Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

XP Antispyware 2013 malware infection


  • This topic is locked This topic is locked
15 replies to this topic

#1 T_mike

T_mike

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:55 AM

Posted 04 February 2013 - 09:45 PM

Sirs:

In mid_january 2013 I was affected with XP Antispyware 2013.

1.Downloaded SpyDoctor - SCAN didn't detect

2.McAffe and Spy Protector which is resident on my computer - and automatically updated didn't detect it. The malware interfered with McAfee warnings.

3. Found my old notes from a similar infection in 2010 - and went to your site.

4. RKill found nothing to stop

5. Malware Byte - repeated scans found nothing . ( Also ran in through your chameleon.)

6. Ran ComboFix as I did in 2010 - and that stopped the infection - but please logs to see if I am correct.

7. Made the mistake of deleting Temp Files - so Unhide can't find and restore my links.

8. Present system - one User profile not Admin is pretty hosed. Wanted to use Windows SYSTEM Restore as ADmin user but SYSTEM RESTORE hanngs - see log file.

Solution Required: a) Get Windows SYSTEM RESTORE up and running to restore to an earlier point and B) any other Windows help you can suggest.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
Run by DeluxeCatz at 18:10:49 on 2013-02-04
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1791 [GMT -8:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Security Task Manager\SpyProtector.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys\WUSB100\WUSB100.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys\WUSB100\WUSB100.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
uURLSearchHooks: PC Tools Browser Guard: {472734EA-242A-422b-ADF8-83D1E48CC825} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120630070853.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734EA-242A-422B-ADF8-83D1E48CC825} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734EA-242A-422B-ADF8-83D1E48CC825} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Spy Protector] c:\program files\security task manager\SpyProtector.exe /autostart
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\linksys\wusb100\WUSB100.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: vzTCPConfig - hxxps://www.verizon.net/WhatsNext/CheckMyPc/vzTCPConfig.CAB
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190419922640
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{1D36831A-BC22-4713-8130-51FCD480D9DB} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{E6277542-4D28-4FCB-AA1D-446C158EE33E} : DHCPNameServer = 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\program files\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\24.0.1312.57\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\deluxecatz\application data\mozilla\firefox\profiles\p9frxier.default\
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-3-13 565416]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-9-17 91200]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\pc tools\pc tools security\bdt\BDTUpdateService.exe [2013-1-16 580728]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-9-17 167784]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-9-17 167784]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-9-17 167784]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-9-17 167784]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-9-17 203400]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-9-17 168880]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-9-17 171976]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-2-19 106496]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-9-17 60480]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-9-17 234824]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-9-17 362640]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2012-12-22 84464]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-10-27 146872]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-9-17 65488]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2012-12-22 84464]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-9-17 92192]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S3 PCTBD;PC Tools Browser Defender Driver;c:\windows\system32\drivers\PCTBD.sys [2013-1-16 62688]
S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-7-28 517632]
.
=============== Created Last 30 ================
.
2013-01-19 02:16:51 -------- d-----w- c:\program files\Security Task Manager
2013-01-18 23:53:59 -------- d-----w- c:\documents and settings\deluxecatz\local settings\application data\Threat Expert
2013-01-17 12:26:09 -------- d-----w- C:\ComboFix
2013-01-17 03:07:50 769144 ----a-w- c:\windows\BDTSupport.dll
2013-01-17 03:07:50 62688 ----a-w- c:\windows\system32\drivers\PCTBD.sys
2013-01-17 03:07:49 2280568 ----a-w- c:\windows\PCTBDCore.dll
2013-01-17 03:07:49 150648 ----a-w- c:\windows\SGDetectionTool.dll
2013-01-17 03:07:48 1690744 ----a-w- c:\windows\PCTBDRes.dll
2013-01-17 03:06:23 -------- d-----w- c:\program files\PC Tools
2013-01-17 03:02:29 202280 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2013-01-17 03:02:28 -------- d-----w- c:\program files\common files\PC Tools
2013-01-17 03:01:58 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2013-01-17 03:01:57 -------- d-----w- c:\documents and settings\deluxecatz\application data\TestApp
2013-01-15 12:28:34 -------- d-----w- c:\documents and settings\deluxecatz\application data\Sammsoft
2013-01-15 02:56:14 -------- d-----w- c:\program files\Yahoo!
2013-01-15 02:54:07 -------- d-----w- c:\documents and settings\all users\application data\APN
.
==================== Find3M ====================
.
2013-01-08 21:23:01 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-26 18:12:06 60480 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-12-26 18:09:06 171976 ----a-w- c:\windows\system32\mfevtps.exe
2012-12-26 18:08:44 91200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2012-12-26 18:08:06 9648 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-12-26 18:07:54 92192 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-12-26 18:06:54 565416 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-12-26 18:06:04 84464 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2012-12-26 18:05:52 362640 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-12-26 18:05:22 65488 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-12-26 18:05:02 234824 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-12-26 18:04:34 132976 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-12-11 22:22:28 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-08 19:29:12 1402312 ----a-w- c:\windows\system32\msxml4.dll
.
============= FINISH: 18:12:08.56 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Krypton
  • Local time:04:55 AM

