1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Did I get it all?

Discussion in 'Virus & Other Malware Removal' started by Heatherly, Oct 24, 2012.

Thread Status:
Not open for further replies.
Advertisement
  1. Heatherly

    Heatherly Thread Starter

    Joined:
    Sep 17, 2008
    Messages:
    16
    My father contracted the FBI Moneypak ransomware on the guest bedroom PC earlier today. When he told me, I immediately shut it down, booted it in safe mode, and ran Malwarebytes. All symptoms were gone, but as Malwarebytes was out of date, I updated its database and ran it again. (It found five more infections that we then removed.) Rebooted and ran a third Malwarebytes full scan, which came up clean. But I'm paranoid, so just to make sure it didn't miss anything, I ran HijackThis. Here's the log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:40:16 PM, on 10/24/2012
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
    O2 - BHO: Swiki_IE - {1D9C1749-118F-4111-9598-A36476426D18} - C:\Program Files\Swiki_IE\ScriptHost.dll
    O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    O2 - BHO: Swiki_IE - {34191E35-BBFC-4587-87A9-4B397107119D} - C:\Program Files\Swiki_IE\ScriptHost.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [Google] "xidpwooedd.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

    --
    End of file - 4612 bytes
     
  2. Gizzy

    Gizzy Malware Specialist

    Joined:
    Aug 2, 2005
    Messages:
    3,832
    Hello Heatherly! :)
    My name is Gizzy and I'll be glad to help you with your malware problems.

    Please note the following while we work:
    • The fixes are specific to your problem and should only be used for this issue on this computer.
    • Perform all actions in the order given.
    • If you don't know or understand something stop and ask! Don't keep going on.
    • Please DO NOT uninstall/install any programs unless asked to. It is more difficult when files/programs appear or disappear from the logs.
    • Please DO NOT run any tools or scans unless I ask you to.
    • It is important that you reply to this thread. Do not start a new topic.
    • Your security programs may give warnings for some of the tools I will ask you to use, Be assured, any links I give are safe.
    • The process is not instant, Please continue to respond to this thread until I give you the All Clean!. Absence of symptoms does not mean that everything is clear.
    • Topics not replied to within 3 days will be removed from my Subscribed Threads List.
    Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

    Because of this, I advise you to backup any personal files and folders before you start.
    Backup your data - XP


    Please post the Malwarebytes' logs where they detected infections.
    The log is automatically saved and can be viewed by clicking the Logs tab in Malwarebytes' Anti-Malware. It can also be found here:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


    Fix HijackThis Entries
    1. Open HijackThis
    2. Click Scan
    3. Tick the box next to the following entries (if present)
      • O2 - BHO: Swiki_IE - {1D9C1749-118F-4111-9598-A36476426D18} - C:\Program Files\Swiki_IE\ScriptHost.dll
        O2 - BHO: Swiki_IE - {34191E35-BBFC-4587-87A9-4B397107119D} - C:\Program Files\Swiki_IE\ScriptHost.dll
        O4 - HKCU\..\Run: [Google] "xidpwooedd.exe"
    4. Close all open windows/browsers and click Fix checked


    Uninstall List
    1. Open HijackThis.
    2. Click the Open the Misc Tools section button. (If you don't see that button click the Main Menu button first)
    3. Click the Open Uninstall Manager... button and then click the Save list... button.
    4. Save the uninstall_list.txt file to your HijackThis folder. (C:\Program Files\Trend Micro\HijackThis)
    5. Copy and Paste the contents of uninstall_list.txt in your next reply.


    Please reply with:
    • Malwarebytes' log(s)
    • Uninstall list
     
  3. Heatherly

    Heatherly Thread Starter

    Joined:
    Sep 17, 2008
    Messages:
    16
    Hi Gizzy! Thank you for your response. Here are the two Malwarebytes logs where infections were found, and the uninstall list from HijackThis, as requested:

    First scan log:

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.08.04

    Windows XP Service Pack 3 x86 NTFS (Safe Mode)
    Internet Explorer 8.0.6001.18702
    Grandpa :: OWNER-853ACF962 [administrator]

    10/24/2012 2:13:18 PM
    mbam-log-2012-10-24 (14-13-18).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 285696
    Time elapsed: 59 minute(s), 4 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Microsoft Updater (Trojan.Agent.Gen) -> Data: "C:\Documents and Settings\Grandpa\0.430277689117476.exe" -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    C:\Documents and Settings\Darla\Local Settings\Application Data\GamesLeapSA\bin\1.0.7.0\gamesleapSA.exe (Adware.HotBar.CP) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Grandpa\0.430277689117476.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

    (end)

    Second scan log:

    Malwarebytes Anti-Malware 1.65.1.1000
    www.malwarebytes.org

    Database version: v2012.10.24.07

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Grandpa :: OWNER-853ACF962 [administrator]

    10/24/2012 4:02:54 PM
    mbam-log-2012-10-24 (16-02-54).txt

    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 307908
    Time elapsed: 38 minute(s), 37 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 5
    C:\Documents and Settings\Darla\Local Settings\Application Data\GamesLeapSA\bin\1.0.7.0\GamesLeapSACB.exe (Adware.HotBar.Gen) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Darla\Local Settings\Application Data\Opera\Opera\cache\g_002A\opr00GTI.tmp (Adware.AdBundle) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Darla\Local Settings\Application Data\Opera\Opera\cache\g_002A\opr00GTK.tmp (PUP.BundleInstaller.VIO) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Darla\Local Settings\Application Data\Opera\Opera\temporary_downloads\XvidSetup.exe (Adware.AdBundle) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{58E20A39-CE8B-42D2-A087-C4FE43BC7A6E}\RP226\A0027722.exe (Adware.HotBar.CP) -> Quarantined and deleted successfully.

