Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Windows XP Home Security 2012 icon keeps throwing up warning balloons

Started by psycho_candy , Jan 21 2012 03:04 PM

This topic is locked

#1
psycho_candy

Posted 21 January 2012 - 03:04 PM

Member

Member
17 posts

When I click on the pop-up, it opens a window for XP Home Security 2012 and claims to find 30 infected files, and asks if I want to "Remove All". Clicking "yes" opens up another window that tries to get me to purchase a full version of Windows Home Security (this window opens in "Internet Explorer," but I'm pretty sure it's not actually Internet Explorer since Mozilla is my default browser and I believe I've removed Internet Explorer from my computer completely). No, I did not purchase the "Full Version." I'm not that easy! :lol:

I just DL'd OTL and am running it.. :help:

Thanks in advance for any help!

Cheers,
-bean

also, whatever got on my computer won't let me run HijackThis! I downloaded it from a CNet link, so I'm pretty sure it's a safe and legit download. When I try to run HijackThis!, a window opens that warns me that the program is infected with: Trojan-BNK.Win32.Keylogger.gen. It also asks me, once again, to "Activate XP Home Security 2012." And whether I want to download the "Full Version - Recommended," or "Continue Unprotected - Dangerous."

I get the same when I try to run Malware Bytes (which was installed before my computer got infected). Same with Windows Defender. It basically won't let me run any security programs.

Finally, in the system tray, there is a fake Windows Defender shield that appears to be generating all the warnings. It identifies itself as XP Home Security 2012 when you hover over it. Nothing happens when you right click it. Left click leads to a window asking me to register.

Edited by psycho_candy, 21 January 2012 - 03:24 PM.

#2
Crag_Hack

Posted 21 January 2012 - 03:18 PM

Trusted Helper

Malware Removal
1,839 posts

Hello and welcome to the Geeks to Go Virus, Spyware & Malware Removal forum. My name is Josh and I will be helping you remove your infection. I am only human not superman - I can make errors but will do my best to help you as best I can so we can solve your problems. Some of the following instructions to begin the malware removal process can be hard to follow - let me know if you have any questions. Please read all of my responses through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. Also please do not attempt any disinfection procedures without my instruction as things can go wrong that way. One more thing - please refrain from using your computer until it is disinfected unless you absolutely have to (unless you are following my disinfection procedures) - when you are using it the current malware infection could propagate further infections - forcing us to do a second or even third round of disinfection after the first. If you do have to use it please disconnect it from the Internet - that way the current malware cannot propagate further infections. Please follow the instructions here to run OTL and post the OTL log contents in your next topic. If you have trouble running OTL follow these instructions. Expect no more than 24 hours between your post and my reponse unless World War 3 breaks out. Good luck!

#3
psycho_candy

Posted 21 January 2012 - 03:26 PM

Member

Topic Starter
Member
17 posts

Here is the OTL log:

OTL logfile created on: 1/21/2012 1:16:22 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\JCHSStudent\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.05 Mb Total Physical Memory | 166.99 Mb Available Physical Memory | 16.47% Memory free
2.38 Gb Paging File | 1.56 Gb Available in Paging File | 65.47% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.20 Gb Total Space | 2.79 Gb Free Space | 7.51% Space Free | Partition Type: NTFS

Computer Name: DELL620 | User Name: JCHSStudent | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/21 13:16:09 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\JCHSStudent\My Documents\Downloads\OTL.exe
PRC - [2012/01/20 16:33:45 | 000,363,008 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\JCHSStudent\Local Settings\Temp\aewrocmxsn.exe
PRC - [2012/01/08 20:36:16 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/01/17 18:37:40 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2011/01/17 18:37:40 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2010/09/26 23:21:09 | 000,708,608 | ---- | M] (RaduKing) -- C:\Program Files\RKLauncher\RK_Launcher_041_Beta_Nightly\RKLauncher.exe
PRC - [2009/11/03 14:48:54 | 000,874,768 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe
PRC - [2009/11/03 14:45:52 | 000,348,160 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe
PRC - [2009/11/03 14:45:48 | 001,372,160 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
PRC - [2009/11/03 14:42:00 | 000,909,312 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
PRC - [2009/11/03 14:35:14 | 001,202,448 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
PRC - [2009/11/03 14:33:48 | 000,473,360 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
PRC - [2009/10/23 13:59:56 | 000,228,352 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech Touch Mouse Server\iTouch-Server-Win.exe
PRC - [2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/10 09:22:32 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
PRC - [2007/02/16 08:58:12 | 000,856,064 | ---- | M] (Christian Diefer) -- C:\Program Files\I8kfanGUI\I8kfanGUI.exe
PRC - [2006/11/03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2003/05/21 00:22:36 | 000,032,768 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
PRC - [2003/05/21 00:21:18 | 000,090,112 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe

========== Modules (No Company Name) ==========

MOD - [2012/01/08 20:36:12 | 002,124,760 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/12/07 21:45:37 | 000,170,496 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\program\libxslt.dll
MOD - [2011/12/07 21:45:36 | 000,985,088 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\program\libxml2.dll
MOD - [2011/11/17 22:30:09 | 008,527,008 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2011/06/24 21:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/06/24 21:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/02/02 20:39:56 | 000,008,192 | ---- | M] () -- C:\Program Files\Java\jre6\bin\jp2native.dll
MOD - [2010/09/26 23:21:06 | 000,135,168 | ---- | M] () -- C:\Program Files\RKLauncher\RK_Launcher_041_Beta_Nightly\docklets\RecycleBin\RecycleBin.dll
MOD - [2009/11/03 14:35:46 | 000,200,704 | ---- | M] () -- C:\Program Files\Intel\WiFi\bin\iWMSProv.dll
MOD - [2003/05/21 00:19:00 | 000,045,056 | ---- | M] () -- C:\WINDOWS\system32\NavLogon.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/12/24 17:50:18 | 000,652,872 | ---- | M] (Malwarebytes Corporation) [Disabled | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2010/01/15 04:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2009/11/03 14:48:54 | 000,874,768 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2009/11/03 14:45:52 | 000,348,160 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe -- (WLANKEEPER) Intel®
SRV - [2009/11/03 14:42:00 | 000,909,312 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2009/11/03 14:33:48 | 000,473,360 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2006/11/03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2003/05/21 00:27:46 | 000,610,304 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe -- (Norton AntiVirus Server)
SRV - [2003/05/21 00:22:36 | 000,032,768 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe -- (DefWatch)

