Grandpas old laptop

Superdumb · Sep 22, 2011

Hello, just got a Dell laptop that used to be my grandpas.
So yeah, ran Spybot and it found that along with fifty-some-odd nasty things there were 13k undeletable temp files.

Thanks in advance for any help you can offer.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Admin at 15:05:46 on 2011-09-22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.759.248 [GMT -7:00]
.
AV: Norton 360 Premier Edition *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Norton 360 Premier Edition *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: YTNavAssist.YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\progra~1\yahoo!\companion\installs\cpn0\YTNavAssist.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0401.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: My_comp9191 Toolbar: {e623cea5-661b-4071-bc1d-d53c0fcdf15a} - c:\program files\twitter-buttons\prxtbtwi0.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: My_comp9191 Toolbar: {e623cea5-661b-4071-bc1d-d53c0fcdf15a} - c:\program files\twitter-buttons\prxtbtwi0.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0401.0\npwinext.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
StartupFolder: c:\docume~1\admin\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{63E64507-4C7E-42DB-B713-DB45466CDB81} : DhcpNameServer = 68.87.69.150 68.87.85.102
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl9ad19258;MpKsl9ad19258;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e7b53693-dd2d-48cb-9839-c079874c4fed}\MpKsl9ad19258.sys [2011-9-22 28752]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2009-5-2 87936]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-1 136176]
.
=============== Created Last 30 ================
.
2011-09-22 20:41:05 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e7b53693-dd2d-48cb-9839-c079874c4fed}\MpKsl9ad19258.sys
2011-09-22 20:40:39 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e7b53693-dd2d-48cb-9839-c079874c4fed}\offreg.dll
2011-09-22 20:40:30 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e7b53693-dd2d-48cb-9839-c079874c4fed}\mpengine.dll
2011-09-22 10:42:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-09-22 10:42:53 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-09-22 06:14:01 -------- d-----w- c:\documents and settings\admin\application data\Azureus
2011-09-22 06:13:03 -------- d-----w- c:\program files\Vuze
2011-09-22 02:28:08 -------- d-----w- c:\documents and settings\admin\local settings\application data\DOSBox
2011-09-22 02:20:47 -------- d-----w- c:\program files\DOSBox-0.74
2011-09-21 23:55:36 -------- d-----w- c:\program files\3000AD
2011-09-21 23:49:52 -------- d--h--w- c:\windows\PIF
2011-09-21 11:19:22 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-09-21 03:32:59 -------- d-----w- c:\program files\mektek.net
2011-09-21 03:21:26 -------- d-----w- c:\windows\system32\XPSViewer
2011-09-21 03:20:23 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-09-21 03:19:42 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-09-21 03:19:42 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-09-21 03:19:42 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-09-21 03:19:42 117760 ------w- c:\windows\system32\prntvpt.dll
2011-09-21 03:19:41 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-09-21 03:19:41 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-09-21 03:19:41 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-09-21 03:19:41 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-09-21 03:19:40 -------- d-----w- C:\c8b789a63c21b6d4e8
2011-09-20 21:31:04 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-09-20 21:31:04 215920 ----a-w- c:\windows\system32\muweb.dll
2011-09-20 21:31:04 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-09-20 00:04:01 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-09-20 00:02:13 -------- d-----w- c:\program files\Microsoft Security Client
2011-09-19 23:25:08 -------- d-----w- c:\windows\pss
2011-09-19 20:32:15 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-09-19 20:31:59 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-09-19 20:26:16 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-09-09 09:12:13 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-19 12:05:24 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-19 09:40:05 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
============= FINISH: 15:06:33.39 ===============

jeffce · Sep 24, 2011

Hi and Welcome!!

My name is Jeff. I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.

Vista and Windows 7 users:

These tools MUST be run from the executable. (.exe) every time you run them
with Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

Having said that....Let's get going!! :thumbup:
----------

GMER

Download GMER Rootkit Scanner from here or here.

Extract the contents of the zipped file to desktop.
Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

Click the image to enlarge it
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries.
----------

Please download aswMBR to your desktop.

Double click the aswMBR icon to run it.
Vista and Windows 7 users right click the icon and choose "Run as administrator".
Click the Scan button to start scan.
When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

Click the image to enlarge it
----------

In your next reply please post the logs created by GMER and aswMBR.

Superdumb · Sep 26, 2011

Here you are good sir. I would type in length of how awesome and great this is but I'm pressed for time.