    (end)

    Uninstall list

    Ad-Aware
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Linguistics CS3
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Photoshop CS3
    Adobe Setup
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    Amazon Kindle
    Belarc Advisor 8.2
    BitTorrent
    Broadcom Management Programs
    Broadcom NetXtreme Ethernet Controller
    DAEMON Tools Lite
    DivX Setup
    Dream Aquarium
    Foxit Reader 5.1
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB2756822)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB961118)
    Intel(R) Graphics Media Accelerator Driver
    Java(TM) 6 Update 22
    K-Lite Mega Codec Pack 8.3.2
    Malwarebytes Anti-Malware version 1.65.1.1000
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft .NET Framework 4 Extended
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    OpenOffice.org 3.3
    Opera 12.02
    Pando Media Booster
    PDF Settings
    PrimoPDF -- brought to you by Nitro PDF Software
    Realtek High Definition Audio Driver
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB2675157)
    Security Update for Windows Internet Explorer 8 (KB2699988)
    Security Update for Windows Internet Explorer 8 (KB2722913)
    Security Update for Windows Internet Explorer 8 (KB2744842)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2510581)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2544521)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2586448)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2653956)
    Security Update for Windows XP (KB2655992)
    Security Update for Windows XP (KB2659262)
    Security Update for Windows XP (KB2660465)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB2676562)
    Security Update for Windows XP (KB2685939)
    Security Update for Windows XP (KB2686509)
    Security Update for Windows XP (KB2691442)
    Security Update for Windows XP (KB2695962)
    Security Update for Windows XP (KB2698365)
    Security Update for Windows XP (KB2705219)
    Security Update for Windows XP (KB2707511)
    Security Update for Windows XP (KB2709162)
    Security Update for Windows XP (KB2712808)
    Security Update for Windows XP (KB2718523)
    Security Update for Windows XP (KB2719985)
    Security Update for Windows XP (KB2723135)
    Security Update for Windows XP (KB2724197)
    Security Update for Windows XP (KB2731847)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982665)
    Swiki version 1.0
    Swiki_IE
    System Requirements Lab CYRI
    The Sims 2
    The Sims 2 Nightlife
    The Sims 2 Pets
    The Sims 2 University
    The Sims&#8482; 2 Apartment Life
    The Sims&#8482; 2 Mansion and Garden Stuff
    The Sims&#8482; 2 Seasons
    Trillian
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB2598845)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB2661254-v2)
    Update for Windows XP (KB2718704)
    Update for Windows XP (KB2736233)
    Update for Windows XP (KB2749655)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC80CRTRedist - 8.0.50727.6195
    VideoLAN VLC media player 0.8.6f
    Winamp
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    WinRAR 4.11 (32-bit)
     
  4. Gizzy

    Gizzy Malware Specialist

    Joined:
    Aug 2, 2005
    Messages:
    3,832
    Hi Heatherly,

    P2P Software
    I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    BitTorrent

    Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

    I strongly recommend you go to Control Panel > Add or Remove Programs and uninstall the programs listed above (in red). If you cannot find them in Programs and Features and would like them removed, let me know in your next reply.

    If you wish to keep them, please do not use them until your computer is cleaned.


    Security Check
    1. Download Security Check by screen317 from:
    2. Save it to your Desktop.
    3. Double-click SecurityCheck.exe, Then follow the onscreen instructions inside of the black box.
    4. A Notepad document should open automatically called checkup.txt
    5. Please post the contents of that document.


    Download and run OTL
    1. Download OTL to your desktop.
    2. Double-click on OTL.exe to run it. Make sure all other windows are closed and let it run uninterrupted.
    3. Check the box beside Scan All Users
    4. Ensure Use SafeList is selected under Extra Registry
    5. Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    6. When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    7. Please copy (Edit > Select All -- Edit > Copy) the contents of these files, one at a time, and post them with your next reply.


    Gmer Rootkit Scanner
    Download GMER Rootkit Scanner from here & save it to your desktop.
    1. Double-click the .exe file. If asked to allow gmer.sys driver to load, please consent
    2. If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
    3. In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
        [​IMG]
        Click the image to enlarge it
    4. Then click the Scan button & wait for it to finish
    5. Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
    6. Save it where you can easily find it, such as your desktop, and post it in your next reply
    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

    Do not run any programs while Gmer is running.


