[emeraldnzl]

Try this one - here and follow the instructions as laid out.

Come back and tell me how you got on.

[Advertisements]

That link took me to download the accrestore.zip. That part I already did. It was the next step where I ran into trouble, when I needed to download the repair.zip. That is what I could not find.

[timbotheking]

That link took me to download the accrestore.zip. That part I already did. It was the next step where I ran into trouble, when I needed to download the repair.zip. That is what I could not find.

[emeraldnzl]

Oh okay.

Download the one attached to this post.

Tell me how you get on.

[timbotheking]

OK thank you. What exactly was I restoring in this process? I now have all of the icons/start menu items that I need, but my documents and installed software are still gone? Is there a way to retrieve those items?

[emeraldnzl]

Your machine has/had a number of infections... rootkit TDL3, bagle worm, adware and it looks like a rogue "Windows Recovery" (but it might be something else) which removes user shortcuts and files from the desktop to a temporary file.

Knowing that rogue one was about we didn't clear those temp folders in the fixes we used early on. However the ESET scan did remove some temp files and it was after that that your problem appeared. Whether the ESET ones were the ones we needed I don't know but when we looked in with OTL for the relevant temp files, they weren't there.

The tools we just used have only recently become available but what they do is rebuild the shortcuts etc. on your desktop.

You seem to have lost something more than just the shortcuts and files on your desktop though so I am not completely convinced that it was that particular rogue that did this.

We will try some other things now to see if we can find a solution:

Firstly I think we should do a couple of things to help with your OS and then run another tool to check for some malware that might still be there. After that we will reassess and look at ways to retrieve data if that is still necessary.

Now

Please run chkdsk.

Go to Windows XP chkdsk for some helpful instructions.

Next

With this one you may be asked for your Windows Installation Disk. If you have it, well and good, if you don't have it just continue on as far as it will let you.

Run the System File Checker.

Follow these steps:

• Click Start > Run and type sfc /scannow (note the space, it should be there), and then press ENTER.
• Follow the prompts throughout the System File Checker process.
• Restart your computer when System File Checker process is complete.

After that come back and tell me how it went. We will reassess and likely move on to another tool to check and remove possible malware.

[timbotheking]

emeraldnzl,

Sorry for the delay in my response. I had to travel out of town for a few days and did not have access to my computer. Thank you again for all of your assistance in this matter.

I completed the 2 tasks (chkdsk and System File Checker) that you asked me to this last time. Everything went well, nothing showed up as being wrong.

[emeraldnzl]

Welcome back timbotheking,

Before we go to other actions let's try that Unhide.exe again

You may like to delete your copy and download it again.

Download and run unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run.

After that come back and tell me if there is any change.

[timbotheking]

emeraldnzl,

I ran unhide again, and there is no change. Thanks.

[emeraldnzl]

Okie dokie... it was an outside chance at best.

Now

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

[timbotheking]

Below is the ComboFix log:

