RunDown

Members
  • Content count

    14
  • Joined

  • Last visited

About RunDown

  • Rank
    New Member
  1. I do have another question. It turns out this computer didn't come with an XP install disc. Rather it looks like the system restore is off of the D: partition. Is it safe to wipe/reformat the infected C: partition and restore from D: or is it possible that is infected, too? Thank you
  2. I guess i may just reformat and reinstall. Fortunately the computer was rarely used so i'm not worried much about ID theft. I would like to try and save some of my documents from the drive if possible. Do you have any recomendations to do so safely, or is that not an issue? Also, once i have everything redone, do you have a recommendation for a best single malware/antivirus program? I don't think i'll be able to reinstall NortonAV, unless i repurchase a new copy. It has been years since i installed that and the copy is long gone. Thank you for all your help
  3. Thank you for getting back to me, I'll definitely stop the self-medication! I've included the texts from the various logs below, in order: ComboFix, exehelper, rkill, RogueKiller, SecurityCheck and FSS. As far as the other programs i have. I haven't run SystemMechanic 7 since XP SP3 came out, that killed that version of SystemMechanic, I haven't bothered to clean house and uninstall it but am happy to do so. I'll wait until everything is fixed to do so (unless you advise me otherwise). Norton AV is the first antivirus i've had on the computer and it and Spybot are the only things that run automatically at this point. What malware/antivirus programs should i get rid of? Which single program of what I have do you recommend? TeaTimer is off and i'll wait on your instructions for my next move. Thank you again! ComboFix.txt -------------------- ComboFix 13-02-15.01 - Owner 02/15/2013 12:57:13.1.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1288 [GMT -7:00] Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\Administrator\WINDOWS c:\documents and settings\Default User\WINDOWS c:\documents and settings\Owner\Application Data\inst.exe c:\documents and settings\Owner\Local Settings\Application Data\assembly\tmp c:\documents and settings\Owner\WINDOWS c:\documents and settings\UpdatusUser\WINDOWS C:\install.exe c:\windows\0 c:\windows\system32\config\systemprofile\WINDOWS c:\windows\system32\URTTemp c:\windows\system32\URTTemp\fusion.dll c:\windows\system32\URTTemp\mscoree.dll c:\windows\system32\URTTemp\mscoree.dll.local c:\windows\system32\URTTemp\mscorsn.dll c:\windows\system32\URTTemp\mscorwks.dll c:\windows\system32\URTTemp\msvcr71.dll c:\windows\system32\URTTemp\regtlib.exe c:\windows\wininit.ini D:\Autorun.inf . . ((((((((((((((((((((((((( Files Created from 2013-01-15 to 2013-02-15 ))))))))))))))))))))))))))))))) . . 2013-02-14 20:56 . 2013-02-15 18:03 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Spotify 2013-02-14 20:55 . 2013-02-15 19:49 -------- d-----w- c:\documents and settings\Owner\Application Data\Spotify 2013-02-14 18:33 . 2013-02-14 18:33 -------- d-----w- C:\iolo 2013-02-14 17:27 . 2013-02-14 17:27 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PCHealth 2013-02-14 03:27 . 2013-01-08 04:57 6991832 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{F5638409-4435-4CCF-B496-B6E2134CE26B}\mpengine.dll . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2013-02-14 23:32 . 2012-11-05 05:12 697712 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2013-02-14 23:32 . 2011-05-23 02:33 74096 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2013-02-14 23:32 . 2012-11-05 05:32 15739760 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe 2013-01-26 03:55 . 2005-04-13 16:55 552448 ----a-w- c:\windows\system32\oleaut32.dll 2013-01-17 08:28 . 2009-10-08 23:55 232336 ------w- c:\windows\system32\MpSigStub.exe 2013-01-08 04:57 . 2006-04-27 00:58 6991832 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll 2013-01-07 01:16 . 2005-04-13 16:55 2193024 ----a-w- c:\windows\system32\ntoskrnl.exe 2013-01-07 00:36 . 2004-08-04 05:59 2069760 ----a-w- c:\windows\system32\ntkrnlpa.exe 2013-01-04 01:20 . 2005-04-13 16:56 1867264 ----a-w- c:\windows\system32\win32k.sys 2013-01-02 06:49 . 2005-04-13 16:55 1292288 ----a-w- c:\windows\system32\quartz.dll 2012-12-26 20:16 . 2005-04-13 16:56 916480 ----a-w- c:\windows\system32\wininet.dll 2012-12-26 20:16 . 2005-04-13 16:55 43520 ----a-w- c:\windows\system32\licmgr10.dll 2012-12-26 20:16 . 2005-04-13 16:55 1469440 ------w- c:\windows\system32\inetcpl.cpl 2012-12-24 06:40 . 2005-04-13 16:55 385024 ----a-w- c:\windows\system32\html.iec 2012-12-16 12:23 . 2005-04-13 16:55 290560 ----a-w- c:\windows\system32\atmfd.dll 2012-12-14 23:49 . 2011-03-25 06:56 21104 ----a-w- c:\windows\system32\drivers\mbam.sys 2007-05-28 16:45 . 2013-02-14 19:09 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll 2007-05-28 16:45 . 2013-02-14 19:09 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll 2013-02-14 19:10 . 2013-02-14 19:09 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480] "NCsoft Launcher"="c:\program files\ncsoft\launcher\NCLauncher.exe" [2012-08-27 38744] "Spotify Web Helper"="c:\documents and settings\Owner\Application Data\Spotify\Data\SpotifyWebHelper.exe" [2013-02-15 1103768] "Spotify"="c:\documents and settings\Owner\Application Data\Spotify\Spotify.exe" [2013-02-15 4484504] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168] "CHotkey"="zHotkey.exe" [2005-05-03 543232] "SoundMan"="SOUNDMAN.EXE" [2005-04-15 77824] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680] "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344] "SMSystemAnalyzer"="c:\program files\iolo\System Mechanic 7\SMSystemAnalyzer.exe" [2008-05-06 764776] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792] "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-09-23 15512424] "NvMediaCenter"="NvMCTray.dll" [2012-09-23 108392] "nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-09-23 1634112] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264] . c:\documents and settings\Owner\Start Menu\Programs\Startup\ OpenOffice.org 3.3.lnk - [N/A] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Bluetooth Manager.lnk - [N/A] HP Digital Imaging Monitor.lnk - [N/A] HP Photosmart Premier Fast Start.lnk - [N/A] . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck smrgdf c:\documents and settings\Owner\Application Data\iolo" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"= "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Opera\\opera.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"= "c:\\Program Files\\Cryptic Studios\\Champions Online\\Live\\GameClient.exe"= "c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"= "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"= "c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.1544\\Agent.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Documents and Settings\\All Users\\Application Data\\Battle.net\\Agent\\Agent.1637\\Agent.exe"= "c:\\Documents and Settings\\Owner\\Application Data\\Spotify\\spotify.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "58989:TCP"= 58989:TCP:Pando Media Booster "58989:UDP"= 58989:UDP:Pando Media Booster . R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [12/16/2007 11:55 AM 566120] R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [12/16/2007 11:55 AM 566120] R2 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [9/7/2010 9:47 AM 202048] R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592] S3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [12/12/2010 1:41 PM 25856] S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [12/14/2008 9:18 AM 47360] S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/12/2004 3:18 PM 169192] . --- Other Services/Drivers In Memory --- . *NewlyCreated* - WS2IFSL . Contents of the 'Scheduled Tasks' folder . 2013-02-15 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-05 17:29] . 2013-01-11 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57] . 2011-11-25 c:\windows\Tasks\MotoHelper MUM.job - c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-09-07 16:47] . 2013-02-15 c:\windows\Tasks\MotoHelper Routing.job - c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-09-07 16:47] . 2012-09-11 c:\windows\Tasks\MotoHelper Update.job - c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2010-09-07 16:47] . 2013-02-15 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.emachines.com/ uInternet Settings,ProxyOverride = *.local IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html TCP: DhcpNameServer = 74.211.15.210 74.211.15.211 74.211.89.201 . . ------- File Associations ------- . JSEFile=NOTEPAD.EXE %1 . - - - - ORPHANS REMOVED - - - - . HKCU-Run-HLBackupScheduler - c:\program files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe HKCU-Run-PlayNC Launcher - (no file) Notify-AtiExtEvent - (no file) . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2013-02-15 13:04 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\.sol] @DACL=(02 0000) @SACL= "Content Type"="text/plain" . [HKEY_LOCAL_MACHINE\software\Classes\.sor] @DACL=(02 0000) @SACL= "Content Type"="text/plain" . [HKEY_LOCAL_MACHINE\software\Classes\ShockwaveFlash.ShockwaveFlash\CLSID] @DACL=(02 0000) @="{D27CDB6E-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\software\Classes\ShockwaveFlash.ShockwaveFlash\CurVer] @DACL=(02 0000) @="ShockwaveFlash.ShockwaveFlash.10" . [HKEY_LOCAL_MACHINE\software\Classes\ShockwaveFlash.ShockwaveFlash\DefaultIcon] @DACL=(02 0000) @="c:\\Program Files\\HP\\Digital Imaging\\help\\player\\FlashPla.exe,1" . [HKEY_LOCAL_MACHINE\software\Classes\ShockwaveFlash.ShockwaveFlash\shell] @DACL=(02 0000) . Completion time: 2013-02-15 13:06:48 ComboFix-quarantined-files.txt 2013-02-15 20:06 . Pre-Run: 85,376,978,944 bytes free Post-Run: 85,956,276,224 bytes free . WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect . - - End Of File - - 50E95777A870B220250C25BC935E2CCB ************************** exehelperlog --------------------- exeHelper by Raktor Build 20100414 Run at 16:28:04 on 02/17/13 Now searching... Checking for numerical processes... Checking for sysguard processes... Checking for bad processes... Checking for bad files... Checking for bad registry entries... Resetting filetype association for .exe Resetting filetype association for .com Resetting userinit and shell values... Resetting policies... --Finished-- *************************** Rkill.txt -------------------- Rkill 2.4.7 by Lawrence Abrams (Grinler) http://www.bleepingcomputer.com/ Copyright 2008-2013 BleepingComputer.com More Information about Rkill can be found at this link: http://www.bleepingcomputer.com/forums/topic308364.html Program started at: 02/17/2013 04:23:23 PM in x86 mode. Windows Version: Microsoft Windows XP Service Pack 3 Checking for Windows services to stop: * No malware services found to stop. Checking for processes to terminate: * C:\WINDOWS\zHotkey.exe (PID: 136) [WD-HEUR] * C:\WINDOWS\system32\HPZipm12.exe (PID: 2216) [WD-HEUR] 2 proccesses terminated! Checking Registry for malware related settings: * No issues found in the Registry. Resetting .EXE, .COM, & .BAT associations in the Windows Registry. Performing miscellaneous checks: * No issues found. Checking Windows Service Integrity: * RpcSs => %SystemRoot%\system32\svchost.exe -k rpcss [incorrect ImagePath] Searching for Missing Digital Signatures: * No issues found. Checking HOSTS File: * HOSTS file entries found: 127.0.0.1 localhost Program finished at: 02/17/2013 04:24:12 PM Execution time: 0 hours(s), 0 minute(s), and 48 seconds(s) ********************* RKreport[1]_S_02202013_02d1108 ----------------------- RogueKiller V8.5.1 [Feb 20 2013] by Tigzy mail : tigzyRK<at>gmail<dot>com Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/ Website : http://tigzy.geekstogo.com/roguekiller.php Blog : http://tigzyrk.blogspot.com/ Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version Started in : Normal mode User : Owner [Admin rights] Mode : Scan -- Date : 02/20/2013 11:08:40 | ARK || FAK || MBR | ¤¤¤ Bad processes : 0 ¤¤¤ ¤¤¤ Registry Entries : 8 ¤¤¤ [HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND [HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND [HJPOL] HKCU\[...]