redirect, antivirus malware attack
#16
Posted 06 August 2011 - 03:28 PM
2011/08/06 14:01:22.0921 2780 TDSS rootkit removing tool 2.5.14.0 Aug 5 2011 16:09:29
2011/08/06 14:01:23.0656 2780 ================================================================================
2011/08/06 14:01:23.0656 2780 SystemInfo:
2011/08/06 14:01:23.0656 2780
2011/08/06 14:01:23.0656 2780 OS Version: 5.1.2600 ServicePack: 3.0
2011/08/06 14:01:23.0656 2780 Product type: Workstation
2011/08/06 14:01:23.0656 2780 ComputerName: RELATIONSMART
2011/08/06 14:01:23.0656 2780 UserName: Randall
2011/08/06 14:01:23.0656 2780 Windows directory: C:\WINDOWS
2011/08/06 14:01:23.0656 2780 System windows directory: C:\WINDOWS
2011/08/06 14:01:23.0656 2780 Processor architecture: Intel x86
2011/08/06 14:01:23.0656 2780 Number of processors: 1
2011/08/06 14:01:23.0656 2780 Page size: 0x1000
2011/08/06 14:01:23.0656 2780 Boot type: Normal boot
2011/08/06 14:01:23.0656 2780 ================================================================================
2011/08/06 14:01:26.0562 2780 Initialize success
2011/08/06 14:01:40.0484 2240 Deinitialize success
#17
Posted 06 August 2011 - 03:56 PM
On reboot I got an "Error loading C:\WINDOWS\ovewulaqocu.dll,Startup" message.
Then Win Patrol warned me about these being added to start menu:
C:\WINDOWS\ovewulaqocu.dll,Startup
C:\WINDOWS\Sfanya.exe
C:\WINDOWS\ocostuof.dll,Startup
C:\DOCUME~1\Randall\LOCALS~1\Temp\Scq.exe
I declined all. The first one has repeated a few times. I am starting the toolkit now.
#18
Posted 06 August 2011 - 04:38 PM
MiniToolBox by Farbar
Ran by Randall (administrator) on 06-08-2011 at 14:57:57
Microsoft Windows XP Service Pack 3 (X86)
***************************************************************************
========================= Flush DNS: ===================================
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= FF Proxy Settings: ==============================
"Reset FF Proxy Settings": Firefox Proxy settings were reset.
========================= Hosts content: =================================
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
There are 14324 more lines starting with "127.0.0.1"
========================= IP Configuration: ================================
# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip
# Interface IP Configuration for "Local Area Connection"
set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp
popd
# End of interface IP configuration
Windows IP Configuration
Host Name . . . . . . . . . . . . : relationsmart
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.actdsltmp
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : domain.actdsltmp
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-C0-A8-89-F3-9F
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
205.171.3.25
Lease Obtained. . . . . . . . . . : Saturday, August 06, 2011 2:43:59 PM
Lease Expires . . . . . . . . . . : Sunday, August 07, 2011 2:43:59 PM
Server: home.domain.actdsltmp
Address: 192.168.0.1
DNS request timed out.
timeout was 2 seconds.
Name: google.com
Addresses: 74.125.127.99, 74.125.127.103, 74.125.127.104, 74.125.127.105
74.125.127.106, 74.125.127.147
Pinging google.com [74.125.127.106] with 32 bytes of data:
Reply from 74.125.127.106: bytes=32 time=60ms TTL=54
Reply from 74.125.127.106: bytes=32 time=60ms TTL=54
Ping statistics for 74.125.127.106:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 60ms, Maximum = 60ms, Average = 60ms
Server: home.domain.actdsltmp
Address: 192.168.0.1
DNS request timed out.
timeout was 2 seconds.
Name: yahoo.com
Addresses: 72.30.2.43, 98.137.149.56, 209.191.122.70, 67.195.160.76
69.147.125.65
Pinging yahoo.com [98.137.149.56] with 32 bytes of data:
Reply from 98.137.149.56: bytes=32 time=73ms TTL=55
Reply from 98.137.149.56: bytes=32 time=72ms TTL=55
Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 72ms, Maximum = 73ms, Average = 72ms
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 c0 a8 89 f3 9f ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.6 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.0.6 192.168.0.6 20
192.168.0.0 255.255.255.0 192.168.0.6 192.168.0.6 20
192.168.0.6 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.0.255 255.255.255.255 192.168.0.6 192.168.0.6 20
224.0.0.0 240.0.0.0 192.168.0.6 192.168.0.6 20
255.255.255.255 255.255.255.255 192.168.0.6 192.168.0.6 1
Default Gateway: 192.168.0.1
===========================================================================
Persistent Routes:
None
========================= Event log errors: ===============================
Application errors:
==================
Error: (08/06/2011 02:13:18 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.
Error: (08/06/2011 02:13:18 PM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Error: (08/06/2011 02:13:18 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.
Error: (08/06/2011 02:13:03 PM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Error: (08/06/2011 02:12:34 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.
Error: (08/06/2011 02:12:34 PM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Error: (08/06/2011 02:12:34 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.
Error: (08/06/2011 02:12:19 PM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Error: (08/06/2011 02:06:10 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.
Error: (08/06/2011 02:06:10 PM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
System errors:
=============
Error: (08/06/2011 02:45:36 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
intelppm
Error: (08/06/2011 02:36:32 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
intelppm
Error: (08/06/2011 02:31:29 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
intelppm
Error: (08/06/2011 00:43:55 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
intelppm
Error: (08/06/2011 00:41:29 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
Error: (08/06/2011 00:40:32 PM) (Source: DCOM) (User: Administrator)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
Error: (08/06/2011 00:31:13 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126
Error: (08/06/2011 00:31:13 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126
Error: (08/06/2011 00:31:13 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126
Error: (08/06/2011 00:31:13 PM) (Source: Service Control Manager) (User: )
Description: The Application Management service terminated with the following error:
%%126
Microsoft Office Sessions:
=========================
Error: (08/06/2011 02:13:18 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.
Error: (08/06/2011 02:13:18 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Error: (08/06/2011 02:13:18 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis operation returned because the timeout period expired.
Error: (08/06/2011 02:13:03 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Error: (08/06/2011 02:12:34 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.
Error: (08/06/2011 02:12:34 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Error: (08/06/2011 02:12:34 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis operation returned because the timeout period expired.
Error: (08/06/2011 02:12:19 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Error: (08/06/2011 02:06:10 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.
Error: (08/06/2011 02:06:10 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
=========================== Installed Programs ============================
Adobe Flash Player 10 ActiveX (Version: 10.1.53.64)
Adobe Flash Player 10 Plugin (Version: 10.3.181.26)
AiO_Scan_CDA (Version: 70.0.231.000)
AiOSoftwareNPI (Version: 70.0.231.000)
Amazon MP3 Downloader 1.0.12 (Version: 1.0.12)
Apple Application Support (Version: 1.4.1)
Apple Software Update (Version: 2.1.1.116)
Battleship - Fleet Command (remove only)
Bonjour (Version: 1.0.106)
BufferChm (Version: 70.0.170.000)
Byki (Version: 4.0)
Byki Express
C3100 (Version: 70.0.231.000)
c3100_Help (Version: 70.0.231.000)
CCleaner (Version: 2.33)
CDBurnerXP (Version: 4.3.8.2474)
Chessmaster Challenge (remove only) (Version: 3.3.3.40)
Chessmaster Challenge (Version: 3.3.3.40)
Compatibility Pack for the 2007 Office system (Version: 12.0.6425.1000)
CustomerResearchQFolder (Version: 1.00.0000)
Dell ResourceCD
Destinations (Version: 70.0.170.000)
DeviceManagementQFolder (Version: 1.00.0000)
DivX Setup (Version: 2.5.0.15)
DocProc (Version: 7.0.0.0)
DocProcQFolder (Version: 1.00.0000)
doubleTwist (Version: 3.1.2.10091)
eSupportQFolder (Version: 1.00.0000)
Family Feud Holiday Edition (remove only)
Fax_CDA (Version: 70.0.231.000)
ffdshow [rev 2527] [2008-12-19] (Version: 1.0)
Foxit PDF Editor (Version: 2.2.0.0205)
Foxit Reader
Free M4a to MP3 Converter 6.2
Graboid Video 2.06 (Version: 2.06)
HP Customer Participation Program 7.0 (Version: 7.0)
HP Imaging Device Functions 7.0 (Version: 7.0)
HP Photosmart Essential (Version: 1.9.1.3)
HP Photosmart, Officejet and Deskjet 7.0.A
HP Product Detection (Version: 10.7.9.0)
HP Software Update (Version: 3.0.7.014)
HP Solution Center 7.0 (Version: 7.0)
HPPhotoSmartExpress (Version: 70.0.170.000)
HPProductAssistant (Version: 70.0.170.000)
Idaho Child Support Program (Version: 2.2006.53)
Initio USB Default Controller Driver 32-bit (Version: 1.0.4)
InstantShareDevicesMFC (Version: 70.0.170.000)
Intkey
Java Auto Updater (Version: 2.0.4.1)
Java 6 Update 25 (Version: 6.0.250)
Malwarebytes' Anti-Malware version 1.51.1.1800 (Version: 1.51.1.1800)
MarketResearch (Version: 70.0.170.000)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Antimalware (Version: 3.0.8402.2)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003 (Version: 11.0.8173.0)
Microsoft Security Client (Version: 2.1.1116.0)
Microsoft Security Essentials (Version: 2.1.1116.0)
Microsoft Silverlight (Version: 4.0.60531.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Works 6-9 Converter (Version: 9.7.0621)
Mozilla Firefox (3.6.18) (Version: 3.6.18 (en-US))
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
NewCopy_CDA (Version: 70.0.231.000)
NVIDIA Display Driver
OCR Software by I.R.I.S 7.0 (Version: 7.0)
PanoStandAlone (Version: 70.0.170.000)
ProductContextNPI (Version: 70.0.231.000)
QuickTime (Version: 7.69.80.9)
Qwest Installer (Version: 1.1)
Qwest QuickAssist Desktop Tools (Version: 23)
Readme (Version: 70.0.231.000)
RealPlayer
Risk II (remove only)
Scan (Version: 7.0.0.0)
ScannerCopy (Version: 7.0.0.0)
Skype Toolbars (Version: 5.3.7280)
Skype™ 5.3 (Version: 5.3.116)
Softonic-Eng7 Toolbar (Version: 6.3.3.3)
SolutionCenter (Version: 70.0.170.000)
Spybot - Search & Destroy (Version: 1.6.2)
Status (Version: 70.0.170.000)
SUPERAntiSpyware (Version: 5.0.1108)
Toolbox (Version: 70.0.170.000)
TrayApp (Version: 70.0.170.000)
TurboTax 2010
TurboTax 2010 widiper (Version: 010.000.1276)
TurboTax 2010 WinPerFedFormset (Version: 010.000.4227)
TurboTax 2010 WinPerReleaseEngine (Version: 010.000.0483)
TurboTax 2010 WinPerTaxSupport (Version: 010.000.0214)
TurboTax 2010 wrapper (Version: 010.000.0157)
Unload (Version: 7.0.0)
VC80CRTRedist - 8.0.50727.4053 (Version: 1.1.0)
VLC media player 1.0.1 (Version: 1.0.1)
WD SmartWare (Version: 1.4.1.1)
WebFldrs XP (Version: 9.50.5318)
WebReg (Version: 70.0.170.000)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3 (Version: 20080414.031525)
WinMerge 2.12.4 (Version: 2.12.4)
WinPatrol 2009 (Version: 16.0.2009.1)
Yontoo Layers Runtime 1.10.01 (Version: 1.10.01)
========================= Memory info: ===================================
Percentage of memory in use: 67%
Total physical RAM: 766.8 MB
Available physical RAM: 251.57 MB
Total Pagefile: 1876.39 MB
Available Pagefile: 1397.89 MB
Total Virtual: 2047.88 MB
Available Virtual: 1998.13 MB
========================= Partitions: =====================================
2 Drive c: () (Fixed) (Total:37.24 GB) (Free:12.77 GB) NTFS
========================= Users: ========================================
User accounts for \\RELATIONSMART
Administrator Guest HelpAssistant
Randall Robert Sarah
SUPPORT_388945a0
========================= Minidump Files ==================================
No minidump file found
== End of log ==
#19
Posted 06 August 2011 - 07:26 PM
Quote
Then Win Patrol warned me about these being added to start menu:
C:\WINDOWS\ovewulaqocu.dll,Startup
C:\WINDOWS\Sfanya.exe
C:\WINDOWS\ocostuof.dll,Startup
It's not unusual to receive such an error after using specialized fix tools.
A "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.
To resolve this, download Autoruns, search for the related entry and then delete it.
Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file(s) in the error message.
ovewulaqocu.dll
Sfanya.exe
ocostuof.dll
Right-click on the entry and choose delete.
Reboot your computer and see if the startup error returns.
This one, C:\DOCUME~1\Randall\LOCALS~1\Temp\Scq.exe, should go away with this.
Run TFC by OT (Temp File Cleaner)
Please download TFC by Old Timer and save it to your desktop.
alternate download link
- Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Rerun MBAM (MalwareBytes) like this:
Open MBAM in normal/regular mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.
This post has been edited by boopme: 06 August 2011 - 07:28 PM
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook
#20
Posted 06 August 2011 - 11:31 PM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtufegix DATA:rundll32.exe "Windows\ovewulaqocu.dll".startup
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org
Database version: 7398
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
8/6/2011 10:12:54 PM
mbam-log-2011-08-06 (22-12-53).txt
Scan type: Quick scan
Objects scanned: 194998
Time elapsed: 6 minute(s), 9 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
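The reply above explains why an orphaned Run entry produces an "Error loading ..." message at logon, and the post after it shows the value that was found (the xtufegix value under HKLM\...\CurrentVersion\Run pointing at ovewulaqocu.dll). The following PowerShell script is an added example; it is not from the thread, from Autoruns, or from any other tool mentioned here. It walks the standard Run/RunOnce keys, extracts the file each value would load (including the rundll32 "dll",Entry form) and reports the entries whose target file no longer exists, which is exactly what one looks for in Autoruns before deleting. The function names, the list of keys scanned and the directories searched for relative paths are my assumptions; the sample command lines at the bottom are constructed from file names that appear in this thread.

```powershell
# Added example (not from the thread or from any tool mentioned in it).
# Lists Run/RunOnce values whose target file is missing: the orphaned entries
# behind "Error loading <file>" messages at logon. Needs Windows PowerShell 2.0+.
# The keys scanned and the relative-path search locations are assumptions.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunTarget {
    # Extract the file a Run value will actually load from its command line.
    #   rundll32.exe "C:\x\y.dll",Entry  -> C:\x\y.dll   (the DLL is what fails to load)
    #   "C:\Program Files\a.exe" /arg     -> C:\Program Files\a.exe
    #   C:\x\b.exe /arg                   -> C:\x\b.exe
    # Limitation: an unquoted path containing spaces is cut at the first space.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+"?([^",]+)') {
        return $Matches[1].Trim()
    }
    if ($cmd -match '^"([^"]+)"') { return $Matches[1].Trim() }
    return ($cmd -split '\s+')[0]
}

function Resolve-AutorunTarget {
    # Absolute paths are returned as-is. Bare or relative names are located by the
    # loader's search order; here (assumption) system32, the Windows directory and
    # the system drive root are checked, which covers the values seen in this thread.
    param([string]$Target)
    if ($Target -match '^([A-Za-z]:\\|\\\\)') { return $Target }
    $dirs = @("$env:SystemRoot\system32", $env:SystemRoot, "$env:SystemDrive\")
    foreach ($dir in $dirs) {
        $candidate = Join-Path $dir $Target
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return (Join-Path $env:SystemRoot $Target)   # not found anywhere; report the default location
}

function Find-OrphanedAutoruns {
    # Emits one object per Run value, with Exists = $false for orphaned entries.
    param([string[]]$Keys = $RunKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            # Skip the provider metadata PowerShell attaches to every registry item
            if ($prop.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            $target = Resolve-AutorunTarget (Get-AutorunTarget ([string]$prop.Value))
            New-Object PSObject -Property @{
                Key     = $key
                Name    = $prop.Name
                Command = [string]$prop.Value
                Target  = $target
                Exists  = (Test-Path -LiteralPath $target)
            }
        }
    }
}

# Constructed sample command lines (built from file names in this thread) showing the parsing:
$samples = @(
    'rundll32.exe "C:\WINDOWS\ovewulaqocu.dll",Startup',
    'rundll32.exe C:\WINDOWS\ocostuof.dll,Startup',
    '"C:\WINDOWS\Sfanya.exe"',
    'C:\DOCUME~1\Randall\LOCALS~1\Temp\Scq.exe /silent'
)
foreach ($s in $samples) {
    $t = Resolve-AutorunTarget (Get-AutorunTarget $s)
    '{0,-55} -> {1}  exists: {2}' -f $s, $t, (Test-Path -LiteralPath $t)
}

# Live scan: only the orphaned entries, i.e. the candidates to delete in Autoruns
Find-OrphanedAutoruns | Where-Object { -not $_.Exists } | Format-Table Key, Name, Command -AutoSize
```

Run it from an administrator PowerShell prompt. Entries it lists with a missing target are the same ones Autoruns shows as "File not found"; an entry whose target does still exist is a different case (a live file, not an orphan) and belongs in a scan log rather than a blind delete.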
#21
Posted 07 August 2011 - 03:07 PM
Let's use MBAM's FileAssassin feature.
Open MBAM again.
- Click the More Tools tab and then the Run Tool button
Now browse to the file(s) we want to remove using the drop down box next to Look in: at the top.
Locate the file(s), click Open.
You will be prompted with a message warning: This file will be permanently deleted. Are you sure you want to continue?. Click Yes.
If removal did not require a reboot, you will receive a message indicating the file was deleted successfully; however, I recommend you reboot anyway.
#22
Posted 07 August 2011 - 05:30 PM
#23
Posted 07 August 2011 - 06:33 PM
Verify that you are up-to-date with patches and service packs. Go to Windows Update.
Verify that your PC clock is correctly set.
Verify that you are using build 1961 of MSE.
Verify that the Windows Firewall is on, and set to defaults.
In IE, reset all security zones to default level.
Then, restart your PC.
#24
Posted 08 August 2011 - 11:24 AM
#25
Posted 08 August 2011 - 11:30 AM
Please go here....
Preparation Guide, do steps 6 - 9.
Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.
#28
Posted 08 August 2011 - 10:05 PM
From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.
Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.
To avoid confusion, I am closing this topic.