ComboFix 11-07-28.06 - Compaq_Owner 07/28/2011 19:29:45.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1215.776 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Owner.STEVESR\Desktop\ComboFix.exe
AV: Norton AntiVirus 2005 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *Enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Compaq_Owner.STEVESR\WINDOWS
c:\documents and settings\Compaq_Owner\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\jessica\WINDOWS
c:\documents and settings\Joan\WINDOWS
c:\documents and settings\tim\WINDOWS
c:\program files\CouponAlert_2p
c:\program files\CouponAlert_2p\bar\1.bin\2pdyn.dll
c:\program files\CouponAlert_2p\bar\1.bin\2pfeedmg.dll
c:\program files\CouponAlert_2p\bar\1.bin\2phighin.exe
c:\program files\CouponAlert_2p\bar\1.bin\2phttpct.dll
c:\program files\CouponAlert_2p\bar\1.bin\2pidle.dll
c:\program files\CouponAlert_2p\bar\1.bin\2pimpipe.exe
c:\program files\CouponAlert_2p\bar\1.bin\2pmedint.exe
c:\program files\CouponAlert_2p\bar\1.bin\2pmlbtn.dll
c:\program files\CouponAlert_2p\bar\1.bin\2pmsg.dll
c:\program files\CouponAlert_2p\bar\1.bin\2pradio.dll
c:\program files\CouponAlert_2p\bar\1.bin\2pregfft.dll
c:\program files\CouponAlert_2p\bar\1.bin\2pregiet.dll
c:\program files\CouponAlert_2p\bar\1.bin\2pscript.dll
c:\program files\CouponAlert_2p\bar\1.bin\2pskplay.exe
c:\program files\CouponAlert_2p\bar\1.bin\2ptpinst.dll
c:\program files\CouponAlert_2p\bar\1.bin\2puabtn.dll
c:\program files\CouponAlert_2p\bar\1.bin\CHROME.MANIFEST
c:\program files\CouponAlert_2p\bar\1.bin\chrome\2pffxtbr.jar
c:\program files\CouponAlert_2p\bar\1.bin\INSTALL.RDF
c:\program files\CouponAlert_2p\bar\1.bin\LOGO.BMP
c:\program files\CouponAlert_2p\bar\1.bin\NP2pStub.dll
c:\program files\CouponAlert_2p\bar\Cache\000500A3
c:\program files\CouponAlert_2p\bar\Cache\002753BF.bmp
c:\program files\CouponAlert_2p\bar\Cache\002756DC.bmp
c:\program files\CouponAlert_2p\bar\Cache\00275892.bmp
c:\program files\CouponAlert_2p\bar\Cache\0027592E.bmp
c:\program files\CouponAlert_2p\bar\Cache\002759BB.bmp
c:\program files\CouponAlert_2p\bar\Cache\00275AA5.bmp
c:\program files\CouponAlert_2p\bar\Cache\00275DE1.bmp
c:\program files\CouponAlert_2p\bar\Cache\00A4CB31
c:\program files\CouponAlert_2p\bar\Cache\0531C37E
c:\program files\CouponAlert_2p\bar\Cache\0BAB4D44
c:\program files\CouponAlert_2p\bar\Cache\13F7CFE6
c:\program files\CouponAlert_2p\bar\Cache\1F2045EE.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F20CD6D.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F20D0D8.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F20D136.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F20D184.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F20D1D2.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F20D211.jhtml
c:\program files\CouponAlert_2p\bar\Cache\1F210C6A
c:\program files\CouponAlert_2p\bar\Cache\1F213436.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F213484.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F2134F1.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F213530.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F21359D.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F21360A.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F213668.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F2B7044
c:\program files\CouponAlert_2p\bar\Cache\1F7F7443.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F7F74A1.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F7F74FE.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F7F75C9.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F7F7685.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F7F8B84.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F7F8C3F.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F7F8D78.bmp
c:\program files\CouponAlert_2p\bar\Cache\22EBC730
c:\program files\CouponAlert_2p\bar\Cache\25F14EDF
c:\program files\CouponAlert_2p\bar\Cache\2B3EC3C8
c:\program files\CouponAlert_2p\bar\Cache\2B3F8217
c:\program files\CouponAlert_2p\bar\Cache\32F9B131.bmp
c:\program files\CouponAlert_2p\bar\Cache\3F32780C
c:\program files\CouponAlert_2p\bar\Cache\448E1317
c:\program files\CouponAlert_2p\bar\Cache\files.ini
c:\program files\CouponAlert_2p\bar\History\search3
c:\program files\CouponAlert_2p\bar\Message\COMMON.T8S
c:\program files\CouponAlert_2p\bar\Message\COMMON\8_step1.gif
c:\program files\CouponAlert_2p\bar\Message\COMMON\index.htm
c:\program files\CouponAlert_2p\bar\Message\COMMON\rebut4b.htm
c:\program files\CouponAlert_2p\bar\Message\COMMON\shield.png
c:\program files\CouponAlert_2p\bar\Settings\prevcfg2.htm
c:\program files\CouponAlert_2p\bar\Settings\s_pid.dat
c:\program files\CouponAlert_2p\bar\Settings\s_w1.dat
c:\program files\CouponAlert_2p\bar\Settings\s_w1.dat.bak
c:\program files\CouponAlert_2p\bar\Settings\s_w2.dat
c:\program files\CouponAlert_2p\bar\Settings\s_w2.dat.bak
c:\program files\CouponAlert_2p\bar\Settings\setting3.htm
c:\program files\CouponAlert_2p\bar\Settings\setting3.htm.bak
c:\program files\CouponAlert_2p\Shared\Cache\CouponAlertBtn.html
c:\program files\CouponAlert_2p\Shared\Cache\CouponAlertNewDealsBtn.html
c:\program files\CouponAlert_2p\Shared\Cache\GrouponBtn.html
c:\program files\CouponAlert_2p\Shared\Cache\PopupProperties100063112.html
c:\program files\CouponAlert_2p\Shared\Cache\PopupProperties100064904.html
c:\program files\CouponAlert_2pEI
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\ps2.bat
.
.
((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-28 )))))))))))))))))))))))))))))))
.
.
2011-07-28 17:59 . 2011-02-10 23:34 6600192 ----a-w- c:\windows\system32\licprotector310.exe
2011-07-28 17:59 . 2011-07-28 17:59 -------- d-----w- c:\program files\Free File Opener
2011-07-28 07:00 . 2011-07-28 07:00 -------- d-----w- c:\windows\LastGood
2011-07-25 20:13 . 2011-07-25 20:13 1409 ----a-w- c:\windows\QTFont.for
2011-07-25 03:11 . 2011-07-25 03:11 -------- d-----w- c:\windows\PIF
2011-07-22 15:19 . 2004-08-04 10:00 98304 ----a-w- c:\windows\system32\msir3jp.dll
2011-07-22 15:19 . 2004-08-04 10:00 838144 ----a-w- c:\windows\system32\chtbrkr.dll