Much thanks!

jeffce · Sep 26, 2011

Hi SuperD,

Please read through these instructions to familarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
----------

Superdumb · Sep 27, 2011

I ran into a little hitch while trying to turn off the Tea Timer in Spybot-S&D. The instructions asked for me to uncheck the Tea Timer in tools>system startup but I didn't see anything referring to the Tea Timer in its menu. The instructions also went on about clearing previous entries but I don't know if that was needed or should just be ignored.
This is most likely nothing but thought I'd ask.

jeffce · Sep 27, 2011

Hi SuperD,

How about this...go ahead and right-click the Spybot SD icon in the tools bar next to your clock. Uncheck Resident Protection and then go ahead and run ComboFix.

That should be fine.

Superdumb · Sep 27, 2011

Allrighty, I started combofix and it warned me that Norton 360 was still doing something funny. I had thought I uninstalled it but I am as my username says.
Sorry if I'm making it harder. :/

jeffce · Sep 27, 2011

No its not a problem. Go ahead and run ComboFix if you are able to do so even with the warning. If you still have problems running it use the Norton removal tool found here and then run ComboFix.

Superdumb · Sep 27, 2011

ComboFix log. WOOO!

jeffce · Sep 27, 2011

Hi SuperD,

ComboFix log. WOOO!

:bigthumb:
If you wouldn't mind, please copy and paste your logs into the replies please. It makes it easier for me to read. Thanks.

----------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DDS::
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: My_comp9191 Toolbar: {e623cea5-661b-4071-bc1d-d53c0fcdf15a} - c:\program files\twitter-buttons\prxtbtwi0.dll
TB: My_comp9191 Toolbar: {e623cea5-661b-4071-bc1d-d53c0fcdf15a} - c:\program files\twitter-buttons\prxtbtwi0.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll

REGNULL::
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Superdumb · Sep 28, 2011

hope this is correct.