    Please reply with:
    • SecurityCheck log
    • OTL logs (OTL.txt and Extras.txt)
    • Gmer log
     
  5. Heatherly

    Heatherly Thread Starter

    Joined:
    Sep 17, 2008
    Messages:
    16
    Hi Gizzy,

    Here are the requested logs:

    Security Check log

    Results of screen317's Security Check version 0.99.53
    Windows XP Service Pack 3 x86
    Internet Explorer 8
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Disabled!
    Please wait while WMIC compiles updated MOF files.d
    i
    s
    p
    l
    a
    y
    N
    a
    m
    e
    ECHO is off.
    L
    a
    v
    a
    s
    o
    f
    t
    ECHO is off.
    A
    d
    W
    a
    t
    c
    h
    ECHO is off.
    L
    i
    v
    e
    !
    ECHO is off.
    A
    n
    t
    i
    V
    i
    r
    u
    s
    ECHO is off.
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Ad-Aware
    Malwarebytes Anti-Malware version 1.65.1.1000
    Java(TM) 6 Update 22
    Java version out of Date!
    Adobe Flash Player 11.4.402.287
    ````````Process Check: objlist.exe by Laurent````````
    Ad-Aware AAWService.exe
    Ad-Aware AAWTray.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C:: 24% Defragment your hard drive soon! (Do NOT defrag if SSD!)
    ````````````````````End of Log``````````````````````

    OTL

    OTL logfile created on: 10/25/2012 4:03:27 PM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Grandpa\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1015.23 Mb Total Physical Memory | 206.85 Mb Available Physical Memory | 20.37% Memory free
    2.39 Gb Paging File | 1.98 Gb Available in Paging File | 82.84% Paging File free
    Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 74.53 Gb Total Space | 33.71 Gb Free Space | 45.23% Space Free | Partition Type: NTFS
    Drive D: | 545.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: OWNER-853ACF962 | User Name: Grandpa | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/10/25 16:01:41 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Grandpa\Desktop\OTL.exe
    PRC - [2012/10/25 10:46:52 | 000,874,896 | ---- | M] (Opera Software) -- C:\Program Files\Opera\opera.exe
    PRC - [2012/08/25 13:08:09 | 001,191,768 | ---- | M] (Lavasoft Limited) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    PRC - [2012/05/23 13:07:00 | 002,152,720 | ---- | M] (Lavasoft Limited) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    PRC - [2011/07/28 18:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012/10/25 10:47:01 | 000,316,928 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gstoggdec.dll
    MOD - [2012/10/25 10:47:01 | 000,276,480 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gstwebmdec.dll
    MOD - [2012/10/25 10:47:01 | 000,168,448 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gstffmpegcolorspace.dll
    MOD - [2012/10/25 10:47:01 | 000,078,336 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gstwavparse.dll
    MOD - [2012/10/25 10:47:01 | 000,076,800 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gstdirectsound.dll
    MOD - [2012/10/25 10:47:01 | 000,064,000 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gstautodetect.dll
    MOD - [2012/10/25 10:47:01 | 000,046,592 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gstwaveform.dll
    MOD - [2012/10/25 10:47:01 | 000,045,568 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gsttypefindfunctions.dll
    MOD - [2012/10/25 10:47:00 | 000,783,360 | ---- | M] () -- C:\Program Files\Opera\gstreamer\gstreamer.dll
    MOD - [2012/10/25 10:47:00 | 000,099,840 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gstcoreplugins.dll
    MOD - [2012/10/25 10:47:00 | 000,098,816 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gstaudioresample.dll
    MOD - [2012/10/25 10:47:00 | 000,098,816 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gstaudioconvert.dll
    MOD - [2012/10/25 10:47:00 | 000,068,608 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gstdecodebin2.dll
    MOD - [2012/09/25 16:07:36 | 000,165,768 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Defs\Extended\libMachoUniv.dll
    MOD - [2012/09/25 16:07:34 | 000,190,344 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Defs\Extended\libBase64.dll
    MOD - [2012/05/23 13:07:31 | 000,430,568 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\VipreBridge.dll
    MOD - [2012/05/23 13:07:25 | 000,591,232 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\RPAPI.dll
    MOD - [2012/02/08 14:05:38 | 000,508,776 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Defs\thorax.aaw
    MOD - [2011/12/23 08:12:12 | 000,308,560 | ---- | M] () -- C:\Program Files\Lavasoft\Ad-Aware\Vipre.dll
    MOD - [2011/07/28 18:09:42 | 000,096,112 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll
    MOD - [2011/07/28 18:08:12 | 001,259,376 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    MOD - [2011/02/28 17:37:32 | 000,180,624 | ---- | M] () -- C:\WINDOWS\system32\Primomonnt.dll
    MOD - [2008/04/14 07:00:00 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll


    ========== Services (SafeList) ==========

    SRV - [2012/10/09 14:26:11 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2012/05/23 13:07:00 | 002,152,720 | ---- | M] (Lavasoft Limited) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
    SRV - [2012/05/10 10:07:33 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
    DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
    DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
    DRV - [2012/07/06 21:40:15 | 000,242,240 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dtsoftbus01.sys -- (dtsoftbus01)
    DRV - [2011/12/23 08:12:12 | 000,064,512 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\Lbd.sys -- (Lbd)
    DRV - [2011/08/09 17:33:58 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\BANTExt.sys -- (BANTExt)
    DRV - [2009/11/03 04:39:04 | 005,940,736 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
    DRV - [2008/11/26 16:37:42 | 000,187,392 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
    DRV - [2008/10/28 15:39:44 | 000,089,600 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\baspxp32.sys -- (Blfp)
    DRV - [2008/08/05 05:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
    DRV - [2006/01/04 00:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-725345543-1844237615-1801674531-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    ========== FireFox ==========