2011-07-22 15:19 . 2004-08-04 10:00 70656 ----a-w- c:\windows\system32\korwbrkr.dll
2011-07-22 15:19 . 2004-08-04 10:00 1875968 ----a-w- c:\windows\system32\msir3jp.lex
2011-07-22 15:19 . 2004-08-04 10:00 1677824 ----a-w- c:\windows\system32\chsbrkr.dll
2011-07-22 15:17 . 2004-08-04 10:00 6656 ----a-w- c:\windows\system32\c_is2022.dll
2011-07-22 13:56 . 2011-07-22 13:56 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-21 23:08 . 2011-07-27 23:44 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-07-21 23:02 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2011-07-21 22:45 . 2009-01-07 22:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2011-07-21 21:46 . 2004-08-04 06:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-07-21 21:45 . 2004-08-04 06:10 61056 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2011-07-21 21:45 . 2001-08-17 20:46 6400 ----a-w- c:\windows\system32\drivers\enum1394.sys
2011-07-21 21:45 . 2004-08-04 06:10 53248 ----a-w- c:\windows\system32\drivers\1394bus.sys
2011-07-21 20:27 . 2011-07-28 07:01 -------- dcsh--r- c:\windows\system32\dllcache
2011-07-21 19:06 . 2011-07-21 19:05 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-21 19:06 . 2011-07-21 19:05 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-21 18:57 . 2004-08-04 10:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2011-07-21 18:56 . 2011-07-28 23:33 -------- d-----w- c:\documents and settings\Compaq_Owner.STEVESR
2011-07-21 01:15 . 2011-07-21 01:15 -------- d-----w- c:\program files\ESET
2011-07-18 14:57 . 2011-07-18 14:57 -------- d-----w- C:\_OTL
2011-07-15 20:44 . 2011-07-21 01:24 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\AskToolbar
2011-07-15 20:44 . 2011-07-15 20:45 -------- d-----w- c:\program files\Ask.com
2011-07-15 20:44 . 2011-07-15 20:44 -------- d-----w- C:\Firefox
2011-07-15 20:44 . 2011-07-15 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\RegWork
2011-07-15 20:44 . 2011-07-15 20:44 -------- d-----w- c:\program files\RegWork
2011-07-15 20:30 . 2011-07-15 20:30 -------- d-----w- c:\program files\MSECache
2011-07-08 23:39 . 2011-07-08 23:39 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\PackageAware
2011-07-07 22:49 . 2011-07-07 22:49 -------- d-----w- c:\program files\MSBuild
2011-07-07 22:48 . 2011-07-07 22:48 -------- d-----w- c:\program files\Reference Assemblies
2011-07-07 22:47 . 2011-07-07 22:48 -------- d-----w- C:\17a2adeab0eea6167f307d0e1d0e4c35
2011-07-06 00:16 . 2011-07-06 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Whiz
2011-07-05 00:32 . 2011-07-28 23:33 -------- d-----w- c:\documents and settings\tim
2011-07-04 17:21 . 2011-07-28 23:33 -------- d-----w- c:\documents and settings\Joan
2011-07-04 15:18 . 2011-07-23 12:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-07-04 15:13 . 2011-07-04 15:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-07-04 15:03 . 2011-07-28 23:33 -------- d-----w- c:\documents and settings\jessica
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-13 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-21 155648]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-06-05 286720]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"VTTimer"="VTTimer.exe" [2004-10-22 53248]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-08 57344]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-08-14 58488]
"SSC_UserPrompt"="c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-08-06 218240]
"NAV CfgWiz"="c:\program files\Norton AntiVirus\CfgWiz.exe" [2004-08-18 132248]
"IS CfgWiz"="c:\program files\Common Files\Symantec Shared\cfgwiz.exe" [2003-11-05 124096]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-10-27 98304]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
.
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/4/2011 11:13 AM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/4/2011 11:13 AM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 06:03]
.
2011-07-21 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2004-08-13 15:50]
.
2011-07-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-04 15:13]
.
2011-07-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-04 15:13]
.
2011-07-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3099956112-2596822647-424640563-1008Core.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-23 06:58]
.
2011-07-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3099956112-2596822647-424640563-1008UA.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-23 06:58]
.
2011-07-23 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Compaq_Owner.job
- c:\progra~1\NORTON~1\Navw32.exe [2004-08-18 14:44]
.
2011-07-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3099956112-2596822647-424640563-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-07-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3099956112-2596822647-424640563-1010.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-07-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3099956112-2596822647-424640563-1011.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-07-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3099956112-2596822647-424640563-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-07-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3099956112-2596822647-424640563-1010.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-07-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3099956112-2596822647-424640563-1011.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-07-22 c:\windows\Tasks\Regwork.job
- c:\program files\RegWork\RegWork.exe [2011-07-15 16:57]
.
2011-07-28 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-05-17 17:29]
.
2004-10-27 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-10-27 07:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-28 19:37
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-07-28 19:39:49
ComboFix-quarantined-files.txt 2011-07-28 23:39
.
Pre-Run: 24,591,421,440 bytes free
Post-Run: 26,397,749,248 bytes free
.
- - End Of File - - 597201C97950763B6A2B08EBE84AF0FE

