MBAM-PUM.Hijack.Explorer - Geeks to Go Forums


MBAM-PUM.Hijack.Explorer Windows XP infected with this malware and I can't get rid of it

#1 kevmartin01

  • Group: Member
  • Posts: 20
  • Joined: 02-March 11

Posted 02 March 2011 - 04:41 PM

I have run the following tools but they have not fixed the issue:
MBAM (partially fixes, temporarily though)
Symantec Anti-virus
McAfee Stinger
Super Antispyware
RKill
F-Secure Blacklight Rootkit Revealer
Hijack This
Look2meDestroyer
smitfraud fix
sophos antirootkit
about buster
ccleaner
combofix
virtumondo be gone
vundo fix

I have just run OTL per your forum directions and here is my log file:
OTL.txt
OTL logfile created on: 3/2/2011 4:26:09 PM - Run 1
OTL by OldTimer - Version 3.2.22.2 Folder = C:\Documents and Settings\administrator\Desktop\OTL_ListIt
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 273.00 Mb Available Physical Memory | 27.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.45 Gb Total Space | 57.26 Gb Free Space | 76.92% Space Free | Partition Type: NTFS
Drive G: | 272.24 Gb Total Space | 59.97 Gb Free Space | 22.03% Space Free | Partition Type: NTFS
Drive H: | 273.24 Gb Total Space | 155.03 Gb Free Space | 56.74% Space Free | Partition Type: NTFS
Drive I: | 272.24 Gb Total Space | 59.97 Gb Free Space | 22.03% Space Free | Partition Type: NTFS
Drive M: | 272.24 Gb Total Space | 59.97 Gb Free Space | 22.03% Space Free | Partition Type: NTFS
Drive N: | 53.04 Gb Total Space | 20.19 Gb Free Space | 38.07% Space Free | Partition Type: NTFS
Drive S: | 272.24 Gb Total Space | 59.97 Gb Free Space | 22.03% Space Free | Partition Type: NTFS
Drive T: | 272.24 Gb Total Space | 59.97 Gb Free Space | 22.03% Space Free | Partition Type: NTFS

Computer Name: GCP-H79TGB1 | User Name: administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/02 16:22:46 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\administrator\Desktop\OTL_ListIt\OTL.exe
PRC - [2009/10/08 09:48:04 | 000,030,240 | ---- | M] (Laserfiche) -- C:\Program Files\Laserfiche\Client 8\Snapshot 8\SnapshotService80.exe
PRC - [2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/09/27 19:33:44 | 000,125,168 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2006/09/27 19:33:38 | 000,116,464 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe
PRC - [2006/09/27 19:33:32 | 001,813,232 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2006/09/27 19:33:22 | 000,031,472 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2006/07/19 18:26:12 | 000,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2006/07/19 18:26:06 | 000,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2006/07/19 18:26:04 | 000,052,896 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2006/04/11 16:13:38 | 001,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe


========== Modules (SafeList) ==========

MOD - [2011/03/02 16:22:46 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\administrator\Desktop\OTL_ListIt\OTL.exe
MOD - [2010/08/23 10:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2009/10/08 09:48:04 | 000,030,240 | ---- | M] (Laserfiche) [Auto | Running] -- C:\Program Files\Laserfiche\Client 8\Snapshot 8\SnapshotService80.exe -- (Laserfiche Snapshot Service 8)
SRV - [2009/09/14 13:23:56 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [Disabled | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2006/09/27 19:33:38 | 000,116,464 | ---- | M] (symantec) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2006/09/27 19:33:32 | 001,813,232 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2006/09/27 19:33:22 | 000,031,472 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2006/09/02 15:36:33 | 002,528,960 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE -- (LiveUpdate)
SRV - [2006/08/07 15:03:02 | 000,214,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2006/07/19 18:26:12 | 000,169,632 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2006/07/19 18:26:06 | 000,192,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2006/04/11 16:13:38 | 001,160,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)


========== Driver Services (SafeList) ==========

DRV - [2011/02/15 09:40:16 | 001,360,760 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110223.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/02/15 09:40:16 | 000,086,008 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110223.002\NAVENG.SYS -- (NAVENG)
DRV - [2010/05/21 16:41:04 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/05/21 16:41:01 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/05/10 12:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 12:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/08/05 21:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2009/06/18 12:54:10 | 000,006,144 | ---- | M] (Sophos Plc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\2.tmp -- (MEMSWEEP2)
DRV - [2006/09/18 16:55:28 | 000,109,744 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2006/09/06 13:41:20 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2006/09/06 13:41:20 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2006/08/07 15:02:26 | 000,195,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2006/08/07 15:02:22 | 000,024,768 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2006/07/14 10:45:20 | 000,156,160 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2006/04/11 16:13:34 | 000,389,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2004/09/17 08:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1935655697-1292428093-1417001333-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1935655697-1292428093-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1935655697-1292428093-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>



O1 HOSTS File: ([2005/08/23 13:33:06 | 000,000,713 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-1935655697-1292428093-1417001333-500\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\SQM present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1935655697-1292428093-1417001333-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1935655697-1292428093-1417001333-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 181
O7 - HKU\S-1-5-21-1935655697-1292428093-1417001333-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 1
O7 - HKU\S-1-5-21-1935655697-1292428093-1417001333-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogOff = 1
O7 - HKU\S-1-5-21-1935655697-1292428093-1417001333-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1935655697-1292428093-1417001333-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1935655697-1292428093-1417001333-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarCustomize = 1
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1252955716384 (MUWebControl Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.10 10.0.0.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aaahc.org
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/09/14 12:18:18 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/01/26 17:28:41 | 000,351,696 | ---- | M] () - S:\autoarchive_outlook_2007.pdf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/02 16:23:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\administrator\Desktop\OTL_ListIt
[2011/03/02 16:17:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\administrator\Application Data\Macromedia
[2011/03/02 12:21:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\administrator\DoctorWeb
[2011/03/02 12:19:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\administrator\Desktop\Dr.WebCureIt
[2011/03/01 10:20:01 | 000,000,000 | ---D | C] -- C:\VundoFix Backups
[2011/03/01 10:19:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Sophos
[2011/03/01 10:19:21 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2011/03/01 10:08:39 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/03/01 10:07:19 | 000,000,000 | ---D | C] -- C:\MRTs
[2011/03/01 09:45:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/03/01 09:38:00 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/02/23 11:59:09 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\administrator\Recent
[2011/02/23 11:58:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\administrator\Start Menu\Programs\CCleaner
[2011/02/23 11:58:57 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/02/23 09:24:13 | 000,000,000 | ---D | C] -- C:\Qoobox
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/02 16:16:12 | 000,000,255 | ---- | M] () -- C:\WINDOWS\hpbafd.ini
[2011/03/02 16:15:27 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/02 16:12:51 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/01 09:53:01 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/02/23 11:58:58 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\administrator\Desktop\CCleaner.lnk
[2011/02/19 15:17:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/02/16 15:51:35 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Office Word 2007.lnk
[2011/02/10 08:01:53 | 000,269,392 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/01 09:52:09 | 000,001,787 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
[2011/02/23 11:58:58 | 000,001,548 | ---- | C] () -- C:\Documents and Settings\administrator\Desktop\CCleaner.lnk
[2010/10/14 10:07:33 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2010/10/14 09:57:45 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/10/14 09:57:45 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/10/14 09:57:45 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/10/14 09:57:45 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/10/14 09:57:45 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/08/02 09:07:16 | 000,056,884 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/03/01 11:33:07 | 000,000,181 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/09/15 09:47:13 | 000,000,025 | ---- | C] () -- C:\WINDOWS\LF.ini
[2009/09/14 13:05:23 | 000,000,255 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2009/09/14 12:20:33 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/09/14 12:15:34 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/09/14 06:48:45 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/09/14 06:47:45 | 000,269,392 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 14:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/04/23 23:02:14 | 000,491,520 | ---- | C] () -- C:\WINDOWS\System32\LFSS80ResNT.dll
[2008/05/26 20:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 20:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2007/09/27 09:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 09:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 09:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2006/02/28 06:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/28 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/28 06:00:00 | 000,465,404 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/28 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/28 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/28 06:00:00 | 000,079,306 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/28 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/28 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/28 06:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/28 06:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/28 06:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2006/02/28 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2010/08/05 14:34:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator\Application Data\Lf
[2010/10/14 10:40:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator\Application Data\TeamViewer
[2009/09/14 14:30:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator\Application Data\Windows Desktop Search
[2009/09/15 08:06:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator\Application Data\Windows Search
[2011/01/12 16:23:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator\Application Data\Xerox
[2010/02/18 09:24:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/09/15 12:24:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\gcharlton-perrin\Application Data\Lf
[2010/11/19 11:32:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\gcharlton-perrin\Application Data\webex
[2009/09/15 12:17:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\gcharlton-perrin\Application Data\Windows Desktop Search
[2009/09/15 12:35:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\gcharlton-perrin\Application Data\Windows Search
[2010/11/18 10:44:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\gcharlton-perrin\Application Data\Xerox

========== Purity Check ==========



< End of report >

and here is the "extras.txt" log:
OTL Extras logfile created on: 3/2/2011 4:26:09 PM - Run 1
OTL by OldTimer - Version 3.2.22.2 Folder = C:\Documents and Settings\administrator\Desktop\OTL_ListIt
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 273.00 Mb Available Physical Memory | 27.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.45 Gb Total Space | 57.26 Gb Free Space | 76.92% Space Free | Partition Type: NTFS
Drive G: | 272.24 Gb Total Space | 59.97 Gb Free Space | 22.03% Space Free | Partition Type: NTFS
Drive H: | 273.24 Gb Total Space | 155.03 Gb Free Space | 56.74% Space Free | Partition Type: NTFS
Drive I: | 272.24 Gb Total Space | 59.97 Gb Free Space | 22.03% Space Free | Partition Type: NTFS
Drive M: | 272.24 Gb Total Space | 59.97 Gb Free Space | 22.03% Space Free | Partition Type: NTFS
Drive N: | 53.04 Gb Total Space | 20.19 Gb Free Space | 38.07% Space Free | Partition Type: NTFS
Drive S: | 272.24 Gb Total Space | 59.97 Gb Free Space | 22.03% Space Free | Partition Type: NTFS
Drive T: | 272.24 Gb Total Space | 59.97 Gb Free Space | 22.03% Space Free | Partition Type: NTFS

Computer Name: GCP-H79TGB1 | User Name: administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications]
"AllowUserPrefMerge" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications]
"AllowUserPrefMerge" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{10A44844-4465-456E-8C97-80BDD4F68845}" = Windows Live ID Sign-in Assistant
"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2CC31A8B-A5EB-4470-90DF-FD8B8987C548}" = Laserfiche Client 8.1
"{33CFCF98-F8D6-4549-B469-6F4295676D83}" = Symantec AntiVirus
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{47ECCB1F-2811-49C0-B6A7-26778639ABA0}" = 32 Bit HP CIO Components Installer
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{2B9A891F-DDF6-40D7-AF81-1CC80E271EE5}" =
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-1033-0000-7760-000000000003}" = Adobe Acrobat 8 Professional
"{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}" = Microsoft Office Live Add-in 1.4
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2D4582F-C436-4896-9526-C7E7DD8D49B7}" = NFOutlook07
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F439D7AF-03F3-4F8E-AEC4-571BFE977C61}" = iTunes
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"Adobe Acrobat 8 Professional" = Adobe Acrobat 8.2.0 Professional
"Adobe Acrobat 8 Professional_820" = Adobe Acrobat 8.2.0 - CPSID_52074
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"CCleaner" = CCleaner
"HijackThis" = HijackThis 1.99.1
"ie8" = Windows Internet Explorer 8
"LiveUpdate" = LiveUpdate 3.1 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"PROPLUS" = Microsoft Office Professional Plus 2007
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.0
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/1/2011 11:31:55 AM | Computer Name = GCP-H79TGB1 | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\32788R22FWJFW\pev.exe (PID 2756) Time: Tuesday, March 01, 2011 9:31:55 AM

Error - 3/1/2011 11:31:56 AM | Computer Name = GCP-H79TGB1 | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\32788R22FWJFW\License\iexplore.exe (PID 2716) Time: Tuesday, March 01, 2011
9:31:56 AM

Error - 3/1/2011 11:31:56 AM | Computer Name = GCP-H79TGB1 | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\32788R22FWJFW\pev.exe (PID 3276) Time: Tuesday, March 01, 2011 9:31:56 AM

Error - 3/1/2011 11:31:58 AM | Computer Name = GCP-H79TGB1 | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\32788R22FWJFW\License\firefox.exe (PID 2528) Time: Tuesday, March 01, 2011
9:31:58 AM

Error - 3/1/2011 11:33:21 AM | Computer Name = GCP-H79TGB1 | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\32788R22FWJFW\pev.exe (PID 1284) Time: Tuesday, March 01, 2011 9:33:21 AM

Error - 3/1/2011 11:33:21 AM | Computer Name = GCP-H79TGB1 | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\32788R22FWJFW\License\iexplore.exe (PID 3884) Time: Tuesday, March 01, 2011
9:33:21 AM

Error - 3/1/2011 11:33:22 AM | Computer Name = GCP-H79TGB1 | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\32788R22FWJFW\pev.exe (PID 3996) Time: Tuesday, March 01, 2011 9:33:22 AM

Error - 3/1/2011 11:33:24 AM | Computer Name = GCP-H79TGB1 | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\32788R22FWJFW\License\firefox.exe (PID 2772) Time: Tuesday, March 01, 2011
9:33:24 AM

Error - 3/2/2011 11:32:51 AM | Computer Name = GCP-H79TGB1 | Source = Microsoft Office 12 | ID = 1000
Description = Faulting application outlook.exe, version 12.0.6550.5003, stamp 4d10fbc4,
faulting module mso.dll, version 12.0.6545.5004, stamp 4c9344d2, debug? 0, fault
address 0x008da853.

Error - 3/2/2011 6:16:51 PM | Computer Name = GCP-H79TGB1 | Source = MsiInstaller | ID = 10005
Description = Product: 32 Bit HP BiDi Channel Components Installer -- The installer
has encountered an unexpected error installing this package. This may indicate
a problem with this package. The error code is 2753. The arguments are: ipm12.CF34E983_546C_421F_A494_3C30281E4CF3,
,

[ OSession Events ]
Error - 7/16/2010 11:34:13 AM | Computer Name = GCP-H79TGB1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6535.5005, Microsoft Office Version: 12.0.6425.1000. This session lasted 2566
seconds with 1200 seconds of active time. This session ended with a crash.

Error - 10/5/2010 11:58:26 AM | Computer Name = GCP-H79TGB1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6541.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1648320
seconds with 33300 seconds of active time. This session ended with a crash.

Error - 10/12/2010 10:26:02 AM | Computer Name = GCP-H79TGB1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6539.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3443
seconds with 1260 seconds of active time. This session ended with a crash.

Error - 11/29/2010 12:38:09 PM | Computer Name = GCP-H79TGB1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6539.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 6779
seconds with 2340 seconds of active time. This session ended with a crash.

Error - 1/6/2011 5:56:59 PM | Computer Name = GCP-H79TGB1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6539.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 6171
seconds with 180 seconds of active time. This session ended with a crash.

Error - 1/20/2011 3:55:57 PM | Computer Name = GCP-H79TGB1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 16011
seconds with 5460 seconds of active time. This session ended with a crash.

Error - 2/8/2011 5:13:49 PM | Computer Name = GCP-H79TGB1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 13688
seconds with 2940 seconds of active time. This session ended with a crash.

Error - 2/10/2011 5:32:29 PM | Computer Name = GCP-H79TGB1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 2302
seconds with 960 seconds of active time. This session ended with a crash.

Error - 2/23/2011 10:40:33 PM | Computer Name = GCP-H79TGB1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 23254
seconds with 2040 seconds of active time. This session ended with a crash.

Error - 3/2/2011 11:32:44 AM | Computer Name = GCP-H79TGB1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 3642
seconds with 1080 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 3/2/2011 11:34:30 AM | Computer Name = GCP-H79TGB1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.

Error - 3/2/2011 11:34:24 AM | Computer Name = GCP-H79TGB1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.

Error - 3/2/2011 11:34:17 AM | Computer Name = GCP-H79TGB1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.

Error - 3/2/2011 11:34:11 AM | Computer Name = GCP-H79TGB1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.

Error - 3/2/2011 11:33:59 AM | Computer Name = GCP-H79TGB1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.

Error - 3/2/2011 12:19:24 PM | Computer Name = GCP-H79TGB1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.

Error - 3/2/2011 12:19:24 PM | Computer Name = GCP-H79TGB1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.

Error - 3/2/2011 12:18:44 PM | Computer Name = GCP-H79TGB1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.

Error - 3/2/2011 12:56:25 PM | Computer Name = GCP-H79TGB1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.

Error - 3/2/2011 12:56:25 PM | Computer Name = GCP-H79TGB1 | Source = EventLog | ID = 6004
Description = A driver packet received from the I/O subsystem was invalid. The
data is the packet.


< End of report >

MBAM cleans this infection but as soon as we reboot, it returns. The computer exhibits the following behaviour:
when browsing with IE8, the browser refuses to respond or close. Also, when browsing Java-enabled sites, we are filling in forms, etc. and the cursor moves around instead of entering carriage returns, bounces around the screen, etc.

In addition, we are running Symantec Anti-virus.

Thank you in advance for your assistance. Please let me know what else I can provide.

#2 kevmartin01

  • Group: Member
  • Posts: 20
  • Joined: 02-March 11

Posted 09 March 2011 - 10:17 AM

Yeah, I'd like to attach my cureit.log but it's 16MB and I apparently have a 1MB limit. It also will not allow me to post the contents of the logfile. What are my options? The scans came up clean anyway so I don't know if the logfile is relevant anyway.

Please advise. Also, I made this post 1 week ago today and have had 0 activity. Is this common?

Thank you in advance

#3 kevmartin01

  • Group: Member
  • Posts: 20
  • Joined: 02-March 11

Posted 14 March 2011 - 01:47 PM

Really? No replies? It's been 2 weeks (one of which is in your so-called "waiting room") and no replies there either? Wow. OK, maybe I need to go somewhere else. Thanks

#4 Tomk

  • Group: Malware Removal
  • Posts: 178
  • Joined: 10-August 09

Posted 21 March 2011 - 01:47 PM

Hi kevmartin01,

Are you still needing help?

#5 kevmartin01

  • Group: Member
  • Posts: 20
  • Joined: 02-March 11

Posted 22 March 2011 - 08:24 AM

I replied yesterday via email but did not hear back. I don't know if that posts back here so I am replying now. YES, I STILL NEED SOME HELP! Thanks in advance for volunteering.

Kevin

#6 Tomk

  • Group: Malware Removal
  • Posts: 178
  • Joined: 10-August 09

Posted 22 March 2011 - 09:17 AM

We may be "plowing old ground" here a little... but please bear with me.

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean

Then

  • Please start your Malwarebytes' Anti-Malware Program.
  • Go to the update tab and check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).


#7 kevmartin01

  • Group: Member
  • Posts: 20
  • Joined: 02-March 11

Posted 22 March 2011 - 09:32 AM

First, let me say Thank you TomK. I gave up on this forum until you responded. Second, I will run TFC and post the log shortly. FYI, I've been using MBAM and it is the only program that is picking up malware. It keeps finding PUM.Hijack.Explorer. I will post the log later today after I've had an opportunity to run another scan on the user's machine. They are in use all day so I will need a little time to complete the scan.

Thank you again for your help.

#8 Tomk

  • Group: Malware Removal
  • Posts: 178
  • Joined: 10-August 09

Posted 22 March 2011 - 09:54 AM

Unfortunately there are only so many helpers and all are volunteers so nobody is here full time. We all have "real" jobs and lives and "work" here as free time allows. Therefore, when the forum is busy, that means that there is a lag to responses... and sometimes topics just plain get missed. Anyhow... you are now "mine" :D and I'll try to respond to you as quick as I can. It's pretty rare when I'm not able to get to the computer several times in a day.

#9 kevmartin01

  • Group: Member
  • Posts: 20
  • Joined: 02-March 11

Posted 22 March 2011 - 10:03 AM

Well, I just wanted you to know that I realize that we are only human and I appreciate your help.

That said, I've run into a bit of a problem. I am running TFC per your request. Every time I do, it tells me that I need to reboot to finish deleting files. I reboot and that's it. The program does not run again when I log back in and there are no log files in the directory from which I ran it. The first time it ran, it deleted about 150MB. I ran it a 2nd time (after a reboot) and it removed about 72MB. I've just run it a 3rd time but didn't notice how much it removed the last time.

Not sure how to proceed. In the meantime, I will run MBAM and post the logs for it.

Thanks again.

#10 Tomk

  • Group: Malware Removal
  • Posts: 178
  • Joined: 10-August 09

Posted 22 March 2011 - 10:13 AM

Sorry I was unclear. TFC doesn't produce any log and should not run again when you reboot. All it is doing is cleaning up the temporary files on your computer, mainly with the goal that other scans we ask you to run will go faster.

#11 kevmartin01

  • Group: Member
  • Posts: 20
  • Joined: 02-March 11

Posted 22 March 2011 - 10:43 AM

Tomk,

My bad, you were not unclear. I just re-read your post. All good. The MBAM scan is running and I will post when it completes.

Thanks

#12 kevmartin01

  • Group: Member
  • Posts: 20
  • Joined: 02-March 11

Posted 22 March 2011 - 01:11 PM

OK, hopefully this is what you are looking for. Please let know if you need anything else.


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6132

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/22/2011 2:07:47 PM
mbam-log-2011-03-22 (14-07-37).txt

Scan type: Full scan (C:\|)
Objects scanned: 159925
Time elapsed: 28 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (PUM.Hijack.Explorer) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 Tomk

  • Group: Malware Removal
  • Posts: 178
  • Joined: 10-August 09

Posted 22 March 2011 - 01:42 PM

kevmartin01,

That report says "No action taken".

Did you make sure that that it had a check in front of it and then did you click Remove Selected?

#14 kevmartin01

  • Group: Member
  • Posts: 20
  • Joined: 02-March 11

Posted 22 March 2011 - 02:29 PM

TomK,

I did not remove the threat the last time I ran the scan. I have run this scan many times over the last couple of weeks and even though MBAM says it cleaned up the issue, it keeps returning. I had lost the log file from this morning when I initially ran the scan so I had to re-run it to get a good log file. Since it keeps returning, I didn't bother trying to remove it this time due to the time crunch in getting the log file to you.

As I've said, I've removed this infection multiple times. It keeps coming back as soon as I reboot. I believe that System Restore is disabled (I'm not at the machine currently and I've run every tool I have against this machine to no avail so at this point it may be re-enabled). I've been making a ton of changes trying to square this issue and the setting may not be disabled at this time. I'll have to wait until the user is done so I can log in as admin to check for sure (the System Restore tab is not available in the user profile. I don't know if this is due to a rights issue or malware).

#15 Tomk

  • Group: Malware Removal
  • Posts: 178
  • Joined: 10-August 09

Posted 22 March 2011 - 03:59 PM

PUM stands for Potentially Unwanted Modification. In this case it is in regard to whether or not you want to allow toolbars to be customized in Explorer. This is not a malware infection, it is a restriction and this system has had several restrictions set. If this computer is being used in a business environment, it is possible that the network is restoring the modifications after MBAM changes them. I'm not sure exactly what this restriction is... but we can find out as follows:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :reg
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /s
    


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

As far as System Restore... Your OTL log reports that system restore is enabled. When you get a chance to check that... please let me know.

And finally... currently your computer is claiming that Java is not installed. That can be rectified by downloading the latest version of Java Runtime Environment (JRE) Version 6
  • Click the "Download JRE" button on the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop (or where ever you saved the file) double-click on jre-6u24-windows-i586-p.exe to install the newest version.


Let me know how all the above goes... post the SystemLook report, and let me know about system restore please.
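The Policies\Explorer key that SystemLook is asked to dump in the post above can also be read, and the source of the restriction traced, with a short PowerShell script. This is an added example for readers of this thread; it is not part of the original posts and not code from SystemLook, MBAM or any other tool named here. It assumes PowerShell 2.0 or later is installed on the XP machine and that it is run as the affected user; the -ValueName and -Remove parameters and the Registry.pol check are the example's own. It goes a little beyond the thread by listing every Explorer restriction in both the user and machine hives, not only NoToolbarCustomize.

```powershell
# Added example, not from the thread: list Explorer policy restrictions
# (PUM.Hijack.Explorer values such as NoToolbarCustomize) and check whether
# Group Policy is what keeps putting them back after MBAM removes them.
# Assumes PowerShell 2.0+ on the affected machine, run as the affected user.
# -ValueName and -Remove are this example's own parameters.
param(
    [string]$ValueName = 'NoToolbarCustomize',
    [switch]$Remove
)

# Per-user and machine-wide policy keys. A value here is a restriction
# applied to Explorer: 1 = enforced, 0 or absent = not enforced.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-ExplorerPolicy {
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }
        $regKey = Get-Item $key
        foreach ($name in $regKey.GetValueNames()) {
            New-Object PSObject -Property @{
                Key  = $key
                Name = $name
                Type = $regKey.GetValueKind($name)
                Data = $regKey.GetValue($name)
            }
        }
    }
}

'== Explorer policy values currently in the registry =='
Get-ExplorerPolicy | Format-Table Key, Name, Type, Data -AutoSize

# Group Policy rewrites HKCU\...\Policies\* at logon and on gpupdate, so a GPO
# would re-create the value after every reboot, which matches the symptom in
# this thread. A local GPO leaves a Registry.pol file; local and domain GPOs
# both appear in gpresult's verbose RSoP output with each registry policy's
# full KeyName.
$localPol = Join-Path $env:SystemRoot 'System32\GroupPolicy\User\Registry.pol'
if (Test-Path $localPol) {
    "Local user GPO file present: $localPol"
    # Registry.pol stores key and value names as UTF-16LE strings
    $polText = [Text.Encoding]::Unicode.GetString([IO.File]::ReadAllBytes($localPol))
    if ($polText -match [regex]::Escape($ValueName)) {
        "  -> $ValueName is set by the LOCAL Group Policy (gpedit.msc, User Configuration)"
    }
}
'== gpresult lines mentioning the value or the applied GPOs =='
gpresult /scope user /v 2>$null |
    Select-String -Pattern ([regex]::Escape($ValueName)), 'Applied Group Policy Objects' -Context 0,3

# Optional cleanup of just this one value. Re-check after 'gpupdate /force'
# and a reboot: if it comes back, the GPO reported above is the cause.
if ($Remove) {
    foreach ($key in $policyKeys) {
        if ((Test-Path $key) -and
            (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue)) {
            Remove-ItemProperty -Path $key -Name $ValueName
            "Removed $ValueName from $key"
        }
    }
}
```

Run it first without -Remove to see what is set and where it comes from; removing a value under HKLM needs an administrator account. The /scope and /v switches of gpresult are available on Windows XP, so the output is usable on the machine in this thread.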