\System : DisableCMD (0) -> FOUND [HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND [HJPOL] HKLM\[...]\System : DisableCMD (0) -> FOUND [HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND ¤¤¤ Particular Files / Folders: ¤¤¤ ¤¤¤ Driver : [LOADED] ¤¤¤ SSDT[31] : NtConnectPort @ 0x80599A7E -> HOOKED (Unknown @ 0xE2900678) ¤¤¤ HOSTS File: ¤¤¤ --> C:\WINDOWS\system32\drivers\etc\hosts 127.0.0.1 localhost ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: ST3200826A +++++ --- User --- [MBR] 7e2b7451b50f42356955d4e9036a7ecc [bSP] 74a11c150ec0fb413f12c867ca5ca2ed : Legit2 MBR Code Partition table: 0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 8723295 | Size: 186512 Mo 1 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 4259 Mo User = LL1 ... OK! User = LL2 ... OK! Finished : << RKreport[1]_S_02202013_02d1108.txt >> RKreport[1]_S_02202013_02d1108.txt ********************************** checkup (from SecurityCheck) ----------------- Results of screen317's Security Check version 0.99.58 Windows XP Service Pack 3 x86 Internet Explorer 8 ``````````````Antivirus/Firewall Check:`````````````` Windows Firewall Enabled! WMI entry may not exist for antivirus; attempting automatic update. `````````Anti-malware/Other Utilities Check:````````` Spybot - Search & Destroy Windows Defender Windows Defender Signatures Malwarebytes Anti-Malware version 1.70.0.1100 Java 6 Update 22 Java 6 Update 2 Java 6 Update 3 Java version out of Date! Adobe Flash Player 11.6.602.168 Adobe Reader 8 Adobe Reader out of Date! Mozilla Firefox (19.0) ````````Process Check: objlist.exe by Laurent```````` Windows Defender MSMpEng.exe Symantec AntiVirus DefWatch.exe Symantec AntiVirus Rtvscan.exe Windows Defender MsMpEng.exe iolo common lib ioloServiceManager.exe iolo System Mechanic 7 SMSystemAnalyzer.exe `````````````````System Health check````````````````` Total Fragmentation on Drive C:: 20% Defragment your hard drive soon! (Do NOT defrag if SSD!) ````````````````````End of Log`````````````````````` *********************************** FSS ------------ Farbar Service Scanner Version: 20-02-2013 Ran by Owner (administrator) on 20-02-2013 at 11:21:06 Running from "C:\Documents and Settings\Owner\Desktop" Microsoft Windows XP Service Pack 3 (X86) Boot Mode: Normal **************************************************************** Internet Services: ============ Connection Status: ============== Localhost is accessible. LAN connected. Google IP is accessible. Google.com is accessible. Yahoo IP is accessible. Yahoo.com is accessible. Windows Firewall: ============= Firewall Disabled Policy: ================== System Restore: ============ System Restore Disabled Policy: ======================== Security Center: ============ Windows Update: ============ Windows Autoupdate Disabled Policy: ============================ File Check: ======== C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit C:\WINDOWS\system32\netman.dll => MD5 is legit C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit C:\WINDOWS\system32\srsvc.dll => MD5 is legit C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit C:\WINDOWS\system32\wscsvc.dll => MD5 is legit C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit C:\WINDOWS\system32\wuauserv.dll [2005-04-13 10:16] - [2008-04-13 17:12] - 0006656 ____A (Microsoft Corporation) 35321FB577CDC98CE3EB3A3EB9E4610A C:\WINDOWS\system32\qmgr.dll => MD5 is legit C:\WINDOWS\system32\es.dll => MD5 is legit C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit C:\WINDOWS\system32\svchost.exe => MD5 is legit C:\WINDOWS\system32\rpcss.dll => MD5 is legit C:\WINDOWS\system32\services.exe [2005-04-13 09:56] - [2009-02-06 04:11] - 0110592 ____A (Microsoft Corporation) 65DF52F5B8B6E9BBD183505225C37315 Extra List: ======= Gpc(6) IPSec(4) NetBT(5) PSched(7) SYMTDI(8) Tcpip(3) 0x080000000400000001000000020000000300000008000000050000000600000007000000 IpSec Tag value is correct. **** End of log ****
  4. Hello, I think i've been infected by something. At first no .exe would run except my default browser (FireFox). Then I got that kind of resolved. At least many programs run now. However, most programs i can't run simply by double clicking on the desktop icons. I have to right-click and "Open" them instead. And additionally, I can't install Malwarebytes Anti-Malware. I had a copy already on my computer when i realized something was wrong (with the .exe files) and ran it, it wanted to update and so i let it but when it did i got a "CoCreateInstance failed" error message when it got to the last few (.dll's, i believe) files of the installation. It then proceeded to act like it was finishing up installation and after it appeared to finish it popped up a couple of Runtime errors and then nothing happened, and the Malwarebytes folder it created is populated but unable to run the program. I tried to resolve this issue on my own but only managed to semi-solve the .exe problem, i still can't install or run malwarebyte's program. Here are the things i've already tried, I've tried all of the appropriate choices except the unhide.exe step (it didn't seem appropriate) from the "Malwarebytes Anti-Malware won't run or failed to resolve my issues" and none have resulted in successful installation of the program. Chameleon will run but it gets the same cocreateinstance errors and runtime errors even though it thinks it was successful. I have also run Spybot S&D, which did find a registry key which it "took care of" (I have the log from that if it would be useful). After looking at some other postings of similar CoCreateInstance issues, I also ran ComboFix, SecurityCheck, xp_exe_fix, and adwcleaner. I have some of the logs created by those programs as well if useful. I also have *attached* the dds files if useful. I could really use some help on what steps i could take next. Thank you david dds ------------------- DDS (Ver_2012-11-20.01) - NTFS_x86 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22 Run by Owner at 17:44:42 on 2013-02-17 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1004 [GMT -7:00] . . ============== Running Processes ================ . C:\Program Files\Windows Defender\MsMpEng.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\iolo\common\lib\ioloServiceManager.exe C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\ehome\mcrdsvc.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\ehome\ehtray.exe C:\Program Files\Digital Media Reader\shwiconem.exe C:\WINDOWS\zHotkey.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe C:\WINDOWS\system32\RunDLL32.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\ehome\ehtray.exe C:\Program Files\Digital Media Reader\shwiconem.exe C:\WINDOWS\zHotkey.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe C:\WINDOWS\system32\RunDLL32.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\program files\ncsoft\launcher\NCLauncher.exe C:\Documents and Settings\Owner\Application Data\Spotify\Data\SpotifyWebHelper.exe C:\Documents and Settings\Owner\Application Data\Spotify\Spotify.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\system32\svchost.exe -k DcomLaunch C:\WINDOWS\system32\svchost.exe -k rpcss C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k NetworkService C:\WINDOWS\system32\svchost.exe -k LocalService C:\WINDOWS\system32\svchost.exe -k LocalService C:\WINDOWS\system32\svchost.exe -k LocalService C:\WINDOWS\system32\svchost.exe -k imgsvc . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.emachines.com/ BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre1.6.0_22\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre1.6.0_22\lib\deploy\jqs\ie\jqs_plugin.dll TB: &Google: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll TB: &Google: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe uRun: [NCsoft Launcher] c:\program files\ncsoft\launcher\NCLauncher.exe /Minimized uRun: [spotify Web Helper] "c:\documents and settings\owner\application data\spotify\data\SpotifyWebHelper.exe" uRun: [spotify] "c:\documents and settings\owner\application data\spotify\Spotify.exe" /uri spotify:autostart uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [ehTray] c:\windows\ehome\ehtray.exe mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe mRun: [sunKistEM] c:\program files\digital media reader\shwiconem.exe mRun: [CHotkey] zHotkey.exe mRun: [soundMan] SOUNDMAN.EXE mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe" mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe" mRun: [vptray] c:\progra~1\symant~1\VPTray.exe mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe" mRun: [sMSystemAnalyzer] "c:\program files\iolo\system mechanic 7\SMSystemAnalyzer.exe" mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe" mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe" mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t uPolicies-Explorer: NoDriveTypeAutoRun = dword:323 uPolicies-Explorer: NoDriveAutoRun = dword:67108863 uPolicies-Explorer: NoDrives = dword:0 mPolicies-Explorer: NoDriveAutoRun = dword:67108863 mPolicies-Explorer: NoDriveTypeAutoRun = dword:323 mPolicies-Explorer: NoDrives = dword:0 mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1 mPolicies-Explorer: NoDriveTypeAutoRun = dword:323 mPolicies-Explorer: NoDriveAutoRun = dword:67108863 IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000 IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe . INFO: HKCU has more than 50 listed domains. If you wish to scan all of them, select the 'Force scan all domains' option. . . INFO: HKLM has more than 50 listed domains. If you wish to scan all of them, select the 'Force scan all domains' option. . DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1346094791984 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab TCP: NameServer = 74.211.15.210 74.211.15.211 74.211.89.201 TCP: Interfaces\{05567071-9353-4A3F-AF2D-A3542C6C9D2F} : DHCPNameServer = 74.211.15.210 74.211.15.211 74.211.89.201 Notify: NavLogon - c:\windows\system32\NavLogon.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Microsoft AntiMalware ShellExecuteHook - {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - c:\program files\windows defender\MpShHook.dll . ============= SERVICES / DRIVERS =============== . R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200] R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-2-29 255096] R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-2-29 242808] R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2007-12-16 566120] R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2007-12-16 566120] R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328] R2 MotoHelper;MotoHelper Service;c:\program files\motorola\motohelper\MotoHelperService.exe [2010-9-7 202048] R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008] R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-3-12 1221864] R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592] R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-2-17 40776] R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\naveng.sys [2011-5-8 86136] R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\navex15.sys [2011-5-8 1393144] S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-2-29 87160] S3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [2010-12-12 25856] S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-3-12 169192] . =============== File Associations =============== . FileExt: .jse: JSEFile=NOTEPAD.EXE %1 FileExt: .wsf: WSFFile=NOTEPAD.EXE %1 . =============== Created Last 30 ================ . 