[emeraldnzl]

Hello timbotheking,

Please run Malwarebytes again but this time tick the Perform full scan box.

Post the log back here.

[timbotheking]

Below is the mbam log:

ComboFix 11-07-28.06 - Compaq_Owner 07/28/2011 19:29:45.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1215.776 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Owner.STEVESR\Desktop\ComboFix.exe
AV: Norton AntiVirus 2005 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *Enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Compaq_Owner.STEVESR\WINDOWS
c:\documents and settings\Compaq_Owner\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\jessica\WINDOWS
c:\documents and settings\Joan\WINDOWS
c:\documents and settings\tim\WINDOWS
c:\program files\CouponAlert_2p
c:\program files\CouponAlert_2p\bar\1.bin\2pdyn.dll
c:\program files\CouponAlert_2p\bar\1.bin\2pfeedmg.dll
c:\program files\CouponAlert_2p\bar\1.bin\2phighin.exe
c:\program files\CouponAlert_2p\bar\1.bin\2phttpct.dll
c:\program files\CouponAlert_2p\bar\1.bin\2pidle.dll
c:\program files\CouponAlert_2p\bar\1.bin\2pimpipe.exe
c:\program files\CouponAlert_2p\bar\1.bin\2pmedint.exe
c:\program files\CouponAlert_2p\bar\1.bin\2pmlbtn.dll
c:\program files\CouponAlert_2p\bar\1.bin\2pmsg.dll
c:\program files\CouponAlert_2p\bar\1.bin\2pradio.dll
c:\program files\CouponAlert_2p\bar\1.bin\2pregfft.dll
c:\program files\CouponAlert_2p\bar\1.bin\2pregiet.dll
c:\program files\CouponAlert_2p\bar\1.bin\2pscript.dll
c:\program files\CouponAlert_2p\bar\1.bin\2pskplay.exe
c:\program files\CouponAlert_2p\bar\1.bin\2ptpinst.dll
c:\program files\CouponAlert_2p\bar\1.bin\2puabtn.dll
c:\program files\CouponAlert_2p\bar\1.bin\CHROME.MANIFEST
c:\program files\CouponAlert_2p\bar\1.bin\chrome\2pffxtbr.jar
c:\program files\CouponAlert_2p\bar\1.bin\INSTALL.RDF
c:\program files\CouponAlert_2p\bar\1.bin\LOGO.BMP
c:\program files\CouponAlert_2p\bar\1.bin\NP2pStub.dll
c:\program files\CouponAlert_2p\bar\Cache\000500A3
c:\program files\CouponAlert_2p\bar\Cache\002753BF.bmp
c:\program files\CouponAlert_2p\bar\Cache\002756DC.bmp
c:\program files\CouponAlert_2p\bar\Cache\00275892.bmp
c:\program files\CouponAlert_2p\bar\Cache\0027592E.bmp
c:\program files\CouponAlert_2p\bar\Cache\002759BB.bmp
c:\program files\CouponAlert_2p\bar\Cache\00275AA5.bmp
c:\program files\CouponAlert_2p\bar\Cache\00275DE1.bmp
c:\program files\CouponAlert_2p\bar\Cache\00A4CB31
c:\program files\CouponAlert_2p\bar\Cache\0531C37E
c:\program files\CouponAlert_2p\bar\Cache\0BAB4D44
c:\program files\CouponAlert_2p\bar\Cache\13F7CFE6
c:\program files\CouponAlert_2p\bar\Cache\1F2045EE.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F20CD6D.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F20D0D8.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F20D136.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F20D184.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F20D1D2.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F20D211.jhtml
c:\program files\CouponAlert_2p\bar\Cache\1F210C6A
c:\program files\CouponAlert_2p\bar\Cache\1F213436.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F213484.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F2134F1.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F213530.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F21359D.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F21360A.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F213668.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F2B7044
c:\program files\CouponAlert_2p\bar\Cache\1F7F7443.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F7F74A1.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F7F74FE.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F7F75C9.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F7F7685.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F7F8B84.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F7F8C3F.bmp
c:\program files\CouponAlert_2p\bar\Cache\1F7F8D78.bmp
c:\program files\CouponAlert_2p\bar\Cache\22EBC730
c:\program files\CouponAlert_2p\bar\Cache\25F14EDF
c:\program files\CouponAlert_2p\bar\Cache\2B3EC3C8