Posted 07 February 2013 - 03:38 PM

Hello and welcome to BleepingComputer. I am The Dark Knight and will be assisting you. Please ask questions if anything is unclear. :welcome:

 

Ran ComboFix as I did in 2010 - and that stopped the infection - but please logs to see if I am correct.

Running ComboFix without the supervision of a helper is risky, because it has such powerful commands. Please provide the log it produced in your reply.

 

=====

 

Please download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows. OTL.txt and Extras.txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all.

 

=====

 

Please provide the following in your reply (you may need to use multiple posts):

  • ComboFix.txt.

  • OTL.txt.

  • Extras.txt.

How is the computer currently running?


If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.


Posted Image
Posted Image


#3 T_mike

T_mike
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:55 AM

Posted 15 February 2013 - 12:16 AM

Dark Knight.

 

Sorry, didn't know how to navigate on this site - so missed your post. Computer seems okay - although the User Account where I was attacked is hosed in that can't open most files or programs. System Restore doesn't work on any of the Admin accounts.

 

Here is OTL.txt:

 

OTL logfile created on: 2/14/2013 8:39:33 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\Transaction\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.50 Gb Total Physical Memory | 2.04 Gb Available Physical Memory | 81.71% Memory free
4.35 Gb Paging File | 3.76 Gb Available in Paging File | 86.44% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.00 Gb Total Space | 100.22 Gb Free Space | 67.26% Space Free | Partition Type: NTFS
 
Computer Name: KELABU | User Name: Transaction | NOT logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013/02/14 20:39:01 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Transaction\Desktop\OTL.exe
PRC - [2013/01/14 18:00:22 | 001,278,064 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2011/06/09 13:06:06 | 000,507,624 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2010/11/10 08:59:50 | 000,140,616 | ---- | M] (Neuber Software - www.neuber.com) -- C:\Program Files\Security Task Manager\SpyProtector.exe
PRC - [2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/19 01:13:28 | 000,438,272 | -H-- | M] (WDC) -- C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
PRC - [2007/10/30 01:38:28 | 005,677,056 | -H-- | M] (Linksys) -- C:\Program Files\Linksys\WUSB100\WUSB100.exe
PRC - [2007/03/15 11:09:36 | 000,460,784 | -H-- | M] (Gteko Ltd.) -- C:\Program Files\DellSupport\DSAgnt.exe
PRC - [2007/03/09 10:09:58 | 000,063,712 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
PRC - [2003/08/11 00:07:34 | 000,188,416 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2012/08/27 20:33:32 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2012/08/27 20:33:08 | 001,242,512 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
 