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_4_402_287.dll ()
    FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
    FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
    FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2012/03/31 00:22:56 | 000,000,000 | ---D | M]

    [2012/10/22 23:19:57 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

    O1 HOSTS File: ([2008/04/14 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
    O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
    O4 - Startup: C:\Documents and Settings\Darla\Start Menu\Programs\Startup\Trillian.lnk = C:\Program Files\Trillian\trillian.exe (Cerulean Studios)
    O4 - Startup: C:\Documents and Settings\owner\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-725345543-1844237615-1801674531-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 192.168.1.254
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{AC6CC84D-EC39-4F2B-88D5-586A1B7C89F7}: DhcpNameServer = 192.168.2.1 192.168.1.254
    O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2011/04/08 13:21:15 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2012/05/09 11:55:44 | 000,000,054 | RH-- | M] () - D:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/10/25 16:01:32 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Grandpa\Desktop\OTL.exe
    [2012/10/24 16:07:38 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
    [2012/10/24 16:07:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Grandpa\Start Menu\Programs\HiJackThis
    [2012/10/24 14:12:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Grandpa\Application Data\Malwarebytes
    [2012/10/22 23:19:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\SChecker
    [2012/10/22 23:18:54 | 000,000,000 | ---D | C] -- C:\Program Files\Swiki_IE
    [2012/10/22 23:18:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Swiki
    [2012/10/22 23:18:54 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
    [2012/10/22 23:18:53 | 000,000,000 | ---D | C] -- C:\Program Files\SwikiIE
    [2012/10/22 23:18:53 | 000,000,000 | ---D | C] -- C:\Program Files\Swiki
    [2012/10/22 23:17:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Real
    [6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\Documents and Settings\NetworkService\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/10/25 16:02:13 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Grandpa\Desktop\0mc4spol.exe
    [2012/10/25 16:01:41 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Grandpa\Desktop\OTL.exe
    [2012/10/25 16:00:20 | 000,881,773 | ---- | M] () -- C:\Documents and Settings\Grandpa\Desktop\SecurityCheck.exe
    [2012/10/25 15:25:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
    [2012/10/25 10:52:31 | 000,002,451 | ---- | M] () -- C:\Documents and Settings\Grandpa\Desktop\HiJackThis.lnk
    [2012/10/24 18:05:28 | 000,528,782 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2012/10/24 18:05:27 | 000,090,924 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2012/10/24 18:01:16 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
    [2012/10/24 18:01:15 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/10/24 18:01:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/10/24 15:56:49 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/10/24 13:28:55 | 000,018,252 | ---- | M] () -- C:\Documents and Settings\Grandpa\1.mp3
    [2012/10/24 13:27:34 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
    [2012/10/24 13:27:34 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
    [2012/10/24 05:23:56 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2012/10/11 03:00:55 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2012/10/09 14:26:11 | 000,696,760 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
    [2012/10/09 14:26:11 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
    [2012/09/29 19:54:26 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2012/09/26 01:14:06 | 004,035,151 | ---- | M] () -- C:\MH_theme_song.zip
    [6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/10/25 16:02:13 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Grandpa\Desktop\0mc4spol.exe
    [2012/10/25 16:00:20 | 000,881,773 | ---- | C] () -- C:\Documents and Settings\Grandpa\Desktop\SecurityCheck.exe
    [2012/10/24 16:07:38 | 000,002,451 | ---- | C] () -- C:\Documents and Settings\Grandpa\Desktop\HiJackThis.lnk
    [2012/10/24 13:28:55 | 000,018,252 | ---- | C] () -- C:\Documents and Settings\Grandpa\1.mp3
    [2012/09/26 01:13:38 | 004,035,151 | ---- | C] () -- C:\MH_theme_song.zip
    [2012/04/23 09:12:36 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2012/03/31 01:23:17 | 000,027,136 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/02/15 04:46:37 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2012/02/10 00:06:09 | 000,180,624 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
    [2012/02/09 23:36:36 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
    [2012/02/08 14:05:21 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
    [2012/02/08 14:05:21 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
    [2012/02/08 13:59:41 | 000,650,752 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
    [2012/02/08 13:59:41 | 000,243,200 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
    [2012/02/08 13:59:40 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
    [2012/02/08 13:59:39 | 000,079,360 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2011/04/08 14:41:46 | 001,481,884 | ---- | C] () -- C:\WINDOWS\System32\igkrng400.bin
    [2011/04/08 14:41:46 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v5016.dll
    [2011/04/08 13:23:09 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2011/04/08 13:18:44 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2011/04/08 07:40:05 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2011/04/08 07:39:10 | 001,423,168 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2011/02/09 23:03:48 | 000,000,314 | ---- | C] () -- C:\WINDOWS\primopdf.ini