========== Driver Services (SafeList) ==========

DRV - [2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2010/10/18 00:00:00 | 001,371,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101018.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/10/18 00:00:00 | 000,086,064 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101018.002\NAVENG.SYS -- (NAVENG)
DRV - [2010/07/11 17:20:29 | 000,073,496 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/10/26 04:47:30 | 004,221,952 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel®
DRV - [2008/08/13 15:23:56 | 000,011,904 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2008/04/13 10:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2007/12/23 16:18:48 | 000,068,696 | ---- | M] (O2Micro) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\oz776.sys -- (guardian2)
DRV - [2007/05/10 09:24:34 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/02/16 01:05:48 | 000,014,464 | ---- | M] (Christian Diefer) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fanio.sys -- (fanio)
DRV - [2005/10/26 09:01:02 | 000,142,720 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2003/05/02 20:08:22 | 000,030,208 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Navapel.sys -- (NAVAPEL)
DRV - [2003/05/02 20:08:18 | 000,224,256 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Navap.sys -- (NAVAP)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\[email protected]/YahooActiveXPluginBridge;version=1.0.0.1: C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll (Yahoo! Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/08 20:36:20 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/11/21 20:24:06 | 000,000,000 | ---D | M]

[2010/10/17 20:14:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\JCHSStudent\Application Data\Mozilla\Extensions
[2010/10/17 20:14:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\JCHSStudent\Application Data\Mozilla\Extensions\[email protected]
[2012/01/20 16:59:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\JCHSStudent\Application Data\Mozilla\Firefox\Profiles\1a1ltn3t.default\extensions
[2011/03/21 08:57:04 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\JCHSStudent\Application Data\Mozilla\Firefox\Profiles\1a1ltn3t.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/01/08 20:36:28 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/01/08 20:36:18 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/02/02 20:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2007/03/09 15:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\mozilla firefox\plugins\npyaxmpb.dll
[2012/01/08 20:36:07 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/01/08 20:36:07 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2004/08/04 02:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel® Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe (Intel® Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO File not found
O4 - HKCU..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe (Christian Diefer)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Touch Mouse Server.lnk = C:\Program Files\Logitech Touch Mouse Server\iTouch-Server-Win.exe (Logitech, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Shortcut to RKLauncher.exe.lnk = C:\Program Files\RKLauncher\RK_Launcher_041_Beta_Nightly\RKLauncher.exe (RaduKing)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Defender.lnk = C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\JCHSStudent\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: aol.com ([free] http in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5B826DB3-68BA-4A15-97DF-83E8843C829D}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - (C:\WINDOWS\system32\NavLogon.dll) - C:\WINDOWS\system32\NavLogon.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\JCHSStudent\Application Data\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\JCHSStudent\Application Data\Mozilla\Firefox\Desktop Background.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/06/17 08:34:25 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = mdaw] -- "C:\Documents and Settings\JCHSStudent\Local Settings\Application Data\qkm.exe" -a "%1" %* (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2012/01/20 17:13:59 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2012/01/20 17:13:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JCHSStudent\Start Menu\Programs\HiJackThis
[2012/01/20 16:33:46 | 000,363,008 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\JCHSStudent\Local Settings\Application Data\qkm.exe
[2012/01/06 14:22:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JCHSStudent\My Documents\Excel, Bus 43B
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/21 12:34:47 | 000,009,104 | ---- | M] () -- C:\Documents and Settings\JCHSStudent\Local Settings\Application Data\35f875b8
[2012/01/21 12:34:47 | 000,008,994 | ---- | M] () -- C:\Documents and Settings\JCHSStudent\Application Data\c8ca31d6
[2012/01/21 12:34:47 | 000,008,936 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\ec640112
[2012/01/21 02:20:02 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/01/20 17:13:59 | 000,001,996 | ---- | M] () -- C:\Documents and Settings\JCHSStudent\Desktop\HiJackThis.lnk
[2012/01/20 16:33:46 | 000,363,008 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\JCHSStudent\Local Settings\Application Data\qkm.exe
[2012/01/17 08:59:31 | 000,433,372 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/01/17 08:59:31 | 000,068,162 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/01/17 08:56:02 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/17 08:55:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/12 10:16:53 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/20 17:13:59 | 000,001,996 | ---- | C] () -- C:\Documents and Settings\JCHSStudent\Desktop\HiJackThis.lnk
[2012/01/20 16:33:49 | 000,009,104 | ---- | C] () -- C:\Documents and Settings\JCHSStudent\Local Settings\Application Data\35f875b8
[2012/01/20 16:33:49 | 000,008,994 | ---- | C] () -- C:\Documents and Settings\JCHSStudent\Application Data\c8ca31d6
[2012/01/20 16:33:49 | 000,008,936 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ec640112
[2011/09/18 22:08:32 | 000,065,536 | ---- | C] () -- C:\WINDOWS\qt3wrap.dll
[2011/09/18 22:08:32 | 000,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2010/12/31 12:58:57 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2010/12/08 22:11:08 | 570,025,984 | ---- | C] () -- C:\Program Files\Adobe Acrobat 8 Professional.iso
[2010/09/19 22:01:03 | 000,000,202 | ---- | C] () -- C:\WINDOWS\System32\MatrixS.INI
[2010/09/11 11:28:44 | 000,011,310 | ---- | C] () -- C:\WINDOWS\hpdj5600.ini
[2010/08/08 09:34:07 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/24 10:37:54 | 000,023,032 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/07/22 18:22:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/07/22 17:55:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2010/07/11 16:55:45 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4814.dll
[2010/06/17 08:37:06 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/06/17 08:31:10 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/06/16 08:41:26 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/06/16 08:40:07 | 000,142,032 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/03/21 15:48:05 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/03/21 15:48:05 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 02:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 02:00:00 | 000,433,372 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 02:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 02:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 02:00:00 | 000,068,162 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 02:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 02:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 02:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 02:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 02:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/05/21 00:19:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\NavLogon.dll

< End of report >

#4
psycho_candy

Posted 22 January 2012 - 03:25 AM

Member

Topic Starter
Member
17 posts

hey josh,

thanks in advance for all your help. I look forward to what you can/will do for me. quick note: I did a little more research and found that this is a common infection. I found a quick and dirty process on another forum that involved booting the PC in safe mode and doing a system restore followed by running Malware Bytes.

my PC allowed me to do the above and ran normally after that. HOWEVER, Malware Bytes did not find anything amiss. I don't really trust that. I will go through the removal process with you. I just thought I should let you know what I did though.

cheers,
-bean

#5
psycho_candy

Posted 22 January 2012 - 12:26 PM

Member

Topic Starter
Member
17 posts

Here's the OTL quick scan log after I safebooted, restored, and ran Malware Bytes.