 
========== Services (SafeList) ==========
 
SRV - [2013/02/07 19:23:34 | 000,251,248 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Unknown] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/12/26 10:09:06 | 000,171,976 | ---- | M] (McAfee, Inc.) [Auto | Unknown] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2012/12/26 10:05:32 | 000,168,880 | ---- | M] () [Auto | Unknown] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV - [2012/12/26 10:03:22 | 000,203,400 | ---- | M] () [Auto | Unknown] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2012/11/16 21:07:20 | 000,279,048 | ---- | M] (McAfee, Inc.) [Auto | Unknown] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2012/10/23 17:40:06 | 000,580,728 | ---- | M] (Threat Expert Ltd.) [Auto | Unknown] -- C:\Program Files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2012/08/31 12:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.) [Auto | Unknown] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2012/08/31 12:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.) [Auto | Unknown] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2012/08/31 12:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.) [Auto | Unknown] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2012/08/31 12:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.) [Auto | Unknown] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2012/08/31 12:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.) [Auto | Unknown] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2012/08/31 12:20:06 | 000,167,784 | ---- | M] (McAfee, Inc.) [Auto | Unknown] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2012/07/13 12:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Unknown] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2009/10/20 10:19:48 | 000,117,264 | -H-- | M] (CACE Technologies, Inc.) [On_Demand | Unknown] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd)
SRV - [2008/04/13 16:12:09 | 000,088,576 | ---- | M] (Microsoft Corporation) [Unknown (-1) | Unknown] -- C:\WINDOWS\system32\wbem\wmiaprpl.dll -- (WmiApRpl)
SRV - [2008/02/19 01:15:38 | 000,106,496 | -H-- | M] (WDC) [Auto | Unknown] -- C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe -- (WDBtnMgrSvc.exe)
SRV - [2007/03/19 11:44:44 | 000,070,656 | -H-- | M] () [On_Demand | Unknown] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Unknown] --  -- (WDICA)
DRV - File not found [Kernel | On_Demand | Unknown] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Unknown] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Unknown] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Unknown] --  -- (PDCOMP)
DRV - File not found [Kernel | System | Unknown] --  -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Unknown] --  -- (mfeavfk01)
DRV - File not found [Kernel | System | Unknown] --  -- (lbrtfdc)
DRV - File not found [Kernel | System | Unknown] --  -- (i2omgmt)
DRV - File not found [Kernel | System | Unknown] --  -- (Changer)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\DELUXE~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2012/12/26 10:12:06 | 000,060,480 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2012/12/26 10:08:44 | 000,091,200 | ---- | M] (McAfee, Inc.) [Kernel | System | Unknown] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2012/12/26 10:07:54 | 000,092,192 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2012/12/26 10:06:54 | 000,565,416 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Unknown] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2012/12/26 10:06:04 | 000,084,464 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2012/12/26 10:06:04 | 000,084,464 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2012/12/26 10:05:52 | 000,362,640 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2012/12/26 10:05:22 | 000,065,488 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2012/12/26 10:05:02 | 000,234,824 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2012/12/26 10:04:34 | 000,132,976 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2012/10/23 17:40:32 | 000,062,688 | ---- | M] (PC Tools) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\PCTBD.sys -- (PCTBD)
DRV - [2012/04/20 15:40:44 | 000,146,872 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\HipShieldK.sys -- (HipShieldK)
DRV - [2009/10/20 10:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2008/04/13 16:12:09 | 000,088,576 | ---- | M] (Microsoft Corporation) [Unknown (-1) | Unknown (-1) | Unknown] -- C:\WINDOWS\system32\wbem\wmiaprpl.dll -- (WmiApRpl)
DRV - [2007/07/28 13:50:36 | 000,517,632 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\rt2870.sys -- (rt2870)
DRV - [2007/02/25 11:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Unknown] -- C:\WINDOWS\system32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2006/11/28 20:46:20 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | Auto | Unknown] -- C:\WINDOWS\system32\drivers\PCASp50.sys -- (PCASp50)
DRV - [2006/10/05 16:07:28 | 000,004,736 | -H-- | M] (Gteko Ltd.) [Kernel | On_Demand | Unknown] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/02/09 19:57:46 | 001,502,208 | -H-- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/09/17 08:02:54 | 000,732,928 | -H-- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2003/11/17 14:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 14:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 14:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGLL_en
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files\McAfee\SiteAdvisor [2013/02/14 20:12:15 | 000,000,000 | -H-D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{cb84136f-9c44-433a-9048-c5cd9df1dc16}: C:\Program Files\PC Tools\PC Tools Security\BDT\Firefox\ [2013/01/16 19:07:52 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/30 06:08:51 | 000,000,000 | -H-D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/02/12 14:52:05 | 000,000,000 | -H-D | M]
 
[2008/10/18 06:09:52 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Transaction\Application Data\Mozilla\Firefox\Profiles\pdcnuzgh.default\extensions
[2011/12/18 11:43:41 | 000,000,000 | -H-D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/09/05 12:18:49 | 000,000,000 | -H-D | M] (Click to call with Skype) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2011/01/16 18:38:32 | 000,000,000 | -H-D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/04/12 19:17:59 | 000,000,000 | -H-D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/06/16 11:28:45 | 000,000,000 | -H-D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2011/12/18 11:43:41 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
[2011/12/10 14:08:46 | 000,000,000 | -H-D | M] (Talkback) -- C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org
[2011/12/10 14:08:15 | 000,067,688 | -H-- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jar50.dll
[2011/12/10 14:08:16 | 000,054,368 | -H-- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jsd3250.dll
[2011/12/10 14:08:16 | 000,034,944 | -H-- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\myspell.dll
[2011/12/10 14:08:18 | 000,046,712 | -H-- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\spellchk.dll
[2011/12/10 14:08:18 | 000,172,136 | -H-- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\xpinstal.dll
[2011/11/10 05:54:13 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2008/03/24 19:21:00 | 002,889,088 | -H-- | M] () -- C:\Program Files\mozilla firefox\plugins\NPSWF32.dll
 
