
Thread: Infection???? Help needed

  1. #11
    Guest | Join Date: May 2011 | Posts: 57

    Run Fix log

    All processes killed
    ========== PROCESSES ==========
    ========== OTL ==========
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a623dc24-ba05-11df-9e5c-0014a5b00b85}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a623dc24-ba05-11df-9e5c-0014a5b00b85}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a623dc24-ba05-11df-9e5c-0014a5b00b85}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a623dc24-ba05-11df-9e5c-0014a5b00b85}\ not found.
    File IZUVAS\\\\izcipica.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a623dc24-ba05-11df-9e5c-0014a5b00b85}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a623dc24-ba05-11df-9e5c-0014a5b00b85}\ not found.
    File IZUVAS\\\\\izcipica.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a623dc24-ba05-11df-9e5c-0014a5b00b85}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a623dc24-ba05-11df-9e5c-0014a5b00b85}\ not found.
    File IZUVAS\\\\\izcipica.exe not found.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    < ipconfig /release /c >
    Windows IP Configuration
    No operation can be performed on Local Area Connection while it has its media disconnected.
    Ethernet adapter Local Area Connection:
    Media State . . . . . . . . . . . : Media disconnected
    Ethernet adapter Wireless Network Connection:
    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 0.0.0.0
    Subnet Mask . . . . . . . . . . . : 0.0.0.0
    Default Gateway . . . . . . . . . :
    C:\Documents and Settings\Owner\Desktop\cmd.bat deleted successfully.
    C:\Documents and Settings\Owner\Desktop\cmd.txt deleted successfully.
    < ipconfig /renew /c >
    Windows IP Configuration
    No operation can be performed on Local Area Connection while it has its media disconnected.
    Ethernet adapter Local Area Connection:
    Media State . . . . . . . . . . . : Media disconnected
    Ethernet adapter Wireless Network Connection:
    Connection-specific DNS Suffix . : no-domain-set.bellcanada
    IP Address. . . . . . . . . . . . : 192.168.2.12
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.2.1
    C:\Documents and Settings\Owner\Desktop\cmd.bat deleted successfully.
    C:\Documents and Settings\Owner\Desktop\cmd.txt deleted successfully.
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Documents and Settings\Owner\Desktop\cmd.bat deleted successfully.
    C:\Documents and Settings\Owner\Desktop\cmd.txt deleted successfully.
    ========== COMMANDS ==========
    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Movie Watching
    ->Temp folder emptied: 2616 bytes
    ->Temporary Internet Files folder emptied: 152982 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Owner
    ->Temp folder emptied: 53091717 bytes
    ->Temporary Internet Files folder emptied: 28200804 bytes
    ->Java cache emptied: 1197916 bytes
    ->FireFox cache emptied: 53756733 bytes
    ->Flash cache emptied: 2791585 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2402044 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 104530400 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 79695254 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 229192 bytes

    Total Files Cleaned = 311.00 mb


    OTL by OldTimer - Version 3.2.22.3 log created on 05112011_164050

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...

  2. #12
    Guest | Join Date: May 2011 | Posts: 57

    I noticed that after the fix, a file Thumbs.db is now on the desktop. Is it ok?
    New scan after the fix:

    OTL logfile created on: 5/11/2011 4:48:57 PM - Run 2
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Owner\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,022.00 Mb Total Physical Memory | 632.00 Mb Available Physical Memory | 62.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 90.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 74.52 Gb Total Space | 25.47 Gb Free Space | 34.18% Space Free | Partition Type: NTFS

    Computer Name: CANADA-2A41275B | User Name: Owner | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    PRC - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)
    PRC - C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe (McAfee, Inc.)
    PRC - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)
    PRC - C:\Program Files\McAfee\Common Framework\Mctray.exe (McAfee, Inc.)
    PRC - C:\Program Files\McAfee\Common Framework\naPrdMgr.exe (McAfee, Inc.)
    PRC - C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)
    PRC - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
    PRC - C:\WINDOWS\system32\HPZipm12.exe (HP)


    ========== Modules (SafeList) ==========

    MOD - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
    MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


    ========== Win32 Services (SafeList) ==========

    SRV - (HidServ) -- File not found
    SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
    SRV - (McShield) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)
    SRV - (McTaskManager) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)
    SRV - (McAfeeFramework) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
    SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)


    ========== Driver Services (SafeList) ==========

    DRV - (MSHUSBVideo) -- C:\WINDOWS\system32\drivers\nx6000.sys (Microsoft Corporation)
    DRV - (fssfltr) -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys (Microsoft Corporation)
    DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
    DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
    DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)
    DRV - (mfetdik) -- C:\WINDOWS\system32\drivers\mfetdik.sys (McAfee, Inc.)
    DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
    DRV - (mferkdk) -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys (McAfee, Inc.)
    DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
    DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )
    DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
    DRV - (tifm21) -- C:\WINDOWS\system32\drivers\tifm21.sys (Texas Instruments)
    DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)
    DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
    DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
    DRV - (HSFHWATI) -- C:\WINDOWS\system32\drivers\HSFHWATI.sys (Conexant Systems, Inc.)
    DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
    DRV - (CAMCHALA) -- C:\WINDOWS\system32\drivers\camc6hal.sys (Conexant Systems Inc.)
    DRV - (CAMCAUD) -- C:\WINDOWS\system32\drivers\camc6aud.sys (Conexant Systems Inc.)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

    IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

    IE - HKU\S-1-5-21-1844237615-436374069-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\S-1-5-21-1844237615-436374069-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..extensions.enabledItems: autopager@mozilla.org:0.6.2.4
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}:6.0.25
    FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20110323
    FF - prefs.js..network.proxy.type: 0

    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/28 22:35:21 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/28 22:35:21 | 000,000,000 | ---D | M]

    [2010/09/03 00:11:34 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
    [2011/05/10 16:10:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3d9ghmci.default\extensions
    [2010/10/29 21:52:16 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3d9ghmci.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2011/05/09 15:54:35 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3d9ghmci.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    [2011/02/04 22:21:29 | 000,000,000 | ---D | M] ("AutoPager") -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\3d9ghmci.default\extensions\autopager@mozilla.org
    [2011/05/10 16:10:49 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/05/04 15:24:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
    [2010/09/07 17:20:40 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
    [2011/04/14 05:08:00 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

    O1 HOSTS File: ([2011/05/11 16:41:18 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\ScriptCl.dll (McAfee, Inc.)
    O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)
    O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-1844237615-436374069-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn...Detection2.cab (GMNRev Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_25)
    O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_25)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_25)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 192.168.2.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2010/09/02 14:42:50 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O35 - HKU\S-1-5-21-1844237615-436374069-1801674531-1003..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKU\S-1-5-21-1844237615-436374069-1801674531-1003\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/05/11 16:40:50 | 000,000,000 | ---D | C] -- C:\_OTL
    [2011/05/11 04:57:44 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
    [2011/05/09 21:05:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
    [2011/05/09 21:05:40 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
    [2011/05/09 21:05:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    [2011/05/09 20:54:03 | 000,712,192 | ---- | C] (Claude Dekokère) -- C:\Documents and Settings\Owner\Desktop\captimag_captimag_3.7.3_francais_anglais_124710.exe
    [2011/05/08 18:04:26 | 020,526,976 | ---- | C] (InstallShield Software Corporation) -- C:\Documents and Settings\Owner\Desktop\Install PagePlus SE.exe
    [2011/05/08 17:43:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\petit chauffeur
    [2011/05/04 15:24:19 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
    [2011/05/04 15:24:19 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
    [2011/05/04 15:24:19 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
    [2011/05/04 15:17:06 | 001,407,280 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner\Desktop\TDSSKiller.exe
    [2011/04/20 22:21:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\i can hear the sea
    [2011/04/20 18:33:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\AVIAddXSubs
    [2011/04/20 04:32:53 | 000,000,000 | ---D | C] -- C:\divx
    [2011/04/20 02:25:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\GHIBLI MOVIES
    [2011/04/18 18:36:14 | 000,201,728 | ---- | C] (Freebyte.com) -- C:\Documents and Settings\Owner\Desktop\hjsplit.exe
    [2011/04/18 18:35:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\'sub converter
    [2011/04/16 02:17:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Any Video Converter
    [2011/04/16 02:16:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\AnvSoft
    [2011/04/16 01:42:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Youtube Downloader HD
    [1 C:\Documents and Settings\Owner\*.tmp files -> C:\Documents and Settings\Owner\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/05/11 16:42:22 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/05/11 16:42:18 | 1071,894,528 | -HS- | M] () -- C:\hiberfil.sys
    [2011/05/11 16:41:18 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
    [2011/05/11 04:57:45 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
    [2011/05/10 15:24:53 | 001,655,016 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2011/05/09 22:41:23 | 000,008,570 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Attach.zip
    [2011/05/09 22:35:20 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
    [2011/05/09 22:03:10 | 000,009,997 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\1.jpg
    [2011/05/09 21:05:46 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
    [2011/05/09 20:52:35 | 000,712,192 | ---- | M] (Claude Dekokère) -- C:\Documents and Settings\Owner\Desktop\captimag_captimag_3.7.3_francais_anglais_124710.exe
    [2011/05/05 16:35:57 | 000,023,227 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Resume- King_Kathleen.odt
    [2011/05/05 16:21:07 | 000,093,265 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Kathleen King Resume_Summer Animator.pdf
    [2011/05/05 16:18:47 | 000,032,122 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Kathleen King Cover Letter_Summer Animator.pdf
    [2011/05/05 16:12:51 | 000,093,213 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Kathleen King_Resume_Summer Animator.pdf
    [2011/05/05 02:43:08 | 000,014,916 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\maison transistionnelle cover letter.pdf
    [2011/05/05 02:40:03 | 000,078,082 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Resume- King_Kathleen.pdf
    [2011/05/05 01:42:25 | 000,013,996 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\maison transistionnelle cover letter.pdf
    [2011/05/04 18:21:57 | 000,444,928 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/05/04 18:21:57 | 000,072,654 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2011/05/03 23:08:30 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/05/01 14:21:34 | 001,407,280 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner\Desktop\TDSSKiller.exe
    [2011/04/27 23:36:52 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/04/21 03:03:16 | 000,022,528 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/04/21 02:33:56 | 602,230,978 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\I Can Hear The Sea.divx
    [2011/04/20 14:58:25 | 000,026,369 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\CDK FINAL REFLECTION PAPER.odt
    [2011/04/20 14:57:05 | 000,024,412 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\CDK quotes.odt
    [2011/04/19 03:56:07 | 000,103,028 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\ocean.srt
    [2011/04/18 03:23:57 | 000,022,312 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RESUME for life stories 2.odt
    [2011/04/17 15:21:07 | 000,069,017 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RESUME for life stories 2.pdf
    [2011/04/15 21:24:48 | 000,119,162 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Kathleen King_9203788_LEGAL SYSTEMS FINAL EXAM.pdf
    [2011/04/15 21:24:03 | 000,025,998 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Kathleen King_9203788_LEGAL SYSTEMS FINAL EXAM.odt
    [2011/04/15 00:41:52 | 000,132,981 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Kathleen King_Imperialism Final Paper_9203788.pdf
    [2011/04/15 00:41:12 | 000,038,892 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Kathleen King_ imperialism Today FINAL PAPER.odt
    [2011/04/14 23:30:38 | 000,036,065 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\franceafrique quotes.odt
    [2011/04/14 11:53:15 | 000,028,492 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\after 1990.odt
    [2011/04/14 05:08:11 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
    [2011/04/14 05:08:10 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
    [2011/04/14 05:08:09 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
    [2011/04/14 05:07:59 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
    [2011/04/14 03:09:27 | 001,378,557 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\french africa.pdf
    [2011/04/14 02:57:53 | 000,032,940 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\referenceformat.pdf
    [2011/04/14 02:40:22 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
    [2011/04/13 01:21:13 | 000,021,581 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RESUME for Life Stories Montreal.odt
    [1 C:\Documents and Settings\Owner\*.tmp files -> C:\Documents and Settings\Owner\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/05/09 22:41:23 | 000,008,570 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Attach.zip
    [2011/05/09 22:35:19 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
    [2011/05/09 22:03:10 | 000,009,997 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\1.jpg
    [2011/05/09 21:05:46 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Spybot - Search & Destroy.lnk
    [2011/05/05 16:12:51 | 000,093,213 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Kathleen King_Resume_Summer Animator.pdf
    [2011/05/05 16:07:26 | 000,093,265 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Kathleen King Resume_Summer Animator.pdf
    [2011/05/05 15:49:00 | 000,032,122 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Kathleen King Cover Letter_Summer Animator.pdf
    [2011/05/05 02:43:08 | 000,014,916 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\maison transistionnelle cover letter.pdf
    [2011/05/05 02:42:41 | 000,023,227 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Resume- King_Kathleen.odt
    [2011/05/05 02:40:02 | 000,078,082 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Resume- King_Kathleen.pdf
    [2011/05/05 01:42:23 | 000,013,996 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\maison transistionnelle cover letter.pdf
    [2011/04/21 02:29:59 | 602,230,978 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\I Can Hear The Sea.divx
    [2011/04/20 18:30:44 | 000,103,028 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\ocean.srt
    [2011/04/20 01:42:42 | 000,026,369 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\CDK FINAL REFLECTION PAPER.odt
    [2011/04/19 03:52:49 | 000,024,412 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\CDK quotes.odt
    [2011/04/17 15:21:07 | 000,069,017 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RESUME for life stories 2.pdf
    [2011/04/16 18:53:45 | 000,022,312 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RESUME for life stories 2.odt
    [2011/04/15 21:24:47 | 000,119,162 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Kathleen King_9203788_LEGAL SYSTEMS FINAL EXAM.pdf
    [2011/04/15 00:41:50 | 000,132,981 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Kathleen King_Imperialism Final Paper_9203788.pdf
    [2011/04/14 10:13:17 | 000,028,492 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\after 1990.odt
    [2011/04/14 03:09:27 | 001,378,557 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\french africa.pdf
    [2011/04/14 02:57:53 | 000,032,940 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\referenceformat.pdf
    [2011/04/13 23:56:04 | 000,038,892 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Kathleen King_ imperialism Today FINAL PAPER.odt
    [2011/04/13 01:21:12 | 000,021,581 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RESUME for Life Stories Montreal.odt
    [2011/04/12 16:36:16 | 000,036,065 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\franceafrique quotes.odt
    [2011/04/02 13:16:48 | 000,010,338 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\jcl665ep0rnlp562hps
    [2011/03/09 13:50:30 | 000,010,810 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\178748ryx4
    [2011/03/09 13:50:30 | 000,010,810 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\178748ryx4
    [2010/10/06 12:19:01 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/09/22 14:34:51 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
    [2010/09/22 13:41:21 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
    [2010/09/22 13:34:20 | 000,118,641 | ---- | C] () -- C:\WINDOWS\hpoins09.dat
    [2010/09/06 18:30:48 | 000,022,528 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/09/05 17:20:43 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
    [2010/09/03 00:11:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
    [2010/09/02 21:02:14 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
    [2010/09/02 14:50:00 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2010/09/02 14:38:34 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2010/09/02 10:32:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
    [2010/09/02 10:27:56 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2010/09/02 10:21:03 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
    [2010/09/02 10:13:45 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
    [2010/09/02 10:13:45 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
    [2010/09/02 10:13:44 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
    [2010/09/02 10:13:44 | 000,112,794 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
    [2010/09/02 10:12:34 | 001,655,016 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2008/04/14 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2008/04/14 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2008/04/14 08:00:00 | 000,444,928 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2008/04/14 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2008/04/14 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2008/04/14 08:00:00 | 000,072,654 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2008/04/14 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2008/04/14 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2008/04/14 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2008/04/14 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2008/04/14 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
    [2008/04/14 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2006/03/09 13:28:40 | 000,011,645 | ---- | C] () -- C:\WINDOWS\hpomdl09.dat
    [2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

    < End of report >

  3. #13
    Emeritus-Security Expert | Join Date: Nov 2005 | Location: Florida's SpaceCoast | Posts: 15,208

    Wonderful, how is your computer behaving now?



    ESET Online Scanner
    I'd like us to scan your machine with ESET OnlineScan

    *Note
    It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Make sure that the option "Remove found threats" is Unchecked
    9. Push the Start button.
    10. ESET will then download updates for itself, install itself, and begin
      scanning your computer. Please be patient as this can take some time.
    11. When the scan completes, push
    12. Push , and save the file to your desktop using a unique name, such as
      ESETScan. Include the contents of this report in your next reply.
    13. Push the button.
    14. Push
    Please make sure you include the following items in your next post:
    The log that was produced after running ESET Online Scanner.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  4. #14
    Guest
    Join Date
    May 2011
    Posts
    57

    Default

    So far, there is no more Windows Security red icon in the system tray.
    I am monitoring the machine; if there is a change I'll let you know.
    But the machine is still slow.
    Next post, the ESET scan.

  5. #15
    Guest
    Join Date
    May 2011
    Posts
    57

    Default

    After two scans, I can confirm that ESET does not give me any possibility to create a log. Both scans came back clean, meaning no threat was found, but I could not create a log. I ran the scan first and no log came out, so I ran it again to make sure I did not make any mistake, but it is the same thing. Here is a picture of the scan window in the attachment.

  6. #16
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    That's fine, glad it didn't find anything. Let's run ComboFix and see if there is anything else to remove.



    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

  7. #17
    Guest
    Join Date
    May 2011
    Posts
    57

    Default

    After the scan, the Windows Security Alerts red icon came back in the system tray. I put a picture of the red icon in the attachment.
    Here is the ComboFix log:

    ComboFix 11-05-11.02 - Owner 05/12/2011 4:58.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.586 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-12 to 2011-05-12 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-11 23:54 . 2011-05-11 23:54 -------- d-----w- c:\program files\ESET
    2011-05-11 20:40 . 2011-05-11 20:40 -------- d-----w- C:\_OTL
    2011-05-10 01:05 . 2011-05-10 01:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-05-10 01:05 . 2011-05-10 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-04-20 08:32 . 2011-04-20 09:50 -------- d-----w- C:\divx
    2011-04-16 06:16 . 2011-04-16 06:16 -------- d-----w- c:\documents and settings\Owner\Application Data\AnvSoft
    2011-04-16 05:42 . 2011-05-04 19:14 -------- d-----w- c:\documents and settings\Owner\Application Data\Youtube Downloader HD
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-14 09:07 . 2010-09-07 21:21 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-04-14 06:40 . 2010-09-02 18:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
    .
    .
    ------- Sigcheck -------
    .
    [-] 2008-05-13 . 8FCF3A8C83D93FA7BD01574DBD861786 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-25 111952]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-02 344064]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_3"="advpack.dll" [2010-06-24 124928]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    .
    R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 2:06 PM 231424]
    S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [9/22/2010 2:26 PM 30576]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3d9ghmci.default\
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
    FF - Ext: AutoPager: autopager@mozilla.org - %profile%\extensions\autopager@mozilla.org
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-12 05:03
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Swearware\backup\winsock2\Parameters]
    @DACL=(02 0000)
    @SACL=
    "WinSock_Registry_Version"="2.0"
    "Current_NameSpace_Catalog"="NameSpace_Catalog5"
    "Current_Protocol_Catalog"="Protocol_Catalog9"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(852)
    c:\windows\system32\Ati2evxx.dll
    .
    - - - - - - - > 'explorer.exe'(1272)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-05-12 05:05:24
    ComboFix-quarantined-files.txt 2011-05-12 09:05
    .
    Pre-Run: 27,341,283,328 bytes free
    Post-Run: 27,302,047,744 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 74F29B81AAD577BB099FD7FBB72C0CA1

  8. #18
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    That looks like it may be related to McAfee since you disabled it; re-enable McAfee and see if it goes away.

    Download and Run SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      sfcfiles.dll
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

  9. #19
    Guest
    Join Date
    May 2011
    Posts
    57

    Default

    Ken545, all of a sudden the computer downloaded some updates from Microsoft!!! That had not happened for a long while because of the red Microsoft security alert icon in the system tray. But today, a couple of hours ago, some "updates from Microsoft" got installed and I restarted the machine. After the restart, I had an error message. This is the first time I have seen this message. The specific message is in the attachment.
    About McAfee, it is enabled and, like I said, the red icon is gone, but the machine got updated, something that had not happened for a long while...
    OK, I am about to do the next step you told me to. I'll post the log in the next answer.

  10. #20
    Guest
    Join Date
    May 2011
    Posts
    57

    Default

    SystemLook Log

    SystemLook 04.09.10 by jpshortstuff
    Log created at 16:40 on 12/05/2011 by Owner
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "sfcfiles.dll"
    C:\WINDOWS\system32\sfcfiles.dll --a---- 1614848 bytes [03:56 13/05/2008] [03:56 13/05/2008] 8FCF3A8C83D93FA7BD01574DBD861786

    -= EOF =-
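The ComboFix Sigcheck entry in post #17 (flagged `[-]`, meaning ComboFix could not match the file against its reference list) and the SystemLook `:filefind` result in post #20 describe the same file, and the SystemLook run was effectively a request to confirm the two tools agree on what is on disk. The script below is an added example, not code from ComboFix, SystemLook or this thread: it parses those two lines (copied from the logs above as sample input) and reports whether path, size and MD5 match. The regular expressions are a reading of the two log formats as they appear in this thread, not a documented specification of either tool.

```python
import re

# Sample input copied from the logs posted in this thread: the ComboFix
# "Sigcheck" entry and the SystemLook ":filefind" result for sfcfiles.dll.
COMBOFIX_SIGCHECK = (
    r"[-] 2008-05-13 . 8FCF3A8C83D93FA7BD01574DBD861786 . 1614848 . . "
    r"[5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll"
)
SYSTEMLOOK_FILEFIND = (
    r"C:\WINDOWS\system32\sfcfiles.dll --a---- 1614848 bytes "
    r"[03:56 13/05/2008] [03:56 13/05/2008] 8FCF3A8C83D93FA7BD01574DBD861786"
)

# ComboFix Sigcheck line as seen above: "[flag] date . md5 . size . . [version] . . path".
# The bracketed version field is treated as optional (assumption, not documented).
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)"
    r"(?:\s+\.)*\s*(?:\[(?P<version>[^\]]*)\])?(?:\s+\.)*\s*"
    r"(?P<path>[A-Za-z]:\\\S+)\s*$"
)

# SystemLook filefind line as seen above: "path attrs size bytes [stamp] [stamp] md5".
# The two bracketed timestamps are kept in log order without interpreting them.
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+)\s+bytes\s+"
    r"\[(?P<stamp1>[^\]]+)\]\s+\[(?P<stamp2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_sigcheck(line):
    """Parse one ComboFix Sigcheck line into a dict, or return None if it does not fit."""
    m = SIGCHECK_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["size"] = int(d["size"])
    d["md5"] = d["md5"].upper()
    return d


def parse_filefind(line):
    """Parse one SystemLook filefind result line into a dict, or return None."""
    m = FILEFIND_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["size"] = int(d["size"])
    d["md5"] = d["md5"].upper()
    return d


def cross_check(sigcheck_line, filefind_line):
    """Compare what the two tools report for the same file.

    Agreement only shows both tools hashed the same bytes on disk; whether that
    hash is the expected one for the reported file version still has to be
    checked against a trusted reference, which this script does not have.
    """
    sc = parse_sigcheck(sigcheck_line)
    ff = parse_filefind(filefind_line)
    if sc is None or ff is None:
        missing = []
        if sc is None:
            missing.append("unparseable ComboFix Sigcheck line")
        if ff is None:
            missing.append("unparseable SystemLook filefind line")
        return {"consistent": False, "findings": missing}

    findings = []
    # Windows paths are case-insensitive, so compare them lower-cased.
    if sc["path"].lower() != ff["path"].lower():
        findings.append(f"path: ComboFix {sc['path']} vs SystemLook {ff['path']}")
    if sc["md5"] != ff["md5"]:
        findings.append(f"md5: ComboFix {sc['md5']} vs SystemLook {ff['md5']}")
    if sc["size"] != ff["size"]:
        findings.append(f"size: ComboFix {sc['size']} vs SystemLook {ff['size']}")

    return {
        "consistent": not findings,
        "findings": findings,
        "sigcheck_flag": sc["flag"],   # "-" means ComboFix did not recognise the file
        "version": sc["version"],
        "path": ff["path"],
        "size": ff["size"],
        "md5": ff["md5"],
    }


if __name__ == "__main__":
    for key, value in cross_check(COMBOFIX_SIGCHECK, SYSTEMLOOK_FILEFIND).items():
        print(f"{key}: {value}")
```

For the two lines from this thread the result is consistent: both tools report 1614848 bytes and MD5 8FCF3A8C83D93FA7BD01574DBD861786 for the same path, so the next step for a helper is to compare that hash and the reported version 5.1.2600.5512 against a known-good reference, which neither log provides.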
