.DLL
BHO: Advertising Cookie Opt-out: {8e425eb4-adbd-4816-b1e8-49bb9decf034} - c:\program files\google\advertising cookie opt-out\opt_out.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\5.1.0.29\coIEPlg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [TClockEx] c:\program files\tclockexe\TCLOCKEX.EXE
dRunOnce: [<NO NAME>]
mExplorerRun: [<NO NAME>] 1 (0x1)
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
IE: &Search - c:\search\search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: chase.com
Trusted Zone: dell.com
Trusted Zone: secunia.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.caminova.net/ja/downloads/getmodule.aspx?lang=en
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269830155160
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269830388754
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{46C5D265-B17C-485A-BEFB-F6F1B5229DB6} : DhcpNameServer = 10.0.0.1
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\SymDS.sys [2011-8-20 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\SymEFA.sys [2011-8-20 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\bashdefs\20110909.001\BHDrvx86.sys [2011-9-9 816760]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\Ironx86.sys [2011-8-20 136312]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2011-8-21 722616]
R2 N360;Norton 360;c:\program files\norton 360\engine\5.1.0.29\ccSvcHst.exe [2011-8-20 130008]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-1-10 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-1-10 399416]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2010-3-31 2944]
R3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2010-3-31 3168]
R3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2010-3-31 39552]
R3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2010-3-31 60416]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-9-15 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\ipsdefs\20110917.031\IDSXpx86.sys [2011-9-17 356280]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20110916.035\NAVENG.SYS [2011-9-17 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20110916.035\NAVEX15.SYS [2011-9-17 1576312]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2002-6-25 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-20 136176]
.
=============== File Associations ===============
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-09-16 19:59:32 388096 ----a-r- c:\documents and settings\susan campbell\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-09-16 19:59:30 -------- d-----w- c:\program files\Trend Micro
2011-09-07 20:24:52 137000 ----a-w- c:\windows\system32\MSMAPI32.OCX
2011-09-07 20:24:50 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
2011-09-07 20:24:50 -------- d-----w- c:\program files\PDFCreator
2011-09-02 19:16:59 -------- d-----w- C:\search
2011-08-23 21:37:55 -------- d-----w- c:\documents and settings\susan campbell\application data\Dell
2011-08-22 01:54:13 511328 ----a-w- c:\program files\common files\microsoft shared\capicom\CAPICOM.DLL
2011-08-22 01:54:11 2083464 ----a-w- c:\windows\system32\Incinerator32.dll
2011-08-22 01:54:10 9341 ----a-w- c:\windows\system32\drivers\filedisk.sys
2011-08-22 01:54:01 29696 ----a-w- c:\windows\system32\iolobtdfg.exe
2011-08-22 01:54:01 11776 ----a-w- c:\windows\system32\smrgdf.exe
2011-08-22 01:54:00 56200 ----a-w- c:\windows\system32\offreg.dll
2011-08-22 01:38:34 74703 ----a-w- c:\windows\system32\mfc45.dll
2011-08-22 01:37:59 -------- d-----w- C:\iolo
2011-08-21 23:36:13 -------- d-----w- c:\program files\iolo
2011-08-21 23:36:13 -------- d-----w- c:\documents and settings\susan campbell\application data\iolo
2011-08-21 23:36:13 -------- d-----w- c:\documents and settings\all users\application data\iolo
2011-08-21 09:08:45 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-08-21 09:08:44 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-08-21 09:08:43 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2011-08-21 09:08:43 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-08-21 09:08:42 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2011-08-21 09:08:23 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2011-08-21 09:08:21 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2011-08-21 09:08:19 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2011-08-21 09:08:15 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2011-08-21 09:08:13 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2011-08-21 09:06:59 687999 -c--a-w- c:\windows\system32\dllcache\usrwdxjs.sys
2011-08-21 09:05:59 10240 -c--a-w- c:\windows\system32\dllcache\swpdflt2.dll
2011-08-21 09:04:50 91294 -c--a-w- c:\windows\system32\dllcache\skfpwin.sys
2011-08-21 09:03:59 77824 -c--a-w- c:\windows\system32\dllcache\s3sav4m.sys
2011-08-21 09:02:52 19840 -c--a-w- c:\windows\system32\dllcache\philtune.sys
2011-08-21 09:01:58 87040 -c--a-w- c:\windows\system32\dllcache\nm6wdm.sys
2011-08-21 08:59:44 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2011-08-21 08:58:55 70730 -c--a-w- c:\windows\system32\dllcache\lne100tx.sys
2011-08-21 08:58:54 25065 -c--a-w- c:\windows\system32\dllcache\lmndis3.sys
2011-08-21 08:58:54 20573 -c--a-w- c:\windows\system32\dllcache\lne100.sys
2011-08-21 08:58:53 15744 -c--a-w- c:\windows\system32\dllcache\lit220p.sys
2011-08-21 08:58:52 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2011-08-21 08:58:52 26442 -c--a-w- c:\windows\system32\dllcache\lanepic5.sys
2011-08-21 08:58:51 19016 -c--a-w- c:\windows\system32\dllcache\ktc111.sys
2011-08-21 08:58:48 37376 -c--a-w- c:\windows\system32\dllcache\kousd.dll
2011-08-21 08:58:43 48640 -c--a-w- c:\windows\system32\dllcache\kdsui.dll
2011-08-21 08:58:43 253952 -c--a-w- c:\windows\system32\dllcache\kdsusd.dll
2011-08-21 08:58:25 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2011-08-21 08:58:24 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2011-08-21 08:56:59 9216 -c--a-w- c:\windows\system32\dllcache\ibmsgnet.dll
2011-08-21 08:55:50 92160 -c--a-w- c:\windows\system32\dllcache\fuusd.dll
2011-08-21 08:54:54 50719 -c--a-w- c:\windows\system32\dllcache\e1000nt5.sys
2011-08-21 08:53:58 60970 -c--a-w- c:\windows\system32\dllcache\cpqtrnd5.sys
2011-08-21 07:12:04 -------- d-----w- c:\program files\SystemRequirementsLab
2011-08-21 05:58:05 -------- d-----w- c:\program files\common files\Motive
2011-08-21 05:57:57 -------- d-----w- c:\program files\ATT
2011-08-21 04:44:59 -------- d-----w- c:\program files\Norton 360
2011-08-21 04:44:42 -------- d-----w- c:\program files\NortonInstaller
2011-08-20 22:23:33 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2011-08-20 22:23:31 31529 -c--a-w- c:\windows\system32\dllcache\brzwlan.sys
2011-08-20 22:23:31 11008 -c--a-w- c:\windows\system32\dllcache\brusbmdm.sys
2011-08-20 22:23:31 10368 -c--a-w- c:\windows\system32\dllcache\brusbscn.sys
2011-08-20 22:23:23 81408 -c--a-w- c:\windows\system32\dllcache\brmfcwia.dll
2011-08-20 22:23:23 3968 -c--a-w- c:\windows\system32\dllcache\brfiltup.sys
2011-08-20 22:23:22 12160 -c--a-w- c:\windows\system32\dllcache\brfiltlo.sys
2011-08-20 22:21:56 96128 -c--a-w- c:\windows\system32\dllcache\ati.dll
2011-08-20 22:21:56 77568 -c--a-w- c:\windows\system32\dllcache\ati.sys
2011-08-20 22:19:53 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
2011-08-20 22:19:53 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2011-08-20 22:19:01 10880 -c--a-w- c:\windows\system32\dllcache\admjoy.sys
2011-08-20 22:19:00 747392 -c--a-w- c:\windows\system32\dllcache\adm8830.sys
2011-08-20 22:19:00 584448 -c--a-w- c:\windows\system32\dllcache\adm8810.sys
2011-08-20 22:19:00 553984 -c--a-w- c:\windows\system32\dllcache\adm8820.sys
2011-08-20 22:17:59 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-08-20 21:50:17 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-08-20 21:50:17 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-20 21:25:44 -------- d-----w- c:\program files\WinDirStat
2011-08-20 21:25:42 -------- d-----w- c:\program files\Auslogics
2011-08-19 20:09:49 -------- d-----w- c:\documents and settings\all users\application data\PCDr
2011-08-19 20:08:32 -------- d-----w- c:\program files\Dell Support Center
2011-08-19 20:03:52 -------- d-----w- c:\documents and settings\susan campbell\application data\PCDr
.
==================== Find3M ====================
.
2011-09-09 21:18:05 32768 ----a-w- c:\windows\system32\PLUGIN.DLL
2011-09-09 21:18:05 210944 ----a-w- c:\windows\system32\MSVCRT10.DLL
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-28 19:01:35 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-21 04:45:51 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-08-21 04:45:51 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-05 23:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 23:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet(2)(2).dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1991680 ----a-w- c:\windows\system32\iertutil(2)(2).dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 18:36:30 1212416 ----a-w- c:\windows\system32\urlmon(2)(2).dll
2011-06-23 18:36:30 105984 ----a-w- c:\windows\system32\url(2)(2).dll
2011-06-23 18:36:29 11081728 ----a-w- c:\windows\system32\ieframe(2)(2).dll
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv(2)(2).dll
2010-05-11 07:02:20 965120 ----a-w- c:\program files\Clk.exe
.
============= FINISH: 20:31:20.28 ===============
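The Malwarebytes "Broken.OpenCommand" findings and the DDS "File Associations" section in the post above describe the same kind of change: the shell\open\command for .scr, .reg and script files has been pointed at NOTEPAD.EXE, so double-clicking such a file opens it for viewing instead of running it. The Python script below is an added example (not part of the original post, and not code from Malwarebytes or DDS) that parses both report formats and classifies each entry as the stock handler, a Notepad redirect, or something else a helper would want to look at; the table of expected Windows XP handlers is an assumption based on a stock install.

```python
"""Triage file-association entries from Malwarebytes and DDS report lines.

Added example for this thread: not code from the original post, from
Malwarebytes or from DDS. The expected-handler table is an assumption
based on a stock Windows XP install.
"""
import re

# Assumed stock Windows XP handlers per file class (lower-case basenames).
# "%1" means the file itself is launched: a .scr screensaver is a PE binary.
EXPECTED_HANDLER = {
    "scrfile": {"%1"},
    "regfile": {"regedit.exe"},
    "jsefile": {"wscript.exe", "cscript.exe"},
    "vbsfile": {"wscript.exe", "cscript.exe"},
    "vbefile": {"wscript.exe", "cscript.exe"},
}

# Report lines copied from the thread: two Malwarebytes 'Broken.OpenCommand'
# findings and the three entries from the DDS 'File Associations' section.
SAMPLE_REPORT_LINES = [
    r'Broken.OpenCommand, Registry Data, HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default), Bad: (NOTEPAD.EXE %1) Good: ("%1" /S)',
    r'Broken.OpenCommand, Registry Data, HKEY_CLASSES_ROOT\regfile\shell\open\command\(default), Bad: (NOTEPAD.EXE %1) Good: (regedit.exe"%1")',
    "JSEFile=NOTEPAD.EXE %1",
    "VBEFile=NOTEPAD.EXE %1",
    "VBSFile=NOTEPAD.EXE %1",
]

_MBAM_RE = re.compile(
    r"Broken\.OpenCommand, Registry Data, HKEY_CLASSES_ROOT\\(?P<progid>[^\\]+)"
    r"\\shell\\open\\command\\\(default\), Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\)$"
)
_DDS_RE = re.compile(r"^(?P<progid>[A-Za-z0-9_.]+)=(?P<cmd>.+)$")


def handler_of(command):
    """Lower-cased basename of the executable a shell\\open\\command launches.

    Handles quoted paths, %SystemRoot%-style prefixes and the regedit.exe"%1"
    form (no space) that Malwarebytes prints for the regfile default.
    """
    m = re.match(r'\s*"?([^"\s]+)', command)
    if not m:
        return ""
    return m.group(1).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(progid, command):
    """'default': stock handler; 'defused': opens in Notepad so the file is
    viewed, not executed; 'review': any other program, which needs a look."""
    exe = handler_of(command)
    if exe == "notepad.exe":
        return "defused"
    if exe in EXPECTED_HANDLER.get(progid.lower(), set()):
        return "default"
    return "review"


def parse_line(line):
    """Return (progid, current_command, expected_command_or_None), or None
    when the line is neither a Malwarebytes finding nor a DDS association."""
    m = _MBAM_RE.match(line.strip())
    if m:
        return m.group("progid"), m.group("bad"), m.group("good")
    m = _DDS_RE.match(line.strip())
    if m:
        return m.group("progid"), m.group("cmd"), None
    return None


def triage(lines):
    """Classify every parsable association line; other lines are skipped."""
    results = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        progid, current, expected = parsed
        results.append({"progid": progid, "command": current,
                        "expected": expected, "verdict": classify(progid, current)})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_REPORT_LINES):
        print(f"{r['progid']:<8} {r['verdict']:<8} {r['command']}")
```

A "defused" verdict matches what the poster was told: the entries are a deliberate redirect rather than an infection, at the cost that .reg and .scr files no longer run on double-click until the stock handler is restored.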


#2 HelpBot (Bleepin' Binary Bot)

  • Bots
  • 12,622 posts

Posted 23 September 2011 - 03:30 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/419479 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Olive Oyl (Topic Starter)

  • Members
  • 17 posts

Posted 24 September 2011 - 02:47 AM

Attached files: attach.txt (10.25KB), ark.txt (6.79KB)

Hello (again) Volunteer Geniuses, and thank you!

I am seeking help with two error messages I’ve received from Google, and I’ve detailed other things going on that might or might not be related. My concern is that my machine is infected with something I can’t discover using Norton 360 v.5, System Mechanic Pro 10.5, HijackThis and MalwareBytes.

Here are my machine’s specs:

PC Manufacturer Dell Computer Corporation
Model Dimension 8250
Motherboard Manufacturer Dell Computer Corp.
Product
CPU Intel® Pentium® 4 CPU 2.66GHz
Version x86 Family 15 Model 2 Stepping 7
Data Width 32bits
Approximate Current Clock Speed 2,652Mhz
Approximate Maximum Clock Speed 2,652Mhz
BIOS Default System BIOS
Date 1/27/2003
Version DELL - 8
Memory slots available on motherboard 4
Memory Chip RIMM1
RAM 256MB
Speed 400ns
Memory Chip RIMM2
RAM 256MB
Speed 400ns
Memory Chip RIMM3
RAM 256MB
Speed 400ns
Memory Chip RIMM4
RAM 256MB
Speed 400ns
Motherboard Device
Status Off
System Slot PCI1
Status Available
System Slot PCI2
Status Available
System Slot PCI3
Status Available
System Slot PCI4
Status Available
System Slot AGP1
Status In Use
CD Drive PIONEER DVD-RW DVR-109 (Currently dead, I suppose)
Media Type CD-ROM
CD Drive LITEON DVD-ROM LTD163 (Currently working or not working, as it sees fit)
Media Type CD-ROM
Video Manufacturer ATI Technologies Inc.
Video Card ALL-IN-WONDER 9600 SERIES
RAM 128MB
Mode 1024 x 768 x 4294967296 colors
Driver ati2dvag.dll
Date 2/21/2006
Version 6.14.10.6601
Video Manufacturer ATI Technologies Inc.
Video Card ALL-IN-WONDER 9600 SERIES - Secondary
RAM 128MB
Driver ati2dvag.dll
Date 2/21/2006
Version 6.14.10.6601
Hard Disk Model WDC WD1200JB-75CRA0
Interface IDE
Hard Disk Model ST350041 2AS USB Device
Interface USB
Network Adapter Intel® PRO/100 M Network Connection
Service Name E100B
Sound Manufacturer Creative Technology Ltd.
Model Creative SB Live! Series (WDM)
Sound Manufacturer Microsoft
Model Unimodem Half-Duplex Audio Device
Printer PDFCreator
Printer Microsoft XPS Document Writer
Printer CAPTURE FAX BVRP
Printer Brother MFC-8500
Web Site http://www.brother.com

Number of Logical CPUs Active 1 Microsoft Windows XP Professional
Patch Level Service Pack 3
Date Installed 3/26/2010
Country Code 1
OS System Language 1033
ANSI Code Page 1252
System Locale 0409
Internet Explorer Version 8.0.6001.18702
Windows Update Automatic
Latest Windows Hotfix Date 9/7/2011
Path C:\WINDOWS\system32;
C:\WINDOWS;
C:\WINDOWS\System32\Wbem;
C:\WINDOWS\system32\WindowsPowerShell\v1.0;
C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 3.5 Suite Deluxe;
C:\Program Files\Common Files\Ulead Systems\MPEG;
C:\Program Files\Common Files\Ulead Systems\DVD;
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;
C:\Program Files\Support Tools\;
C:\WINDOWS\system32\WindowsPowerShell\v1.0;
C:\Program Files\QuickTime\QTSystem\

OS User Language 1033

Page File Size 768MB
Page File Free 82%
Physical Memory Size 1,022MB
Physical Memory Free 20%
Disk Type Fixed Disk
Disk ID C
Total Disk Space 112GB
Free Disk Space 50.3GB
Disk Type Fixed Disk
Disk ID F
Total Disk Space 466GB

Free Disk Space 49.8GB

Here is the first error message:

"Unusual traffic from your computer network".

Note: Neither System Mechanic nor Norton 360 show any infections.

Malwarebytes reports changes that, I understand, are not really infections but are instead changes made by System Mechanic that I can ignore (see report text below).

The report from Malwarebytes:

Broken.OpenCommand, Registry Data, HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default), Bad: (NOTEPAD.EXE %1) Good: ("%1" /S)

and:

Broken.OpenCommand, Registry Data, HKEY_CLASSES_ROOT\regfile\shell\open\command\(default), Bad: (NOTEPAD.EXE %1) Good: (regedit.exe"%1")

The second error message:

“Internet Explorer has modified this page to help prevent cross-site scripting. Click here for more information.”

Clicking yields this notice:

“How does Internet Explorer help protect me from cross-site scripting attacks?
Internet Explorer's Cross-Site Scripting (XSS) Filter can help prevent one website from adding script code to another website. XSS Filter watches how websites interact, and when it recognizes a potential attack, it will automatically block script code from running. When this happens, you will see a message in the Information bar letting you know that the webpage was modified to help protect your privacy and security.
If the modified webpage does not work properly, try going to the home page of the website and navigating to the webpage directly. If the page still does not work correctly, contact the website's administrator.”

In an effort to give you the best state-of-the-computer info, here are other most-likely unrelated details about things affecting the state of my dear, old computer (economic reality keeps me working to keep this baby going):

1. In mid-July, my DVD-ROM conked out following a weird, quickly flashed message saying something like my mouse had been overloaded with signal – I can’t find it in the logs. Immediately the drive conked. I took the entire computer apart, cleaned it, checked all connections, and re-installed the DVD to no avail. Choosing the DVD from “My Computer” causes the system to freeze. Sometimes the system becomes unresponsive and I must hit the Kill button to start it over. The 2nd drive, a DVD reader (not recorder), acts weird, too.

I regularly receive the (This one from 9/16/11) Event ID: 7036 “The IMAPI CD burning service entered the stopped state”, plus its fraternal twin: “… service has been started…”.

Also this: 9/16/11 Event ID: 7 “The device, \Device\CdRom1, has a bad block”. For both of these drives to act wacky, I wonder if there is a software issue and not a hardware issue. (Incidentally, Dell happily sold me a USB DVD burner that won’t work with my computer. Now, two weeks after saying they’d pick it up and refund my $$, I’ve heard nuthin’ from them.)

2. Category: Resolved Security Risks
Date & Time,Risk,Activity,Status,Recommended Action,Path - Filename
8/23/2011 8:20 PM,High,fileaccess.exe (W32.SillyFDC) detected by Virus scanner,Quarantined,Resolved - No Action Required,g:\recycler\s-1-6-21-4564564512-1075880115-910321303-3161\fileaccess.exe

The above tells the story of my daughter’s flash drive that contained an infection. I realized it immediately as did Norton 360. Apparently, it is satisfactorily resolved.

3. 8.25.11 Event ID 1904 HHCTRL “The description for Event ID (1904) in Source (HHCTRL) cannot be found…” Sometimes this event will appear hundreds of times in a row. I think I understand it has something to do with MS Help files.

4. 8.26.11 Event ID 50 Ntfs “{Delayed Write Failed} Windows was unable to save all the data for the file…” This has appeared only this one time.

5. 8.26.11 Event ID 57 Ftdisk “The system failed to flush data to the transaction log. Corruption may occur.” This has appeared only this one time.

6. 9/16/11 Event ID: 36 W32 Time “The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.” Happens semi-frequently.

7. For several months, the icon showing connected devices is gone. The only way to get it back is to Log Off. Sometimes, with no discernible pattern, it will appear upon a Restart. I found a site that showed me how to run this at the command prompt: “C:\WINDOWS\system32\rundll32.exe shell32.dll,Control_RunDLL hotplug.dll” so that I can safely disconnect my flash drive, iPod and external hard drive. Very frustrating.

Before I discovered the above-described command, I believe the errors described in #s 3 and 4 above are related to my yanking out my flash drive without the “safely remove hardware” icon available. It caused the drives to rename themselves. I spent days trying to fix that, and ultimately – not sure how – the drives reordered themselves correctly.

8. I am unable to run SFC successfully. I do have the original XP reinstallation disk from Dell, and the DVD drive does not recognize that there’s a disk in the tray. I suppose I’ll need to slipstream SP2 in order to use it, but since Dell doesn’t have a DVD-ROM burner to sell me, and my 2nd DVD reader is possessed by the devil (apparently), well, aaaaaahhhhhhhhhhhhhhh.

That’s the story. I’m most concerned with ensuring I’m not running an infected machine.

Sorry for the overkill detail. Thanks very much for your willingness to assist!!!





.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Susan Campbell at 21:24:23 on 2011-09-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.535 [GMT -5:00]
.
AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uWindow Title = Inner Workings of Susan's Brain
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\5.1.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\5.1.0.29\ips\IPSBHO.DLL
BHO: Advertising Cookie Opt-out: {8e425eb4-adbd-4816-b1e8-49bb9decf034} - c:\program files\google\advertising cookie opt-out\opt_out.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\5.1.0.29\coIEPlg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [TClockEx] c:\program files\tclockexe\TCLOCKEX.EXE
dRunOnce: [<NO NAME>]
mExplorerRun: [<NO NAME>] 1 (0x1)
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
IE: &Search - c:\search\search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: chase.com
Trusted Zone: dell.com
Trusted Zone: secunia.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.caminova.net/ja/downloads/getmodule.aspx?lang=en
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269830155160
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269830388754
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{46C5D265-B17C-485A-BEFB-F6F1B5229DB6} : DhcpNameServer = 10.0.0.1
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\SymDS.sys [2011-8-20 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\SymEFA.sys [2011-8-20 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\bashdefs\20110909.001\BHDrvx86.sys [2011-9-9 816760]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\Ironx86.sys [2011-8-20 136312]
R2 N360;Norton 360;c:\program files\norton 360\engine\5.1.0.29\ccSvcHst.exe [2011-8-20 130008]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2010-3-31 2944]
R3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2010-3-31 3168]
R3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2010-3-31 39552]
R3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2010-3-31 60416]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\ipsdefs\20110922.030\IDSXpx86.sys [2011-9-22 356280]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20110923.018\NAVENG.SYS [2011-9-23 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.1.0.29\definitions\virusdefs\20110923.018\NAVEX15.SYS [2011-9-23 1576312]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2011-8-21 722616]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-1-10 993848]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-1-10 399416]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2002-6-25 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-20 136176]
.
=============== File Associations ===============
.
JSEFile=NOTEPAD.EXE %1
regfile=NOTEPAD.EXE %1
scrfile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-09-16 19:59:32 388096 ----a-r- c:\documents and settings\susan campbell\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-09-16 19:59:30 -------- d-----w- c:\program files\Trend Micro
2011-09-07 20:24:52 137000 ----a-w- c:\windows\system32\MSMAPI32.OCX
2011-09-07 20:24:50 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
2011-09-07 20:24:50 -------- d-----w- c:\program files\PDFCreator
2011-09-05 17:04:56 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-09-02 19:16:59 -------- d-----w- C:\search
.
==================== Find3M ====================
.
2011-09-22 15:49:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 21:18:05 32768 ----a-w- c:\windows\system32\PLUGIN.DLL
2011-09-09 21:18:05 210944 ----a-w- c:\windows\system32\MSVCRT10.DLL
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 01:38:34 74703 ----a-w- c:\windows\system32\mfc45.dll
2011-08-21 04:45:51 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-08-21 04:45:51 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-08-08 20:01:38 11776 ----a-w- c:\windows\system32\smrgdf.exe
2011-08-08 20:01:28 29696 ----a-w- c:\windows\system32\iolobtdfg.exe
2011-08-08 19:18:16 2083464 ----a-w- c:\windows\system32\Incinerator32.dll
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-05 23:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 23:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-05-11 07:02:20 965120 ----a-w- c:\program files\Clk.exe
.
============= FINISH: 21:25:30.10 ===============
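The Malwarebytes "Broken.OpenCommand" items and the DDS "File Associations" section above point at the same thing: the shell\open\command value for several executable file types has been set to NOTEPAD.EXE %1, so double-clicking a .reg, .scr or .vbs file opens it for viewing instead of running it. The PowerShell audit below is an added example written for this thread, not code from BleepingComputer, Malwarebytes or DDS; it reads those keys and labels each as the stock default, the Notepad redirect, or something unexpected. The regfile and scrfile defaults are the "Good:" values Malwarebytes reports above; the WScript.exe entries for the script types are assumed stock XP defaults and should be checked against a known-clean machine.

```powershell
# Added example for this thread (not Malwarebytes, DDS or BleepingComputer code):
# audit the default "shell\open\command" of the file types listed in the DDS
# "File Associations" section and say what each one currently does.

# Expected stock commands. regfile and scrfile are the "Good:" values from the
# Malwarebytes report in this thread; the WScript.exe lines are ASSUMED stock
# Windows XP defaults - verify them against a known-clean machine.
$expected = @{
    'regfile' = 'regedit.exe "%1"'
    'scrfile' = '"%1" /S'
    'JSEFile' = '"%SystemRoot%\System32\WScript.exe" "%1" %*'
    'VBSFile' = '"%SystemRoot%\System32\WScript.exe" "%1" %*'
    'VBEFile' = '"%SystemRoot%\System32\WScript.exe" "%1" %*'
}

function Get-OpenCommand([string]$progId) {
    # HKCR is not a PSDrive by default, so go through the Registry:: provider path.
    $key = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    if (-not (Test-Path -Path $key)) { return $null }
    # The key's unnamed default value is surfaced as the '(default)' property.
    return (Get-ItemProperty -Path $key).'(default)'
}

function Get-OpenCommandVerdict([string]$progId, [string]$command) {
    if ([string]::IsNullOrEmpty($command)) { return 'MISSING' }
    $norm = $command.Trim()
    # String -eq is case-insensitive in PowerShell, which suits registry data.
    if ($norm -eq $expected[$progId]) { return 'DEFAULT' }
    # "NOTEPAD.EXE %1" opens the file in Notepad instead of executing it. That is
    # the hardening tweak System Mechanic applies and Malwarebytes flags as
    # Broken.OpenCommand: not an infection, but double-click-to-run is disabled.
    if ($norm -match '^(.*\\)?notepad\.exe\s+"?%1"?$') { return 'NOTEPAD-REDIRECT' }
    # Anything else (an unknown .exe, a path under a user profile, an extra
    # command chained on) is what actually deserves a closer look.
    return 'UNEXPECTED'
}

foreach ($progId in ($expected.Keys | Sort-Object)) {
    $cmd = Get-OpenCommand $progId
    $verdict = Get-OpenCommandVerdict $progId $cmd
    '{0,-8} {1,-16} {2}' -f $progId, $verdict, $cmd
}
```

The script only reads the registry; whether to restore a default or keep the Notepad redirect is a policy choice, and Malwarebytes' "Good:" values above give the stock command if you decide to restore one.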

#4 Casey_boy

Casey_boy

    Bleeping physicist

  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 24 September 2011 - 10:42 AM

Hi,

My name is Casey and I will be helping you with your malware problems.

Whilst I research the problems in your logs, it is very important that you do not make any changes to this PC. Specifically, do not run any further malware removal tools or try to remove anything yourself.

You may wish to "Watch Topic" so that you are immediately informed of any replies I make. I also ask that you reply to my posts within 5 days else your topic will be closed as stale.

Throughout the removal process, if you have any questions then you should ask them. If you are unsure of my instructions or something does not go as planned - then please tell me. Conversely, it is also important that you answer any questions I have and that you keep me updated on the state of the PC.

Regards,

Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#5 Casey_boy

Casey_boy

    Bleeping physicist

  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 24 September 2011 - 10:46 AM

I'm not sure all your problems are malware related, but let's see :)

Download and run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. If you are prompted to install the Recovery Console, then please do so.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: If you have trouble running ComboFix, then please rename ComboFix.exe to Caseyboy.exe and re-run.

Casey



#6 Olive Oyl

Olive Oyl
  • Topic Starter
  • Members
  • 17 posts

Posted 24 September 2011 - 12:55 PM



Hi and thanks, Casey.

I'm preparing to run ComboFix, perusing the instructions prior to starting. One thing: the .dds script starts all by itself every now and then. I didn't find it in Add/Remove Programs or in the Task Manager. Not sure why it continues to run or how to stop it. Since it's downloadable, and you have 2 sets of its resultant logs, I think I'll delete it, so ComboFix can run without interruption.

Thanks, here I go!

Olive Oyl

#7 Olive Oyl

Olive Oyl
  • Topic Starter
  • Members
  • 17 posts

Posted 24 September 2011 - 01:57 PM

Hi Casey,

Here's the ComboFix log:

ComboFix 11-09-24.02 - Susan Campbell 09/24/2011 13:15:50.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.443 [GMT -5:00]
Running from: c:\documents and settings\Susan Campbell\Desktop\ComboFix.exe
AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Susan Campbell\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Susan Campbell\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Susan Campbell\WINDOWS
c:\windows\system32\default_user_class.dat.LOG
.
.
((((((((((((((((((((((((( Files Created from 2011-08-24 to 2011-09-24 )))))))))))))))))))))))))))))))
.
.
2011-09-16 19:59 . 2011-09-16 19:59 388096 ----a-r- c:\documents and settings\Susan Campbell\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-16 19:59 . 2011-09-16 19:59 -------- d-----w- c:\program files\Trend Micro
2011-09-07 20:24 . 1998-06-24 06:00 137000 ----a-w- c:\windows\system32\MSMAPI32.OCX
2011-09-07 20:24 . 2011-09-07 20:25 -------- d-----w- c:\program files\PDFCreator
2011-09-07 20:24 . 1998-07-06 06:00 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-09-02 19:16 . 2011-09-02 19:16 -------- d-----w- C:\search
2011-08-30 15:35 . 2011-08-30 15:35 -------- d-----w- c:\documents and settings\NetworkService\Application Data\iolo
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-22 15:49 . 2011-06-17 00:23 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 21:18 . 1996-10-30 14:35 32768 ----a-w- c:\windows\system32\PLUGIN.DLL
2011-09-09 21:18 . 1994-11-18 06:00 210944 ----a-w- c:\windows\system32\MSVCRT10.DLL
2011-09-09 09:12 . 2002-09-23 21:10 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 22:00 . 2011-06-17 01:40 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-22 01:38 . 2011-08-22 01:38 74703 ----a-w- c:\windows\system32\mfc45.dll
2011-08-21 04:45 . 2011-08-21 04:45 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-08-21 04:45 . 2011-08-21 04:45 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-08-08 20:01 . 2011-08-22 01:54 11776 ----a-w- c:\windows\system32\smrgdf.exe
2011-08-08 20:01 . 2011-08-22 01:54 29696 ----a-w- c:\windows\system32\iolobtdfg.exe
2011-08-08 19:18 . 2011-08-22 01:54 2083464 ----a-w- c:\windows\system32\Incinerator32.dll
2011-07-15 13:29 . 2002-06-25 19:14 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2002-06-25 19:17 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-05 23:37 . 2011-07-05 23:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 23:37 . 2011-07-05 23:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-05-11 07:02 . 2010-05-11 07:02 965120 ----a-w- c:\program files\Clk.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TClockEx"="c:\program files\TClockExe\TCLOCKEX.EXE" [2010-03-30 89088]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-1-10 291896]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-05 17:04 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-14 16:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 23:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 15:42 69632 -c--a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-02-11 04:32 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"IntuitUpdateService"=2 (0x2)
"ATI Smart"=3 (0x3)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"McciCMService"=2 (0x2)
"MDM"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\SymDS.sys [8/20/2011 11:45 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\SymEFA.sys [8/20/2011 11:45 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20110909.001\BHDrvx86.sys [9/9/2011 12:44 PM 816760]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\Ironx86.sys [8/20/2011 11:45 PM 136312]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [3/31/2010 10:21 AM 2944]
R3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [3/31/2010 10:22 AM 3168]
R3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [3/31/2010 10:21 AM 39552]
R3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [3/31/2010 10:21 AM 60416]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/23/2011 7:09 PM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20110923.030\IDSXpx86.sys [9/24/2011 6:25 AM 356280]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2011-09-24 c:\windows\Tasks\User_Feed_Synchronization-{551B3E86-5738-435A-824A-9D3D402E1D13}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: chase.com
Trusted Zone: dell.com
Trusted Zone: secunia.com
TCP: DhcpNameServer = 10.0.0.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-24 13:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1715567821-1085031214-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-09-24 13:42:31
ComboFix-quarantined-files.txt 2011-09-24 18:42
.
Pre-Run: 53,120,536,576 bytes free
Post-Run: 53,162,840,064 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 3704E100D8B3F8C02781D9F2F1AA89F1

#8 Casey_boy

Casey_boy

    Bleeping physicist

  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 24 September 2011 - 03:46 PM

Hi again,

There doesn't look much wrong there.

:step1: Please visit the online Jotti Virus Scanner.
  • Browse to the following filepaths:

    c:\program files\Clk.exe
    c:\windows\system32\MSMPIDE.DLL

  • Click on the button to submit the file.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

:step2: Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

:step3: We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Copy and Paste the following code into the textbox.
    C:\search\*
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

Casey



#9 Olive Oyl

Olive Oyl
  • Topic Starter
  • Members
  • 17 posts

Posted 24 September 2011 - 04:02 PM

Thanks...will do and report back...

#10 Olive Oyl

Olive Oyl
  • Topic Starter
  • Members
  • 17 posts

Posted 24 September 2011 - 04:11 PM

Here's the clk.exe result:

Jotti's malware scan
Filename: Clk.exe
Status: Scan finished. 1 out of 20 scanners reported malware.
Scan taken on: Sat 24 Sep 2011 23:04:15 (CET)

Additional info
File size: 965120 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 36886aea141922ae994ad8a2f8eb492b
SHA1: c92ea9d91c5b73ce03b5910b363ff530fc149d7e

Scanners
2011-09-24 Found nothing 2011-09-24 Found nothing
2011-09-24 Found nothing 2011-09-24 Found nothing
2011-09-24 Found nothing 2011-09-24 Found nothing
2011-09-23 Found nothing 2011-09-24 Found nothing
2011-09-24 Found nothing 2011-09-24 Found nothing
2011-09-24 Found nothing 2011-09-23 Found nothing
2011-09-24 BackDoor.W32.Death.25.m 2011-09-22 Found nothing
2011-09-24 Found nothing 2011-09-24 Found nothing
2011-09-24 Found nothing 2011-09-23 Found nothing
2011-09-24 Found nothing 2011-09-24 Found nothing

and results for: MSMPIDE.DLL





Jotti's malware scan
This file has been scanned before. The results for this previous scan are listed below.





--------------------------------------------------------------------------------

Filename: MSMPIDE.DLL
Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Tue 8 Feb 2011 07:29:23 (CET) Permalink



--------------------------------------------------------------------------------
Additional info
File size: 23552 bytes
Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5: 6ec9a8dc8508d724e7456600b0ccb995
SHA1: e10c41f27dfcfd9b2f9e2a8f32026b2df9b6c947

Scanners
2011-02-08 Found nothing 2011-02-07 Found nothing
2011-02-07 Found nothing 2011-02-08 Found nothing
2011-02-07 Found nothing 2011-02-08 Found nothing
2011-02-07 Found nothing 2011-02-08 Found nothing
2011-02-08 Found nothing 2011-02-08 Found nothing
2011-02-08 Found nothing 2011-02-07 Found nothing
2011-02-08 Found nothing 2011-02-08 Found nothing
2011-02-08 Found nothing 2011-02-07 Found nothing
No result available 2011-02-06 Found nothing
2011-02-07 Found nothing 2011-02-07 Found nothing

Now Step 2...

#11 Olive Oyl

Olive Oyl
  • Topic Starter

  • Members
  • 17 posts

Posted 24 September 2011 - 04:38 PM

Good news, I suppose... "no results" upon running the "TDSS ROOTKIT REMOVING TOOL". I made sure I ran v2.4.0.0.

Here is the result from running OTL - the "OTL.txt" log:

OTL logfile created on: 9/24/2011 4:25:49 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\Susan Campbell\Desktop\Computer Help\Blpng Cmptr\9.23.11
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 543.25 Mb Available Physical Memory | 53.10% Memory free
1.65 Gb Paging File | 1.16 Gb Available in Paging File | 70.32% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.75 Gb Total Space | 49.64 Gb Free Space | 44.42% Space Free | Partition Type: NTFS
Drive F: | 465.76 Gb Total Space | 49.19 Gb Free Space | 10.56% Space Free | Partition Type: NTFS

Computer Name: SCIENCE-NC24JMJ | User Name: Susan Campbell | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/09/24 16:16:08 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Susan Campbell\Desktop\Computer Help\Blpng Cmptr\9.23.11\OTL.exe
PRC - [2011/08/08 14:15:42 | 000,722,616 | ---- | M] (iolo technologies, LLC) -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
PRC - [2011/04/16 19:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe
PRC - [2011/01/10 09:24:20 | 000,993,848 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psia.exe
PRC - [2011/01/10 09:24:20 | 000,399,416 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\sua.exe
PRC - [2011/01/10 09:24:20 | 000,291,896 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psi_tray.exe
PRC - [2010/09/13 20:02:44 | 000,399,872 | ---- | M] (Windows ® Codename Longhorn DDK provider) -- C:\Program Files\UPHClean\uphclean.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2001/08/17 22:36:38 | 000,032,256 | ---- | M] (Brother Industries, Ltd.) -- C:\WINDOWS\system32\BrmfRsmg.exe


========== Modules (No Company Name) ==========

MOD - [2001/10/28 17:42:30 | 000,116,224 | ---- | M] () -- C:\WINDOWS\system32\pdfcmnnt.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/08/08 14:15:42 | 000,722,616 | ---- | M] (iolo technologies, LLC) [Auto | Running] -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe -- (ioloSystemService)
SRV - [2011/04/16 19:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton 360\Engine\5.1.0.29\ccSvcHst.exe -- (N360)
SRV - [2011/01/10 09:24:20 | 000,993,848 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\PSIA.exe -- (Secunia PSI Agent)
SRV - [2011/01/10 09:24:20 | 000,399,416 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\sua.exe -- (Secunia Update Agent)
SRV - [2010/09/13 20:02:44 | 000,399,872 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Auto | Running] -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean)
SRV - [2009/09/29 09:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008/12/08 06:40:00 | 000,115,992 | ---- | M] (EMC Corporation) [Disabled | Stopped] -- C:\Program Files\Retrospect\Retrospect 7.6\retrorun.exe -- (RetroLauncher)
SRV - [2008/01/29 16:09:02 | 000,394,704 | ---- | M] (Symantec, Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe -- (Symantec RemoteAssist)
SRV - [2004/03/13 04:04:16 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2002/05/03 12:29:42 | 001,118,208 | ---- | M] (Intel Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\NMSSvc.Exe -- (NMSSvc) Intel®


========== Driver Services (SafeList) ==========

DRV - [2011/09/21 15:01:36 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20110923.025\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/09/21 15:01:36 | 000,105,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/09/21 15:01:36 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\VirusDefs\20110923.025\NAVENG.SYS -- (NAVENG)
DRV - [2011/09/09 12:44:06 | 000,816,760 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\BASHDefs\20110909.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2011/08/23 00:17:32 | 000,356,280 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\Definitions\IPSDefs\20110923.030\IDSXpx86.sys -- (IDSxpx86)
DRV - [2011/08/20 23:55:20 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/08/20 23:45:51 | 000,126,584 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/03/30 22:00:09 | 000,516,216 | R--- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\N360\0501000.01D\SRTSP.SYS -- (SRTSP)
DRV - [2011/03/30 22:00:09 | 000,050,168 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0501000.01D\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2011/03/21 19:39:49 | 000,369,784 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0501000.01D\SYMTDI.SYS -- (SYMTDI)
DRV - [2011/03/14 21:31:23 | 000,744,568 | R--- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0501000.01D\SYMEFA.SYS -- (SymEFA)
DRV - [2011/01/27 01:47:10 | 000,340,088 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0501000.01D\SYMDS.SYS -- (SymDS)
DRV - [2011/01/27 00:07:05 | 000,136,312 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0501000.01D\Ironx86.SYS -- (SymIRON)
DRV - [2010/09/01 03:30:58 | 000,015,544 | ---- | M] (Secunia) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
DRV - [2010/06/29 18:30:08 | 000,009,341 | ---- | M] (iolo technologies, LLC (based on original work by Bo Brantén)) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\filedisk.sys -- (FileDisk)
DRV - [2009/12/18 11:58:52 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)
DRV - [2009/08/14 08:45:24 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2009/08/14 08:45:24 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2008/04/13 13:36:41 | 000,063,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mf.sys -- (mf)
DRV - [2008/04/13 12:45:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2006/02/21 20:46:26 | 001,505,792 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/02/01 14:46:00 | 000,056,320 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atineuxx.sys -- (ATITUNEP)
DRV - [2005/02/01 14:45:12 | 000,074,240 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atinesxx.sys -- (ATIXSAudio)
DRV - [2005/02/01 14:42:58 | 000,165,888 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atinevxx.sys -- (atinevxx)
DRV - [2005/02/01 14:41:58 | 000,014,848 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atinpdxx.sys -- (PCDCODEC)
DRV - [2005/02/01 14:41:40 | 000,015,360 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atinmdxx.sys -- (MVDCODEC)
DRV - [2005/02/01 14:37:46 | 000,055,296 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atinraxx.sys -- (ativraxx)
DRV - [2004/08/03 23:29:32 | 000,104,960 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atinrvxx.sys -- (atinrvxx) ATI WDM Rage Theater Video (Microsoft Corporation)
DRV - [2003/09/22 12:43:06 | 001,330,048 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\P16X.sys -- (P16X) Creative SB Live! Series (WDM)
DRV - [2003/09/22 08:48:06 | 000,130,192 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2003/09/22 08:47:38 | 000,178,672 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2003/03/05 12:19:28 | 000,015,840 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PFMODNT.SYS -- (PfModNT)
DRV - [2002/05/03 12:30:08 | 000,009,868 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NMSCFG.SYS -- (NMSCFG)
DRV - [2001/08/22 09:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
DRV - [2001/08/17 13:12:24 | 000,003,168 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrParImg.sys -- (brparimg)
DRV - [2001/08/17 13:12:18 | 000,039,552 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrParwdm.sys -- (BrParWdm)
DRV - [2001/08/17 13:12:12 | 000,002,944 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrFilt.sys -- (brfilt)
DRV - [2001/08/17 08:28:10 | 000,542,879 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_MSFT.sys -- (hsf_msft)
DRV - [2001/07/25 17:58:28 | 000,584,336 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hsf_cnxt.sys -- (winachsf)
DRV - [2001/07/18 19:07:00 | 000,080,449 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\spkpnt.sys -- (SpeakerPhone)
DRV - [2001/07/18 19:06:40 | 000,426,783 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\k56nt.sys -- (K56)
DRV - [2001/07/18 19:06:12 | 000,127,405 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fsksnt.sys -- (Fsks)
DRV - [2001/07/18 19:05:26 | 000,217,019 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\faxnt.sys -- (SoftFax)
DRV - [2001/07/18 19:04:26 | 000,056,607 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tonesnt.sys -- (Tones)
DRV - [2001/07/18 19:04:04 | 000,310,899 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fallback.sys -- (Fallback)
DRV - [2001/07/18 19:01:56 | 000,077,426 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\basic2.sys -- (basic2)
DRV - [2001/07/18 19:01:38 | 000,067,654 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rksample.sys -- (Rksample)
DRV - [2001/07/18 19:01:20 | 000,534,125 | ---- | M] (Conexant Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\v124nt.sys -- (V124)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1715567821-1085031214-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1715567821-1085031214-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1715567821-1085031214-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;*.local

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Motive, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=8: C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\IPSFFPlgn\ [2011/08/21 00:08:23 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.1.0.29\coFFPlgn_2011_7_1_3 [2011/09/24 13:49:10 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/09/24 13:35:53 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\5.1.0.29\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\5.1.0.29\IPS\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Advertising Cookie Opt-out) - {8E425EB4-ADBD-4816-B1E8-49BB9DECF034} - C:\Program Files\Google\Advertising Cookie Opt-out\opt_out.dll (Google Inc)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\5.1.0.29\CoIEPlg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-1715567821-1085031214-682003330-1003\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\5.1.0.29\CoIEPlg.dll (Symantec Corporation)
O4 - HKU\S-1-5-21-1715567821-1085031214-682003330-1003..\Run: [TClockEx] C:\Program Files\TClockExe\TCLOCKEX.EXE (Dale Nurden)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 0
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 0
O7 - HKU\S-1-5-21-1715567821-1085031214-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1715567821-1085031214-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1715567821-1085031214-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1715567821-1085031214-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-1715567821-1085031214-682003330-1003\..Trusted Domains: chase.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-1715567821-1085031214-682003330-1003\..Trusted Domains: dell.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-1715567821-1085031214-682003330-1003\..Trusted Domains: secunia.com ([]http in Trusted sites)
O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} http://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab (Device Detection)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} http://www.caminova.net/ja/downloads/getmodule.aspx?lang=en (DjVuCtl Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269830155160 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269830388754 (MUWebControl Class)
O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} http://support.microsoft.com/mats/DiagWebControl.cab (Diagnostics ActiveX WebControl)
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab (SysInfo Class)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{46C5D265-B17C-485A-BEFB-F6F1B5229DB6}: DhcpNameServer = 10.0.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Susan Campbell\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Susan Campbell\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/03/26 00:33:14 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/24 16:20:54 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/09/24 13:07:01 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/09/24 13:04:35 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/09/24 13:04:35 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/09/24 13:04:35 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/09/24 13:04:35 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/09/24 13:04:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/09/24 13:04:14 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/09/24 12:17:39 | 004,226,750 | R--- | C] (Swearware) -- C:\Documents and Settings\Susan Campbell\Desktop\ComboFix.exe
[2011/09/18 16:51:14 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2011/09/18 16:21:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Susan Campbell\Desktop\ATT
[2011/09/16 19:46:43 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Susan Campbell\Start Menu\Programs\Administrative Tools
[2011/09/16 14:59:30 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/09/16 14:59:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Susan Campbell\Start Menu\Programs\HiJackThis
[2011/09/09 15:39:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\IrfanView
[2011/09/07 15:24:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\PDFCreator
[2011/09/07 15:24:52 | 000,137,000 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSMAPI32.OCX
[2011/09/07 15:24:50 | 000,023,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSMPIDE.DLL
[2011/09/07 15:24:50 | 000,000,000 | ---D | C] -- C:\Program Files\PDFCreator
[2011/09/02 14:16:59 | 000,000,000 | ---D | C] -- C:\search
[2011/08/30 10:35:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\iolo
[2002/04/11 00:41:00 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/24 16:28:33 | 000,000,440 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{551B3E86-5738-435A-824A-9D3D402E1D13}.job
[2011/09/24 13:50:22 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/09/24 13:49:17 | 000,002,695 | ---- | M] () -- C:\WINDOWS\BrmfBidi.ini
[2011/09/24 13:48:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/24 13:35:53 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/09/24 13:07:12 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/09/24 12:17:51 | 004,226,750 | R--- | M] (Swearware) -- C:\Documents and Settings\Susan Campbell\Desktop\ComboFix.exe
[2011/09/24 02:31:45 | 000,002,501 | ---- | M] () -- C:\Documents and Settings\Susan Campbell\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Word.lnk
[2011/09/23 20:49:05 | 000,109,879 | ---- | M] () -- C:\Documents and Settings\Susan Campbell\Desktop\__www.harborfreight.com_weatherproof-security-camera-with-.pdf
[2011/09/23 09:48:01 | 000,002,499 | ---- | M] () -- C:\Documents and Settings\Susan Campbell\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Excel.lnk
[2011/09/22 10:49:02 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/09/19 20:30:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/09/19 09:34:00 | 006,762,754 | ---- | M] () -- C:\Documents and Settings\Susan Campbell\Desktop\Adobe Tall Foreset After Fire.PDF
[2011/09/17 15:29:29 | 013,135,872 | ---- | M] () -- C:\Documents and Settings\Susan Campbell\My Documents\AdbeRdrUpd1011.msp
[2011/09/16 19:35:10 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Susan Campbell\defogger_reenable
[2011/09/16 17:09:09 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2011/09/14 07:58:02 | 000,003,224 | ---- | M] () -- C:\{165CB1DC-6762-4FC9-9855-F9EFE8954E0B}
[2011/09/13 15:07:31 | 000,071,680 | ---- | M] () -- C:\Documents and Settings\Susan Campbell\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/09/13 11:23:29 | 000,087,040 | ---- | M] () -- C:\Documents and Settings\Susan Campbell\My Documents\Blank CD Env.pub
[2011/09/12 11:28:17 | 000,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2011/09/12 11:28:11 | 000,010,869 | ---- | M] () -- C:\Documents and Settings\Susan Campbell\Application Data\Microsoft Excel.CAL
[2011/09/09 16:18:05 | 000,210,944 | ---- | M] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2011/09/09 16:18:05 | 000,032,768 | ---- | M] (Adobe Systems, Inc.) -- C:\WINDOWS\System32\PLUGIN.DLL
[2011/09/09 15:39:22 | 000,000,685 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\IrfanView.lnk
[2011/09/09 04:12:13 | 000,599,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\crypt32.dll
[2011/09/06 12:11:02 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Susan Campbell\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Outlook.lnk
[2011/09/03 21:20:30 | 000,009,961 | ---- | M] () -- C:\Documents and Settings\Susan Campbell\Application Data\Comma Separated Values (Windows).CAL
[2011/09/01 20:55:38 | 000,000,272 | ---- | M] () -- C:\{40B0DC84-AEBF-433F-ADC5-759DAB2EAC20}
[2011/09/01 02:03:05 | 000,000,960 | ---- | M] () -- C:\{6D1D5684-5A2D-4F40-A295-71C478E0AB97}
[2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/08/28 14:14:44 | 000,262,144 | ---- | M] () -- C:\WINDOWS\System32\default_user_class.dat
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/24 13:07:12 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/09/24 13:07:06 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/09/24 13:04:35 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/09/24 13:04:35 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/09/24 13:04:35 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/09/24 13:04:35 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/09/24 13:04:35 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/09/23 20:49:00 | 000,109,879 | ---- | C] () -- C:\Documents and Settings\Susan Campbell\Desktop\__www.harborfreight.com_weatherproof-security-camera-with-.pdf
[2011/09/19 09:34:00 | 006,762,754 | ---- | C] () -- C:\Documents and Settings\Susan Campbell\Desktop\Adobe Tall Foreset After Fire.PDF
[2011/09/17 15:28:49 | 013,135,872 | ---- | C] () -- C:\Documents and Settings\Susan Campbell\My Documents\AdbeRdrUpd1011.msp
[2011/09/16 19:35:10 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Susan Campbell\defogger_reenable
[2011/09/14 07:58:02 | 000,003,224 | ---- | C] () -- C:\{165CB1DC-6762-4FC9-9855-F9EFE8954E0B}
[2011/09/13 11:23:28 | 000,087,040 | ---- | C] () -- C:\Documents and Settings\Susan Campbell\My Documents\Blank CD Env.pub
[2011/09/09 15:39:22 | 000,000,685 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\IrfanView.lnk
[2011/09/01 20:55:38 | 000,000,272 | ---- | C] () -- C:\{40B0DC84-AEBF-433F-ADC5-759DAB2EAC20}
[2011/09/01 02:03:05 | 000,000,960 | ---- | C] () -- C:\{6D1D5684-5A2D-4F40-A295-71C478E0AB97}
[2011/08/21 20:38:34 | 000,074,703 | ---- | C] () -- C:\WINDOWS\System32\mfc45.dll
[2011/06/16 19:40:07 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
[2011/05/16 13:30:54 | 000,023,951 | ---- | C] () -- C:\Documents and Settings\Susan Campbell\Application Data\Microsoft Excel.ADR
[2011/03/29 10:48:42 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\default_user_class.dat
[2011/03/28 17:51:08 | 000,009,998 | ---- | C] () -- C:\Documents and Settings\Susan Campbell\Application Data\Comma Separated Values (DOS).CAL
[2011/01/07 17:24:01 | 000,038,537 | ---- | C] () -- C:\Documents and Settings\Susan Campbell\Application Data\Comma Separated Values (DOS).ADR
[2010/10/15 23:21:13 | 001,017,192 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/10/11 18:54:28 | 000,066,288 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/07/30 16:21:34 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2010/05/11 02:02:16 | 000,965,120 | ---- | C] () -- C:\Program Files\Clk.exe
[2010/05/02 01:23:20 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/27 12:42:38 | 000,000,272 | ---- | C] () -- C:\WINDOWS\hpqcopy.INI
[2010/04/18 15:33:05 | 000,010,869 | ---- | C] () -- C:\Documents and Settings\Susan Campbell\Application Data\Microsoft Excel.CAL
[2010/04/05 15:03:03 | 000,071,680 | ---- | C] () -- C:\Documents and Settings\Susan Campbell\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/05 01:26:28 | 000,013,149 | ---- | C] () -- C:\Documents and Settings\Susan Campbell\Application Data\Microsoft Access.CAL
[2010/04/03 20:39:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2010/04/03 19:58:09 | 000,593,920 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2010/04/03 19:35:20 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2010/04/01 11:29:48 | 000,009,961 | ---- | C] () -- C:\Documents and Settings\Susan Campbell\Application Data\Comma Separated Values (Windows).CAL
[2010/03/31 10:22:13 | 000,002,695 | ---- | C] () -- C:\WINDOWS\BrmfBidi.ini
[2010/03/31 10:22:09 | 000,000,256 | R--- | C] () -- C:\WINDOWS\System32\brmsl06.bin
[2010/03/29 13:31:14 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/03/29 12:15:57 | 000,000,066 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2010/03/29 12:15:20 | 000,002,516 | ---- | C] () -- C:\WINDOWS\System32\P16X.ini
[2010/03/29 12:15:20 | 000,000,026 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2010/03/29 12:15:19 | 000,002,696 | ---- | C] () -- C:\WINDOWS\MIXDEF.INI
[2010/03/26 01:00:23 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2010/03/26 00:36:35 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/03/26 00:29:34 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/03/25 17:19:36 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/03/25 17:18:23 | 000,296,456 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/02/10 23:12:00 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2010/02/10 23:12:00 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/04/23 17:29:16 | 000,121,995 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2004/08/02 15:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2003/07/08 13:41:48 | 000,047,616 | ---- | C] () -- C:\WINDOWS\System32\P16X.dll
[2002/06/25 14:21:13 | 000,673,632 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2002/06/25 14:21:13 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2002/06/25 14:21:11 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2002/06/25 14:21:10 | 000,143,898 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2002/06/25 14:20:23 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2002/06/25 14:20:22 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/06/25 14:19:09 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2002/06/25 14:13:52 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2002/06/25 14:13:40 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2002/06/25 14:05:30 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2002/06/25 14:03:54 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2002/02/06 10:04:14 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\NMSInst.dll
[2002/01/21 16:17:18 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PROInst.dll
[1994/11/18 01:00:00 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL

========== Custom Scans ==========


< C:\search\* >
[2002/04/05 15:18:48 | 000,000,060 | ---- | M] () -- C:\search\add_registry_entries.bat
[2002/04/05 14:49:32 | 000,000,344 | ---- | M] () -- C:\search\add_registry_entries.reg
[2002/04/05 14:52:12 | 000,000,232 | ---- | M] () -- C:\search\remove_registry_entries.reg
[2002/04/05 15:28:52 | 000,007,982 | ---- | M] () -- C:\search\search.htm

< End of report >


and here is the OTL "Extra.txt" log:

OTL Extras logfile created on: 9/24/2011 4:25:49 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\Susan Campbell\Desktop\Computer Help\Blpng Cmptr\9.23.11
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 543.25 Mb Available Physical Memory | 53.10% Memory free
1.65 Gb Paging File | 1.16 Gb Available in Paging File | 70.32% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.75 Gb Total Space | 49.64 Gb Free Space | 44.42% Space Free | Partition Type: NTFS
Drive F: | 465.76 Gb Total Space | 49.19 Gb Free Space | 10.56% Space Free | Partition Type: NTFS

Computer Name: SCIENCE-NC24JMJ | User Name: Susan Campbell | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /k "cd %L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [print_directory_listing] -- printdir.bat "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{01A4AEDE-F219-49A2-B855-16A016EAF9A4}" = Intel® PROSet II
"{025C3792-E9C6-432A-92C1-661F99D021CA}" = Ulead Photo Explorer 8.5 SE
"{02A10468-2F1C-447C-AD8E-4DEDDEA25AE2}" = Medieval II Total War : Kingdoms : Crusades
"{03ADC8AB-C130-0C3D-1FF9-2C385DF25689}" = CCC Help Czech
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{07021185-008D-ABF9-7716-475AC035F8B3}" = CCC Help Spanish
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0F8D0406-7755-AC37-6529-73AD649DBE32}" = Catalyst Control Center Graphics Previews Common
"{1A655D51-1423-48A3-B748-8F5A0BE294C8}" = Microsoft Visual J# .NET Redistributable Package 1.1
"{1CB92574-96F2-467B-B793-5CEB35C40C29}" = Image Resizer Powertoy for Windows XP
"{20C53FA2-4307-4671-A93F-9463B29DFCF1}" = Symantec Technical Support Web Controls
"{22072CC8-7230-96F8-52F4-05EAF3F906B6}" = CCC Help Polish
"{2368ADBD-6FDF-4B9F-FE41-E20B4D78E79E}" = CCC Help Chinese Standard
"{25EF0DC4-B072-2E04-4581-A13C91423CE6}" = CCC Help Portuguese
"{26F7855C-443B-00A6-F7B8-A97A5403F617}" = CCC Help Danish
"{2CB4A925-48A7-DA65-DCEE-D4DE224B7D84}" = CCC Help English
"{306D75B9-7FFF-FF65-0C76-57F2FE4FE1D6}" = Catalyst Control Center Core Implementation
"{32B12FE4-5A51-751A-1FB6-A14E97EBDD5C}" = CCC Help German
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{351512E5-01BD-E878-6F57-AA3E517D9ECE}" = Skins
"{353FE16B-30FE-469A-BF55-B978F4218003}" = iTunes
"{354A387E-0374-21A3-6832-335674A6D7D1}" = CCC Help French
"{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
"{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
"{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
"{3C00BEE9-26D0-D9E0-A2D1-62F70D412A12}" = CCC Help Turkish
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
"{4346F7AA-3D56-0941-424C-4454E04D37F6}" = CCC Help Italian
"{4415B0E6-B266-49C3-B501-FFEF76C3D71B}" = Google Advertising Cookie Opt-out
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{46B3CC07-3B29-41B4-9B22-0988425E8E2C}_is1" = Auslogics Duplicate File Finder
"{49CE65E4-9EE2-4F29-8768-58DD1E45D09C}" = HP Photo and Imaging 2.1 - Scanjet 36X0 Series
"{4AC7B4E7-59B7-4E48-A60D-263C486FC33A}_is1" = System Checkup 3.0
"{4CAE2F2C-75CD-A0DE-7520-449BCBBCC833}" = CCC Help Korean
"{4EBDDD97-BC33-4F4C-8DF3-4FA4D83DF84E}" = Retrospect 7.6
"{4F1DA6BF-3614-48A1-9970-9E90F646789E}" = Ulead VideoStudio 8.0 SE DVD
"{51D386C4-0227-46A9-AC45-61F0A50E7AFF}" = Rome - Total War
"{57F7F0A5-8F22-8E63-E819-803B5C9CA3A5}" = CCC Help Dutch
"{590D4F8F-98FE-47FA-AC2B-3F22FDCF7C09}" = ShareIns
"{5EA437D2-7A57-B60E-E8F2-76BFAC0895A5}" = CCC Help Chinese Traditional
"{61AF4E75-050E-0304-3417-8BC16417FEB1}" = CCC Help Greek
"{632005DA-C291-5275-284C-5EE96B05C714}" = Catalyst Control Center HydraVision Full
"{659314FA-F336-482D-B094-C3FCA68BB60B}" = GEAR driver installer for x86 and x64
"{6A3F9D74-BB80-4451-8CA1-4B3A857F1359}" = Apple Application Support
"{6C72BE0C-3E25-CACD-0070-2FD9C02ABA14}" = ccc-core-preinstall
"{75983B66-804C-40D1-BA13-64DAF652A6F1}" = Medieval II Total War : Kingdoms : Americas
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = LiveUpdate BVRP Software
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7AEE1963-7001-4C37-BC20-2FAEB74AA41C}" = Medieval II Total War : Kingdoms : Teutonic
"{7D15B945-2725-4443-AB3F-D900556612FE}" = User Profile Hive Cleanup Service
"{8398B542-3CC4-44D9-83DF-696CCE70124B}" = Windows Support Tools
"{880BB617-914E-17E8-D877-A96BAC5794D2}" = Catalyst Control Center Graphics Full New
"{8897CF22-DB6C-8248-895C-12BFA2677F51}" = CCC Help Hungarian
"{8D7133DE-27D2-47E5-B248-4180278D32AA}" = Catalyst Control Center - Branding
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90300409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Media Content
"{91110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{91190409-6000-11D3-8CFE-0050048383C9}" = Microsoft Publisher 2002
"{96E16100-A77F-4B31-B9AD-FFBA040EE1BD}" = Sound Blaster Live!
"{9987773E-4C0B-4A51-AF29-6C08CF58BFEA}" = Europa Barbarorum v1
"{9CF4A37B-A8C4-44D7-8C53-13B9D9594BB2}" = Paint.NET v3.5.8
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = iSEEK AnswerWorks English Runtime
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)
"{AF710FDE-2815-8C8D-5281-8004C2654AA6}" = CCC Help Russian
"{AFF2D965-C6F2-A210-FBF7-532612AA1D23}" = CCC Help Swedish
"{B21336EE-4AEF-9940-4AC7-EDB89854B8D3}" = CCC Help Thai
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{BBA69346-61A1-BD34-E75A-4D81232DB1FE}" = Catalyst Control Center Localization All
"{BBD3F66B-1180-4785-B679-3F91572CD3B4}_is1" = iolo technologies' System Mechanic Professional
"{BFD5ED08-F066-92D5-BE67-3B9AE5DCFF0C}" = CCC Help Japanese
"{C0698BDA-0D29-40EE-8570-A31106DF9AB1}" = Medieval II Total War
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2E4B5BD-32DB-4817-A060-341AB17C3F90}" = Bonjour
"{C4609F15-FB3C-D97E-BAA1-4F10815039C2}" = Catalyst Control Center Graphics Full Existing
"{C63E7C60-25EB-11D3-8EDA-00A0C911E8E5}" = Microsoft Outlook Personal Folders Backup
"{C768790F-04FB-11E0-9B2C-001AA037B01E}" = Google Earth
"{C7D89BBE-D4B3-49E8-B185-7966B5345866}" = Ulead DVD MovieFactory 3.5 Suite Deluxe
"{C82E1703-ACBB-4015-856B-A8A0E5BAC661}" = Ulead CD & DVD PictureShow 3 SE
"{C9E14402-3631-4182-B377-6B0DFB1C0339}" = QuickTime
"{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}" = ClearType Tuning Control Panel Applet
"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD41B576-4787-4D5C-95EE-24A4ABD89CD3}" = System Requirements Lab for Intel
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEDDEE73-3D36-41C2-AA40-29355D9FBD63}" = Medieval II Total War : Kingdoms : Britannia
"{D01FAC3D-86B4-3A19-9D10-9156A0EB3EBE}" = CCC Help Finnish
"{D73722C8-3F65-C75B-A631-5D36894DAB92}" = ccc-core-static
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{DDAD33B6-8C00-428D-087B-A7088355B9BE}" = Catalyst Control Center Graphics Light
"{E333F074-FC7F-596D-3D61-44F0EC28E8C0}" = ccc-utility
"{E3436EE2-D5CB-4249-840B-3A0140CC34C3}" = Classic PhoneTools
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{FA38F9E4-BED7-E021-B660-8FDFF7EC6E1A}" = CCC Help Norwegian
"{FD69C8CB-6964-432C-98AB-A5A09ED50EEA}" = Barbarian Invasion
"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"ATT-PRT22" = ATT-PRT22
"CNXT_MODEM_PCI_VEN_14F1&DEV_2016&SUBSYS_021913E0" = Conexant HSF V92 56K RTAD Speakerphone PCI Modem
"DjVu" = LizardTech DjVu Control (autoinstall)
"FileMenu Tools_is1" = FileMenu Tools
"Graph paper printer" = Graph paper printer
"ie8" = Windows Internet Explorer 8
"Intelli-studio" = SAMSUNG Intelli-studio
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"MasterMind" = MasterMind
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"N360" = Norton 360
"PROSet" = Intel® PRO Ethernet Adapter and Software
"Secunia PSI" = Secunia PSI (2.0.0.3001)
"TurboTax 2009" = TurboTax 2009
"Tweak UI 2.10" = Tweak UI
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinMerge_is1" = WinMerge 2.12.4

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1715567821-1085031214-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"f031ef6ac137efc5" = Dell Driver Download Manager
"WinDirStat" = WinDirStat 1.1.2

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/19/2011 1:34:07 AM | Computer Name = SCIENCE-NC24JMJ | Source = Microsoft Office 10 | ID = 1000
Description = Faulting application winword.exe, version 10.0.6866.0, faulting module
comctl32.dll, version 5.82.2900.6028, fault address 0x00029932.

Error - 9/19/2011 1:34:36 AM | Computer Name = SCIENCE-NC24JMJ | Source = Microsoft Office 10 | ID = 1001
Description = Fault bucket 2063391292.

Error - 9/19/2011 1:41:54 AM | Computer Name = SCIENCE-NC24JMJ | Source = Microsoft Office 10 | ID = 1000
Description = Faulting application winword.exe, version 10.0.6866.0, faulting module
mso.dll, version 10.0.6870.0, fault address 0x00007363.

Error - 9/19/2011 1:42:31 AM | Computer Name = SCIENCE-NC24JMJ | Source = Microsoft Office 10 | ID = 1001
Description = Fault bucket -1896562509.

Error - 9/19/2011 2:10:42 AM | Computer Name = SCIENCE-NC24JMJ | Source = Microsoft Office 10 | ID = 1000
Description = Faulting application winword.exe, version 10.0.6866.0, faulting module
mso.dll, version 10.0.6870.0, fault address 0x00007363.

Error - 9/19/2011 2:31:07 AM | Computer Name = SCIENCE-NC24JMJ | Source = Microsoft Office 10 | ID = 1000
Description = Faulting application winword.exe, version 10.0.6866.0, faulting module
mso.dll, version 10.0.6870.0, fault address 0x00007363.

Error - 9/19/2011 10:35:22 AM | Computer Name = SCIENCE-NC24JMJ | Source = Application Error | ID = 1000
Description = Faulting application acrord32.exe, version 10.1.1.33, faulting module
unknown, version 0.0.0.0, fault address 0x00000100.

Error - 9/19/2011 10:35:30 AM | Computer Name = SCIENCE-NC24JMJ | Source = Application Error | ID = 1001
Description = Fault bucket -1688464592.

Error - 9/23/2011 9:48:07 PM | Computer Name = SCIENCE-NC24JMJ | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.19120, fault address 0x000ba108.

Error - 9/23/2011 9:48:14 PM | Computer Name = SCIENCE-NC24JMJ | Source = Application Error | ID = 1001
Description = Fault bucket -1739090641.

[ System Events ]
Error - 9/21/2011 2:53:38 PM | Computer Name = SCIENCE-NC24JMJ | Source = Service Control Manager | ID = 7034
Description = The Secunia Update Agent service terminated unexpectedly. It has
done this 4 time(s).

Error - 9/22/2011 2:42:21 PM | Computer Name = SCIENCE-NC24JMJ | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}.
The
error: "%5" Happened while starting this command: C:\WINDOWS\system32\wbem\wmiprvse.exe
-Embedding

Error - 9/23/2011 10:10:16 PM | Computer Name = SCIENCE-NC24JMJ | Source = Service Control Manager | ID = 7034
Description = The iolo System Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 9/23/2011 10:10:23 PM | Computer Name = SCIENCE-NC24JMJ | Source = Service Control Manager | ID = 7034
Description = The Secunia PSI Agent service terminated unexpectedly. It has done
this 1 time(s).

Error - 9/23/2011 10:10:34 PM | Computer Name = SCIENCE-NC24JMJ | Source = Service Control Manager | ID = 7034
Description = The Secunia Update Agent service terminated unexpectedly. It has
done this 1 time(s).

Error - 9/23/2011 10:10:48 PM | Computer Name = SCIENCE-NC24JMJ | Source = Service Control Manager | ID = 7034
Description = The User Profile Hive Cleanup service terminated unexpectedly. It
has done this 1 time(s).

Error - 9/23/2011 10:40:30 PM | Computer Name = SCIENCE-NC24JMJ | Source = Print | ID = 6161
Description = The document http://www.bleepingcomputer.com/forums/topic34773.html
owned by Susan Campbell failed to print on printer Brother MFC-8500. Data type:
NT EMF 1.008. Size of the spool file in bytes: 2883584. Number of bytes printed:
0. Total number of pages in the document: 2. Number of pages printed: 0. Client
machine: \\SCIENCE-NC24JMJ. Win32 error code returned by the print processor: 2
(0x2).

Error - 9/24/2011 2:02:37 PM | Computer Name = SCIENCE-NC24JMJ | Source = Service Control Manager | ID = 7034
Description = The iolo System Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 9/24/2011 2:02:41 PM | Computer Name = SCIENCE-NC24JMJ | Source = Service Control Manager | ID = 7034
Description = The Secunia PSI Agent service terminated unexpectedly. It has done
this 1 time(s).

Error - 9/24/2011 2:02:44 PM | Computer Name = SCIENCE-NC24JMJ | Source = Service Control Manager | ID = 7034
Description = The Secunia Update Agent service terminated unexpectedly. It has
done this 1 time(s).


< End of report >


Olive Oyl

#12 Casey_boy

    Bleeping physicist

  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK
  • Local time:12:19 PM

Posted 25 September 2011 - 11:15 AM

Hi again,

Your log doesn't look too bad.

:step1: We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the OTL textbox.
    :OTL
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html File not found
    [2011/09/01 20:55:38 | 000,000,272 | ---- | M] () -- C:\{40B0DC84-AEBF-433F-ADC5-759DAB2EAC20}
    [2011/09/01 02:03:05 | 000,000,960 | ---- | M] () -- C:\{6D1D5684-5A2D-4F40-A295-71C478E0AB97}
    [2011/09/14 07:58:02 | 000,003,224 | ---- | M] () -- C:\{165CB1DC-6762-4FC9-9855-F9EFE8954E0B}
    
    :commands
    [CREATERESTOREPOINT]
    [EMPTYTEMP]
    [PURITY]
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.

:step2: Run CheckDisk
  • Double-click My Computer, and then right-click the hard disk that has your Windows installation on it.
  • Click Properties, and then click Tools.
  • Under Error-checking, click Check Now (you may need to enter your administrator password). A dialog box that shows the Check disk options is displayed.
  • Select the Scan for and attempt recovery of bad sectors check box, and then click Start.
  • Click Yes to schedule the disk check.
  • Restart your PC.

Note: this process will take some time; please allow it to run fully.

Please let me know how your PC is running.

Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.




#13 Olive Oyl

  • Topic Starter
  • Members
  • 17 posts
  • Local time:07:19 AM

Posted 25 September 2011 - 12:13 PM

Hi Casey,

Thanks very much. I'll follow your instructions now and report back in a few hours.

#14 Olive Oyl

  • Topic Starter
  • Members
  • 17 posts
  • Local time:07:19 AM

Posted 25 September 2011 - 12:23 PM

Check that...I'll give you the OTL report and THEN I'll run CHKDSK and report back!

All processes killed
========== OTL ==========
File Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab not found.
Starting removal of ActiveX control Microsoft XML Parser for Java
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Google Sidewiki...\ deleted successfully.
C:\{40B0DC84-AEBF-433F-ADC5-759DAB2EAC20} moved successfully.
C:\{6D1D5684-5A2D-4F40-A295-71C478E0AB97} moved successfully.
C:\{165CB1DC-6762-4FC9-9855-F9EFE8954E0B} moved successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point (0)

[EMPTYTEMP]

User: administrator

User: Administrator.SCIENCE-NC24JMJ
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 469 bytes
->Flash cache emptied: 56922 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56468 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 343 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Susan Campbell
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1335519 bytes
->Flash cache emptied: 60479 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1286535 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 33251 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 35375 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 3.00 mb


OTL by OldTimer - Version 3.2.29.1 log created on 09252011_121726

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_6fc.dat not found!

Registry entries deleted on Reboot...

#15 Olive Oyl

  • Topic Starter
  • Members
  • 17 posts
  • Local time:07:19 AM

Posted 25 September 2011 - 02:02 PM

Hi Casey,

I performed CHKDSK following your instructions. It performed without me needing to reboot, perhaps because I ended all processes except the basic ones. It only took about 45 minutes. I tried to find the log to see the results, but, I've learned, when it runs without the need of a reboot and it finds no errors, it does not generate a report. But it ran last night (well, the wee hours of today, Dallas, Texas time), perhaps initiated by System Mechanic (?). I've attached the log from that episode, in case it might be helpful.

I ran System Mechanic last night.

Perhaps it caused Check Disk to run, because I didn't.

9/25/11, 3:35:44 AM

Checking file system on C:
The type of the file system is NTFS.


A disk check has been scheduled.
Windows will now check the disk.
Cleaning up minor inconsistencies on the drive.
Cleaning up 78 unused index entries from index $SII of file 0x9.
Cleaning up 78 unused index entries from index $SDH of file 0x9.
Cleaning up 78 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.

117178078 KB total disk space.
64761120 KB in 182222 files.
70932 KB in 13903 indexes.
0 KB in bad sectors.
313078 KB in use by the system.
65536 KB occupied by the log file.
52032948 KB available on disk.

4096 bytes in each allocation unit.
29294519 total allocation units on disk.
13008237 allocation units available on disk.

Internal Info:

Windows has finished checking your disk.
Please wait while your computer restarts.


Yeehaw...So far, the ol' gal seems to be humming right along.

Questions: *** should I reset the 'Defogger' settings?

*** Did the result from the 1st 'Jotti' scan indicate an infection? "BackDoor.W32.Death.25.m..." If so, ick...I try (hard) to keep those creepy things from gettin' me!

*** Any idea about the weird “The IMAPI CD burning service entered the stopped state” messages in the event logs?

*** Can you hazard a guess about my DVD burner conking on me? Software or Hardware??? Related to the "IMAPI" events?

And thank you so much for your perfect step-by-step!

And I love that you're a physicist...Kids here call me the Science Lady...I hope to inspire at least one to become a physicist!