O1 HOSTS File: ([2013/01/17 04:48:13 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20120630070853.dll (McAfee, Inc.)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe (HP)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [Spy Protector] C:\Program Files\Security Task Manager\SpyProtector.exe (Neuber Software - www.neuber.com)
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKLM..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe (WDC)
O4 - HKCU..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless Network Monitor.lnk = C:\Program Files\Linksys\WUSB100\WUSB100.exe (Linksys)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: navy.mil ([www.civilianbenefits.hroc] https in Trusted sites)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190419922640 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: vzTCPConfig https://www.verizon.net/WhatsNext/CheckMyPc/vzTCPConfig.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1D36831A-BC22-4713-8130-51FCD480D9DB}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E6277542-4D28-4FCB-AA1D-446C158EE33E}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Transaction\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Transaction\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/09/20 14:55:48 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
NetSvcs: 6to4 -  File not found
NetSvcs: Ias -  File not found
NetSvcs: Iprip -  File not found
NetSvcs: Irmon -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: WmdmPmSp -  File not found
 
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: wave1 - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)
 
CREATERESTOREPOINT
Unable to start System Restore Service. Error code 5
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/02/14 20:38:55 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Transaction\Desktop\OTL.exe
[2013/02/14 20:22:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
[2013/01/21 18:45:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\LocalVASL
[2013/01/21 17:19:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\stuff_To_mail
[2013/01/21 15:14:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Transaction\My Documents\UsersGuide
[2013/01/21 15:14:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Transaction\My Documents\boards
[2013/01/21 15:07:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Transaction\VASSAL
[2013/01/21 14:54:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\UsersGuide
[2013/01/20 20:15:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\ASL_Help
[2013/01/19 13:56:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Transaction\Application Data\Sammsoft
[2013/01/18 18:16:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager
[2013/01/18 18:16:51 | 000,000,000 | ---D | C] -- C:\Program Files\Security Task Manager
[2013/01/18 18:12:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Transaction\Local Settings\Application Data\Threat Expert
[2013/01/18 16:41:06 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Documents\rundll32.exe
[2013/01/17 05:00:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2013/01/17 04:26:09 | 000,000,000 | ---D | C] -- C:\ComboFix
[2013/01/16 19:07:50 | 000,062,688 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTBD.sys
[2013/01/16 19:07:49 | 002,280,568 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll
[2013/01/16 19:07:49 | 000,150,648 | ---- | C] (PC Tools) -- C:\WINDOWS\SGDetectionTool.dll
[2013/01/16 19:07:48 | 001,690,744 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDRes.dll
[2013/01/16 19:06:23 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools
[2013/01/16 19:02:29 | 000,202,280 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTSD.sys
[2013/01/16 19:02:28 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2013/01/16 19:01:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013/02/14 20:42:00 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{97833F28-DCA8-4C15-896A-A10E5ADD409F}.job
[2013/02/14 20:39:25 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/02/14 20:39:01 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Transaction\Desktop\OTL.exe
[2013/02/14 20:22:31 | 000,001,595 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee AntiVirus Plus.lnk
[2013/02/14 20:22:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/02/14 20:11:55 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/02/14 20:11:53 | 2682,408,960 | -HS- | M] () -- C:\hiberfil.sys
[2013/02/14 19:58:21 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/02/09 19:44:29 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/02/09 19:44:29 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2013/02/07 19:23:30 | 000,697,712 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/02/07 19:23:30 | 000,074,096 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/02/03 18:37:42 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2013/01/26 17:30:53 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Transaction\My Documents\http   money.cnn.com 2012 08 07 pf medicare-rehab-costs
[2013/01/26 17:29:51 | 000,021,940 | ---- | M] () -- C:\Documents and Settings\Transaction\My Documents\http   money.cnn.com 2012 08 07 pf medicare-rehab-costs.pdf
[2013/01/21 18:51:52 | 000,000,783 | ---- | M] () -- C:\Documents and Settings\Transaction\Desktop\Shortcut to VASL.lnk
[2013/01/18 14:28:54 | 000,001,831 | ---- | M] () -- C:\Documents and Settings\Transaction\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/01/17 04:48:13 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013/01/26 17:30:53 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Transaction\My Documents\http   money.cnn.com 2012 08 07 pf medicare-rehab-costs
[2013/01/26 17:29:49 | 000,021,940 | ---- | C] () -- C:\Documents and Settings\Transaction\My Documents\http   money.cnn.com 2012 08 07 pf medicare-rehab-costs.pdf
[2013/01/21 18:51:52 | 000,000,783 | ---- | C] () -- C:\Documents and Settings\Transaction\Desktop\Shortcut to VASL.lnk
[2013/01/18 14:28:54 | 000,001,831 | ---- | C] () -- C:\Documents and Settings\Transaction\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/01/18 14:28:24 | 2682,408,960 | -HS- | C] () -- C:\hiberfil.sys
[2013/01/16 19:07:50 | 000,769,144 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll
[2013/01/16 19:07:49 | 000,003,488 | ---- | C] () -- C:\WINDOWS\UDB.zip
[2013/01/16 19:07:49 | 000,000,882 | ---- | C] () -- C:\WINDOWS\RegSDImport.xml
[2013/01/16 19:07:49 | 000,000,879 | ---- | C] () -- C:\WINDOWS\RegISSImport.xml
[2013/01/16 19:07:49 | 000,000,131 | ---- | C] () -- C:\WINDOWS\IDB.zip
[2013/01/13 17:50:12 | 000,012,462 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl
[2012/03/30 17:36:42 | 000,000,275 | ---- | C] () -- C:\WINDOWS\EReg104.dat
[2012/02/16 05:19:38 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/06/16 18:52:52 | 000,565,248 | R--- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2011/06/16 18:14:22 | 000,000,200 | ---- | C] () -- C:\WINDOWS\ins.dat
[2011/04/23 10:28:04 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/04/23 10:28:04 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/04/23 10:28:04 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/04/23 10:28:04 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/04/23 10:28:04 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
 