c:\program files\CouponAlert_2p\bar\Cache\2B3F8217
c:\program files\CouponAlert_2p\bar\Cache\32F9B131.bmp
c:\program files\CouponAlert_2p\bar\Cache\3F32780C
c:\program files\CouponAlert_2p\bar\Cache\448E1317
c:\program files\CouponAlert_2p\bar\Cache\files.ini
c:\program files\CouponAlert_2p\bar\History\search3
c:\program files\CouponAlert_2p\bar\Message\COMMON.T8S
c:\program files\CouponAlert_2p\bar\Message\COMMON\8_step1.gif
c:\program files\CouponAlert_2p\bar\Message\COMMON\index.htm
c:\program files\CouponAlert_2p\bar\Message\COMMON\rebut4b.htm
c:\program files\CouponAlert_2p\bar\Message\COMMON\shield.png
c:\program files\CouponAlert_2p\bar\Settings\prevcfg2.htm
c:\program files\CouponAlert_2p\bar\Settings\s_pid.dat
c:\program files\CouponAlert_2p\bar\Settings\s_w1.dat
c:\program files\CouponAlert_2p\bar\Settings\s_w1.dat.bak
c:\program files\CouponAlert_2p\bar\Settings\s_w2.dat
c:\program files\CouponAlert_2p\bar\Settings\s_w2.dat.bak
c:\program files\CouponAlert_2p\bar\Settings\setting3.htm
c:\program files\CouponAlert_2p\bar\Settings\setting3.htm.bak
c:\program files\CouponAlert_2p\Shared\Cache\CouponAlertBtn.html
c:\program files\CouponAlert_2p\Shared\Cache\CouponAlertNewDealsBtn.html
c:\program files\CouponAlert_2p\Shared\Cache\GrouponBtn.html
c:\program files\CouponAlert_2p\Shared\Cache\PopupProperties100063112.html
c:\program files\CouponAlert_2p\Shared\Cache\PopupProperties100064904.html
c:\program files\CouponAlert_2pEI
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\ps2.bat
.
.
((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-28 )))))))))))))))))))))))))))))))
.
.
2011-07-28 17:59 . 2011-02-10 23:34 6600192 ----a-w- c:\windows\system32\licprotector310.exe
2011-07-28 17:59 . 2011-07-28 17:59 -------- d-----w- c:\program files\Free File Opener
2011-07-28 07:00 . 2011-07-28 07:00 -------- d-----w- c:\windows\LastGood
2011-07-25 20:13 . 2011-07-25 20:13 1409 ----a-w- c:\windows\QTFont.for
2011-07-25 03:11 . 2011-07-25 03:11 -------- d-----w- c:\windows\PIF
2011-07-22 15:19 . 2004-08-04 10:00 98304 ----a-w- c:\windows\system32\msir3jp.dll
2011-07-22 15:19 . 2004-08-04 10:00 838144 ----a-w- c:\windows\system32\chtbrkr.dll
2011-07-22 15:19 . 2004-08-04 10:00 70656 ----a-w- c:\windows\system32\korwbrkr.dll
2011-07-22 15:19 . 2004-08-04 10:00 1875968 ----a-w- c:\windows\system32\msir3jp.lex
2011-07-22 15:19 . 2004-08-04 10:00 1677824 ----a-w- c:\windows\system32\chsbrkr.dll
2011-07-22 15:17 . 2004-08-04 10:00 6656 ----a-w- c:\windows\system32\c_is2022.dll
2011-07-22 13:56 . 2011-07-22 13:56 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-21 23:08 . 2011-07-27 23:44 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-07-21 23:02 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2011-07-21 22:45 . 2009-01-07 22:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2011-07-21 21:46 . 2004-08-04 06:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-07-21 21:45 . 2004-08-04 06:10 61056 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2011-07-21 21:45 . 2001-08-17 20:46 6400 ----a-w- c:\windows\system32\drivers\enum1394.sys
2011-07-21 21:45 . 2004-08-04 06:10 53248 ----a-w- c:\windows\system32\drivers\1394bus.sys
2011-07-21 20:27 . 2011-07-28 07:01 -------- dcsh--r- c:\windows\system32\dllcache
2011-07-21 19:06 . 2011-07-21 19:05 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-21 19:06 . 2011-07-21 19:05 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-21 18:57 . 2004-08-04 10:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2011-07-21 18:56 . 2011-07-28 23:33 -------- d-----w- c:\documents and settings\Compaq_Owner.STEVESR
2011-07-21 01:15 . 2011-07-21 01:15 -------- d-----w- c:\program files\ESET
2011-07-18 14:57 . 2011-07-18 14:57 -------- d-----w- C:\_OTL
2011-07-15 20:44 . 2011-07-21 01:24 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\AskToolbar
2011-07-15 20:44 . 2011-07-15 20:45 -------- d-----w- c:\program files\Ask.com
2011-07-15 20:44 . 2011-07-15 20:44 -------- d-----w- C:\Firefox
2011-07-15 20:44 . 2011-07-15 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\RegWork