ComboFix 11-09-27.02 - Admin 09/27/2011 17:49:54.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.759.404 [GMT -7:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\conduitengine\prxConduitEngine.dll
c:\program files\google\common\google updater\googleupdaterservice.exe
c:\program files\twitter-buttons\prxtbtwi0.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-08-28 to 2011-09-28 )))))))))))))))))))))))))))))))
.
.
2011-09-27 10:28 . 2011-09-27 10:28 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{060D91BC-C310-4833-83C3-2A9492998E36}\MpKslf5250921.sys
2011-09-27 10:25 . 2011-09-27 10:25 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{060D91BC-C310-4833-83C3-2A9492998E36}\offreg.dll
2011-09-27 10:24 . 2011-09-12 23:14 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{060D91BC-C310-4833-83C3-2A9492998E36}\mpengine.dll
2011-09-23 04:39 . 2011-09-23 04:39 -------- d-----w- c:\program files\Bethesda Softworks
2011-09-22 22:00 . 2011-09-22 22:00 -------- d-----w- c:\program files\ERUNT
2011-09-22 10:42 . 2011-09-22 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-09-22 10:42 . 2011-09-22 10:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-09-22 06:14 . 2011-09-22 09:44 -------- d-----w- c:\documents and settings\Admin\Application Data\Azureus
2011-09-22 06:13 . 2011-09-22 06:13 -------- d-----w- c:\program files\Vuze
2011-09-22 02:28 . 2011-09-22 02:28 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\DOSBox
2011-09-22 02:20 . 2011-09-22 02:52 -------- d-----w- c:\program files\DOSBox-0.74
2011-09-21 23:55 . 2011-09-21 23:55 -------- d-----w- c:\program files\3000AD
2011-09-21 23:49 . 2011-09-21 23:49 -------- d--h--w- c:\windows\PIF
2011-09-21 11:19 . 2011-09-12 23:14 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-09-21 03:32 . 2011-09-21 03:34 -------- d-----w- c:\program files\mektek.net
2011-09-21 03:21 . 2011-09-21 03:21 -------- d-----w- c:\windows\system32\XPSViewer
2011-09-21 03:21 . 2011-09-21 03:21 -------- d-----w- c:\program files\MSBuild
2011-09-21 03:21 . 2011-09-21 03:21 -------- d-----w- c:\program files\Reference Assemblies
2011-09-21 03:20 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-09-21 03:19 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-09-21 03:19 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-09-21 03:19 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-09-21 03:19 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-09-21 03:19 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-09-21 03:19 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-09-21 03:19 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-09-21 03:19 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-09-21 03:19 . 2011-09-21 03:20 -------- d-----w- C:\c8b789a63c21b6d4e8
2011-09-20 21:31 . 2009-08-07 02:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-09-20 21:31 . 2009-08-07 02:23 215920 ----a-w- c:\windows\system32\muweb.dll
2011-09-20 04:35 . 2011-09-20 04:35 -------- d-----w- c:\documents and settings\Admin\Application Data\SystemRequirementsLab
2011-09-20 04:33 . 2011-09-20 04:33 -------- d-----w- c:\program files\Common Files\Java
2011-09-20 00:04 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-09-20 00:02 . 2011-09-20 00:02 -------- d-----w- c:\program files\Microsoft Security Client
2011-09-19 20:32 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-09-19 20:31 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-09-19 20:26 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-09-09 09:12 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2004-08-04 10:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-19 12:05 . 2010-09-06 21:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-19 09:40 . 2010-09-06 21:00 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-15 13:29 . 2004-08-04 10:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-04 10:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-27_02.02.36 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\progra~1\Yahoo!\Companion\Installs\cpn0\YTNavAssist.dll" [2011-03-16 214840]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
.
c:\documents and settings\Admin\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 17:17 5252408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2009-07-17 18:12 288080 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Toolbar]
2010-02-12 18:02 240992 ----a-w- c:\program files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 12:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 20:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-09-16 23:47 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"wlidsvc"=2 (0x2)
"WLANKEEPER"=2 (0x2)
"SeaPort"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"N360"=2 (0x2)
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
"EvtEng"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
.
R1 MpKslf5250921;MpKslf5250921;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{060D91BC-C310-4833-83C3-2A9492998E36}\MpKslf5250921.sys [9/27/2011 3:28 AM 28752]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [5/2/2009 4:20 PM 87936]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/1/2010 3:43 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/1/2010 3:43 PM 136176]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*NewlyCreated* - MPKSL4C675024
*NewlyCreated* - MPKSLE69E5316
*NewlyCreated* - MPKSLF5250921
*NewlyCreated* - PXTDYPOG
*Deregistered* - aswMBR
*Deregistered* - MpKsl4c675024
*Deregistered* - MpKsle69e5316
*Deregistered* - pxtdypog
.
Contents of the 'Scheduled Tasks' folder
.
2010-10-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-01 22:43]
.
2011-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-01 22:43]
.
2011-09-25 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 22:39]
.
2011-09-24 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1336913123-3509466996-4123555272-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 10:02]
.
2011-09-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1336913123-3509466996-4123555272-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 10:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
TCP: DhcpNameServer = 68.87.69.150 68.87.85.102
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-27 17:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-09-27 17:59:51
ComboFix-quarantined-files.txt 2011-09-28 00:59
ComboFix2.txt 2011-09-27 02:05
.
Pre-Run: 19,718,479,872 bytes free
Post-Run: 19,706,351,616 bytes free
.
- - End Of File - - 97F999D2639C6DE34204D9E26BC4B2ED

jeffce · Sep 28, 2011

Hi SuperD,

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan as shown below.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

The log can also be found here:
C:\Documents and Settings\<User name>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
----------

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the

button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
1. Click on
  
  to download the ESET Smart Installer. Save it to your desktop.
2. Double click on the
  
  icon on your desktop.
Check
Click the Start button.
Accept any security warnings from your browser.
Check
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push

, and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the Back button.
Push Finish

http://www.eset.com/onlinescan/
----------

In your next reply please post the logs created by Malwarebytes and ESET Online Scanner.

Superdumb · Sep 28, 2011

Malwarebyte log

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7811

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/27/2011 9:01:44 PM
mbam-log-2011-09-27 (21-01-44).txt

Scan type: Quick scan
Objects scanned: 158713
Time elapsed: 4 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Admin\my documents\downloads\xvidsetup.exe (Adware.Agent) -> Quarantined and deleted successfully.

Superdumb · Sep 28, 2011

I just finished the ESET scan but it didn't find anything and I never saw a prompt for a report.

jeffce · Sep 28, 2011

Hi SuperD,

Moving right along...

You have an older version of Adobe Reader. You can download the current version HERE

You may want to consider Foxit Reader instead. It may be a bit lighter on resources.