========== ZeroAccess Check ==========
 
[2012/01/21 18:16:31 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2009/12/21 21:21:02 | 001,509,888 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 04:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 16:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== Custom Scans ==========
 
< %SYSTEMDRIVE%\*.* >
[2010/03/14 08:54:49 | 000,026,876 | ---- | M] () -- C:\aaw7boot.log
[2007/09/20 14:55:48 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/06/27 14:03:20 | 000,000,211 | -HS- | M] () -- C:\Boot.bak
[2011/06/17 19:46:44 | 000,000,327 | -HS- | M] () -- C:\boot.ini
[2004/08/03 22:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2013/01/17 04:56:11 | 000,015,360 | ---- | M] () -- C:\ComboFix.txt
[2007/09/20 14:55:48 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2013/02/14 20:11:53 | 2682,408,960 | -HS- | M] () -- C:\hiberfil.sys
[2007/09/20 14:55:48 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2007/09/20 14:55:48 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/12 05:25:07 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2010/03/06 15:29:44 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2013/02/14 20:11:52 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2011/12/11 14:38:30 | 000,000,359 | ---- | M] () -- C:\rkill.log
[2011/12/11 14:44:11 | 000,107,904 | ---- | M] () -- C:\TDSSKiller.2.6.22.0_11.12.2011_14.43.27_log.txt
[2013/01/14 19:09:23 | 000,182,762 | ---- | M] () -- C:\TDSSKiller.2.8.15.0_14.01.2013_19.08.33_log.txt
 
< %systemroot%\*. /mp /s >
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
"NoAutoUpdate" = 0
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2013-01-20 01:02:00
 
========== Files - Unicode (All) ==========
[2012/07/13 17:07:55 | 000,000,000 | ---D | M](C:\WINDOWS\System32\??) -- C:\WINDOWS\System32\괰Ӌ
[2012/07/13 17:07:55 | 000,000,000 | ---D | C](C:\WINDOWS\System32\??) -- C:\WINDOWS\System32\괰Ӌ
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84


 

< End of report >

Attached Files



#4 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Krypton
  • Local time:04:55 AM

Posted 15 February 2013 - 03:25 AM

Hello T_mike,

There are signs of the Yahoo! Toolbar in your log. This toolbar comes bundled with other third party applications you may not want installed. Please see here for more information. I recommend you remove it.

Please go to Start>Control Panel>Programs and uninstall the following (if present):
  • Sammsoft
  • WinPcap
  • Yahoo!
  • Yahoo! Companion
  • Yahoo! Toolbar
  • Please restart your computer after these program removals.