    ========== ZeroAccess Check ==========

    [2012/05/10 07:55:58 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shdocvw.dll -- [2011/09/05 08:56:22 | 001,510,400 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
    "" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/14 07:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    < End of report >

    Extras

    OTL Extras logfile created on: 10/25/2012 4:03:27 PM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Grandpa\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1015.23 Mb Total Physical Memory | 206.85 Mb Available Physical Memory | 20.37% Memory free
    2.39 Gb Paging File | 1.98 Gb Available in Paging File | 82.84% Paging File free
    Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 74.53 Gb Total Space | 33.71 Gb Free Space | 45.23% Space Free | Partition Type: NTFS
    Drive D: | 545.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: OWNER-853ACF962 | User Name: Grandpa | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .html [@ = Opera.HTML] -- C:\Program Files\Opera\Opera.exe (Opera Software)

    [HKEY_USERS\S-1-5-21-725345543-1844237615-1801674531-1005\SOFTWARE\Classes\<extension>]
    .html [@ = Opera.HTML] -- C:\Program Files\Opera\Opera.exe (Opera Software)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- Reg Error: Key error.
    http [open] -- "C:\Program Files\Opera\Opera.exe" "%1" (Opera Software)
    https [open] -- "C:\Program Files\Opera\Opera.exe" "%1" (Opera Software)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)
    Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)
    Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:*:Enabled:mad:xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:mad:xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:mad:xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:mad:xpsp2res.dll,-22002
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22008
    "10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "58251:TCP" = 58251:TCP:*:Enabled:pando Media Booster
    "58251:UDP" = 58251:UDP:*:Enabled:pando Media Booster

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22008
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22002
    "10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "58251:TCP" = 58251:TCP:*:Enabled:pando Media Booster
    "58251:UDP" = 58251:UDP:*:Enabled:pando Media Booster

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000 -- (Microsoft Corporation)
    "%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 -- (Microsoft Corporation)
    "C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:pando Media Booster -- ()

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000 -- (Microsoft Corporation)
    "%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 -- (Microsoft Corporation)
    "C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
    "C:\Program Files\BitTorrent\BitTorrent.exe" = C:\Program Files\BitTorrent\BitTorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
    "C:\Program Files\Winamp\winamp.exe" = C:\Program Files\Winamp\winamp.exe:*:Enabled:Winamp -- (Nullsoft, Inc.)
    "C:\Program Files\Trillian\trillian.exe" = C:\Program Files\Trillian\trillian.exe:*:Enabled:Trillian -- (Cerulean Studios)
    "C:\Program Files\mIRC\mirc.exe" = C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC
    "C:\Program Files\FTP Explorer\ftpx.exe" = C:\Program Files\FTP Explorer\ftpx.exe:*:Enabled:FTP Explorer
    "C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Computer, Inc.)
    "C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:pando Media Booster -- ()


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
    "{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
    "{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
    "{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
    "{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
    "{1A2A15C2-6780-49c1-B296-503230E9DE00}" = The Sims&#8482; 2 Mansion and Garden Stuff
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java(TM) 6 Update 22
    "{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
    "{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
    "{4817189D-1785-4627-A33C-39FD90919300}" = The Sims 2 Pets
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
    "{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
    "{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
    "{6E7DD182-9FC6-4651-0095-2E666CC6AF35}" = The Sims 2
    "{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
    "{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
    "{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
    "{8E9976D2-E563-43DE-A51F-5AEBC38D1F08}" = Ad-Aware
    "{8FD3F4BA-A4A6-4380-00A6-CC6853AB2DC2}" = The Sims 2 University
    "{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
    "{933B4015-4618-4716-A828-5289FC03165F}" = VC80CRTRedist - 8.0.50727.6195
    "{943A8D28-80D6-41DC-AE94-81FEB42041BF}" = System Requirements Lab CYRI
    "{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
    "{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
    "{9E325417-AE9C-4EE1-A158-13DF451A5987}" = Broadcom NetXtreme Ethernet Controller
    "{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
    "{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
    "{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
    "{B6F5B704-06D3-4687-90F3-6195304AD755}" = The Sims&#8482; 2 Apartment Life
    "{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}" = Adobe ExtendScript Toolkit 2
    "{C3CB6145-2F42-4C1C-B938-E254C8B5F48B}" = Broadcom Management Programs
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
    "{D1BB4446-AE9C-4256-9A7F-4D46604D2462}" = Adobe Setup
    "{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
    "{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}" = Adobe Color Common Settings
    "{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
    "{DFEF49D9-FC95-4301-99B9-2FB91C6ABA06}" = The Sims&#8482; 2 Seasons
    "{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F7529650-B9DB-481B-0089-A2AC3C2821C1}" = The Sims 2 Nightlife
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "Adobe_2ac78060bc5856b0c1cf873bb919b58" = Adobe Photoshop CS3
    "Amazon Kindle" = Amazon Kindle
    "Belarc Advisor" = Belarc Advisor 8.2
    "BitTorrent" = BitTorrent
    "DAEMON Tools Lite" = DAEMON Tools Lite
    "DivX Setup" = DivX Setup
    "DreamAqua" = Dream Aquarium
    "Foxit Reader_is1" = Foxit Reader 5.1
    "HDMI" = Intel(R) Graphics Media Accelerator Driver
    "ie8" = Windows Internet Explorer 8
    "KLiteCodecPack_is1" = K-Lite Mega Codec Pack 8.3.2
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.1.1000
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "Opera 12.02.1578" = Opera 12.02
    "PrimoPDF" = PrimoPDF -- brought to you by Nitro PDF Software
    "Swiki_IE" = Swiki_IE
    "Swiki_is1" = Swiki version 1.0
    "Trillian" = Trillian
    "VLC media player" = VideoLAN VLC media player 0.8.6f
    "Winamp" = Winamp
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "WinRAR archiver" = WinRAR 4.11 (32-bit)
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 9/29/2012 2:10:30 PM | Computer Name = OWNER-853ACF962 | Source = Lavasoft Ad-Aware Service | ID = 0
    Description =