2011-07-15 20:44 . 2011-07-15 20:44 -------- d-----w- c:\program files\RegWork
2011-07-15 20:30 . 2011-07-15 20:30 -------- d-----w- c:\program files\MSECache
2011-07-08 23:39 . 2011-07-08 23:39 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\PackageAware
2011-07-07 22:49 . 2011-07-07 22:49 -------- d-----w- c:\program files\MSBuild
2011-07-07 22:48 . 2011-07-07 22:48 -------- d-----w- c:\program files\Reference Assemblies
2011-07-07 22:47 . 2011-07-07 22:48 -------- d-----w- C:\17a2adeab0eea6167f307d0e1d0e4c35
2011-07-06 00:16 . 2011-07-06 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Whiz
2011-07-05 00:32 . 2011-07-28 23:33 -------- d-----w- c:\documents and settings\tim
2011-07-04 17:21 . 2011-07-28 23:33 -------- d-----w- c:\documents and settings\Joan
2011-07-04 15:18 . 2011-07-23 12:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-07-04 15:13 . 2011-07-04 15:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-07-04 15:03 . 2011-07-28 23:33 -------- d-----w- c:\documents and settings\jessica
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-13 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-21 155648]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-06-05 286720]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"VTTimer"="VTTimer.exe" [2004-10-22 53248]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-08 57344]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-08-14 58488]
"SSC_UserPrompt"="c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-08-06 218240]
"NAV CfgWiz"="c:\program files\Norton AntiVirus\CfgWiz.exe" [2004-08-18 132248]
"IS CfgWiz"="c:\program files\Common Files\Symantec Shared\cfgwiz.exe" [2003-11-05 124096]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-10-27 98304]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
.
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/4/2011 11:13 AM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/4/2011 11:13 AM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 06:03]
.
2011-07-21 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2004-08-13 15:50]
.
2011-07-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-04 15:13]
.
2011-07-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-04 15:13]
.
2011-07-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3099956112-2596822647-424640563-1008Core.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-23 06:58]
.
2011-07-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3099956112-2596822647-424640563-1008UA.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-23 06:58]
.
2011-07-23 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Compaq_Owner.job
- c:\progra~1\NORTON~1\Navw32.exe [2004-08-18 14:44]
.
2011-07-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3099956112-2596822647-424640563-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-07-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3099956112-2596822647-424640563-1010.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-07-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3099956112-2596822647-424640563-1011.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-07-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3099956112-2596822647-424640563-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-07-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3099956112-2596822647-424640563-1010.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-07-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3099956112-2596822647-424640563-1011.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 14:47]
.
2011-07-22 c:\windows\Tasks\Regwork.job
- c:\program files\RegWork\RegWork.exe [2011-07-15 16:57]
.
2011-07-28 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-05-17 17:29]
.
2004-10-27 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-10-27 07:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-28 19:37
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-07-28 19:39:49
ComboFix-quarantined-files.txt 2011-07-28 23:39
.
Pre-Run: 24,591,421,440 bytes free
Post-Run: 26,397,749,248 bytes free
.
- - End Of File - - 597201C97950763B6A2B08EBE84AF0FE

