Malware removed (I think); now cannot run Windows Update or install MS



#1 tech_lady (New Member, 7 posts)
Frustrating... If this is posted twice I'm sorry. I was just about done with typing a post when I hit a wrong key and lost it.

Anyway, I work for a non-profit in networking/IT, but had a request from one of our clients today to fix their personal PC. The call I received said they were downloading clipart and something popped up "with a lot of red Xs" and then something wanting them to pay $84 which is when they just shut down the PC. I don't know how long it's been having problems, but the McAfee on this older Dell desktop was expired so it was unprotected. With that said...

I powered on the PC and got the classic "running a scan" malware pop-up. I could find no identification on that window to indicate what the name of the infector was, but I've successfully removed similar ones for friends and family several times. I quickly looked and saw that task manager was unavailable, so I just rebooted into Safe Mode as the Administrator to begin working on it. The PC is running Windows XP Home Edition.

Installed Malwarebytes from a USB drive and ran it. It removed 40+ infected files. I then rebooted again and ran Microsoft's Safety Scanner, which removed 3 more items. I also installed CCleaner and ran the files cleaner and the registry cleaner after backing up the registry to the USB drive.

Rebooted to the affected user's regular account (which is an administrator) and found no desktop icons or start menu items, but could navigate the folders in Explorer and found they were hidden. Looked online and found an 'unhide' script at another forum which I downloaded and ran. Rebooted and the icons and folders were back. Ran MBAM again and it didn't find any more items. Uninstalled all McAfee items from Add & Remove Programs (since they were expired) with the intention of installing MSSE.

Attempted to run Windows Update which failed. Also attempted to download and install Microsoft Security Essentials but the installer started, then gave an error stating that it couldn't complete and uninstalled everything it had already installed. Went to the Microsoft site and downloaded .NET Framework and installed it so I could run the Microsoft FixIt tool to see if it would restore Windows Update. It did not fix it. I did check the connection info in IE Options and there was no proxy being used which I know is sometimes the case. I was able to update MBAM before it ran.

Before shutting down the system I ran HJT and saved the log to the USB drive. It is shown below. I really could use some help in finishing the cleanup on this PC, but don't have a lot of time to spend on it. It needs to run Windows Update and needs antivirus; MSSE was planned. Any help will be greatly appreciated. Thanks.

HJT log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:47:02 PM, on 1/10/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17096)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1228161552\ee\AOLSoftware.exe
C:\Program Files\ArcadeWeb\tray.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
E:\CleanUp tools\HijackThisPortable.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mediacomtoday.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://toolbar.inbox...id=80291&lng=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://toolbar.inbox...aspx?tbid=80291
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://toolbar.inbox...id=80291&lng=en
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://toolbar.inbox...aspx?tbid=80291
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows...dir.asp?Ext=ppt
R3 - URLSearchHook: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1228161552\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [TrayIcRun] C:\Program Files\ArcadeWeb\tray.exe
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AOL9~1.0\AOL.EXE" -b
O8 - Extra context menu item: &Search - http://tbedits.total...B7&n=2011110918
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.co...ploader_v10.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 6954 bytes
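A small Python parser for the HijackThis v2 log format posted above, added here as an example (it is not part of the thread and not a tool any of the posters mention). It turns the header, process list and R/O entries into records and flags the orphaned ones, i.e. hooks and toolbars that still have a CLSID registered but whose file is "(no file)", using a constructed excerpt of this post's log as sample input.

```python
"""Parse a HijackThis (HJT) v2 log into records and flag orphaned entries:
hooks, BHOs and toolbars whose CLSID is still registered but whose file is
gone ("(no file)"), a common leftover after a malware cleanup."""
import re
from dataclasses import dataclass, field

ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")        # "O4 - <body>"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(HK[^:]+): \[(.*?)\] (.*)$")      # O4: "<key>: [<name>] <cmd>"
# Executable at the start of a command line, quoted or not; arguments are dropped
EXE_RE = re.compile(r'^"?((?:[A-Za-z]:\\|%[^%]+%\\)[^"]+?\.(?:exe|dll|sys|com|bat|cmd|scr|ocx))"?(?=\s|$)', re.I)
NO_FILE_MARKERS = ("(no file)", "no clsid value found")

@dataclass
class HjtEntry:
    code: str               # "R1", "O4", "O23", ...
    body: str               # text after "O4 - "
    clsid: str = ""         # {GUID} named by the entry, if any
    key: str = ""           # registry key (O4 entries)
    name: str = ""          # value name (O4 entries)
    path: str = ""          # file the entry points at, if one could be extracted
    orphaned: bool = False  # entry references a file that no longer exists

@dataclass
class HjtLog:
    version: str = ""
    scan_time: str = ""
    platform: str = ""
    boot_mode: str = ""
    processes: list = field(default_factory=list)
    entries: list = field(default_factory=list)

def _exe_path(command: str) -> str:
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else ""

def _make_entry(code: str, body: str) -> HjtEntry:
    e = HjtEntry(code=code, body=body)
    m = CLSID_RE.search(body)
    e.clsid = m.group(0).upper() if m else ""
    e.orphaned = any(marker in body.lower() for marker in NO_FILE_MARKERS)
    if code == "O4":
        m = RUN_RE.match(body)
        if m:
            e.key, e.name, e.path = m.group(1), m.group(2), _exe_path(m.group(3))
    elif not e.orphaned:
        # BHOs, toolbars, buttons and services carry the file in the last " - " field
        e.path = _exe_path(body.rsplit(" - ", 1)[-1])
    return e

def parse_hjt_log(text: str) -> HjtLog:
    log, in_processes = HjtLog(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
        elif line.startswith("Logfile of Trend Micro HijackThis "):
            log.version = line.rsplit(" ", 1)[1]
        elif line.startswith("Scan saved at "):
            log.scan_time = line[len("Scan saved at "):]
        elif line.startswith("Platform: "):
            log.platform = line[len("Platform: "):]
        elif line.startswith("Boot mode: "):
            log.boot_mode = line[len("Boot mode: "):]
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            log.processes.append(line)
        elif (m := ENTRY_RE.match(line)):
            log.entries.append(_make_entry(m.group(1), m.group(2)))
    return log

def orphaned_entries(log: HjtLog) -> list:
    """Entries whose CLSID or hook is registered but whose file is missing."""
    return [e for e in log.entries if e.orphaned]

def autostart_commands(log: HjtLog) -> dict:
    """Value name -> executable for every O4 Run/RunOnce entry."""
    return {e.name: e.path for e in log.entries if e.code == "O4" and e.name}

# Constructed excerpt modelled on the HJT log in this post (not the full log)
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:47:02 PM, on 1/10/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17096)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\ArcadeWeb\tray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mediacomtoday.com/
R3 - URLSearchHook: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
"""
```

Calling `parse_hjt_log(open("hijackthis.log").read())` and printing `orphaned_entries()` and `autostart_commands()` gives the same triage view over a full log such as the one above.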


#2 Gammo (Trusted Helper, Malware Removal, 2,299 posts)
Hello and welcome to Geekstogo!

We apologize for the delay in responding to your request for help.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below.

Geeks to Go offers free computer help and tech support for home and personal use only, but if it's just one PC and you really are non-profit, then I'm willing to help you this one time. :)

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Check the box that says Scan All Users.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your topic.


#3 tech_lady (Topic Starter, New Member, 7 posts)
:( The problem has not been solved. Thank you for agreeing to help solve the issue on an individual developmentally disabled client's computer for our non-profit. I have been off for the weekend and MLK holiday and today I have not had time to go back to the home where the PC is and run OTL so I can post the logs it creates. I hope to have time to do that tomorrow. The user is using it, but has been instructed to stay off of the internet (I hope he's listening.) Thanks again.

#4 tech_lady (Topic Starter, New Member, 7 posts)
OK. I finally got over to run the OTL scan, but did so in a big hurry and didn't print your short, easy directions before I went. Therefore, I hate to admit, I ran the first OTL scan without checking the 'Scan All Users' box. :upset: I've since had the flu and haven't been at work, so I haven't had a chance to post this. Anyway, after the scan was finished I renamed both log files and tried to run it again, but for some reason the Extras.txt file did not re-create. So the info below is the last (all users scan) OTL.txt, but the only (initial, without the all users box checked) EXTRAS.txt. If I need to do something over, let me know. Sorry....

Contents of OTL.txt: (I did a find & replace to put initials instead of the user's actual name for security)

OTL logfile created on: 1/18/2012 1:01:38 PM - Run 4
OTL by OldTimer - Version 3.2.31.0 Folder = E:\Computer clean up
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.07 Mb Total Physical Memory | 128.13 Mb Available Physical Memory | 25.52% Memory free
1.20 Gb Paging File | 0.93 Gb Available in Paging File | 77.47% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.59 Gb Total Space | 57.42 Gb Free Space | 80.20% Space Free | Partition Type: NTFS
Drive E: | 1.86 Gb Total Space | 1.49 Gb Free Space | 80.03% Space Free | Partition Type: FAT

Computer Name: DJPYYP61 | User Name: John GT | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/17 07:34:14 | 000,584,192 | ---- | M] (OldTimer Tools) -- E:\Computer clean up\OTL.exe
PRC - [2012/01/10 13:52:29 | 001,187,072 | ---- | M] (Lavasoft Limited) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2012/01/10 13:52:28 | 002,152,152 | ---- | M] (Lavasoft Limited) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2011/11/16 20:54:45 | 000,123,392 | ---- | M] (ArcadeWeb LLC) -- C:\Program Files\ArcadeWeb\tray.exe
PRC - [2008/11/09 14:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/10/23 06:50:35 | 000,046,640 | R--- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
PRC - [2006/09/25 18:52:48 | 000,050,736 | ---- | M] (America Online, Inc.) -- C:\Program Files\Common Files\AOL\1228161552\ee\aolsoftware.exe
PRC - [2005/01/25 08:26:32 | 000,026,112 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\realplay.exe
PRC - [2004/09/15 01:01:00 | 000,086,016 | ---- | M] () -- C:\Program Files\Dell\Media Experience\DMXLauncher.exe
PRC - [2004/09/14 08:50:48 | 000,131,072 | ---- | M] (Musicmatch, Inc.) -- C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
PRC - [2004/07/19 07:51:24 | 000,306,688 | ---- | M] (Gteko Ltd.) -- C:\Program Files\Dell Support\DSAgnt.exe
PRC - [2003/08/27 10:29:46 | 000,065,536 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\wanmpsvc.exe


========== Modules (No Company Name) ==========

MOD - [2012/01/10 13:52:34 | 000,430,568 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\VipreBridge.dll
MOD - [2012/01/10 13:52:33 | 000,591,232 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\RPAPI.dll
MOD - [2011/12/23 07:12:12 | 000,308,560 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\Vipre.dll
MOD - [2009/02/14 05:04:38 | 000,756,040 | ---- | M] () -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL
MOD - [2008/04/13 18:11:52 | 000,498,742 | ---- | M] () -- C:\WINDOWS\SYSTEM32\dxmasf.dll
MOD - [2004/09/15 01:01:00 | 000,086,016 | ---- | M] () -- C:\Program Files\Dell\Media Experience\DMXLauncher.exe
MOD - [2004/09/14 08:50:46 | 000,122,880 | ---- | M] () -- C:\Program Files\MUSICMATCH\Musicmatch Jukebox\TrackUtils.dll
MOD - [2004/09/14 08:50:42 | 000,434,176 | ---- | M] () -- C:\Program Files\MUSICMATCH\Musicmatch Jukebox\CoreDll.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2012/01/10 13:52:28 | 002,152,152 | ---- | M] (Lavasoft Limited) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2008/11/09 14:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2006/10/23 06:50:35 | 000,046,640 | R--- | M] (AOL LLC) [Auto | Running] -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -- (AOL ACS)
SRV - [2003/08/27 10:29:46 | 000,065,536 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\WINDOWS\wanmpsvc.exe -- (WANMiniportService) WAN Miniport (ATW)


========== Driver Services (SafeList) ==========

DRV - [2005/01/25 08:26:36 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2004/01/06 15:57:24 | 000,887,431 | ---- | M] (Conexant) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\winachcf.sys -- (Winachcf)
DRV - [2003/01/10 16:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2002/11/08 13:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3309173768-1008403981-1713555679-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
IE - HKU\S-1-5-21-3309173768-1008403981-1713555679-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@oberon-media.com/ONCAdapter: C:\Program Files\Common Files\Oberon Media\NCAdapter\1.0.0.7\npapicomadapter.dll (Oberon-Media )
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\npEpicPlayDisplayHost: C:\Program Files\EpicPlay\npEpicHost.dll ( )


[2011/09/06 17:52:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\John GT\Application Data\Mozilla\Extensions

O1 HOSTS File: ([2004/08/04 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-3309173768-1008403981-1713555679-1006\..\Toolbar\WebBrowser: (no name) - {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No CLSID value found.
O3 - HKU\S-1-5-21-3309173768-1008403981-1713555679-1006\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
O3 - HKU\S-1-5-21-3309173768-1008403981-1713555679-1006\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe ()
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1228161552\ee\aolsoftware.exe (America Online, Inc.)
O4 - HKLM..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe (Musicmatch, Inc.)
O4 - HKLM..\Run: [OSCD_Creator] c:\DELL\PREODM.EXE ()
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [TrayIcRun] C:\Program Files\ArcadeWeb\tray.exe (ArcadeWeb LLC)
O4 - HKU\S-1-5-21-3309173768-1008403981-1713555679-1006..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.)
O4 - HKU\S-1-5-21-3309173768-1008403981-1713555679-1006..\Run: [DW6] C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe (The Weather Channel Interactive, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3309173768-1008403981-1713555679-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O15 - HKU\S-1-5-21-3309173768-1008403981-1713555679-1006\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...n/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://aolsvc.aol.co...ploader_v10.cab (PopCapLoader Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 97.64.183.164 97.64.209.37
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4B8AA30B-9990-4720-8762-7831C2190C2E}: DhcpNameServer = 97.64.183.164 97.64.209.37
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\SYSTEM32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\John GT\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\John GT\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 13:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/10 13:52:38 | 000,101,720 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2012/01/10 13:49:30 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2012/01/10 13:49:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Lavasoft
[2012/01/10 13:49:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2012/01/10 13:46:40 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012/01/10 13:32:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John GT\Application Data\ElevatedDiagnostics
[2012/01/10 13:31:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows PowerShell 1.0
[2012/01/10 13:31:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\windowspowershell
[2012/01/10 13:14:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot2
[2012/01/10 12:52:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2012/01/10 12:30:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Sophos
[2012/01/10 12:30:22 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2012/01/10 12:02:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John GT\Application Data\Malwarebytes
[2012/01/10 11:23:58 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/01/10 11:12:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/01/10 11:12:30 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/01/10 11:12:30 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/01/10 11:06:28 | 000,000,000 | R--D | C] -- C:\Documents and Settings\John GT\Recent
[2012/01/08 19:37:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John GT\Start Menu\Programs\System Check
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/17 13:53:08 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2012/01/17 13:52:50 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2012/01/17 13:52:50 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2012/01/16 13:51:48 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2012/01/16 13:51:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2012/01/16 13:51:45 | 526,536,704 | -HS- | M] () -- C:\hiberfil.sys
[2012/01/10 13:52:36 | 000,101,720 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2012/01/10 13:46:48 | 000,002,115 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2012/01/10 13:29:06 | 000,402,406 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2012/01/10 13:29:06 | 000,063,016 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2012/01/10 12:56:20 | 000,000,000 | ---- | M] () -- C:\install.rdf
[2012/01/10 12:13:09 | 079,716,544 | ---- | M] () -- C:\msert.exe
[2012/01/10 11:46:03 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (DJPYYP61-John GT).job
[2012/01/09 15:50:03 | 000,000,432 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\LtXHAyG7SewWf1
[2012/01/09 15:48:35 | 000,000,280 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~LtXHAyG7SewWf1
[2012/01/09 15:48:35 | 000,000,192 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~LtXHAyG7SewWf1r
[2012/01/08 20:02:35 | 000,000,296 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~wve2YaNW7iCCF2
[2012/01/08 20:02:35 | 000,000,200 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~wve2YaNW7iCCF2r
[2012/01/08 20:02:22 | 000,000,853 | ---- | M] () -- C:\Documents and Settings\John GT\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/01/08 19:37:48 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\wve2YaNW7iCCF2
[2011/12/25 16:55:50 | 000,119,712 | ---- | M] () -- C:\WINDOWS\System32\Status.MPF
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/14 13:38:03 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2012/01/14 13:38:03 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2012/01/10 13:50:01 | 000,000,486 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2012/01/10 12:56:20 | 000,000,000 | ---- | C] () -- C:\install.rdf
[2012/01/10 12:56:05 | 000,002,115 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2012/01/10 12:13:09 | 079,716,544 | ---- | C] () -- C:\msert.exe
[2012/01/10 11:45:54 | 526,536,704 | -HS- | C] () -- C:\hiberfil.sys
[2012/01/09 15:48:35 | 000,000,280 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~LtXHAyG7SewWf1
[2012/01/09 15:48:35 | 000,000,192 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~LtXHAyG7SewWf1r
[2012/01/09 15:44:17 | 000,000,432 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LtXHAyG7SewWf1
[2012/01/08 20:02:35 | 000,000,200 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~wve2YaNW7iCCF2r
[2012/01/08 20:02:34 | 000,000,296 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~wve2YaNW7iCCF2
[2012/01/08 19:37:57 | 000,000,853 | ---- | C] () -- C:\Documents and Settings\John GT\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/01/08 19:37:48 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\wve2YaNW7iCCF2
[2011/01/30 16:27:17 | 000,000,067 | ---- | C] () -- C:\WINDOWS\101_ASB.INI
[2010/11/09 20:03:21 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\John GT\Application Data\PFP120JPR.{PB
[2010/11/09 20:03:21 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\John GT\Application Data\PFP120JCM.{PB
[2009/11/03 20:56:57 | 000,000,060 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2009/11/03 20:56:55 | 000,000,371 | ---- | C] () -- C:\WINDOWS\ka.ini
[2009/11/01 19:54:20 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\Clifford Uninstall.exe
[2009/11/01 19:54:20 | 000,000,097 | ---- | C] () -- C:\WINDOWS\CR.ini
[2009/10/21 17:06:43 | 000,000,434 | ---- | C] () -- C:\WINDOWS\Operation.ini
[2009/10/07 18:18:30 | 000,000,035 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2009/10/07 15:25:31 | 000,000,204 | ---- | C] () -- C:\WINDOWS\ACTIVITY.INI
[2009/10/04 19:15:25 | 000,000,301 | ---- | C] () -- C:\WINDOWS\EReg077.dat
[2009/10/04 19:15:16 | 000,000,127 | ---- | C] () -- C:\WINDOWS\TLCAPPS.INI
[2009/06/28 19:47:36 | 000,000,069 | ---- | C] () -- C:\WINDOWS\HB_ASB.INI
[2009/06/25 13:22:44 | 000,000,023 | ---- | C] () -- C:\WINDOWS\NOPD.INI
[2008/12/18 12:27:06 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\John GT\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/14 16:38:03 | 000,000,143 | ---- | C] () -- C:\Documents and Settings\John GT\Local Settings\Application Data\fusioncache.dat
[2008/12/01 14:01:09 | 000,000,715 | ---- | C] () -- C:\WINDOWS\aolback.exe.lnk
[2008/11/30 19:39:04 | 000,000,065 | ---- | C] () -- C:\WINDOWS\ARIEL_SS.INI
[2005/01/25 08:28:52 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/01/25 08:25:21 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2005/01/25 08:09:58 | 000,002,048 | --S- | C] () -- C:\WINDOWS\BOOTSTAT.DAT
[2005/01/25 08:09:08 | 000,402,406 | ---- | C] () -- C:\WINDOWS\System32\PERFH009.DAT
[2005/01/25 08:09:08 | 000,063,016 | ---- | C] () -- C:\WINDOWS\System32\PERFC009.DAT
[2005/01/25 07:51:20 | 000,000,520 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/10/15 18:56:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/10 13:13:12 | 000,000,780 | ---- | C] () -- C:\WINDOWS\ORUN32.INI
[2004/08/10 13:08:08 | 000,226,408 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/10 13:03:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/10 13:02:16 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/10 10:08:26 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.BIN
[2004/08/10 10:08:26 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.DAT
[2004/08/04 05:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\MLANG.DAT
[2004/08/04 05:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\PERFI009.DAT
[2004/08/04 05:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\DSSEC.DAT
[2004/08/04 05:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\MIB.BIN
[2004/08/04 05:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\PERFD009.DAT
[2004/08/04 05:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\SECUPD.DAT
[2004/08/04 05:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 05:00:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\FXSPERF.INI
[2004/08/04 05:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\NOISE.DAT
[2004/07/19 16:01:02 | 000,045,056 | ---- | C] () -- C:\WINDOWS\SETPWRCG.EXE
[1980/01/01 00:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:108D3361

< End of report >


Contents of EXTRAS.TXT: (I did the same replacement of initials for name as with the other log file.)

OTL Extras logfile created on: 1/18/2012 12:51:15 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = E:\Computer clean up
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.07 Mb Total Physical Memory | 137.77 Mb Available Physical Memory | 27.44% Memory free
1.20 Gb Paging File | 0.92 Gb Available in Paging File | 77.17% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.59 Gb Total Space | 57.42 Gb Free Space | 80.20% Space Free | Partition Type: NTFS
Drive E: | 1.86 Gb Total Space | 1.49 Gb Free Space | 80.04% Space Free | Partition Type: FAT

Computer Name: DJPYYP61 | User Name: John GT | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- (AOL LLC)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- (AOL LLC)
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- (America Online, Inc.)
"C:\Program Files\AOL 9.0\waol.exe" = C:\Program Files\AOL 9.0\waol.exe:*:Enabled:AOL 9.0 -- (AOL, LLC.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- (AOL LLC)
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- (AOL LLC)
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- (America Online, Inc.)
"C:\Program Files\AOL\RC\regclient.exe" = C:\Program Files\AOL\RC\regclient.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe" = C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:*:Enabled:AOL TopSpeed -- (AOL LLC)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\Common Files\AOL\System Information\sinf.exe" = C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL System Information -- (AOL LLC)
"C:\Program Files\AOL 9.0\waol.exe" = C:\Program Files\AOL 9.0\waol.exe:*:Enabled:AOL 9.0 -- (AOL, LLC.)
"C:\Program Files\Itibiti Soft Phone\Itibiti.exe" = C:\Program Files\Itibiti Soft Phone\Itibiti.exe:*:Enabled:Itibiti.exe -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{158104AB-D92E-45BC-8268-5D351C95F6AD}" = Clip Art Collection
"{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}" = Intel® PROSet for Wired Connections
"{25331195-4E18-11D7-9D73-0008C7223F91}" = Zoom V.92 PCI Voice Faxmodem
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{352310C3-E46B-42D3-8F32-54721FDD72D9}" = NetZeroInstallers
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Modem On Hold
"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.3
"{6E179C77-7335-458D-9537-4F4EAC0181ED}" = Photo Click
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}" = EarthLink setup files
"{730E03E4-350E-48E5-9D3E-4329903D454D}" = Itibiti RTC
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{78D944D7-A97B-4004-AB0A-B5AD06839940}" = My Way Search Assistant
"{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}" = Modem Event Monitor
"{7A3F0566-5E05-4919-9C98-456F6B5CF831}" = Get High Speed Internet!
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{81A34902-9D0B-4920-A25C-4CDC5D14B328}" = Jasc Paint Shop Pro 8 Dell Edition
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8E9976D2-E563-43DE-A51F-5AEBC38D1F08}" = Ad-Aware
"{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}" = Musicmatch® Jukebox
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}" = Dell Media Experience
"{AC76BA86-0000-0000-0000-6028747ADE01}" = Adobe Acrobat - Reader 6.0.2 Update
"{AC76BA86-7AD7-1033-7B44-A00000000001}" = Adobe Reader 6.0.1
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}" = Jasc Paint Shop Photo Album
"{CDE4CC8B-134B-421E-943C-90799E56F664}" = Dell Media Experience Update
"101 Dalmatians StoryBook" = 101 Dalmatians StoryBook
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adventures in Typing" = Adventures in Typing
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"Ariel's Story Studio" = Ariel's Story Studio
"BFGC" = Big Fish Games: Game Manager
"CCleaner" = CCleaner
"Clifford Reading" = Clifford Reading
"DellSupport" = Dell Support 5.0.0 (630)
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"Hunchback Animated StoryBook" = Hunchback Animated StoryBook
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Itibiti_is1" = Knctr
"JSARTIST" = JumpStart Artist
"Mahjongg Master" = Mahjongg Master
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OpDKey" = Operation
"PROSet" = Intel® PRO Network Adapters and Drivers
"QuickTime" = QuickTime
"Read4632.exe" = Reader Rabbit's Reading Ages 4-6
"RealPlayer 6.0" = RealPlayer Basic
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.20
"StreetPlugin" = Learn2 Player (Uninstall Only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/10/2012 3:05:05 PM | Computer Name = DJPYYP61 | Source = MPSampleSubmission | ID = 5000
Description =

Error - 1/10/2012 3:07:20 PM | Computer Name = DJPYYP61 | Source = Microsoft Security Client | ID = 5000
Description =

Error - 1/10/2012 3:07:23 PM | Computer Name = DJPYYP61 | Source = Microsoft Security Client | ID = 1001
Description =

Error - 1/10/2012 3:07:39 PM | Computer Name = DJPYYP61 | Source = Microsoft Security Client | ID = 5000
Description =

Error - 1/10/2012 3:44:08 PM | Computer Name = DJPYYP61 | Source = MPSampleSubmission | ID = 5000
Description =

Error - 1/10/2012 3:46:24 PM | Computer Name = DJPYYP61 | Source = Microsoft Security Client | ID = 5000
Description =

Error - 1/10/2012 3:46:32 PM | Computer Name = DJPYYP61 | Source = Microsoft Security Client | ID = 1001
Description =

Error - 1/10/2012 3:46:48 PM | Computer Name = DJPYYP61 | Source = Microsoft Security Client | ID = 5000
Description =

Error - 1/11/2012 9:47:36 PM | Computer Name = DJPYYP61 | Source = Microsoft Office 12 | ID = 1000
Description = Faulting application powerpnt.exe, version 12.0.6545.5000, stamp 4c653ef1,
faulting module ogl.dll, version 12.0.6509.5000, stamp 4a32fc30, debug? 0, fault
address 0x00002c2e.

Error - 1/16/2012 3:57:54 PM | Computer Name = DJPYYP61 | Source = Application Hang | ID = 1002
Description = Hanging application OIS.EXE, version 12.0.6413.1000, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ OSession Events ]
Error - 1/18/2010 3:20:54 PM | Computer Name = DJPYYP61 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session
lasted 2549 seconds with 780 seconds of active time. This session ended with a
crash.

Error - 1/11/2012 9:47:32 PM | Computer Name = DJPYYP61 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application
Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session
lasted 98316 seconds with 2160 seconds of active time. This session ended with
a crash.

[ System Events ]
Error - 1/18/2012 2:50:23 PM | Computer Name = DJPYYP61 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 1/18/2012 2:50:25 PM | Computer Name = DJPYYP61 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 1/18/2012 2:50:26 PM | Computer Name = DJPYYP61 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 1/18/2012 2:50:27 PM | Computer Name = DJPYYP61 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 1/18/2012 2:50:29 PM | Computer Name = DJPYYP61 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 1/18/2012 2:50:30 PM | Computer Name = DJPYYP61 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 1/18/2012 2:50:32 PM | Computer Name = DJPYYP61 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 1/18/2012 2:50:33 PM | Computer Name = DJPYYP61 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 1/18/2012 2:50:34 PM | Computer Name = DJPYYP61 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 1/18/2012 2:50:36 PM | Computer Name = DJPYYP61 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.


< End of report >


Help please. :P
  • 0

#5
tech_lady

tech_lady

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I just realized too that I probably didn't run the Quick Scan, but the full Scan because it is the default. Again, this was due to the fact that I didn't take your simple directions with me. So I apologize.
  • 0

#6
Gammo

Gammo

    Trusted Helper

  • Malware Removal
  • 2,299 posts
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
    FF - HKLM\Software\MozillaPlugins\npEpicPlayDisplayHost: C:\Program Files\EpicPlay\npEpicHost.dll ( )
    O3 - HKU\S-1-5-21-3309173768-1008403981-1713555679-1006\..\Toolbar\WebBrowser: (no name) - {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No CLSID value found.
    O3 - HKU\S-1-5-21-3309173768-1008403981-1713555679-1006\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
    O4 - HKLM..\Run: [TrayIcRun] C:\Program Files\ArcadeWeb\tray.exe (ArcadeWeb LLC)
    [2012/01/08 19:37:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John GT\Start Menu\Programs\System Check
    [2012/01/09 15:50:03 | 000,000,432 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\LtXHAyG7SewWf1
    [2012/01/09 15:48:35 | 000,000,280 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~LtXHAyG7SewWf1
    [2012/01/09 15:48:35 | 000,000,192 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~LtXHAyG7SewWf1r
    [2012/01/08 20:02:35 | 000,000,296 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~wve2YaNW7iCCF2
    [2012/01/08 20:02:35 | 000,000,200 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~wve2YaNW7iCCF2r
    [2012/01/08 20:02:22 | 000,000,853 | ---- | M] () -- C:\Documents and Settings\John GT\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
    [2012/01/08 19:37:48 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\wve2YaNW7iCCF2
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\*.tmp files -> C:\*.tmp -> ]
    
    :Services
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    C:\Program Files\Viewpoint
    C:\Program Files\EpicPlay
    C:\Program Files\ArcadeWeb
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [emptyflash]
    [createrestorepoint]
    [reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done





Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, click the "Update" tab and click the "Check For updates" button.
  • Once the updates have downloaded, click the "Scanner" tab, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.





Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
  • 0
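As an added triage example (not code from this thread, from OTL, or from Geeks to Go): the Python script below automates two of the checks a helper makes by eye when reading the Extras.txt and OTL file lists posted above. It compares the "Shell Spawning" entries with the Windows XP default commands, since a rogue "scanner" that hijacks exefile makes every program launch start the rogue, and it flags recently modified, randomly named files written straight into All Users\Application Data, the pattern the OTL fix above removes. The table of XP defaults and the random-name heuristic (10 to 20 alphanumerics mixing upper case, lower case and digits) are this example's own assumptions; the sample log text is constructed from lines in this thread, with one constructed exefile hijack line added so the first check has something to find.

```python
# Added triage helper for the OTL / Extras.txt excerpts above (example code, not
# OTL's own). The XP default table and the random-name heuristic are this
# example's assumptions; the sample log text is constructed from thread lines.
import re
from datetime import datetime, timedelta

# Windows XP default open commands for the classes rogue "scanners" tamper with
# most often: a hijacked exefile makes every program launch start the rogue.
XP_SHELL_DEFAULTS = {
    ("exefile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*',
    ("batfile", "open"): '"%1" %*',
    ("cmdfile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*',
    ("scrfile", "open"): '"%1" /S',
}
SHELL_RE = re.compile(r"^(\w+) \[(\w+)\] -- (.*)$")
# OTL file line: [date time | size | attrs | C or M] (company) -- path; (company) optional
OTL_FILE_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| ([\d,]+) \| (\S+) \| ([CM])\]"
    r" (?:\(([^)]*)\) )?-- (.*)$")
ALL_USERS_APPDATA = "\\All Users\\Application Data\\"  # ProgramData on XP

def parse_shell_spawning(lines):
    """Return {(class, verb): command} for every 'class [verb] -- command' line."""
    table = {}
    for line in lines:
        m = SHELL_RE.match(line.strip())
        if m:
            table[(m.group(1), m.group(2))] = m.group(3)
    return table

def check_shell_spawning(lines):
    """(class, verb, found, expected) for each entry that differs from the XP default."""
    return [(cls, verb, cmd, XP_SHELL_DEFAULTS[(cls, verb)])
            for (cls, verb), cmd in parse_shell_spawning(lines).items()
            if (cls, verb) in XP_SHELL_DEFAULTS and cmd != XP_SHELL_DEFAULTS[(cls, verb)]]

def parse_otl_file_entries(lines):
    """Parse OTL file/folder lines into dicts (timestamp, size, attrs, kind, path)."""
    entries = []
    for line in lines:
        m = OTL_FILE_RE.match(line.strip())
        if m:
            entries.append({"when": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                            "size": int(m.group(2).replace(",", "")),
                            "attrs": m.group(3), "kind": m.group(4),  # C=created, M=modified
                            "path": m.group(6)})
    return entries

def looks_random(name):
    """Heuristic (assumption): no extension, 10-20 alphanumerics mixing upper case,
    lower case and digits, which fits the LtXHAyG7SewWf1-style names in the fix above."""
    base = name.lstrip("~")
    if "." in base or not 10 <= len(base) <= 20 or not base.isalnum():
        return False
    return (any(c.isupper() for c in base) and any(c.islower() for c in base)
            and any(c.isdigit() for c in base))

def flag_suspicious_appdata(entries, scan_date, max_age_days=30):
    """Paths of random-named files written directly into All Users\\Application Data
    within max_age_days before scan_date (OTL's own 30-day window)."""
    cutoff = scan_date - timedelta(days=max_age_days)
    hits = []
    for e in entries:
        folder, sep, name = e["path"].rpartition("\\")
        if ((folder + sep).endswith(ALL_USERS_APPDATA) and e["when"] >= cutoff
                and looks_random(name)):
            hits.append(e["path"])
    return hits

# Constructed sample: Shell Spawning lines from the thread's Extras.txt, with the
# exefile line replaced by a constructed hijack pointing at a rogue-dropped file.
SAMPLE_EXTRAS = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
comfile [open] -- "%1" %*
exefile [open] -- "C:\Documents and Settings\All Users\Application Data\wve2YaNW7iCCF2.exe" -a "%1" %*
piffile [open] -- "%1" %*
scrfile [open] -- "%1" /S
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
"""
# Constructed sample: entries from the OTL fix above plus two benign, older files.
SAMPLE_OTL = r"""
[2012/01/08 19:37:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\John GT\Start Menu\Programs\System Check
[2012/01/09 15:50:03 | 000,000,432 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\LtXHAyG7SewWf1
[2012/01/09 15:48:35 | 000,000,192 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~LtXHAyG7SewWf1r
[2012/01/08 20:02:35 | 000,000,296 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~wve2YaNW7iCCF2
[2012/01/08 20:02:22 | 000,000,853 | ---- | M] () -- C:\Documents and Settings\John GT\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/01/08 19:37:48 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\wve2YaNW7iCCF2
[2009/11/03 20:56:57 | 000,000,060 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2008/12/14 16:38:03 | 000,000,143 | ---- | C] () -- C:\Documents and Settings\John GT\Local Settings\Application Data\fusioncache.dat
"""
SCAN_DATE = datetime(2012, 1, 18, 12, 51, 15)  # timestamp of the OTL run in the thread

if __name__ == "__main__":
    for cls, verb, found, expected in check_shell_spawning(SAMPLE_EXTRAS.splitlines()):
        print(f"shell hijack: {cls} [{verb}] is {found!r}; XP default is {expected!r}")
    for path in flag_suspicious_appdata(parse_otl_file_entries(SAMPLE_OTL.splitlines()), SCAN_DATE):
        print(f"suspicious recent file: {path}")
```

Run against the constructed samples it reports the one exefile hijack and the four random-named files under All Users\Application Data, and ignores the System Check shortcut, the old .INI and the fusioncache.dat entry, which is the same short list the fix above targets. "Reg Error: Key error" lines, as seen for regfile and txtfile in the posted Extras.txt, mean OTL could not read that key and are left out of the comparison rather than reported as hijacks.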

#7
tech_lady

tech_lady

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I hope to get to do these fixes today. One question: If MBAM is already installed as part of my prior cleaning arsenal, can I use it to run the scan as long as I have it updated, or is there some reason I need to uninstall, redownload and reinstall it? If you're busy and don't get a chance to quickly reply, I will probably use the installed version. Thanks!
  • 0

#8
Gammo

Gammo

    Trusted Helper

  • Malware Removal
  • 2,299 posts
You can use the MBAM version that's already installed as long as you update it first. :thumbsup:
  • 0

#9
tech_lady

tech_lady

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
It's hard for me to find time to go to the facility where the PC is located and do the requested actions, but I do my best if you can be patient with me. I did go there today.

Ran OTL and the Custom Scan/Fix you gave me (after I modified it to include the full name that I had removed on the earlier log). It completed successfully. You did not tell me to post the log that this created, so I am not.

Ran MBAM Quick Scan after updating and it found nothing. Here's the content of the log: (after names were replaced with initials for security)

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.24.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
John GT :: DJPYYP61 [administrator]

1/24/2012 11:52:12 AM
mbam-log-2012-01-24 (11-52-12).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196302
Time elapsed: 4 minute(s), 7 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Next I ran Combofix as instructed. I had to allow it to go online and download and install a newer version of Recovery Console (I think) which succeeded. It took quite a while and took probably 15 minutes at the end to create the log, but I just let it run. Here's the log from it:

ComboFix 12-01-23.02 - John GT 01/24/2012 12:03:12.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.232 [GMT -6:00]
Running from: c:\documents and settings\John GT\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\John GT\WINDOWS
c:\documents and settings\Neva G. T\Start Menu\Programs\System Check
c:\documents and settings\Neva G. T\Start Menu\Programs\System Check\System Check.lnk
c:\documents and settings\Neva G. T\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\program files\TotalRecipeSearch_14
c:\program files\TotalRecipeSearch_14\bar\1.bin\14auxstb.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14brstub.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14datact.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14dlghk.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14dyn.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14feedmg.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14highin.exe
c:\program files\TotalRecipeSearch_14\bar\1.bin\14hkstub.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14html.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14htmlmu.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14httpct.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14idle.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14ieovr.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14impipe.exe
c:\program files\TotalRecipeSearch_14\bar\1.bin\14medint.exe
c:\program files\TotalRecipeSearch_14\bar\1.bin\14mlbtn.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14msg.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14Plugin.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14radio.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14regfft.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14reghk.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14regiet.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14script.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14skin.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14skplay.exe
c:\program files\TotalRecipeSearch_14\bar\1.bin\14tpinst.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\14uabtn.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\CHROME.MANIFEST
c:\program files\TotalRecipeSearch_14\bar\1.bin\chrome\14ffxtbr.jar
c:\program files\TotalRecipeSearch_14\bar\1.bin\INSTALL.RDF
c:\program files\TotalRecipeSearch_14\bar\1.bin\LOGO.BMP
c:\program files\TotalRecipeSearch_14\bar\1.bin\NP14Stub.dll
c:\program files\TotalRecipeSearch_14\bar\1.bin\T8RES.DLL
c:\program files\TotalRecipeSearch_14\bar\Cache\0AD91421.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\0F96FE27.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\0F97000B.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\0F9700A7.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\0F9702F9.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\0F97050C.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\0F970654.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\0F97077D.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\0F9708C5.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\0F970942.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\0F9709CF.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\0F970A5C.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\0F97170E.jhtml
c:\program files\TotalRecipeSearch_14\bar\Cache\0F9751C5.bmp
c:\program files\TotalRecipeSearch_14\bar\Cache\files.ini
c:\program files\TotalRecipeSearch_14\bar\History\search3
c:\program files\TotalRecipeSearch_14\bar\IE9Mesg\COMMON.T8S
c:\program files\TotalRecipeSearch_14\bar\Message\COMMON.T8S
c:\program files\TotalRecipeSearch_14\bar\Settings\prevcfg2.htm
c:\program files\TotalRecipeSearch_14\bar\Settings\s_pid.dat
c:\program files\TotalRecipeSearch_14\bar\Settings\s_w1.dat
c:\program files\TotalRecipeSearch_14\bar\Settings\s_w1.dat.bak
c:\program files\TotalRecipeSearch_14\bar\Settings\s_w2.dat
c:\program files\TotalRecipeSearch_14\bar\Settings\s_w2.dat.bak
c:\program files\TotalRecipeSearch_14\bar\Settings\setting3.htm
c:\program files\TotalRecipeSearch_14\bar\Settings\setting3.htm.bak
c:\program files\TotalRecipeSearch_14\TotalRecipeSearch_14\Cache\PopupProperties100023737.html
c:\program files\TotalRecipeSearch_14\TotalRecipeSearch_14\Cache\PopupProperties100023739.html
c:\program files\TotalRecipeSearch_14\TotalRecipeSearch_14\Cache\PopupProperties100024344.html
c:\program files\TotalRecipeSearch_14\TotalRecipeSearch_14\Cache\PopupProperties100025727.html
c:\program files\TotalRecipeSearch_14\TotalRecipeSearch_14\Cache\PopupProperties100025731.html
c:\program files\TotalRecipeSearch_14\TotalRecipeSearch_14\Cache\PopupProperties100065004.html
c:\program files\TotalRecipeSearch_14\TotalRecipeSearch_14\Cache\PopupProperties200821740.html
c:\program files\TotalRecipeSearch_14\TotalRecipeSearch_14\Cache\Radio.html
c:\program files\TotalRecipeSearch_14EI
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_TOTALRECIPESEARCH_14SERVICE
.
.
((((((((((((((((((((((((( Files Created from 2011-12-24 to 2012-01-24 )))))))))))))))))))))))))))))))
.
.
2012-01-10 19:52 . 2012-01-10 19:52 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-01-10 19:49 . 2012-01-10 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2012-01-10 19:49 . 2012-01-10 19:49 -------- d-----w- c:\program files\Lavasoft
2012-01-10 19:32 . 2012-01-10 19:32 -------- d-----w- c:\documents and settings\John GT\Application Data\ElevatedDiagnostics
2012-01-10 19:14 . 2012-01-24 18:11 -------- d-----w- c:\windows\system32\CatRoot2
2012-01-10 18:30 . 2012-01-10 18:30 -------- d-----w- c:\program files\Sophos
2012-01-10 18:13 . 2012-01-10 18:13 79716544 ----a-w- C:\msert.exe
2012-01-10 18:02 . 2012-01-10 18:02 -------- d-----w- c:\documents and settings\John GT\Application Data\Malwarebytes
2012-01-10 17:23 . 2012-01-10 17:24 -------- d-----w- c:\program files\CCleaner
2012-01-10 17:12 . 2012-01-10 17:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-10 17:12 . 2012-01-24 17:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-10 17:12 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-10 17:09 . 2012-01-10 17:27 -------- d-----w- c:\documents and settings\Administrator
2012-01-09 18:31 . 2012-01-09 18:31 -------- d-----w- c:\documents and settings\Neva G. T\Local Settings\Application Data\Yahoo
2012-01-09 18:31 . 2012-01-09 18:31 -------- d-----w- c:\documents and settings\Neva G. T\Application Data\Yahoo!
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-14 02:46 . 2011-12-14 02:46 1409 ----a-w- c:\windows\QTFont.for
2011-11-13 23:50 . 2011-08-08 21:07 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2011-06-08 822456]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-05-06 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-05-06 118784]
"OSCD_Creator"="c:\dell\PreODM.EXE" [2004-10-31 408576]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-01-25 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-25 98304]
"HostManager"="c:\program files\Common Files\AOL\1228161552\ee\AOLSoftware.exe" [2006-09-26 50736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OSCD_Creator"="c:\dell\PreODM.EXE" [2004-10-31 408576]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Itibiti Soft Phone\\Itibiti.exe"=
.
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/23/2011 7:12 AM 2152152]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-12-23 19:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mediacomtoday.com/
uInternet Connection Wizard,ShellNext = hxxp://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=ppt
TCP: DhcpNameServer = 97.64.183.164 97.64.209.37
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-24 12:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
OSCD_Creator = c:\dell\PreODM.EXE /2??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\9.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2412)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\system32\wdfmgr.exe
c:\windows\wanmpsvc.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2012-01-24 12:20:10 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-24 18:20
.
Pre-Run: 61,567,967,232 bytes free
Post-Run: 61,457,133,568 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 818F90DA68B518B506DEFA2F3D3C27FB


As for how the PC runs... Things seem to work, except my original issue with installing Microsoft Security Essentials and running Microsoft Updates still remains. I downloaded MSSE and saved it to the desktop. Then I double-clicked it to install with hopes it would now work. It got about 1/2 way through the installation and popped up an error saying it encountered an unknown error (or similar wording) and gave an Error Code of 0x8004FF2A, then uninstalled all installed components.

I then tried to go to Windows Update which went to Microsoft Update. I approved the ActiveX control and received a red X with a circle that said "The website has encountered a problem....." The Error number given at the top of the page was 0x80096001. I'm not sure what version of IE I was using, but I think it's IE7.

Since it's so hard for me to get there, I also ran HJT and saved a log before I left. I ran OTL again too, which saved a new log, but no Extras.txt log. If you need me to post these, I can. I didn't want to provide them unless requested though.

What next? Thanks. :huh:
  • 0
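The "Reg Loading Points" and service lines in the ComboFix log above are what a helper actually reads when deciding whether anything still loads at boot. As an added example (not part of this thread, and not ComboFix's own code), here is a small Python triage script that parses those two line formats and flags autostart entries worth a second look: an image ComboFix could not stat (`[?]`), an image that is a `.tmp` file, or an image living outside the usual XP install directories. The sample input is a constructed excerpt built from lines copied out of the log above; the regular expressions and the `EXPECTED_ROOTS` list are our own assumptions about the log format and are not an official ComboFix specification.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt for this example: the lines are copied from the ComboFix
# log posted in this thread (Run key and services sections); the selection is ours.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-05-06 155648]
"HostManager"="c:\program files\Common Files\AOL\1228161552\ee\AOLSoftware.exe" [2006-09-26 50736]
.
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/23/2011 7:12 AM 2152152]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
"""

# "Name"="path" [date size]        (Run / RunOnce keys) -- assumed format
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]$')
# R2 name;display;image [date time size]   (services / drivers) -- assumed format
SERVICE_ENTRY = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$')

# Directories an XP autostart image is normally expected to live under (our assumption).
EXPECTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\dell\\')


@dataclass
class Autostart:
    kind: str          # "run" or "service"
    name: str
    path: str          # image path as ComboFix resolved it, lower-cased
    meta: str          # bracketed date/size, or "?" when ComboFix could not stat the file
    reasons: list = field(default_factory=list)


def parse_autostarts(text):
    """Extract Run-key and service/driver entries from ComboFix log text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_ENTRY.match(line):
            entries.append(Autostart('run', m['name'], m['path'].lower(), m['meta']))
        elif m := SERVICE_ENTRY.match(line):
            path = m['path']
            # "\??\x --> y": the NT-style path on the left resolved to the Win32 path on the right
            if '-->' in path:
                path = path.split('-->', 1)[1].strip()
            entries.append(Autostart('service', m['name'].strip(), path.lower(), m['meta']))
    return entries


def triage(text):
    """Return the autostart entries that deserve a closer look, with a reason for each."""
    flagged = []
    for e in parse_autostarts(text):
        if e.meta.strip() == '?':
            e.reasons.append('ComboFix could not find or stat the image file ([?])')
        if e.path.endswith('.tmp'):
            e.reasons.append('image is a .tmp file rather than a normal executable name')
        if not e.path.startswith(EXPECTED_ROOTS):
            e.reasons.append('image lives outside the expected install directories')
        if e.reasons:
            flagged.append(e)
    return flagged


if __name__ == '__main__':
    for e in triage(SAMPLE_LOG):
        print(f'{e.kind} {e.name}: {e.path}')
        for r in e.reasons:
            print('   -', r)
```

On the excerpt above the script flags only MEMSWEEP2, because its image is a `.tmp` file that ComboFix reported as `[?]`. That is a pointer for the analyst, not a verdict: MEMSWEEP2 is the service name Sophos' scanning tools use for a temporary in-memory scan driver, and the same log shows `c:\program files\Sophos` created on 2012-01-10, so a helper would clear it after checking. The value of a script like this is that it reads every autostart line the same way on every log, so the odd one out is never skimmed past.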

#10
Gammo

Gammo

    Trusted Helper

  • Malware Removal
  • 2,299 posts
Please download and run this file: http://go.microsoft....?linkid=9665683
After that, please restart your PC and try 1) using Windows Update and 2) installing MSE.

If both/one of them still isn't working, please start a new topic about your problem here (since I think it's not malware related): http://www.geekstogo...p-2000-2003-nt/




Perform these two cleanup tools anyway:

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Download OTC to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

  • 0

#11
tech_lady

tech_lady

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks for the prompt reply. I hope I can get there soon to do these things. I actually tried to run the FixIt tool when I first discovered it wouldn't work after my cleanup and it didn't work, but now that ComboFix ran and you helped me maybe the outcome will be different. :P

Will it matter on the ComboFix uninstall if I've already deleted it from the desktop? After it ran, I didn't want the PC owner/user being tempted by the icon on his desktop, so I just deleted it. Do I need to replace it before uninstalling?

Also, I ran OTC from a thumb drive. Do I need to re-download to the desktop (maybe even a newer version) or can I run it from the one on the usb drive?

Thanks again. Your help has been wonderful! :thumbsup:

EDIT... Sorry, I first thought OTL and OTC were the same. Obviously Not! So ignore the second part of this comment.

Edited by tech_lady, 24 January 2012 - 03:16 PM.

  • 0

#12
Gammo

Gammo

    Trusted Helper

  • Malware Removal
  • 2,299 posts

Will it matter on the ComboFix uninstall if I've already deleted it from the desktop? After it ran, I didn't want the PC owner/user being tempted by the icon on his desktop, so I just deleted it. Do I need to replace it before uninstalling?

In order for ComboFix /uninstall to work you need to have a copy of ComboFix.exe present on the Desktop, so yes you have to replace it.
  • 0