    Error - 10/3/2012 2:08:56 PM | Computer Name = OWNER-853ACF962 | Source = Lavasoft Ad-Aware Service | ID = 0
    Description =

    Error - 10/6/2012 2:08:04 PM | Computer Name = OWNER-853ACF962 | Source = Lavasoft Ad-Aware Service | ID = 0
    Description =

    Error - 10/7/2012 12:08:16 PM | Computer Name = OWNER-853ACF962 | Source = Application Hang | ID = 1002
    Description = Hanging application Sims2EP9.exe, version 1.17.0.66, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 10/7/2012 12:21:50 PM | Computer Name = OWNER-853ACF962 | Source = Application Hang | ID = 1001
    Description = Fault bucket 970167895.

    Error - 10/10/2012 2:08:47 PM | Computer Name = OWNER-853ACF962 | Source = Lavasoft Ad-Aware Service | ID = 0
    Description =

    Error - 10/13/2012 2:09:05 PM | Computer Name = OWNER-853ACF962 | Source = Lavasoft Ad-Aware Service | ID = 0
    Description =

    Error - 10/17/2012 2:10:07 PM | Computer Name = OWNER-853ACF962 | Source = Lavasoft Ad-Aware Service | ID = 0
    Description =

    Error - 10/20/2012 2:07:55 PM | Computer Name = OWNER-853ACF962 | Source = Lavasoft Ad-Aware Service | ID = 0
    Description =

    Error - 10/24/2012 4:36:12 PM | Computer Name = OWNER-853ACF962 | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: The server name or address could not be resolved

    [ System Events ]
    Error - 10/24/2012 4:34:48 PM | Computer Name = OWNER-853ACF962 | Source = Service Control Manager | ID = 7001
    Description = The IPSEC Services service depends on the IPSEC driver service which
    failed to start because of the following error: %%31

    Error - 10/24/2012 4:34:48 PM | Computer Name = OWNER-853ACF962 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    AFD BANTExt Fips i8042prt intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

    Error - 10/24/2012 4:35:43 PM | Computer Name = OWNER-853ACF962 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service netman with
    arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

    Error - 10/24/2012 4:35:46 PM | Computer Name = OWNER-853ACF962 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service EventSystem
    with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error - 10/24/2012 4:49:54 PM | Computer Name = OWNER-853ACF962 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service netman with
    arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

    Error - 10/24/2012 4:50:08 PM | Computer Name = OWNER-853ACF962 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service EventSystem
    with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error - 10/24/2012 4:51:12 PM | Computer Name = OWNER-853ACF962 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    i8042prt

    Error - 10/24/2012 4:58:20 PM | Computer Name = OWNER-853ACF962 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    i8042prt

    Error - 10/24/2012 7:01:05 PM | Computer Name = OWNER-853ACF962 | Source = sr | ID = 1
    Description = The System Restore filter encountered the unexpected error '0xC0000001'
    while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
    the volume.

    Error - 10/24/2012 7:01:15 PM | Computer Name = OWNER-853ACF962 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    i8042prt


    < End of report >

    Gmer

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-10-25 17:48:45
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JD-60LSA5 rev.10.01E03
    Running: 0mc4spol.exe; Driver: C:\DOCUME~1\Grandpa\LOCALS~1\Temp\pxxcikow.sys


    ---- System - GMER 1.0.15 ----

    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF763787E]
    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7637BFE]

    ---- Kernel code sections - GMER 1.0.15 ----

    ? pjrdhg.sys The system cannot find the file specified. !

    ---- EOF - GMER 1.0.15 ----
     
  6. Gizzy

    Gizzy Malware Specialist

    Joined:
    Aug 2, 2005
    Messages:
    3,832
    Hi Heatherly,

    Disable CD Emulator(s)
    CD Emulator (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD) be aware that they use hidden drivers with rootkit-like techniques to hide from other applications. When dealing with malware infections, CD Emulators can interfere with investigative tools producing misleading or inaccurate scan results, false detection of legitimate files, cause unexpected crashes, BSODs, and general 'dross' which often makes it hard to differentiate between malicious rootkits and the legitimate drivers used by Emulators. Since the hidden drivers from CD Emulators can be seen as a rootkit, we need to remove or disable them until disinfection is completed.