OTL logfile created on: 1/22/2012 10:13:50 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\JCHSStudent\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.05 Mb Total Physical Memory | 338.13 Mb Available Physical Memory | 33.34% Memory free
2.38 Gb Paging File | 1.64 Gb Available in Paging File | 68.93% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.20 Gb Total Space | 2.57 Gb Free Space | 6.92% Space Free | Partition Type: NTFS

Computer Name: DELL620 | User Name: JCHSStudent | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/21 13:16:09 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\JCHSStudent\My Documents\Downloads\OTL.exe
PRC - [2012/01/08 20:36:16 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/12/24 17:50:18 | 000,652,872 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/12/24 17:50:18 | 000,460,872 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/01/17 18:37:40 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2011/01/17 18:37:40 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2010/09/26 23:21:09 | 000,708,608 | ---- | M] (RaduKing) -- C:\Program Files\RKLauncher\RK_Launcher_041_Beta_Nightly\RKLauncher.exe
PRC - [2010/01/15 04:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2009/11/03 14:48:54 | 000,874,768 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe
PRC - [2009/11/03 14:45:52 | 000,348,160 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe
PRC - [2009/11/03 14:45:48 | 001,372,160 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
PRC - [2009/11/03 14:42:00 | 000,909,312 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
PRC - [2009/11/03 14:35:14 | 001,202,448 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
PRC - [2009/11/03 14:33:48 | 000,473,360 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
PRC - [2009/10/23 13:59:56 | 000,228,352 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech Touch Mouse Server\iTouch-Server-Win.exe
PRC - [2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/10 09:22:32 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
PRC - [2007/02/16 08:58:12 | 000,856,064 | ---- | M] (Christian Diefer) -- C:\Program Files\I8kfanGUI\I8kfanGUI.exe
PRC - [2006/11/03 18:20:12 | 000,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006/11/03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2003/05/21 00:27:46 | 000,610,304 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
PRC - [2003/05/21 00:22:36 | 000,032,768 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
PRC - [2003/05/21 00:21:18 | 000,090,112 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe

========== Modules (No Company Name) ==========

MOD - [2012/01/08 20:36:12 | 002,124,760 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/12/07 21:45:36 | 000,985,088 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\program\libxml2.dll
MOD - [2011/11/17 22:30:09 | 008,527,008 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2011/06/24 21:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/06/24 21:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2010/09/26 23:21:06 | 000,135,168 | ---- | M] () -- C:\Program Files\RKLauncher\RK_Launcher_041_Beta_Nightly\docklets\RecycleBin\RecycleBin.dll
MOD - [2009/11/03 14:35:46 | 000,200,704 | ---- | M] () -- C:\Program Files\Intel\WiFi\bin\iWMSProv.dll
MOD - [2008/04/13 16:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/13 16:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2003/05/21 00:19:00 | 000,045,056 | ---- | M] () -- C:\WINDOWS\system32\NavLogon.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/12/24 17:50:18 | 000,652,872 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2010/01/15 04:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2009/11/03 14:48:54 | 000,874,768 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2009/11/03 14:45:52 | 000,348,160 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe -- (WLANKEEPER) Intel®
SRV - [2009/11/03 14:42:00 | 000,909,312 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2009/11/03 14:33:48 | 000,473,360 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2006/11/03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2003/05/21 00:27:46 | 000,610,304 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe -- (Norton AntiVirus Server)
SRV - [2003/05/21 00:22:36 | 000,032,768 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe -- (DefWatch)

========== Driver Services (SafeList) ==========

DRV - [2012/01/22 10:16:14 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2010/10/18 00:00:00 | 001,371,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101018.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/10/18 00:00:00 | 000,086,064 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101018.002\NAVENG.SYS -- (NAVENG)
DRV - [2010/07/11 17:20:29 | 000,073,496 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/10/26 04:47:30 | 004,221,952 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel®
DRV - [2008/08/13 15:23:56 | 000,011,904 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2008/04/13 10:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2007/12/23 16:18:48 | 000,068,696 | ---- | M] (O2Micro) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\oz776.sys -- (guardian2)
DRV - [2007/05/10 09:24:34 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/02/16 01:05:48 | 000,014,464 | ---- | M] (Christian Diefer) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fanio.sys -- (fanio)
DRV - [2005/10/26 09:01:02 | 000,142,720 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2003/05/02 20:08:22 | 000,030,208 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Navapel.sys -- (NAVAPEL)
DRV - [2003/05/02 20:08:18 | 000,224,256 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Navap.sys -- (NAVAP)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\[email protected]/YahooActiveXPluginBridge;version=1.0.0.1: C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll (Yahoo! Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/08 20:36:20 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/22 10:08:36 | 000,000,000 | ---D | M]

[2010/10/17 20:14:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\JCHSStudent\Application Data\Mozilla\Extensions
[2010/10/17 20:14:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\JCHSStudent\Application Data\Mozilla\Extensions\[email protected]
[2012/01/20 16:59:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\JCHSStudent\Application Data\Mozilla\Firefox\Profiles\1a1ltn3t.default\extensions
[2011/03/21 08:57:04 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\JCHSStudent\Application Data\Mozilla\Firefox\Profiles\1a1ltn3t.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/01/08 20:36:28 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/01/08 20:36:18 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/02/02 20:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2007/03/09 15:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\mozilla firefox\plugins\npyaxmpb.dll
[2012/01/08 20:36:07 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/01/08 20:36:07 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2004/08/04 02:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel® Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe (Intel® Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO File not found
O4 - HKCU..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe (Christian Diefer)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Touch Mouse Server.lnk = C:\Program Files\Logitech Touch Mouse Server\iTouch-Server-Win.exe (Logitech, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Shortcut to RKLauncher.exe.lnk = C:\Program Files\RKLauncher\RK_Launcher_041_Beta_Nightly\RKLauncher.exe (RaduKing)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Defender.lnk = C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\JCHSStudent\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: aol.com ([free] http in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5B826DB3-68BA-4A15-97DF-83E8843C829D}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - (C:\WINDOWS\system32\NavLogon.dll) - C:\WINDOWS\system32\NavLogon.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\JCHSStudent\Application Data\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\JCHSStudent\Application Data\Mozilla\Firefox\Desktop Background.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/06/17 08:34:25 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/22 10:15:30 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/01/21 14:11:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2012/01/06 14:22:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JCHSStudent\My Documents\Excel, Bus 43B
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/22 10:16:14 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/01/22 01:47:11 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/01/21 14:26:15 | 000,433,372 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/01/21 14:26:15 | 000,068,162 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/01/21 14:21:56 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/21 14:21:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/21 14:16:39 | 000,008,975 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\ec640112
[2012/01/21 14:16:39 | 000,008,948 | ---- | M] () -- C:\Documents and Settings\JCHSStudent\Application Data\c8ca31d6
[2012/01/21 14:16:39 | 000,008,948 | ---- | M] () -- C:\Documents and Settings\JCHSStudent\Local Settings\Application Data\35f875b8
[2012/01/12 10:16:53 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/20 16:33:49 | 000,008,975 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ec640112
[2012/01/20 16:33:49 | 000,008,948 | ---- | C] () -- C:\Documents and Settings\JCHSStudent\Application Data\c8ca31d6
[2012/01/20 16:33:49 | 000,008,948 | ---- | C] () -- C:\Documents and Settings\JCHSStudent\Local Settings\Application Data\35f875b8
[2011/09/18 22:08:32 | 000,065,536 | ---- | C] () -- C:\WINDOWS\qt3wrap.dll
[2011/09/18 22:08:32 | 000,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2010/12/31 12:58:57 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2010/12/08 22:11:08 | 570,025,984 | ---- | C] () -- C:\Program Files\Adobe Acrobat 8 Professional.iso
[2010/09/19 22:01:03 | 000,000,202 | ---- | C] () -- C:\WINDOWS\System32\MatrixS.INI
[2010/09/11 11:28:44 | 000,011,310 | ---- | C] () -- C:\WINDOWS\hpdj5600.ini
[2010/08/08 09:34:07 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/24 10:37:54 | 000,023,032 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/07/22 18:22:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/07/22 17:55:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2010/07/11 16:55:45 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4814.dll
[2010/06/17 08:37:06 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/06/17 08:31:10 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/06/16 08:41:26 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/06/16 08:40:07 | 000,142,032 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/03/21 15:48:05 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/03/21 15:48:05 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 02:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 02:00:00 | 000,433,372 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 02:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 02:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 02:00:00 | 000,068,162 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 02:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 02:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 02:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 02:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 02:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/05/21 00:19:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\NavLogon.dll