    =====

    Next, please run OTL.exe.
    • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      :OTL
      SRV - [2009/10/20 10:19:48 | 000,117,264 | -H-- | M] (CACE Technologies, Inc.) [On_Demand | Unknown] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd)
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O15 - HKCU\..Trusted Domains: navy.mil ([www.civilianbenefits.hroc] https in Trusted sites)
      [2013/01/19 13:56:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Transaction\Application Data\Sammsoft
      [2013/01/13 17:50:12 | 000,012,462 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl
      @Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
      @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84

      :Commands
      [EmptyTemp]
    • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
    • Click the red Run Fix button.
    • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTL.exe
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    =====

    Please provide the contents of the OTL fix log in your reply and please let me know how your computer is running.


If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.


Posted Image
Posted Image


#5 T_mike

T_mike
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:55 AM

Posted 15 February 2013 - 07:17 PM

The Dark Knight,

 

Removed WinPcap from Control Panel - Add/remove Programs

None of the other Programs were on the list

 

Removed Yahoo manually from Programs logged in as an Administrator

 

Ran OTL with the instruction script

 

Programs were removed -- and was advised to reboot

 

Could not find the OTL TXT file - searched for all .txt files since yesterday through today, and didn't see any that would be the one OTL created.

 

Computer pretty much as before. the one User account still not working .

 

Oh yes?, Can I pretty much expect that the XP malware is gone?



#6 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Krypton
  • Local time:04:55 AM

Posted 16 February 2013 - 12:05 AM

Hello T_mike,

 

Your logs haven't shown anything particularly bad.

 

You may have to delete that user account and just create a new one.

 


Please run a free online scan with the ESET Online Scanner.
Note: You can use Internet Explorer or Mozilla Firefox for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked.
  • Click Scan.
    Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

 


If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.


Posted Image
Posted Image


#7 T_mike

T_mike
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:55 AM

Posted 16 February 2013 - 07:13 PM

dark knight,

 

I think I found that text file from Old_Time:

 

All processes killed
========== OTL ==========
Error: No service named rpcapd was found to stop!
No service named rpcapd was found to delete!
File C:\Program Files\WinPcap\rpcapd.exe not found.
Registry delete failed. HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ scheduled to be deleted on reboot.
Unable to create HKLM\Software\OldTimer Tools\OTL key.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\navy.mil\www.civilianbenefits.hroc\ deleted successfully.
C:\Documents and Settings\Transaction\Application Data\Sammsoft\ARO\Version 2012\Partial Backups folder moved successfully.
C:\Documents and Settings\Transaction\Application Data\Sammsoft\ARO\Version 2012\Logs folder moved successfully.
C:\Documents and Settings\Transaction\Application Data\Sammsoft\ARO\Version 2012\Images folder moved successfully.
C:\Documents and Settings\Transaction\Application Data\Sammsoft\ARO\Version 2012 folder moved successfully.
C:\Documents and Settings\Transaction\Application Data\Sammsoft\ARO folder moved successfully.
C:\Documents and Settings\Transaction\Application Data\Sammsoft folder moved successfully.
Unable to create HKLM\Software\OldTimer Tools\OTL key.
File move failed. C:\Documents and Settings\All Users\Application Data\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl scheduled to be moved on reboot.
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 .
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84 .
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
Unable to create HKLM\Software\OldTimer Tools\OTL key.
Unable to create HKLM\Software\OldTimer Tools\OTL key.
Unable to create HKLM\Software\OldTimer Tools\OTL key.
Unable to create HKLM\Software\OldTimer Tools\OTL key.
Unable to create HKLM\Software\OldTimer Tools\OTL key.
Unable to create HKLM\Software\OldTimer Tools\OTL key.
Unable to create HKLM\Software\OldTimer Tools\OTL key.
->Temporary Internet Files folder emptied: 33170 bytes
Unable to create HKLM\Software\OldTimer Tools\OTL key.
Unable to create HKLM\Software\OldTimer Tools\OTL key.
->Flash cache emptied: 41620 bytes
 
User: DeluxeCatz
 
User: LocalService
 
User: NetworkService
 
User: Nick
 
User: Rohainie
 
User: Transaction
->Temp folder emptied: 66969 bytes
Unable to create HKLM\Software\OldTimer Tools\OTL key.
->Temporary Internet Files folder emptied: 65240321 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 10608434 bytes
->Apple Safari cache emptied: 13763584 bytes
->Flash cache emptied: 3997 bytes
 
