XP Security 2012 on Dell Mini 910

#1
Moonpie
Ciao!

It's me again in what seems like deja vu...

So my boss hands me her Dell Mini 910 that the kids have been given free rein on with only the one user account with Administrator privileges. Who knows what they downloaded on purpose that had "junk" in it, and who knows what put itself on here in the background???!!!

I do know it had/has XP Security 2012 with all the "standard" pop-up screens and notifications that can be seen in your post "Removal Instructions for XP Total Security 2011 (and its clones)".

So to attempt to remedy:

I found a guide on another reputable forum/site and I tried this:

- Downloaded FixNCR on another computer & transferred to infected via thumb drive
- Ran FixNCR
- Transferred RKill to infected computer
- Ran RKill
- Transferred MBAM Setup to infected computer & installed MBAM
- Ran MBAM

That seemed to work for a few minutes, then back came the pop-ups.

I basically did it all again. Pop-ups & notifications disappeared, so I downloaded & installed Microsoft Security Essentials. But it wouldn't run correctly and other symptoms became noticeable (listed later).

(At some point in there I deleted RKill and uninstalled MBAM b/c it wouldn't run correctly.)

I tried an MSE scan in Safe Mode and it ran over 10 hours last night and finally locked up. It indicated that it did remove some stuff, which I can try to find a log and post later if you want.

So using the G2G guide I re-downloaded & renamed MBAM Setup to '.com' and then installed MBAM again. I ran MBAM and it found & removed 4 items (IIRC it was one Trojan something and 3 ?registry? entries that disabled the Security Center items).

Now it still doesn't have pop-ups & notifications, but the following symptoms still exist:

- Security Center won't start; when I go into Services it is marked 'Disabled'. If I change it to 'Automatic' or 'Manual' I can start the service but it almost immediately stops and is changed back to 'Disabled'.

- Can't go to www.geekstogo.com or other similar sites via IE (except I usually can in Safe Mode with Networking) - after considerable time am told the address is invalid.

- Get an occasional 'You're a winner - click here!' pop-up in IE when visiting sites that I know don't have those (like Microsoft).

- One of the many 'svchost.exe' processes will use close to 100% of the CPU.

- As I type this it is slow, and every touch of a key makes the cursor briefly change to the hourglass. I have no known experience with keyloggers, so I don't know if it is a KL or if it is just because of the 100% CPU usage.

There could be more symptoms that I'm missing or can't remember right now.

Thanks!



-----
OTL LOG


OTL logfile created on: 7/27/2011 12:29:33 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\JILL HEFFERNAN\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.34 Mb Total Physical Memory | 647.41 Mb Available Physical Memory | 63.83% Memory free
1.19 Gb Paging File | 0.86 Gb Available in Paging File | 72.75% Paging File free
Paging file location(s): C:\pagefile.sys 300 300 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 14.30 Gb Total Space | 5.50 Gb Free Space | 38.45% Space Free | Partition Type: NTFS

Computer Name: D32K5JC1 | User Name: JILL HEFFERNAN | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/27 12:28:00 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\JILL HEFFERNAN\Desktop\OTL.com
PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/11/04 21:47:38 | 000,623,912 | ---- | M] (Dell) -- C:\Program Files\Battery Meter\BTMeter.exe
PRC - [2008/10/04 13:58:04 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/10/04 13:58:02 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2008/09/17 21:28:58 | 000,546,088 | ---- | M] (Dell) -- C:\Program Files\Wireless Select Switch\WLSS.exe
PRC - [2008/07/30 10:56:16 | 000,604,776 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/29 11:48:12 | 000,304,368 | ---- | M] () -- C:\Program Files\Dell Photo AIO Printer 966\memcard.exe
PRC - [2007/06/29 11:47:48 | 000,292,080 | ---- | M] () -- C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe
PRC - [2006/12/12 04:22:34 | 000,537,480 | ---- | M] ( ) -- C:\WINDOWS\system32\dlcqcoms.exe


========== Modules (SafeList) ==========

MOD - [2011/07/27 12:28:00 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\JILL HEFFERNAN\Desktop\OTL.com
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/07/30 10:54:34 | 000,073,728 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\BtMmHook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/03/23 04:10:04 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2009/03/18 19:57:34 | 000,120,088 | ---- | M] (SmithMicro Inc.) [On_Demand | Stopped] -- C:\Program Files\T-Mobile\Connection Manager\RcAppSvc.exe -- (TMobileRcAppSvc)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/10/04 13:58:04 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter) SupportSoft Sprocket Service (DellSupportCenter)
SRV - [2006/12/12 04:22:34 | 000,537,480 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\dlcqcoms.exe -- (dlcq_device)


========== Driver Services (SafeList) ==========

DRV - [2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2009/03/18 19:40:36 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\PCTINDIS5.sys -- (PCTINDIS5)
DRV - [2008/11/16 16:14:18 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2008/11/16 16:14:06 | 000,037,160 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2008/11/16 16:14:02 | 000,991,656 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2008/11/10 21:39:02 | 001,287,552 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2008/11/10 18:03:38 | 000,269,760 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OA004Vid.sys -- (OA004Vid)
DRV - [2008/11/10 18:03:38 | 000,144,672 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OA004Ufd.sys -- (OA004Ufd)
DRV - [2008/11/10 18:03:36 | 000,148,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OA004Afx.sys -- (OA004Afx)
DRV - [2008/11/04 20:24:58 | 000,014,248 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\EMSC.SYS -- (EMSC)
DRV - [2008/07/13 19:55:40 | 000,106,368 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2008/07/13 19:02:52 | 000,093,968 | ---- | M] (JMicron Technology Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\jmcr.sys -- (JMCR)
DRV - [2008/07/13 18:59:14 | 004,745,216 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/03/16 22:03:46 | 000,101,376 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.msn.com/sphome.aspx
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://g.msn.com/USCON/1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/sphome.aspx
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009/08/27 15:17:35 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins


Hosts file not found
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [BTMeter] C:\Program Files\Battery Meter\BTMeter.exe (Dell)
O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [DLCQCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCQtime.DLL ()
O4 - HKLM..\Run: [dlcqmon.exe] C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe ()
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] File not found
O4 - HKLM..\Run: [MemoryCardManager] C:\Program Files\Dell Photo AIO Printer 966\memcard.exe ()
O4 - HKLM..\Run: [MSC] File not found
O4 - HKLM..\Run: [T-Mobile Connection Manager] C:\Program Files\T-Mobile\Connection Manager\TMobileCM.exe (T-Mobile)
O4 - HKLM..\Run: [WLSS] C:\Program Files\Wireless Select Switch\WLSS.exe (Dell)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\meheoto: DllName - C:\Documents and Settings\NetworkService\Local Settings\Application Data\meheoto.dll - C:\Documents and Settings\NetworkService\Local Settings\Application Data\meheoto.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 20:45:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{553601ed-365c-11de-9d0d-002170f677eb}\Shell - "" = AutoRun
O33 - MountPoints2\{553601ed-365c-11de-9d0d-002170f677eb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{553601ed-365c-11de-9d0d-002170f677eb}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{71966641-1a5d-11de-9cef-002170f677eb}\Shell - "" = AutoRun
O33 - MountPoints2\{71966641-1a5d-11de-9cef-002170f677eb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{71966641-1a5d-11de-9cef-002170f677eb}\Shell\AutoRun\command - "" = D:\AutoRun.exe
O33 - MountPoints2\{8b0c0db0-1fdd-11de-9cf8-002170f677eb}\Shell - "" = AutoRun
O33 - MountPoints2\{8b0c0db0-1fdd-11de-9cf8-002170f677eb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8b0c0db0-1fdd-11de-9cf8-002170f677eb}\Shell\AutoRun\command - "" = D:\AutoRun.exe
O33 - MountPoints2\{a902ef8a-26d5-11de-9d00-002170f677eb}\Shell - "" = AutoRun
O33 - MountPoints2\{a902ef8a-26d5-11de-9d00-002170f677eb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a902ef8a-26d5-11de-9d00-002170f677eb}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{b1b05254-b6e7-11e0-9f4a-002170f677eb}\Shell - "" = AutoRun
O33 - MountPoints2\{b1b05254-b6e7-11e0-9f4a-002170f677eb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b1b05254-b6e7-11e0-9f4a-002170f677eb}\Shell\AutoRun\command - "" = D:\laucher.exe
O33 - MountPoints2\{b9e9f118-1994-11df-9deb-002170f677eb}\Shell - "" = AutoRun
O33 - MountPoints2\{b9e9f118-1994-11df-9deb-002170f677eb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b9e9f118-1994-11df-9deb-002170f677eb}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -a
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/07/27 12:27:38 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\JILL HEFFERNAN\Desktop\OTL.com
[2011/07/27 12:19:28 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\JILL HEFFERNAN\Desktop\OTL.exe
[2011/07/27 11:20:15 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/07/27 11:20:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/07/27 11:20:10 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/07/27 11:20:10 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/07/26 19:37:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2011/07/26 18:19:42 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2011/07/25 16:55:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JILL HEFFERNAN\My Documents\SightSpeed Recordings
[2011/07/25 16:54:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JILL HEFFERNAN\My Documents\My Received Files
[2011/07/25 16:52:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/07/25 15:51:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JILL HEFFERNAN\Application Data\Malwarebytes
[2011/07/25 15:50:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/07/24 18:04:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/07/24 18:04:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/07/24 17:10:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/07/24 17:10:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2009/08/27 16:59:45 | 001,224,704 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqserv.dll
[2009/08/27 16:59:45 | 000,991,232 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqusb1.dll
[2009/08/27 16:59:45 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqinpa.dll
[2009/08/27 16:59:45 | 000,397,312 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqiesc.dll
[2009/08/27 16:59:45 | 000,323,584 | ---- | C] ( ) -- C:\WINDOWS\System32\DLCQhcp.dll
[2009/08/27 16:59:45 | 000,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqprox.dll
[2009/08/27 16:59:45 | 000,094,208 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqpplc.dll
[2009/08/27 16:59:44 | 000,696,320 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqhbn3.dll
[2009/08/27 16:59:44 | 000,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqpmui.dll
[2009/08/27 16:59:44 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqlmpm.dll
[2009/08/27 16:59:44 | 000,385,928 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqih.exe
[2009/08/27 16:59:43 | 000,684,032 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqcomc.dll
[2009/08/27 16:59:43 | 000,537,480 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqcoms.exe
[2009/08/27 16:59:43 | 000,421,888 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqcomm.dll
[2009/08/27 16:59:43 | 000,381,832 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqcfg.exe
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/07/27 12:29:16 | 000,000,302 | -HS- | M] () -- C:\WINDOWS\tasks\Kowqvbzt.job
[2011/07/27 12:28:00 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\JILL HEFFERNAN\Desktop\OTL.com
[2011/07/27 12:25:06 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/07/27 12:19:33 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\JILL HEFFERNAN\Desktop\OTL.exe
[2011/07/27 12:04:54 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/07/27 11:10:03 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/07/26 18:24:17 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/07/26 18:19:09 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/07/25 17:00:57 | 000,015,376 | -HS- | M] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\3101554789
[2011/07/25 16:52:56 | 000,015,360 | -HS- | M] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\543002988
[2011/07/25 16:52:56 | 000,015,360 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3101554789
[2011/07/25 16:49:08 | 000,015,366 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\543002988
[2011/07/25 16:49:07 | 000,015,366 | -HS- | M] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\wyne21d23x68edomywy2024
[2011/07/25 16:47:30 | 000,016,764 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\wyne21d23x68edomywy2024
[2011/07/25 16:45:16 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/07/25 16:45:14 | 000,066,048 | RHS- | M] () -- C:\WINDOWS\System32\qagent2.dll
[2011/07/25 15:39:21 | 000,012,970 | -HS- | M] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\y613x7814o263y7irkx
[2011/07/25 15:39:21 | 000,012,970 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\y613x7814o263y7irkx
[2011/07/25 15:20:24 | 000,001,134 | ---- | M] () -- C:\Documents and Settings\JILL HEFFERNAN\Desktop\FixNCR.reg
[2011/07/24 16:59:40 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\yugd.exe
[2011/07/24 16:59:40 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\tnts.exe
[2011/07/24 16:59:40 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\mvej.exe
[2011/07/24 16:59:40 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\jfcl.exe
[2011/07/24 16:59:40 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\ihba.exe
[2011/07/24 16:59:40 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\gfcc.exe
[2011/07/24 16:59:40 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\ektn.exe
[2011/07/24 16:59:40 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\dsox.exe
[2011/07/15 14:31:22 | 000,167,504 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/07/14 18:35:14 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/07/07 21:53:54 | 000,464,500 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/07/07 21:53:54 | 000,079,610 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/07/06 19:52:42 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/07/26 19:17:02 | 000,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/07/26 18:20:20 | 000,001,749 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2011/07/26 18:11:39 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\meheoto.dll
[2011/07/26 18:08:20 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2011/07/25 17:00:30 | 000,015,376 | -HS- | C] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\3101554789
[2011/07/25 16:52:25 | 000,015,360 | -HS- | C] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\543002988
[2011/07/25 16:52:25 | 000,015,360 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3101554789
[2011/07/25 16:48:56 | 000,001,134 | ---- | C] () -- C:\Documents and Settings\JILL HEFFERNAN\Desktop\FixNCR.reg
[2011/07/25 16:46:17 | 000,015,366 | -HS- | C] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\wyne21d23x68edomywy2024
[2011/07/25 16:46:17 | 000,015,366 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\543002988
[2011/07/25 16:45:16 | 000,000,302 | -HS- | C] () -- C:\WINDOWS\tasks\Kowqvbzt.job
[2011/07/25 16:45:14 | 000,066,048 | RHS- | C] () -- C:\WINDOWS\System32\qagent2.dll
[2011/07/25 16:45:05 | 000,016,764 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\wyne21d23x68edomywy2024
[2011/07/25 16:45:05 | 000,016,764 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\wyne21d23x68edomywy2024
[2011/07/24 17:11:15 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/07/24 16:59:41 | 000,012,970 | -HS- | C] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\y613x7814o263y7irkx
[2011/07/24 16:59:41 | 000,012,970 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\y613x7814o263y7irkx
[2011/07/24 16:59:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\yugd.exe
[2011/07/24 16:59:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\tnts.exe
[2011/07/24 16:59:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\mvej.exe
[2011/07/24 16:59:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\jfcl.exe
[2011/07/24 16:59:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\ihba.exe
[2011/07/24 16:59:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\gfcc.exe
[2011/07/24 16:59:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ektn.exe
[2011/07/24 16:59:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dsox.exe
[2010/03/14 17:09:52 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/04 22:33:40 | 000,002,480 | ---- | C] () -- C:\Documents and Settings\JILL HEFFERNAN\Application Data\wklnhst.dat
[2009/08/27 17:05:26 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlcqvs.dll
[2009/08/27 17:05:10 | 000,344,064 | ---- | C] () -- C:\WINDOWS\System32\dlcqcoin.dll
[2009/08/27 17:04:38 | 000,692,224 | ---- | C] () -- C:\WINDOWS\System32\dlcqdrs.dll
[2009/08/27 17:04:38 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\dlcqcaps.dll
[2009/08/27 17:04:38 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\dlcqcnv4.dll
[2009/08/27 16:59:45 | 000,454,656 | ---- | C] () -- C:\WINDOWS\System32\dlcqutil.dll
[2009/08/27 16:59:45 | 000,274,432 | ---- | C] () -- C:\WINDOWS\System32\DLCQinst.dll
[2009/08/27 16:59:44 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\dlcqgrd.dll
[2009/08/27 16:59:44 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\dlcqinsb.dll
[2009/08/27 16:59:44 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\dlcqins.dll
[2009/08/27 16:59:44 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\dlcqjswr.dll
[2009/08/27 16:59:44 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\dlcqinsr.dll
[2009/08/27 16:59:43 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\dlcqcub.dll
[2009/08/27 16:59:43 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\dlcqcu.dll
[2009/08/27 16:59:43 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\dlcqcur.dll
[2009/08/27 16:59:42 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\DLCQcfg.dll
[2009/08/27 15:17:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/03/23 05:13:42 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2009/03/23 05:12:45 | 000,077,824 | ---- | C] () -- C:\WINDOWS\setpwr32.exe
[2009/03/23 05:10:13 | 000,001,154 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/03/23 04:33:52 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/03/23 04:07:38 | 000,000,075 | RHS- | C] () -- C:\WINDOWS\CT4CET.bin
[2009/03/23 03:52:59 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\EMSC.DLL
[2008/07/30 10:55:02 | 002,854,912 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2008/05/26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/04/25 20:47:34 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/04/25 20:44:05 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/04/25 20:42:57 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/04/25 15:33:19 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/25 15:33:18 | 000,464,500 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/25 15:33:18 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/25 15:33:18 | 000,079,610 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/25 15:33:18 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/25 15:33:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/25 15:33:17 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/25 15:33:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2008/04/25 15:33:14 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/25 15:33:14 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/25 15:33:10 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/25 15:33:06 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/25 08:39:19 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/04/25 08:38:33 | 000,167,504 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2009/03/23 04:13:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
[2009/03/23 04:13:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2009/03/23 04:13:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2009/04/11 15:15:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\T-Mobile
[2009/03/23 03:52:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Vista32
[2009/03/23 03:52:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Vista64
[2009/03/23 04:08:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\XP32
[2009/04/02 18:36:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JILL HEFFERNAN\Application Data\DBUpdater
[2009/03/26 18:33:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JILL HEFFERNAN\Application Data\T-Mobile
[2009/11/05 21:54:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JILL HEFFERNAN\Application Data\Template
[2009/08/27 15:17:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JILL HEFFERNAN\Application Data\Thunderbird
[2009/03/23 03:45:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JILL HEFFERNAN\Application Data\Windows Desktop Search
[2010/01/15 12:24:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JILL HEFFERNAN\Application Data\Windows Live Writer
[2009/03/26 18:33:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JILL HEFFERNAN\Application Data\Windows Search
[2011/07/27 12:29:16 | 000,000,302 | -HS- | M] () -- C:\WINDOWS\Tasks\Kowqvbzt.job
[2011/07/27 11:10:03 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========



< End of report >

#2
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short); it's a pleasure to meet you. :unsure:

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together :)
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.
____________________________________________________


OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :Processes
    KILLALLPROCESSES
    :OTL
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O4 - HKLM..\Run: [KernelFaultCheck] File not found
    O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] File not found
    O4 - HKLM..\Run: [MSC] File not found
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
    O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
    O20 - Winlogon\Notify\meheoto: DllName - C:\Documents and Settings\NetworkService\Local Settings\Application Data\meheoto.dll - C:\Documents and Settings\NetworkService\Local Settings\Application Data\meheoto.dll ()
    O33 - MountPoints2\{553601ed-365c-11de-9d0d-002170f677eb}\Shell - "" = AutoRun
    O33 - MountPoints2\{553601ed-365c-11de-9d0d-002170f677eb}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{553601ed-365c-11de-9d0d-002170f677eb}\Shell\AutoRun\command - "" = E:\AutoRun.exe
    O33 - MountPoints2\{71966641-1a5d-11de-9cef-002170f677eb}\Shell - "" = AutoRun
    O33 - MountPoints2\{71966641-1a5d-11de-9cef-002170f677eb}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{71966641-1a5d-11de-9cef-002170f677eb}\Shell\AutoRun\command - "" = D:\AutoRun.exe
    O33 - MountPoints2\{8b0c0db0-1fdd-11de-9cf8-002170f677eb}\Shell - "" = AutoRun
    O33 - MountPoints2\{8b0c0db0-1fdd-11de-9cf8-002170f677eb}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{8b0c0db0-1fdd-11de-9cf8-002170f677eb}\Shell\AutoRun\command - "" = D:\AutoRun.exe
    O33 - MountPoints2\{a902ef8a-26d5-11de-9d00-002170f677eb}\Shell - "" = AutoRun
    O33 - MountPoints2\{a902ef8a-26d5-11de-9d00-002170f677eb}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{a902ef8a-26d5-11de-9d00-002170f677eb}\Shell\AutoRun\command - "" = E:\AutoRun.exe
    O33 - MountPoints2\{b1b05254-b6e7-11e0-9f4a-002170f677eb}\Shell - "" = AutoRun
    O33 - MountPoints2\{b1b05254-b6e7-11e0-9f4a-002170f677eb}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{b1b05254-b6e7-11e0-9f4a-002170f677eb}\Shell\AutoRun\command - "" = D:\laucher.exe
    O33 - MountPoints2\{b9e9f118-1994-11df-9deb-002170f677eb}\Shell - "" = AutoRun
    O33 - MountPoints2\{b9e9f118-1994-11df-9deb-002170f677eb}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{b9e9f118-1994-11df-9deb-002170f677eb}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -a
    O33 - MountPoints2\F\Shell - "" = AutoRun
    O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
    [2011/07/27 12:29:16 | 000,000,302 | -HS- | M] () -- C:\WINDOWS\tasks\Kowqvbzt.job
    [2011/07/25 17:00:57 | 000,015,376 | -HS- | M] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\3101554789
    [2011/07/25 16:52:56 | 000,015,360 | -HS- | M] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\543002988
    [2011/07/25 16:52:56 | 000,015,360 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\3101554789
    [2011/07/25 16:49:08 | 000,015,366 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\543002988
    [2011/07/25 16:49:07 | 000,015,366 | -HS- | M] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\wyne21d23x68edomywy2024
    [2011/07/25 16:47:30 | 000,016,764 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\wyne21d23x68edomywy2024
    [2011/07/25 16:45:14 | 000,066,048 | RHS- | M] () -- C:\WINDOWS\System32\qagent2.dll
    [2011/07/25 15:39:21 | 000,012,970 | -HS- | M] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\y613x7814o263y7irkx
    [2011/07/25 15:39:21 | 000,012,970 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\y613x7814o263y7irkx
    [2011/07/24 16:59:40 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\yugd.exe
    [2011/07/24 16:59:40 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\tnts.exe
    [2011/07/24 16:59:40 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\mvej.exe
    [2011/07/24 16:59:40 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\jfcl.exe
    [2011/07/24 16:59:40 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\ihba.exe
    [2011/07/24 16:59:40 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\gfcc.exe
    [2011/07/24 16:59:40 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\ektn.exe
    [2011/07/24 16:59:40 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\dsox.exe
    [2011/07/25 17:00:30 | 000,015,376 | -HS- | C] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\3101554789
    [2011/07/25 16:52:25 | 000,015,360 | -HS- | C] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\543002988
    [2011/07/25 16:52:25 | 000,015,360 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3101554789
    [2011/07/25 16:46:17 | 000,015,366 | -HS- | C] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\wyne21d23x68edomywy2024
    [2011/07/25 16:46:17 | 000,015,366 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\543002988
    [2011/07/25 16:45:16 | 000,000,302 | -HS- | C] () -- C:\WINDOWS\tasks\Kowqvbzt.job
    [2011/07/25 16:45:14 | 000,066,048 | RHS- | C] () -- C:\WINDOWS\System32\qagent2.dll
    [2011/07/25 16:45:05 | 000,016,764 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\wyne21d23x68edomywy2024
    [2011/07/25 16:45:05 | 000,016,764 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\wyne21d23x68edomywy2024
    [2011/07/24 16:59:41 | 000,012,970 | -HS- | C] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\y613x7814o263y7irkx
    [2011/07/24 16:59:41 | 000,012,970 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\y613x7814o263y7irkx
    [2011/07/24 16:59:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\yugd.exe
    [2011/07/24 16:59:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\tnts.exe
    [2011/07/24 16:59:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\mvej.exe
    [2011/07/24 16:59:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\jfcl.exe
    [2011/07/24 16:59:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\ihba.exe
    [2011/07/24 16:59:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\gfcc.exe
    [2011/07/24 16:59:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ektn.exe
    [2011/07/24 16:59:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\dsox.exe
    [2011/07/27 12:29:16 | 000,000,302 | -HS- | M] () -- C:\WINDOWS\Tasks\Kowqvbzt.job
    
    :Reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"="C:\\windows\\system32\\userinit.exe,"
    "Shell"="explorer.exe"
    :Files
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [EMPTYFLASH]
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Scanning with GMER

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

Notes:
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.



NEXT:



What issues are you currently experiencing with your computer?
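Added here as an editor's example, not code from SweetTech's post or from OTL itself: a small Python triage script that parses OTL's file-entry lines (`[date time | size | attrs | C/M] (company) -- path`) and applies the heuristics the fix list above implicitly uses when it singles out entries: hidden+system attributes on files sitting in Application Data or %WinDir%\Tasks, zero-byte .exe drops, extensionless files with random-looking names, and a hidden+system file in System32 with no publisher in its version info. The sample lines are a handful copied from the log and fix list above; the heuristics and the six-character threshold are my own assumptions, and the output is a list of entries for a human to review, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One OTL file entry:  [date time | size | attrs | C/M] (company) -- path
# attrs has four columns: R(ead-only) H(idden) S(ystem) D(irectory), '-' when unset.
# The LOP-check section omits the "(company)" column, so it is optional here.
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)

@dataclass
class OtlEntry:
    timestamp: str
    size: int
    hidden: bool
    system: bool
    directory: bool
    kind: str          # "C" = created, "M" = modified
    company: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Parse one OTL file/directory line; return None for anything else."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    attrs = m.group("attrs")
    return OtlEntry(
        timestamp=m.group("ts"),
        size=int(m.group("size").replace(",", "")),
        hidden=attrs[1] == "H",
        system=attrs[2] == "S",
        directory=attrs[3] == "D",
        kind=m.group("kind"),
        company=m.group("company") or "",
        path=m.group("path"),
    )

# Extensionless name made only of letters and digits (assumed threshold: 6+ chars).
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{6,}$")

def triage(e: OtlEntry) -> List[str]:
    """Heuristics mirroring what the fix list above singled out; empty list = unremarkable."""
    low = e.path.lower()
    in_app_data = "\\application data\\" in low
    in_tasks = "\\windows\\tasks\\" in low
    in_system32 = low.startswith("c:\\windows\\system32\\")
    reasons: List[str] = []
    if e.directory:
        return reasons
    if e.hidden and e.system and (in_app_data or in_tasks):
        reasons.append("hidden+system file in a user-writable data or Tasks directory")
    if in_app_data and low.endswith(".exe") and e.size == 0:
        reasons.append("zero-byte executable in Application Data")
    if in_app_data and "." not in e.name and RANDOM_NAME.match(e.name):
        reasons.append("extensionless file with a random-looking name in Application Data")
    if in_system32 and e.hidden and e.system and not e.company:
        reasons.append("hidden+system file in System32 with no publisher in its version info")
    return reasons

def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every entry that trips at least one heuristic."""
    flagged = []
    for line in text.splitlines():
        e = parse_otl_line(line)
        if e is None:
            continue
        reasons = triage(e)
        if reasons:
            flagged.append((e.path, reasons))
    return flagged

# Sample lines copied from the OTL log and fix list above (a small subset).
SAMPLE_LOG = r"""[2011/07/27 12:29:16 | 000,000,302 | -HS- | M] () -- C:\WINDOWS\Tasks\Kowqvbzt.job
[2011/07/27 11:10:03 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2011/07/25 16:49:08 | 000,015,366 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\543002988
[2011/07/24 16:59:40 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\tnts.exe
[2011/07/25 16:45:14 | 000,066,048 | RHS- | C] () -- C:\WINDOWS\System32\qagent2.dll
[2008/04/25 15:33:18 | 000,464,500 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2009/03/23 04:13:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
"""

if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG):
        print(path)
        for r in reasons:
            print("   -", r)
```

Run it against a full OTL.txt by reading the file and passing its text to `triage_log`. Note how the two scheduled tasks are told apart: the legitimate MP Scheduled Scan.job is only hidden (`-H--`), while the randomly named job carries the system attribute as well (`-HS-`), the same pattern as the random-named drops under Application Data.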

#3
Moonpie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hello ST!

Thank you for volunteering in general and for helping me specifically.

-------------------------------------------------------

Ran OTL Fix & rebooted; here is report:



========== SERVICES/DRIVERS ==========
========== PROCESSES ==========
All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Malwarebytes' Anti-Malware (reboot) deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\MSC deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\meheoto\ deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\meheoto.dll moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{553601ed-365c-11de-9d0d-002170f677eb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{553601ed-365c-11de-9d0d-002170f677eb}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{553601ed-365c-11de-9d0d-002170f677eb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{553601ed-365c-11de-9d0d-002170f677eb}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{553601ed-365c-11de-9d0d-002170f677eb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{553601ed-365c-11de-9d0d-002170f677eb}\ not found.
File E:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{71966641-1a5d-11de-9cef-002170f677eb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71966641-1a5d-11de-9cef-002170f677eb}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{71966641-1a5d-11de-9cef-002170f677eb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71966641-1a5d-11de-9cef-002170f677eb}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{71966641-1a5d-11de-9cef-002170f677eb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71966641-1a5d-11de-9cef-002170f677eb}\ not found.
File D:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8b0c0db0-1fdd-11de-9cf8-002170f677eb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8b0c0db0-1fdd-11de-9cf8-002170f677eb}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8b0c0db0-1fdd-11de-9cf8-002170f677eb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8b0c0db0-1fdd-11de-9cf8-002170f677eb}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8b0c0db0-1fdd-11de-9cf8-002170f677eb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8b0c0db0-1fdd-11de-9cf8-002170f677eb}\ not found.
File D:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a902ef8a-26d5-11de-9d00-002170f677eb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a902ef8a-26d5-11de-9d00-002170f677eb}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a902ef8a-26d5-11de-9d00-002170f677eb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a902ef8a-26d5-11de-9d00-002170f677eb}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a902ef8a-26d5-11de-9d00-002170f677eb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a902ef8a-26d5-11de-9d00-002170f677eb}\ not found.
File E:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b1b05254-b6e7-11e0-9f4a-002170f677eb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b1b05254-b6e7-11e0-9f4a-002170f677eb}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b1b05254-b6e7-11e0-9f4a-002170f677eb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b1b05254-b6e7-11e0-9f4a-002170f677eb}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b1b05254-b6e7-11e0-9f4a-002170f677eb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b1b05254-b6e7-11e0-9f4a-002170f677eb}\ not found.
File D:\laucher.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b9e9f118-1994-11df-9deb-002170f677eb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b9e9f118-1994-11df-9deb-002170f677eb}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b9e9f118-1994-11df-9deb-002170f677eb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b9e9f118-1994-11df-9deb-002170f677eb}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b9e9f118-1994-11df-9deb-002170f677eb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b9e9f118-1994-11df-9deb-002170f677eb}\ not found.
File D:\LaunchU3.exe -a not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ not found.
File F:\LaunchU3.exe -a not found.
C:\WINDOWS\tasks\Kowqvbzt.job moved successfully.
C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\3101554789 moved successfully.
C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\543002988 moved successfully.
C:\Documents and Settings\All Users\Application Data\3101554789 moved successfully.
C:\Documents and Settings\All Users\Application Data\543002988 moved successfully.
C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\wyne21d23x68edomywy2024 moved successfully.
C:\Documents and Settings\All Users\Application Data\wyne21d23x68edomywy2024 moved successfully.
C:\WINDOWS\system32\qagent2.dll moved successfully.
C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\y613x7814o263y7irkx moved successfully.
C:\Documents and Settings\All Users\Application Data\y613x7814o263y7irkx moved successfully.
C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\yugd.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\tnts.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\mvej.exe moved successfully.
C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\jfcl.exe moved successfully.
C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\ihba.exe moved successfully.
C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\gfcc.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\ektn.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\dsox.exe moved successfully.
File C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\3101554789 not found.
File C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\543002988 not found.
File C:\Documents and Settings\All Users\Application Data\3101554789 not found.
File C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\wyne21d23x68edomywy2024 not found.
File C:\Documents and Settings\All Users\Application Data\543002988 not found.
File C:\WINDOWS\tasks\Kowqvbzt.job not found.
File C:\WINDOWS\System32\qagent2.dll not found.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\wyne21d23x68edomywy2024 moved successfully.
File C:\Documents and Settings\All Users\Application Data\wyne21d23x68edomywy2024 not found.
File C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\y613x7814o263y7irkx not found.
File C:\Documents and Settings\All Users\Application Data\y613x7814o263y7irkx not found.
File C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\yugd.exe not found.
File C:\Documents and Settings\All Users\Application Data\tnts.exe not found.
File C:\Documents and Settings\All Users\Application Data\mvej.exe not found.
File C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\jfcl.exe not found.
File C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\ihba.exe not found.
File C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\gfcc.exe not found.
File C:\Documents and Settings\All Users\Application Data\ektn.exe not found.
File C:\Documents and Settings\All Users\Application Data\dsox.exe not found.
File C:\WINDOWS\Tasks\Kowqvbzt.job not found.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\"Userinit"|"C:\\windows\\system32\\userinit.exe," /E : value set successfully!
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\"Shell"|"explorer.exe" /E : value set successfully!
========== FILES ==========
< echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c >
Are you sure (Y/N)?
C:\Documents and Settings\JILL HEFFERNAN\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\JILL HEFFERNAN\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\JILL HEFFERNAN\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\JILL HEFFERNAN\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
HOSTS file reset successfully
Unable to start service SrService!

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 566 bytes

User: All Users

User: Default User
->Flash cache emptied: 321 bytes

User: JILL HEFFERNAN
->Flash cache emptied: 3163674 bytes

User: LocalService
->Flash cache emptied: 1687 bytes

User: NetworkService
->Flash cache emptied: 11631 bytes

Total Flash Files Cleaned = 3.00 mb


OTL by OldTimer - Version 3.2.26.1 log created on 07282011_193451

-------------------------------------------------------


Downloaded & scanned with GMER; here is log:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-07-28 20:15:00
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 STEC_PATA_16GB rev.D5221-10
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\agtyapoc.sys


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AF000A
.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B0000A
.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00AE000C
.text C:\WINDOWS\Explorer.EXE[1976] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[1976] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C2000A
.text C:\WINDOWS\Explorer.EXE[1976] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86EFD31B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 86EFD31B
Device \FileSystem\Fastfat \Fat F66E1D20

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4Z32DOPD\banner[1].php 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4Z32DOPD\flowplayer-3.2.7[1].swf 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8WQ8YETB\crossdomain[2].xml 204 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9RWOOUUT\all[1].js 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\V1HW70T5\ad[1].gif 45 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\W3IVYOE6\search[1].htm 413 bytes

---- EOF - GMER 1.0.15 ----

-------------------------------------------------------

Current issues:

  • "Congratulations, You Just Won!" pop-ups still coming up in IE (URL is webprizegiveaways . com)
  • CPU Usage still gets up to 100% due to one particular svchost.exe (1124)
I'm not really trying to do much else - especially since the 100% CPU Usage happens rather quickly and slows everything down.

Thanks again!

Edited by Moonpie, 28 July 2011 - 08:02 PM.

  • 0

#4
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi Moonpie!

Thank you for volunteering in general and for helping me specifically.

You're very welcome!

Looks like you have a TDL4 infection.

Running TDSSKiller

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.



  • If an infected file is detected, the default action will be Cure, click on Continue.



  • If a suspicious file is detected, the default action will be Skip, click on Continue.



  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.



  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

  • 0

#5
Moonpie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
ST,

I Googled TDL4 and read a technical article about it. The minutia of the article was over my head, but I understood the gist of it. At first I was concerned because the article writer stated that the experts in the field talked about how nearly indestructible TDL4 is. I was thinking I would have to format this hard drive & try to reinstall everything (which would be a nightmare b/c my boss doesn't keep up with disks very well)!

Then I realized that they weren't saying it is "indestructible" on an individual computer - turns out it is not too difficult to remove it from one computer once it is detected, it is just this particular encrypted p2p botnet (with an estimated 4.5 million infected computers!!) is nearly indestructible.

Makes me want to finally act on the promise I made to myself years ago to learn Linux....

Anyway, I downloaded & ran TDSSKiller. Report is below.

(FYI, after being logged in for as long or longer than previous times when these occurred, I am not currently getting a high CPU Usage nor am I getting IE pop-ups.)

Thanks!
-Moonpie


---------------------------------

2011/07/30 08:39:00.0296 0216 TDSS rootkit removing tool 2.5.13.0 Jul 29 2011 17:24:11
2011/07/30 08:39:00.0843 0216 ================================================================================
2011/07/30 08:39:00.0843 0216 SystemInfo:
2011/07/30 08:39:00.0843 0216
2011/07/30 08:39:00.0843 0216 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/30 08:39:00.0843 0216 Product type: Workstation
2011/07/30 08:39:00.0843 0216 ComputerName: D32K5JC1
2011/07/30 08:39:00.0843 0216 UserName: Administrator
2011/07/30 08:39:00.0843 0216 Windows directory: C:\WINDOWS
2011/07/30 08:39:00.0843 0216 System windows directory: C:\WINDOWS
2011/07/30 08:39:00.0843 0216 Processor architecture: Intel x86
2011/07/30 08:39:00.0843 0216 Number of processors: 2
2011/07/30 08:39:00.0843 0216 Page size: 0x1000
2011/07/30 08:39:00.0843 0216 Boot type: Safe boot with network
2011/07/30 08:39:00.0843 0216 ================================================================================
2011/07/30 08:39:04.0078 0216 Initialize success
2011/07/30 08:39:10.0687 0272 ================================================================================
2011/07/30 08:39:10.0687 0272 Scan started
2011/07/30 08:39:10.0687 0272 Mode: Manual;
2011/07/30 08:39:10.0687 0272 ================================================================================
2011/07/30 08:39:32.0781 0272 MBR (0x1B8) (534997c1da6d62ceb42126d018cac57b) \Device\Harddisk0\DR0
2011/07/30 08:39:32.0812 0272 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/07/30 08:39:32.0859 0272 Boot (0x1200) (2d92d411d02e52e96c58bdce48413dcc) \Device\Harddisk0\DR0\Partition0
2011/07/30 08:39:32.0906 0272 ================================================================================
2011/07/30 08:39:32.0906 0272 Scan finished
2011/07/30 08:39:32.0906 0272 ================================================================================
2011/07/30 08:39:32.0968 0264 Detected object count: 1
2011/07/30 08:39:32.0968 0264 Actual detected object count: 1
2011/07/30 08:39:53.0296 0264 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/07/30 08:39:53.0296 0264 \Device\Harddisk0\DR0 - ok
2011/07/30 08:39:53.0296 0264 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/07/30 08:39:59.0703 0200 Deinitialize success

Edited by Moonpie, 30 July 2011 - 08:07 AM.

  • 0

#6
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi Moonpie!

Looks like TDSSKiller did find a TDL4 infection.

One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



The main infection that you were infected with is called TDL4.

See the snippet of text below:

2011/07/30 08:39:32.0968 0264 Detected object count: 1
2011/07/30 08:39:32.0968 0264 Actual detected object count: 1
2011/07/30 08:39:53.0296 0264 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/07/30 08:39:53.0296 0264 \Device\Harddisk0\DR0 - ok
2011/07/30 08:39:53.0296 0264 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/07/30 08:39:59.0703 0200 Deinitialize success


You can read more about this infection here:

Special thanks to quietman7 for providing the above links.



NEXT:



Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer; could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NEXT:



Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

  • 0
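As an added illustration (not code from the thread, from TDSSKiller or from its authors), here is a small Python parser for the log format Moonpie posted in #5 and SweetTech quotes in #6: it pulls out the MBR/boot-sector hashes, the detection, the chosen action and whether a reboot is still pending, and flags any driver loaded from outside the Windows directory. The sample log is an excerpt of the posted one plus one made-up driver line; the function and field names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the TDSSKiller 2.5 log format posted above. Every line is
# copied from that log except the "xyzdrv" driver line, which is made up so the
# path check below has something to flag.
SAMPLE_LOG = r"""
2011/07/30 08:39:00.0296 0216 TDSS rootkit removing tool 2.5.13.0 Jul 29 2011 17:24:11
2011/07/30 08:39:00.0843 0216 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/30 08:39:00.0843 0216 Boot type: Safe boot with network
2011/07/30 08:39:14.0296 0272 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/30 08:39:15.0703 0272 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/07/30 08:39:28.0000 0272 xyzdrv (0123456789abcdef0123456789abcdef) C:\Documents and Settings\user\xyzdrv.sys
2011/07/30 08:39:32.0781 0272 MBR (0x1B8) (534997c1da6d62ceb42126d018cac57b) \Device\Harddisk0\DR0
2011/07/30 08:39:32.0812 0272 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/07/30 08:39:32.0859 0272 Boot (0x1200) (2d92d411d02e52e96c58bdce48413dcc) \Device\Harddisk0\DR0\Partition0
2011/07/30 08:39:32.0968 0264 Detected object count: 1
2011/07/30 08:39:53.0296 0264 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/07/30 08:39:53.0296 0264 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/07/30 08:39:59.0703 0200 Deinitialize success
"""

# Every TDSSKiller line is "<timestamp> <thread id> <message>"; the message is what varies.
LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<tid>\d{4})\s+(?P<msg>.*)$")
DRIVER_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
SECTOR_RE = re.compile(r"^(?P<kind>MBR|Boot) \((?P<size>0x[0-9A-Fa-f]+)\) \((?P<md5>[0-9a-f]{32})\) (?P<device>.+)$")
DETECTED_RE = re.compile(r"^(?P<device>\\Device\\\S+) - detected (?P<threat>\S+)")
CURE_RE = re.compile(r"^(?P<device>\\Device\\\S+) \((?P<threat>[^)]+)\) - (?P<status>will be cured after reboot|ok)$")
ACTION_RE = re.compile(r"^(?P<threat>\S+)\((?P<device>[^)]+)\) - User select action: (?P<action>\w+)$")


@dataclass
class Report:
    boot_type: str = ""
    drivers: list = field(default_factory=list)       # (name, md5, path)
    sectors: dict = field(default_factory=dict)       # "MBR"/"Boot" -> (md5, device)
    detections: list = field(default_factory=list)    # (device, threat)
    pending_reboot: list = field(default_factory=list)  # devices cured only after reboot
    actions: dict = field(default_factory=dict)       # threat -> action chosen by the user


def parse_tdsskiller_log(text):
    """Classify each log line; unknown message shapes are ignored rather than guessed at."""
    rep = Report()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Boot type:"):
            rep.boot_type = msg.split(":", 1)[1].strip()
        elif (s := SECTOR_RE.match(msg)):          # sector hashes come before the driver check
            rep.sectors[s["kind"]] = (s["md5"], s["device"])
        elif (d := DETECTED_RE.match(msg)):
            rep.detections.append((d["device"], d["threat"]))
        elif (c := CURE_RE.match(msg)):
            if c["status"].startswith("will be cured"):
                rep.pending_reboot.append(c["device"])
        elif (a := ACTION_RE.match(msg)):
            rep.actions[a["threat"]] = a["action"]
        elif (dr := DRIVER_RE.match(msg)):
            rep.drivers.append((dr["name"], dr["md5"], dr["path"]))
    return rep


def unusual_driver_paths(rep, windir=r"C:\WINDOWS"):
    """Drivers loaded from outside the Windows directory deserve a second look."""
    prefix = windir.lower()
    return [(name, path) for name, _, path in rep.drivers if not path.lower().startswith(prefix)]


def triage(rep):
    """Reduce the parsed report to the handful of facts a helper would act on."""
    findings = []
    for device, threat in rep.detections:
        findings.append(f"{threat} on {device}: action={rep.actions.get(threat, 'none')}")
    if rep.pending_reboot:
        findings.append("reboot required before the disk-level cure is applied")
    if "MBR" in rep.sectors:
        findings.append(f"MBR hash {rep.sectors['MBR'][0]} recorded; compare it after the reboot")
    for name, path in unusual_driver_paths(rep):
        findings.append(f"driver {name} loaded from outside the Windows directory: {path}")
    return findings


if __name__ == "__main__":
    for line in triage(parse_tdsskiller_log(SAMPLE_LOG)):
        print(line)
```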

#7
Moonpie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
ST,

I intend to go through the steps you laid out in your last post; I just haven't had the best opportunity in the past couple of days.

I hope to get to it today, but the way my schedule is working out it will more likely happen tomorrow.

I apologize for the delay. Please bear with me.

Thanks!

  • 0

#8
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Okay, no worries!

I appreciate the courtesy of being let know.

As long as I know you're still with me, it's perfectly okay. :)
  • 0

#9
Moonpie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
ST,

Thanks for your patience & understanding.

-------------------------
Ran MBAM; found nothing malicious. Report:


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7365

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

8/3/2011 11:05:13 AM
mbam-log-2011-08-03 (11-05-13).txt

Scan type: Quick scan
Objects scanned: 191183
Time elapsed: 5 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-------------------------

Did the ESETScan thing. Report:

C:\Documents and Settings\JILL HEFFERNAN\Application Data\Sun\Java\Deployment\cache\6.0\1\4b511e41-55859ce7 multiple threats
C:\Documents and Settings\JILL HEFFERNAN\Application Data\Sun\Java\Deployment\cache\6.0\34\37db3fe2-65ba5cc8 Java/TrojanDownloader.Agent.ME trojan

-------------------------

Security Check report:

Results of screen317's Security Check version 0.99.18
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
ESET Online Scanner v3
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 11
Out of date Java installed!
Adobe Flash Player
Mozilla Thunderbird (2.0.0) Thunderbird Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

-------------------------

And I have a confession to make: Microsoft Security Essentials was acting funny so I uninstalled it before running all of these. (I know not to surf while it is not there, and I know I eventually need to re-install it.) I just hope I didn't/don't mess you up with the analysis you are doing and help you are providing....

My apologies if I've made things worse.

Thanks!
-MP


#10 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Hi Moonpie!

And I have a confession to make: Microsoft Security Essentials was acting funny so I uninstalled it before running all of these. (I know not to surf while it is not there, and I know I eventually need to re-install it.) I just hope I didn't/don't mess you up with the analysis you are doing and help you are providing....

Thanks for letting me know that!

After you proceed with the OTL fix below, I'd like to ask that you re-install Microsoft Security Essentials, and then run the new OTL scan.

These threat(s) below will be removed very shortly:

C:\Documents and Settings\JILL HEFFERNAN\Application Data\Sun\Java\Deployment\cache\6.0\1\4b511e41-55859ce7 multiple threats
C:\Documents and Settings\JILL HEFFERNAN\Application Data\Sun\Java\Deployment\cache\6.0\34\37db3fe2-65ba5cc8 Java/TrojanDownloader.Agent.ME trojan


____________________________________________________

From the looks of your SecurityCheck log, I can see that we have some outdated programs that need to be updated.

Let's address those programs that need updating now!

Your SecurityCheck log indicates that your version of Flash Player is outdated. This is a vulnerability that needs to be addressed. Please remove the outdated version of Flash Player and then install the latest version.

Java Outdated

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform:
  • 32-bit Select: Windows x86 Offline.
  • 64-bit Select: Windows x64.
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


NEXT



You should update Thunderbird to the latest version, which is 5.0.1.



NEXT:



OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :OTL
    
    :Reg
    
    :Files
    C:\Documents and Settings\JILL HEFFERNAN\Application Data\Sun\Java\Deployment\cache\6.0\1\4b511e41-55859ce7
    C:\Documents and Settings\JILL HEFFERNAN\Application Data\Sun\Java\Deployment\cache\6.0\34\37db3fe2-65ba5cc8
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



OTL Custom Scan

We need to run an OTL Custom Scan
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.


    netsvcs
    drivers32
    hklm\software\clients\startmenuinternet|command /rs
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Push the Run Scan button.
  • A report will open. Copy and Paste that report in your next reply.


NEXT:



What outstanding issues (if any) are you still experiencing with your computer?
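The OTL Custom Scan requested in the post above produces a log in which every line carries a section prefix (SRV/DRV for services and drivers, O1 for HOSTS entries, O4 for Run keys, O20 for the Winlogon shell, O35/O37 for the .exe file association), then the file path and, in trailing parentheses, the file's company name. An empty "()" means the file carries no company name, and "File not found" marks an orphaned registration. The helper reads those lines by hand; the Python script below is an added example, not part of this thread and not an OldTimer tool, that applies the same first-pass checks to a log excerpt. The sample lines are constructed for the example and modelled on the log format used in this thread: the www.example.com HOSTS entry and the "Updater" Run entry are invented so that the checks have something to report, and everything the script flags is a list of entries to look at, not a verdict.

```python
"""First-pass triage of an OTL-style log (added example, not an OldTimer tool)."""
import re

# Constructed sample modelled on the OTL log format. The www.example.com HOSTS
# line and the "Updater" Run entry are invented to exercise the checks; the
# remaining lines mirror entries of the kind seen in a real OTL log.
SAMPLE_LOG = r"""
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
O1 HOSTS File: ([2011/08/03 17:23:24 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.example.com
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [DLCQCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCQtime.DLL ()
O4 - HKLM..\Run: [dlcqmon.exe] C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe ()
O4 - HKCU..\Run: [Updater] C:\Documents and Settings\User\Local Settings\Application Data\updater.exe ()
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
"""

# The only two HOSTS entries a default Windows XP hosts file contains.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# A Run entry with no company name that points into a user-writable profile
# folder is prioritised over one in Program Files or System32.
USER_WRITABLE = ("\\Local Settings\\", "\\Application Data\\", "\\Temp\\", "\\Desktop\\")

O4_RE = re.compile(r"O4 - (?P<hive>\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)")
O20_RE = re.compile(r"O20 - HKLM Winlogon: Shell - \((?P<val>[^)]*)\)")


def _trailing_company(text):
    """Split 'path (Company)' into (path, company); '()' yields an empty company."""
    path, sep, rest = text.rpartition(" (")
    if not sep or not rest.endswith(")"):
        return text, None  # OTL always writes the field, so this is a parse failure
    return path, rest[:-1].strip()


def triage_otl(log_text):
    """Return a dict of entries worth a closer look, one list per check."""
    findings = {"hosts": [], "run_no_company": [], "orphan_services": [],
                "winlogon_shell": [], "file_assoc": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O1 - Hosts: "):
            parts = line[len("O1 - Hosts: "):].split()
            if len(parts) >= 2 and (parts[0], parts[1]) not in DEFAULT_HOSTS:
                findings["hosts"].append(" ".join(parts))
        elif line.startswith("O4 - ") and "\\Run: [" in line:
            m = O4_RE.match(line)
            if not m:
                continue
            path, company = _trailing_company(m.group("rest"))
            if not company:  # "()" or "( )": no company name recorded in the file
                severity = "high" if any(tok in path for tok in USER_WRITABLE) else "review"
                findings["run_no_company"].append((m.group("name"), path, severity))
        elif line.startswith(("SRV - ", "DRV - ")) and "File not found" in line:
            m = re.search(r"\((?P<svc>[^()]+)\)\s*$", line)
            findings["orphan_services"].append(m.group("svc") if m else line)
        elif line.startswith("O20 - HKLM Winlogon: Shell - "):
            m = O20_RE.match(line)
            if m and m.group("val").lower() != "explorer.exe":
                findings["winlogon_shell"].append(m.group("val"))
        elif line.startswith(("O35 - ", "O37 - ")):
            # The .exe/.com open command should be exactly "%1" %*
            value = line.split(" -- ", 1)[-1].strip()
            if value != '"%1" %*':
                findings["file_assoc"].append(line)
    return findings


def format_report(findings):
    """Render the findings as plain text, one section per check."""
    out = []
    for key, items in findings.items():
        out.append(f"{key}: {len(items)}")
        out.extend(f"  {item}" for item in items)
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(triage_otl(SAMPLE_LOG)))
```

Run against the sample, the script reports the invented HOSTS redirect, the three Run entries with an empty company field (the two printer entries as "review", the invented profile-folder entry as "high") and the orphaned AppMgmt service, and stays silent on the Winlogon shell and the .exe association because both hold their default values. The severity is only an ordering for manual review: printer and OEM utilities routinely ship without a company name, as the Dell entries in the log further down this thread show.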

#11 Moonpie (Member, Topic Starter, 17 posts)
ST,

Thanks for your grace.

-------------------------
Flash Player:

I saw that the SecurityCheck listed Adobe Flash Player, but I did not see where it indicated it was out of date (like it so obviously did with Java & Thunderbird). I assumed then that your note to me about Flash Player being out of date was just part of your canned reply text. But just in case, I went into Control Panel -> Flash Player under the Advanced tab and it did indicate that my current version is 10.3.181.34. Adobe's web site indicates that this is the latest version. (I also verified that the "Check for updates automatically" radio button was selected.)

-------------------------
Java

Your reply indicates to "Download the latest version of Java Runtime Environment...Version 6". Java's website indicates that Version 7 is available, as well as offering Version 6 Update 26 on the same page. I understand that sometimes the very latest versions are "beta" or otherwise sometimes a bit unstable, so I went with what your reply states about Version 6 and I downloaded & installed v6u26. Please let me know if you would rather I install v7.

-------------------------
Thunderbird

The only reason Thunderbird was on here was when this was my boss' main portable device, which it is no longer. (AAMOF, when I opened it, her accounts were still connected and it started downloading her mail!) Her kids use this Mini now, so instead of updating Thunderbird I just uninstalled it. The kids probably use a web-based email and don't need an email program. If they do, they can download the latest version of whatever they want.

-------------------------
OTL Fix


All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
========== REGISTRY ==========
========== FILES ==========
C:\Documents and Settings\JILL HEFFERNAN\Application Data\Sun\Java\Deployment\cache\6.0\1\4b511e41-55859ce7 moved successfully.
C:\Documents and Settings\JILL HEFFERNAN\Application Data\Sun\Java\Deployment\cache\6.0\34\37db3fe2-65ba5cc8 moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Administrator\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Administrator\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
HOSTS file reset successfully
Error starting restore point: The function was called in safe mode.
Error closing restore point: The sequence number is invalid.

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 10048 bytes
->Temporary Internet Files folder emptied: 43403374 bytes
->Flash cache emptied: 893 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 0 bytes

User: JILL HEFFERNAN
->Temp folder emptied: 215365505 bytes
->Temporary Internet Files folder emptied: 8519974 bytes
->Java cache emptied: 2509414 bytes
->Flash cache emptied: 470 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 58102261 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 114638 bytes
->Temporary Internet Files folder emptied: 406234262 bytes
->Java cache emptied: 13 bytes
->Flash cache emptied: 4235 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 3048465 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 255953029 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 130011592 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 2381676 bytes
RecycleBin emptied: 1453384 bytes

Total Files Cleaned = 1,075.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: JILL HEFFERNAN
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.26.1 log created on 08032011_172322

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZXEKUQGM\3.1&title=Competitive%20Cyclist%20-%20Road%20Bikes%2C%20Framesets%2C%20Cycling%20Apparel%2C%20Road%20Bike%20Components%2C%20Road%20Bike%20Accessories%2C%20Demo%20Bikes&referrer= not found!
File\Folder C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZXEKUQGM\;sdccat=96424;kw=speedplay+x5;cnt=us;page=xdn;gen=null;type=null;tile=6;zr=n;ct=;u=aKy22aIHcL_DSDNSP_96424_2455_;dcopt=ist;dcove=d;sz=728x90;ord=1247171954666[1] not found!
File\Folder C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZXEKUQGM\cycling_wheel_sports;sz=728x90;u=33f3ecd788244d07b3ec4ef89d8eedb3;ord=1E6YC3PZ8SKS1QWQW1JH;s=67;s=7;s=303;s=32;s=k153;s=k67;s=k7;s=k12;s=k161;s=m1;s=m4;z=400;z=383;tile=[1].htm not found!
File\Folder C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZXEKUQGM\cycling_wheel_sports;sz=728x90;u=8cf27c5aa9af4b05bade1ab9cfb0214e;ord=0N53J04K4553BWHR3FY1;s=67;s=7;s=303;s=32;s=k153;s=k67;s=k7;s=k12;s=k161;s=m1;s=m4;z=400;z=383;tile=[1].htm not found!
File\Folder C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZXEKUQGM\RO_COPY%3D%26TFC%3DTRUE%26MODE%3D%26DOSORT%3DTRUE%26SORT_BY%3DPPRICE%252CPROD_DISP_SEQ%26DESC%3D%26PAGE_NUM%3D1%26PRSET_VERSION%3D1%26CATEGORY_SORT_BY%3DPPRICE%252CPROD_DISP_SEQ not found!
File\Folder C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Temp\Temporary Internet Files\Content.IE5\EI72A12F\;sdccat=96424;kw=speedplay+x5;cnt=us;page=xdn;gen=null;type=null;tile=1;zr=n;ct=;u=aKy22aIHcL_DSDNSP_96424_2455_;;dcove=d;sz=728x90;ord=1247171954666[1].htm not found!
File\Folder C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Temp\Temporary Internet Files\Content.IE5\EI72A12F\;sdccat=96424;kw=speedplay+x5;cnt=us;page=xdn;gen=null;type=null;tile=6;zr=n;ct=;u=aKy22aIHcL_DSDNSP_96424_2455_;dcopt=ist;dcove=d;sz=728x90;ord=1247171954666[1].htm not found!
File\Folder C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Temp\Temporary Internet Files\Content.IE5\EI72A12F\RO_COPY%3D%26TFC%3DTRUE%26MODE%3D%26DOSORT%3DTRUE%26SORT_BY%3DPPRICE%252CPROD_DISP_SEQ%26DESC%3D%26PAGE_NUM%3D1%26PRSET_VERSION%3D1%26CATEGORY_SORT_BY%3DPPRICE%252CPROD_DISP_SEQ not found!
File\Folder C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Temp\Temporary Internet Files\Content.IE5\A4WW17Z8\;sdccat=96424;kw=speedplay+x5;cnt=us;page=xdn;gen=null;type=null;tile=2;zr=n;ct=;u=aKy22aIHcL_DSDNSP_96424_2455_;;dcove=d;sz=160x600;ord=1247171954666[1] not found!
File\Folder C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Temp\Temporary Internet Files\Content.IE5\A4WW17Z8\amzn.us.gw[1].btf;sz=300x250;bn=507846;u=1c035a279b904ac79c5c014fe820d4ba;ord=13XVHNAJA3YKP4XSXCXZ;s=67;s=7;s=303;s=32;s=k153;s=k67;s=k7;s=k12;s=k161;s=m1;s=m4;z=1;tile=3 not found!
File\Folder C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Temp\Temporary Internet Files\Content.IE5\A4WW17Z8\cycling_wheel_sports;sz=300x250;u=0a74b5ffae0744cab88c6e2085efdffc;ord=1VV5G8H5Q9G2812T8YJR;s=67;s=7;s=303;s=32;s=k153;s=k67;s=k7;s=k12;s=k161;s=m4;s=m1;z=400;z=383;tile[1].htm not found!
File\Folder C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Temp\Temporary Internet Files\Content.IE5\A4WW17Z8\cycling_wheel_sports;sz=728x90;u=eba9166a98fd44369d31d0ce7dedfcb9;ord=1ENXG66VTPNK9Y02S6CC;s=67;s=7;s=303;s=32;s=k153;s=k67;s=k7;s=k12;s=k161;s=m4;s=m1;z=400;z=383;tile=[1].htm not found!
File\Folder C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Temp\Temporary Internet Files\Content.IE5\A4WW17Z8\RO_COPY%3D%26TFC%3DTRUE%26MODE%3D%26DOSORT%3DTRUE%26SORT_BY%3DPPRICE%252CPROD_DISP_SEQ%26DESC%3D%26PAGE_NUM%3D1%26PRSET_VERSION%3D1%26CATEGORY_SORT_BY%3DPPRICE%252CPROD_DISP_SEQ not found!
File\Folder C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Temp\Temporary Internet Files\Content.IE5\0DMV8LI3\;sdccat=96424;kw=speedplay+x5;cnt=us;page=xdn;gen=null;type=null;tile=2;zr=n;ct=;u=aKy22aIHcL_DSDNSP_96424_2455_;;dcove=d;sz=160x600;ord=1247171954666[1].htm not found!
File\Folder C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Temp\Temporary Internet Files\Content.IE5\0DMV8LI3\;sdccat=96424;kw=speedplay+x5;cnt=us;page=xdn;gen=null;type=null;tile=3;zr=n;ct=;u=aKy22aIHcL_DSDNSP_96424_2455_;;dcove=d;sz=165x30;ord=1247171954666[1].htm not found!
File\Folder C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Temp\Temporary Internet Files\Content.IE5\0DMV8LI3\amzn.us.gw[2].atf;sz=300x250;bn=507846;u=a9ed5d54efe24d7a92d39a101433a690;ord=13XVHNAJA3YKP4XSXCXZ;s=67;s=7;s=303;s=32;s=k153;s=k67;s=k7;s=k12;s=k161;s=m4;s=m1;z=3;tile=1 not found!
File\Folder C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Temp\Temporary Internet Files\Content.IE5\0DMV8LI3\B.1&title=Competitive%20Cyclist%20-%20Road%20Bikes%2C%20Framesets%2C%20Cycling%20Apparel%2C%20Road%20Bike%20Components%2C%20Road%20Bike%20Accessories%2C%20Demo%20Bikes&referrer= not found!
File\Folder C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Temp\Temporary Internet Files\Content.IE5\0DMV8LI3\cycling_wheel_sports;sz=300x250;u=3c2344c496774b82bc8026e03186e0f7;ord=1ENXG66VTPNK9Y02S6CC;s=67;s=7;s=303;s=32;s=k153;s=k67;s=k7;s=k12;s=k161;s=m1;s=m4;z=400;z=383;tile[1].htm not found!
File\Folder C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Temp\Temporary Internet Files\Content.IE5\0DMV8LI3\cycling_wheel_sports;sz=300x250;u=5503d5bea4ab462385ae798d9b8c0d24;ord=0N53J04K4553BWHR3FY1;s=67;s=7;s=303;s=32;s=k153;s=k67;s=k7;s=k12;s=k161;s=m4;s=m1;z=400;z=383;tile[1].htm not found!
File\Folder C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Temp\Temporary Internet Files\Content.IE5\0DMV8LI3\cycling_wheel_sports;sz=300x250;u=9e7fc15998ab44b0a697be800f79b29c;ord=1E6YC3PZ8SKS1QWQW1JH;s=67;s=7;s=303;s=32;s=k153;s=k67;s=k7;s=k12;s=k161;s=m1;s=m4;z=400;z=383;tile[1].htm not found!
File\Folder C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Temp\Temporary Internet Files\Content.IE5\0DMV8LI3\cycling_wheel_sports;sz=728x90;u=8bfb9b576e0942b2b85bd8085c43305f;ord=1VV5G8H5Q9G2812T8YJR;s=67;s=7;s=303;s=32;s=k153;s=k67;s=k7;s=k12;s=k161;s=m1;s=m4;z=400;z=383;tile=[1].htm not found!
File\Folder C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Temp\Temporary Internet Files\Content.IE5\0DMV8LI3\RO_COPY%3D%26TFC%3DTRUE%26MODE%3D%26DOSORT%3DTRUE%26SORT_BY%3DPPRICE%252CPROD_DISP_SEQ%26DESC%3D%26PAGE_NUM%3D1%26PRSET_VERSION%3D1%26CATEGORY_SORT_BY%3DPPRICE%252CPROD_DISP_SEQ not found!

Registry entries deleted on Reboot...


-------------------------
By the time I got to the bottom of your list, I forgot you initially said to re-install MSE between the OTL Fix and the OTL Custom Scan. So I ran the Custom Scan before I installed MSE.


-------------------------
OTL Custom Scan - Pre-MSE Re-Install


OTL logfile created on: 8/3/2011 5:44:35 PM - Run 2
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.36 Mb Total Physical Memory | 819.82 Mb Available Physical Memory | 80.82% Memory free
1.19 Gb Paging File | 1.12 Gb Available in Paging File | 94.16% Paging File free
Paging file location(s): C:\pagefile.sys 300 300 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 14.30 Gb Total Space | 6.32 Gb Free Space | 44.18% Space Free | Partition Type: NTFS

Computer Name: D32K5JC1 | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/08/03 17:21:50 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/08/03 17:21:50 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2009/03/23 04:10:04 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2009/03/18 19:57:34 | 000,120,088 | ---- | M] (SmithMicro Inc.) [On_Demand | Stopped] -- C:\Program Files\T-Mobile\Connection Manager\RcAppSvc.exe -- (TMobileRcAppSvc)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/10/04 13:58:04 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Stopped] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter) SupportSoft Sprocket Service (DellSupportCenter)
SRV - [2006/12/12 04:22:34 | 000,537,480 | ---- | M] ( ) [Auto | Stopped] -- C:\WINDOWS\System32\dlcqcoms.exe -- (dlcq_device)


========== Driver Services (SafeList) ==========

DRV - [2009/03/18 19:40:36 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\PCTINDIS5.sys -- (PCTINDIS5)
DRV - [2008/11/16 16:14:18 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2008/11/16 16:14:06 | 000,037,160 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2008/11/16 16:14:02 | 000,991,656 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2008/11/10 21:39:02 | 001,287,552 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2008/11/10 18:03:38 | 000,269,760 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\OA004Vid.sys -- (OA004Vid)
DRV - [2008/11/10 18:03:38 | 000,144,672 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\OA004Ufd.sys -- (OA004Ufd)
DRV - [2008/11/10 18:03:36 | 000,148,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\OA004Afx.sys -- (OA004Afx)
DRV - [2008/11/04 20:24:58 | 000,014,248 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\EMSC.SYS -- (EMSC)
DRV - [2008/07/13 19:55:40 | 000,106,368 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2008/07/13 19:02:52 | 000,093,968 | ---- | M] (JMicron Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\jmcr.sys -- (JMCR)
DRV - [2008/07/13 18:59:14 | 004,745,216 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/03/16 22:03:46 | 000,101,376 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.msn.com/sphome.aspx
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://g.msn.com/USCON/1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/sphome.aspx
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)



O1 HOSTS File: ([2011/08/03 17:23:24 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [BTMeter] C:\Program Files\Battery Meter\BTMeter.exe (Dell)
O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [DLCQCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCQtime.DLL ()
O4 - HKLM..\Run: [dlcqmon.exe] C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe ()
O4 - HKLM..\Run: [MemoryCardManager] C:\Program Files\Dell Photo AIO Printer 966\memcard.exe ()
O4 - HKLM..\Run: [T-Mobile Connection Manager] C:\Program Files\T-Mobile\Connection Manager\TMobileCM.exe (T-Mobile)
O4 - HKLM..\Run: [WLSS] C:\Program Files\Wireless Select Switch\WLSS.exe (Dell)
O4 - HKCU..\Run: [SightSpeed] C:\Program Files\Dell Video Chat\DellVideoChat.exe (Dell Inc. and SightSpeed Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 20:45:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2011/08/03 17:21:46 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/08/03 16:54:26 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2011/08/03 16:46:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2011/08/03 16:46:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/08/03 11:40:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Windows Search
[2011/08/03 11:26:02 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/07/30 08:38:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\tdsskiller
[2011/07/28 19:34:51 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/07/27 14:16:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2011/07/27 14:13:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Template
[2011/07/27 11:20:15 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/07/27 11:20:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/07/27 11:20:10 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/07/27 11:20:10 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/07/26 19:37:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2011/07/26 18:02:53 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\PrivacIE
[2011/07/26 18:02:20 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IETldCache
[2011/07/26 18:01:46 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Application Data\Microsoft
[2011/07/26 18:01:46 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\SendTo
[2011/07/26 18:01:46 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2011/07/26 18:01:46 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Application Data
[2011/07/26 18:01:46 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
[2011/07/26 18:01:46 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu
[2011/07/26 18:01:46 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Pictures
[2011/07/26 18:01:46 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Music
[2011/07/26 18:01:46 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents
[2011/07/26 18:01:46 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Favorites
[2011/07/26 18:01:46 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories
[2011/07/26 18:01:46 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\Cookies
[2011/07/26 18:01:46 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Templates
[2011/07/26 18:01:46 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\PrintHood
[2011/07/26 18:01:46 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\NetHood
[2011/07/26 18:01:46 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Local Settings
[2011/07/26 18:01:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
[2011/07/26 18:01:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Sun
[2011/07/26 18:01:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft
[2011/07/26 18:01:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
[2011/07/26 18:01:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\InstallShield
[2011/07/26 18:01:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities
[2011/07/26 18:01:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Identities
[2011/07/26 18:01:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop
[2011/07/26 18:01:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Dell WebCam Central
[2011/07/26 18:01:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Bluetooth Software
[2011/07/26 18:01:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Bluetooth Exchange Folder
[2011/07/26 18:01:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\ApplicationHistory
[2011/07/26 18:01:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe
[2011/07/26 18:01:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Adobe
[2011/07/25 16:52:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/07/25 15:50:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/07/24 18:04:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/07/24 18:04:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/07/24 17:10:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/07/24 17:10:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2009/08/27 16:59:45 | 001,224,704 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqserv.dll
[2009/08/27 16:59:45 | 000,991,232 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqusb1.dll
[2009/08/27 16:59:45 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqinpa.dll
[2009/08/27 16:59:45 | 000,397,312 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqiesc.dll
[2009/08/27 16:59:45 | 000,323,584 | ---- | C] ( ) -- C:\WINDOWS\System32\DLCQhcp.dll
[2009/08/27 16:59:45 | 000,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqprox.dll
[2009/08/27 16:59:45 | 000,094,208 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqpplc.dll
[2009/08/27 16:59:44 | 000,696,320 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqhbn3.dll
[2009/08/27 16:59:44 | 000,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqpmui.dll
[2009/08/27 16:59:44 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqlmpm.dll
[2009/08/27 16:59:44 | 000,385,928 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqih.exe
[2009/08/27 16:59:43 | 000,684,032 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqcomc.dll
[2009/08/27 16:59:43 | 000,537,480 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqcoms.exe
[2009/08/27 16:59:43 | 000,421,888 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqcomm.dll
[2009/08/27 16:59:43 | 000,381,832 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqcfg.exe
[2 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/08/03 17:38:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/08/03 17:23:24 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/08/03 17:21:50 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/08/03 13:49:34 | 000,879,225 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\SecurityCheck.exe
[2011/08/03 11:32:09 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/08/03 10:49:32 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/07/30 08:37:31 | 001,388,094 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\tdsskiller.zip
[2011/07/28 20:43:41 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/07/28 19:40:11 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\gmer.exe
[2011/07/28 19:39:24 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\gmer.zip
[2011/07/27 16:53:59 | 000,000,136 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\wklnhst.dat
[2011/07/27 14:14:01 | 000,010,240 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\g2g.wps
[2011/07/25 16:45:16 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/07/15 14:31:22 | 000,167,504 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/07/14 18:35:14 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/07/07 21:53:54 | 000,464,500 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/07/07 21:53:54 | 000,079,610 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/07/06 19:52:42 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/08/03 13:49:28 | 000,879,225 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\SecurityCheck.exe
[2011/07/30 08:37:30 | 001,388,094 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\tdsskiller.zip
[2011/07/28 19:39:19 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\gmer.zip
[2011/07/27 14:14:00 | 000,010,240 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\g2g.wps
[2011/07/27 14:13:21 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\wklnhst.dat
[2011/07/26 18:08:20 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2011/07/26 18:01:47 | 000,000,779 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.LNK
[2011/07/26 18:01:47 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2011/07/26 18:01:46 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.LNK
[2011/07/26 18:01:46 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Explorer.LNK
[2011/07/26 18:01:46 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Outlook Express.LNK
[2011/07/24 17:11:15 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/07/16 22:21:04 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\gmer.exe
[2009/08/27 17:05:26 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlcqvs.dll
[2009/08/27 17:05:10 | 000,344,064 | ---- | C] () -- C:\WINDOWS\System32\dlcqcoin.dll
[2009/08/27 17:04:38 | 000,692,224 | ---- | C] () -- C:\WINDOWS\System32\dlcqdrs.dll
[2009/08/27 17:04:38 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\dlcqcaps.dll
[2009/08/27 17:04:38 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\dlcqcnv4.dll
[2009/08/27 16:59:45 | 000,454,656 | ---- | C] () -- C:\WINDOWS\System32\dlcqutil.dll
[2009/08/27 16:59:45 | 000,274,432 | ---- | C] () -- C:\WINDOWS\System32\DLCQinst.dll
[2009/08/27 16:59:44 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\dlcqgrd.dll
[2009/08/27 16:59:44 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\dlcqinsb.dll
[2009/08/27 16:59:44 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\dlcqins.dll
[2009/08/27 16:59:44 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\dlcqjswr.dll
[2009/08/27 16:59:44 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\dlcqinsr.dll
[2009/08/27 16:59:43 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\dlcqcub.dll
[2009/08/27 16:59:43 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\dlcqcu.dll
[2009/08/27 16:59:43 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\dlcqcur.dll
[2009/08/27 16:59:42 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\DLCQcfg.dll
[2009/08/27 15:17:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/03/23 05:13:42 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2009/03/23 05:12:45 | 000,077,824 | ---- | C] () -- C:\WINDOWS\setpwr32.exe
[2009/03/23 05:10:13 | 000,001,154 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/03/23 04:33:52 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/03/23 04:07:38 | 000,000,075 | RHS- | C] () -- C:\WINDOWS\CT4CET.bin
[2009/03/23 03:52:59 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\EMSC.DLL
[2008/07/30 10:55:02 | 002,854,912 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2008/05/26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/04/25 20:47:34 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/04/25 20:44:05 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/04/25 20:42:57 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/04/25 15:33:19 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/25 15:33:18 | 000,464,500 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/25 15:33:18 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/25 15:33:18 | 000,079,610 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/25 15:33:18 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/25 15:33:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/25 15:33:17 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/25 15:33:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2008/04/25 15:33:14 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/25 15:33:14 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/25 15:33:10 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/25 15:33:06 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/25 08:39:19 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/04/25 08:38:33 | 000,167,504 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2011/07/27 14:13:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Template
[2009/03/23 03:45:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
[2011/08/03 11:40:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Windows Search
[2009/03/23 04:13:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
[2009/03/23 04:13:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2009/03/23 04:13:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2009/04/11 15:15:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\T-Mobile
[2009/03/23 03:52:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Vista32
[2009/03/23 03:52:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Vista64
[2009/03/23 04:08:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\XP32

========== Purity Check ==========



========== Custom Scans ==========


< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: firefox.exe
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: firefox.exe
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/04/25 07:01:34 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/04/25 07:01:34 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/04/25 07:01:34 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: iexplore.exe

< %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-07-14 23:48:25

< >

< >

< >

< >

< End of report >


-------------------------
Do you want me to re-run the same OTL Custom Scan (or a different Custom Scan you post), or am I good to go without re-running it? Sorry I messed up - again!

Thanks!
-MP

Edited by Moonpie, 03 August 2011 - 09:15 PM.


#12
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi Moonpie!

But just in case, I went into Control Panel -> Flash Player under the Advanced tab and it did indicate that my current version is 10.3.181.34. Adobe's web site indicates that this is the latest version. (I also verified that the "Check for updates automatically" radio button was selected.)

It looks like you're correct, I forgot to remove that from my post to you.

Please let me know if you would rather I install v7.

Sorry about that; one of my canned responses didn't get updated, and I didn't realize it until after I posted it.

You will want to update to version 7.

Do you want me to re-run the same OTL Custom Scan (or a different Custom Scan you post), or am I good to go without re-running it? Sorry I messed up - again!

No worries, it happens; I messed up myself by giving you the wrong instructions.

If you wouldn't mind, I'd like to see a new OTL Custom Scan log; that way I can ensure that everything went well with the MSE installation.

I'd ask that you first update to Version 7 of Java and then run the previous OTL Custom Scan for me. :)

Kindest Regards,
ST.

#13
Moonpie

    Member

  • Topic Starter
  • Member
  • 17 posts
Hello again ST!

Thanks again for hanging in there with me.


I'd ask that you first update to Version 7 of Java...

Done!


...and then run the previous OTL Custom Scan for me. :)

Also done! Report below. Is that the light at the end of the tunnel I see???


-------------------------
OTL logfile created on: 8/4/2011 9:17:09 AM - Run 3
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\JILL HEFFERNAN\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.36 Mb Total Physical Memory | 585.22 Mb Available Physical Memory | 57.69% Memory free
1.19 Gb Paging File | 0.73 Gb Available in Paging File | 61.27% Paging File free
Paging file location(s): C:\pagefile.sys 300 300 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 14.30 Gb Total Space | 6.10 Gb Free Space | 42.67% Space Free | Partition Type: NTFS

Computer Name: D32K5JC1 | User Name: JILL HEFFERNAN | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/08/04 09:16:21 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\JILL HEFFERNAN\Desktop\OTL.exe
PRC - [2011/08/04 09:08:22 | 000,161,664 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2011/06/15 15:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/11/04 21:47:38 | 000,623,912 | ---- | M] (Dell) -- C:\Program Files\Battery Meter\BTMeter.exe
PRC - [2008/10/04 13:58:04 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/10/04 13:58:02 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2008/09/17 21:28:58 | 000,546,088 | ---- | M] (Dell) -- C:\Program Files\Wireless Select Switch\WLSS.exe
PRC - [2008/07/30 10:56:16 | 000,604,776 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/29 11:48:12 | 000,304,368 | ---- | M] () -- C:\Program Files\Dell Photo AIO Printer 966\memcard.exe
PRC - [2007/06/29 11:47:48 | 000,292,080 | ---- | M] () -- C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe
PRC - [2006/12/12 04:22:34 | 000,537,480 | ---- | M] ( ) -- C:\WINDOWS\system32\dlcqcoms.exe


========== Modules (SafeList) ==========

MOD - [2011/08/04 09:16:21 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\JILL HEFFERNAN\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/07/30 10:54:34 | 000,073,728 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\BtMmHook.dll
MOD - [2008/07/30 10:52:10 | 000,040,960 | ---- | M] () -- C:\Program Files\WIDCOMM\Bluetooth Software\BTKeyInd.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/08/04 09:08:22 | 000,161,664 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/03/23 04:10:04 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2009/03/18 19:57:34 | 000,120,088 | ---- | M] (SmithMicro Inc.) [On_Demand | Stopped] -- C:\Program Files\T-Mobile\Connection Manager\RcAppSvc.exe -- (TMobileRcAppSvc)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/10/04 13:58:04 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter) SupportSoft Sprocket Service (DellSupportCenter)
SRV - [2006/12/12 04:22:34 | 000,537,480 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\dlcqcoms.exe -- (dlcq_device)


========== Driver Services (SafeList) ==========

DRV - [2011/08/04 09:05:04 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B4B40CDC-2C84-479D-BAE4-CDFEDE6B6D0C}\MpKsl3b5a874a.sys -- (MpKsl3b5a874a)
DRV - [2009/03/18 19:40:36 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\PCTINDIS5.sys -- (PCTINDIS5)
DRV - [2008/11/16 16:14:18 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2008/11/16 16:14:06 | 000,037,160 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2008/11/16 16:14:02 | 000,991,656 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2008/11/10 21:39:02 | 001,287,552 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2008/11/10 18:03:38 | 000,269,760 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OA004Vid.sys -- (OA004Vid)
DRV - [2008/11/10 18:03:38 | 000,144,672 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OA004Ufd.sys -- (OA004Ufd)
DRV - [2008/11/10 18:03:36 | 000,148,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OA004Afx.sys -- (OA004Afx)
DRV - [2008/11/04 20:24:58 | 000,014,248 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\EMSC.SYS -- (EMSC)
DRV - [2008/07/13 19:55:40 | 000,106,368 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2008/07/13 19:02:52 | 000,093,968 | ---- | M] (JMicron Technology Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\jmcr.sys -- (JMCR)
DRV - [2008/07/13 18:59:14 | 004,745,216 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/03/16 22:03:46 | 000,101,376 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.msn.com/sphome.aspx
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://g.msn.com/USCON/1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/sphome.aspx
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)



O1 HOSTS File: ([2011/08/03 17:23:24 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [BTMeter] C:\Program Files\Battery Meter\BTMeter.exe (Dell)
O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [DLCQCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCQtime.DLL ()
O4 - HKLM..\Run: [dlcqmon.exe] C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe ()
O4 - HKLM..\Run: [MemoryCardManager] C:\Program Files\Dell Photo AIO Printer 966\memcard.exe ()
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [T-Mobile Connection Manager] C:\Program Files\T-Mobile\Connection Manager\TMobileCM.exe (T-Mobile)
O4 - HKLM..\Run: [WLSS] C:\Program Files\Wireless Select Switch\WLSS.exe (Dell)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0)
O16 - DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.89.100.2
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 20:45:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{553601ed-365c-11de-9d0d-002170f677eb}\Shell - "" = AutoRun
O33 - MountPoints2\{553601ed-365c-11de-9d0d-002170f677eb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{553601ed-365c-11de-9d0d-002170f677eb}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{71966641-1a5d-11de-9cef-002170f677eb}\Shell - "" = AutoRun
O33 - MountPoints2\{71966641-1a5d-11de-9cef-002170f677eb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{71966641-1a5d-11de-9cef-002170f677eb}\Shell\AutoRun\command - "" = D:\AutoRun.exe
O33 - MountPoints2\{8b0c0db0-1fdd-11de-9cf8-002170f677eb}\Shell - "" = AutoRun
O33 - MountPoints2\{8b0c0db0-1fdd-11de-9cf8-002170f677eb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8b0c0db0-1fdd-11de-9cf8-002170f677eb}\Shell\AutoRun\command - "" = D:\AutoRun.exe
O33 - MountPoints2\{a902ef8a-26d5-11de-9d00-002170f677eb}\Shell - "" = AutoRun
O33 - MountPoints2\{a902ef8a-26d5-11de-9d00-002170f677eb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a902ef8a-26d5-11de-9d00-002170f677eb}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{b1b05254-b6e7-11e0-9f4a-002170f677eb}\Shell - "" = AutoRun
O33 - MountPoints2\{b1b05254-b6e7-11e0-9f4a-002170f677eb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b1b05254-b6e7-11e0-9f4a-002170f677eb}\Shell\AutoRun\command - "" = D:\laucher.exe
O33 - MountPoints2\{b9e9f118-1994-11df-9deb-002170f677eb}\Shell - "" = AutoRun
O33 - MountPoints2\{b9e9f118-1994-11df-9deb-002170f677eb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b9e9f118-1994-11df-9deb-002170f677eb}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -a
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2011/08/04 09:16:06 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\JILL HEFFERNAN\Desktop\OTL.exe
[2011/08/04 09:10:41 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/08/04 08:49:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/08/03 18:19:29 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2011/08/03 16:54:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JILL HEFFERNAN\Start Menu\Programs\Revo Uninstaller
[2011/08/03 16:54:26 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2011/08/03 16:46:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2011/08/03 11:26:02 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/07/28 19:34:51 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/07/26 19:37:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2011/07/25 16:55:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JILL HEFFERNAN\My Documents\SightSpeed Recordings
[2011/07/25 16:54:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JILL HEFFERNAN\My Documents\My Received Files
[2011/07/25 16:52:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/07/25 15:51:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JILL HEFFERNAN\Application Data\Malwarebytes
[2011/07/25 15:50:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/07/24 18:04:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/07/24 18:04:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/07/24 17:10:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/07/24 17:10:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2009/08/27 16:59:45 | 001,224,704 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqserv.dll
[2009/08/27 16:59:45 | 000,991,232 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqusb1.dll
[2009/08/27 16:59:45 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqinpa.dll
[2009/08/27 16:59:45 | 000,397,312 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqiesc.dll
[2009/08/27 16:59:45 | 000,323,584 | ---- | C] ( ) -- C:\WINDOWS\System32\DLCQhcp.dll
[2009/08/27 16:59:45 | 000,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqprox.dll
[2009/08/27 16:59:45 | 000,094,208 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqpplc.dll
[2009/08/27 16:59:44 | 000,696,320 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqhbn3.dll
[2009/08/27 16:59:44 | 000,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqpmui.dll
[2009/08/27 16:59:44 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqlmpm.dll
[2009/08/27 16:59:44 | 000,385,928 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqih.exe
[2009/08/27 16:59:43 | 000,684,032 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqcomc.dll
[2009/08/27 16:59:43 | 000,537,480 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqcoms.exe
[2009/08/27 16:59:43 | 000,421,888 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqcomm.dll
[2009/08/27 16:59:43 | 000,381,832 | ---- | C] ( ) -- C:\WINDOWS\System32\dlcqcfg.exe
[2 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/08/04 09:16:21 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\JILL HEFFERNAN\Desktop\OTL.exe
[2011/08/04 09:10:06 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/08/04 09:04:04 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/08/03 18:21:08 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/08/03 18:15:36 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/08/03 17:23:24 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/08/03 16:54:27 | 000,000,919 | ---- | M] () -- C:\Documents and Settings\JILL HEFFERNAN\Desktop\Revo Uninstaller.lnk
[2011/07/28 20:43:41 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/07/28 19:39:24 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\gmer.zip
[2011/07/25 16:45:16 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/07/15 14:31:22 | 000,167,504 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/07/14 18:35:14 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/07/07 21:53:54 | 000,464,500 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/07/07 21:53:54 | 000,079,610 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/08/03 18:25:39 | 000,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/08/03 18:19:58 | 000,001,682 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2011/08/03 16:54:27 | 000,000,919 | ---- | C] () -- C:\Documents and Settings\JILL HEFFERNAN\Desktop\Revo Uninstaller.lnk
[2011/07/28 19:39:19 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\gmer.zip
[2011/07/26 18:08:20 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2011/07/24 17:11:15 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/14 17:09:52 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\JILL HEFFERNAN\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/04 22:33:40 | 000,002,480 | ---- | C] () -- C:\Documents and Settings\JILL HEFFERNAN\Application Data\wklnhst.dat
[2009/08/27 17:05:26 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlcqvs.dll
[2009/08/27 17:05:10 | 000,344,064 | ---- | C] () -- C:\WINDOWS\System32\dlcqcoin.dll
[2009/08/27 17:04:38 | 000,692,224 | ---- | C] () -- C:\WINDOWS\System32\dlcqdrs.dll
[2009/08/27 17:04:38 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\dlcqcaps.dll
[2009/08/27 17:04:38 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\dlcqcnv4.dll
[2009/08/27 16:59:45 | 000,454,656 | ---- | C] () -- C:\WINDOWS\System32\dlcqutil.dll
[2009/08/27 16:59:45 | 000,274,432 | ---- | C] () -- C:\WINDOWS\System32\DLCQinst.dll
[2009/08/27 16:59:44 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\dlcqgrd.dll
[2009/08/27 16:59:44 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\dlcqinsb.dll
[2009/08/27 16:59:44 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\dlcqins.dll
[2009/08/27 16:59:44 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\dlcqjswr.dll
[2009/08/27 16:59:44 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\dlcqinsr.dll
[2009/08/27 16:59:43 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\dlcqcub.dll
[2009/08/27 16:59:43 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\dlcqcu.dll
[2009/08/27 16:59:43 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\dlcqcur.dll
[2009/08/27 16:59:42 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\DLCQcfg.dll
[2009/08/27 15:17:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/03/23 05:13:42 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2009/03/23 05:12:45 | 000,077,824 | ---- | C] () -- C:\WINDOWS\setpwr32.exe
[2009/03/23 05:10:13 | 000,001,154 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/03/23 04:33:52 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/03/23 04:07:38 | 000,000,075 | RHS- | C] () -- C:\WINDOWS\CT4CET.bin
[2009/03/23 03:52:59 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\EMSC.DLL
[2008/07/30 10:55:02 | 002,854,912 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2008/05/26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/04/25 20:47:34 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/04/25 20:44:05 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/04/25 20:42:57 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/04/25 15:33:19 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/25 15:33:18 | 000,464,500 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/25 15:33:18 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/25 15:33:18 | 000,079,610 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/25 15:33:18 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/25 15:33:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/25 15:33:17 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/25 15:33:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2008/04/25 15:33:14 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/25 15:33:14 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/25 15:33:10 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/25 15:33:06 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/25 08:39:19 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/04/25 08:38:33 | 000,167,504 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2009/03/23 04:13:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
[2009/03/23 04:13:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2009/03/23 04:13:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2009/04/11 15:15:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\T-Mobile
[2009/03/23 03:52:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Vista32
[2009/03/23 03:52:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Vista64
[2009/03/23 04:08:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\XP32
[2009/04/02 18:36:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JILL HEFFERNAN\Application Data\DBUpdater
[2009/03/26 18:33:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JILL HEFFERNAN\Application Data\T-Mobile
[2009/11/05 21:54:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JILL HEFFERNAN\Application Data\Template
[2009/08/27 15:17:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JILL HEFFERNAN\Application Data\Thunderbird
[2009/03/23 03:45:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JILL HEFFERNAN\Application Data\Windows Desktop Search
[2010/01/15 12:24:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JILL HEFFERNAN\Application Data\Windows Live Writer
[2009/03/26 18:33:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JILL HEFFERNAN\Application Data\Windows Search
[2011/08/04 09:10:06 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========



========== Custom Scans ==========


< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: firefox.exe
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: firefox.exe
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/04/25 07:01:34 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/04/25 07:01:34 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/04/25 07:01:34 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: iexplore.exe

< %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-07-14 23:48:25

< End of report >
  • 0
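A log-review helper for the O33 block in the report above, added here as an example rather than anything from the thread or from OTL itself: it parses the MountPoints2 lines and lists, for each cached removable drive, the command its default AutoRun verb would launch. The sample lines are constructed in OTL's format from the entries above.

```python
import re

# Constructed sample in OTL's O33 format, modelled on the MountPoints2 lines in the log above
# (three of its mount points plus an unrelated O34 line that the parser must ignore).
SAMPLE_LOG = r"""
O33 - MountPoints2\{553601ed-365c-11de-9d0d-002170f677eb}\Shell - "" = AutoRun
O33 - MountPoints2\{553601ed-365c-11de-9d0d-002170f677eb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{553601ed-365c-11de-9d0d-002170f677eb}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{b9e9f118-1994-11df-9deb-002170f677eb}\Shell - "" = AutoRun
O33 - MountPoints2\{b9e9f118-1994-11df-9deb-002170f677eb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b9e9f118-1994-11df-9deb-002170f677eb}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -a
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
"""

# One O33 line: the mount point (a volume GUID or a drive letter), the sub-key path
# under \Shell, and the value OTL printed after '"" ='.
O33_LINE = re.compile(
    r'^O33 - MountPoints2\\(?P<mount>[^\\]+)\\Shell(?P<sub>(?:\\[^\\ ]+)*) - "" = (?P<value>.*)$'
)


def parse_mountpoints(log_text):
    """Group OTL O33 lines by mount point.

    Returns {mount: {"default": verb or None,
                     "verbs": {verb.lower(): {"label": str|None, "command": str|None}}}}.
    """
    mounts = {}
    for line in log_text.splitlines():
        m = O33_LINE.match(line.strip())
        if not m:
            continue  # not a MountPoints2 line (other O-sections, blank lines)
        entry = mounts.setdefault(m["mount"], {"default": None, "verbs": {}})
        parts = [p for p in m["sub"].split("\\") if p]
        if not parts:  # ...\Shell - "" = <default verb>
            entry["default"] = m["value"]
            continue
        verb = entry["verbs"].setdefault(parts[0].lower(), {"label": None, "command": None})
        if len(parts) == 1:  # ...\Shell\<verb> - "" = <context-menu label>
            verb["label"] = m["value"]
        elif parts[1].lower() == "command":  # ...\Shell\<verb>\command - "" = <what runs>
            verb["command"] = m["value"]
    return mounts


def autorun_findings(log_text):
    """Mount points whose default verb has a command: that command is what Explorer
    would run when the drive is opened. Returns a sorted list of (mount, command)."""
    findings = []
    for mount, entry in parse_mountpoints(log_text).items():
        if entry["default"] is None:
            continue  # no default verb, so opening the drive just browses it
        verb = entry["verbs"].get(entry["default"].lower())
        if verb and verb["command"]:
            findings.append((mount, verb["command"]))
    return sorted(findings)


if __name__ == "__main__":
    for mount, command in autorun_findings(SAMPLE_LOG):
        print(f"{mount}: default verb runs {command}")
```

Windows caches a removable drive's autorun.inf under MountPoints2, so these entries record what would have run when that drive was opened; they say nothing about whether the file still exists or is malicious, which has to be checked against the file itself.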

#14
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi Moonpie!

No problem! I'm glad to be able to help! :)

Is that the light at the end of the tunnel I see???

Yes, it is. :unsure:

Your logs appear to be clean, so if you have no further issues with your computer, then please proceed with the following housekeeping procedures outlined below.



OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Commands
    [ClearAllRestorePoints]
    
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.


NEXT:



OTL Clean-Up

We Need to Clean Up our Mess
Our work on your machine has left considerable leftovers on your box. Let's clean those up real quick:
  • Reopen OTL on your desktop.
  • Click on CleanUp
  • You will be prompted to reboot your system. Please do so.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.


NEXT:



All Clean Speech

===> Make sure you've re-enabled any Security Programs that we may have disabled during the malware removal process. <===



Below I have included a number of recommendations for how to protect your computer against malware infections.


Updated Anti-Virus Program
It's essential that you have an updated anti-virus program running on your computer. You don't want to run more than one, as it can cause program conflicts as well as false positives.

You can view an excellent list of Free Security Software programs that has been compiled by GeekstoGo.


Avoid P2P Programs

Remember that no matter how clean the program you're using for peer-to-peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via p2p filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Some further readings on this subject, along with the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

If you have any of these programs installed then I highly suggest you uninstall them.

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.


Internet Browsers

Many of the users that I assist here on the forums ask me which programs they can use to prevent themselves from getting infected again in the future. The best answer I can give you is to practice safe browsing.

Please consider using an alternative browser such as Google Chrome or Opera. They are both much more secure than Internet Explorer, immune to almost all known browser hijackers, and also have great built-in pop-up blockers.

I also suggest you make your Internet Explorer more secure.


Make Internet Explorer more secure

  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.



Extra Goodies

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    then consider a password keeper, to keep all your passwords safe.
  • Keep Windows updated by regularly checking their website at: http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.
  • You should run an updated scan with MalwareBytes' Anti-Malware weekly. Instructions are included below:

    • Open Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Check for Updates

  • Be wary of e-mails from unknown senders. Keep the following in mind as well: if it's too good to be true, then it more than likely is.

  • FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. It's important to keep programs up to date so that malware doesn't exploit any old security flaws.
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for Chrome and Opera.
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.
**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Cheers,
SweetTech.
  • 0

#15
Moonpie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
ST,

An update:

-------------------------
OTL Fix


========== COMMANDS ==========
Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.26.1 log created on 08042011_104459

-------------------------
OTL Clean-Up

Ran it!


-------------------------
Installed Google Chrome
  • Made it the default browser
  • Removed link to IE from desktop

-------------------------
Made IE More Secure

-------------------------
Installed FileHippo Update Checker
  • Used it to update a number of programs

-------------------------
Installed WOT
  • In Google Chrome
  • In IE

-------------------------
So Close...!!!
Then there's this (hopefully) one last issue:

  • I went into Start -> All Programs -> Windows Update in order to just verify that everything is, well, up to date.
  • It did not work and I got Error number: 0x80070424

    - I looked at the FAQ link from the error page and, as it suggested, tried to add Windows Update to my list of trusted web sites in IE - That did not work

    - I went to Microsoft Support website with the error number and found this article.

    ---I started trying fix Method 1, and when I got to the part where I was supposed to double-click on Automatic Updates in the Services, I was unable to - because Automatic Updates was not listed at all!

    (Side note: I realized that the same problem as earlier was still occurring: Security Center service was disabled. So I set it to "Automatic" and I started it, and this time it stayed running - and still is running.)

    --- I then tried fix Method 3 (as instructed if your Automatic Update service is non-existent) which is to manually download & install Windows Update Agent.

    ----- It went through the motions and then said it didn't need to be installed because it already existed. Then it exited.

    --- I then tried Method 4. It's detailed, so you'll have to read it if you're not familiar with it, but bottom line: when I right-clicked on the au file in \inf and tried to install, it started searching for a wuapi.dll file. When I browsed to the folder the instructions directed me to, the file was not there. I do not have the XP disk in hand, and it is doubtful my boss knows where it is (see my comment in a previous post regarding my "fears" of having to do a format & re-install on this Mini).

    --- So, down to my last straw, I reluctantly resorted to clicking the "Fix It" button in the Microsoft Support article. Not surprisingly, that did not work either.

    FYI, when I go into Control Panel -> Automatic Updates it indicates to me that it is "On" even though the Security Center says it is not.
So can you help with this one, too, or do I need to take this issue elsewhere?

Thanks!
-MP

Edited by Moonpie, 04 August 2011 - 02:45 PM.

  • 0