========== LOP Check ==========

[2011/12/15 21:58:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2011/09/04 09:00:26 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/12/15 21:37:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/07/11 17:15:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2010/07/22 18:32:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/09/04 09:04:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JCHSStudent\Application Data\AVG2012
[2012/01/21 14:20:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JCHSStudent\Application Data\BitTorrent
[2010/10/17 20:14:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JCHSStudent\Application Data\Flickr
[2010/12/17 14:08:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JCHSStudent\Application Data\gtk-2.0
[2010/07/25 20:36:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JCHSStudent\Application Data\InterVideo
[2010/12/17 11:53:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JCHSStudent\Application Data\Local
[2010/07/26 19:15:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JCHSStudent\Application Data\OpenOffice.org
[2011/12/01 10:00:00 | 000,000,274 | ---- | M] () -- C:\WINDOWS\Tasks\JavaUpdate.job
[2012/01/22 01:47:11 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========

< End of report >

#6
Crag_Hack

Posted 22 January 2012 - 02:37 PM

Trusted Helper

Malware Removal
1,839 posts

Please wait while I revise my fix. I will get back to you soon.

#7
Crag_Hack

Posted 22 January 2012 - 03:19 PM

Trusted Helper

Malware Removal
1,839 posts

Hello psycho_candy. I like your name

I finished analyzing your OTL log. Now it is time to start disinfection and run a couple other scans. Also we will upload a couple files to see if they are malicious.

Step 1

There are several suspicious files on your machine that might or might not be malware. We will scan them to verify. Let me know if you have any trouble following these instructions. Please do the following:

Go to this site
Click the browse button on the top of the page
Navigate to this file C:\WINDOWS\impborl.dll and click the open button
Click the Upload button
If a pop-up appears saying the file has been scanned already, please select the ReScan button
Once the Scan is completed, click on the Copy to Clipboard button at the bottom of the page. This will copy the report into the Clipboard.
Paste the contents of the Clipboard in your next reply.

Now repeat the above instructions but this time for C:\WINDOWS\UNWISE.EXE.

Step 2

We will now do a quick clean with OTL.

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL

PRC - [2012/01/20 16:33:45 | 000,363,008 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\JCHSStudent\Local Settings\Temp\aewrocmxsn.exe
O37 - HKCU\...exe [@ = mdaw] -- "C:\Documents and Settings\JCHSStudent\Local Settings\Application Data\qkm.exe" -a "%1" %* (Microsoft Corporation)
[2012/01/20 16:33:46 | 000,363,008 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\JCHSStudent\Local Settings\Application Data\qkm.exe
[2012/01/21 12:34:47 | 000,009,104 | ---- | M] () -- C:\Documents and Settings\JCHSStudent\Local Settings\Application Data\35f875b8
[2012/01/21 12:34:47 | 000,008,994 | ---- | M] () -- C:\Documents and Settings\JCHSStudent\Application Data\c8ca31d6
[2012/01/21 12:34:47 | 000,008,936 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\ec640112

[2012/01/21 14:16:39 | 000,008,975 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\ec640112
[2012/01/21 14:16:39 | 000,008,948 | ---- | M] () -- C:\Documents and Settings\JCHSStudent\Application Data\c8ca31d6
[2012/01/21 14:16:39 | 000,008,948 | ---- | M] () -- C:\Documents and Settings\JCHSStudent\Local Settings\Application Data\35f875b8

:Files

C:\Documents and Settings\JCHSStudent\Local Settings\Temp\aewrocmxsn.exe

:Commands
[purity]
[resethosts]
[CREATERESTOREPOINT]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Then post the produced log (it will be in C:\_OTL\MovedFiles with a filename beginning with the date)
Open OTL again

Under the Custom Scans/Fixes box at the bottom, paste in the following

%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\*.*

Click the Quick Scan button. Post the log it produces as in your next reply as well.

Please also post the extras.txt file from the same directory as OTL in your next reply.

Step 3

We will now run Roguekiller to remove any remnants of Windows XP Home Security 2012.

Download RogueKiller to your desktop

Quit all running programs
run RogueKiller.exe
When prompted, type 2 and press enter
The RKreport[1].txt shall be generated next to the executable.
Press a key to continue
When prompted, type 0 and press enter to quit
If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport text files in your next Reply.

Step 4

Now for the final step. We will run aswMBR to check for nasty infections prevalent these days.

Download aswMBR.exe ( 1870KB ) to your desktop.
Double click the aswMBR.exe to run it
It will ask you if you want to download the latest Avast! virus definitions, answer no
Click the Scan button to start scan
On completion of the scan click Save log, save it to your desktop and post in your next reply

Things to see in your next post:
virscan.org upload results for both files
OTL fix log (it will be in C:\_OTL\MovedFiles with a filename beginning with the date)
OTL.txt
Extras.txt
RKreport[1].txt
aswMBR log

That's it for now!

