
I'm infected, Help!


This topic is locked
31 replies to this topic

#1 TRD10

TRD10

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:55 PM

Posted 02 March 2011 - 12:06 PM

The problem I am having is when I turn on the computer it shows some sort of hard drive anti-virus program ("Hard Drive") that I know is not legit. I have tried booting in safe mode with networking, safe mode and normally. It shows a fake safe mode screen and prompts me to scan the hard drive. I have tool on the computer that I think I can use to fix it possibly (Malwarebytes, Hijackthis, Rkill) but how do I get out of this screen. It will not allow me to do anything, it says Administrator has disabled Task Manager. I'm hoping this is something easy. Any help would be greatly appreciated.



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,762 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:11:55 PM

Posted 02 March 2011 - 08:34 PM

Hello, is this XP??
Try first
Click Ctrl + Alt + Del to get the task manager up.
On the 'Processes' tab find "explorer.exe" and end that process.
Your desktop will go away.
Click on the 'Applications' tab and click New Task.
Enter explorer.exe as the task to start.
Your desktop will then come back.
Now try to launch IE again.


OR
Click on the link below:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Scroll down to #128 and click "Desktop and Screensaver Tabs" in the right column. Go to File, choose "Save page as" All Files and save desktoptab.reg to your desktop. Double-click on that file and choose "Yes" to merge it into the registry when prompted. Once you get a successful message delete the file and reboot.

This step involves making changes in the registry. Always back up your registry before making any changes. If you are not familiar with working in the registry, then you should NOT attempt to make any changes on your own.


Now we should have a desktop >>>>>
Reboot into Safe Mode with Networking
How to enter safe mode(XP/Vista)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


>>>> Download this file and double-click on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next run Superantisypware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.

Edited by boopme, 02 March 2011 - 08:35 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 TRD10

TRD10
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:55 PM

Posted 03 March 2011 - 11:53 AM

This is an XP computer that I am talking about and when I press Alt Ctrl Delete it says the administrator has disabled the Task Manager. Also, there is no desktop showing at all.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,762 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:11:55 PM

Posted 03 March 2011 - 12:03 PM

This step involves making changes in the registry. Always back up your registry before making any changes.

Go to Start Run and type: regedit
Click OK.
On the left side, click to highlight My Computer at the top.
Go up to File Export
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put RegBackup.
Choose to save it to C:\
Click save and then go to File Exit.

Or you can download and use ERUNT, which is an excellent free tool that allows you to take a snapshot (backup) of your registry before making changes and restore it when needed.

Click on the link below:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Scroll down to #275 and click "Lift Restrictions - TM, Regedit and CMD" in the left column. Go to File, choose "Save page as" All Files and save regtmcmdrestore.vbs to your desktop. Double-click on that file to allow the script to run and reboot when done. Since the script modifies certain registry settings your anti-virus package may warn you about it. Ignore the warning and allow it to run.

#5 TRD10

TRD10
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:55 PM

Posted 03 March 2011 - 12:20 PM

There is no Start anymore at all, even tried pressing the Windows key, nothing.

Edited by TRD10, 03 March 2011 - 12:21 PM.


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,762 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:11:55 PM

Posted 03 March 2011 - 04:19 PM

Can you run the backup of the registry?


If you used ERUNT
How to Restore from the ERUNT Backup

Only restore from the backups if instructed to, or you need to do so. You need it if after doing something, your computer will only boot in Safe Mode and you are unable to contact us (or anyone else) for help by other means, or if your computer will not boot into Windows at all.

To restore if you can boot, navigate to C:\WINDOWS\erdnt, choose the folder with the most recent date, and double click ERDNT.EXE. Check all boxes in the restoration options.

To restore from the Recovery Console using the Windows CD:
  • Turn on your machine with the disk in the drive.
  • Type in the number of the Windows installation you want to repair (usually 1), then press Enter.
  • Type in the Administrator password (leave blank if you are unsure what it is or if you do not have one) and press Enter.
  • Type without quotes "cd erdnt" followed by Enter.
  • Type without quotes "dir" followed by Enter. This will list out the available folders, whose names are the date on which the backup was taken in (M)M-DD-YYYY format. Try the most recent dates first.
  • Type without quotes "cd **name of the folder**" followed by Enter.
  • Type without quotes "batch erdnt.con" followed by Enter.
  • Type without quotes "exit" followed by Enter.
  • Remove your CD from the drive and reboot your computer into the restored registry. If you still cannot boot, try again with an earlier restore date.


#7 TRD10

TRD10
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:55 PM

Posted 04 March 2011 - 12:16 PM

Ok, I have a burned copy of an XP disc and successfully booted to the recovery console, but after typing "cd erdnt" it says can not find file or specified directory

#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:55 PM

Posted 04 March 2011 - 06:59 PM

Hello and welcome to Bleeping Computer

My name is etavares and I will be working with you to fix your computer.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting. If you will be unable to respond (e.g. vacation, travel, etc.), please let me know ahead of time.
  • Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.


The first question...do you have access to a clean computer and do you have access to either a CD burner or a USB flash drive we can use to boot into an alternate non-Windows environment so the malware won't load?


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#9 TRD10

TRD10
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:55 PM

Posted 04 March 2011 - 07:43 PM

My problem has not been resolved.
I do not have the original disk, but I do have a copy.
I do have access to a clean computer/cd burner/usb drive

#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:55 PM

Posted 05 March 2011 - 07:08 AM

OK, let's get started. First, this fix assumes you can get into Safe Mode with Command Prompt. You should see that option when you press F8 at the Windows splash screen like you are trying to get into normal Safe Mode. If that doesn't work, I have more tricks up my sleeve. This is just a scan so we can try to cut a few things out to keep the malware from loading and blocking our fixes.

  • From your clean computer:
    • Download OTL from the link below:
      This is THE Mirror
    • Save it to your USB flash drive.
    • Remove the flash drive from the "clean" computer and insert it into the "infected" computer.
  • With your infected computer
    • Boot into "Safe Mode w/ Command Prompt".
    • At the prompt, type CD\. The prompt should change to C:\>.
    • At the prompt, type Copy X:\OTL.exe C:\ and press Enter. You will have to replace X with the letter of your USB drive. Start with D:\OTL.exe then E:\OTL.exe and so on. It's likely E:\ if you have a CD drive. You'll know it worked when you are told that 1 file(s) copied after you press Enter.
    • Once it's copied, type OTL at the prompt and press Enter.
    • Click the Scan all users checkbox.
    • Push the Run Scan button.
    • Two reports will be created. You can close them and OTL.
    • At the command prompt, type each line and press Enter. Replace X with the letter of your USB drive you determined earlier.
      copy OTL.txt X:
      copy extra.txt X:
    • You can shut down that computer.

Please copy/paste the contents of those two text files we copied to the flash drive from your clean computer in your reply.

Edited by etavares, 05 March 2011 - 07:09 AM.




#11 TRD10

TRD10
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:55 PM

Posted 07 March 2011 - 02:21 AM

Sorry for the delayed reply. I ran the program and it scanned and worked, and both txt files popped up, but only the OTL.txt file I was able to copy for some reason. Here is the OTL.txt:

OTL logfile created on: 3/5/2011 4:50:36 PM - Run 1
OTL by OldTimer - Version 3.2.22.2 Folder = C:\
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 89.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 99.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 224.33 Gb Total Space | 101.01 Gb Free Space | 45.03% Space Free | Partition Type: NTFS
Drive D: | 8.53 Gb Total Space | 0.41 Gb Free Space | 4.83% Space Free | Partition Type: FAT32
Drive J: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive K: | 1.86 Gb Total Space | 1.86 Gb Free Space | 99.93% Space Free | Partition Type: FAT

Computer Name: YOUR-4DACD0EA75 | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/05 12:48:16 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\OTL.exe
PRC - [2004/08/09 20:00:00 | 000,388,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cmd.exe


========== Modules (SafeList) ==========

MOD - [2011/03/05 12:48:16 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\OTL.exe
MOD - [2004/08/10 03:00:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2010/03/04 15:08:20 | 002,106,760 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate)
SRV - [2010/03/04 15:08:20 | 000,099,720 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)
SRV - [2008/02/11 17:22:14 | 000,191,848 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2008/02/11 17:22:14 | 000,169,320 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2008/01/29 17:38:31 | 000,583,048 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe -- (LiveUpdate Notice Service)
SRV - [2007/09/13 17:49:48 | 000,202,088 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- c:\Program Files\Common Files\Symantec Shared\ccProxy.exe -- (ccProxy)
SRV - [2006/02/13 17:51:50 | 001,119,888 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)
SRV - [2005/11/08 13:51:54 | 000,180,224 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe -- (ELService)
SRV - [2005/10/22 16:28:54 | 000,045,696 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- c:\Program Files\Norton Internet Security\comHost.exe -- (comHost)
SRV - [2005/10/13 06:48:40 | 000,072,280 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- c:\Program Files\Norton Internet Security\ccPwdSvc.exe -- (ccISPwdSvc)
SRV - [2005/10/12 19:30:24 | 000,086,140 | ---- | M] (Intel Corporation) [Auto | Stopped] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe -- (IAANTMon) Intel®
SRV - [2005/10/06 22:25:36 | 000,133,744 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe -- (navapsvc)
SRV - [2005/09/24 14:10:56 | 000,749,696 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE -- (NSCService)
SRV - [2005/09/19 09:24:20 | 000,214,672 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2005/09/15 14:21:14 | 001,160,800 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2005/08/26 12:22:48 | 000,198,368 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe -- (SAVScan)


========== Driver Services (SafeList) ==========

DRV - [2011/03/01 20:59:28 | 000,124,464 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2006/02/13 17:51:50 | 000,010,344 | ---- | M] (Symantec Corporation) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
DRV - [2006/01/13 16:13:18 | 004,137,984 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/12/12 15:27:00 | 000,019,072 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)
DRV - [2005/11/08 13:51:40 | 000,007,808 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ELacpi.sys -- (ELacpi)
DRV - [2005/11/08 13:51:38 | 000,007,040 | ---- | M] (Intel Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ELmon.sys -- (ELmon)
DRV - [2005/11/08 13:51:22 | 000,006,912 | ---- | M] (Intel Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ELkbd.sys -- (ELkbd)
DRV - [2005/11/08 13:51:20 | 000,006,400 | ---- | M] (Intel Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ELmou.sys -- (ELmou)
DRV - [2005/11/08 13:51:18 | 000,010,112 | ---- | M] (Intel Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ELhid.sys -- (ELhid)
DRV - [2005/10/20 15:01:56 | 001,095,009 | ---- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/09/19 09:23:52 | 000,196,240 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2005/09/19 09:23:48 | 000,024,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2005/09/19 09:23:40 | 000,031,888 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMIDS.SYS -- (SYMIDS)
DRV - [2005/09/19 09:23:36 | 000,027,792 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMNDIS.SYS -- (SYMNDIS)
DRV - [2005/09/19 09:23:32 | 000,109,200 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMFW.SYS -- (SYMFW)
DRV - [2005/09/19 09:23:26 | 000,012,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMDNS.SYS -- (SYMDNS)
DRV - [2005/09/15 14:21:14 | 000,389,728 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2005/09/11 23:00:00 | 000,665,816 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20050912.024\NAVEX15.SYS -- (NAVEX15)
DRV - [2005/09/11 23:00:00 | 000,077,816 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20050912.024\NAVENG.SYS -- (NAVENG)
DRV - [2005/09/01 17:07:36 | 000,199,408 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SymcData\idsdefs\20050901.036\SymIDSCo.sys -- (SYMIDSCO)
DRV - [2005/08/26 12:22:50 | 000,053,896 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- c:\Program Files\Norton Internet Security\Norton AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2005/08/26 12:22:48 | 000,334,984 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- c:\Program Files\Norton Internet Security\Norton AntiVirus\savrt.sys -- (SAVRT)
DRV - [2005/06/29 16:03:18 | 000,175,104 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ftsata2.sys -- (ftsata2)
DRV - [2004/08/03 13:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/11/05 06:45:12 | 000,017,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\bb-run.sys -- (bb-run)
DRV - [2003/07/16 13:27:40 | 000,043,264 | ---- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ser2pl.sys -- (Ser2pl)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-1983092693-468887934-220614965-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


[2010/11/18 13:27:24 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2008/11/10 21:01:52 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2008/11/10 21:01:39 | 000,000,000 | ---D | M] (Real Networks Settings) -- C:\Program Files\Mozilla Firefox\extensions\real-networks@partners.mozilla.com
[2009/01/24 15:14:52 | 000,000,000 | ---D | M] (Talkback) -- C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org
[2009/02/01 02:49:46 | 000,067,688 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jar50.dll
[2009/02/01 02:49:47 | 000,054,368 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jsd3250.dll
[2009/02/01 02:49:47 | 000,034,944 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\myspell.dll
[2009/02/01 02:49:47 | 000,046,712 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\spellchk.dll
[2009/02/01 02:49:47 | 000,172,136 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\xpinstal.dll

O1 HOSTS File: ([2004/08/10 03:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (CNavExtBho Class) - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (Symantec Corporation)
O2 - BHO: (hpWebHelper Class) - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll (TODO: <Company name>)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Norton AntiVirus) - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (Symantec Corporation)
O4 - HKLM..\Run: [ccApp] c:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe (Digital Interactive Systems Corporation)
O4 - HKLM..\Run: [DiscUpdateManager] C:\Program Files\DISC\DISCUpdateMgr.exe (Digital Interactive Systems Corporation, Inc.)
O4 - HKLM..\Run: [DMAScheduler] c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe (Sonic Solutions)
O4 - HKLM..\Run: [HPBootOp] C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe (Hewlett-Packard)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [Reminder] C:\Windows\Creator\Remind_XP.exe (SoftThinks)
O4 - HKLM..\Run: [Symantec PIF AlertEng] C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (Symantec Corporation)
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\Pin.lnk = C:\hp\bin\cloaker.exe (Hewlett-Packard Co.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1983092693-468887934-220614965-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1983092693-468887934-220614965-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O9 - Extra Button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O9 - Extra 'Tools' menuitem : Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: trymedia.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: trymedia.com ([]https in Trusted sites)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\welcome.htm
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\welcome.htm
O31 - SafeBoot: UseAlternatShell - 1
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/02/13 17:34:35 | 000,000,100 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 15:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2004/04/30 07:01:14 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2007/10/22 23:22:58 | 000,000,285 | R--- | M] () - J:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
O33 - MountPoints2\J\Shell - "" = AutoRun
O33 - MountPoints2\J\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\J\Shell\AutoRun\command - "" = J:\LaunchU3.exe -- [2007/10/22 23:45:39 | 001,336,632 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: AppSecDll - (C:\Documents and Settings\All Users\Application Data\KKttWaNfnwBvi.dll) - C:\Documents and Settings\All Users\Application Data\KKttWaNfnwBvi.dll (ACTS)
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/05 16:49:57 | 000,581,120 | ---- | C] (OldTimer Tools) -- C:\OTL.exe
[2011/03/02 08:05:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\U3
[2011/03/02 08:03:12 | 001,374,808 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\123.com.exe
[2011/03/01 21:26:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Hard Drive
[2011/03/01 21:23:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2011/03/01 21:21:57 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/03/01 21:21:56 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/03/01 21:21:56 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/03/01 21:21:56 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/03/01 21:20:10 | 000,068,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\plugin.ocx
[2011/03/01 21:20:10 | 000,068,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\plugin.ocx
[2011/03/01 21:19:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2011/03/01 21:16:11 | 000,733,184 | ---- | C] (ACTS) -- C:\Documents and Settings\All Users\Application Data\KKttWaNfnwBvi.dll
[2011/03/01 21:10:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\PreInstall
[2011/03/01 20:59:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\LiveUpdate Notice
[2011/03/01 20:56:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\SoftwareDistribution
[2011/03/01 08:24:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2011/03/01 08:24:06 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/03/01 08:24:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/03/01 08:24:03 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/03/01 08:24:03 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/03/01 08:21:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
[2011/03/01 08:21:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Adobe
[2011/03/01 08:17:30 | 000,012,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mouhid.sys
[54 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/05 16:43:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/05 12:54:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/05 12:53:54 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/05 12:48:16 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\OTL.exe
[2011/03/02 08:33:38 | 000,000,376 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\24140
[2011/03/02 08:17:00 | 000,003,584 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/02 08:03:18 | 001,374,808 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\123.com.exe
[2011/03/02 08:02:54 | 000,721,337 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\iExplore.exe
[2011/03/02 07:55:24 | 000,671,744 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\24140.exe
[2011/03/02 07:26:00 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\32859
[2011/03/02 07:24:05 | 000,671,744 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\32859.exe
[2011/03/01 21:37:09 | 000,000,392 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\23250
[2011/03/01 21:36:14 | 000,000,240 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~23250
[2011/03/01 21:33:17 | 000,000,279 | RHS- | M] () -- C:\boot.ini
[2011/03/01 21:26:30 | 000,000,160 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~23250r
[2011/03/01 21:26:27 | 000,000,793 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Hard Drive.lnk
[2011/03/01 21:23:11 | 000,000,246 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.dat
[2011/03/01 21:16:11 | 000,733,184 | ---- | M] (ACTS) -- C:\Documents and Settings\All Users\Application Data\KKttWaNfnwBvi.dll
[2011/03/01 21:10:20 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/01 21:05:46 | 000,039,472 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/03/01 21:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2011/03/01 21:00:00 | 000,000,294 | -H-- | M] () -- C:\WINDOWS\tasks\BE8FA766904C4356.job
[2011/03/01 20:59:28 | 000,124,464 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2011/03/01 20:59:28 | 000,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2011/03/01 20:59:28 | 000,010,635 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2011/03/01 20:59:28 | 000,000,806 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2011/03/01 08:24:06 | 000,000,795 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[54 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/02 08:13:48 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/02 08:02:51 | 000,721,337 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\iExplore.exe
[2011/03/02 07:55:26 | 000,000,376 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\24140
[2011/03/02 07:55:24 | 000,671,744 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\24140.exe
[2011/03/02 07:26:00 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\32859
[2011/03/02 07:24:05 | 000,671,744 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\32859.exe
[2011/03/01 21:26:30 | 000,000,160 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~23250r
[2011/03/01 21:26:29 | 000,000,240 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~23250
[2011/03/01 21:26:27 | 000,000,793 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Hard Drive.lnk
[2011/03/01 21:26:23 | 000,000,392 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\23250
[2011/03/01 20:59:28 | 000,010,635 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2011/03/01 20:59:28 | 000,000,806 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2011/03/01 08:24:06 | 000,000,795 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/16 13:07:29 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/07/13 16:04:33 | 000,019,586 | ---- | C] () -- C:\Program Files\Common Files\vanu.dll
[2009/07/13 16:04:33 | 000,018,610 | ---- | C] () -- C:\Program Files\Common Files\jonyhy._sy
[2009/07/13 16:04:33 | 000,015,470 | ---- | C] () -- C:\Program Files\Common Files\xylyfire.com
[2009/07/13 16:04:33 | 000,012,771 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\gisubuni.sys
[2009/07/13 16:04:33 | 000,011,608 | ---- | C] () -- C:\WINDOWS\sade.sys
[2009/07/13 16:04:31 | 000,017,098 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sinuhoroni.bin
[2009/07/13 16:04:31 | 000,016,534 | ---- | C] () -- C:\WINDOWS\vegoh.dll
[2009/07/13 16:04:31 | 000,014,121 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\zyvosowa.inf
[2009/07/13 16:04:31 | 000,012,511 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\nohytahehe._dl
[2009/07/13 15:54:31 | 000,017,061 | ---- | C] () -- C:\Program Files\Common Files\dijonolasu.exe
[2009/07/13 15:54:31 | 000,012,245 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\eviluxacus.pif
[2009/07/13 15:54:31 | 000,011,068 | ---- | C] () -- C:\WINDOWS\ovasak.exe
[2009/07/13 15:54:31 | 000,010,399 | ---- | C] () -- C:\WINDOWS\nasykilew.exe
[2009/07/12 17:44:31 | 000,000,001 | ---- | C] () -- C:\WINDOWS\ckms134.dat
[2008/11/10 21:04:41 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/11/06 13:51:01 | 000,000,086 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/03/09 12:31:30 | 000,006,656 | ---- | C] () -- C:\WINDOWS\ictions.dll
[2007/11/20 16:04:39 | 000,000,035 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2006/12/12 17:29:42 | 000,198,032 | ---- | C] () -- C:\WINDOWS\picsvdll.dll
[2006/12/12 17:29:42 | 000,000,761 | ---- | C] () -- C:\WINDOWS\picsaver.ini
[2006/10/06 10:31:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2006/08/04 11:39:08 | 000,001,751 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/06/11 19:25:41 | 000,111,990 | ---- | C] () -- C:\WINDOWS\hpoins07.dat.temp
[2006/06/11 19:25:41 | 000,021,124 | ---- | C] () -- C:\WINDOWS\hpomdl07.dat.temp
[2006/06/10 20:55:18 | 000,684,032 | ---- | C] () -- C:\WINDOWS\libeay32.dll
[2006/06/10 20:55:18 | 000,155,648 | ---- | C] () -- C:\WINDOWS\ssleay32.dll
[2006/02/13 18:03:32 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/02/13 17:40:20 | 000,028,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys
[2006/02/13 17:38:04 | 000,118,842 | R--- | C] () -- C:\WINDOWS\HPCPCUninstaller-6.3.2.116-9972322.exe
[2006/02/13 17:37:20 | 000,014,317 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2006/02/13 17:37:13 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2006/02/13 17:35:00 | 000,000,054 | ---- | C] () -- C:\WINDOWS\Quicken.ini
[2006/02/13 17:32:41 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/02/13 17:24:02 | 000,000,108 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/02/13 17:22:52 | 000,045,929 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.EXE
[2006/02/13 17:22:52 | 000,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
[2006/02/13 17:18:06 | 000,080,417 | ---- | C] () -- C:\WINDOWS\HPHins08.dat
[2006/02/13 17:18:06 | 000,004,011 | ---- | C] () -- C:\WINDOWS\hphmdl08.dat
[2006/02/13 17:17:22 | 000,072,881 | ---- | C] () -- C:\WINDOWS\hpiins01.dat
[2006/02/13 17:17:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpimdl01.dat
[2006/02/13 17:15:00 | 000,087,276 | ---- | C] () -- C:\WINDOWS\hpqins69.dat
[2006/02/13 17:13:44 | 000,112,873 | ---- | C] () -- C:\WINDOWS\hpoins07.dat
[2006/02/13 17:13:44 | 000,021,124 | ---- | C] () -- C:\WINDOWS\hpomdl07.dat
[2006/02/13 17:11:26 | 000,088,403 | ---- | C] () -- C:\WINDOWS\hpoins06.dat
[2006/02/13 17:11:26 | 000,005,389 | ---- | C] () -- C:\WINDOWS\hpomdl06.dat
[2006/02/13 17:10:38 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/02/13 17:07:38 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/02/13 17:07:38 | 001,519,616 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2006/02/13 17:07:38 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/02/13 17:07:38 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/02/13 17:07:38 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/02/13 17:07:38 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/02/13 17:07:38 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2006/02/13 17:07:38 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/02/13 17:06:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2006/02/13 16:49:03 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2006/02/13 16:46:38 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\pythoncom22.dll
[2006/02/13 16:46:38 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\pywintypes22.dll
[2006/02/13 16:46:20 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2005/12/09 13:03:52 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/30 20:17:40 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/08/30 20:07:46 | 000,381,692 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005/08/30 20:07:46 | 000,053,436 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2005/08/30 20:05:30 | 000,200,144 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/08/30 20:01:42 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/08/30 19:58:02 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/08/05 21:01:54 | 000,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/08/10 03:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/09 20:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/09 20:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/09 20:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/09 20:00:00 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2004/08/09 20:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/09 20:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/09 20:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2004/08/09 20:00:00 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2004/08/09 20:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/07/26 06:51:38 | 000,000,560 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/06/27 00:47:36 | 000,214,528 | ---- | C] () -- C:\WINDOWS\acroinst.exe
[2003/01/07 22:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/23 07:12:28 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 07:11:02 | 000,004,490 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/07/06 22:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

< End of report >

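The log above contains the entries that explain the symptoms from the first post: the O7 policy line `DisableTaskMgr = 1` (the "Administrator has disabled Task Manager" message), the O36 AppCertDlls entry pointing at a DLL under All Users\Application Data (AppCertDlls DLLs are mapped into every process created through the Win32 API, which is how the rogue survives a killed explorer.exe), the O33 MountPoints2 autorun handlers, and the numerically named executables dropped into Application Data. The following Python script is an added example, not part of this thread or of OTL: it encodes those checks as rules and runs them over a handful of lines copied from the log above. The rule names and severities are the editor's own, not anything OTL reports.

```python
"""Triage an OTL log for lockdown and persistence indicators.

Added example for this thread; not part of OTL or the original posts.
Rule names and severities are the editor's own.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List

# Constructed sample: a handful of lines copied from the OTL log posted above.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [ccApp] c:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O7 - HKU\S-1-5-21-1983092693-468887934-220614965-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O33 - MountPoints2\D\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
O36 - AppCertDlls: AppSecDll - (C:\Documents and Settings\All Users\Application Data\KKttWaNfnwBvi.dll) - C:\Documents and Settings\All Users\Application Data\KKttWaNfnwBvi.dll (ACTS)
[2011/03/02 07:55:24 | 000,671,744 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\24140.exe
[2011/03/01 08:24:06 | 000,000,795 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/05 16:49:57 | 000,581,120 | ---- | C] (OldTimer Tools) -- C:\OTL.exe
"""

OLINE_RE = re.compile(r"^(O\d+) - (.*)$")
FILE_RE = re.compile(
    r"^\[[\d/]+ [\d:]+ \| [\d,]+ \| \S{4} \| [CM]\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+?)(?: -- \[.*\])?$"
)
USER_WRITABLE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\programdata\\")
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".pif", ".com", ".scr"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    rule: str
    detail: str
    line: str


def in_user_writable_dir(path: str) -> bool:
    low = path.lower()
    return any(d in low for d in USER_WRITABLE_DIRS)


def strip_company(text: str) -> str:
    """Drop OTL's trailing '(Company Name)' annotation from a path."""
    return re.sub(r" \([^()]*\)$", "", text)


def triage_line(line: str) -> List[Finding]:
    found: List[Finding] = []
    m = OLINE_RE.match(line)
    if m:
        sec, rest = m.groups()
        if sec == "O7" and rest.endswith("DisableTaskMgr = 1"):
            found.append(Finding("high", "taskmgr-disabled",
                                 "policy blocks Task Manager (the symptom reported in the first post)", line))
        elif sec == "O36":
            # AppCertDlls DLLs are mapped into every process created through the Win32 API.
            path = strip_company(rest.split(" - ")[-1])
            sev = "high" if in_user_writable_dir(path) else "medium"
            found.append(Finding(sev, "appcertdll", f"AppCertDlls entry: {path}", line))
        elif sec == "O33" and "\\command -" in rest:
            cmd = rest.split(" = ", 1)[-1]
            found.append(Finding("medium", "removable-autorun-handler", f"MountPoints2 handler: {cmd}", line))
        elif sec == "O4" and "] " in rest:
            path = strip_company(rest.split("] ", 1)[1])
            if in_user_writable_dir(path):
                found.append(Finding("medium", "run-key-from-user-dir", path, line))
        return found
    m = FILE_RE.match(line)
    if m:
        path = m.group("path")
        p = PureWindowsPath(path)
        if p.suffix.lower() in EXEC_SUFFIXES and in_user_writable_dir(path):
            # Names like 24140.exe / ~23250r are the rogue's own naming pattern in this log.
            numeric = re.fullmatch(r"~?\d+r?", p.stem) is not None
            if numeric or not m.group("company"):
                label = "numeric-named" if numeric else "no-company"
                found.append(Finding("high" if numeric else "medium", "suspicious-binary",
                                     f"{label} executable in user-writable dir: {path}", line))
    return found


def triage_log(text: str) -> List[Finding]:
    """Run every rule over every line and return findings, highest severity first."""
    found = [f for raw in text.splitlines() for f in triage_line(raw.strip())]
    rank = {"high": 0, "medium": 1}
    return sorted(found, key=lambda f: (rank[f.severity], f.rule))


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule:26} {f.detail}")
```

Run against the sample it flags the AppCertDlls DLL, the numeric-named 24140.exe, the Task Manager policy and the D: autorun handler, and leaves the Symantec Run entry, the Malwarebytes shortcut and OTL.exe alone. The same rules apply to any OTL log; what changes from case to case is which user-writable directories and naming patterns you add to the lists at the top.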
#12 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 07 March 2011 - 06:30 PM

Hello, TRD10.

That's OK, we can worry about the extras later, this is perfect. We can also run MBAM this way if this doesn't render normal Windows bootable.

Let's fix what we can see.

On your clean computer:
  • Copy and paste the text in the codebox into Notepad. Make sure you get the ":" before OTL, that's often missed. Save the file as OTLfix.txt to your flash drive with OTL.exe on it.
    :OTL
    O15 - HKLM\..Trusted Domains: trymedia.com ([]http in Trusted sites)
    O15 - HKLM\..Trusted Domains: trymedia.com ([]https in Trusted sites)
    O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O33 - MountPoints2\D\Shell - "" = AutoRun
    O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\D\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
    O33 - MountPoints2\J\Shell - "" = AutoRun
    O33 - MountPoints2\J\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\J\Shell\AutoRun\command - "" = J:\LaunchU3.exe -- [2007/10/22 23:45:39 | 001,336,632 | R--- | M] ()
    O36 - AppCertDlls: AppSecDll - (C:\Documents and Settings\All Users\Application Data\KKttWaNfnwBvi.dll) - C:\Documents and Settings\All Users\Application Data\KKttWaNfnwBvi.dll (ACTS)
    :files
    C:\Documents and Settings\All Users\Application Data\KKttWaNfnwBvi.dll
    C:\Documents and Settings\Administrator\Start Menu\Programs\Hard Drive
    C:\Documents and Settings\All Users\Application Data\24140
    C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    C:\Documents and Settings\All Users\Application Data\24140.exe
    C:\Documents and Settings\All Users\Application Data\32859
    C:\Documents and Settings\All Users\Application Data\32859.exe
    C:\Documents and Settings\All Users\Application Data\23250
    C:\Documents and Settings\All Users\Application Data\~23250
    C:\Documents and Settings\All Users\Application Data\~23250r
    C:\Documents and Settings\Administrator\Desktop\Hard Drive.lnk
    C:\WINDOWS\tasks\At*.job
    C:\WINDOWS\tasks\BE8FA766904C4356.job
    C:\Program Files\Common Files\vanu.dll
    C:\Program Files\Common Files\jonyhy._sy
    C:\Program Files\Common Files\xylyfire.com
    C:\Documents and Settings\All Users\Application Data\gisubuni.sys
    C:\WINDOWS\sade.sys
    C:\Documents and Settings\All Users\Application Data\sinuhoroni.bin
    C:\WINDOWS\vegoh.dll
    C:\Documents and Settings\All Users\Application Data\zyvosowa.inf
    C:\Documents and Settings\All Users\Application Data\nohytahehe._dl
    C:\Program Files\Common Files\dijonolasu.exe
    C:\Documents and Settings\All Users\Application Data\eviluxacus.pif
    C:\WINDOWS\ovasak.exe
    C:\WINDOWS\nasykilew.exe
    

Insert the flash drive in the infected computer and boot your infected computer into Safe Mode with command prompt as before.
  • Type CD\ and press enter to make the prompt read C:\>
  • Type copy X:\OTLFix.txt C: (replace X with the letter of your flash drive) and press Enter. You should see 1 file(s) copied.
  • Type OTL and press Enter
  • Minimize the OTL window by clicking the "-" sign at the top right of that window.
  • Type OTLfix at the command prompt and press Enter. Notepad should open that file automatically.
  • In notepad, select Edit -> Select All then Edit -> Copy.
  • Close notepad by pressing the X in the top corner.
  • Bring OTL back up by clicking the square between - and X on the icon.
  • This part may require you to resize OTL...first, right-click in the Custom Scans/Fixes area and press Paste. If the pointer doesn't change to a cursor when you mouse over it you can't paste. if that happens...
    • Move your mouse pointer to the top edge of OTL until it changes to a double arrow.
    • Click and hold to pull the window down a few inches.
    • Click and drag the OTL by OldTimer title bar to move the window up to the top of your screen.
    • Pull the bottom edge down (when the cursor is a double arrow) to stretch it out. It should give you enough space to paste in the custom fix area.
  • Push Run Fix.
  • OTL may ask to reboot the machine...let it if it asks.
  • If you're able to, save the logfile that pops up to your flash drive and post here.
  • Reboot normally and let me know if you can do things in Windows or if it's still pretty locked down.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#13 TRD10 (Topic Starter, Members, 27 posts)

Posted 08 March 2011 - 12:39 AM

Doesn't seem to be locked down at all! Here is the log that popped up after reboot:

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trymedia.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trymedia.com\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\ not found.
File C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480 not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J\ not found.
File move failed. J:\LaunchU3.exe scheduled to be moved on reboot.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\\AppSecDll:C:\Documents and Settings\All Users\Application Data\KKttWaNfnwBvi.dll deleted successfully.
C:\Documents and Settings\All Users\Application Data\KKttWaNfnwBvi.dll moved successfully.
========== FILES ==========
File\Folder C:\Documents and Settings\All Users\Application Data\KKttWaNfnwBvi.dll not found.
C:\Documents and Settings\Administrator\Start Menu\Programs\Hard Drive folder moved successfully.
C:\Documents and Settings\All Users\Application Data\24140 moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini moved successfully.
C:\Documents and Settings\All Users\Application Data\24140.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\32859 moved successfully.
C:\Documents and Settings\All Users\Application Data\32859.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\23250 moved successfully.
C:\Documents and Settings\All Users\Application Data\~23250 moved successfully.
C:\Documents and Settings\All Users\Application Data\~23250r moved successfully.
C:\Documents and Settings\Administrator\Desktop\Hard Drive.lnk moved successfully.
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At10.job moved successfully.
C:\WINDOWS\tasks\At11.job moved successfully.
C:\WINDOWS\tasks\At12.job moved successfully.
C:\WINDOWS\tasks\At13.job moved successfully.
C:\WINDOWS\tasks\At14.job moved successfully.
C:\WINDOWS\tasks\At15.job moved successfully.
C:\WINDOWS\tasks\At16.job moved successfully.
C:\WINDOWS\tasks\At17.job moved successfully.
C:\WINDOWS\tasks\At18.job moved successfully.
C:\WINDOWS\tasks\At19.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At20.job moved successfully.
C:\WINDOWS\tasks\At21.job moved successfully.
C:\WINDOWS\tasks\At22.job moved successfully.
C:\WINDOWS\tasks\At23.job moved successfully.
C:\WINDOWS\tasks\At24.job moved successfully.
C:\WINDOWS\tasks\At25.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\WINDOWS\tasks\At5.job moved successfully.
C:\WINDOWS\tasks\At6.job moved successfully.
C:\WINDOWS\tasks\At7.job moved successfully.
C:\WINDOWS\tasks\At8.job moved successfully.
C:\WINDOWS\tasks\At9.job moved successfully.
C:\WINDOWS\tasks\BE8FA766904C4356.job moved successfully.
C:\Program Files\Common Files\vanu.dll moved successfully.
C:\Program Files\Common Files\jonyhy._sy moved successfully.
C:\Program Files\Common Files\xylyfire.com moved successfully.
C:\Documents and Settings\All Users\Application Data\gisubuni.sys moved successfully.
C:\WINDOWS\sade.sys moved successfully.
C:\Documents and Settings\All Users\Application Data\sinuhoroni.bin moved successfully.
C:\WINDOWS\vegoh.dll moved successfully.
C:\Documents and Settings\All Users\Application Data\zyvosowa.inf moved successfully.
C:\Documents and Settings\All Users\Application Data\nohytahehe._dl moved successfully.
C:\Program Files\Common Files\dijonolasu.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\eviluxacus.pif moved successfully.
C:\WINDOWS\ovasak.exe moved successfully.
C:\WINDOWS\nasykilew.exe moved successfully.

OTL by OldTimer - Version 3.2.22.2 log created on 03072011_212623

Files\Folders moved on Reboot...
File\Folder J:\LaunchU3.exe not found!

Registry entries deleted on Reboot...

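The log in the post above is the record of what OTL actually did with the fix, and the thing to check before moving on is whether every requested item was moved, which ones were already gone, and which were deferred to the reboot pass (the J:\LaunchU3.exe line, which was first "scheduled to be moved on reboot" and then reported not found). The following Python script is an added example, not part of this thread or of OTL: it parses the :files section of a fix script and reconciles it against a Run Fix result log. The fix and log embedded in it are a constructed subset of the ones posted above, with the result line for nasykilew.exe deliberately left out so that the "unreported" case shows up; the status names are the editor's own.

```python
"""Reconcile an OTL fix script against the log OTL writes after Run Fix.

Added example for this thread; not part of OTL or the original posts.
Only the :files section is reconciled. The sample fix and log below are a
constructed subset of the ones posted in the thread, with one result line
left out on purpose to show the 'unreported' case.
"""
import re
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

FIX_TEXT = r"""
:OTL
O36 - AppCertDlls: AppSecDll - (C:\Documents and Settings\All Users\Application Data\KKttWaNfnwBvi.dll) - C:\Documents and Settings\All Users\Application Data\KKttWaNfnwBvi.dll (ACTS)
:files
C:\Documents and Settings\All Users\Application Data\KKttWaNfnwBvi.dll
C:\Documents and Settings\Administrator\Start Menu\Programs\Hard Drive
C:\Documents and Settings\All Users\Application Data\24140.exe
C:\WINDOWS\tasks\At*.job
C:\WINDOWS\nasykilew.exe
"""

RESULT_LOG = r"""
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\\AppSecDll:C:\Documents and Settings\All Users\Application Data\KKttWaNfnwBvi.dll deleted successfully.
C:\Documents and Settings\All Users\Application Data\KKttWaNfnwBvi.dll moved successfully.
File move failed. J:\LaunchU3.exe scheduled to be moved on reboot.
========== FILES ==========
File\Folder C:\Documents and Settings\All Users\Application Data\KKttWaNfnwBvi.dll not found.
C:\Documents and Settings\Administrator\Start Menu\Programs\Hard Drive folder moved successfully.
C:\Documents and Settings\All Users\Application Data\24140.exe moved successfully.
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.

Files\Folders moved on Reboot...
File\Folder J:\LaunchU3.exe not found!
"""

# The three outcome lines OTL writes for a file or folder, in the wording seen in the log above.
RESULT_PATTERNS = (
    ("moved", re.compile(r"^(?P<p>[A-Za-z]:\\.+?)(?: folder)? moved successfully\.$")),
    ("not-found", re.compile(r"^File\\Folder (?P<p>[A-Za-z]:\\.+?) not found[.!]$")),
    ("deferred", re.compile(r"^File move failed\. (?P<p>[A-Za-z]:\\.+?) scheduled to be moved on reboot\.$")),
)


def parse_fix(fix_text: str) -> Dict[str, List[str]]:
    """Split an OTL fix script into its ':otl' / ':files' / ... sections."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in fix_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line.lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_result(log_text: str) -> Dict[str, List[str]]:
    """Map each path in the result log (lower-cased) to the sequence of outcomes OTL reported."""
    events: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        for status, pat in RESULT_PATTERNS:
            m = pat.match(line)
            if m:
                events.setdefault(m.group("p").lower(), []).append(status)
                break
    return events


def final_status(outcomes: List[str]) -> str:
    # A successful move wins even if a later pass reports the path as gone
    # (the :OTL section may move a file before the :files section looks for it);
    # otherwise the last thing OTL said about the path stands.
    return "moved" if "moved" in outcomes else outcomes[-1]


def reconcile(fix_text: str, log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (requested item, status, matched log paths) for every :files entry."""
    events = parse_result(log_text)
    report = []
    for item in parse_fix(fix_text).get(":files", []):
        pattern = item.lower()
        if any(c in item for c in "*?"):
            keys = [k for k in events if fnmatchcase(k, pattern)]
        else:
            keys = [pattern] if pattern in events else []
        if not keys:
            report.append((item, "unreported", []))
            continue
        statuses = {final_status(events[k]) for k in keys}
        report.append((item, statuses.pop() if len(statuses) == 1 else "mixed", keys))
    return report


def leftovers(fix_text: str, log_text: str) -> List[str]:
    """Requested items that did not end up moved: the list to re-check before declaring victory."""
    return [item for item, status, _ in reconcile(fix_text, log_text) if status != "moved"]


def pending_reboot(log_text: str) -> List[str]:
    """Paths whose last recorded outcome is 'scheduled to be moved on reboot'."""
    return [p for p, outcomes in parse_result(log_text).items() if final_status(outcomes) == "deferred"]


if __name__ == "__main__":
    for item, status, matched in reconcile(FIX_TEXT, RESULT_LOG):
        print(f"{status:10} {item}  ({len(matched)} log entries)")
```

Anything `leftovers` returns is worth a second look: "unreported" means OTL never mentioned the path at all (a typo in the fix, or a line that was not pasted), and "not-found" for a path the scan log listed a moment earlier usually means the malware renamed or re-created it between the scan and the fix.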
#14 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 08 March 2011 - 07:05 PM

Hello, TRD10.
Great, at this point let's run ComboFix to get rid of what's left. Please boot into normal mode to run it, and please don't forget to rename it.



Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message (screenshot not reproduced here):

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#15 TRD10

TRD10
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:08:55 PM

Posted 09 March 2011 - 08:12 AM

No other symptoms

ComboFix 11-03-08.06 - HP_Administrator 03/09/2011 1:42.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1546 [GMT -8:00]
Running from: K:\etavaresCF.exe
AV: Norton Internet Security 2006 *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security 2006 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\check_LSA7.txt
c:\documents and settings\HP_Administrator\Application Data\gbxsabcv.dll
c:\documents and settings\HP_Administrator\Cookies\hobyvyse.dll
c:\documents and settings\HP_Administrator\Cookies\ojyqanufy._dl
c:\documents and settings\HP_Administrator\Cookies\wituguva.db
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{23B952AA-A0DB-4076-B688-AC76E763CD90}
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{23B952AA-A0DB-4076-B688-AC76E763CD90}\chrome.manifest
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{23B952AA-A0DB-4076-B688-AC76E763CD90}\chrome\content\_cfg.js
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{23B952AA-A0DB-4076-B688-AC76E763CD90}\chrome\content\c.js
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{23B952AA-A0DB-4076-B688-AC76E763CD90}\chrome\content\overlay.xul
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{23B952AA-A0DB-4076-B688-AC76E763CD90}\install.rdf
c:\program files\Bat
c:\program files\Bat\Bat.dll.intermediate.manifest
c:\program files\Bat\Bat.info
c:\program files\Bat\Bat.original
c:\program files\Bat\Info.dll
c:\program files\Bat\un_BatSetup_15041.exe
c:\program files\Bat\un_BatSetup_15041.txt
c:\program files\Bat\X_Bat.log
c:\program files\Common Files\Uninstall
c:\program files\Quicktime\QTTask.exe
c:\program files\RcvSystem
c:\program files\sFX
c:\temp\tn3
c:\windows\IA
c:\windows\IA\asappsrv.dll
c:\windows\IA\command.exe
c:\windows\IA\KE.vbs
c:\windows\ictions.dll
c:\windows\imyden.scr
c:\windows\megavid.cdt
c:\windows\muotr.so
c:\windows\ryvunom._sy
c:\windows\wiaserviv.log
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-02-09 to 2011-03-09 )))))))))))))))))))))))))))))))
.
.
2011-03-08 05:26 . 2011-03-08 05:26 -------- d-----w- C:\_OTL
2011-03-06 00:49 . 2011-03-05 20:48 581120 ----a-w- C:\OTL.exe
2011-03-02 16:05 . 2011-03-02 16:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2011-03-02 05:21 . 2011-02-03 05:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-02 05:19 . 2011-03-02 05:19 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-03-02 05:08 . 2010-04-16 15:36 357888 ------w- c:\windows\system32\SETC4.tmp
2011-03-02 05:08 . 2010-04-16 15:36 205312 ------w- c:\windows\system32\SETC3.tmp
2011-03-02 05:08 . 2010-04-16 15:36 39424 ------w- c:\windows\system32\SETBB.tmp
2011-03-02 05:08 . 2010-04-16 15:36 449024 ------w- c:\windows\system32\SETBE.tmp
2011-03-02 05:08 . 2010-04-16 15:36 474112 ----a-w- c:\windows\system32\SETB9.tmp
2011-03-02 05:08 . 2010-04-16 15:36 624640 ----a-w- c:\windows\system32\SETB7.tmp
2011-03-02 05:08 . 2010-04-16 13:21 352768 ------w- c:\windows\system32\SETC9.tmp
2011-03-02 05:07 . 2010-04-16 15:36 662016 ----a-w- c:\windows\system32\SETB6.tmp
2011-03-02 05:07 . 2010-04-16 15:36 1023488 ----a-w- c:\windows\system32\SETC7.tmp
2011-03-02 05:07 . 2010-04-16 15:36 1506304 ----a-w- c:\windows\system32\SETBA.tmp
2011-03-02 05:07 . 2010-04-16 15:36 3065344 ----a-w- c:\windows\system32\SETBF.tmp
2011-03-02 04:52 . 2011-03-02 04:52 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2011-03-01 16:24 . 2011-03-01 16:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-03-01 16:24 . 2011-03-01 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-01 16:24 . 2010-12-21 02:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-01 16:24 . 2011-03-01 16:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-01 16:24 . 2010-12-21 02:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-01 16:17 . 2001-08-17 21:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-03-01 16:17 . 2001-08-17 21:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-02 04:59 . 2006-02-14 01:50 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-03-02 04:59 . 2006-02-14 01:50 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-02-03 03:19 . 2009-10-14 23:30 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-02-01 10:49 . 2008-11-11 05:01 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-02-01 10:49 . 2008-11-11 05:01 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-02-01 10:49 . 2008-11-11 05:01 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-02-01 10:49 . 2008-11-11 05:01 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-02-01 10:49 . 2008-11-11 05:01 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-12 68856]
"ares"="c:\program files\Ares\Ares.exe" [2008-08-21 888832]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-13 139264]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-14 7323648]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-11-12 1064960]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-11-12 61440]
"DMAScheduler"="c:\program files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [2005-11-01 90112]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-12 53096]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-10 249856]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-2-13 27136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 23:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2005-12-14 21:51 1519616 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2005-07-23 06:14 237568 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-01-12 00:23 15961088 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/3/2010 2:17 PM 136176]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.
2010-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
.
2010-12-23 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 19:20]
.
2009-10-13 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-09 03:23]
.
2011-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-03 22:17]
.
2011-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-03 22:17]
.
2010-11-20 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - HP_Administrator.job
- c:\progra~1\NORTON~1\Navw32.exe [2005-09-24 08:03]
.
2010-12-04 c:\windows\Tasks\Norton Security Scan for HP_Administrator.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-09-03 04:21]
.
2010-12-03 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2009-03-13 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/?ref=hp
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-QuickTime Task - c:\program files\QuickTime\qttask.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-09 01:50
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-03-09 01:52:48
ComboFix-quarantined-files.txt 2011-03-09 09:52
.
Pre-Run: 106,079,621,120 bytes free
Post-Run: 112,793,296,896 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - FA86F900F398AC86587211753F1F43AA
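The "Reg Loading Points" part of a ComboFix log like the one above is where a responder looks at autostart entries and at whether Security Center monitoring or the Windows Firewall has been switched off. The script below is an added example, not part of this thread and not ComboFix's own code; it parses a constructed excerpt laid out like the posted log (the entries mirror the log above, plus one invented Run entry named "constructed" under a user profile so the location check has something to flag) and lists the settings worth a second look.

```python
import re

# Constructed excerpt in the layout of a ComboFix "Reg Loading Points" section.
# Entries mirror the log posted above, except the Run entry named "constructed",
# which is invented so that the location check below has something to flag.
SAMPLE_LOG = r"""
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ares"="c:\program files\Ares\Ares.exe" [2008-08-21 888832]
"constructed"="c:\documents and settings\someuser\Local Settings\Temp\example.exe" [2011-03-01 12345]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-12 53096]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
"""

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# ComboFix prints Run values as "path" [yyyy-mm-dd size]
RUN_VALUE_RE = re.compile(r'^"(?P<path>[^"]+)"\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$')

# Autostart binaries are normally installed under one of these roots on XP;
# anything elsewhere (user profile, temp, root of a drive) deserves a closer look.
EXPECTED_ROOTS = ('c:\\program files\\', 'c:\\windows\\')


def parse_sections(text):
    """Return an insertion-ordered dict {registry key: [(value name, raw value), ...]}."""
    sections = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group('key')
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group('name'), m.group('value').strip()))
    return sections


def run_entries(sections):
    """Flatten every ...\\CurrentVersion\\Run value into one dict per entry."""
    entries = []
    for key, values in sections.items():
        if not key.lower().endswith('\\currentversion\\run'):
            continue
        for name, raw in values:
            m = RUN_VALUE_RE.match(raw)
            if m:
                entries.append({
                    'hive': key.split('\\')[0],
                    'name': name,
                    'path': m.group('path'),
                    'date': m.group('date'),
                    'size': int(m.group('size')),
                })
    return entries


def findings(sections):
    """Human-readable list of settings a responder should verify were intended."""
    notes = []
    for key, values in sections.items():
        k = key.lower()
        if 'security center\\monitoring\\' in k:
            product = key.split('\\')[-1]
            for name, raw in values:
                if name.lower() == 'disablemonitoring' and raw.lower() == 'dword:00000001':
                    notes.append(f'Security Center monitoring disabled for {product}')
        elif k.endswith('firewallpolicy\\standardprofile'):
            for name, raw in values:
                if name.lower() == 'enablefirewall' and raw.split()[0] == '0':
                    notes.append('Windows Firewall standard profile disabled (EnableFirewall=0)')
    for e in run_entries(sections):
        if not e['path'].lower().startswith(EXPECTED_ROOTS):
            notes.append(f"Run entry {e['name']!r} starts outside Program Files/Windows: {e['path']}")
    return notes


if __name__ == '__main__':
    secs = parse_sections(SAMPLE_LOG)
    for e in run_entries(secs):
        print(f"{e['hive']:<18} {e['name']:<12} {e['date']} {e['size']:>8}  {e['path']}")
    for note in findings(secs):
        print('!', note)
```

Run it against a real C:\ComboFix.txt by replacing SAMPLE_LOG with the file's contents; the parser only reacts to `[key]` headers and `"name"=value` lines, so the rest of the log passes through untouched. A disabled Security Center monitor is not proof of tampering on its own (a third-party suite may set it deliberately), which is why the output is phrased as items to verify rather than verdicts.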