    Please download DeFogger by jpshortstuff and save it to your desktop.
    1. Double-click DeFogger.exe to run the tool.
    2. The application window will appear.
    3. Click the Disable button to disable your CD Emulation drivers
    4. Click Yes to continue.
    5. A 'Finished!' message will appear.
    6. Click OK...DeFogger will now ask to reboot the machine...click OK. If not, reboot manually.
    7. Do not re-enable these drivers until instructed or your system has been cleaned.
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


    Please re-run gmer

    Gmer Rootkit Scanner
    Should still be on your desktop

    1. Double-click the .exe file. If asked to allow gmer.sys driver to load, please consent
    2. If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
    3. In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
        [​IMG]
        Click the image to enlarge it
    4. Then click the Scan button & wait for it to finish
    5. Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
    6. Save it where you can easily find it, such as your desktop, and post it in your next reply
    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

    Do not run any programs while Gmer is running.


    RogueKiller
    1. Please download RogueKiller by Tigzy and save it to your desktop.
    2. Allow the download if prompted by your security software and please close all your programs.
    3. Double-click on RogueKiller.exe to run it.
    4. If it does not run, please try a few times, If it really does not work (it could happen), rename it to winlogon.exe or RogueKiller.com
    5. Wait for PreScan to finish, Then Accept the eula.
    6. Click on the Scan button in the upper right. Wait for it to finish.
    7. Once completed, a log called RKreport[1].txt will be created on the desktop. It can also be accessed via the Report button.
    8. Please copy and paste the contents of that log in your next reply.
    9. When you exit RogueKiller, you may get a popup reporting "None of the Elements have been deleted. Do you want to quit?" Click Yes.


    Please reply with:
    • Gmer log
    • RogueKiller log
     
  7. Heatherly

    Heatherly Thread Starter

    Joined:
    Sep 17, 2008
    Messages:
    16
    Hi gizzy,

    New logs ahoy.


    Gmer

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-10-27 09:46:03
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JD-60LSA5 rev.10.01E03
    Running: 0mc4spol.exe; Driver: C:\DOCUME~1\Grandpa\LOCALS~1\Temp\pxxcikow.sys


    ---- System - GMER 1.0.15 ----

    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF762787E]
    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7627BFE]

    ---- EOF - GMER 1.0.15 ----

    RogueKiller

    RogueKiller V8.2.0 [10/22/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Grandpa [Admin rights]
    Mode : Scan -- Date : 10/27/2012 09:47:13

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 1 ¤¤¤
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\WINDOWS\system32\drivers\etc\hosts

    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD800JD-60LSA5 +++++
    --- User ---
    [MBR] 6e0dbb8f6b4a213110d59dc1e9e62ca3
    [BSP] 23731bc60efffc0f5f8e494355e295aa : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76316 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1].txt >>
    RKreport[1].txt
     
  8. Gizzy

    Gizzy Malware Specialist

    Joined:
    Aug 2, 2005
    Messages:
    3,832
    Hi Heatherly,
    Did you install Swiki? If not uninstall it by doing the following,
    Remove Programs
    Click Start > Control Panel > Add/Remove Programs
    Remove the following programs by clicking Remove

    • Swiki_IE
    • Swiki version 1.0


    Upload File(s) for Scanning
    Please go to VirusTotal or Jotti to upload a file for scanning.

    1. Click Choose File (For VirusTotal) or Browse... (For Jotti)
    2. Copy and paste the below file and path into the File name: box.
    3. Click Open
    4. Click on Scan it! (For VirusTotal) or Submit file (For Jotti)
    5. Please wait for all the scanners to finish then copy and paste the permalink (web address) in your next response.
      Example of web address:
      [​IMG]


    Update Java
    You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason it's extremely important that you keep the program up to date and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 7 Update 9.

    1. Go Here
    2. Click the Windows 7/XP/Vista/2000/2003/2008 Offline link to download it, Save this to a convenient location.
    3. Go to Start > Control Panel > Add or Remove Programs
    4. Uninstall all old versions of Java (Java(TM) 6 Update 22)
    5. Reboot your computer
    6. Delete the folder C:\Program Files\Java if present
    7. Install the new version by double-clicking the downloaded file jre-7u9-windows-i586-s.exe and follow the on-screen instructions.
    8. Reboot your computer


    Please reply with:
    • VirusTotal/Jotti results
     
  9. Heatherly

    Heatherly Thread Starter

    Joined:
    Sep 17, 2008
    Messages:
    16
  10. Gizzy

    Gizzy Malware Specialist

    Joined:
    Aug 2, 2005
    Messages:
    3,832
    Hi Heatherly,
    Just a few more things to do.

    TFC (Temp File Cleaner)
    1. Please download TFC from here and save it to your desktop.
    2. Double-click TFC.exe to run the program.
    3. Click the Start button in the bottom left of TFC
    4. If prompted, click Yes to reboot.

    Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.