#8
psycho_candy

Posted 23 January 2012 - 01:51 AM

Member

Topic Starter
Member
17 posts

impborl.dll scan results:

VirSCAN.org Scanned Report :
Scanned time : 2012/01/23 15:46:53 (CST)
Scanner results: Scanners did not find malware!
File Name : impborl.dll
File Size : 12288 byte
File Type : PE32 executable for MS Windows (DLL) (console) Intel 80386 3
MD5 : 23a38a0f3b5fb112809c339725a9e318
SHA1 : 165dc2cb79d167b53bd35d42eb9ff33087040a19
Online report : http://r.virscan.org...f210288fbb9f983

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 20120123140230 2012-01-23 0.26 -
AhnLab V3 2012.01.23.00 2012.01.23 2012-01-23 3.03 -
AntiVir 8.2.8.34 7.11.21.127 2012-01-22 0.25 -
Antiy 2.0.18 20120123.15905382 2012-01-23 0.02 -
Arcavir 2011 201201221541 2012-01-22 3.48 -
Authentium 5.1.1 201201230608 2012-01-23 1.44 -
AVAST! 4.7.4 120122-1 2012-01-22 0.01 -
AVG 10.0.1405 2090/4760 2012-01-22 0.07 -
BitDefender 7.90123.7901111 7.40702 2012-01-23 4.03 -
ClamAV 0.97.1 14338 2012-01-23 0.01 -
Comodo 5.1 11330 2012-01-23 2.06 -
CP Secure 1.3.0.5 2012.01.22 2012-01-22 0.04 -
Dr.Web 7.0.0.11250 2012.01.23 2012-01-23 11.28 -
F-Prot 4.6.2.117 20120122 2012-01-22 0.77 -
F-Secure 7.02.73807 2012.01.10.04 2012-01-10 0.20 -
Fortinet 4.2.257 15.124 2012-01-22 0.10 -
GData 22.3586 20120123 2012-01-23 4.60 -
ViRobot 20120121 2012.01.21 2012-01-21 0.33 -
Ikarus T3.1.32.20.0 2012.01.23.80304 2012-01-23 5.08 -
JiangMin 13.0.900 2011.11.26 2011-11-26 2.14 -
Kaspersky 5.5.10 2012.01.23 2012-01-23 0.12 -
KingSoft 2009.2.5.15 2012.1.23.9 2012-01-23 0.87 -
McAfee 5400.1158 6597 2012-01-22 10.89 -
Microsoft 1.8001 2012.01.23 2012-01-23 3.22 -
NOD32 3.0.21 6816 2012-01-22 0.04 -
Panda 9.05.01 2012.01.22 2012-01-22 2.12 -
Trend Micro 9.500-1005 8.728.02 2012-01-22 0.03 -
Quick Heal 11.00 2012.01.23 2012-01-23 1.29 -
Rising 20.0 23.93.02.01 2012-01-18 2.31 -
Sophos 3.27.0 4.73 2012-01-23 4.63 -
Sunbelt 3.9.2526.2 11438 2012-01-22 0.65 -
Symantec 1.3.0.24 20120122.004 2012-01-22 0.05 -
nProtect 20120122.01 11832391 2012-01-22 1.14 -
The Hacker 6.7.0.1 v00384 2012-01-22 0.53 -
VBA32 3.12.16.4 20120120.2024 2012-01-20 3.94 -
VirusBuster 5.4.0.10 14.1.180.1/74922422012-01-22 0.01 -

#9
psycho_candy

Posted 23 January 2012 - 01:55 AM

Member

Topic Starter
Member
17 posts

UNWISE.EXE scan results:

VirSCAN.org Scanned Report :
Scanned time : 2012/01/23 15:52:34 (CST)
Scanner results: Scanners did not find malware!
File Name : UNWISE.EXE
File Size : 149504 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 443e13846997c537e8f5ed61130ab705
SHA1 : 6b10d458a5f1e3dbf8dfa96b118cf232d3a66f5f
Online report : http://r.virscan.org...9f58dda6d5929c4

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 20120123140230 2012-01-23 0.30 -
AhnLab V3 2012.01.23.00 2012.01.23 2012-01-23 2.93 -
AntiVir 8.2.8.34 7.11.21.127 2012-01-22 0.26 -
Antiy 2.0.18 20120123.15905382 2012-01-23 0.02 -
Arcavir 2011 201201221541 2012-01-22 3.43 -
Authentium 5.1.1 201201230608 2012-01-23 1.50 -
AVAST! 4.7.4 120122-1 2012-01-22 0.03 -
AVG 10.0.1405 2090/4760 2012-01-22 0.09 -
BitDefender 7.90123.7901111 7.40702 2012-01-23 4.02 -
ClamAV 0.97.1 14338 2012-01-23 0.05 -
Comodo 5.1 11330 2012-01-23 2.11 -
CP Secure 1.3.0.5 2012.01.22 2012-01-22 0.07 -
Dr.Web 7.0.0.11250 2012.01.23 2012-01-23 11.42 -
F-Prot 4.6.2.117 20120122 2012-01-22 0.84 -
F-Secure 7.02.73807 2012.01.10.04 2012-01-10 0.28 -
Fortinet 4.2.257 15.124 2012-01-22 0.10 -
GData 22.3586 20120123 2012-01-23 4.91 -
ViRobot 20120121 2012.01.21 2012-01-21 0.33 -
Ikarus T3.1.32.20.0 2012.01.23.80304 2012-01-23 5.07 -
JiangMin 13.0.900 2011.11.26 2011-11-26 1.99 -
Kaspersky 5.5.10 2012.01.23 2012-01-23 0.20 -
KingSoft 2009.2.5.15 2012.1.23.9 2012-01-23 0.93 -
McAfee 5400.1158 6597 2012-01-22 10.86 -
Microsoft 1.8001 2012.01.23 2012-01-23 3.41 -
NOD32 3.0.21 6816 2012-01-22 0.04 -
Panda 9.05.01 2012.01.22 2012-01-22 2.07 -
Trend Micro 9.500-1005 8.728.02 2012-01-22 0.06 -
Quick Heal 11.00 2012.01.23 2012-01-23 1.15 -
Rising 20.0 23.93.02.01 2012-01-18 0.73 -
Sophos 3.27.0 4.73 2012-01-23 4.62 -
Sunbelt 3.9.2526.2 11438 2012-01-22 0.70 -
Symantec 1.3.0.24 20120122.004 2012-01-22 0.06 -
nProtect 20120122.01 11832391 2012-01-22 1.16 -
The Hacker 6.7.0.1 v00384 2012-01-22 0.54 -
VBA32 3.12.16.4 20120120.2024 2012-01-20 4.49 -
VirusBuster 5.4.0.10 14.1.180.1/74922422012-01-22 0.02 -

#10
psycho_candy

Posted 23 January 2012 - 02:02 AM

Member

Topic Starter
Member
17 posts

OTL scan after first Run Fix:

========== OTL ==========
No active process named aewrocmxsn.exe was found!
Registry key HKEY_CURRENT_USER\Software\Classes\.exe\ not found.
Registry key HKEY_CURRENT_USER\Software\Classes\mdaw\ not found.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
File C:\Documents and Settings\JCHSStudent\Local Settings\Application Data\qkm.exe not found.
C:\Documents and Settings\JCHSStudent\Local Settings\Application Data\35f875b8 moved successfully.
C:\Documents and Settings\JCHSStudent\Application Data\c8ca31d6 moved successfully.
C:\Documents and Settings\All Users\Application Data\ec640112 moved successfully.
File C:\Documents and Settings\All Users\Application Data\ec640112 not found.
File C:\Documents and Settings\JCHSStudent\Application Data\c8ca31d6 not found.
File C:\Documents and Settings\JCHSStudent\Local Settings\Application Data\35f875b8 not found.
========== FILES ==========
File\Folder C:\Documents and Settings\JCHSStudent\Local Settings\Temp\aewrocmxsn.exe not found.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.31.0 log created on 01222012_235623