[emeraldnzl]

Hi timbotheking,

Looks like you posted the ComboFix log. It was a full Malwarebytes scan I was after.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.

Also please do this

Please run OTL.exe

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  
  :files
  xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
  xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
  xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
  xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C
  
  :Commands
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done
• It will produce a log for you on reboot, please post that log in your next reply.

Finally in this post

Please go to Programs > Accessories, right click the Command Prompt and open as Administrator

At the cursor, copy and past the bolded text below and hit enter

wmic /namespace:\\root\wmi PATH MSStorageDriver_FailurePredictStatus get
predictfailure

Click on the little black command prompt icon top left of the Command Prompt window > Edit > Mark and drag the curser over the dialogue. Click the icon top left again > Edit > Copy.

Save to notepad and then copy and paste back here.

So when you return please post

• MBAM log
• OTL log
• Notepad contents

[timbotheking]

emeralnzl,

My apologies for posting the wrong log. That is what popped up after running malwarebytes so I didn't even think to check if it was the correct log. Below please find malwarebytes log from earlier today:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7328

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

7/30/2011 5:35:38 PM
mbam-log-2011-07-30 (17-35-38).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 321705
Time elapsed: 1 hour(s), 21 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 36

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\compaq_owner\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\[email protected] (PUP.PlaySushi) -> Not selected for removal.
c:\documents and settings\compaq_owner\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\[email protected]\chrome (PUP.PlaySushi) -> Not selected for removal.
c:\documents and settings\compaq_owner\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\[email protected]\components (PUP.PlaySushi) -> Not selected for removal.

