
Thread: Problem with Windows XP machine Malware

  1. #1
    Junior Member
    Join Date
    Mar 2011
    Posts
    6

    Problem with Windows XP machine Malware

    Hi guys, first post here, so here it is:

    The computer is quite old but is only used for web browsing anyway, the Windows XP is all up to date with service pack 3 and the subsequent updates.

    It seems to be quite badly infected with something that is causing a few problems. It's saying I don't have the administrative rights to open certain programs, one of those included is the AV software on the computer, Microsoft Security Essentials. Another thing it keeps doing is to tamper with the proxy server settings in the internet options section of the control panel. To browse the web I have to navigate into this and uncheck the proxy server option under LAN settings. If I don't do this I get an FTP, HTTP related error and I can't connect.

    I have uploaded the zipped "attach" file as requested as well.

    Anyway, here is my DDS log:

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Compaq_Owner at 23:46:54.82 on 11/03/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.446.41 [GMT 0:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: Smart Internet Protection 2011 *Enabled/Updated* {29629175-6AB1-4717-A311-2D5C658F613B}
    FW: Smart Internet Protection 2011 *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\FinePixViewer\QuickDCF2.exe
    C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    svchost.exe
    C:\WINDOWS\system32\bgsvcgen.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\Documents and Settings\Compaq_Owner\My Documents\Downloads\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = www.google.co.uk
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyServer = http=127.0.0.1:33554
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Virgin Media Toolbar: {a057a204-bacc-4d26-cfc3-3cecc9ab2eda} - c:\progra~1\virgin~2\VIRGIN~1.DLL
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
    TB: Virgin Media Toolbar: {a057a204-bacc-4d26-cfc3-3cecc9ab2eda} - c:\progra~1\virgin~2\VIRGIN~1.DLL
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [AROReminder] c:\program files\advanced registry optimizer\aro.exe -rem
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
    mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
    mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
    mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [KBD] c:\hp\kbd\KBD.EXE
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [AlcxMonitor] ALCXMNTR.EXE
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OUFWRlJFRS1WWllGOC1DSzdRRy05VUJVUi03U1VMUy00NEtSMi1GS1NV"&"inst=NzctNTQzMjMzMjc0LVQxLUJBKzEtS1YzKzctVUNBTEwrMS1CQVI4RysxLVVDQUxMMisyLUZMKzgtRjhNMTFDKzEtVVBHKzIwMTE"&"prod=90"&"ver=10.0.1204
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF2.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    uPolicies-explorer: DisallowRun = 1 (0x1)
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/xp_mail.cab
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: wmplayer - {AA6C5B79-923F-4E84-8663-4F099A378989} - c:\windows\wmplayer.dll
    SSODL: wmsound - {63DAE9BE-84E7-4E50-8022-AFC45EEF9C5F} - c:\windows\wmsound.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    IFEO: image file execution options - svchost.exe
    Hosts: 64.34.212.70 www.google.com
    Hosts: 64.34.212.70 google.com
    Hosts: 64.34.212.70 google.com.au
    Hosts: 64.34.212.70 www.google.com.au
    Hosts: 64.34.212.70 google.be
    .
    Note: multiple HOSTS entries found. Please refer to Attach.txt
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
    R1 MpKslcb5ead1a;MpKslcb5ead1a;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{249e0e77-cee2-41f6-8c8d-6cfb3cbdc90d}\MpKslcb5ead1a.sys [2011-3-11 28752]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-25 135664]
    .
    =============== Created Last 30 ================
    .
    2011-03-11 23:45:51 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{249e0e77-cee2-41f6-8c8d-6cfb3cbdc90d}\MpKslcb5ead1a.sys
    2011-03-11 10:37:46 5943120 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{249e0e77-cee2-41f6-8c8d-6cfb3cbdc90d}\mpengine.dll
    2011-02-25 18:53:43 274288 ----a-w- c:\windows\system32\mucltui.dll
    2011-02-25 18:53:43 215920 ----a-w- c:\windows\system32\muweb.dll
    2011-02-25 18:53:43 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
    2011-02-25 13:42:21 5943120 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2011-02-25 13:40:41 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-02-25 13:38:22 -------- d-----w- c:\program files\Microsoft Security Client
    2011-02-25 10:14:23 -------- d-----w- c:\docume~1\compaq~1\applic~1\SUPERAntiSpyware.com
    2011-02-25 10:14:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2011-02-25 10:14:10 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-02-25 10:13:45 -------- d-----w- c:\docume~1\compaq~1\applic~1\Malwarebytes
    2011-02-25 10:13:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-25 10:13:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-25 10:13:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-25 10:13:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-02-15 17:17:40 274801 ----a-w- c:\program files\online services\btesat\1890hp.exe
    2011-02-14 18:03:41 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\SIPYOTP
    2011-02-14 18:03:11 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\8fd40d
    2011-02-14 17:48:17 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
    2011-02-14 17:40:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
    2011-02-10 11:35:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
    .
    ==================== Find3M ====================
    .
    2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
    .
    ============= FINISH: 23:48:17.73 ===============


    Thanks.
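    As an added triage example (not part of this thread and not code from DDS, ComboFix or any tool named here), the script below scans "Pseudo HJT Report" style lines for the indicators a helper would pick out of the log above: a proxy pointing at the local machine, the Explorer DisallowRun policy, an IFEO entry for a system binary, hosts-file pins to non-loopback addresses and SSODL DLLs loaded from outside system32. The sample lines are copied from the posted log; the rule thresholds and the assumption that loopback/0.0.0.0 hosts entries are benign are mine.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines taken from the "Pseudo HJT Report" section
# of the DDS log in post #1, plus one benign Hosts line for contrast.
SAMPLE_DDS = r"""uStart Page = www.google.co.uk
uInternet Settings,ProxyServer = http=127.0.0.1:33554
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uPolicies-explorer: DisallowRun = 1 (0x1)
SSODL: wmplayer - {AA6C5B79-923F-4E84-8663-4F099A378989} - c:\windows\wmplayer.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: image file execution options - svchost.exe
Hosts: 64.34.212.70 www.google.com
Hosts: 127.0.0.1 localhost
"""


@dataclass
class Finding:
    kind: str    # short tag: proxy, policy, ifeo, hosts, ssodl
    line: str    # the offending log line, verbatim
    detail: str  # why the line was flagged


# Addresses that a hosts entry may legitimately point at (ad-blocking lists use
# 0.0.0.0 / 127.0.0.1); anything else is a redirect away from DNS. Assumption.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0", "localhost"}
SYSTEM32 = "c:\\windows\\system32\\"

PROXY_RE = re.compile(r"Internet Settings,ProxyServer\s*=\s*(.+)$")
POLICY_RE = re.compile(r"^uPolicies-explorer:\s+DisallowRun\s*=\s*1\b")
IFEO_RE = re.compile(r"^IFEO:.*-\s+(\S+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
SSODL_RE = re.compile(r"^SSODL:\s+(\S+)\s+-\s+\{[0-9A-Fa-f-]+\}\s+-\s+(.+)$")


def _proxy_targets(value):
    """Split 'http=127.0.0.1:33554;https=...' or a bare 'host:port' into (scheme, host, port)."""
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        yield scheme or "*", host or hostport, port


def triage(text):
    """Return a list of Finding objects for every suspicious line in a DDS-style report."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PROXY_RE.search(line)
        if m:
            for scheme, host, port in _proxy_targets(m.group(1)):
                if host.lower() in LOOPBACK:
                    findings.append(Finding("proxy", line,
                        f"{scheme} traffic is forced through a proxy on this machine ({host}:{port}); "
                        "matches the 'must uncheck the LAN proxy box to browse' symptom"))
            continue
        if POLICY_RE.search(line):
            findings.append(Finding("policy", line,
                "Explorer DisallowRun policy is set; programs on its list are refused at launch, "
                "a common way of blocking security tools"))
            continue
        m = IFEO_RE.search(line)
        if m:
            findings.append(Finding("ifeo", line,
                f"Image File Execution Options entry exists for {m.group(1)}; "
                "a Debugger value there intercepts every launch of that binary"))
            continue
        m = HOSTS_RE.search(line)
        if m:
            ip, name = m.groups()
            if ip not in LOOPBACK and name.lower() != "localhost":
                findings.append(Finding("hosts", line,
                    f"{name} is pinned to {ip} in the hosts file, bypassing DNS"))
            continue
        m = SSODL_RE.search(line)
        if m:
            name, path = m.groups()
            if not path.lower().startswith(SYSTEM32):
                findings.append(Finding("ssodl", line,
                    f"ShellServiceObjectDelayLoad '{name}' loads {path} from outside system32 "
                    "every time Explorer starts"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.kind}] {f.line}\n    -> {f.detail}")
```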

  2. #2
    Senior Member
    Join Date
    Sep 2010
    Posts
    631


    Hi panzypotter, welcome to the forum.

    To make cleaning this machine easier
    • Please do not uninstall/install any programs unless asked to
      It is more difficult when files/programs are appearing in/disappearing from the logs.
    • Please do not run any scans other than those requested
    • Please follow all instructions in the order posted
    • All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word Wrap if it is checked.
    • Do not attach any logs/reports, etc. unless specifically requested to do so.
    • If you have problems with or do not understand the instructions, please ask before continuing.
    • Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.


    Please read through the instructions to familiarize yourself with what to expect when the tool runs.

    It is vitally important that combofix is renamed before it is even started to download


    Please download ComboFix from Link 1 or Link 2 to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

    • If you are using Firefox, make sure that your download settings are as follows:
      -Tools->Options->Main tab
      -Set to "Always ask me where to Save the files".
    • During the download, before you save it to your desktop, rename Combofix to jgh.exe


    • It is important you rename Combofix during the download, but not after.
    • Please do not rename Combofix to other names, but only to the one indicated.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix


    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Double click on ComboFix.exe (jgh.exe in your case) & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    Notes:

    1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Please post back with
    • combofix log
    How is the computer?

    Thanks
    Last edited by oldman960; 2011-03-12 at 15:44.
    Member of UNITE and ASAP

  3. #3
    Junior Member
    Join Date
    Mar 2011
    Posts
    6


    I have run comboFix, re-named as requested. This is the log it produced when it had finished.

    ComboFix 11-03-12.01 - Compaq_Owner 14/03/2011 10:19:13.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.446.147 [GMT 0:00]
    Running from: c:\documents and settings\Compaq_Owner\Desktop\jgh.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
    c:\documents and settings\Compaq_Owner\Recent\ANTIGEN.dll
    c:\documents and settings\Compaq_Owner\Recent\ANTIGEN.exe
    c:\documents and settings\Compaq_Owner\Recent\cb.drv
    c:\documents and settings\Compaq_Owner\Recent\cid.exe
    c:\documents and settings\Compaq_Owner\Recent\cid.tmp
    c:\documents and settings\Compaq_Owner\Recent\CLSV.dll
    c:\documents and settings\Compaq_Owner\Recent\CLSV.sys
    c:\documents and settings\Compaq_Owner\Recent\CLSV.tmp
    c:\documents and settings\Compaq_Owner\Recent\DBOLE.dll
    c:\documents and settings\Compaq_Owner\Recent\ddv.exe
    c:\documents and settings\Compaq_Owner\Recent\eb.drv
    c:\documents and settings\Compaq_Owner\Recent\energy.dll
    c:\documents and settings\Compaq_Owner\Recent\energy.drv
    c:\documents and settings\Compaq_Owner\Recent\energy.sys
    c:\documents and settings\Compaq_Owner\Recent\exec.drv
    c:\documents and settings\Compaq_Owner\Recent\exec.sys
    c:\documents and settings\Compaq_Owner\Recent\fan.dll
    c:\documents and settings\Compaq_Owner\Recent\fan.tmp
    c:\documents and settings\Compaq_Owner\Recent\fix.sys
    c:\documents and settings\Compaq_Owner\Recent\FS.dll
    c:\documents and settings\Compaq_Owner\Recent\FW.drv
    c:\documents and settings\Compaq_Owner\Recent\kernel32.dll
    c:\documents and settings\Compaq_Owner\Recent\kernel32.drv
    c:\documents and settings\Compaq_Owner\Recent\kernel32.tmp
    c:\documents and settings\Compaq_Owner\Recent\pal.sys
    c:\documents and settings\Compaq_Owner\Recent\PE.exe
    c:\documents and settings\Compaq_Owner\Recent\PE.sys
    c:\documents and settings\Compaq_Owner\Recent\PE.tmp
    c:\documents and settings\Compaq_Owner\Recent\ppal.drv
    c:\documents and settings\Compaq_Owner\Recent\runddlkey.exe
    c:\documents and settings\Compaq_Owner\Recent\tempdoc.exe
    c:\documents and settings\Compaq_Owner\Recent\tjd.dll
    c:\documents and settings\Compaq_Owner\Recent\tjd.drv
    c:\documents and settings\Compaq_Owner\Recent\tjd.sys
    c:\windows\dat.txt
    D:\Autorun.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-14 to 2011-03-14 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-14 10:10 . 2011-03-14 10:10 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F7E6BCBF-6058-45D6-9544-8F4309BB6D02}\MpKsl78b26175.sys
    2011-03-11 23:50 . 2011-02-10 22:54 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F7E6BCBF-6058-45D6-9544-8F4309BB6D02}\mpengine.dll
    2011-02-25 18:53 . 2009-08-06 19:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2011-02-25 18:53 . 2009-08-06 19:23 215920 ----a-w- c:\windows\system32\muweb.dll
    2011-02-25 13:42 . 2011-02-10 22:54 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-02-25 13:40 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-02-25 13:38 . 2011-02-25 13:38 -------- d-----w- c:\program files\Microsoft Security Client
    2011-02-25 10:22 . 2011-02-25 12:16 -------- d-----w- c:\documents and settings\Administrator
    2011-02-25 10:14 . 2011-02-25 10:14 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
    2011-02-25 10:14 . 2011-02-25 10:14 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-02-25 10:14 . 2011-02-25 10:14 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-02-25 10:13 . 2011-02-25 10:13 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
    2011-02-25 10:13 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-25 10:13 . 2011-02-25 10:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-25 10:13 . 2011-02-25 10:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-02-25 10:13 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-15 17:17 . 2011-02-15 17:17 274801 ----a-w- c:\program files\Online Services\BTESAT\1890hp.exe
    2011-02-14 18:03 . 2011-02-14 18:03 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SIPYOTP
    2011-02-14 18:03 . 2011-02-16 15:05 -------- d-sh--w- c:\documents and settings\All Users\Application Data\8fd40d
    2011-02-14 17:48 . 2011-02-14 17:48 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-02-14 17:40 . 2011-02-21 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-09 13:53 . 2004-08-04 04:00 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2004-08-04 04:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 07:58 . 2004-08-04 04:00 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2004-08-04 04:00 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2004-08-04 04:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2004-08-04 04:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2004-08-04 04:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2004-08-04 04:00 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2004-08-04 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2004-08-04 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59 . 2004-08-04 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26 . 2004-08-04 04:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2004-08-04 04:00 385024 ----a-w- c:\windows\system32\html.iec
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-CFC3-3CECC9AB2EDA}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-18 2423752]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-11-28 583048]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-13 663552]
    "REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-09-03 98304]
    "KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-05-04 278528]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-07 344064]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-03 180269]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http:" [X]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-9-27 303104]
    HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
    HP Image Zone Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-5-11 73728]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    .
    R1 MpKsl78b26175;MpKsl78b26175;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F7E6BCBF-6058-45D6-9544-8F4309BB6D02}\MpKsl78b26175.sys [14/03/2011 10:10 28752]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [25/01/2010 19:09 135664]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSL78B26175
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-25 19:08]
    .
    2011-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-25 19:08]
    .
    2011-03-14 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 12:26]
    .
    2011-03-14 c:\windows\Tasks\User_Feed_Synchronization-{14DE05CA-C2FB-410A-9D0F-B754CBF4345A}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = www.google.co.uk
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyServer = http=127.0.0.1:33554
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/xp_mail.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    HKCU-Run-AROReminder - c:\program files\Advanced Registry Optimizer\aro.exe
    AddRemove-Scooby-Doo(TM), Phantom of the Knight(TM) - c:\program files\The Learning Company\Scooby-Doo(TM)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-14 10:27
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(532)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2011-03-14 10:31:36
    ComboFix-quarantined-files.txt 2011-03-14 10:31
    .
    Pre-Run: 135,306,452,992 bytes free
    Post-Run: 136,554,303,488 bytes free
    .
    - - End Of File - - E601D09E42A057DB0F68A0C74B6C3B52

  4. #4
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi panzypotter,

    How's the computer? Can you access your programs now?

    I need some information on an unidentified file. We will use VirusTotal. Please submit this file for analysis.

    To submit a file to virustotal, please click on this link

    Http://www.virustotal.com


    copy and paste
    the following into the upload a file box


    c:\program files\Online Services\BTESAT\1890hp.exe


    scroll down a bit and click "send file", wait for the results and post them in your next reply.

    Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed. Also please make sure each result is clearly identified as to which sample it belongs to.

    Next


    We'll use combofix again but run it differently.

    Please follow all previous instructions regarding security programs.

    Open a new Notepad session
    • Click the Start button, click run
    • in the run box type notepad
    • click ok
    • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
    • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE


    Code:
    Folder::
    c:\documents and settings\All Users\Application Data\AVG10
    
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:33554
    uInternet Settings,ProxyOverride = <local>
    
    DirLook::
    c:\documents and settings\All Users\Application Data\8fd40d
    c:\documents and settings\All Users\Application Data\SIPYOTP

    In the notepad
    • Click File, Save as..., and set the Save in to your Desktop
    • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
    • Click save

    Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

    This will start ComboFix again. Close all browser windows first.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**




    Please post back with
    • VirusTotal results
    • Combofix log
    Any issues?

    Thanks
    Member of UNITE and ASAP
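
The CFScript above uses a DDS:: section to clear the per-user proxy that the first log showed pointing at 127.0.0.1:33554. The following is an added example, not code from this thread and not part of DDS or ComboFix: a small parser that reads DDS-style log lines and flags any ProxyServer entry that routes the browser through a loopback listener on the machine itself. The sample lines are constructed to mirror the entries in the logs posted earlier; the u/m prefixes follow DDS's convention of u for the current user and m for the machine.

```python
"""Flag loopback proxy settings in DDS/ComboFix-style log lines.

Added example for this thread; it is not DDS, ComboFix or any other tool
the helper uses, and the sample lines below are constructed to mirror the
"uInternet Settings,ProxyServer = http=127.0.0.1:33554" entry above.
"""
import re
from ipaddress import ip_address

# Constructed sample input (not a real log): the proxy lines copy the
# values seen in the thread, the rest is padding in the same format.
SAMPLE_LOG = """\
uStart Page = www.google.co.uk
uInternet Settings,ProxyServer = http=127.0.0.1:33554
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
mStart Page = hxxp://www.example.invalid/
"""

# DDS prefixes the setting with 'u' (current user) or 'm' (machine).
PROXY_LINE = re.compile(
    r"^(?P<scope>[um])Internet Settings,ProxyServer\s*=\s*(?P<value>.+?)\s*$"
)
# One WinINet ProxyServer entry: optional 'scheme=', host or [v6], optional ':port'.
PROXY_ENTRY = re.compile(
    r"(?:(?P<scheme>[A-Za-z]+)=)?(?P<host>\[[^\]]+\]|[^:;\s]+)(?::(?P<port>\d+))?"
)


def parse_proxy_value(value):
    """Split a ProxyServer string into (scheme, host, port) tuples.

    WinINet accepts either 'host:port' for all protocols or a
    ';'-separated 'scheme=host:port' list; scheme '*' means all.
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        m = PROXY_ENTRY.fullmatch(part)
        if m is None:
            continue  # malformed fragment; ignore rather than guess
        port = int(m.group("port")) if m.group("port") else None
        entries.append((m.group("scheme") or "*", m.group("host").strip("[]"), port))
    return entries


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and the name 'localhost'."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def find_loopback_proxies(log_text):
    """Return one finding per proxy entry that points back at the local host.

    A browser proxy on 127.0.0.1 means every request is routed through a
    listener on the machine itself, which matches the redirect and
    "cannot connect unless I untick the proxy" symptoms in this thread.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = PROXY_LINE.match(line.strip())
        if m is None:
            continue
        scope = "user" if m.group("scope") == "u" else "machine"
        for scheme, host, port in parse_proxy_value(m.group("value")):
            if is_loopback(host):
                findings.append(
                    {"line": lineno, "scope": scope, "scheme": scheme,
                     "host": host, "port": port}
                )
    return findings


if __name__ == "__main__":
    for f in find_loopback_proxies(SAMPLE_LOG):
        print(f"line {f['line']}: {f['scope']} proxy for {f['scheme']} "
              f"-> {f['host']}:{f['port']} (loopback)")
```

Run against a saved DDS log the parser reports the offending line, scope and port; a clean log, such as the ComboFix output posted after the CFScript ran, produces no findings. A non-loopback entry (a corporate proxy on a real host) is parsed but not reported, so the check does not flag legitimate proxy configurations.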

  5. #5
    Junior Member
    Join Date
    Mar 2011
    Posts
    6

    Default

    The computer does seem better now, administrative rights for programs seems to be back to normal and the web browser doesn't seem to be re-directing anymore.

    The machine itself still seems a bit sluggish, definite improvement though. I was hoping as well for some recommendations into some programs that could prevent the infection from occurring again when we're done here.

    Anyway, I have done as you asked:

    VirusTotal results:
    File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:

    MD5: 5f025d2a12583989adffcbbd35b7a34f
    Date first seen: 2007-10-04 15:06:34 (UTC)
    Date last seen: 2010-09-15 05:35:44 (UTC)
    Detection ratio: 14/43


    Combofix log with script:

    ComboFix 11-03-15.01 - Compaq_Owner 15/03/2011 19:58:32.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.446.230 [GMT 0:00]
    Running from: c:\documents and settings\Compaq_Owner\Desktop\jgh.exe
    Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\AVG10
    c:\documents and settings\All Users\Application Data\AVG10\Chjw\33b2373c0e6678d6\avgcchff.dat
    c:\documents and settings\All Users\Application Data\AVG10\Chjw\33b2373c0e6678d6\avgcchfi.dat
    c:\documents and settings\All Users\Application Data\AVG10\Chjw\33b2373c0e6678d6\avgcchmf.dat
    c:\documents and settings\All Users\Application Data\AVG10\Chjw\33b2373c0e6678d6\avgcchmi.dat
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-15 to 2011-03-15 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-11 23:50 . 2011-02-10 22:54 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F7E6BCBF-6058-45D6-9544-8F4309BB6D02}\mpengine.dll
    2011-02-25 18:53 . 2009-08-06 19:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2011-02-25 18:53 . 2009-08-06 19:23 215920 ----a-w- c:\windows\system32\muweb.dll
    2011-02-25 13:42 . 2011-02-10 22:54 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-02-25 13:40 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-02-25 13:38 . 2011-02-25 13:38 -------- d-----w- c:\program files\Microsoft Security Client
    2011-02-25 10:22 . 2011-02-25 12:16 -------- d-----w- c:\documents and settings\Administrator
    2011-02-25 10:14 . 2011-02-25 10:14 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
    2011-02-25 10:14 . 2011-02-25 10:14 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-02-25 10:14 . 2011-02-25 10:14 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-02-25 10:13 . 2011-02-25 10:13 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
    2011-02-25 10:13 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-25 10:13 . 2011-02-25 10:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-25 10:13 . 2011-02-25 10:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-02-25 10:13 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-15 17:17 . 2011-02-15 17:17 274801 ----a-w- c:\program files\Online Services\BTESAT\1890hp.exe
    2011-02-14 18:03 . 2011-02-14 18:03 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SIPYOTP
    2011-02-14 18:03 . 2011-02-16 15:05 -------- d-sh--w- c:\documents and settings\All Users\Application Data\8fd40d
    2011-02-14 17:48 . 2011-02-14 17:48 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-09 13:53 . 2004-08-04 04:00 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2004-08-04 04:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 07:58 . 2004-08-04 04:00 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2004-08-04 04:00 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2004-08-04 04:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2004-08-04 04:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2004-08-04 04:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2004-08-04 04:00 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2004-08-04 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2004-08-04 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59 . 2004-08-04 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26 . 2004-08-04 04:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2004-08-04 04:00 385024 ----a-w- c:\windows\system32\html.iec
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of c:\documents and settings\All Users\Application Data\8fd40d ----
    .
    2011-02-14 18:09 . 2011-02-15 17:08 4286 ----a-w- c:\documents and settings\All Users\Application Data\8fd40d\SIP.ico
    2011-02-14 18:09 . 2011-02-16 09:50 79 ----a-w- c:\documents and settings\All Users\Application Data\8fd40d\8fd40dd167f1cac892075fd58bf690f1.ocx
    .
    ---- Directory of c:\documents and settings\All Users\Application Data\SIPYOTP ----
    .
    2011-02-14 18:03 . 2011-02-16 09:50 39524 --sha-w- c:\documents and settings\All Users\Application Data\SIPYOTP\SIEUMTPIPP.cfg
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-03-14_10.27.55 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-03-15 19:47 . 2011-03-15 19:47 16384 c:\windows\Temp\Perflib_Perfdata_764.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-CFC3-3CECC9AB2EDA}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-18 2423752]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-11-28 583048]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-13 663552]
    "REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-09-03 98304]
    "KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-05-04 278528]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-07 344064]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-03 180269]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http:" [X]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-9-27 303104]
    HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
    HP Image Zone Fast Start.lnk - c:\program files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-5-11 73728]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    .
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [25/01/2010 19:09 135664]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-25 19:08]
    .
    2011-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-25 19:08]
    .
    2011-03-15 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 12:26]
    .
    2011-03-15 c:\windows\Tasks\User_Feed_Synchronization-{14DE05CA-C2FB-410A-9D0F-B754CBF4345A}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = www.google.co.uk
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/xp_mail.cab
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-15 20:04
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(528)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2011-03-15 20:07:09
    ComboFix-quarantined-files.txt 2011-03-15 20:06
    ComboFix2.txt 2011-03-14 10:31
    .
    Pre-Run: 136,562,999,296 bytes free
    Post-Run: 136,542,486,528 bytes free
    .
    - - End Of File - - 497022B18875C73F70143601782B9B4A

  6. #6
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi panzypotter,

    I was hoping as well for some recommendations into some programs that could prevent the infection from occurring again when we're done here.
    All part of the All Clean speech you will get at the end.


    Let's get rid of the old vulnerable Java and see if we can perk this computer up.

    Go to start > Control Panel > Add/remove programs and uninstall

    J2SE Runtime Environment 5.0
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7


    Do not uninstall Java(TM) 6 Update 11


    While you are in there uninstall this program if you no longer use it.

    LiveUpdate Notice (Symantec Corporation)



    Next, still in Control panel.
    • Locate the Java icon (it looks like a coffee cup)
    • double click it to open it
    • click the Update tab
    • Click update now



    Next

    Download OTL to your desktop.

    Double click on OTL.exe
    • Under the Custom Scans/Fixes box at the bottom, paste in the following
    • Do Not copy the word CODE
    • please note the fix starts with the :

    Code:
    :Services
    
    :Files
    c:\documents and settings\All Users\Application Data\8fd40d
    c:\documents and settings\All Users\Application Data\SIPYOTP
    ipconfig /flushdns /c
    c:\program files\Online Services\BTESAT\1890hp.exe
    
    :Commands
    [purity]
    [emptytemp]
    [createrestorepoint]
    [Reboot]

    Then click the Run Fix button at the top
    • Let the program run unhindered
    • Please save the resulting log to be posted in your next reply.
    Please post the OTL fix log.


    Next

    You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

    Open MBAM

    • Click the Update tab
    • Click Check for Updates
    • If an update is found, it will download and install the latest version.
    • The program will close to update and reopen.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


    Next

    • Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. Please post just the OTL.txt


    Please post back with
    • OTL fix log
    • MBAM log
    • OTL.txt
    How's the computer?

    Thanks
    Member of UNITE and ASAP

  7. #7
    Junior Member
    Join Date
    Mar 2011
    Posts
    6

    Default

    Ok, I have done.

    OTL Log with the script provided:

    All processes killed
    ========== SERVICES/DRIVERS ==========
    ========== FILES ==========
    c:\documents and settings\All Users\Application Data\8fd40d\SIPSys folder moved successfully.
    c:\documents and settings\All Users\Application Data\8fd40d\Quarantine Items folder moved successfully.
    c:\documents and settings\All Users\Application Data\8fd40d folder moved successfully.
    c:\documents and settings\All Users\Application Data\SIPYOTP folder moved successfully.
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Documents and Settings\Compaq_Owner\Desktop\cmd.bat deleted successfully.
    C:\Documents and Settings\Compaq_Owner\Desktop\cmd.txt deleted successfully.
    c:\program files\Online Services\BTESAT\1890hp.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: All Users

    User: brandon(2)

    User: Compaq_Owner
    ->Temp folder emptied: 1790773 bytes
    ->Temporary Internet Files folder emptied: 17295097 bytes
    ->Java cache emptied: 17778465 bytes
    ->Google Chrome cache emptied: 6544893 bytes
    ->Flash cache emptied: 190281 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32768 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 128210 bytes

    User: mick(2)

    User: NetworkService
    ->Temp folder emptied: 3452 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 19569 bytes
    %systemroot%\System32 .tmp files removed: 3210257 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 3078 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 274 bytes

    Total Files Cleaned = 45.00 mb

    Restore point Set: OTL Restore Point (0)

    OTL by OldTimer - Version 3.2.22.3 log created on 03162011_172210

    Files\Folders moved on Reboot...
    File\Folder C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Perflib_Perfdata_e74.dat not found!
    File\Folder C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DFD6D9.tmp not found!
    File\Folder C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DFD6E6.tmp not found!
    File\Folder C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DFD740.tmp not found!
    File\Folder C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DFD74D.tmp not found!
    File\Folder C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DFD78A.tmp not found!
    File\Folder C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DFD797.tmp not found!
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\VSMOG39R\showthread[1].htm moved successfully.
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\0D3NVGIB\search[1].htm moved successfully.

    Registry entries deleted on Reboot...

    MalwareBytes Log:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6078

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    16/03/2011 17:39:10
    mbam-log-2011-03-16 (17-39-10).txt

    Scan type: Quick scan
    Objects scanned: 155489
    Time elapsed: 6 minute(s), 36 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    OTL log from scan:

    OTL logfile created on: 16/03/2011 18:15:56 - Run 1
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Compaq_Owner\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    446.00 Mb Total Physical Memory | 194.00 Mb Available Physical Memory | 43.00% Memory free
    1.00 Gb Paging File | 1.00 Gb Available in Paging File | 65.00% Paging File free
    Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 142.07 Gb Total Space | 127.65 Gb Free Space | 89.85% Space Free | Partition Type: NTFS
    Drive D: | 6.96 Gb Total Space | 3.53 Gb Free Space | 50.73% Space Free | Partition Type: FAT32
    Drive J: | 477.72 Mb Total Space | 426.55 Mb Free Space | 89.29% Space Free | Partition Type: FAT

    Computer Name: WHITAKERS | User Name: Compaq_Owner | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - C:\Documents and Settings\Compaq_Owner\Desktop\OTL.exe (OldTimer Tools)
    PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    PRC - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
    PRC - C:\Program Files\Hp\Digital Imaging\bin\hpqimzone.exe (Hewlett-Packard Co.)
    PRC - C:\WINDOWS\system32\bgsvcgen.exe (B.H.A Corporation)

    ========== Modules (SafeList) ==========

    MOD - C:\Documents and Settings\Compaq_Owner\Desktop\OTL.exe (OldTimer Tools)
    MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)

    ========== Win32 Services (SafeList) ==========

    SRV - (SymAppCore) -- File not found
    SRV - (AppMgmt) -- File not found
    SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
    SRV - (ServiceLayer) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia)
    SRV - (bgsvcgen) -- C:\WINDOWS\system32\bgsvcgen.exe (B.H.A Corporation)
    SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)

    ========== Driver Services (SafeList) ==========

    DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    DRV - (pccsmcfd) -- C:\WINDOWS\system32\drivers\pccsmcfd.sys (Nokia)
    DRV - (s116obex) -- C:\WINDOWS\system32\drivers\s116obex.sys (MCCI Corporation)
    DRV - (s116mgmt) Sony Ericsson Device 116 USB WMC Device Management Drivers (WDM) -- C:\WINDOWS\system32\drivers\s116mgmt.sys (MCCI Corporation)
    DRV - (s116mdm) -- C:\WINDOWS\system32\drivers\s116mdm.sys (MCCI Corporation)
    DRV - (s116mdfl) -- C:\WINDOWS\system32\drivers\s116mdfl.sys (MCCI Corporation)
    DRV - (s116bus) Sony Ericsson Device 116 driver (WDM) -- C:\WINDOWS\system32\drivers\s116bus.sys (MCCI Corporation)
    DRV - (Ps2) -- C:\WINDOWS\system32\drivers\PS2.sys (Hewlett-Packard Company)
    DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)
    DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
    DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
    DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)
    DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys (Realtek Semiconductor Corporation )
    DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)
    DRV - (ndiscm) -- C:\WINDOWS\system32\drivers\NetMotCM.sys (Motorola Inc.)

    ========== Standard Registry (SafeList) ==========

    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    O1 HOSTS File: ([2011/03/15 20:03:56 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (Virgin Media Toolbar) - {A057A204-BACC-4D26-CFC3-3CECC9AB2EDA} - C:\Program Files\virginmediatoolbar\virginmediatoolbar.dll ([[[COMPANYNAME]]]----------------------------)
    O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
    O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)
    O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
    O3 - HKLM\..\Toolbar: (Virgin Media Toolbar) - {A057A204-BACC-4D26-CFC3-3CECC9AB2EDA} - C:\Program Files\virginmediatoolbar\virginmediatoolbar.dll ([[[COMPANYNAME]]]----------------------------)
    O3 - HKCU\..\Toolbar\WebBrowser: (&Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
    O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
    O4 - HKLM..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE (FUJI PHOTO FILM CO., LTD.)
    O4 - HKLM..\Run: [Reminder] C:\Windows\Creator\Remind_XP.exe (SoftThinks)
    O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
    O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
    O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
    O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe (FUJIFILM Corporation)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Co.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll (Sun Microsystems, Inc.)
    O9 - Extra Button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
    O9 - Extra 'Tools' menuitem : Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()

    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_11)

    O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_11)

    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_11)

    O16 - DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} http://downloads.virginmedia.com/CST/ver1/xp_mail.cab (Reg Error: Key error.)

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 192.168.0.1

    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

    O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)

    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

    O24 - Desktop WallPaper: C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

    O32 - HKLM CDRom: AutoRun - 1

    O32 - AutoRun File - [2004/11/09 13:20:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

    O32 - AutoRun File - [2001/07/28 07:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]

    O34 - HKLM BootExecute: (autocheck autochk *) - File not found

    O35 - HKLM\..comfile [open] -- "%1" %*

    O35 - HKLM\..exefile [open] -- "%1" %*

    O37 - HKLM\...com [@ = ComFile] -- "%1" %*

    O37 - HKLM\...exe [@ = exefile] -- "%1" %*



    ========== Files/Folders - Created Within 30 Days ==========



    [2011/03/16 18:13:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee

    [2011/03/16 17:22:10 | 000,000,000 | ---D | C] -- C:\_OTL

    [2011/03/16 17:21:09 | 000,000,000 | -HSD | C] -- C:\RECYCLER

    [2011/03/16 17:16:09 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Owner\Desktop\OTL.exe

    [2011/03/14 10:16:01 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

    [2011/03/14 10:16:01 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

    [2011/03/14 10:16:01 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

    [2011/03/14 10:16:01 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

    [2011/03/14 10:13:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

    [2011/03/14 10:13:30 | 000,000,000 | ---D | C] -- C:\Qoobox

    [2011/02/25 18:53:43 | 000,274,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll

    [2011/02/25 18:53:43 | 000,016,736 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll.mui

    [2011/02/25 13:40:41 | 000,222,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe

    [2011/02/25 13:38:22 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client

    [2011/02/25 10:14:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com

    [2011/02/25 10:14:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

    [2011/02/25 10:14:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware

    [2011/02/25 10:14:10 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware

    [2011/02/25 10:13:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Compaq_Owner\Application Data\Malwarebytes

    [2011/02/25 10:13:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware

    [2011/02/25 10:13:34 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

    [2011/02/25 10:13:33 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

    [2011/02/25 10:13:33 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

    [2011/02/25 10:13:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes



    ========== Files - Modified Within 30 Days ==========



    [2011/03/16 18:17:00 | 000,000,436 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{14DE05CA-C2FB-410A-9D0F-B754CBF4345A}.job

    [2011/03/16 17:34:59 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

    [2011/03/16 17:29:04 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

    [2011/03/16 17:28:55 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

    [2011/03/16 17:28:06 | 000,000,892 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

    [2011/03/16 17:28:06 | 000,000,188 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.DAT

    [2011/03/16 17:27:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

    [2011/03/16 17:27:56 | 468,242,432 | -HS- | M] () -- C:\hiberfil.sys

    [2011/03/16 17:01:20 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Compaq_Owner\Desktop\OTL.exe

    [2011/03/15 20:03:56 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

    [2011/03/15 19:55:20 | 004,287,930 | R--- | M] () -- C:\Documents and Settings\Compaq_Owner\Desktop\jgh.exe

    [2011/03/10 21:08:20 | 003,855,355 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\My Documents\answering_machine_mfl.wmv

    [2011/03/09 21:16:56 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK

    [2011/03/01 19:31:55 | 000,008,192 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    [2011/03/01 19:27:30 | 003,781,597 | ---- | M] () -- C:\Documents and Settings\Compaq_Owner\My Documents\Bird_With_Balls.wmv

    [2011/02/25 13:38:57 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif

    [2011/02/25 13:26:11 | 000,000,281 | RHS- | M] () -- C:\boot.ini

    [2011/02/25 10:14:12 | 000,001,686 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk

    [2011/02/25 10:13:36 | 000,000,704 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk



    ========== Files Created - No Company Name ==========



    [2011/03/14 10:16:01 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe

    [2011/03/14 10:16:01 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

    [2011/03/14 10:16:01 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe

    [2011/03/14 10:16:01 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

    [2011/03/14 10:16:01 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

    [2011/03/14 10:13:00 | 004,287,930 | R--- | C] () -- C:\Documents and Settings\Compaq_Owner\Desktop\jgh.exe

    [2011/03/11 20:40:31 | 468,242,432 | -HS- | C] () -- C:\hiberfil.sys

    [2011/03/10 21:08:11 | 003,855,355 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\My Documents\answering_machine_mfl.wmv

    [2011/03/01 19:27:20 | 003,781,597 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\My Documents\Bird_With_Balls.wmv

    [2011/02/25 13:43:48 | 000,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

    [2011/02/25 13:38:34 | 000,001,688 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk

    [2011/02/25 13:26:11 | 000,001,816 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

    [2011/02/25 13:26:11 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ExifLauncher2.lnk

    [2011/02/25 13:26:11 | 000,000,806 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

    [2011/02/25 10:19:30 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif

    [2011/02/25 10:14:12 | 000,001,686 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk

    [2011/02/25 10:13:36 | 000,000,704 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

    [2010/06/15 10:02:44 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    [2009/04/21 19:44:36 | 000,001,084 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat

    [2008/09/27 11:22:41 | 000,112,391 | ---- | C] () -- C:\WINDOWS\hpoins07.dat.temp

    [2008/09/27 11:22:40 | 000,021,124 | ---- | C] () -- C:\WINDOWS\hpomdl07.dat.temp

    [2007/09/25 16:06:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI

    [2007/08/14 19:03:16 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI

    [2006/08/25 08:30:05 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat

    [2006/05/01 13:20:07 | 000,000,300 | ---- | C] () -- C:\WINDOWS\cdplayer.ini

    [2005/12/20 20:02:08 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\fusioncache.dat

    [2005/12/20 19:48:15 | 000,112,331 | ---- | C] () -- C:\WINDOWS\hpoins07.dat

    [2005/12/20 19:48:15 | 000,021,124 | ---- | C] () -- C:\WINDOWS\hpomdl07.dat

    [2005/09/03 11:34:41 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

    [2005/09/03 11:12:42 | 000,015,783 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS

    [2005/09/03 11:12:35 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll

    [2005/09/03 11:05:27 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll

    [2005/09/03 11:05:27 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll

    [2005/09/03 11:05:27 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll

    [2005/09/03 11:05:27 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll

    [2005/09/03 11:05:27 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll

    [2005/09/03 11:05:26 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll

    [2005/09/03 11:03:29 | 000,000,056 | ---- | C] () -- C:\WINDOWS\WININIT.INI

    [2005/09/03 10:59:05 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

    [2005/09/03 10:55:42 | 000,001,040 | ---- | C] () -- C:\WINDOWS\System32\drivers\alcxinit.dat

    [2005/09/03 10:55:15 | 000,094,574 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat

    [2005/09/03 10:45:20 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini

    [2005/09/03 10:41:39 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\pythoncom22.dll

    [2005/09/03 10:41:39 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\pywintypes22.dll

    [2005/09/03 10:41:17 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll

    [2005/07/07 13:07:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

    [2004/11/09 13:39:12 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat

    [2004/11/09 13:25:42 | 000,382,466 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat

    [2004/11/09 13:25:42 | 000,053,892 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat

    [2004/11/09 13:22:42 | 000,168,304 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

    [2004/11/09 13:19:44 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

    [2004/11/09 13:17:58 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

    [2004/08/04 11:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat

    [2004/08/04 04:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat

    [2004/08/04 04:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat

    [2004/08/04 04:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat

    [2004/08/04 04:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin

    [2004/08/04 04:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat

    [2004/08/04 04:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin

    [2004/08/04 04:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

    [2004/06/24 19:10:06 | 000,000,573 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini

    [2001/08/23 15:12:28 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin

    [2001/08/23 15:11:02 | 000,004,490 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

    [2001/07/06 14:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini



    ========== LOP Check ==========



    [2011/02/14 17:48:17 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files

    [2009/09/07 17:21:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure

    [2010/09/19 16:38:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations

    [2011/02/14 16:50:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData

    [2009/08/15 14:28:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic

    [2009/07/18 20:10:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite

    [2011/02/10 11:05:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

    [2009/08/15 14:30:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\DriverCure

    [2008/09/28 16:41:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\FUJIFILM

    [2006/02/26 09:30:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\InterVideo

    [2005/12/31 16:29:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\Leadertech

    [2009/07/18 20:10:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\Nokia

    [2009/07/18 20:10:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\PC Suite

    [2011/03/11 12:45:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\Sammsoft

    [2005/09/03 19:41:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\SampleView

    [2009/04/21 19:44:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\Template

    [2011/03/11 12:47:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\VIRGINMEDIATOOLBAR

    [2007/08/26 08:38:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Compaq_Owner\Application Data\WinBatch

    [2011/03/16 17:34:59 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

    [2011/03/16 18:17:00 | 000,000,436 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{14DE05CA-C2FB-410A-9D0F-B754CBF4345A}.job



    ========== Purity Check ==========







    ========== Alternate Data Streams ==========



    @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1

    @Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2



    < End of report >

    Thanks.

  8. #8
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi panzypotter,

    One more scan to do.

    *Note
    It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



    Go here to run an online scanner from
    ESET

    (Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)

    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is Checked.
    • Click Scan.
    • Wait for the scan to finish.
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt or C:\Program Files\ESET\log.txt. We will need this later.
    Please post back with the ESET log.

    Any remaining issues?

    Thanks
    Member of UNITE and ASAP

  9. #9
    Junior Member
    Join Date
    Mar 2011
    Posts
    6

    Default

    The computer seems much better now, no incidents with website re-direction or administrative right problems with opening programs. Was the computer quite badly infected when we first started the cleaning process?

    I ran the ESET scanner, here's the log:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=e4ef1ba48c5aaf408fc1cd99b9e40c37
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-03-17 01:29:31
    # local_time=2011-03-17 01:29:31 (+0000, GMT Standard Time)
    # country="United Kingdom"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=1024 16777215 100 0 2620026 2620026 0 0
    # compatibility_mode=5891 16776869 42 87 225091 12366988 0 0
    # compatibility_mode=8192 67108863 100 0 111 111 0 0
    # scanned=74893
    # found=0
    # cleaned=0
    # scan_time=2846

  10. #10
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Default

    Hi panzypotter,

    The main infection was a rogue security program and a Hosts file hijacking.

    We'll clean up our tools and send you on your way.

    From your desktop, please delete, if present
    • any notepads/logs that we created



    Next

    Click the Start button, click Run. Copy and paste the following line into the run box and click OK

    Combofix /uninstall




    Next

    Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.


    I suggest you keep MBAM. Keep it updated and use it regularly.

    ESET online scan can be removed via add/remove programs if you have not already uninstalled it.


    Some Recommendations and prevention tips

    Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. Just add a firewall to what you have.

    * If you are behind a router Windows firewall should be fine. Otherwise a 3rd party firewall with outbound monitoring is recommended.

    Click FIREWALL for links and tutorials to good, free and paid-for firewalls. (Note: Zone Alarm is becoming bloatware, IMO)


    You should also use Spyware Blaster to help immunize your computer.

    - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
    settings that will protect you from running and downloading known malicious programs.

    OR

    A guide to understanding and using the hosts file.

    Learn how your Hosts file can protect you and how you can protect it.
    Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.
    HOSTS

    Please read the info on disabling the DNS Client before installing a custom hosts file.


    -Secure your Internet Explorer

    From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


    - Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis


    - Make sure you have reset Automatic Updates to your chosen option. Click your Start button > Control Panel > System


    - Keep your antivirus program updated, as well as any other security programs you have.


    -More tips and programs can be found HERE


    - You may also want to read this article By Tony Klein
    http://www.freedomlist.com/forum/viewtopic.php?t=22879


    We will keep this thread open for a couple of days. Please post back if you have any problems or questions. Please post back when you have finished so this thread can be marked "Resolved".

    Take care
    Member of UNITE and ASAP
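
The helper's final post names a Hosts file hijack as one of the two main infections and points to guides on protecting the file; the OTL log earlier in the thread shows the cleaned file holding only the loopback entry. As an added example (not from the thread, and not code from OTL, ESET or any other tool mentioned here), the following Python script audits hosts-file text for the two patterns a hijacked file typically shows: hostnames redirected to a non-loopback address, and security-vendor or update hostnames sunk to loopback so that scanners and Windows Update cannot reach their servers. The vendor watch list and the sample hosts file are constructed for the example; the 203.0.113.7 address is a documentation-range placeholder, not a real indicator.

```python
"""Audit Windows hosts-file text for hijack indicators (added example)."""
import ipaddress

# Addresses used to "sink" a hostname. 127.0.0.1/::1 are loopback; 0.0.0.0 is a
# common blackhole used by legitimate blocklists and by malware alike.
SINKHOLE_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}

# Assumed watch list (constructed for this example): hostnames that malware
# commonly blocks to keep AV signatures and OS patches from arriving.
PROTECTED_HOSTS = (
    "windowsupdate.com",
    "update.microsoft.com",
    "microsoft.com",
    "malwarebytes.org",
    "superantispyware.com",
    "eset.com",
)


def is_protected(hostname):
    """True if hostname equals, or is a subdomain of, a watch-list entry."""
    h = hostname.lower()
    return any(h == p or h.endswith("." + p) for p in PROTECTED_HOSTS)


def parse_hosts(text):
    """Return (lineno, ip, hostnames) per active entry; comments are dropped.

    A line whose first token is not an IP address is returned with ip=None so
    the caller can report it rather than silently skipping it.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            entries.append((lineno, None, [line]))
            continue
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def audit_hosts(text):
    """Return a list of (lineno, kind, detail) findings; empty means clean."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        if ip is None:
            findings.append((lineno, "malformed", names[0]))
            continue
        for name in names:
            if name.lower() == "localhost":
                continue  # the one entry a clean XP hosts file always has
            if ip not in SINKHOLE_ADDRS:
                # Redirection: the hostname now resolves to an arbitrary host.
                findings.append((lineno, "redirect", f"{name} -> {ip}"))
            elif is_protected(name):
                # Vendor/update site sunk to loopback: scanners cannot update.
                findings.append((lineno, "blocked-vendor", f"{name} -> {ip}"))
    return findings


# Constructed sample, not the file from the thread.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost
# legitimate blocklist-style entry: an ad host sunk to loopback
127.0.0.1       ads.example.net
# hijack indicators
127.0.0.1       www.malwarebytes.org
0.0.0.0         update.microsoft.com
203.0.113.7     www.google.com
bad entry here
"""

if __name__ == "__main__":
    for lineno, kind, detail in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {kind}: {detail}")
```

Running it against a file that contains only `127.0.0.1 localhost` (the state shown in the cleaned OTL log) returns no findings; against the constructed sample it reports the two blocked vendor hosts, the redirected Google entry and the malformed line. Blocklist-style entries that sink advertising hosts to loopback are deliberately not flagged, since that is exactly what the custom hosts files recommended in the post do.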