Visit their support forum
Foxit Forum

In either case you should uninstall Adobe Reader 9.4.6 first. Be sure to move any PDF documents to another folder first though.
----------

Please download JavaRa to your desktop and unzip it to its own
folder

Run JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista), pick the language of your choice and click Select. Then
click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista) again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest
Java Runtime Environment (JRE) version for your computer.

----------

Now go ahead and run DDS once more and post both of the logs that are created into your next reply.

How is your system running now?

Superdumb · Sep 28, 2011

Ahoy there, Jeff.

I'm about to run the first two steps from your last post but had a question about what you meant by DDS.

jeffce · Sep 28, 2011

Hi there SuperD,

DDS was the first scan that you ran and posted your first log. If you need another copy of it let me know and I will give you the link to download.

Superdumb · Sep 29, 2011

Oh that thing, my silly brain.

-DDS.txt
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Admin at 18:22:48 on 2011-09-28
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.759.359 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
svchost.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.yahoo.com/
uURLSearchHooks: YTNavAssist.YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\progra~1\yahoo!\companion\installs\cpn0\YTNavAssist.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0401.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: {e623cea5-661b-4071-bc1d-d53c0fcdf15a} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0401.0\npwinext.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\admin\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{63E64507-4C7E-42DB-B713-DB45466CDB81} : DhcpNameServer = 68.87.69.150 68.87.85.102
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl502e3bd4;MpKsl502e3bd4;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4fc031c2-e914-4db1-9bd0-7d77e3a9eadb}\MpKsl502e3bd4.sys [2011-9-28 28752]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2009-5-2 87936]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-1 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-1 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
.
=============== Created Last 30 ================
.
2011-09-28 21:09:14 -------- d-----w- c:\program files\Foxit Software
2011-09-28 21:06:00 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4fc031c2-e914-4db1-9bd0-7d77e3a9eadb}\MpKsl502e3bd4.sys
2011-09-28 21:04:54 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4fc031c2-e914-4db1-9bd0-7d77e3a9eadb}\offreg.dll
2011-09-28 21:04:37 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4fc031c2-e914-4db1-9bd0-7d77e3a9eadb}\mpengine.dll
2011-09-28 20:49:42 -------- d-----w- c:\documents and settings\all users\application data\McAfee Security Scan
2011-09-28 20:49:27 -------- d-----w- c:\program files\McAfee Security Scan
2011-09-28 13:06:30 -------- d-----w- c:\documents and settings\admin\application data\Mael
2011-09-28 12:55:25 -------- d-----w- c:\program files\HxD
2011-09-28 04:10:36 -------- d-----w- c:\program files\ESET
2011-09-28 03:52:07 -------- d-----w- c:\documents and settings\admin\application data\Malwarebytes
2011-09-28 03:51:38 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-09-28 03:51:29 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-28 03:51:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-27 01:52:57 -------- d-sha-r- C:\cmdcons
2011-09-27 00:52:12 98816 ----a-w- c:\windows\sed.exe
2011-09-27 00:52:12 518144 ----a-w- c:\windows\SWREG.exe
2011-09-27 00:52:12 256000 ----a-w- c:\windows\PEV.exe
2011-09-27 00:52:12 208896 ----a-w- c:\windows\MBR.exe
2011-09-23 04:39:49 -------- d-----w- c:\program files\Bethesda Softworks
2011-09-22 10:42:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-09-22 10:42:53 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-09-22 06:14:01 -------- d-----w- c:\documents and settings\admin\application data\Azureus
2011-09-22 06:13:03 -------- d-----w- c:\program files\Vuze
2011-09-22 02:28:08 -------- d-----w- c:\documents and settings\admin\local settings\application data\DOSBox
2011-09-22 02:20:47 -------- d-----w- c:\program files\DOSBox-0.74
2011-09-21 23:55:36 -------- d-----w- c:\program files\3000AD
2011-09-21 23:49:52 -------- d--h--w- c:\windows\PIF
2011-09-21 11:19:22 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-09-21 03:32:59 -------- d-----w- c:\program files\mektek.net
2011-09-21 03:21:26 -------- d-----w- c:\windows\system32\XPSViewer
2011-09-21 03:20:23 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-09-21 03:19:42 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-09-21 03:19:42 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-09-21 03:19:42 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-09-21 03:19:42 117760 ------w- c:\windows\system32\prntvpt.dll
2011-09-21 03:19:41 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-09-21 03:19:41 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-09-21 03:19:41 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-09-21 03:19:41 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-09-21 03:19:40 -------- d-----w- C:\c8b789a63c21b6d4e8
2011-09-20 21:31:04 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-09-20 21:31:04 215920 ----a-w- c:\windows\system32\muweb.dll
2011-09-20 21:31:04 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-09-20 00:04:01 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-09-20 00:02:13 -------- d-----w- c:\program files\Microsoft Security Client
2011-09-19 23:25:08 -------- d-----w- c:\windows\pss
2011-09-19 20:32:15 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-09-19 20:31:59 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-09-19 20:26:16 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-09-09 09:12:13 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
.
==================== Find3M ====================
.
2011-09-28 21:52:49 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 21:52:48 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
============= FINISH: 18:24:29.18 ===============

-Attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 5/3/2009 1:45:05 PM
System Uptime: 9/28/2011 5:58:43 AM (13 hours ago)
.
Motherboard: Dell Inc. | |
Processor: Intel(R) Pentium(R) M processor 1.73GHz | Microprocessor | 1728/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 37 GiB total, 17.835 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP181: 9/19/2011 2:53:03 PM - Software Distribution Service 3.0
RP182: 9/19/2011 3:14:42 PM - Software Distribution Service 3.0
RP183: 9/19/2011 5:04:01 PM - Software Distribution Service 3.0
RP184: 9/19/2011 9:32:30 PM - Installed Java(TM) 6 Update 27
RP185: 9/20/2011 3:40:34 PM - Software Distribution Service 3.0
RP186: 9/20/2011 8:19:57 PM - Installed Windows KB954550-v5.
RP187: 9/20/2011 8:20:14 PM - Printer Driver Microsoft XPS Document Writer Installed
RP188: 9/20/2011 8:20:29 PM - Printer Driver Microsoft XPS Document Writer Installed
RP189: 9/20/2011 8:32:55 PM - Installed MTX
RP190: 9/20/2011 8:45:08 PM - Software Distribution Service 3.0
RP191: 9/21/2011 3:14:24 AM - Software Distribution Service 3.0
RP192: 9/21/2011 4:18:08 AM - Software Distribution Service 3.0
RP193: 9/21/2011 4:55:24 PM - Installed Battlecruiser Millennium FREEWARE
RP194: 9/22/2011 1:39:08 PM - Software Distribution Service 3.0
RP195: 9/23/2011 4:37:35 PM - Software Distribution Service 3.0
RP196: 9/25/2011 12:21:33 AM - System Checkpoint
RP197: 9/25/2011 12:26:34 AM - Software Distribution Service 3.0
RP198: 9/26/2011 5:04:19 AM - Software Distribution Service 3.0
RP199: 9/27/2011 3:24:46 AM - Software Distribution Service 3.0
RP200: 9/27/2011 10:27:51 PM - Software Distribution Service 3.0
RP201: 9/28/2011 1:52:10 PM - Removed Adobe Reader 9.4.6.
RP202: 9/28/2011 1:56:54 PM - Installed Adobe Reader X (10.1.1).
RP203: 9/28/2011 2:04:32 PM - Software Distribution Service 3.0
RP204: 9/28/2011 2:52:32 PM - Installed Java(TM) 7
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
ALPS Touch Pad Driver
Apple Application Support
Apple Software Update
Battlecruiser Millennium FREEWARE
Conexant D110 MDC V.92 Modem
Daggerfall
DoubleDeck Pinochle 4.0
eCalc Calculator
ERUNT 1.1j
ESET Online Scanner v3
Foxit Reader 5.0
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HxD Hex Editor version 1.7.7.0
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PROSet/Wireless Software
Java Auto Updater
Java(TM) 7
Live TV
Malwarebytes' Anti-Malware version 1.51.2.1300
McAfee Security Scan Plus
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework SDK (English) 1.1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Default Manager
Microsoft Search Enhancement Pack
Microsoft Security Client
Microsoft Security Essentials
Microsoft UI Engine
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
mIWA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
MSN
MSN Toolbar
MSN Toolbar Platform
mSSO
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MTX
mWlsSafe
mWMI
mXML
mZConfig
QuickSet
QuickTime
RealPlayer
RealUpgrade 1.0
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sonic CinePlayer DVD Pack
Spybot - Search & Destroy
Texas Instruments PCIxx21/x515 drivers.
TI_Inst
twitter-buttons Toolbar
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2616676-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VLC media player 0.9.8a
Vuze
WebFldrs XP
Windows Internet Explorer 8
Windows Live ID Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR 4.01 (32-bit)
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
9/27/2011 9:04:57 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
9/26/2011 4:44:18 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
9/25/2011 5:21:27 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
9/21/2011 3:23:04 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.111.2595.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7604.0 Error code: 0x80240016 Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
9/21/2011 3:23:04 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.111.2595.0 Update Source: Microsoft Update Server Update Stage: Install Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7604.0 Error code: 0x80240016 Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
9/21/2011 3:23:04 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.111.2595.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7604.0 Error code: 0x80240016 Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
.
==== End Of File ===========================