2013-02-18 00:29:00 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2013-02-18 00:29:00 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes 2013-02-18 00:28:52 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes 2013-02-18 00:28:51 21104 ----a-w- c:\windows\system32\drivers\mbam.sys 2013-02-18 00:28:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2013-02-17 19:23:33 -------- d-----w- c:\windows\pss 2013-02-16 17:42:02 60872 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{26453b8e-dede-4e7c-a608-37c5ae7f51e8}\offreg.dll 2013-02-16 03:04:42 6991832 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{26453b8e-dede-4e7c-a608-37c5ae7f51e8}\mpengine.dll 2013-02-15 19:50:47 -------- d-sha-r- C:\cmdcons 2013-02-15 18:09:10 208896 ----a-w- c:\windows\MBR.exe 2013-02-15 18:09:09 98816 ----a-w- c:\windows\sed.exe 2013-02-15 18:09:09 256000 ----a-w- c:\windows\PEV.exe 2013-02-14 20:56:00 -------- d-----w- c:\documents and settings\owner\local settings\application data\Spotify 2013-02-14 20:55:25 -------- d-----w- c:\documents and settings\owner\application data\Spotify 2013-02-14 18:33:09 -------- d-----w- C:\iolo 2013-02-14 17:27:55 -------- d-----w- c:\documents and settings\owner\local settings\application data\PCHealth . ==================== Find3M ==================== . 2013-02-14 23:32:18 74096 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2013-02-14 23:32:18 697712 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2013-02-14 23:32:16 15739760 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe 2013-01-26 03:55:44 552448 ----a-w- c:\windows\system32\oleaut32.dll 2013-01-17 08:28:58 232336 ------w- c:\windows\system32\MpSigStub.exe 2013-01-07 01:16:02 2193024 ----a-w- c:\windows\system32\ntoskrnl.exe 2013-01-07 00:36:58 2069760 ----a-w- c:\windows\system32\ntkrnlpa.exe 2013-01-04 01:20:00 1867264 ----a-w- c:\windows\system32\win32k.sys 2013-01-02 06:49:10 1292288 ----a-w- c:\windows\system32\quartz.dll 2012-12-26 20:16:29 916480 ----a-w- c:\windows\system32\wininet.dll 2012-12-26 20:16:28 43520 ----a-w- c:\windows\system32\licmgr10.dll 2012-12-26 20:16:28 1469440 ------w- c:\windows\system32\inetcpl.cpl 2012-12-24 06:40:59 385024 ----a-w- c:\windows\system32\html.iec 2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll . ============= FINISH: 17:45:58.96 =============== attach ----------- . UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT . DDS (Ver_2012-11-20.01) . Microsoft Windows XP Professional Boot Device: \Device\HarddiskVolume1 Install Date: 1/16/2006 9:36:02 PM System Uptime: 2/17/2013 5:33:41 PM (0 hours ago) . Motherboard: MICRO-STAR | | MS-7184 Processor: AMD Athlon™ 64 Processor 3500+ | Socket 939 | 2188/200mhz . ==== Disk Partitions ========================= . C: is FIXED (NTFS) - 182 GiB total, 79.321 GiB free. D: is FIXED (FAT32) - 4 GiB total, 2.409 GiB free. E: is CDROM () F: is CDROM () G: is Removable H: is Removable I: is Removable J: is Removable . ==== Disabled Device Manager Items ============= . ==== System Restore Points =================== . RP1220: 11/20/2012 8:53:00 PM - Software Distribution Service 3.0 RP1221: 11/30/2012 9:56:44 AM - Software Distribution Service 3.0 RP1222: 12/1/2012 2:58:09 PM - System Checkpoint RP1223: 12/2/2012 9:36:45 PM - System Checkpoint RP1224: 12/6/2012 3:10:50 PM - Software Distribution Service 3.0 RP1225: 12/10/2012 12:38:21 PM - Software Distribution Service 3.0 RP1226: 12/11/2012 9:01:01 AM - Software Distribution Service 3.0 RP1227: 12/12/2012 10:38:27 PM - Software Distribution Service 3.0 RP1228: 12/15/2012 6:50:38 AM - Software Distribution Service 3.0 RP1229: 12/18/2012 1:26:45 PM - Software Distribution Service 3.0 RP1230: 1/3/2013 10:49:14 AM - Software Distribution Service 3.0 RP1231: 1/3/2013 12:40:32 PM - Software Distribution Service 3.0 RP1232: 1/10/2013 7:35:11 AM - Software Distribution Service 3.0 RP1233: 1/10/2013 9:13:38 PM - Software Distribution Service 3.0 RP1234: 1/11/2013 9:10:59 AM - Software Distribution Service 3.0 RP1235: 1/14/2013 10:12:53 PM - System Checkpoint RP1236: 1/17/2013 11:03:52 AM - Software Distribution Service 3.0 RP1237: 1/17/2013 11:08:16 AM - Software Distribution Service 3.0 RP1238: 2/3/2013 6:26:26 PM - Software Distribution Service 3.0 RP1239: 2/13/2013 8:27:46 PM - Software Distribution Service 3.0 RP1240: 2/14/2013 7:00:16 AM - Software Distribution Service 3.0 RP1241: 2/14/2013 10:30:43 AM - Software Distribution Service 3.0 RP1242: 2/14/2013 8:14:48 PM - Software Distribution Service 3.0 RP1243: 2/15/2013 9:34:02 AM - Software Distribution Service 3.0 RP1244: 2/15/2013 8:04:36 PM - Software Distribution Service 3.0 RP1245: 2/15/2013 10:30:52 PM - Software Distribution Service 3.0 RP1246: 2/16/2013 9:41:22 PM - Software Distribution Service 3.0 . ==== Installed Programs ====================== . 6300 6300Trb Actiontec Gateway Adobe Flash Player 11 Plugin Adobe Reader 8.1.2 Adobe® Photoshop® Album Starter Edition 3.0 Adobe® Photoshop® Album Starter Edition 3.0.1 AiO_Scan_CDA AiOSoftwareNPI America Online (Choose which version to remove) Apple Application Support Apple Mobile Device Support Apple Software Update Applian Director ArcView GIS 3.2 ArcView Spatial Analyst BigFix Bluetooth Stack for Windows Bonjour BufferChm Champions Online CP_AtenaShokunin1Config CP_CalendarTemplates1 cp_OnlineProjectsConfig CP_Package_Basic1 CP_Package_Variety1 CP_Package_Variety2 CP_Package_Variety3 CP_Panorama1Config cp_PosterPrintConfig Critical Update for Windows Media Player 11 (KB959772) CueTour DeductionPro 2005-06 Destinations DeviceFunctionQFolder DeviceManagementQFolder Digital Media Reader DNRGarmin DocProc DocumentViewer DocumentViewerQFolder DVDFab 8.1.3.8 (09/12/2011) Qt eSupportQFolder Fable - The Lost Chapters Fax_CDA ffdshow [rev 2527] [2008-12-19] FullDPAppQFolder Game Cam 2.2 Garmin MapSource Google Toolbar for Internet Explorer HandBrake 0.9.5 Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) Hotfix for Windows Internet Explorer 7 (KB947864) Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 10 (KB903157) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB2158563) Hotfix for Windows XP (KB2443685) Hotfix for Windows XP (KB2570791) Hotfix for Windows XP (KB2633952) Hotfix for Windows XP (KB2756822) Hotfix for Windows XP (KB2779562) Hotfix for Windows XP (KB952287) Hotfix for Windows XP (KB954550-v5) Hotfix for Windows XP (KB961118) Hotfix for Windows XP (KB970653-v3) Hotfix for Windows XP (KB976098-v2) Hotfix for Windows XP (KB979306) Hotfix for Windows XP (KB981793) HP Document Viewer 6.1 HP Imaging Device Functions 6.1 HP Photosmart Premier Software 6.1 HP PSC & OfficeJet 6.1.A HP Solution Center and Imaging Support Tools 6.1 HP Update HPProductAssistant InstantShareDevices iolo technologies' System Mechanic 7 iTunes J2SE Runtime Environment 5.0 Update 2 Java Auto Updater Java™ 6 Update 2 Java™ 6 Update 22 Java™ 6 Update 3 LiveUpdate 2.0 (Symantec Corporation) Lizardtech Express View Malwarebytes Anti-Malware version 1.70.0.1100 Map Patch MapSource Microsoft .NET Framework 1.0 Hotfix (KB2572066) Microsoft .NET Framework 1.0 Hotfix (KB2604042) Microsoft .NET Framework 1.0 Hotfix (KB2656378) Microsoft .NET Framework 1.0 Hotfix (KB953295) Microsoft .NET Framework 1.0 Hotfix (KB979904) Microsoft .NET Framework 1.0 Security Update (KB2698035) Microsoft .NET Framework 1.0 Security Update (KB2742607) Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Security Update (KB2698023) Microsoft .NET Framework 1.1 Security Update (KB2742597) Microsoft .NET Framework 1.1 Security Update (KB979906) Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 Microsoft .NET Framework 3.5 SP1 Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Internationalized Domain Names Mitigation APIs Microsoft Kernel-Mode Driver Framework Feature Pack 1.7 Microsoft Money 2005 Microsoft National Language Support Downlevel APIs Microsoft Office Standard Edition 2003 Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 Microsoft Works MotoHelper 2.0.24 Driver 4.7.1 MotoHelper MergeModules Motorola Mobile Drivers Installation 4.7.1 Mozilla Firefox 18.0.2 (x86 en-US) Mozilla Maintenance Service MSN MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) Multimedia Keyboard Driver Napster Napster Burn Engine NCsoft Launcher Nero BurnRights Nero OEM NewCopy_CDA NVIDIA Control Panel 306.81 NVIDIA Graphics Driver 306.81 NVIDIA Install Application NVIDIA nView 136.28 NVIDIA Update 1.10.8 NVIDIA Update Components OpenOffice.org 3.3 Opera 12.14 Pando Media Booster PanoStandAlone Pdf995 (installed by TaxCut) PdfEdit995 (installed by TaxCut) PhotoGallery PowerDVD ProductContextNPI Pure Networks Port Magic QuickTime RandMap Readme RealPlayer Basic Realtek AC'97 Audio Recovery Software Suite eMachines Replay Music Rhapsody Safari Saunders NCLEX-RN4e Scan ScannerCopy Scribus 1.3.3.13 Seagate Crystal Reports for ESRI Security Task Manager 1.7 Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111) Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424) Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416) Security Update for Microsoft Windows (KB2564958) Security Update for Windows Internet Explorer 7 (KB928090) Security Update for Windows Internet Explorer 7 (KB929969) Security Update for Windows Internet Explorer 7 (KB931768) Security Update for Windows Internet Explorer 7 (KB933566) Security Update for Windows Internet Explorer 7 (KB937143) Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB939653) Security Update for Windows Internet Explorer 7 (KB942615) Security Update for Windows Internet Explorer 7 (KB944533) Security Update for Windows Internet Explorer 7 (KB950759) Security Update for Windows Internet Explorer 7 (KB953838) Security Update for Windows Internet Explorer 7 (KB956390) Security Update for Windows Internet Explorer 7 (KB958215) Security Update for Windows Internet Explorer 7 (KB960714) Security Update for Windows Internet Explorer 7 (KB961260) Security Update for Windows Internet Explorer 7 (KB963027) Security Update for Windows Internet Explorer 7 (KB969897) Security Update for Windows Internet Explorer 8 (KB2183461) Security Update for Windows Internet Explorer 8 (KB2360131) Security Update for Windows Internet Explorer 8 (KB2416400) Security Update for Windows Internet Explorer 8 (KB2482017) Security Update for Windows Internet Explorer 8 (KB2497640) Security Update for Windows Internet Explorer 8 (KB2510531) Security Update for Windows Internet Explorer 8 (KB2530548) Security Update for Windows Internet Explorer 8 (KB2544521) Security Update for Windows Internet Explorer 8 (KB2559049) Security Update for Windows Internet Explorer 8 (KB2586448) Security Update for Windows Internet Explorer 8 (KB2618444) Security Update for Windows Internet Explorer 8 (KB2647516) Security Update for Windows Internet Explorer 8 (KB2675157) Security Update for Windows Internet Explorer 8 (KB2722913) Security Update for Windows Internet Explorer 8 (KB2744842) Security Update for Windows Internet Explorer 8 (KB2761465) Security Update for Windows Internet Explorer 8 (KB2792100) Security Update for Windows Internet Explorer 8 (KB2797052) Security Update for Windows Internet Explorer 8 (KB2799329) Security Update for Windows Internet Explorer 8 (KB969897) Security Update for Windows Internet Explorer 8 (KB971961) Security Update for Windows Internet Explorer 8 (KB972260) Security Update for Windows Internet Explorer 8 (KB974455) Security Update for Windows Internet Explorer 8 (KB976325) Security Update for Windows Internet Explorer 8 (KB978207) Security Update for Windows Internet Explorer 8 (KB981332) Security Update for Windows Internet Explorer 8 (KB982381) Security Update for Windows Media Player (KB2378111) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player (KB954155) Security Update for Windows Media Player (KB968816) Security Update for Windows Media Player (KB973540) Security Update for Windows Media Player (KB975558) Security Update for Windows Media Player (KB978695) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 11 (KB954154) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows XP (KB2079403) Security Update for Windows XP (KB2115168) Security Update for Windows XP (KB2121546) Security Update for Windows XP (KB2160329) Security Update for Windows XP (KB2229593) Security Update for Windows XP (KB2259922) Security Update for Windows XP (KB2279986) Security Update for Windows XP (KB2286198) Security Update for Windows XP (KB2296011) Security Update for Windows XP (KB2296199) Security Update for Windows XP (KB2347290) Security Update for Windows XP (KB2360937) Security Update for Windows XP (KB2387149) Security Update for Windows XP (KB2393802) Security Update for Windows XP (KB2412687) Security Update for Windows XP (KB2419632) Security Update for Windows XP (KB2423089) Security Update for Windows XP (KB2436673) Security Update for Windows XP (KB2440591) Security Update for Windows XP (KB2443105) Security Update for Windows XP (KB2476490) Security Update for Windows XP (KB2476687) Security Update for Windows XP (KB2478960) Security Update for Windows XP (KB2478971) Security Update for Windows XP (KB2479628) Security Update for Windows XP (KB2481109) Security Update for Windows XP (KB2483185) Security Update for Windows XP (KB2485376) Security Update for Windows XP (KB2485663) Security Update for Windows XP (KB2503658) Security Update for Windows XP (KB2503665) Security Update for Windows XP (KB2506212) Security Update for Windows XP (KB2506223) Security Update for Windows XP (KB2507618) Security Update for Windows XP (KB2507938) Security Update for Windows XP (KB2508272) Security Update for Windows XP (KB2508429) Security Update for Windows XP (KB2509553) Security Update for Windows XP (KB2511455) Security Update for Windows XP (KB2524375) Security Update for Windows XP (KB2535512) Security Update for Windows XP (KB2536276-v2) Security Update for Windows XP (KB2536276) Security Update for Windows XP (KB2544893-v2) Security Update for Windows XP (KB2544893) Security Update for Windows XP (KB2555917) Security Update for Windows XP (KB2562937) Security Update for Windows XP (KB2566454) Security Update for Windows XP (KB2567053) Security Update for Windows XP (KB2567680) Security Update for Windows XP (KB2570222) Security Update for Windows XP (KB2570947) Security Update for Windows XP (KB2584146) Security Update for Windows XP (KB2585542) Security Update for Windows XP (KB2592799) Security Update for Windows XP (KB2598479) Security Update for Windows XP (KB2603381) Security Update for Windows XP (KB2618451) Security Update for Windows XP (KB2620712) Security Update for Windows XP (KB2621440) Security Update for Windows XP (KB2624667) Security Update for Windows XP (KB2631813) Security Update for Windows XP (KB2633171) Security Update for Windows XP (KB2639417) Security Update for Windows XP (KB2641653) Security Update for Windows XP (KB2646524) Security Update for Windows XP (KB2647518) Security Update for Windows XP (KB2653956) Security Update for Windows XP (KB2655992) Security Update for Windows XP (KB2659262) Security Update for Windows XP (KB2660465) Security Update for Windows XP (KB2661637) Security Update for Windows XP (KB2676562) Security Update for Windows XP (KB2686509) Security Update for Windows XP (KB2691442) Security Update for Windows XP (KB2695962) Security Update for Windows XP (KB2698365) Security Update for Windows XP (KB2705219) Security Update for Windows XP (KB2707511) Security Update for Windows XP (KB2712808) Security Update for Windows XP (KB2719985) Security Update for Windows XP (KB2723135) Security Update for Windows XP (KB2724197) Security Update for Windows XP (KB2727528) Security Update for Windows XP (KB2731847) Security Update for Windows XP (KB2753842-v2) Security Update for Windows XP (KB2753842) Security Update for Windows XP (KB2757638) Security Update for Windows XP (KB2758857) Security Update for Windows XP (KB2761226) Security Update for Windows XP (KB2770660) Security Update for Windows XP (KB2778344) Security Update for Windows XP (KB2779030) Security Update for Windows XP (KB2780091) Security Update for Windows XP (KB2799494) Security Update for Windows XP (KB2802968) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB923689) Security Update for Windows XP (KB938464-v2) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953839) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956744) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB956844) Security Update for Windows XP (KB957095) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958690) Security Update for Windows XP (KB958869) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960715) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB960859) Security Update for Windows XP (KB961371) Security Update for Windows XP (KB961373) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB968537) Security Update for Windows XP (KB969059) Security Update for Windows XP (KB969898) Security Update for Windows XP (KB969947) Security Update for Windows XP (KB970238) Security Update for Windows XP (KB970430) Security Update for Windows XP (KB971468) Security Update for Windows XP (KB971486) Security Update for Windows XP (KB971557) Security Update for Windows XP (KB971633) Security Update for Windows XP (KB971657) Security Update for Windows XP (KB972270) Security Update for Windows XP (KB973346) Security Update for Windows XP (KB973354) Security Update for Windows XP (KB973507) Security Update for Windows XP (KB973525) Security Update for Windows XP (KB973869) Security Update for Windows XP (KB973904) Security Update for Windows XP (KB974112) Security Update for Windows XP (KB974318) Security Update for Windows XP (KB974392) Security Update for Windows XP (KB974571) Security Update for Windows XP (KB975025) Security Update for Windows XP (KB975467) Security Update for Windows XP (KB975560) Security Update for Windows XP (KB975561) Security Update for Windows XP (KB975562) Security Update for Windows XP (KB975713) Security Update for Windows XP (KB977165-v2) Security Update for Windows XP (KB977816) Security Update for Windows XP (KB977914) Security Update for Windows XP (KB978037) Security Update for Windows XP (KB978251) Security Update for Windows XP (KB978262) Security Update for Windows XP (KB978338) Security Update for Windows XP (KB978542) Security Update for Windows XP (KB978601) Security Update for Windows XP (KB978706) Security Update for Windows XP (KB979309) Security Update for Windows XP (KB979482) Security Update for Windows XP (KB979559) Security Update for Windows XP (KB979683) Security Update for Windows XP (KB979687) Security Update for Windows XP (KB980195) Security Update for Windows XP (KB980218) Security Update for Windows XP (KB980232) Security Update for Windows XP (KB980436) Security Update for Windows XP (KB981322) Security Update for Windows XP (KB981852) Security Update for Windows XP (KB981957) Security Update for Windows XP (KB981997) Security Update for Windows XP (KB982132) Security Update for Windows XP (KB982214) Security Update for Windows XP (KB982665) Security Update for Windows XP (KB982802) SkinsHP1 SoftV92 Data Fax Modem with SmartCP SolutionCenter Sonic Encoders Sonic_PrimoSDK Spotify Spybot - Search & Destroy Starcraft Status Symantec AntiVirus SyncToy System Requirements Lab TaxCut Arizona 2007 TaxCut Premium + State 2007 TaxCut Premium 2005 TaxCut Premium 2006 Toolbox TrayApp Unload Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update for Windows Internet Explorer 8 (KB971180) Update for Windows Internet Explorer 8 (KB976662) Update for Windows Internet Explorer 8 (KB980182) Update for Windows Media Player 10 (KB913800) Update for Windows XP (KB2141007) Update for Windows XP (KB2345886) Update for Windows XP (KB2467659) Update for Windows XP (KB2541763) Update for Windows XP (KB2607712) Update for Windows XP (KB2616676-v2) Update for Windows XP (KB2641690) Update for Windows XP (KB2661254-v2) Update for Windows XP (KB2718704) Update for Windows XP (KB2736233) Update for Windows XP (KB2749655) Update for Windows XP (KB951072-v2) Update for Windows XP (KB951978) Update for Windows XP (KB953356) Update for Windows XP (KB955759) Update for Windows XP (KB955839) Update for Windows XP (KB967715) Update for Windows XP (KB968389) Update for Windows XP (KB971029) Update for Windows XP (KB971737) Update for Windows XP (KB973687) Update for Windows XP (KB973815) Update Rollup 2 for Windows XP Media Center Edition 2005 WebFldrs XP WebReg Windows Defender Windows Defender Signatures Windows Genuine Advantage v1.3.0254.0 Windows Internet Explorer 7 Windows Internet Explorer 8 Windows Media Format 11 runtime Windows Media Player 11 Windows XP Media Center Edition 2005 KB2502898 Windows XP Media Center Edition 2005 KB2619340 Windows XP Media Center Edition 2005 KB2628259 Windows XP Media Center Edition 2005 KB925766 Windows XP Media Center Edition 2005 KB973768 Windows XP Service Pack 3 WinZip World of Warcraft . ==== Event Viewer Messages From Past Week ======== . 2/17/2013 4:23:30 PM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s). 2/17/2013 12:29:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E} 2/17/2013 12:29:08 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss SAVRT SYMTDI Tcpip Tosrfcom WS2IFSL 2/17/2013 12:29:08 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning. 2/17/2013 12:29:08 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning. 2/17/2013 12:29:08 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning. 2/17/2013 12:29:08 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning. 2/17/2013 12:29:08 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning. 2/17/2013 12:29:08 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning. 2/17/2013 12:28:52 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF} 2/15/2013 12:44:12 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Netman service. 2/14/2013 7:00:35 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2789643). 2/13/2013 8:18:33 PM, error: Service Control Manager [7038] - The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC). 2/13/2013 8:18:33 PM, error: Service Control Manager [7000] - The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure. 2/13/2013 8:11:48 PM, error: PlugPlayManager [12] - The device 'PS/2 Compatible Mouse' (ACPI\PNP0F13\3&61aaa01&1) disappeared from the system without first being prepared for removal. 2/13/2013 8:10:41 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service. 2/13/2013 10:06:29 PM, error: Service Control Manager [7034] - The AOL Connectivity Service service terminated unexpectedly. It has done this 1 time(s). . ==== End Of File ===========================
  5. I was referring to that mystery file that you had me scan with VirusTotal. Updated all those programs. Things seem to be running okay. Ran Malwarebytes again, updated, and it found nothing. Keeping my fingers crossed that it stays this way. Thank you for all of your help!