#11
psycho_candy

Posted 23 January 2012 - 02:08 AM

Member

Topic Starter
Member
17 posts

second OTL quick scan:

OTL logfile created on: 1/23/2012 12:03:02 AM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\JCHSStudent\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.05 Mb Total Physical Memory | 355.55 Mb Available Physical Memory | 35.06% Memory free
2.38 Gb Paging File | 1.88 Gb Available in Paging File | 79.03% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.20 Gb Total Space | 2.62 Gb Free Space | 7.03% Space Free | Partition Type: NTFS

Computer Name: DELL620 | User Name: JCHSStudent | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/21 13:16:09 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\JCHSStudent\My Documents\Downloads\OTL.exe
PRC - [2012/01/08 20:36:16 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/12/24 17:50:18 | 000,652,872 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/01/17 18:37:40 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2011/01/17 18:37:40 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2010/09/26 23:21:09 | 000,708,608 | ---- | M] (RaduKing) -- C:\Program Files\RKLauncher\RK_Launcher_041_Beta_Nightly\RKLauncher.exe
PRC - [2010/01/15 04:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2009/11/03 14:48:54 | 000,874,768 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe
PRC - [2009/11/03 14:45:52 | 000,348,160 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe
PRC - [2009/11/03 14:45:48 | 001,372,160 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
PRC - [2009/11/03 14:42:00 | 000,909,312 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
PRC - [2009/11/03 14:35:14 | 001,202,448 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
PRC - [2009/11/03 14:33:48 | 000,473,360 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
PRC - [2009/10/23 13:59:56 | 000,228,352 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech Touch Mouse Server\iTouch-Server-Win.exe
PRC - [2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/10 09:22:32 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
PRC - [2007/02/16 08:58:12 | 000,856,064 | ---- | M] (Christian Diefer) -- C:\Program Files\I8kfanGUI\I8kfanGUI.exe
PRC - [2006/11/03 18:20:12 | 000,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006/11/03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2003/05/21 00:27:46 | 000,610,304 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
PRC - [2003/05/21 00:22:36 | 000,032,768 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
PRC - [2003/05/21 00:21:18 | 000,090,112 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe

========== Modules (No Company Name) ==========

MOD - [2012/01/08 20:36:12 | 002,124,760 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/12/07 21:45:36 | 000,985,088 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\program\libxml2.dll
MOD - [2011/11/17 22:30:09 | 008,527,008 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2011/06/24 21:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/06/24 21:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2010/09/26 23:21:06 | 000,135,168 | ---- | M] () -- C:\Program Files\RKLauncher\RK_Launcher_041_Beta_Nightly\docklets\RecycleBin\RecycleBin.dll
MOD - [2009/11/03 14:35:46 | 000,200,704 | ---- | M] () -- C:\Program Files\Intel\WiFi\bin\iWMSProv.dll
MOD - [2003/05/21 00:19:00 | 000,045,056 | ---- | M] () -- C:\WINDOWS\system32\NavLogon.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/12/24 17:50:18 | 000,652,872 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2010/01/15 04:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2009/11/03 14:48:54 | 000,874,768 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2009/11/03 14:45:52 | 000,348,160 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe -- (WLANKEEPER) Intel®
SRV - [2009/11/03 14:42:00 | 000,909,312 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2009/11/03 14:33:48 | 000,473,360 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2006/11/03 18:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2003/05/21 00:27:46 | 000,610,304 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe -- (Norton AntiVirus Server)
SRV - [2003/05/21 00:22:36 | 000,032,768 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe -- (DefWatch)

========== Driver Services (SafeList) ==========

DRV - [2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2010/10/18 00:00:00 | 001,371,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101018.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/10/18 00:00:00 | 000,086,064 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101018.002\NAVENG.SYS -- (NAVENG)
DRV - [2010/07/11 17:20:29 | 000,073,496 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/10/26 04:47:30 | 004,221,952 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel®
DRV - [2008/08/13 15:23:56 | 000,011,904 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2008/04/13 10:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2007/12/23 16:18:48 | 000,068,696 | ---- | M] (O2Micro) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\oz776.sys -- (guardian2)
DRV - [2007/05/10 09:24:34 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/02/16 01:05:48 | 000,014,464 | ---- | M] (Christian Diefer) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fanio.sys -- (fanio)
DRV - [2005/10/26 09:01:02 | 000,142,720 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2003/05/02 20:08:22 | 000,030,208 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Navapel.sys -- (NAVAPEL)
DRV - [2003/05/02 20:08:18 | 000,224,256 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Navap.sys -- (NAVAP)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\[email protected]/YahooActiveXPluginBridge;version=1.0.0.1: C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll (Yahoo! Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/08 20:36:20 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/22 10:08:36 | 000,000,000 | ---D | M]

[2010/10/17 20:14:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\JCHSStudent\Application Data\Mozilla\Extensions
[2010/10/17 20:14:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\JCHSStudent\Application Data\Mozilla\Extensions\[email protected]
[2012/01/20 16:59:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\JCHSStudent\Application Data\Mozilla\Firefox\Profiles\1a1ltn3t.default\extensions
[2011/03/21 08:57:04 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\JCHSStudent\Application Data\Mozilla\Firefox\Profiles\1a1ltn3t.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/01/08 20:36:28 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/01/08 20:36:18 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/02/02 20:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2007/03/09 15:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\mozilla firefox\plugins\npyaxmpb.dll
[2012/01/08 20:36:07 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/01/08 20:36:07 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/01/22 23:56:24 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel® Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe (Intel® Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO File not found
O4 - HKCU..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe (Christian Diefer)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Touch Mouse Server.lnk = C:\Program Files\Logitech Touch Mouse Server\iTouch-Server-Win.exe (Logitech, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Shortcut to RKLauncher.exe.lnk = C:\Program Files\RKLauncher\RK_Launcher_041_Beta_Nightly\RKLauncher.exe (RaduKing)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Defender.lnk = C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\JCHSStudent\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: aol.com ([free] http in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5B826DB3-68BA-4A15-97DF-83E8843C829D}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - (C:\WINDOWS\system32\NavLogon.dll) - C:\WINDOWS\system32\NavLogon.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\JCHSStudent\Application Data\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\JCHSStudent\Application Data\Mozilla\Firefox\Desktop Background.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/06/17 08:34:25 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/22 23:56:23 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/01/21 14:11:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2012/01/06 14:22:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JCHSStudent\My Documents\Excel, Bus 43B
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/23 00:01:36 | 000,433,372 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/01/23 00:01:36 | 000,068,162 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/01/23 00:00:38 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/01/22 23:57:52 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/22 23:57:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/22 23:56:24 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2012/01/12 10:16:53 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/18 22:08:32 | 000,065,536 | ---- | C] () -- C:\WINDOWS\qt3wrap.dll
[2011/09/18 22:08:32 | 000,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2010/12/31 12:58:57 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2010/12/08 22:11:08 | 570,025,984 | ---- | C] () -- C:\Program Files\Adobe Acrobat 8 Professional.iso
[2010/09/19 22:01:03 | 000,000,202 | ---- | C] () -- C:\WINDOWS\System32\MatrixS.INI
[2010/09/11 11:28:44 | 000,011,310 | ---- | C] () -- C:\WINDOWS\hpdj5600.ini
[2010/08/08 09:34:07 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/24 10:37:54 | 000,023,032 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/07/22 18:22:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/07/22 17:55:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2010/07/11 16:55:45 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4814.dll
[2010/06/17 08:37:06 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/06/17 08:31:10 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/06/16 08:41:26 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/06/16 08:40:07 | 000,142,032 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/03/21 15:48:05 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/03/21 15:48:05 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 02:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 02:00:00 | 000,433,372 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 02:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 02:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 02:00:00 | 000,068,162 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 02:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 02:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 02:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 02:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 02:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/05/21 00:19:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\NavLogon.dll