%systemdrive% .tmp files removed: 0 bytes
Unable to create HKLM\Software\OldTimer Tools\OTL key.
Unable to create HKLM\Software\OldTimer Tools\OTL key.
Unable to create HKLM\Software\OldTimer Tools\OTL key.
Unable to create HKLM\Software\OldTimer Tools\OTL key.
%systemroot% .tmp files removed: 2162283 bytes
Unable to create HKLM\Software\OldTimer Tools\OTL key.
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Unable to create HKLM\Software\OldTimer Tools\OTL key.
Unable to create HKLM\Software\OldTimer Tools\OTL key.
Unable to create HKLM\Software\OldTimer Tools\OTL key.
Unable to create HKLM\Software\OldTimer Tools\OTL key.
Unable to create HKLM\Software\OldTimer Tools\OTL key.
Unable to create HKLM\Software\OldTimer Tools\OTL key.
Unable to create HKLM\Software\OldTimer Tools\OTL key.
Unable to create HKLM\Software\OldTimer Tools\OTL key.
Unable to create HKLM\Software\OldTimer Tools\OTL key.
Unable to create HKLM\Software\OldTimer Tools\OTL key.
Unable to create HKLM\Software\OldTimer Tools\OTL key.
Windows Temp folder emptied: 126007 bytes
RecycleBin emptied: 381 bytes
 
Total Files Cleaned = 88.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 02152013_152215
 



#8 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Krypton
  • Local time:04:55 AM

Posted 16 February 2013 - 07:36 PM

Hello T-mike,

 

Do you have the scan from ESET?


If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.


Posted Image
Posted Image


#9 T_mike

T_mike
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:55 AM

Posted 17 February 2013 - 05:39 AM

Dark Knight,

 

Here is the info from ESET SCAN:

 

 

ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=6a41b9469046694eb3aec97d55c41b08
# engine=13173
# end=stopped
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-02-17 01:16:33
# local_time=2013-02-16 05:16:33 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5122 16777213 100 100 2012817 110783751 0 0
# scanned=28033
# found=3
# cleaned=0
# scan_time=3083
sh=A762843B8D42C4A84158B2D36607E36AF9F2F3CB ft=1 fh=bb1f3b8fcad71efc vn="a variant of Win32/InstallCore.D application" ac=I fn="C:\Documents and Settings\All Users\Documents\SpyDetect\cnet2_sd-setup_exe.exe"
sh=FB5D6266240D0CA14064F704CAE7B0C71BC10D50 ft=1 fh=fd3cddddd847bb4a vn="probably a variant of Win32/InstallIQ application" ac=I fn="C:\Documents and Settings\All Users\Documents\Utilities_Jan2013\7zip_bimo_d154539.exe"
sh=FB5D6266240D0CA14064F704CAE7B0C71BC10D50 ft=1 fh=fd3cddddd847bb4a vn="probably a variant of Win32/InstallIQ application" ac=I fn="C:\Documents and Settings\DeluxeCatz\Desktop\7zip_bimo_d154539.exe"
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=6a41b9469046694eb3aec97d55c41b08
# engine=13173
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-02-17 04:38:36
# local_time=2013-02-16 08:38:36 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5122 16777213 100 100 2024940 110795874 0 0
# scanned=979
# found=0
# cleaned=0
# scan_time=908
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=6a41b9469046694eb3aec97d55c41b08
# engine=13173
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-02-17 08:22:09
# local_time=2013-02-17 12:22:09 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5122 16777213 100 100 2041954 110809288 0 0
# scanned=163242
# found=5
# cleaned=0
# scan_time=12997
sh=A762843B8D42C4A84158B2D36607E36AF9F2F3CB ft=1 fh=bb1f3b8fcad71efc vn="a variant of Win32/InstallCore.D application" ac=I fn="C:\Documents and Settings\All Users\Documents\SpyDetect\cnet2_sd-setup_exe.exe"
sh=FB5D6266240D0CA14064F704CAE7B0C71BC10D50 ft=1 fh=fd3cddddd847bb4a vn="probably a variant of Win32/InstallIQ application" ac=I fn="C:\RECYCLER\S-1-5-21-2000478354-117609710-725345543-1006\Dc70.exe"
sh=E90684A7D9D2D3AB8428AEBCCA964E077F34DF44 ft=1 fh=a9cc839b9994eecc vn="Win32/DownloadAdmin.G application" ac=I fn="C:\System Volume Information\_restore{475DFD80-9CD3-4EFF-AAE9-D8F2DBF5DAA0}\RP851\A0157265.exe"
sh=FB5D6266240D0CA14064F704CAE7B0C71BC10D50 ft=1 fh=fd3cddddd847bb4a vn="probably a variant of Win32/InstallIQ application" ac=I fn="C:\System Volume Information\_restore{475DFD80-9CD3-4EFF-AAE9-D8F2DBF5DAA0}\RP851\A0158139.exe"
sh=FB5D6266240D0CA14064F704CAE7B0C71BC10D50 ft=1 fh=fd3cddddd847bb4a vn="probably a variant of Win32/InstallIQ application" ac=I fn="C:\System Volume Information\_restore{475DFD80-9CD3-4EFF-AAE9-D8F2DBF5DAA0}\RP853\A0158236.exe"