  6. Ok, sorry. Didn't know it was "safe" to get back into normal mode. After doing all of this the computer seems to be running well in normal mode, no more fake system tool popups. Not sure if i just dump that extraneous file. Thanks for all your help! Ran that file through virus total, here is what i got (didn't find anything, and i cut out the part in the middle that listed every program that looked): 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware. File name: fMnEpHmBdEi09001 Submission date: 2011-04-08 00:38:06 (UTC) Current status: queued queued analysing finished Result: 0/ 41 (0.0%) Additional information MD5 : d35a9dfca1cd36d39cb978f8c2a29537 SHA1 : f727ce19d298626235c90fa988d5344a599394b2 SHA256: c498b8b732aac52aad3b074e59c6db88255cf42cb26421e968f9973615a6fc37 VT Community This file has never been reviewed by any VT Community member. Be the first one to comment on it! - ------------------------------------------- ESET Scanner log: ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK # version=7 # iexplore.exe=7.00.6000.16915 (vista_gdr.090826-0339) # OnlineScanner.ocx=1.0.0.6425 # api_version=3.0.2 # EOSSerial=0f250ca438600547829292ba2c8eeced # end=finished # remove_checked=true # archives_checked=false # unwanted_checked=true # unsafe_checked=true # antistealth_checked=true # utc_time=2011-04-08 05:39:25 # local_time=2011-04-07 11:39:25 (-0700, Mountain Daylight Time) # country="United States" # lang=9 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=512 16777215 100 0 0 0 0 0 # compatibility_mode=8192 67108863 100 0 0 0 0 0 # scanned=60840 # found=0 # cleaned=0 # scan_time=4815 ----------------------------------- Security Check log: Results of screen317's Security Check version 0.99.10 Windows XP Service Pack 3 Internet Explorer 7 Out of date! `````````````````````````````` Antivirus/Firewall Check: Windows Firewall Enabled! ESET Online Scanner v3 Norton AntiVirus ``````````````````````````````` Anti-malware/Other Utilities Check: Malwarebytes' Anti-Malware Java 6 Update 12 Java 6 Update 7 Out of date Java installed! Adobe Flash Player 10.0.32.18 Adobe Reader 8.1.2 Out of date Adobe Reader installed! ```````````````````````````````` Process Check: objlist.exe by Laurent Norton ccSvcHst.exe ``````````End of Log````````````
  7. Is there a way of doing something similar to the ESET online scanner but with a program copied to the hardrive? One of the issues is that i can't get Safemode with Networking to actually connect to the internet. I've been shuttling programs and log files back and forth using a thumb drive. I can do the first and third steps successfully probably with that method but not the second. Any suggestions? Thank you
  8. Hello, Okay. Did it all again. Behaved the same as the first time. As before the script seemed to be accepted by ComboFix and caused a reboot. Log file appeared, attached below. DDS log also attached below. It looks like when i ran it before it didn't actually accept the CFScript, which was odd because it both appeared to absorb (and therefore erase) the script and i used essentially the same copy of the script file i had created. I had just copied it off of a thumb drive. Anyway, it looks like it worked correctly this time for whatever reason. Thanks again. ---------------------------------------------------- ComboFix Log: ComboFix 11-03-29.06 - Administrator 04/01/2011 22:15:07.2.2 - x86 MINIMAL Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.816 [GMT -6:00] Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8} . FILE :: "c:\windows\system32\drivers\qlyqr.sys" . . ((((((((((((((((((((((((( Files Created from 2011-03-02 to 2011-04-02 ))))))))))))))))))))))))))))))) . . 2011-03-25 00:22 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-03-25 00:22 . 2011-03-25 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-03-25 00:22 . 2011-03-25 00:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-03-25 00:22 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-03-25 00:03 . 2011-03-25 00:03 -------- d-----w- c:\documents and settings\Administrator 2011-03-24 15:26 . 2011-03-25 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\fMnEpHmBdEi09001 . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . . . (((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ---- Directory of c:\documents and settings\All Users\Application Data\fMnEpHmBdEi09001 ---- . 2011-03-24 15:26 . 2011-03-25 00:00 184 ----a-w- c:\documents and settings\All Users\Application Data\fMnEpHmBdEi09001\fMnEpHmBdEi09001 . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744] "Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072] "RTHDCPL"="RTHDCPL.EXE" [2008-05-08 16862208] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792] "MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-07-29 684032] "ITSecMng"="%ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [bU] "MP10_EnsureFileVer"="c:\windows\inf\unregmp2.exe" [2008-04-14 208896] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-10 148888] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-08 198160] "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648] "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-2-22 2938184] BodyMedia Sync.lnk - c:\program files\BodyMedia\Sync\BodyMediaSync.exe [2010-4-29 2064384] VPN Client.lnk - c:\windows\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2009-2-3 6144] . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler] "{55c171c1-84a0-43e0-a8ac-ff8fe49f61be}"= "c:\windows\system32\jejobadi.dll" [bU] . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Documents and Settings\\Local User\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"= "c:\\Documents and Settings\\Local User\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"= "c:\\Documents and Settings\\Local User\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "62515:UDP"= 62515:UDP:Cisco VPN Client Split Tunnel "10000:TCP"= 10000:TCP:Cisco VPN Client IPSec TCP . R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1108000.005\symds.sys [9/24/2010 7:21 AM 328752] R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1108000.005\symefa.sys [9/24/2010 7:21 AM 173104] R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [10/15/2008 5:00 PM 156160] S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20110114.001\BHDrvx86.sys [1/19/2011 8:09 PM 691248] S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1108000.005\cchpx86.sys [9/24/2010 7:21 AM 501888] S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1108000.005\ironx86.sys [9/24/2010 7:21 AM 116784] S2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [10/15/2008 5:12 PM 159744] S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.8.0.5\ccsvchst.exe [9/24/2010 7:20 AM 126392] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 7:18 AM 102448] S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20110317.005\IDSXpx86.sys [3/24/2011 9:31 AM 341944] S3 MobileAdapter;Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\qscnusb.sys [2/9/2010 6:34 AM 103552] S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [10/15/2008 7:40 PM 625792] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 . Contents of the 'Scheduled Tasks' folder . 2011-01-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1307394343-2684688355-3097896448-1005Core.job - c:\documents and settings\Local User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-16 02:20] . 2011-03-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1307394343-2684688355-3097896448-1005UA.job - c:\documents and settings\Local User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-16 02:20] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.msi.com.tw FF - ProfilePath - . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-04-01 22:34 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV] "ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.8.0.5\diMaster.dll\" /prefetch:1" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(1364) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll . Completion time: 2011-04-01 22:37:58 - machine was rebooted ComboFix-quarantined-files.txt 2011-04-02 04:37 ComboFix2.txt 2011-03-31 00:18 ComboFix3.txt 2011-03-29 01:09 . Pre-Run: 21,092,970,496 bytes free Post-Run: 21,085,986,816 bytes free . - - End Of File - - 840A3F7C63CFF9B3ECF01195DB62B291 --------------------------------------------------------------- DDS Log: . DDS (Ver_11-03-05.01) - NTFSx86 MINIMAL Run by Administrator at 22:39:42.48 on Fri 04/01/2011 Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.822 [GMT -6:00] . AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8} . ============== Running Processes =============== . C:\WINDOWS\system32\svchost.exe -k DcomLaunch svchost.exe C:\WINDOWS\system32\svchost.exe -k netsvcs C:\WINDOWS\explorer.exe C:\Documents and Settings\Administrator\Desktop\dds.scr . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.msi.com.tw BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.8.0.5\IPSBHO.DLL BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll mRun: [igfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [Persistence] c:\windows\system32\igfxpers.exe mRun: [RTHDCPL] RTHDCPL.EXE mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe" mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe mRun: [iTSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START mRun: [MP10_EnsureFileVer] c:\windows\inf\unregmp2.exe /EnsureFileVersions mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bodyme~1.lnk - c:\program files\bodymedia\sync\BodyMediaSync.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{4c271126-c295-4828-a901-5910ae0c258b}\Icon3E5562ED7.ico IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\npjpi160_07.dll DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://primis.ebrary.com/support/plugins/ebraryRdr.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Notify: igfxcui - igfxdev.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll STS: tokatiluy: {55c171c1-84a0-43e0-a8ac-ff8fe49f61be} - c:\windows\system32\jejobadi.dll . ================= FIREFOX =================== . FF - ProfilePath - . ============= SERVICES / DRIVERS =============== . R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1108000.005\symds.sys [2010-9-24 328752] R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1108000.005\symefa.sys [2010-9-24 173104] R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2008-10-15 156160] S1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\bashdefs\20110114.001\BHDrvx86.sys [2011-1-19 691248] S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1108000.005\cchpx86.sys [2010-9-24 501888] S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1108000.005\ironx86.sys [2010-9-24 116784] S2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2008-10-15 159744] S2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.8.0.5\ccsvchst.exe [2010-9-24 126392] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448] S3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\ipsdefs\20110317.005\IDSXpx86.sys [2011-3-24 341944] S3 MobileAdapter;Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\qscnusb.sys [2010-2-9 103552] S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\virusdefs\20110323.035\naveng.sys [2011-3-24 86008] S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\virusdefs\20110323.035\navex15.sys [2011-3-24 1360760] S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2008-10-15 625792] S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344] . =============== Created Last 30 ================ . 2011-03-29 00:57:28 -------- d-sha-r- C:\cmdcons 2011-03-29 00:45:44 98816 ----a-w- c:\windows\sed.exe 2011-03-29 00:45:44 89088 ----a-w- c:\windows\MBR.exe 2011-03-29 00:45:44 256512 ----a-w- c:\windows\PEV.exe 2011-03-29 00:45:44 161792 ----a-w- c:\windows\SWREG.exe 2011-03-25 00:24:39 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes 2011-03-25 00:22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-03-25 00:22:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2011-03-25 00:22:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-03-25 00:22:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-03-25 00:00:12 -------- d-----w- c:\windows\pss 2011-03-24 15:26:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\fMnEpHmBdEi09001 . ==================== Find3M ==================== . . ============= FINISH: 22:40:08.35 ===============
  9. Hello, Ran ComboFix. It rebooted once right away, may have been i accidentally bumped the power cord because it didn't continue after restart. Ran it again, computer rebooted again, this time ComboFix made a log file. Text below. Then ran DDS. Text following ComboFix log. Thank you, d ------------------------------ ComboFix log: ComboFix 11-03-28.01 - Administrator 03/28/2011 18:58:47.1.2 - x86 MINIMAL Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.800 [GMT -6:00] Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8} . . ((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-29 ))))))))))))))))))))))))))))))) . . 2011-03-25 00:22 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-03-25 00:22 . 2011-03-25 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-03-25 00:22 . 2011-03-25 00:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-03-25 00:22 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-03-25 00:03 . 2011-03-25 00:03 -------- d-----w- c:\documents and settings\Administrator 2011-03-24 15:26 . 2011-03-25 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\fMnEpHmBdEi09001 . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744] "Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072] "RTHDCPL"="RTHDCPL.EXE" [2008-05-08 16862208] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792] "MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-07-29 684032] "MP10_EnsureFileVer"="c:\windows\inf\unregmp2.exe" [2008-04-14 208896] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-10 148888] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-08 198160] "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648] "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-2-22 2938184] BodyMedia Sync.lnk - c:\program files\BodyMedia\Sync\BodyMediaSync.exe [2010-4-29 2064384] VPN Client.lnk - c:\windows\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2009-2-3 6144] . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Documents and Settings\\Local User\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"= "c:\\Documents and Settings\\Local User\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"= "c:\\Documents and Settings\\Local User\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "62515:UDP"= 62515:UDP:Cisco VPN Client Split Tunnel "10000:TCP"= 10000:TCP:Cisco VPN Client IPSec TCP . R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1108000.005\symds.sys [9/24/2010 7:21 AM 328752] R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1108000.005\symefa.sys [9/24/2010 7:21 AM 173104] R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [10/15/2008 5:00 PM 156160] S0 vgbqo;vgbqo;c:\windows\system32\drivers\qlyqr.sys --> c:\windows\system32\drivers\qlyqr.sys [?] S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20110114.001\BHDrvx86.sys [1/19/2011 8:09 PM 691248] S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1108000.005\cchpx86.sys [9/24/2010 7:21 AM 501888] S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1108000.005\ironx86.sys [9/24/2010 7:21 AM 116784] S2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [10/15/2008 5:12 PM 159744] S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.8.0.5\ccsvchst.exe [9/24/2010 7:20 AM 126392] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 7:18 AM 102448] S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20110317.005\IDSXpx86.sys [3/24/2011 9:31 AM 341944] S3 MobileAdapter;Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\qscnusb.sys [2/9/2010 6:34 AM 103552] S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [10/15/2008 7:40 PM 625792] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 . Contents of the 'Scheduled Tasks' folder . 2011-01-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1307394343-2684688355-3097896448-1005Core.job - c:\documents and settings\Local User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-16 02:20] . 2011-03-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1307394343-2684688355-3097896448-1005UA.job - c:\documents and settings\Local User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-16 02:20] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.msi.com.tw FF - ProfilePath - . - - - - ORPHANS REMOVED - - - - . HKLM-Run-ITSecMng - %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe SharedTaskScheduler-{55c171c1-84a0-43e0-a8ac-ff8fe49f61be} - c:\windows\system32\jejobadi.dll . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-03-28 19:05 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV] "ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.8.0.5\diMaster.dll\" /prefetch:1" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(704) c:\windows\system32\WININET.dll . Completion time: 2011-03-28 19:09:13 ComboFix-quarantined-files.txt 2011-03-29 01:09 . Pre-Run: 20,520,267,776 bytes free Post-Run: 21,156,429,824 bytes free . WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /safeboot:minimal . - - End Of File - - 94AA5C56A90864A23010E09B8DC4C7CE --------------------------------- DDS log: . DDS (Ver_11-03-05.01) - NTFSx86 MINIMAL Run by Administrator at 19:36:25.57 on Mon 03/28/2011 Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.753 [GMT -6:00] . AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8} . ============== Running Processes =============== . C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\system32\svchost.exe -k netsvcs C:\WINDOWS\explorer.exe C:\Documents and Settings\Administrator\Desktop\dds.scr . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.msi.com.tw BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.8.0.5\IPSBHO.DLL BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File mRun: [igfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [Persistence] c:\windows\system32\igfxpers.exe mRun: [RTHDCPL] RTHDCPL.EXE mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe" mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe mRun: [MP10_EnsureFileVer] c:\windows\inf\unregmp2.exe /EnsureFileVersions mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bodyme~1.lnk - c:\program files\bodymedia\sync\BodyMediaSync.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{4c271126-c295-4828-a901-5910ae0c258b}\Icon3E5562ED7.ico IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\npjpi160_07.dll DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://primis.ebrary.com/support/plugins/ebraryRdr.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Notify: igfxcui - igfxdev.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll . ================= FIREFOX =================== . FF - ProfilePath - . ============= SERVICES / DRIVERS =============== . R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1108000.005\symds.sys [2010-9-24 328752] R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1108000.005\symefa.sys [2010-9-24 173104] R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2008-10-15 156160] S0 vgbqo;vgbqo;c:\windows\system32\drivers\qlyqr.sys --> c:\windows\system32\drivers\qlyqr.sys [?] S1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\bashdefs\20110114.001\BHDrvx86.sys [2011-1-19 691248] S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1108000.005\cchpx86.sys [2010-9-24 501888] S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1108000.005\ironx86.sys [2010-9-24 116784] S2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2008-10-15 159744] S2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.8.0.5\ccsvchst.exe [2010-9-24 126392] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448] S3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\ipsdefs\20110317.005\IDSXpx86.sys [2011-3-24 341944] S3 MobileAdapter;Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\qscnusb.sys [2010-2-9 103552] S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\virusdefs\20110323.035\naveng.sys [2011-3-24 86008] S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\virusdefs\20110323.035\navex15.sys [2011-3-24 1360760] S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2008-10-15 625792] S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344] . =============== Created Last 30 ================ . 2011-03-29 00:57:28 -------- d-sha-r- C:\cmdcons 2011-03-29 00:45:44 98816 ----a-w- c:\windows\sed.exe 2011-03-29 00:45:44 89088 ----a-w- c:\windows\MBR.exe 2011-03-29 00:45:44 256512 ----a-w- c:\windows\PEV.exe 2011-03-29 00:45:44 161792 ----a-w- c:\windows\SWREG.exe 2011-03-25 00:24:39 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes 2011-03-25 00:22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-03-25 00:22:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2011-03-25 00:22:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-03-25 00:22:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-03-25 00:00:12 -------- d-----w- c:\windows\pss 2011-03-24 15:26:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\fMnEpHmBdEi09001 . ==================== Find3M ==================== . . ============= FINISH: 19:36:50.81 ===============
  10. Ran ComboFix. Log posted below. Then immediately ran DDS, with a new copy of DDS, this one worked. Log (not Attach log) is posted below. Of note, ComboFix warned me that Norton Antivirus was running and actively scanning, but as far as i could tell, it wasn't (was listed as both not started and as actually stopped in services manager). Thanks! --------------------------------------------- ComboFix log: ComboFix 11-03-28.01 - Administrator 03/28/2011 18:58:47.1.2 - x86 MINIMAL Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.800 [GMT -6:00] Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8} . . ((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-29 ))))))))))))))))))))))))))))))) . . 2011-03-25 00:22 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-03-25 00:22 . 2011-03-25 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-03-25 00:22 . 2011-03-25 00:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-03-25 00:22 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-03-25 00:03 . 2011-03-25 00:03 -------- d-----w- c:\documents and settings\Administrator 2011-03-24 15:26 . 2011-03-25 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\fMnEpHmBdEi09001 . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744] "Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072] "RTHDCPL"="RTHDCPL.EXE" [2008-05-08 16862208] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792] "MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-07-29 684032] "MP10_EnsureFileVer"="c:\windows\inf\unregmp2.exe" [2008-04-14 208896] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-10 148888] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-08 198160] "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648] "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-2-22 2938184] BodyMedia Sync.lnk - c:\program files\BodyMedia\Sync\BodyMediaSync.exe [2010-4-29 2064384] VPN Client.lnk - c:\windows\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2009-2-3 6144] . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Documents and Settings\\Local User\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"= "c:\\Documents and Settings\\Local User\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"= "c:\\Documents and Settings\\Local User\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "62515:UDP"= 62515:UDP:Cisco VPN Client Split Tunnel "10000:TCP"= 10000:TCP:Cisco VPN Client IPSec TCP . R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1108000.005\symds.sys [9/24/2010 7:21 AM 328752] R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1108000.005\symefa.sys [9/24/2010 7:21 AM 173104] R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [10/15/2008 5:00 PM 156160] S0 vgbqo;vgbqo;c:\windows\system32\drivers\qlyqr.sys --> c:\windows\system32\drivers\qlyqr.sys [?] S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20110114.001\BHDrvx86.sys [1/19/2011 8:09 PM 691248] S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1108000.005\cchpx86.sys [9/24/2010 7:21 AM 501888] S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1108000.005\ironx86.sys [9/24/2010 7:21 AM 116784] S2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [10/15/2008 5:12 PM 159744] S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.8.0.5\ccsvchst.exe [9/24/2010 7:20 AM 126392] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/27/2010 7:18 AM 102448] S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20110317.005\IDSXpx86.sys [3/24/2011 9:31 AM 341944] S3 MobileAdapter;Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\qscnusb.sys [2/9/2010 6:34 AM 103552] S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [10/15/2008 7:40 PM 625792] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 . Contents of the 'Scheduled Tasks' folder . 2011-01-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1307394343-2684688355-3097896448-1005Core.job - c:\documents and settings\Miriam Galeas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-16 02:20] . 2011-03-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1307394343-2684688355-3097896448-1005UA.job - c:\documents and settings\Miriam Galeas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-16 02:20] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.msi.com.tw FF - ProfilePath - . - - - - ORPHANS REMOVED - - - - . HKLM-Run-ITSecMng - %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe SharedTaskScheduler-{55c171c1-84a0-43e0-a8ac-ff8fe49f61be} - c:\windows\system32\jejobadi.dll . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-03-28 19:05 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV] "ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.8.0.5\diMaster.dll\" /prefetch:1" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'explorer.exe'(704) c:\windows\system32\WININET.dll . Completion time: 2011-03-28 19:09:13 ComboFix-quarantined-files.txt 2011-03-29 01:09 . Pre-Run: 20,520,267,776 bytes free Post-Run: 21,156,429,824 bytes free . WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /safeboot:minimal . - - End Of File - - 94AA5C56A90864A23010E09B8DC4C7CE ---------------------------------------- DDS log: . DDS (Ver_11-03-05.01) - NTFSx86 MINIMAL Run by Administrator at 19:36:25.57 on Mon 03/28/2011 Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.753 [GMT -6:00] . AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8} . ============== Running Processes =============== . C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\system32\svchost.exe -k netsvcs C:\WINDOWS\explorer.exe C:\Documents and Settings\Administrator\Desktop\dds.scr . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.msi.com.tw BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.8.0.5\IPSBHO.DLL BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File mRun: [igfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [Persistence] c:\windows\system32\igfxpers.exe mRun: [RTHDCPL] RTHDCPL.EXE mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe" mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe mRun: [MP10_EnsureFileVer] c:\windows\inf\unregmp2.exe /EnsureFileVersions mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bodyme~1.lnk - c:\program files\bodymedia\sync\BodyMediaSync.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{4c271126-c295-4828-a901-5910ae0c258b}\Icon3E5562ED7.ico IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\npjpi160_07.dll DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://primis.ebrary.com/support/plugins/ebraryRdr.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Notify: igfxcui - igfxdev.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll . ================= FIREFOX =================== . FF - ProfilePath - . ============= SERVICES / DRIVERS =============== . R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1108000.005\symds.sys [2010-9-24 328752] R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1108000.005\symefa.sys [2010-9-24 173104] R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2008-10-15 156160] S0 vgbqo;vgbqo;c:\windows\system32\drivers\qlyqr.sys --> c:\windows\system32\drivers\qlyqr.sys [?] S1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\bashdefs\20110114.001\BHDrvx86.sys [2011-1-19 691248] S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1108000.005\cchpx86.sys [2010-9-24 501888] S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1108000.005\ironx86.sys [2010-9-24 116784] S2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2008-10-15 159744] S2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.8.0.5\ccsvchst.exe [2010-9-24 126392] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448] S3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\ipsdefs\20110317.005\IDSXpx86.sys [2011-3-24 341944] S3 MobileAdapter;Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\qscnusb.sys [2010-2-9 103552] S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\virusdefs\20110323.035\naveng.sys [2011-3-24 86008] S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\virusdefs\20110323.035\navex15.sys [2011-3-24 1360760] S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2008-10-15 625792] S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344] . =============== Created Last 30 ================ . 2011-03-29 00:57:28 -------- d-sha-r- C:\cmdcons 2011-03-29 00:45:44 98816 ----a-w- c:\windows\sed.exe 2011-03-29 00:45:44 89088 ----a-w- c:\windows\MBR.exe 2011-03-29 00:45:44 256512 ----a-w- c:\windows\PEV.exe 2011-03-29 00:45:44 161792 ----a-w- c:\windows\SWREG.exe 2011-03-25 00:24:39 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes 2011-03-25 00:22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-03-25 00:22:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2011-03-25 00:22:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-03-25 00:22:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-03-25 00:00:12 -------- d-----w- c:\windows\pss 2011-03-24 15:26:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\fMnEpHmBdEi09001 . ==================== Find3M ==================== . . ============= FINISH: 19:36:50.81 ===============