========== LOP Check ==========

[2011/12/15 21:58:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2011/09/04 09:00:26 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/12/15 21:37:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/07/11 17:15:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2010/07/22 18:32:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/09/04 09:04:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JCHSStudent\Application Data\AVG2012
[2012/01/21 14:20:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JCHSStudent\Application Data\BitTorrent
[2010/10/17 20:14:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JCHSStudent\Application Data\Flickr
[2010/12/17 14:08:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JCHSStudent\Application Data\gtk-2.0
[2010/07/25 20:36:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JCHSStudent\Application Data\InterVideo
[2010/12/17 11:53:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JCHSStudent\Application Data\Local
[2010/07/26 19:15:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JCHSStudent\Application Data\OpenOffice.org
[2011/12/01 10:00:00 | 000,000,274 | ---- | M] () -- C:\WINDOWS\Tasks\JavaUpdate.job
[2012/01/23 00:00:38 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========

========== Custom Scans ==========

< %Temp%\smtmp\1\*.* >

< %Temp%\smtmp\2\*.* >

< %Temp%\smtmp\3\*.* >

< %Temp%\smtmp\4\*.* >

< C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\*.* >

< End of report >

#12
psycho_candy

Posted 23 January 2012 - 02:10 AM

Member

Topic Starter
Member
17 posts

extras.txt from OTL directory:

OTL Extras logfile created on: 1/22/2012 10:13:51 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\JCHSStudent\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.05 Mb Total Physical Memory | 338.13 Mb Available Physical Memory | 33.34% Memory free
2.38 Gb Paging File | 1.64 Gb Available in Paging File | 68.93% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.20 Gb Total Space | 2.57 Gb Free Space | 6.92% Space Free | Partition Type: NTFS

Computer Name: DELL620 | User Name: JCHSStudent | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
"C:\Program Files\Logitech Touch Mouse Server\iTouch-Server-Win.exe" = C:\Program Files\Logitech Touch Mouse Server\iTouch-Server-Win.exe:*:Enabled:Logitech -- (Logitech, Inc.)
"C:\Program Files\VideoLAN\VLC\vlc.exe" = C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player -- ()
"C:\Program Files\World of Warcraft\Launcher.exe" = C:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher
"C:\Program Files\World of Warcraft\Launcher.patch.exe" = C:\Program Files\World of Warcraft\Launcher.patch.exe:*:Enabled:Blizzard Launcher
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe" = C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader
"C:\Program Files\AVG\AVG2012\avgmfapx.exe" = C:\Program Files\AVG\AVG2012\avgmfapx.exe:*:Enabled:AVG Installer
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{09760D42-E223-42AD-8C3E-55B47D0DDAC3}" = Roxio Creator DE
"{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}" = Symantec AntiVirus Client
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 24
"{26A24AE4-039D-4CA4-87B4-2F83216022F0}" = Java™ 6 Update 22
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{70FCF545-F942-4E6E-900B-43AF9476D723}" = Migratr
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
"{82CE6B7B-9665-4E29-8CE0-DD993484B38D}" = Intel® PROSet/Wireless WiFi Software
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{926BD0E8-24A3-41D2-AF9B-340F1A37ED12}" = MobileMe Control Panel
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{B7DBF6E8-0D17-4BE4-853B-ACD6EFBD4A1F}" = iTunes
"{B7F54262-AB66-44B3-88BF-9FC69941B643}" = Broadcom Gigabit Integrated Controller
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DB5518BE-F40F-407A-B451-012625D4497B}" = hp deskjet 5600
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator DE
"{EDC2B89F-3F72-48EA-B63E-985BC51622E4}" = OZ776 SCR Driver V1.1.4.202
"7-Zip" = 7-Zip 9.20
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"BitTorrent" = BitTorrent
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"Creative Jukebox Driver" = Creative Jukebox Driver
"HDMI" = Intel® Graphics Media Accelerator Driver
"I8kfanGUI" = I8kfanGUI V3.1
"InstallShield_{EDC2B89F-3F72-48EA-B63E-985BC51622E4}" = OZ776 SCR Driver V1.1.4.202
"LiveUpdate" = LiveUpdate 1.80 (Symantec Corporation)
"Logitech Touch Mouse Server" = Logitech Touch Mouse Server 1.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 9.0.1 (x86 en-US)" = Mozilla Firefox 9.0.1 (x86 en-US)
"Picasa 3" = Picasa 3
"ProInst" = Intel PROSet Wireless
"VLC media player" = VLC media player 1.1.11
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = GIMP 2.6.11
"Yahoo! Widget Engine" = Yahoo! Widgets
"YInstHelper" = Yahoo! Install Manager

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/17/2012 12:23:02 AM | Computer Name = DELL620 | Source = WinDefendRtp | ID = 3002
Description = %%827 Real-Time Protection agent has encountered an error and failed
to start. User: DELL620\JCHSStudent Agent: IEAddInsAgent Error Code: 0x8007139f Error
description: The group or resource is not in the correct state to perform the requested
operation.

Error - 1/17/2012 12:23:02 AM | Computer Name = DELL620 | Source = WinDefendRtp | ID = 3002
Description = %%827 Real-Time Protection agent has encountered an error and failed
to start. User: DELL620\JCHSStudent Agent: IEDownloadsAndOutlookAttachmentsAgent Error
Code: 0x8007139f Error description: The group or resource is not in the correct
state to perform the requested operation.

