Google redirect


  • This topic is locked
42 replies to this topic

#31 CooOp
  • Topic Starter
  • Members
  • 24 posts

Posted 14 March 2011 - 02:36 PM

OTL.txt as requested:

------------------
OTL logfile created on: 14/03/2011 19:31:08 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\B Garforth\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,014.00 Mb Total Physical Memory | 628.00 Mb Available Physical Memory | 62.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 78.09 Gb Free Space | 69.86% Space Free | Partition Type: NTFS
Drive D: | 60.96 Mb Total Space | 60.41 Mb Free Space | 99.09% Space Free | Partition Type: FAT

Computer Name: YOUR-C05175F61D | User Name: B Garforth | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\B Garforth\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files\Toshiba\ConfigFree\NDSTray.exe (TOSHIBA CORPORATION)
PRC - C:\Program Files\Toshiba\Toshiba Online Product Information\TOPI.exe ()
PRC - C:\Program Files\Toshiba\TOSHIBA Applet\THotkey.exe (TOSHIBA)
PRC - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe (TOSHIBA Corp.)
PRC - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe (TOSHIBA Corporation)
PRC - C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe (Chicony)
PRC - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe (TOSHIBA CORPORATION)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Atheros\ACU.exe (Atheros Communications, Inc.)
PRC - C:\WINDOWS\system32\acs.exe (Atheros)
PRC - C:\WINDOWS\system32\TODDSrv.exe (TOSHIBA Corporation)
PRC - C:\Program Files\Toshiba\TOSHIBA Direct Disc Writer\DDWMon.exe (TOSHIBA Corporation)
PRC - C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe (TOSHIBA Corporation)
PRC - C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\B Garforth\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (TAPPSRV) -- C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe (TOSHIBA Corp.)
SRV - (TNaviSrv) -- C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe (TOSHIBA Corporation)
SRV - (TOSHIBA Bluetooth Service) -- c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe (TOSHIBA CORPORATION)
SRV - (ACS) -- C:\WINDOWS\system32\acs.exe (Atheros)
SRV - (TODDSrv) -- C:\WINDOWS\system32\TODDSrv.exe (TOSHIBA Corporation)
SRV - (CFSvcs) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)


========== Driver Services (SafeList) ==========

DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (RSUSBSTOR) -- C:\WINDOWS\system32\drivers\RTS5121.sys (Realtek Semiconductor Corp.)
DRV - (tos_sps32) -- C:\WINDOWS\system32\DRIVERS\tos_sps32.sys (TOSHIBA Corporation)
DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation )
DRV - (UVCFTR) -- C:\WINDOWS\system32\drivers\UVCFTR_S.SYS (Chicony Electronics Co., Ltd.)
DRV - (AR5416) -- C:\WINDOWS\system32\drivers\athw.sys (Atheros Communications, Inc.)
DRV - (WSIMD) -- C:\WINDOWS\system32\drivers\wsimd.sys (Atheros Communications, Inc.)
DRV - (FwLnk) -- C:\WINDOWS\system32\drivers\FwLnk.sys (TOSHIBA Corporation)
DRV - (tdudf) -- C:\WINDOWS\system32\drivers\tdudf.sys (TOSHIBA Corporation)
DRV - (trudf) -- C:\WINDOWS\system32\drivers\trudf.sys (TOSHIBA Corporation)
DRV - (tosrfec) -- C:\WINDOWS\system32\drivers\tosrfec.sys (TOSHIBA Corporation)
DRV - (tdcmdpst) -- C:\WINDOWS\system32\drivers\tdcmdpst.sys (TOSHIBA Corporation.)
DRV - (Netdevio) -- C:\WINDOWS\system32\drivers\Netdevio.sys (TOSHIBA Corporation.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3180693857-1644820493-517896142-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-3180693857-1644820493-517896142-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-3180693857-1644820493-517896142-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\S-1-5-21-3180693857-1644820493-517896142-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


[2011/02/22 16:10:36 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2011/03/10 08:43:56 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - File not found
O4 - HKLM..\Run: [ACU] C:\Program Files\Atheros\ACU.exe (Atheros Communications, Inc.)
O4 - HKLM..\Run: [Camera Assistant Software] C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe (Chicony)
O4 - HKLM..\Run: [CFSServ.exe] File not found
O4 - HKLM..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe ()
O4 - HKLM..\Run: [Google EULA Launcher] C:\Program Files\Google\Google EULA\GoogleEULALauncher.exe (Google)
O4 - HKLM..\Run: [ITSecMng] C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe ( TOSHIBA CORPORATION)
O4 - HKLM..\Run: [NDSTray.exe] File not found
O4 - HKLM..\Run: [SmoothView] C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [THotkey] C:\Program Files\Toshiba\TOSHIBA Applet\THotkey.exe (TOSHIBA)
O4 - HKU\.DEFAULT..\Run: [TOSHIBA Online Product Information] C:\Program Files\Toshiba\Toshiba Online Product Information\TOPI.exe ()
O4 - HKU\S-1-5-18..\Run: [TOSHIBA Online Product Information] C:\Program Files\Toshiba\Toshiba Online Product Information\TOPI.exe ()
O4 - HKU\S-1-5-21-3180693857-1644820493-517896142-1006..\Run: [TOSHIBA Online Product Information] C:/Program Files/TOSHIBA/Toshiba Online Product Information/topi.exe ()
O4 - Startup: C:\Documents and Settings\B Garforth\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3180693857-1644820493-517896142-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3180693857-1644820493-517896142-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3180693857-1644820493-517896142-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3180693857-1644820493-517896142-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.)
O9 - Extra Button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - File not found
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 212.139.132.27 212.139.132.25
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Program Files\ahlgaaxn\indskdha.exe) - C:\Program Files\ahlgaaxn\indskdha.exe File not found
O24 - Desktop WallPaper: C:\Documents and Settings\B Garforth\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\B Garforth\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/19 06:27:52 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/14 19:28:55 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\B Garforth\Desktop\OTL.exe
[2011/03/14 17:09:10 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/03/14 17:09:10 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/03/14 17:09:10 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/03/14 17:09:10 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/03/14 16:34:47 | 000,000,000 | ---D | C] -- C:\Program Files\ahlgaaxn
[2011/02/26 10:42:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\B Garforth\Desktop\gmer
[2011/02/23 12:37:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/02/23 11:05:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2011/02/23 10:08:44 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2011/02/23 09:07:54 | 001,372,248 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\B Garforth\Desktop\yes.com.exe
[2011/02/22 19:46:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ParetoLogic
[2011/02/22 19:46:16 | 000,000,000 | ---D | C] -- C:\Program Files\ParetoLogic
[2011/02/22 19:46:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2011/02/22 17:19:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\B Garforth\Application Data\Malwarebytes
[2011/02/22 16:21:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/02/22 16:21:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2011/02/22 16:21:31 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/02/22 16:14:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/02/22 16:14:42 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/02/22 16:14:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/02/22 16:14:39 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/02/22 16:14:38 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/02/22 16:05:32 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/02/22 16:03:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/02/22 16:03:05 | 000,000,000 | ---D | C] -- C:\Qoobox
[2008/09/19 07:26:21 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\DLLVGA.dll
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/14 19:29:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/14 19:27:44 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/14 19:27:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/14 19:27:23 | 1063,202,816 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/14 19:26:34 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\B Garforth\Desktop\OTL.exe
[2011/03/14 17:08:26 | 004,286,725 | R--- | M] () -- C:\Documents and Settings\B Garforth\Desktop\ComboFix.exe
[2011/03/14 16:40:09 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/14 16:34:35 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/10 08:43:56 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/03/05 12:09:06 | 000,027,646 | ---- | M] () -- C:\Documents and Settings\B Garforth\Desktop\RKReport
[2011/03/05 12:00:44 | 000,304,113 | ---- | M] () -- C:\Documents and Settings\B Garforth\Desktop\RKUnhookerLE.EXE
[2011/02/26 10:37:55 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\B Garforth\defogger_reenable
[2011/02/26 10:09:58 | 000,288,107 | ---- | M] () -- C:\Documents and Settings\B Garforth\Desktop\gmer.zip
[2011/02/26 10:03:24 | 000,794,576 | ---- | M] () -- C:\Documents and Settings\B Garforth\Desktop\dds.scr
[2011/02/26 10:02:10 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\B Garforth\Desktop\Defogger.exe
[2011/02/23 11:16:38 | 000,261,432 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/02/22 23:29:50 | 001,372,248 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\B Garforth\Desktop\yes.com.exe
[2011/02/22 21:18:56 | 000,000,434 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Update Version3.job
[2011/02/22 21:18:56 | 000,000,392 | ---- | M] () -- C:\WINDOWS\tasks\PC Health Advisor Defrag.job
[2011/02/22 21:18:56 | 000,000,374 | ---- | M] () -- C:\WINDOWS\tasks\PC Health Advisor.job
[2011/02/22 19:46:59 | 000,001,537 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TOSHIBA Warranty.lnk
[2011/02/22 19:46:25 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration3.job
[2011/02/22 16:21:35 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/02/22 16:14:43 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/02/22 16:05:37 | 000,000,342 | RHS- | M] () -- C:\boot.ini
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/14 17:09:10 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/03/14 17:09:10 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/03/14 17:09:10 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/03/14 17:09:10 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/03/14 17:09:10 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/03/10 23:38:48 | 1063,202,816 | -HS- | C] () -- C:\hiberfil.sys
[2011/03/05 17:44:08 | 004,286,725 | R--- | C] () -- C:\Documents and Settings\B Garforth\Desktop\ComboFix.exe
[2011/03/05 12:09:06 | 000,027,646 | ---- | C] () -- C:\Documents and Settings\B Garforth\Desktop\RKReport
[2011/03/05 12:03:37 | 000,304,113 | ---- | C] () -- C:\Documents and Settings\B Garforth\Desktop\RKUnhookerLE.EXE
[2011/02/26 10:37:55 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\B Garforth\defogger_reenable
[2011/02/26 10:36:52 | 000,794,576 | ---- | C] () -- C:\Documents and Settings\B Garforth\Desktop\dds.scr
[2011/02/26 10:36:52 | 000,288,107 | ---- | C] () -- C:\Documents and Settings\B Garforth\Desktop\gmer.zip
[2011/02/26 10:36:52 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\B Garforth\Desktop\Defogger.exe
[2011/02/22 19:46:25 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\ParetoLogic Registration3.job
[2011/02/22 19:46:19 | 000,000,434 | ---- | C] () -- C:\WINDOWS\tasks\ParetoLogic Update Version3.job
[2011/02/22 19:46:18 | 000,000,392 | ---- | C] () -- C:\WINDOWS\tasks\PC Health Advisor Defrag.job
[2011/02/22 19:46:18 | 000,000,374 | ---- | C] () -- C:\WINDOWS\tasks\PC Health Advisor.job
[2011/02/22 16:21:35 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/02/22 16:14:43 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/02/22 16:05:36 | 000,000,226 | ---- | C] () -- C:\Boot.bak
[2011/02/22 16:05:34 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2009/01/03 20:40:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ToDisc.INI
[2008/12/26 14:31:19 | 000,005,632 | ---- | C] () -- C:\Documents and Settings\B Garforth\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/09/19 08:16:16 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/09/19 07:57:08 | 000,000,563 | ---- | C] () -- C:\WINDOWS\TBTdetect.ini
[2008/09/19 07:26:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2008/09/19 07:21:11 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/09/19 07:20:28 | 000,261,432 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/09/19 07:10:02 | 000,262,216 | ---- | C] () -- C:\WINDOWS\System32\IPTests.dll
[2008/09/19 07:05:05 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2008/09/19 06:52:08 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\ToshBIOS.dll
[2008/09/19 06:51:47 | 000,159,744 | ---- | C] () -- C:\WINDOWS\MakeMrk.exe
[2008/09/19 06:51:47 | 000,000,083 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/09/19 06:30:05 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/09/19 06:25:57 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/09/19 05:15:15 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/09/19 05:15:14 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/09/19 05:15:14 | 000,441,894 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/09/19 05:15:14 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/09/19 05:15:14 | 000,071,854 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/09/19 05:15:14 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/09/19 05:15:14 | 000,004,631 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/09/19 05:15:14 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2008/09/19 05:15:13 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/09/19 05:15:13 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/09/19 05:15:09 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/09/19 05:15:09 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2007/12/21 15:46:32 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2005/07/22 20:30:18 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll

< End of report >


#32 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 March 2011 - 03:10 PM

Run OTL Script

We need to run an OTL Fix

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word Code
    :OTL
    O20 - HKLM Winlogon: UserInit - (C:\Program Files\ahlgaaxn\indskdha.exe) - C:\Program Files\ahlgaaxn\indskdha.exe File not found
    [2011/03/14 16:34:47 | 000,000,000 | ---D | C] -- C:\Program Files\ahlgaaxn
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - File not found
    O4 - HKLM..\Run: [CFSServ.exe] File not found
    O4 - HKLM..\Run: [NDSTray.exe] File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra Button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - File not found
    :Files
    ipconfig /flushdns /c
    c:\program files\ahlgaaxn\indskdha.exe
    c:\documents and settings\B Garforth\Start Menu\Programs\Startup\indskdha.exe
    :Commands
    [PURITY] 
    [EMPTYTEMP]
    [EMPTYFLASH]
    [REBOOT]
    [RESETHOSTS] 
    [CREATERESTOREPOINT]
    [CLEARALLRESTOREPOINTS]
    
  • Then click the Run Fix button at the top.
  • Click Posted Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
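As an added defender-side example (not OTL's own code and not written by either poster), the following Python walks OTL log lines the way the helper did above: it flags a Winlogon UserInit or Shell value that differs from the expected default, collects orphaned "File not found" autostart entries, and assembles the :OTL fix block in the layout used in post #32. The expected Winlogon values are assumptions for a default Windows XP install; the sample lines are excerpted from the OTL log posted in this thread.

```python
"""Audit OTL (OldTimer's OTL) log lines for a hijacked Winlogon value and for
orphaned autostart entries, then assemble the ':OTL' fix block in the layout
the helper used in this thread. Added example: not OTL's own code and not
written by either poster; paths below are assumptions for a default XP install."""
import re

# Assumed defaults on Windows XP. UserInit is stored as a full path (with a
# trailing comma in the registry); Shell is stored as the bare file name.
EXPECTED_WINLOGON = {
    "userinit": r"c:\windows\system32\userinit.exe",
    "shell": "explorer.exe",
}

# O20 - HKLM Winlogon: UserInit - (<registry value>) - <resolved path> (<company>)
WINLOGON_RE = re.compile(
    r"^O20 - HKLM Winlogon: (?P<value>UserInit|Shell) - \((?P<raw>.*?)\) - (?P<rest>.*)$",
    re.IGNORECASE,
)

# OTL sections that load code at logon or browser start.
AUTOSTART_KINDS = ("O2", "O4", "O9", "O20")

# Sample input: lines excerpted from the OTL log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - File not found
O4 - HKLM..\Run: [ACU] C:\Program Files\Atheros\ACU.exe (Atheros Communications, Inc.)
O4 - HKLM..\Run: [CFSServ.exe] File not found
O4 - HKLM..\Run: [NDSTray.exe] File not found
O9 - Extra Button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Program Files\ahlgaaxn\indskdha.exe) - C:\Program Files\ahlgaaxn\indskdha.exe File not found
"""


def normalize_path(path: str) -> str:
    """Lower-case, unify slashes and drop the trailing comma UserInit carries."""
    return path.strip().rstrip(",").strip().replace("/", "\\").lower()


def audit_otl(log_text: str) -> list:
    """Return findings as {'severity', 'reason', 'line'}. 'line' is the verbatim
    OTL log line, because OTL's :OTL fix section consumes log lines as written."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        kind = line.split(" ", 1)[0]
        if kind not in AUTOSTART_KINDS:
            continue
        m = WINLOGON_RE.match(line)
        if m:
            value = m.group("value").lower()
            if normalize_path(m.group("raw")) != EXPECTED_WINLOGON[value]:
                findings.append({
                    "severity": "critical",
                    "reason": f"Winlogon {m.group('value')} runs {m.group('raw')} "
                              f"instead of {EXPECTED_WINLOGON[value]}",
                    "line": line,
                })
                continue  # already recorded; do not double-count it as an orphan
        if line.endswith("File not found"):
            findings.append({
                "severity": "low",
                "reason": f"{kind} autostart entry whose target no longer exists",
                "line": line,
            })
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity, e.g. {'critical': 1, 'low': 4}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def build_otl_fix(findings: list, extra_files=()) -> str:
    """Assemble the fix script in the helper's layout: :OTL lines to remove,
    optional :Files targets, then the housekeeping :Commands used in the thread."""
    script = [":OTL"] + [f["line"] for f in findings]
    if extra_files:
        script.append(":Files")
        script.extend(extra_files)
    script += [":Commands", "[PURITY]", "[EMPTYTEMP]", "[EMPTYFLASH]",
               "[REBOOT]", "[RESETHOSTS]", "[CREATERESTOREPOINT]"]
    return "\n".join(script)


if __name__ == "__main__":
    found = audit_otl(SAMPLE_LOG)
    for f in found:
        print(f"[{f['severity']}] {f['reason']}")
    print()
    # The :Files target is the executable the hijacked UserInit value pointed at.
    print(build_otl_fix(found, extra_files=[r"c:\program files\ahlgaaxn\indskdha.exe"]))
```

The Shell value is compared as a bare file name because Windows stores it that way, so a legitimate "Explorer.exe" entry is not reported while a UserInit pointing outside system32 is.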

#33 CooOp
  • Topic Starter
  • Members
  • 24 posts

Posted 14 March 2011 - 03:36 PM

The OTL report:

----------------
All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\Program Files\ahlgaaxn\indskdha.exe deleted successfully.
C:\Program Files\ahlgaaxn folder moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\CFSServ.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\NDSTray.exe deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{76577871-04EC-495E-A12B-91F7C3600AFA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76577871-04EC-495E-A12B-91F7C3600AFA}\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\B Garforth\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\B Garforth\Desktop\cmd.txt deleted successfully.
File\Folder c:\program files\ahlgaaxn\indskdha.exe not found.
File\Folder c:\documents and settings\B Garforth\Start Menu\Programs\Startup\indskdha.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 294871 bytes
->Flash cache emptied: 56504 bytes

User: All Users

User: B Garforth
->Temp folder emptied: 588877 bytes
->Temporary Internet Files folder emptied: 1351150 bytes
->Java cache emptied: 58993 bytes
->Flash cache emptied: 88659 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 49286 bytes
->Flash cache emptied: 56504 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 16786 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 3.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: B Garforth
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)
Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.22.3 log created on 03142011_203206

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

#34 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 March 2011 - 07:13 PM

Hello

Run ComboFix for me again. How are things at this point?


Gringo

#35 CooOp
  • Topic Starter
  • Members
  • 24 posts

Posted 15 March 2011 - 03:54 AM

Hi Gringo,

I still have blocking and redirects; ComboFix report below:

Thanks,

---------------------
ComboFix 11-03-14.06 - B Garforth 15/03/2011 8:41.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.737 [GMT 0:00]
Running from: c:\documents and settings\B Garforth\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-02-15 to 2011-03-15 )))))))))))))))))))))))))))))))
.
.
2011-03-14 20:34 . 2011-03-14 20:34 -------- d-----w- c:\program files\ahlgaaxn
2011-03-14 20:32 . 2011-03-14 20:32 -------- d-----w- C:\_OTL
2011-02-23 11:05 . 2011-02-23 11:05 -------- d-----w- c:\windows\ie8updates
2011-02-23 10:08 . 2010-12-20 23:59 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-02-23 10:08 . 2010-12-20 23:59 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-02-23 10:08 . 2010-12-20 23:59 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-02-22 19:46 . 2011-02-22 19:46 -------- d-----w- c:\program files\Common Files\ParetoLogic
2011-02-22 19:46 . 2011-02-22 19:46 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2011-02-22 19:46 . 2011-02-22 19:46 -------- d-----w- c:\program files\ParetoLogic
2011-02-22 17:19 . 2011-02-22 17:19 -------- d-----w- c:\documents and settings\B Garforth\Application Data\Malwarebytes
2011-02-22 16:21 . 2011-02-22 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-02-22 16:21 . 2011-02-22 16:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-22 16:14 . 2011-02-22 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-22 16:14 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-22 16:14 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-22 16:14 . 2011-02-23 13:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-22 16:01 . 2011-03-10 15:05 -------- d-----w- c:\documents and settings\Administrator
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2008-09-19 05:15 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-09-19 05:15 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2008-09-19 06:25 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-09-19 06:25 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2008-09-19 05:15 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-09-19 05:15 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2008-09-19 05:15 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-09-19 05:15 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-09-19 05:15 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-09-19 05:15 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2008-09-19 05:15 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2008-09-19 05:15 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-09-19 05:15 385024 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-14_17.23.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-15 08:39 . 2011-03-15 08:39 16384 c:\windows\temp\Perflib_Perfdata_33c.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSHIBA Online Product Information"="C:" [X]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-25 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-12 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-12 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-12 131072]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-11 16851456]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-13 1196404]
"ACU"="c:\program files\Atheros\ACU.exe" [2008-04-14 450648]
"ITSecMng"="%ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [N/A]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2008-09-05 393216]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-09 332116]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-26 668172]
"Google EULA Launcher"="c:\program files\Google\Google EULA\\GoogleEULALauncher.exe" [2008-08-29 20480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-08-19 590358]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-12-01 594358]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TOSHIBA Online Product Information"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2008-09-08 5567800]
.
c:\documents and settings\B Garforth\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 554431]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\ahlgaaxn\indskdha.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Toshiba\\ConfigFree\\NDSTray.exe"=
"c:\\Program Files\\Toshiba\\ConfigFree\\CFXFER.exe"=
.
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [26/03/2007 11:22 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [19/02/2007 11:15 134016]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [19/09/2008 07:26 5888]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [19/09/2008 07:09 157696]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [04/02/2010 20:09 135664]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 20:09]
.
2011-03-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 20:09]
.
2011-02-22 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01]
.
2011-02-22 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01]
.
2011-02-22 c:\windows\Tasks\PC Health Advisor Defrag.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]
.
2011-02-22 c:\windows\Tasks\PC Health Advisor.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]
.
2008-12-25 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-09-19 12:00]
.
2008-12-25 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-09-19 12:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/redirectdomain?brand=TSED&bmod=TSED
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-15 08:47
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\B Garforth\Start Menu\Programs\Startup\indskdha.exe 167278 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-03-15 08:49:20
ComboFix-quarantined-files.txt 2011-03-15 08:49
ComboFix2.txt 2011-03-14 17:24
ComboFix3.txt 2011-03-10 08:46
ComboFix4.txt 2011-03-09 08:36
ComboFix5.txt 2011-03-15 08:33
.
Pre-Run: 95,620,661,248 bytes free
Post-Run: 95,525,924,864 bytes free
.
- - End Of File - - FB0294D9DE0456B35931E5897D5498E8

#36 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts)

Posted 16 March 2011 - 12:15 PM

Dr.Web CureIt

Download to the desktop: Dr.Web CureIt

  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the "Scan" tab and remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the next icon beside the files found. If so, click it, then click the next icon right below and select "Move incurable". This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose "Save report list".
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer! It is possible that files in use will be moved/deleted during the reboot.
  • After the reboot, post the contents of the Dr.Web log you saved previously in your next reply, together with a new HijackThis log.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#37 CooOp (Topic Starter, Members, 24 posts)

Posted 16 March 2011 - 05:00 PM

Hi Gringo,

I'm running the DrWeb scan at the moment. It moved indskdha.exe and then found 2410 instances, so far, of either Trojan.MulDrop1.64009 or Trojan.Inor. These have all been moved, so I'm not sure what will happen when I reboot.

Thanks

#38 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts)

Posted 16 March 2011 - 09:27 PM

Let me know what happens



gringo

#39 CooOp (Topic Starter, Members, 24 posts)

Posted 17 March 2011 - 05:12 AM

Hi Gringo,

Final count was 3357! I selected them all and tried to move them, then switched off DrWeb, and it said there were threats that hadn't been dealt with. Rebooted and XP went into a recovery mode but did reboot; however, Windows Explorer won't start. I've restarted DrWeb and it has found indskdha.exe again and listed it as Trojan.MulDrop1.64009.

You asked "in your next reply with a new hijackthis log." I don't have this?

DrWeb file, I've listed just the first few lines, there are another 3000+ like this if you would like me to list them?

------------------------

indskdha.exe;C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup;Trojan.MulDrop1.64009;Incurable.Moved.;
iedw.exe\data001;C:\WINDOWS\system32\dllcache\iedw.exe;Trojan.MulDrop1.64009;;
iedw.exe;C:\WINDOWS\system32\dllcache;Container contains infected objects;Moved.;
moviemk.exe/data002\data001;C:\WINDOWS\system32\dllcache\moviemk.exe/data002;Trojan.MulDrop1.64009;;
data002;C:\WINDOWS\system32\dllcache;Container contains infected objects;;
moviemk.exe;C:\WINDOWS\system32\dllcache;Container contains infected objects;Moved.;
msoe.dll/data002\data001;C:\WINDOWS\system32\dllcache\msoe.dll/data002;Trojan.MulDrop1.64009;;
data002;C:\WINDOWS\system32\dllcache;Container contains infected objects;;
msoe.dll;C:\WINDOWS\system32\dllcache;Container contains infected objects;Moved.;
triedit.dll\data001;C:\WINDOWS\system32\dllcache\triedit.dll;Trojan.MulDrop1.64009;;
triedit.dll;C:\WINDOWS\system32\dllcache;Container contains infected objects;Moved.;
wab.exe\data001;C:\WINDOWS\system32\dllcache\wab.exe;Trojan.MulDrop1.64009;;
wab.exe;C:\WINDOWS\system32\dllcache;Container contains infected objects;Moved.;
wordpad.exe/data002\data001;C:\WINDOWS\system32\dllcache\wordpad.exe/data002;Trojan.MulDrop1.64009;;
data002;C:\WINDOWS\system32\dllcache;Container contains infected objects;;
wordpad.exe;C:\WINDOWS\system32\dllcache;Container contains infected objects;Moved.;
flac.exe\data001;C:\Documents and Settings\B Garforth\My Documents\My Music\XXHighEnd current on Musicserver (Musicserver)\flac.exe;Trojan.MulDrop1.64009;;
flac.exe;C:\Documents and Settings\B Garforth\My Documents\My Music\XXHighEnd current on Musicserver (Musicserver);Container contains infected objects;Moved.;
Help.htm\VBScript.0;C:\Documents and Settings\B Garforth\My Documents\My Music\XXHighEnd current on Musicserver (Musicserver)\Help.htm;Trojan.Inor;;
Help.htm;C:\Documents and Settings\B Garforth\My Documents\My Music\XXHighEnd current on Musicserver (Musicserver);Container contains infected objects;Moved.;
msvcp80.dll\data001;C:\Documents and Settings\B Garforth\My Documents\My Music\XXHighEnd current on Musicserver (Musicserver)\msvcp80.dll;Trojan.MulDrop1.64009;;
msvcp80.dll;C:\Documents and Settings\B Garforth\My Documents\My Music\XXHighEnd current on Musicserver (Musicserver);Container contains infected objects;Moved.;
msvcr80.dll\data001;C:\Documents and Settings\B Garforth\My Documents\My Music\XXHighEnd current on Musicserver (Musicserver)\msvcr80.dll;Trojan.MulDrop1.64009;;
msvcr80.dll;C:\Documents and Settings\B Garforth\My Documents\My Music\XXHighEnd current on Musicserver (Musicserver);Container contains infected objects;Moved.;
Help.htm\VBScript.0;C:\Documents and Settings\B Garforth\My Documents\My Music\XXHighEnd current on Musicserver (Musicserver)\XXHighEnd-09g\Help.ht;Trojan.Inor;;
Help.htm;C:\Documents and Settings\B Garforth\My Documents\My Music\XXHighEnd current on Musicserver (Musicserver)\XXHighEnd-09g;Container contains infected objects;Moved.;
msvcp80.dll\data001;C:\Documents and Settings\B Garforth\My Documents\My Music\XXHighEnd current on Musicserver (Musicserver)\XXHighEnd-09g\msvcp80;Trojan.MulDrop1.64009;;
msvcp80.dll;C:\Documents and Settings\B Garforth\My Documents\My Music\XXHighEnd current on Musicserver (Musicserver)\XXHighEnd-09g;Container contains infected objects;Moved.;
msvcr80.dll\data001;C:\Documents and Settings\B Garforth\My Documents\My Music\XXHighEnd current on Musicserver (Musicserver)\XXHighEnd-09g\msvcr80;Trojan.MulDrop1.64009;;
msvcr80.dll;C:\Documents and Settings\B Garforth\My Documents\My Music\XXHighEnd current on Musicserver (Musicserver)\XXHighEnd-09g;Container contains infected objects;Moved.;
indskdha.exe;c:\documents and settings\b garforth\start menu\programs\startup;Trojan.MulDrop1.64009;Incurable.Moved.;
indskdha.exe;c:\program files\ahlgaaxn;Trojan.MulDrop1.64009;Incurable.Moved.;
ceccmdll.dll\data001;c:\program files\camera assistant software for toshiba\ceccmdll.dll;Trojan.MulDrop1.64009;;
ceccmdll.dll;c:\program files\camera assistant software for toshiba;Container contains infected objects;Invalid path to file ;
traybar.exe\data001;c:\program files\camera assistant software for toshiba\traybar.exe;Trojan.MulDrop1.64009;;
traybar.exe;c:\program files\camera assistant software for toshiba;Container contains infected objects;Moved.;
pdfshell.dll\data001;c:\program files\common files\adobe\acrobat\activex\pdfshell.dll;Trojan.MulDrop1.64009;;
pdfshell.dll;c:\program files\common files\adobe\acrobat\activex;Container contains infected objects;;
pareto_update3.exe\data001;c:\program files\common files\paretologic\uus3\pareto_update3.exe;Trojan.MulDrop1.64009;;
pareto_update3.exe;c:\program files\common files\paretologic\uus3;Container contains infected objects;Moved.;
msvcr71.dll\data001;c:\program files\java\jre6\bin\msvcr71.dll;Trojan.MulDrop1.64009;;
msvcr71.dll;c:\program files\java\jre6\bin;Container contains infected objects;;
jqs_plugin.dll\data001;c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll;Trojan.MulDrop1.64009;;
jqs_plugin.dll;c:\program files\java\jre6\lib\deploy\jqs\ie;Container contains infected objects;Moved.;
aggmi.dll\data001;c:\program files\openoffice.org 3\basis\program\aggmi.dll;Trojan.MulDrop1.64009;;
aggmi.dll;c:\program files\openoffice.org 3\basis\program;Container contains infected objects;;
avmediami.dll\data001;c:\program files\openoffice.org 3\basis\program\avmediami.dll;Trojan.MulDrop1.64009;;
avmediami.dll;c:\program files\openoffice.org 3\basis\program;Container contains infected objects;;
basegfxmi.dll\data001;c:\program files\openoffice.org 3\basis\program\basegfxmi.dll;Trojan.MulDrop1.64009;;
basegfxmi.dll;c:\program files\openoffice.org 3\basis\program;Container contains infected objects;;
canvastoolsmi.dll\data001;c:\program files\openoffice.org 3\basis\program\canvastoolsmi.dll;Trojan.MulDrop1.64009;;
canvastoolsmi.dll;c:\program files\openoffice.org 3\basis\program;Container contains infected objects;;
cppcanvasmi.dll\data001;c:\program files\openoffice.org 3\basis\program\cppcanvasmi.dll;Trojan.MulDrop1.64009;;
cppcanvasmi.dll;c:\program files\openoffice.org 3\basis\program;Container contains infected objects;;
drawinglayermi.dll\data001;c:\program files\openoffice.org 3\basis\program\drawinglayermi.dll;Trojan.MulDrop1.64009;;
drawinglayermi.dll;c:\program files\openoffice.org 3\basis\program;Container contains infected objects;;
emsermi.dll\data001;c:\program files\openoffice.org 3\basis\program\emsermi.dll;Trojan.MulDrop1.64009;;
emsermi.dll;c:\program files\openoffice.org 3\basis\program;Container contains infected objects;;
fwemi.dll\data001;c:\program files\openoffice.org 3\basis\program\fwemi.dll;Trojan.MulDrop1.64009;;
fwemi.dll;c:\program files\openoffice.org 3\basis\program;Container contains infected objects;;
fwimi.dll\data001;c:\program files\openoffice.org 3\basis\program\fwimi.dll;Trojan.MulDrop1.64009;;
fwimi.dll;c:\program files\openoffice.org 3\basis\program;Container contains infected objects;;
fwkmi.dll\data001;c:\program files\openoffice.org 3\basis\program\fwkmi.dll;Trojan.MulDrop1.64009;;
fwkmi.dll;c:\program files\openoffice.org 3\basis\program;Container contains infected objects;;
gomi.dll\data001;c:\program files\openoffice.org 3\basis\program\gomi.dll;Trojan.MulDrop1.64009;;
gomi.dll;c:\program files\openoffice.org 3\basis\program;Container contains infected objects;;
i18nisolang1msc.dll\data001;c:\program files\openoffice.org 3\basis\program\i18nisolang1msc.dll;Trojan.MulDrop1.64009;;
i18nisolang1msc.dll;c:\program files\openoffice.org 3\basis\program;Container contains infected objects;;
i18nutilmsc.dll\data001;c:\program files\openoffice.org 3\basis\program\i18nutilmsc.dll;Trojan.MulDrop1.64009;;
i18nutilmsc.dll;c:\program files\openoffice.org 3\basis\program;Container contains infected objects;;
icuuc40.dll\data001;c:\program files\openoffice.org 3\basis\program\icuuc40.dll;Trojan.MulDrop1.64009;;
icuuc40.dll;c:\program files\openoffice.org 3\basis\program;Container contains infected objects;;
jmi_g.dll\data001;c:\program files\openoffice.org 3\basis\program\jmi_g.dll;Trojan.MulDrop1.64009;;
jmi_g.dll;c:\program files\openoffice.org 3\basis\program;Container contains infected objects;;
lngmi.dll\data001;c:\program files\openoffice.org 3\basis\program\lngmi.dll;Trojan.MulDrop1.64009;;

Edited by CooOp, 17 March 2011 - 05:14 AM.


#40 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts)

Posted 17 March 2011 - 06:08 AM

I'm afraid I have very bad news.

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe and .HTML/.HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/.HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A, which is dropped by a Ramnit-infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


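Added example (editor's, not part of this thread or of any tool named in it): a small Python triage script for the Dr.Web CureIt report format posted in #39, illustrating why the reply above reaches for a rebuild rather than a clean-up. It reads lines of the form object;path;threat;action;, folds the per-container duplicate lines onto the host file that actually carries the infection, and reports how many host files of each type are hit, which copies sit in an autostart location, which infected copies are in the Windows File Protection cache (dllcache, the place Windows restores protected files from, so those copies cannot repair the system), and which hits were never moved. The field meanings are inferred from the posted lines, the looks_like_file_infector rule is a rule of thumb of my own rather than any vendor's signature, and the embedded sample report is constructed from a handful of the posted lines, not the full 3,000+ line file.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv) before deciding between
disinfection and a rebuild.  Added example for this thread: the line layout
(object;path;threat;action;) is taken from the report posted above, the
field meanings are inferred from those lines, and SAMPLE_REPORT is
constructed from a few of them rather than the full file."""
import ntpath  # Windows path handling that works on any host OS
import re
from collections import Counter

CONTAINER_MSG = "Container contains infected objects"
AUTOSTART_MARKER = r"\start menu\programs\startup"
WFP_CACHE = r"\windows\system32\dllcache"          # Windows File Protection cache
INFECTOR_EXTS = {".exe", ".dll", ".htm", ".html"}  # file types the post says Ramnit infects

# Constructed sample in the shape of the posted report (mixed-case paths are
# as Dr.Web wrote them; the data002 line is its pseudo-entry for a nested container).
SAMPLE_REPORT = r"""
indskdha.exe;C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup;Trojan.MulDrop1.64009;Incurable.Moved.;
iedw.exe\data001;C:\WINDOWS\system32\dllcache\iedw.exe;Trojan.MulDrop1.64009;;
iedw.exe;C:\WINDOWS\system32\dllcache;Container contains infected objects;Moved.;
moviemk.exe/data002\data001;C:\WINDOWS\system32\dllcache\moviemk.exe/data002;Trojan.MulDrop1.64009;;
data002;C:\WINDOWS\system32\dllcache;Container contains infected objects;;
moviemk.exe;C:\WINDOWS\system32\dllcache;Container contains infected objects;Moved.;
Help.htm\VBScript.0;C:\Documents and Settings\B Garforth\My Documents\My Music\XXHighEnd-09g\Help.htm;Trojan.Inor;;
Help.htm;C:\Documents and Settings\B Garforth\My Documents\My Music\XXHighEnd-09g;Container contains infected objects;Moved.;
indskdha.exe;c:\program files\ahlgaaxn;Trojan.MulDrop1.64009;Incurable.Moved.;
traybar.exe\data001;c:\program files\camera assistant software for toshiba\traybar.exe;Trojan.MulDrop1.64009;;
traybar.exe;c:\program files\camera assistant software for toshiba;Container contains infected objects;Moved.;
msvcr71.dll\data001;c:\program files\java\jre6\bin\msvcr71.dll;Trojan.MulDrop1.64009;;
msvcr71.dll;c:\program files\java\jre6\bin;Container contains infected objects;;
"""


def parse_report(text):
    """One dict per report line of the form 'object;path;threat;action;'."""
    records = []
    for line in text.splitlines():
        fields = line.strip().split(";")
        if len(fields) < 4:
            continue  # blank or malformed line
        records.append({"object": fields[0], "path": fields[1],
                        "threat": fields[2], "action": fields[3].strip()})
    return records


def host_path(rec):
    """Return the on-disk file that carries the detection.

    Inner hits ('iedw.exe\\data001') name the host file in the path field,
    possibly with a '/dataNNN' sub-container suffix; top-level lines give the
    directory in the path field and the file name in the object field.
    """
    if "\\" in rec["object"]:
        return rec["path"].split("/", 1)[0]
    return ntpath.join(rec["path"], rec["object"])


def summarize(text):
    """Fold the report onto unique host files and derive the triage figures."""
    hosts = {}
    for rec in parse_report(text):
        if re.fullmatch(r"data\d+", rec["object"]):
            continue  # pseudo-entry for a nested container, not a file
        key = host_path(rec).lower()
        entry = hosts.setdefault(key, {"threats": set(), "action": ""})
        if rec["threat"] != CONTAINER_MSG:
            entry["threats"].add(rec["threat"])
        if rec["action"]:
            entry["action"] = rec["action"]
    return {
        "hosts": len(hosts),
        "paths": sorted(hosts),
        "by_ext": Counter(ntpath.splitext(p)[1] for p in hosts),
        "by_threat": Counter(t for e in hosts.values() for t in e["threats"]),
        "autostart": sorted(p for p in hosts if AUTOSTART_MARKER in p),
        "wfp_cache": sorted(p for p in hosts if WFP_CACHE in p),
        "unhandled": sorted(p for p, e in hosts.items() if "Moved" not in e["action"]),
    }


def looks_like_file_infector(summary):
    """Rule of thumb (my assumption, not a vendor signature): hits spread over
    two or more infectable file types in both the Windows and Program Files
    trees point to a file infector rather than a single dropped executable."""
    exts = {e for e in summary["by_ext"] if e in INFECTOR_EXTS}
    in_windows = any("\\windows\\" in p for p in summary["paths"])
    in_programs = any("\\program files\\" in p for p in summary["paths"])
    return len(exts) >= 2 and in_windows and in_programs


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['hosts']} infected host files, by type: {dict(s['by_ext'])}")
    print("detections:", dict(s["by_threat"]))
    print("autostart copies:", s["autostart"])
    print("infected WFP cache copies (not a clean source for SFC):", s["wfp_cache"])
    print("not moved or cured:", s["unhandled"])
    print("file-infector pattern:", looks_like_file_infector(s))
```

Run it as-is to triage the embedded sample, or replace SAMPLE_REPORT with the text of a real DrWeb.csv. The spread across file types and across both the Windows and Program Files trees, rather than the raw hit count, is what separates a file infector from a single dropper; an infected copy in the Startup folder or in dllcache is what makes "moved" files reappear after a reboot, as the poster saw.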

#41 CooOp (Topic Starter, Members, 24 posts)

Posted 17 March 2011 - 06:30 AM

Hi Gringo,

When I saw 3000+ files infected I knew this would be the outcome. Many thanks for your help and support and sticking with me to this outcome, your help is very much appreciated.

Can you recommend an anti virus program that would have blocked this infection please?

Many Thanks.

#42 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts)

Posted 17 March 2011 - 07:27 AM

Hello

I like Kaspersky and ESET; I also use the free Avira on my systems.

But it really depends on how this got on the system.

This virus likes USB drives and comes in a lot through peer-to-peer downloads.

Sorry it came to this.

Oh, and if you back up anything, it cannot be any type of program, only pictures, videos and documents, and make sure you scan them before moving them to another computer.


Gringo

#43 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts)

Posted 20 March 2011 - 05:22 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