Files Infected:
c:\Qoobox\quarantine\C\program files\couponalert_2p\bar\1.bin\2pdyn.dll.vir (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\couponalert_2p\bar\1.bin\2pfeedmg.dll.vir (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\couponalert_2p\bar\1.bin\2phighin.exe.vir (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\couponalert_2p\bar\1.bin\2phttpct.dll.vir (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\couponalert_2p\bar\1.bin\2pidle.dll.vir (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\couponalert_2p\bar\1.bin\2pimpipe.exe.vir (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\couponalert_2p\bar\1.bin\2pmedint.exe.vir (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\couponalert_2p\bar\1.bin\2pmlbtn.dll.vir (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\couponalert_2p\bar\1.bin\2pmsg.dll.vir (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\couponalert_2p\bar\1.bin\2pradio.dll.vir (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\couponalert_2p\bar\1.bin\2pregfft.dll.vir (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\couponalert_2p\bar\1.bin\2pregiet.dll.vir (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\couponalert_2p\bar\1.bin\2pscript.dll.vir (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\couponalert_2p\bar\1.bin\2pskplay.exe.vir (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\couponalert_2p\bar\1.bin\2puabtn.dll.vir (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\couponalert_2p\bar\1.bin\np2pstub.dll.vir (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\system volume information\_restore{a3fe4697-a95b-4476-a0d8-dd1dba8414b7}\RP11\A0005271.dll (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\system volume information\_restore{a3fe4697-a95b-4476-a0d8-dd1dba8414b7}\RP11\A0005270.dll (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\system volume information\_restore{a3fe4697-a95b-4476-a0d8-dd1dba8414b7}\RP11\A0005272.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\system volume information\_restore{a3fe4697-a95b-4476-a0d8-dd1dba8414b7}\RP11\A0005273.dll (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\system volume information\_restore{a3fe4697-a95b-4476-a0d8-dd1dba8414b7}\RP11\A0005274.dll (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\system volume information\_restore{a3fe4697-a95b-4476-a0d8-dd1dba8414b7}\RP11\A0005275.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\system volume information\_restore{a3fe4697-a95b-4476-a0d8-dd1dba8414b7}\RP11\A0005276.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\system volume information\_restore{a3fe4697-a95b-4476-a0d8-dd1dba8414b7}\RP11\A0005277.dll (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\system volume information\_restore{a3fe4697-a95b-4476-a0d8-dd1dba8414b7}\RP11\A0005278.dll (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\system volume information\_restore{a3fe4697-a95b-4476-a0d8-dd1dba8414b7}\RP11\A0005279.dll (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\system volume information\_restore{a3fe4697-a95b-4476-a0d8-dd1dba8414b7}\RP11\A0005280.dll (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\system volume information\_restore{a3fe4697-a95b-4476-a0d8-dd1dba8414b7}\RP11\A0005281.dll (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\system volume information\_restore{a3fe4697-a95b-4476-a0d8-dd1dba8414b7}\RP11\A0005282.dll (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\system volume information\_restore{a3fe4697-a95b-4476-a0d8-dd1dba8414b7}\RP11\A0005283.exe (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\system volume information\_restore{a3fe4697-a95b-4476-a0d8-dd1dba8414b7}\RP11\A0005285.dll (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\system volume information\_restore{a3fe4697-a95b-4476-a0d8-dd1dba8414b7}\RP11\A0005287.dll (Adware.FunWeb) -> Quarantined and deleted successfully.
c:\documents and settings\compaq_owner\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\[email protected]\chrome.manifest (PUP.PlaySushi) -> Not selected for removal.
c:\documents and settings\compaq_owner\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\[email protected]\install.rdf (PUP.PlaySushi) -> Not selected for removal.
c:\documents and settings\compaq_owner\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\[email protected]\chrome\pstextlinks.jar (PUP.PlaySushi) -> Not selected for removal.
c:\documents and settings\compaq_owner\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\[email protected]\components\playsushiff.xpt (PUP.PlaySushi) -> Not selected for removal.



OTL log:

========== FILES ==========
< xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\Compaq_Owner.STEVESR\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Compaq_Owner.STEVESR\Desktop\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\Compaq_Owner.STEVESR\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Compaq_Owner.STEVESR\Desktop\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\Compaq_Owner.STEVESR\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Compaq_Owner.STEVESR\Desktop\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\Compaq_Owner.STEVESR\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Compaq_Owner.STEVESR\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.26.1 log created on 07302011_222158



Command prompt:

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Compaq_Owner.STEVESR>wmic /namespace:\\root\wmi PATH M
SStorageDriver_FailurePredictStatus get
'wmic' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Compaq_Owner.STEVESR>predictfailure
'predictfailure' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Compaq_Owner.STEVESR>


Thanks.

[emeraldnzl]

Hi timbotheking,

My apologies for posting the wrong log.

No problem.

Question now: At the the beginning of this thread the OTL log you posted showed that your machine had SP3 (Service Pack 3) installed. The next OTL log showed your machine with SP2. Both logs show as first run so I am wondering what has gone on there. Is this malware doing something or is it you doing something? Another possibility is corruption or imminent hardware failure. I endeavoured to check for this with that last action but your computer didn't recognise the command neither did it let SystemLook run when we tried earlier. That and the sudden loss of SP3 makes me think that there might be serious corruption or hardware failure here. Tell me what you think when you return.

For now though lets assume something has happened to SP3. If we replace it we will replace a whole swathe of system files and maybe get back some function.

You can uninstall and then reinstall SP3 (Service Pack 3)

Firstly, just to make sure please check and uninstall SP3 if it is there.

How to remove Windows XP Service Pack 3

To uninstall SP3

• Click Start > Control Panel >Add or Remove Programs
• Click Windows XP Service Pack 3
• Click Remove

After that

Here's the link for SP3 download

Link: http://www.microsoft...&displaylang=en

Disregard the information for use on multiple network computers.

Read this for information about what to do before installing SP3:

http://support.microsoft.com/kb/950717

Don't hesitate to come back if you have any questions or comments.

After you have reinstalled SP3 come back and tell me where your machine is at.