Error - 1/17/2012 12:56:24 PM | Computer Name = DELL620 | Source = WinDefendRtp | ID = 3002
Description = %%827 Real-Time Protection agent has encountered an error and failed
to start. User: DELL620\JCHSStudent Agent: IEConfigurationAgent Error Code: 0x8007139f

Error
description: The group or resource is not in the correct state to perform the requested
operation.

Error - 1/17/2012 12:56:24 PM | Computer Name = DELL620 | Source = WinDefendRtp | ID = 3002
Description = %%827 Real-Time Protection agent has encountered an error and failed
to start. User: DELL620\JCHSStudent Agent: IEAddInsAgent Error Code: 0x8007139f Error
description: The group or resource is not in the correct state to perform the requested
operation.

Error - 1/17/2012 12:56:24 PM | Computer Name = DELL620 | Source = WinDefendRtp | ID = 3002
Description = %%827 Real-Time Protection agent has encountered an error and failed
to start. User: DELL620\JCHSStudent Agent: IEDownloadsAndOutlookAttachmentsAgent Error
Code: 0x8007139f Error description: The group or resource is not in the correct
state to perform the requested operation.

Error - 1/20/2012 8:56:48 PM | Computer Name = DELL620 | Source = Application Error | ID = 1000
Description = Faulting application installflashplayer.exe, version 0.0.0.0, faulting
module , version 0.0.0.0, fault address 0x00000000.

Error - 1/21/2012 6:20:01 AM | Computer Name = DELL620 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80070424, P2 updateservicemanager-_get_services,
P3 fallbackcheck, P4 1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender,
P8 NIL, P9 NIL, P10 NIL.

Error - 1/21/2012 6:22:55 PM | Computer Name = DELL620 | Source = WinDefendRtp | ID = 3002
Description = %%827 Real-Time Protection agent has encountered an error and failed
to start. User: DELL620\JCHSStudent Agent: IEConfigurationAgent Error Code: 0x8007139f

Error
description: The group or resource is not in the correct state to perform the requested
operation.

Error - 1/21/2012 6:22:55 PM | Computer Name = DELL620 | Source = WinDefendRtp | ID = 3002
Description = %%827 Real-Time Protection agent has encountered an error and failed
to start. User: DELL620\JCHSStudent Agent: IEAddInsAgent Error Code: 0x8007139f Error
description: The group or resource is not in the correct state to perform the requested
operation.

Error - 1/21/2012 6:22:55 PM | Computer Name = DELL620 | Source = WinDefendRtp | ID = 3002
Description = %%827 Real-Time Protection agent has encountered an error and failed
to start. User: DELL620\JCHSStudent Agent: IEDownloadsAndOutlookAttachmentsAgent Error
Code: 0x8007139f Error description: The group or resource is not in the correct
state to perform the requested operation.

[ System Events ]
Error - 1/17/2012 12:55:31 PM | Computer Name = DELL620 | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 1/17/2012 12:55:40 PM | Computer Name = DELL620 | Source = NAVAP | ID = 458772
Description = Unable to initialize the virus scanning engine database files.

Error - 1/21/2012 6:13:01 PM | Computer Name = DELL620 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips intelppm

Error - 1/21/2012 6:15:29 PM | Computer Name = DELL620 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 1/21/2012 6:17:27 PM | Computer Name = DELL620 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 1/21/2012 6:21:42 PM | Computer Name = DELL620 | Source = WinDefend | ID = 2004
Description = %%827 has encountered an error trying to load signatures and will
attempt reverting back to a known-good set of signatures. Signatures Attempted: %%824

Error
Code: 0x8050a001 Error description: The program can't find definition files that
help detect unwanted software. Check for updates to the definition files, and then
try again. For information on installing updates, see Help and Support. Signatures
loading: %%825 Loading signature version: 1.117.3022.0 Loading engine version: 1.1.7903.0

Error - 1/21/2012 6:21:47 PM | Computer Name = DELL620 | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 1/21/2012 6:21:47 PM | Computer Name = DELL620 | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 1/21/2012 6:21:47 PM | Computer Name = DELL620 | Source = DCOM | ID = 10016
Description = The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission
can be modified using the Component Services administrative tool.

Error - 1/21/2012 6:22:11 PM | Computer Name = DELL620 | Source = NAVAP | ID = 458772
Description = Unable to initialize the virus scanning engine database files.

< End of report >

#13
psycho_candy

Posted 23 January 2012 - 02:13 AM

Member

Topic Starter
Member
17 posts

thanks Josh. my handle is the title of a Jesus & Mary Chain album. they're one of my favorite bands. do you like them too? or do you just like the handle?

anyway, that's it for tonight. thanks for the help. i will do steps 3 & 4 tomorrow!

:thumbsup:

#14
psycho_candy

Posted 23 January 2012 - 10:59 AM

Member

Topic Starter
Member
17 posts

Rogue Killer report:

RogueKiller V6.2.4 [01/12/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: JCHSStudent [Admin rights]
Mode: Remove -- Date : 01/23/2012 08:57:31

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤
[SCRSV] HKCU\[...]\Desktop : SCRNSAVE.EXE (C:\WINDOWS\TARDIS~1.SCR) -> REPLACED (c:\windows\system32\logon.scr)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] df630065d569fb2802d50d95d927e2b5
[BSP] 7b8f5ee455403a1078baa61c380f6446 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 65 Mo
1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 128520 | Size: 39941 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

#15
psycho_candy

Posted 23 January 2012 - 11:08 AM

Member

Topic Starter
Member
17 posts

MBR scan report:

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-23 09:04:24
-----------------------------
09:04:24.125 OS Version: Windows 5.1.2600 Service Pack 3
09:04:24.125 Number of processors: 2 586 0xF06
09:04:24.125 ComputerName: DELL620 UserName:
09:04:24.718 Initialize success
09:05:20.437 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
09:05:20.437 Disk 0 Vendor: ST940814AS 3.CDD Size: 38154MB BusType: 3
09:05:20.453 Disk 0 MBR read successfully
09:05:20.453 Disk 0 MBR scan
09:05:20.453 Disk 0 Windows XP default MBR code
09:05:20.453 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
09:05:20.468 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 38091 MB offset 128520
09:05:20.468 Disk 0 scanning sectors +78140160
09:05:20.953 Disk 0 scanning C:\WINDOWS\system32\drivers
09:05:26.531 Service scanning
09:05:27.468 Modules scanning
09:05:33.031 Disk 0 trace - called modules:
09:05:33.046 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
09:05:33.046 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d42030]
09:05:33.046 3 CLASSPNP.SYS[f757efd7] -> nt!IofCallDriver -> \Device\0000007d[0x86d6f2f0]
09:05:33.046 5 ACPI.sys[f7415620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86d68940]
09:05:33.046 Scan finished successfully
09:06:05.609 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\JCHSStudent\My Documents\Downloads\MBR.dat"
09:06:05.640 The log file has been saved successfully to "C:\Documents and Settings\JCHSStudent\My Documents\Downloads\aswMBR.txt"