Hope I did that right.

jeffce · Sep 29, 2011

Hi SuperD,

Yep you are doing just fine.

How is your system running??

----------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DDS::
BHO: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
BHO: {e623cea5-661b-4071-bc1d-d53c0fcdf15a} - No File
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
----------

Superdumb · Sep 30, 2011

She seems happy! Much thanks to you, again!

Here is the Combofix log

ComboFix 11-09-28.06 - Admin 09/28/2011 21:52:17.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.759.409 [GMT -7:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Admin\Desktop\Setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-08-28 to 2011-09-29 )))))))))))))))))))))))))))))))
.
.
2011-09-28 21:53 . 2011-09-28 21:53 -------- d-----w- c:\program files\Common Files\Java
2011-09-28 21:09 . 2011-09-28 21:09 -------- d-----w- c:\program files\Foxit Software
2011-09-28 21:06 . 2011-09-28 21:06 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4FC031C2-E914-4DB1-9BD0-7D77E3A9EADB}\MpKsl502e3bd4.sys
2011-09-28 21:04 . 2011-09-28 21:04 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4FC031C2-E914-4DB1-9BD0-7D77E3A9EADB}\offreg.dll
2011-09-28 21:04 . 2011-09-12 23:14 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4FC031C2-E914-4DB1-9BD0-7D77E3A9EADB}\mpengine.dll
2011-09-28 20:49 . 2011-09-28 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-09-28 20:49 . 2011-09-28 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2011-09-28 20:49 . 2011-09-28 20:49 -------- d-----w- c:\program files\McAfee Security Scan
2011-09-28 13:06 . 2011-09-28 13:06 -------- d-----w- c:\documents and settings\Admin\Application Data\Mael
2011-09-28 12:55 . 2011-09-28 12:55 -------- d-----w- c:\program files\HxD
2011-09-28 04:10 . 2011-09-28 04:10 -------- d-----w- c:\program files\ESET
2011-09-28 03:52 . 2011-09-28 03:52 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2011-09-28 03:51 . 2011-09-28 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-28 03:51 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-28 03:51 . 2011-09-28 03:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-23 04:39 . 2011-09-23 04:39 -------- d-----w- c:\program files\Bethesda Softworks
2011-09-22 22:00 . 2011-09-22 22:00 -------- d-----w- c:\program files\ERUNT
2011-09-22 10:42 . 2011-09-22 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-09-22 10:42 . 2011-09-22 10:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-09-22 06:14 . 2011-09-22 09:44 -------- d-----w- c:\documents and settings\Admin\Application Data\Azureus
2011-09-22 06:13 . 2011-09-22 06:13 -------- d-----w- c:\program files\Vuze
2011-09-22 02:28 . 2011-09-22 02:28 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\DOSBox
2011-09-22 02:20 . 2011-09-22 02:52 -------- d-----w- c:\program files\DOSBox-0.74
2011-09-21 23:55 . 2011-09-21 23:55 -------- d-----w- c:\program files\3000AD
2011-09-21 23:49 . 2011-09-21 23:49 -------- d--h--w- c:\windows\PIF
2011-09-21 11:19 . 2011-09-12 23:14 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-09-21 03:32 . 2011-09-21 03:34 -------- d-----w- c:\program files\mektek.net
2011-09-21 03:21 . 2011-09-21 03:21 -------- d-----w- c:\windows\system32\XPSViewer
2011-09-21 03:21 . 2011-09-21 03:21 -------- d-----w- c:\program files\MSBuild
2011-09-21 03:21 . 2011-09-21 03:21 -------- d-----w- c:\program files\Reference Assemblies
2011-09-21 03:20 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-09-21 03:19 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-09-21 03:19 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-09-21 03:19 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-09-21 03:19 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-09-21 03:19 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-09-21 03:19 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-09-21 03:19 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-09-21 03:19 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-09-21 03:19 . 2011-09-21 03:20 -------- d-----w- C:\c8b789a63c21b6d4e8
2011-09-20 21:31 . 2009-08-07 02:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-09-20 21:31 . 2009-08-07 02:23 215920 ----a-w- c:\windows\system32\muweb.dll
2011-09-20 04:35 . 2011-09-20 04:35 -------- d-----w- c:\documents and settings\Admin\Application Data\SystemRequirementsLab