    ESET Online Scanner
    Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

    1. Please go here then click on: Run ESET Online Scanner
    2. Select the option YES, I accept the Terms of Use then click on: Start
    3. When prompted allow the Add-On/Active X to install.
    4. Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
    5. Now click on Advanced Settings and select the following:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
    6. Now click on: Start
    7. The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
    8. When completed the Online Scan will begin automatically, Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
    9. When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
    10. Copy and paste that log as a reply to this topic.
    11. Now click on: Finish (Selecting Uninstall application on close if you so wish)

      Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


    Please reply with:
    • Eset log
     
  11. Heatherly

    Heatherly Thread Starter

    Joined:
    Sep 17, 2008
    Messages:
    16
    Ran TFC successfully. Here's the ESET log:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=f145966be44b49489c6c2652ee47983a
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2012-10-27 09:27:30
    # local_time=2012-10-27 04:27:30 (-0600, Central Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 172265 172265 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=74022
    # found=1
    # cleaned=0
    # scan_time=1726
    C:\RECYCLER\S-1-5-21-725345543-1844237615-1801674531-1003\Dc1.exe Win32/Graboid application (unable to clean) 00000000000000000000000000000000 I
     
  12. Gizzy

    Gizzy Malware Specialist

    Joined:
    Aug 2, 2005
    Messages:
    3,832
    Hi Heatherly,
    Computer is running fine?


    Run OTL Script
    Should still be on your desktop.

    1. Double-click OTL.exe to start the program
    2. Copy and Paste everything from the Code box below into the Custom Scans/Fixes box in OTL
      Code:
      :OTL
      [6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
      [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
      [1 C:\Documents and Settings\NetworkService\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\*.tmp -> ]
      
      :Reg
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
      "EnableFirewall" = 1
      
      :Files
      C:\RECYCLER\S-1-5-21-725345543-1844237615-1801674531-1003\Dc1.exe
      C:\Documents and Settings\Grandpa\1.mp3
      C:\Program Files\Swiki_IE
      C:\Documents and Settings\All Users\Start Menu\Programs\Swiki
      C:\Program Files\SwikiIE
      C:\Program Files\Swiki
      
      :Commands
      [EMPTYTEMP]
      [CLEARALLRESTOREPOINTS]
    3. Then click the Run Fix button at the top.
    4. If prompted, Click OK
    5. OTL may ask to reboot the computer. Please do so if asked
    6. When finished a report should appear in Notepad. Copy and Paste that report in your next reply.

      Note: The log can also be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log


    Please reply with:
    • OTL log
    • How is your computer running?
     
  13. Heatherly

    Heatherly Thread Starter

    Joined:
    Sep 17, 2008
    Messages:
    16
    Hi Gizzy,

    Computer's running fine. No problems as far as I can see. Programs open and close when told to, nothing unfamiliar appears to be running in the background processes, everything's running as quickly as a computer of this age with these specs can reasonably be expected to. There's no redirects in webpages, or failures to load. Nothing's locking or freezing. It seems fine.

    Here's the latest OTL log:

    All processes killed
    ========== OTL ==========
    File/Folder C:\WINDOWS\System32\*.tmp not found.
    File/Folder C:\WINDOWS\*.tmp not found.
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp deleted successfully.
    File EY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] not found.
    File PTYTEMP] not found.
    File EARALLRESTOREPOINTS] not found.

    OTL by OldTimer - Version 3.2.69.0 log created on 10282012_142316

    Files\Folders moved on Reboot...

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
     
  14. Gizzy

    Gizzy Malware Specialist

    Joined:
    Aug 2, 2005
    Messages:
    3,832
    Hi Heatherly,
    That log doesn't look right, Could you try following the instructions again please. :)
     
  15. Heatherly

    Heatherly Thread Starter

    Joined:
    Sep 17, 2008
    Messages:
    16
    Tried it again. (I think it went wrong last time because I copied it from my e-mail notification of the thread, not from the thread itself.)

    New log:

    All processes killed
    ========== OTL ==========
    File/Folder C:\WINDOWS\System32\*.tmp not found.
    File/Folder C:\WINDOWS\*.tmp not found.
    File/Folder C:\Documents and Settings\NetworkService\Local Settings\Application Data\*.tmp not found.
    ========== REGISTRY ==========
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\"EnableFirewall" | 1 /E : value set successfully!
    ========== FILES ==========
    C:\RECYCLER\S-1-5-21-725345543-1844237615-1801674531-1003\Dc1.exe moved successfully.
    C:\Documents and Settings\Grandpa\1.mp3 moved successfully.
    File\Folder C:\Program Files\Swiki_IE not found.
    File\Folder C:\Documents and Settings\All Users\Start Menu\Programs\Swiki not found.
    File\Folder C:\Program Files\SwikiIE not found.
    File\Folder C:\Program Files\Swiki not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Darla
    ->Temp folder emptied: 672389 bytes
    ->Temporary Internet Files folder emptied: 758960 bytes
    ->Java cache emptied: 0 bytes
    ->Opera cache emptied: 54569015 bytes
    ->Flash cache emptied: 1316 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Grandpa
    ->Temp folder emptied: 670202 bytes
    ->Temporary Internet Files folder emptied: 5635450 bytes
    ->Java cache emptied: 0 bytes
    ->Opera cache emptied: 3719317 bytes
    ->Flash cache emptied: 492 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: owner
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Opera cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 16867 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 63.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.69.0 log created on 10282012_154800

    Files\Folders moved on Reboot...
    File\Folder C:\WINDOWS\temp\Perflib_Perfdata_7dc.dat not found!

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/1073995