  11. OTL Extras logfile created on: 3/27/2011 1:38:52 PM - Run 1 OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Administrator\Desktop Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 7.0.5730.13) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 1,013.00 Mb Total Physical Memory | 845.00 Mb Available Physical Memory | 83.00% Memory free 2.00 Gb Paging File | 2.00 Gb Available in Paging File | 98.00% Paging File free Paging file location(s): C:\pagefile.sys 1524 3048 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 39.07 Gb Total Space | 19.18 Gb Free Space | 49.09% Space Free | Partition Type: NTFS Drive D: | 106.07 Gb Total Space | 105.96 Gb Free Space | 99.89% Space Free | Partition Type: NTFS Computer Name: MIRIAM | User Name: Administrator | Logged in as Administrator. Boot Mode: SafeMode | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* exefile [open] -- "%1" %* htmlfile [edit] -- Reg Error: Key error. InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "FirstRunDisabled" = 1 "AntiVirusDisableNotify" = 0 "FirewallDisableNotify" = 0 "UpdatesDisableNotify" = 0 "AntiVirusOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall] "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall] ========== System Restore Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore] "DisableSR" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr] "Start" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService] "Start" = 2 ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List] "62515:UDP" = 62515:UDP:*:Enabled:Cisco VPN Client Split Tunnel "10000:TCP" = 10000:TCP:*:Enabled:Cisco VPN Client IPSec TCP [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DoNotAllowExceptions" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "62515:UDP" = 62515:UDP:*:Enabled:Cisco VPN Client Split Tunnel "10000:TCP" = 10000:TCP:*:Enabled:Cisco VPN Client IPSec TCP ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\Documents and Settings\Local User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe" = C:\Documents and Settings\Local User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe:*:Enabled:Octoshape add-in for Adobe Flash Player -- (Octoshape ApS) "C:\Documents and Settings\Local User\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll" = C:\Documents and Settings\Local User\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll:*:Enabled:Google Talk Plugin -- (Google) "C:\Documents and Settings\Local User\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Local User\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google) "C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.) "C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Explorer -- (Microsoft Corporation) "C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- (Google) ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{005F78AF-110D-398A-8430-BE98950A1E22}" = Google Talk Plugin "{1F63ED0B-EDD2-4037-B6AB-1358C624AF48}" = Scan "{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime "{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only) "{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java 6 Update 12 "{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java 6 Update 7 "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP "{3DEA9F09-A904-4C73-B324-DCC9406BDA78}" = E. coli Infection in Michigan Case Study "{4C271126-C295-4828-A901-5910AE0C258B}" = Cisco Systems VPN Client 5.0.03.0530 "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update "{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin "{7236B969-6A18-42DD-ADE4-BBA2604F34C8}" = DJ_SF_03_D2500_Software_Min "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable "{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com "{85BCFC91-8B4F-40C1-966A-F2DB44482F60}" = BodyMedia SYNC "{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder "{89B066F1-E675-4BB7-9336-2056672D5724}" = Complete Package for Botulism in Argentina Computer-based Case Study "{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour "{8D71A9AD-1F70-4BDB-9B42-9162FE3CB530}" = Gastroenteritis at a University in Texas Case Study "{9455959E-D588-EFAE-329C-F66CC797F32A}" = Adobe Media Player "{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars "{9AE395DB-6BC3-4CA9-B894-351CB8DE915A}" = BurnRecovery "{A1062847-0846-427A-92A1-BB8251A91E91}" = HP PSC & OfficeJet 4.2 "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR "{A3BE3F1E-2472-4211-8735-E8239BE49D9F}" = Ulead Burn.Now 4.5 "{A4EA3AB4-E78C-4286-96DF-26035507CE55}" = AiO_Scan "{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2 "{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver "{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba "{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype
  12. Ok, thanks. Ran MBAM, including requested restart. Log below. Ran OTL after restart. OTL log below, and Extras log in next post. Thanks for the help! MBAM log: Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 6185 Windows 5.1.2600 Service Pack 3 (Safe Mode) Internet Explorer 7.0.5730.13 3/27/2011 1:33:28 PM mbam-log-2011-03-27 (13-33-28).txt Scan type: Quick scan Objects scanned: 150815 Time elapsed: 5 minute(s), 56 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: c:\WINDOWS\system32\audinmgr.dll (Spyware.Agent) -> Delete on reboot. Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: c:\WINDOWS\system32\audinmgr.dll (Spyware.Agent) -> Quarantined and deleted successfully. ------------------------------- OTL.txt log: OTL logfile created on: 3/27/2011 1:38:52 PM - Run 1 OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Administrator\Desktop Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 7.0.5730.13) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 1,013.00 Mb Total Physical Memory | 845.00 Mb Available Physical Memory | 83.00% Memory free 2.00 Gb Paging File | 2.00 Gb Available in Paging File | 98.00% Paging File free Paging file location(s): C:\pagefile.sys 1524 3048 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 39.07 Gb Total Space | 19.18 Gb Free Space | 49.09% Space Free | Partition Type: NTFS Drive D: | 106.07 Gb Total Space | 105.96 Gb Free Space | 99.89% Space Free | Partition Type: NTFS Computer Name: MIRIAM | User Name: Administrator | Logged in as Administrator. Boot Mode: SafeMode | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2011/03/27 12:35:12 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe PRC - [2008/04/14 06:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe ========== Modules (SafeList) ========== MOD - [2011/03/27 12:35:12 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe MOD - [2008/04/14 06:00:00 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ========== Win32 Services (SafeList) ========== SRV - File not found [Disabled | Stopped] -- -- (HidServ) SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt) SRV - [2010/02/25 18:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) [unknown | Stopped] -- C:\Program Files\Norton AntiVirus\Engine\17.8.0.5\ccSvcHst.exe -- (NAV) SRV - [2008/06/09 18:26:52 | 000,159,744 | ---- | M] () [Auto | Stopped] -- C:\Program Files\System Control Manager\MSIService.exe -- (Micro Star SCM) SRV - [2008/04/17 10:08:46 | 001,528,608 | ---- | M] (Cisco Systems, Inc.) [Auto | Stopped] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND) SRV - [2007/09/28 17:05:16 | 000,128,360 | ---- | M] (TOSHIBA CORPORATION) [Auto | Stopped] -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service) ========== Driver Services (SafeList) ========== DRV - [2011/03/24 09:28:30 | 001,360,760 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20110323.035\navex15.sys -- (NAVEX15) DRV - [2011/03/24 09:28:30 | 000,086,008 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20110323.035\naveng.sys -- (NAVENG) DRV - [2010/12/01 02:03:34 | 000,341,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20110317.005\IDSXpx86.sys -- (IDSxpx86) DRV - [2010/11/22 20:20:07 | 000,691,248 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20110114.001\BHDrvx86.sys -- (BHDrvx86) DRV - [2010/05/27 07:18:37 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv) DRV - [2010/05/27 07:18:36 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl) DRV - [2010/05/05 22:01:59 | 000,361,904 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\Drivers\NAV\1108000.005\SYMTDI.SYS -- (SYMTDI) DRV - [2010/05/05 22:01:43 | 000,047,408 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP) DRV - [2010/05/05 22:01:43 | 000,047,408 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM) DRV - [2010/04/28 23:03:51 | 000,116,784 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\NAV\1108000.005\Ironx86.SYS -- (SymIRON) DRV - [2010/04/21 21:02:20 | 000,173,104 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NAV\1108000.005\SYMEFA.SYS -- (SymEFA) DRV - [2010/04/21 20:29:50 | 000,325,680 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\NAV\1108000.005\SRTSP.SYS -- (SRTSP) DRV - [2010/04/21 20:29:50 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\NAV\1108000.005\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL) DRV - [2010/02/25 18:22:57 | 000,501,888 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\NAV\1108000.005\ccHPx86.sys -- (ccHP) DRV - [2009/12/04 18:39:46 | 000,071,488 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ftser2k.sys -- (FTSER2K) DRV - [2009/12/04 18:39:46 | 000,053,184 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ftdibus.sys -- (FTDIBUS) DRV - [2009/11/05 16:06:13 | 000,328,752 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NAV\1108000.005\SYMDS.SYS -- (SymDS) DRV - [2009/10/26 09:37:31 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent) DRV - [2009/08/28 07:20:02 | 000,103,552 | R--- | M] (QUALCOMM Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\qscnusb.sys -- (MobileAdapter) DRV - [2008/07/10 11:33:40 | 000,306,176 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtl8187Se.sys -- (rtl8187Se) DRV - [2008/06/10 21:23:07 | 000,106,368 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp) DRV - [2008/06/10 21:23:01 | 000,156,160 | R--- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTS5121.sys -- (RSUSBSTOR) DRV - [2008/05/19 14:49:14 | 000,625,792 | R--- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt2860.sys -- (RT80x86) DRV - [2008/05/07 22:21:40 | 004,739,072 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM) DRV - [2008/04/17 10:07:52 | 000,306,299 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA) DRV - [2008/04/08 19:45:42 | 001,309,504 | R--- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416) DRV - [2008/03/29 18:36:28 | 000,125,328 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE) DRV - [2008/02/15 16:01:06 | 000,131,712 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfbd.sys -- (tosrfbd) DRV - [2008/01/31 16:55:06 | 000,074,240 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Tosrfhid.sys -- (Tosrfhid) DRV - [2008/01/22 21:57:48 | 000,054,144 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TosRfSnd.sys -- (TosRfSnd) DRV - [2007/11/29 10:45:44 | 000,036,608 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfbnp.sys -- (tosrfbnp) DRV - [2007/10/18 15:25:00 | 000,041,856 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfusb.sys -- (Tosrfusb) DRV - [2007/10/02 12:43:22 | 000,064,128 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\tosrfcom.sys -- (Tosrfcom) DRV - [2007/01/18 18:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA) DRV - [2006/10/10 20:33:00 | 000,041,600 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosporte.sys -- (tosporte) DRV - [2005/01/26 12:22:20 | 000,280,344 | ---- | M] (Zone Labs LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant) DRV - [2005/01/07 06:42:00 | 000,018,612 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfnds.sys -- (tosrfnds) DRV - [2004/12/23 05:47:10 | 000,027,392 | R--- | M] (Ulead Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ULCDRHlp.sys -- (ULCDRHlp) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msi.com.tw IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 FF - HKLM\software\mozilla\Firefox\extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\IPSFFPlgn\ [2010/05/25 15:49:08 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/17 07:29:25 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/11 17:11:57 | 000,000,000 | ---D | M] [2011/02/23 10:33:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions [2010/07/22 04:36:13 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1} O1 HOSTS File: ([2008/04/14 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer) O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found. O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\17.8.0.5\ipsbho.dll (Symantec Corporation) O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.) O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found. O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.) O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe (Google) O4 - HKLM..\Run: [iTSecMng] C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe ( TOSHIBA CORPORATION) O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe (Mirco-Star International CO., LTD.) O4 - HKLM..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe (Microsoft Corporation) O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.) O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk = C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BodyMedia Sync.lnk = C:\Program Files\BodyMedia\Sync\BodyMediaSync.exe (BodyMedia, Inc.) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.) O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} http://primis.ebrary.com/support/plugins/ebraryRdr.cab (Infotl Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12) O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07) O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12) O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.) O20 - AppInit_DLLs: (c:\windows\system32\jejobadi.dll) - File not found O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O22 - SharedTaskScheduler: {55c171c1-84a0-43e0-a8ac-ff8fe49f61be} - tokatiluy - File not found O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Wall Paper.bmp O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Wall Paper.bmp O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2008/10/15 16:15:24 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O36 - AppCertDlls: clipager - (C:\WINDOWS\system32\audinmgr.dll) - File not found O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 30 Days ========== [2011/03/27 13:35:21 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe [2011/03/24 20:20:05 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator\Desktop\HijackThis.exe [2011/03/24 18:24:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes [2011/03/24 18:22:54 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2011/03/24 18:22:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware [2011/03/24 18:22:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes [2011/03/24 18:22:47 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2011/03/24 18:22:47 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2011/03/24 18:06:50 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe [2011/03/24 18:03:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\InstallShield [2011/03/24 18:03:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Identities [2011/03/24 18:03:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Adobe [2011/03/24 18:03:46 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Application Data\Microsoft [2011/03/24 18:03:46 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\SendTo [2011/03/24 18:03:46 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent [2011/03/24 18:03:46 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Application Data [2011/03/24 18:03:46 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup [2011/03/24 18:03:46 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu [2011/03/24 18:03:46 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Pictures [2011/03/24 18:03:46 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Music [2011/03/24 18:03:46 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents [2011/03/24 18:03:46 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Favorites [2011/03/24 18:03:46 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories [2011/03/24 18:03:46 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\Cookies [2011/03/24 18:03:46 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Templates [2011/03/24 18:03:46 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\PrintHood [2011/03/24 18:03:46 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\NetHood [2011/03/24 18:03:46 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Local Settings [2011/03/24 18:03:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\WinRAR [2011/03/24 18:03:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Toshiba [2011/03/24 18:03:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft Help [2011/03/24 18:03:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft [2011/03/24 18:03:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop [2011/03/24 18:03:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe [2011/03/24 18:00:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss [2011/03/24 09:26:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\fMnEpHmBdEi09001 [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2011/03/27 13:37:39 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2011/03/27 13:37:34 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2011/03/27 12:35:12 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe [2011/03/25 00:54:34 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr [2011/03/24 20:15:56 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator\Desktop\HijackThis.exe [2011/03/24 20:08:48 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\iExplore.exe.msi [2011/03/24 18:22:54 | 000,000,794 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2011/03/24 18:00:50 | 000,000,229 | RHS- | M] () -- C:\boot.ini [2011/03/24 18:00:43 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk [2011/03/24 10:44:56 | 001,006,778 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\rkill.exe [2011/03/24 09:20:04 | 000,315,076 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2011/03/24 09:20:04 | 000,041,238 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2011/03/23 14:21:58 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe [2011/03/21 09:07:06 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1307394343-2684688355-3097896448-1005UA.job [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files Created - No Company Name ========== [2011/03/25 01:27:10 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr [2011/03/24 20:12:43 | 001,402,880 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\iExplore.exe.msi [2011/03/24 18:22:54 | 000,000,794 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2011/03/24 18:06:57 | 001,006,778 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\rkill.exe [2011/03/24 18:06:54 | 000,000,552 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\fixme.bat [2011/03/24 18:03:48 | 000,001,525 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Magnifier.lnk [2011/03/24 18:03:48 | 000,000,779 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk [2011/03/24 18:03:48 | 000,000,612 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Install winzip111_MSI.lnk [2011/03/24 18:03:48 | 000,000,506 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Install NIS2008.lnk [2011/03/24 18:03:48 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf [2011/03/24 18:03:47 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk [2011/03/24 18:03:47 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Explorer.lnk [2011/03/24 18:03:47 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Outlook Express.lnk [2010/10/14 17:01:07 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini [2010/07/07 18:55:39 | 000,163,150 | ---- | C] () -- C:\WINDOWS\hphins25.dat [2010/07/07 18:55:39 | 000,000,795 | ---- | C] () -- C:\WINDOWS\hphmdl25.dat [2010/03/09 07:25:03 | 000,103,535 | ---- | C] () -- C:\WINDOWS\hpoins04.dat [2010/03/09 07:25:03 | 000,017,176 | ---- | C] () -- C:\WINDOWS\hpomdl04.dat [2010/02/04 22:09:25 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A5W.INI [2009/10/25 23:18:41 | 000,000,095 | ---- | C] () -- C:\WINDOWS\wininit.ini [2009/02/11 12:06:43 | 000,000,034 | ---- | C] () -- C:\WINDOWS\ebraryRdr.ini [2009/01/25 21:28:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat [2008/10/15 20:37:07 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini [2008/10/15 18:23:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\tosOBEX.INI [2008/10/15 17:00:08 | 006,184,960 | R--- | C] () -- C:\WINDOWS\System32\RTS5121icon.dll [2008/10/15 16:58:58 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\ChCfg.exe [2008/10/15 16:57:11 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4906.dll [2008/10/15 16:18:06 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat [2008/10/15 16:13:09 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat [2008/10/15 15:59:25 | 000,001,188 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini [2008/10/15 15:59:17 | 000,315,076 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat [2008/10/15 15:59:17 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat [2008/10/15 15:59:17 | 000,041,238 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat [2008/10/15 15:59:17 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat [2008/10/15 15:59:17 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat [2008/10/15 15:59:16 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin [2008/10/15 15:59:16 | 000,004,628 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat [2008/10/15 15:59:15 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat [2008/10/15 15:59:14 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat [2008/10/15 15:59:14 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin [2008/10/15 15:59:12 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat [2008/10/15 15:59:10 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin [2008/10/15 09:07:01 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI [2008/10/15 09:06:04 | 000,302,032 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2008/04/17 10:08:56 | 000,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll [2008/04/17 10:08:44 | 000,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll [2007/12/21 17:46:32 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll [2005/07/22 22:30:18 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll ========== Alternate Data Streams ========== @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 < End of report >
  13. Thank you for your response. I updated and ran MBAM, quick scan. I'll post the log below. Downloaded and ran DDS. DDS did not complete it's scan. The program says it should not run for more than three minutes. The first shot i ran it for 30 and nothing happened. I forced it to quit and ran it and let it go overnight, and it still didn't complete. Tried it a couple more times this morning with the same results. Please advise, I didn't have MBAM take care of the two infected files it found and also didn't restart, as these steps weren't part of your instructions. Not sure what to do next. Thank you. Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 6164 Windows 5.1.2600 Service Pack 3 (Safe Mode) Internet Explorer 7.0.5730.13 3/25/2011 1:27:00 AM mbam-log-2011-03-25 (01-26-37).txt Scan type: Quick scan Objects scanned: 150493 Time elapsed: 6 minute(s), 40 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: c:\WINDOWS\system32\audinmgr.dll (Spyware.Agent) -> No action taken. Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: c:\WINDOWS\system32\audinmgr.dll (Spyware.Agent) -> No action taken.
  14. Greetings, I need help with removal System Tool 2011 from a laptop. I looked up this problem on here and several other forums and performed these steps. -Restarted comp in safe mode. -Using a flash drive downloaded a copy of fixme.bat and rkill. -Ran fixme.bat, then rkill (rkill log text below). -Then installed (from flash drive) MBAM. Copied over updated definitions file so up to date as of today. -Ran mbam, got two infected files. Allowed mbam to fix, log copied below. -Restarted in safe mode. -Ran mbam again... got one infected file (again!). Allowed mbam to fix, log copied below. -Restarted again in safe mode. Downloaded Hijackthis from flashdrive. Ran it, got log file posted below. At this point i will wait to rerun mbam again, and really do anything (i'll leave hijackthis up and running, too) until i hear back what i might try for the next steps. It looks like the initial wipe found something but it didn't solve the problem so repeated wipes probably won't... I did find, as some sites suggested, a folder and file in the Application Data folder that was just random letters and numbers. Some people it seems have found success with just deleting that, but i'll hold off on that, too, until i hear more. Any help here would be much appreciated! Thank you, d Logs: ------------------------------------------------------- rkill log: This log file is located at C:\rkill.log. Please post this only if requested to by the person helping you. Otherwise you can close this log when you wish. Rkill was run on 03/24/2011 at 18:12:58. Operating System: Microsoft Windows XP Processes terminated by Rkill or while it was running: C:\WINDOWS\system32\grpconv.exe Rkill completed on 03/24/2011 at 18:17:22. ------------------------------------------------------- *First MBAM log: Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 6155 Windows 5.1.2600 Service Pack 3 (Safe Mode) Internet Explorer 7.0.5730.13 3/24/2011 7:16:24 PM mbam-log-2011-03-24 (19-16-23).txt Scan type: Full scan (C:\|D:\|E:\|) Objects scanned: 205938 Time elapsed: 39 minute(s), 58 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: c:\documents and settings\all users\application data\fmnephmbdei09001\fmnephmbdei09001.exe (Rogue.SystemTool) -> Quarantined and deleted successfully. c:\documents and settings\local user name\local settings\Temp\jar_cache4353506671824096356.tmp (Rogue.SystemTool) -> Quarantined and deleted successfully. ------------------------------------------------------- *Second MBAM log: Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 6155 Windows 5.1.2600 Service Pack 3 (Safe Mode) Internet Explorer 7.0.5730.13 3/24/2011 8:00:38 PM mbam-log-2011-03-24 (20-00-38).txt Scan type: Full scan (C:\|) Objects scanned: 205542 Time elapsed: 38 minute(s), 42 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: c:\system volume information\_restore{009fb4c4-b52a-465b-b45b-0987ad0a0b74}\RP202\A0265602.exe (Rogue.SystemTool) -> Quarantined and deleted successfully. ------------------------------------------------------- *HijackThis log: Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 8:20:26 PM, on 3/24/2011 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16915) Boot mode: Safe mode Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Documents and Settings\Administrator\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msi.com.tw R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file) O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\17.8.0.5\IPSBHO.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file) O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe O4 - HKLM\..\Run: [iTSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Bluetooth Manager.lnk = ? O4 - Global Startup: BodyMedia Sync.lnk = C:\Program Files\BodyMedia\Sync\BodyMediaSync.exe O4 - Global Startup: VPN Client.lnk = ? O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.msi.com.tw O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://primis.ebrary.com/support/plugins/ebraryRdr.cab O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab O20 - AppInit_DLLs: c:\windows\system32\jejobadi.dll O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: tokatiluy - {55c171c1-84a0-43e0-a8ac-ff8fe49f61be} - c:\windows\system32\jejobadi.dll (file missing) O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Micro Star SCM - Unknown owner - C:\Program Files\System Control Manager\MSIService.exe O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\17.8.0.5\ccSvcHst.exe O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- End of file - 6311 bytes