#10 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Krypton
  • Local time:04:55 AM

Posted 17 February 2013 - 03:26 PM

Hey T_mike,

 

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.


Posted Image
Posted Image


#11 T_mike

T_mike
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:55 AM

Posted 17 February 2013 - 06:58 PM

Dark Knight,

 

 Results of screen317's Security Check version 0.99.57 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled! 
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Java™ 6 Update 30 
 Java™ 6 Update 3 
 Java™ 6 Update 7 
 Java version out of Date!
 Adobe Reader 9 Adobe Reader out of Date!
 Google Chrome 24.0.1312.56 
 Google Chrome 24.0.1312.57 
````````Process Check: objlist.exe by Laurent```````` 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 
````````````````````End of Log``````````````````````
 



#12 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Krypton
  • Local time:04:55 AM

Posted 18 February 2013 - 03:05 AM

Hey T_mike,

 

Your version of Java is out of date. It's important to remove older versions of Java since it does not do so automatically and older versions can leave you vulnerable.

Please follow the instructions below to update Java:

  • Please go to the below link and download the latest Windows 7 version:

http://www.java.com/en/download/manual.jsp
    
  • Save it to your Desktop.
  •     Please go to Start>Control Panel>Programs.
  •     Navigate to any versions of Java (J2SE Runtime Environment) you have installed. They will have this icon next to them:
  •      Select Uninstall.
  •     Please double-click the installer and follow the prompts to install the latest version once all the previous versions have been successfully removed.

 

=====

 

Also, your version of Adobe Reader is out of date. It could have security vulnerabilities, so please follow these instructions to update it:

  • Please go to Start>All Programs>Adobe Reader.
  • Open Adobe Reader and navigate to Help>Check for Updates.
  • Please follow the prompts to install the latest version.

 

=====

 

In your reply please let me know how the updates go.


If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.


Posted Image
Posted Image


#13 T_mike

T_mike
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:55 AM

Posted 18 February 2013 - 06:21 PM

Dark Knight,

 

Updates are done - both JAVA and Adobe.



#14 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Krypton
  • Local time:04:55 AM

Posted 19 February 2013 - 04:03 AM

Hello T_mike,

To remove all of the tools we used and the files and folders they created do the following:
Double click OTL.exe.
  • Click the CleanUp button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
  • Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    =====

    Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :thumbup:


    IMPORTANT: Please enable Automatic Updates under Start > Control Panel > Automatic Updates to ensure your Windows updates regularly. This is extremely important in ensuring you remain protected against vulnerabilities and infections. This is a crucial security measure.


    As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

    Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

    MalwareBytes' Anti-Malware Is a very good scanner that you can use when needed or pay to have it provide resident protection.

    SpywareBlaster
    A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

    A software firewall will help increase your computer security. Free versions are available for the below firewalls:Please visit this tutorial for further information on firewalls.

    Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster, can be run with any of them.

    Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here:

    http://www.spywarewarrior.com/rogue_anti-spyware.htm

    A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.


    Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and Add-ons, like Adblock Plus and NoScript, can make it even more secure. To avoid dangerous sites Web of Trust or McAfee SiteAdvisor can be installed. Google Chrome or Opera are other good options.

    Two useful programs for keeping your programs up-to-date are FileHippo or Secunia PSI. Running one of these regularly will help you obtain the latest program updates.

    Please also read Tony Klein's excellent article: How did I get infected in the first place.

    Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. smile.png

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.


Posted Image
Posted Image


#15 T_mike

T_mike
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:55 AM

Posted 19 February 2013 - 11:13 PM

Thank you - and hope you have good luck with others also!






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users