Think I have malware and trojans


  • This topic is locked
20 replies to this topic

#1 dgbeeby
  • Members
  • 22 posts

Posted 30 January 2010 - 10:17 AM

Hi there,

I can't seem to access any of the Microsoft web pages. I'm trying to access them so I can download the free virus software they provide, "Microsoft Security Essentials", but it always says that the web site is down. I'm also getting lots of other redirection issues when using Google Chrome and trying to enter my Gmail account. I deleted the cookies and went through the basic steps it suggests on the page that shows up after I get the redirection loops. I'm pretty sure I have some malware or trojan issues but not so sure what to do about it. Please help.

DDS (Ver_09-12-01.01) - NTFSx86
Run by David Beeby at 14:03:29.23 on 02/03/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.2046.1107 [GMT 0:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\TalkTalk\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\CTHELPER.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\TuneUp Utilities 2010\integrator.exe
C:\Program Files\TuneUp Utilities 2010\DiskDoctor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\David Beeby\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {140BD8E3-C167-11D4-B4A3-080000180323} - No File
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Auction Auto Bidder]
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
IE: Download all by Rapidown... - c:\program files\rapidown\RapidownGetAll.htm
IE: Download by Rapidown... - c:\program files\rapidown\RapidownGet.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {57E91B47-F40A-11D1-B792-444553540011} - c:\program files\rapidown\Rapidown.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: o2.co.uk\*.broadband
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/da/PCPitStop.CAB
DPF: {126EEDB7-24A2-43EA-A53D-9B7067BD2AB8} - hxxp://www.nomisfootball.com/player/player_ocx.jpeg
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://serveraccess.livetrain.com/+CSCO+0h756767633A2F2F63656E7067767072796E6F66+115158026@7168000@1221920490@A57FEF91BEF69C936DAFC73CE06CDD150129F6D6+/msrdp.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8E73359-3422-4384-8D27-4EA1B4C01232} - hxxps://serveraccess.livetrain.com/+CSCOL+/cscopf.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {EF732B7C-BFF6-49B1-A32C-3C74C318FDCC} - hxxp://www.thesecret.tv/movie/player/player_ocx.jpeg
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\davidb~1\applic~1\mozilla\firefox\profiles\od0k1io0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.mytalktalk.co.uk
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.1 beta 1\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.1 beta 1\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-11-22 276816]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\talktalk\bin\sprtsvc.exe [2007-10-12 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\common files\supportsoft\bin\tgsrvc.exe [2007-8-2 148768]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2009-11-13 1021256]
R3 camvid20;Philips ToUcam Camera; Video;c:\windows\system32\drivers\camdrv21.sys [2008-3-11 223232]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-11-22 19160]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
R3 WN5401;Liteon Wireless LAN PCI 802.11 a/b/g adapter WN5401A;c:\windows\system32\drivers\wn5401.sys [2005-1-6 449920]
S2 gupdate1c9b6bb12ee8672;Google Update Service (gupdate1c9b6bb12ee8672);c:\program files\google\update\GoogleUpdate.exe [2009-4-6 133104]
S3 leaxz;leaxz;c:\windows\system32\06.tmp [2009-10-9 4096]
S3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\phtvtune.sys [2009-11-23 26848]
S3 wouzkebpc;wouzkebpc;c:\windows\system32\03.tmp [2009-9-3 4096]
S3 zfderfjwi;zfderfjwi;c:\windows\system32\05.tmp [2009-9-18 4096]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

=============== Created Last 30 ================

2020-01-09 17:20:13 0 d-----w- c:\program files\RapidDown
2020-01-09 17:12:37 0 d-----w- c:\program files\Rapidown
2010-03-02 02:28:45 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-03-02 02:28:45 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-03-02 02:28:45 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-03-02 02:28:45 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-03-02 02:28:45 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-03-02 02:28:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software
2010-03-02 02:28:43 0 d-----w- c:\program files\Trojan Remover
2010-03-02 02:28:43 0 d-----w- c:\docume~1\davidb~1\applic~1\Simply Super Software

==================== Find3M ====================

2007-04-16 15:52:53 171376 --sha-r- c:\windows\system32\djiexs.dll

============= FINISH: 14:03:54.07 ===============
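
As an added example (not part of the original post, and not DDS's own code), here is a small Python triage pass over the SERVICES / DRIVERS, Created Last 30 and Find3M sections of the log above. It flags the entries a helper would flag by eye: the three S3 services (leaxz, wouzkebpc, zfderfjwi) whose image is a 4096-byte numbered .tmp file sitting directly in system32, and the djiexs.dll entry carrying the system and hidden attributes. The sample lines are copied verbatim from the posted log; the regular expressions, the scoring rules and the threshold of two independent oddities per service are my own heuristics, not a verdict of infection.

```python
"""DDS log triage: pick out service and file entries worth a second look.

Added example, not part of the original post and not DDS's own code.
The SAMPLE_LOG lines are copied from the DDS log posted above; the
regular expressions and the scoring heuristic below are my own.
"""
import re

# Constructed sample: a handful of lines taken verbatim from the posted DDS log.
SAMPLE_LOG = r"""
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-11-22 276816]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-11-22 19160]
R3 camvid20;Philips ToUcam Camera; Video;c:\windows\system32\drivers\camdrv21.sys [2008-3-11 223232]
S3 leaxz;leaxz;c:\windows\system32\06.tmp [2009-10-9 4096]
S3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\phtvtune.sys [2009-11-23 26848]
S3 wouzkebpc;wouzkebpc;c:\windows\system32\03.tmp [2009-9-3 4096]
S3 zfderfjwi;zfderfjwi;c:\windows\system32\05.tmp [2009-9-18 4096]
2010-03-02 02:28:45 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-03-02 02:28:43 0 d-----w- c:\program files\Trojan Remover
2007-04-16 15:52:53 171376 --sha-r- c:\windows\system32\djiexs.dll
"""

# "R2 name;display;path [yyyy-m-d size]"; display names may themselves contain ';'
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>.*?);"
    r"(?P<path>[a-zA-Z]:\\[^\[]+?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]\s*$"
)
# "yyyy-mm-dd hh:mm:ss size attrs path" as used by Created Last 30 and Find3M
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)


def service_reasons(m):
    """Independent oddities for one service line; two or more means 'look at this'."""
    name, display, path, size = m["name"], m["display"], m["path"].lower(), int(m["size"])
    reasons = []
    if re.search(r"\\system32\\\d+\.tmp$", path):
        reasons.append("image is a numbered .tmp file directly in system32")
    elif path.endswith(".tmp"):
        reasons.append("image is a .tmp file")
    if name == display and re.fullmatch(r"[a-z]{5,12}", name):
        reasons.append("random-looking lowercase name reused as display name")
    if size <= 4096:
        reasons.append("tiny image (%d bytes)" % size)
    return reasons


def file_reasons(m):
    """Oddities for a Created Last 30 / Find3M line (heuristic: system+hidden on a file)."""
    attrs = m["attrs"]
    reasons = []
    if "s" in attrs and "h" in attrs and not attrs.startswith("d"):
        reasons.append("file carries the system and hidden attributes")
    return reasons


def triage(log_text, min_service_score=2):
    """Return a list of findings: {'kind', 'name', 'path', 'reasons', 'line'}."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = SERVICE_RE.match(line)
        if m:
            reasons = service_reasons(m)
            if len(reasons) >= min_service_score:
                findings.append({"kind": "service", "name": m["name"], "path": m["path"],
                                 "reasons": reasons, "line": line})
            continue
        m = FILE_RE.match(line)
        if m:
            reasons = file_reasons(m)
            if reasons:
                findings.append({"kind": "file", "name": m["path"].rsplit("\\", 1)[-1],
                                 "path": m["path"], "reasons": reasons, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-7s %-12s %s" % (f["kind"], f["name"], f["path"]))
        for r in f["reasons"]:
            print("        - " + r)
```

Run it over a saved log with triage(open(path).read()). The scoring is deliberately conservative (a service needs two separate oddities), but a legitimate entry can still trip it, so every hit is a lead to confirm with a hash lookup or a look at the file from a clean boot, not a conclusion by itself.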


#2 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 07 February 2010 - 10:52 AM

Hello,

My name is Syler and I will be helping you to solve your malware issues. If you have since resolved your issues I would appreciate it if you
would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt.


Please see this topic and follow the instructions to disable your CD Emulation programs using DeFogger, before running Gmer.
  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Disconnect from the Internet and close all running programs, as this process may crash your computer.
  3. Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  4. Double click on Gmer to run it.
  5. Allow the gmer.sys driver to load if asked.
  6. You may see a rootkit warning window, If you do, click No.
  7. Untick the following boxes on the right side of the Gmer screen.
    Sections
    IAT/EAT
    Files
    Show All
  8. Click the Scan button and wait for the scan to finish.
  9. If you see a rootkit warning window, click OK.
  10. Push Save... and save the logfile to your desktop.
  11. Copy and Paste the contents of that file in your next post.



Then please post back here with the following:
  • log.txt
  • info.txt
  • Gmer log

Thanks



#3 dgbeeby (Topic Starter)
  • Members
  • 22 posts

Posted 07 February 2010 - 01:01 PM

Thank you for your response but unfortunately my computer recently pretty much died on me.

It keeps having a reboot loop. And when i run it on safemode it does the same thing with the last file it loads being MUP.sys

Do you have any idea what could be happening to my computer?

Thanks

#4 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 07 February 2010 - 01:17 PM

It's hard to say what is wrong without having any information, it could be a few things. Can you tell me if you had done any scans
or made any other changes to your system just prior to it starting the reboot loop?

Boot up and tap F8 so you get the boot options, then click on Disable automatic restart on system failure, then carry on booting
into Windows. This time when it fails it should give you a blue screen with an error code; please note down the error code and post it
in your next reply.

Thanks



#5 dgbeeby (Topic Starter)
  • Members
  • 22 posts

Posted 07 February 2010 - 02:06 PM

Yeah I think I had done a Malwarebytes anti malware scan.

The blue screen that comes up now when I boot says:

0X0000007B (0XBACC7528, 0XC0000034, 0X0000034, 0X00000000, 0x00000000)

Not really sure what to do next?

Just put it in google now and am seeing what it brings up.

If you could help in anyway I would be forever indebted.

Thanks


#6 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 07 February 2010 - 03:45 PM

I need to try and get some information from the machine so please do the following steps.

We need to create an OTL Report. After you have successfully burned the OTLPE ISO to disc, you will need to transfer the disc to the CD drive of your sick computer and boot from it.
  • Insert the CD-ROM into the CD-ROM drive, and then restart the computer.
  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-Rom drive with the keys arrows. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    • Your PC should now boot from your CD.
    • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  • Please be patient as "Windows" loads
  • Your system should now display a REATOGO-X-PE desktop.
  • Double click on the OTLPE icon on your desktop.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
    • Copy and Paste the following code into the textbox. Do not include the word "Code"

      Please note: You can use a flash drive and copy this script into a txt file from a clean computer to transfer to this computer.

      CODE
      netsvcs
      msconfig
      safebootminimal
      safebootnetwork
      activex
      drivers32
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      /md5stop
      %systemroot%\*. /mp /s
    • Push the Run Scan button.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the C:\OTL.txt file in your reply.



#7 dgbeeby (Topic Starter)
  • Members
  • 22 posts

Posted 09 February 2010 - 12:20 PM

Hi there,

Thanks again for your help.

I have done all the things you asked me to do and have attached the notepad file to this response.

Hope I've done it all correctly.

Please let me know what else i can do.

Thanks

Attached Files

  • Attached File  OTL1.txt   82.97KB   14 downloads
  • Attached File  OTL1.txt   82.97KB   9 downloads


#8 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 09 February 2010 - 02:22 PM

Hi,

You did it fine but please post your logs rather than attaching them when you reply.

Please run OTL again, then copy and paste the following code into the Custom scans/Fixes textbox. Do not include the word "Code"

CODE
C:\WINDOWS\system32\drivers\atapi.sys|C:\WINDOWS\ServicePackFiles\i386\atapi.sys /replace


Then push the Run Fix button.

Please post back with the OTL results and let me know if Windows will now boot successfully.
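
The /md5start ... /md5stop list in the OTLPE script two posts above and the atapi.sys /replace fix in this post are the same idea done in two steps: hash the boot-critical storage drivers, and if the live copy of one differs from the Service Pack copy kept under C:\WINDOWS\ServicePackFiles\i386, put the Service Pack copy back. (STOP 0x0000007B is INACCESSIBLE_BOOT_DEVICE, which is why the storage driver stack is the first place to look.) The Python below is an added example, not OTL's code and not part of the thread: it reproduces that comparison and that replacement on a throw-away directory tree that build_demo_tree() constructs, with made-up file contents. Assumed: the same system32\drivers and ServicePackFiles\i386 layout as the thread, MD5 as the digest because that is what OTL prints, and that the ServicePackFiles copy is itself untouched. The helper names (compare_drivers, replace_driver, build_demo_tree) are mine.

```python
r"""Hash boot-critical drivers against their ServicePackFiles copies, then
swap a mismatched one back. Added example, not OTL's code; the demo tree
and the driver file contents are constructed here and are not real drivers."""
import hashlib
import os
import shutil
import tempfile

# A subset of the driver names from the helper's /md5start list.
BOOT_DRIVERS = ["atapi.sys", "iaStor.sys", "nvstor.sys", "AGP440.sys"]


def driver_path(windir, name):
    r"""Live driver location: <windir>\system32\drivers\<name>."""
    return os.path.join(windir, "system32", "drivers", name)


def reference_path(windir, name):
    r"""Service Pack copy: <windir>\ServicePackFiles\i386\<name>."""
    return os.path.join(windir, "ServicePackFiles", "i386", name)


def file_hash(path, algo="md5"):
    """Hex digest of a file; md5 to match what OTL prints, sha256 also works."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_drivers(windir, names=BOOT_DRIVERS):
    """Map each driver to 'match', 'mismatch', 'missing-live' or 'missing-reference'."""
    status = {}
    for name in names:
        live, ref = driver_path(windir, name), reference_path(windir, name)
        if not os.path.isfile(live):
            status[name] = "missing-live"
        elif not os.path.isfile(ref):
            status[name] = "missing-reference"
        elif file_hash(live) == file_hash(ref):
            status[name] = "match"
        else:
            status[name] = "mismatch"
    return status


def replace_driver(windir, name):
    """Overwrite the live driver with the Service Pack copy, keeping the suspect
    file alongside as <name>.bad for later analysis. Returns the backup path."""
    live, ref = driver_path(windir, name), reference_path(windir, name)
    backup = live + ".bad"
    shutil.copy2(live, backup)   # preserve the suspect bytes before overwriting
    shutil.copy2(ref, live)
    return backup


def build_demo_tree():
    """Constructed demo tree: atapi.sys patched in place, iaStor.sys missing live,
    nvstor.sys present only live, AGP440.sys identical in both places."""
    windir = os.path.join(tempfile.mkdtemp(prefix="xp-demo-"), "WINDOWS")
    os.makedirs(os.path.dirname(driver_path(windir, "x")))
    os.makedirs(os.path.dirname(reference_path(windir, "x")))
    clean = {"atapi.sys": b"MZ fake atapi driver body", "iaStor.sys": b"MZ fake iastor",
             "nvstor.sys": b"MZ fake nvstor", "AGP440.sys": b"MZ fake agp440"}
    for name, data in clean.items():
        if name != "nvstor.sys":
            with open(reference_path(windir, name), "wb") as f:
                f.write(data)
        if name != "iaStor.sys":
            with open(driver_path(windir, name), "wb") as f:
                f.write(data)
    # Same size, a few bytes changed: a patched driver is invisible to a size check.
    with open(driver_path(windir, "atapi.sys"), "r+b") as f:
        f.seek(8)
        f.write(b"XXXXX")
    return windir


if __name__ == "__main__":
    root = build_demo_tree()
    for name, state in compare_drivers(root).items():
        print("%-11s %s" % (name, state))
    backup = replace_driver(root, "atapi.sys")
    print("atapi.sys after replace:", compare_drivers(root, ["atapi.sys"])["atapi.sys"],
          "(suspect kept as %s)" % backup)
```

Two caveats the thread itself illustrates. First, do this from a boot CD (the helper uses OTLPE) or with the disk attached to another machine: a kernel-mode rootkit that patched a driver can also serve the clean bytes back to anything reading that file on the running system, so hashes taken from inside the infected Windows prove little. Second, the ServicePackFiles copy is a convenience reference, not an authority: it can be absent ('missing-reference' above), older than a later hotfix, or tampered with as well, so a mismatch is a lead to confirm against a known-good hash from clean install media rather than proof on its own. Keep the suspect file (the .bad copy here) before overwriting it; it is the evidence of what was actually on the disk.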



#9 dgbeeby (Topic Starter)
  • Members
  • 22 posts

Posted 10 February 2010 - 08:38 AM

Ok,

Thanks for your time again.

I'll get onto doing the scan and fix as soon as I can but unfortunately i'm away for a couple of days so won't be able to get back to you for a couple of days.

Hope this is ok.

I'll message you when i can.

Thanks

#10 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 10 February 2010 - 10:02 AM

Yep that is fine, thanks for informing me.



#11 dgbeeby (Topic Starter)
  • Members
  • 22 posts

Posted 15 February 2010 - 05:39 AM

Hi again,

Sorry for the delay, and thanks for being so patient.

Ok, I've run the scan again with the change that you suggested but unfortunately it doesn't seem to have resolved the issue.

I tried rebooting but it's still hitting the same buffer and getting to MUP.sys in safe mode and nowhere on a standard reboot.

Here is the latest report:

OTL logfile created on: 2/15/2010 10:25:30 AM - Run
OTLPE by OldTimer - Version 3.1.28.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 85.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.32 Gb Total Space | 24.92 Gb Free Space | 32.65% Space Free | Partition Type: NTFS
Drive D: | 232.88 Gb Total Space | 128.90 Gb Free Space | 55.35% Space Free | Partition Type: NTFS
Drive E: | 46.92 Mb Total Space | 46.79 Mb Free Space | 99.72% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 232.83 Gb Total Space | 140.08 Gb Free Space | 60.16% Space Free | Partition Type: NTFS
Drive X: | 276.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet002

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand] -- -- (WMPNetworkSvc)
SRV - File not found [On_Demand] -- -- (WLSetupSvc)
SRV - File not found [On_Demand] -- -- (usnjsvc)
SRV - File not found [Auto] -- -- (TuneUp.UtilitiesSvc)
SRV - File not found [On_Demand] -- -- (TuneUp.Defrag)
SRV - File not found [Auto] -- -- (tgsrvc_TalkTalk) SupportSoft Repair Service (TalkTalk)
SRV - File not found [Auto] -- -- (sprtsvc_TalkTalk) SupportSoft Sprocket Service (TalkTalk)
SRV - File not found [On_Demand] -- -- (odserv)
SRV - File not found [Auto] -- -- (NVSvc)
SRV - File not found [On_Demand] -- -- (NipSvc)
SRV - File not found [Disabled] -- -- (msvsmon80)
SRV - File not found [On_Demand] -- -- (Microsoft Office Groove Audit Service)
SRV - File not found [Auto] -- -- (LightScribeService)
SRV - File not found [Auto] -- -- (JavaQuickStarterService)
SRV - File not found [On_Demand] -- -- (IDriverT)
SRV - File not found [Auto] -- -- (gupdate1c9b6bb12ee8672) Google Update Service (gupdate1c9b6bb12ee8672)
SRV - File not found [On_Demand] -- -- (getPlus® Helper) getPlus®
SRV - File not found [On_Demand] -- -- (FLEXnet Licensing Service)
SRV - File not found [On_Demand] -- -- (clr_optimization_v2.0.50727_32)
SRV - File not found [Auto] -- -- (Bonjour Service)
SRV - File not found [On_Demand] -- -- (aspnet_state)
SRV - File not found [Auto] -- -- (Apple Mobile Device)
SRV - File not found [Auto] -- -- (AgereModemAudio)
SRV - [2007/03/26 07:06:24 | 000,292,864 | ---- | M] (Nokia.) [On_Demand] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2007/02/07 11:41:59 | 000,138,168 | ---- | M] (Google) [Auto] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2006/02/28 07:00:00 | 000,038,912 | ---- | M] (Microsoft Corporation) [Auto] -- D:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc)
SRV - [2005/12/21 16:16:24 | 000,323,584 | ---- | M] (Apple Computer, Inc.) [On_Demand] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2004/03/18 10:55:48 | 000,065,536 | ---- | M] (HP) [Auto] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2003/07/28 07:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (zfderfjwi)
DRV - File not found [Kernel | On_Demand] -- -- (wouzkebpc)
DRV - File not found [Kernel | On_Demand] -- -- (WN5401)
DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (Wdf01000)
DRV - File not found [Kernel | On_Demand] -- -- (UsbserFilt)
DRV - File not found [Kernel | On_Demand] -- -- (usbser)
DRV - File not found [Kernel | On_Demand] -- -- (upperdev)
DRV - File not found [Kernel | On_Demand] -- -- (TuneUpUtilitiesDrv)
DRV - File not found [Kernel | Boot] -- -- (sptd)
DRV - File not found [Kernel | On_Demand] -- -- (RTL8023xp)
DRV - File not found [Kernel | On_Demand] -- -- (Ps2)
DRV - File not found [Kernel | On_Demand] -- -- (PhTVTune)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand] -- -- (pccsmcfd)
DRV - File not found [Kernel | On_Demand] -- -- (ossrv)
DRV - File not found [Kernel | Boot] -- -- (ohci1394)
DRV - File not found [Kernel | On_Demand] -- -- (MagicTune)
DRV - File not found [Kernel | On_Demand] -- -- (leaxz)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand] -- -- (hap17v2k)
DRV - File not found [Kernel | On_Demand] -- -- (hap16v2k)
DRV - File not found [Kernel | On_Demand] -- -- (ha10kx2k)
DRV - File not found [Kernel | On_Demand] -- -- (emupia)
DRV - File not found [Kernel | On_Demand] -- -- (ctsfm2k)
DRV - File not found [Kernel | On_Demand] -- -- (ctprxy2k)
DRV - File not found [Kernel | On_Demand] -- -- (ctdvda2k)
DRV - File not found [Kernel | On_Demand] -- -- (ctaud2k) Creative Audio Driver (WDM)
DRV - File not found [Kernel | On_Demand] -- -- (ctac32k)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | On_Demand] -- -- (Cap7134)
DRV - File not found [Kernel | On_Demand] -- -- (AgereSoftModem)
DRV - [2007/09/04 19:46:34 | 000,092,544 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2007/04/22 19:15:25 | 000,036,624 | ---- | M] (Sonic Solutions) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2007/02/22 04:15:56 | 000,137,216 | ---- | M] (Nokia) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nmwcd.sys -- (nmwcd)
DRV - [2007/02/22 04:15:14 | 000,008,320 | ---- | M] (Nokia) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nmwcdc.sys -- (nmwcdc)
DRV - [2006/08/16 04:37:30 | 000,225,664 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2005/02/09 18:59:38 | 000,011,973 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2005/02/01 20:21:04 | 000,014,408 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2004/08/03 18:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2004/08/03 17:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/06/21 06:50:26 | 000,021,744 | ---- | M] (HP) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2004/06/21 06:50:26 | 000,016,496 | ---- | M] (HP) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2004/06/21 06:50:24 | 000,051,088 | ---- | M] (HP) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412)
DRV - [2001/08/23 07:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001/08/23 07:00:00 | 000,007,936 | ---- | M] (Microsoft Corporation) [Recognizer | System] -- C:\WINDOWS\system32\drivers\fs_rec.sys -- (Fs_Rec)
DRV - [2001/08/23 07:00:00 | 000,002,864 | ---- | M] (Microsoft Corporation) [Adapter | On_Demand] -- C:\WINDOWS\system32\winsock.dll -- (Winsock)
DRV - [2001/08/17 09:04:46 | 000,223,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\camdrv21.sys -- (camvid20)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\David_Beeby_ON_D\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\David_Beeby_ON_D\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\David_Beeby_ON_D\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\David_Beeby_ON_D\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKU\David_Beeby_ON_D\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKU\David_Beeby_ON_D\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BE A7 7A E7 0C 14 CA 01 [binary data]
IE - HKU\David_Beeby_ON_D\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\System32\ieframe.dll File not found
IE - HKU\David_Beeby_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\David_Beeby_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\LocalService_ON_D\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.q-serve.net/signup.htm

IE - HKU\NetworkService_ON_D\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.q-serve.net/signup.htm


FF - HKLM\software\mozilla\Mozilla Firefox 3.1b1\extensions\\Components: C:\Program Files\Mozilla Firefox 3.1 Beta 1\components
FF - HKLM\software\mozilla\Mozilla Firefox 3.1b1\extensions\\Plugins: C:\Program Files\Mozilla Firefox 3.1 Beta 1\plugins


O1 HOSTS File: ([2001/08/23 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll File not found
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll File not found
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll File not found
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll File not found
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll File not found
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll File not found
O3 - HKU\David_Beeby_ON_D\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll File not found
O3 - HKU\David_Beeby_ON_D\..\Toolbar\WebBrowser: (&Links) - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\System32\ieframe.dll File not found
O4 - HKLM..\Run: [AGRSMMSG] File not found
O4 - HKLM..\Run: [CTHelper] File not found
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe File not found
O4 - HKLM..\Run: [KBD] C:\HP\KBD\KBD.EXE File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL File not found
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL File not found
O4 - HKLM..\Run: [nwiz] File not found
O4 - HKLM..\Run: [PS2] C:\WINDOWS\System32\ps2.exe File not found
O4 - HKU\David_Beeby_ON_D..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\David_Beeby_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll File not found
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL File not found
O9 - Extra Button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm File not found
O9 - Extra 'Tools' menuitem : Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm File not found
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\David_Beeby_ON_D\..Trusted Domains: o2.co.uk ([*.broadband] http in Trusted sites)
O15 - HKU\David_Beeby_ON_D\..Trusted Domains: o2.co.uk ([*.broadband] https in Trusted sites)
O15 - HKU\David_Beeby_ON_D\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://utilities.pcpitstop.com/da/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {126EEDB7-24A2-43EA-A53D-9B7067BD2AB8} http://www.nomisfootball.com/player/player_ocx.jpeg (VPlayer Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} https://serveraccess.livetrain.com/+CSCO+0h...F6D6+/msrdp.cab (Microsoft Terminal Services Client Control (redist))
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {B8E73359-3422-4384-8D27-4EA1B4C01232} https://serveraccess.livetrain.com/+CSCOL+/cscopf.cab (CISCO Portforwarder Control)
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-27-0.cab (EPUImageControl Class)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab (get_atlcom Class)
O16 - DPF: {EF732B7C-BFF6-49B1-A32C-3C74C318FDCC} http://www.thesecret.tv/movie/player/player_ocx.jpeg (VPlayer Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll File not found
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL File not found
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll File not found
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL File not found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL File not found
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - File not found
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - File not found
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - File not found
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/05/24 08:27:31 | 000,000,631 | ---- | M] () - C:\autoAlbum.log -- [ NTFS ]
O32 - AutoRun File - [2005/02/09 05:34:18 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/02/04 16:37:13 | 000,000,000 | ---- | M] () - D:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{15ba13f5-d36b-11dc-bcda-0013d3912135}\Shell - "" = AutoRun
O33 - MountPoints2\{15ba13f5-d36b-11dc-bcda-0013d3912135}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{514bfae4-6bce-11de-ab15-0013d3912135}\Shell - "" = AutoRun
O33 - MountPoints2\{514bfae4-6bce-11de-ab15-0013d3912135}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5af3cc8e-6481-11dd-a874-0013d3912135}\Shell - "" = AutoRun
O33 - MountPoints2\{5af3cc8e-6481-11dd-a874-0013d3912135}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{71b6ace8-0192-11de-aa6f-0013d3912135}\Shell - "" = AutoRun
O33 - MountPoints2\{71b6ace8-0192-11de-aa6f-0013d3912135}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{84141ea2-c222-11de-abd8-0013d3912135}\Shell - "" = AutoRun
O33 - MountPoints2\{84141ea2-c222-11de-abd8-0013d3912135}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{961cd324-800e-11de-ab3e-0013d3912135}\Shell - "" = AutoRun
O33 - MountPoints2\{961cd324-800e-11de-ab3e-0013d3912135}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ede67936-0126-11df-ac92-0013d3912135}\Shell - "" = AutoRun
O33 - MountPoints2\{ede67936-0126-11df-ac92-0013d3912135}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f582efcc-f3e7-11de-ac6c-0013d3912135}\Shell - "" = AutoRun
O33 - MountPoints2\{f582efcc-f3e7-11de-ac6c-0013d3912135}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/02/12 16:15:17 | 000,000,000 | ---D | C] -- C:\_OTL
[2005/05/16 13:04:43 | 000,014,968 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\winddx.sys
[2005/05/16 12:48:07 | 000,013,288 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\slwdmsup.sys
[2005/05/16 12:48:06 | 001,302,680 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\mtlstrm.sys
[2005/05/16 12:48:05 | 000,230,664 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\mtlmnt5.sys
[2005/05/16 12:48:05 | 000,180,640 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\ntmtlfax.sys
[2005/05/16 12:48:05 | 000,013,920 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\RecAgent.sys
[2005/05/16 12:48:04 | 000,632,960 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\slntamr.sys
[2005/05/16 12:48:03 | 000,095,768 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\slnthal.sys
[2005/02/09 06:14:10 | 000,151,552 | R--- | C] ( ) -- C:\WINDOWS\System32\ATIDEMGR.dll
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2007/04/22 19:15:29 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/04/22 19:01:47 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2007/02/07 11:25:42 | 000,015,872 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD64.DLL
[2007/02/07 11:25:41 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD.dll
[2006/02/21 08:29:10 | 000,000,604 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/12/29 08:24:53 | 000,308,736 | ---- | C] () -- C:\WINDOWS\System32\fpxlib.dll
[2005/12/29 08:24:53 | 000,091,136 | ---- | C] () -- C:\WINDOWS\System32\jpeglib.dll
[2005/12/29 08:24:27 | 000,000,663 | ---- | C] () -- C:\WINDOWS\videoimp.ini
[2005/12/29 08:24:19 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2005/12/29 08:24:07 | 000,000,021 | ---- | C] () -- C:\WINDOWS\VI_setup.ini
[2005/12/29 08:23:03 | 000,000,021 | ---- | C] () -- C:\WINDOWS\PB_setup.ini
[2005/12/07 06:31:00 | 000,202,752 | R--- | C] () -- C:\WINDOWS\System32\CddbCdda.dll
[2005/11/13 11:34:49 | 000,000,162 | ---- | C] () -- C:\WINDOWS\pc-cillin.ini
[2005/11/07 09:07:39 | 000,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
[2005/08/09 17:13:31 | 000,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/08/09 17:13:31 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/05/26 10:46:36 | 000,005,606 | ---- | C] () -- C:\WINDOWS\System32\stci.dll
[2005/05/16 13:04:43 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\SLMOHServ.dll
[2005/05/16 13:04:42 | 000,528,384 | ---- | C] () -- C:\WINDOWS\System32\SLLights.dll
[2005/05/16 12:48:06 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\slextspk.dll
[2005/05/16 12:48:02 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\SLGen.dll
[2005/05/16 10:59:47 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\WSBar.dll
[2005/05/04 11:14:52 | 000,000,010 | ---- | C] () -- C:\WINDOWS\smdat32m.sys
[2005/04/04 09:05:45 | 000,000,479 | ---- | C] () -- C:\WINDOWS\eolupclnt.ini
[2005/02/11 04:51:33 | 000,004,500 | ---- | C] () -- C:\Program Files\INSTALL.LOG
[2005/02/11 04:51:32 | 000,165,376 | ---- | C] () -- C:\Program Files\UNWISE.EXE
[2005/02/09 12:48:29 | 000,000,135 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/02/09 07:58:32 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/02/09 06:51:10 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2005/02/09 06:16:36 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/02/09 06:04:30 | 000,000,092 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI
[2005/02/09 06:04:29 | 000,000,026 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI
[2005/02/09 06:04:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Wininit.ini
[2005/02/09 06:04:28 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll
[2005/02/09 06:04:22 | 000,028,672 | ---- | C] () -- C:\WINDOWS\CMIRmDriver.dll
[2005/02/09 06:00:50 | 000,032,768 | ---- | C] () -- C:\WINDOWS\SIS_LIB.DLL
[2005/02/09 06:00:32 | 000,002,394 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2005/02/09 06:00:31 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2004/10/26 17:39:05 | 003,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2004/08/25 00:27:00 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[2004/05/03 07:19:26 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\coinst.dll
[2003/01/07 10:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1999/07/23 08:46:48 | 000,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini
[1999/07/23 05:53:20 | 000,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll

========== LOP Check ==========

[2006/03/08 19:51:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\NetMon
[2007/02/22 11:26:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\NCH Swift Sound
[2007/10/26 10:00:00 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\Tasks\{0A512702-4C3A-46D5-ABAB-137D539AA873}_CUSTOMER-001_customer.job
[2006/10/12 03:00:00 | 000,000,396 | -H-- | M] () -- C:\WINDOWS\Tasks\{18ECE9BF-50A5-4503-9A3E-E31335A83801}_DBEEBY_customer.job
[2007/10/26 10:00:00 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\Tasks\{7985A09F-1E41-4B22-9BD2-B130AC60167F}_CUSTOMER-001_customer.job
[2007/10/26 10:00:00 | 000,000,396 | -H-- | M] () -- C:\WINDOWS\Tasks\{87D35D86-3EC3-4C63-9C0B-94911C25CBAB}_DBEEBY_customer.job
[2007/10/26 10:00:00 | 000,000,396 | -H-- | M] () -- C:\WINDOWS\Tasks\{9486BD62-03B0-4225-9878-34462F3C487E}_DBEEBY_customer.job
[2006/10/12 03:00:00 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\Tasks\{EC65CE7B-FCF6-4860-8D56-85922D6F6BF6}_CUSTOMER-001_customer.job

========== Purity Check ==========



========== Custom Scans ==========


< C:\WINDOWS\system32\drivers\atapi.sys|C:\WINDOWS\ServicePackFiles\i386\atapi.sys /replace >
Invalid Switch: replace

========== Files - Unicode (All) ==========
[2008/07/16 08:26:57 | 000,000,000 | ---D | M](C:\Program Files\?ssembly) -- C:\Program Files\аssembly
[2008/07/16 08:26:57 | 000,000,000 | ---D | M](C:\Program Files\?ssembly) -- C:\Program Files\аssembly
[2008/07/16 08:26:55 | 000,000,000 | ---D | M](C:\Program Files\??mbols) -- C:\Program Files\ѕуmbols
[2008/07/16 08:26:55 | 000,000,000 | ---D | M](C:\Program Files\??mbols) -- C:\Program Files\ѕуmbols
[2007/10/28 10:52:58 | 000,000,000 | ---D | M](C:\Program Files\??mbols\??mbols) -- C:\Program Files\ѕуmbols\ѕуmbols
(C:\Program Files\?ssembly) -- C:\Program Files\аssembly
(C:\Program Files\??mbols) -- C:\Program Files\ѕуmbols

< End of report >


Thanks again for your time as your expertise is very much appreciated.

Please let me know what to do next and hopefully we can get to the bottom of this.

Thanks

David


#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:11:54 PM

Posted 15 February 2010 - 12:25 PM

Hello,

It seems you have pressed the run scan button instead of the run fix button, please do it again and press run fix then post the log.
When finished, the log will be saved in drive C:\_OTL\MovedFiles with a name made up of the date/time that the fix was performed.



#13 dgbeeby

dgbeeby
  • Topic Starter

  • Members
  • 22 posts
  • Local time:10:54 PM

Posted 18 February 2010 - 07:09 AM

Hi again,

I ran OTL again and added the fix, then ran the fix scan alone, but unfortunately I don't think it worked.

Below is the readout it gave:

Error: Unable to interpret <C:\WINDOWS\system32\drivers\atapi.sys|C:\WINDOWS\ServicePackFiles\i386\atapi.sys /replace> in the current context!

OTLPE by OldTimer - Version 3.1.28.0 log created on 02122010_161517

That's all that was in the log file.

I tried booting again but with no success.

What do you feel I should try now?

Thanks again

David.


#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:11:54 PM

Posted 18 February 2010 - 11:40 AM

Sorry, that's my bad, I have given you the wrong code, please try this.

CODE
:files
C:\WINDOWS\system32\drivers\atapi.sys|C:\WINDOWS\ServicePackFiles\i386\atapi.sys /replace



#15 dgbeeby

dgbeeby
  • Topic Starter

  • Members
  • 22 posts
  • Local time:10:54 PM

Posted 18 February 2010 - 01:34 PM

Hi again,

Tried what you suggested again, this time with the new change, but still no joy.

The report says this:

Error: Unable to interpret <C:\WINDOWS\system32\drivers\atapi.sys|C:\WINDOWS\ServicePackFiles\i386\atapi.sys /replace> in the current context!

OTLPE by OldTimer - Version 3.1.28.0 log created on 02182010_182125

Is there anything else I can do?

Thanks

David