2011-09-20 00:04 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-09-20 00:02 . 2011-09-20 00:02 -------- d-----w- c:\program files\Microsoft Security Client
2011-09-19 20:32 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-09-19 20:31 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-09-19 20:26 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-09-09 09:12 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-28 21:52 . 2010-09-06 21:00 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 21:52 . 2010-09-06 21:00 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-09 09:12 . 2004-08-04 10:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2004-08-04 10:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-04 10:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-27_02.02.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-28 21:53 . 2011-09-28 21:53 16384 c:\windows\Temp\Perflib_Perfdata_aa8.dat
+ 2011-09-28 21:53 . 2011-09-28 21:52 214408 c:\windows\system32\javaws.exe
+ 2011-09-28 21:53 . 2011-09-28 21:52 173960 c:\windows\system32\javaw.exe
+ 2011-09-28 21:53 . 2011-09-28 21:52 173960 c:\windows\system32\java.exe
+ 2011-09-28 21:53 . 2011-09-28 21:53 176640 c:\windows\Installer\3d1c4bb.msi
+ 2011-09-28 21:52 . 2011-09-28 21:52 937984 c:\windows\Installer\3d1c4ad.msi
+ 2011-09-28 04:05 . 2011-09-28 04:05 311296 c:\windows\ERDNT\AutoBackup\9-27-2011\Users\00000002\UsrClass.dat
+ 2011-09-28 04:05 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\9-27-2011\ERDNT.EXE
+ 2011-09-28 04:05 . 2011-09-28 04:05 7512064 c:\windows\ERDNT\AutoBackup\9-27-2011\Users\00000001\NTUSER.DAT
+ 2009-05-25 22:23 . 2011-09-28 05:28 47369160 c:\windows\system32\MRT.exe
+ 2011-09-05 21:51 . 2011-09-05 21:51 13135872 c:\windows\Installer\3998917.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\progra~1\Yahoo!\Companion\Installs\cpn0\YTNavAssist.dll" [2011-03-16 214840]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
.
c:\documents and settings\Admin\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 17:17 5252408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2009-07-17 18:12 288080 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Toolbar]
2010-02-12 18:02 240992 ----a-w- c:\program files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 12:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-05-04 20:59 252136 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-09-16 23:47 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"wlidsvc"=2 (0x2)
"WLANKEEPER"=2 (0x2)
"SeaPort"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"N360"=2 (0x2)
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
"EvtEng"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
.
R1 MpKsl502e3bd4;MpKsl502e3bd4;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4FC031C2-E914-4DB1-9BD0-7D77E3A9EADB}\MpKsl502e3bd4.sys [9/28/2011 2:06 PM 28752]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [5/2/2009 4:20 PM 87936]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/1/2010 3:43 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/1/2010 3:43 PM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL0E2746CF
*NewlyCreated* - MPKSL502E3BD4
*Deregistered* - MpKsl0e2746cf
.
Contents of the 'Scheduled Tasks' folder
.
2010-10-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-01 22:43]
.
2011-09-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-01 22:43]
.
2011-09-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 22:39]
.
2011-09-28 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1336913123-3509466996-4123555272-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 10:02]
.
2011-09-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1336913123-3509466996-4123555272-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 10:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
TCP: DhcpNameServer = 68.87.69.150 68.87.85.102
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-28 21:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-09-28 22:01:27
ComboFix-quarantined-files.txt 2011-09-29 05:01
ComboFix2.txt 2011-09-28 00:59
ComboFix3.txt 2011-09-27 02:05
.
Pre-Run: 19,188,350,976 bytes free
Post-Run: 19,222,482,944 bytes free
.
- - End Of File - - BB910AA083F99EBAFFCD911BEBF55D71

Grandpas old laptop

New member

Emeritus

New member

Emeritus

New member

Emeritus

New member

Emeritus

New member

Emeritus

New member

Emeritus

New member

New member

Emeritus

New member

Emeritus

New member

Emeritus

New member