Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Hijack/Locked hosts file


  • This topic is locked This topic is locked
40 replies to this topic

#1 Bluetick

Bluetick

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 01 September 2011 - 09:26 PM

My friend provided the following:
What you are experiencing is extreme slowness in general although the CPU itself does not register any large loads. The computer will bounce around 80-90% idle while still taking a long time to accomplish anything. When you go to Google you get a 404 error. I looked at the "hosts" file and it has been poisoned. It is also locked down and I could not be deleted or edit it. There were a bunch of Google redirects in the hosts file (as well as YouTube).

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by JKS at 17:46:55 on 2011-09-01
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.50 [GMT -8:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files\Norton Online\Engine\2.2.0.20\ccSvcHst.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Norton Online\Engine\2.2.0.20\ccSvcHst.exe
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ebay.com/sch/i.html?_trkparms=65%253A12%257C66%253A4%257C39%253A1%257C72%253A5049&rt=nc&_nkw=gibson+banjo&_ipg=&_sticky=1&_trksid=p3286.c0.m14&_sop=10&_sc=1
uSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.6.0.29\ips\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Norton Safety Minder BHO: {b8e07826-0971-4f16-b133-047b88034e89} - c:\program files\norton online\addons\norton safety minder\engine\2.2.0.28\coIEPlg.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
uPolicies-explorer: DisallowRun = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249177080875
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.227.1
TCP: Interfaces\{EB18DA0E-8504-4634-8F07-860611382DBF} : DhcpNameServer = 192.168.227.1
Handler: lbxfile - {56831180-F115-11d2-B6AA-00104B2B9943} - c:\program files\libronix dls\system\FileProt.dll
Handler: lbxres - {24508F1B-9E94-40EE-9759-9AF5795ADF52} - c:\program files\libronix dls\system\ResProt.dll
Notify: GoToAssist Express Customer - c:\program files\citrix\gotoassist express customer\240\g2ax_winlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: image file execution options - svchost.exe
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1206000.01d\symds.sys [2011-5-2 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1206000.01d\symefa.sys [2011-5-2 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20110812.001\BHDrvx86.sys [2011-8-15 815736]
R1 ccSet_NOF;Norton Online Settings Manager;c:\windows\system32\drivers\nof\0202000.014\ccSetx86.sys [2011-8-3 131208]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys [2011-5-2 136312]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-26 366640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-27 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20110831.030\IDSXpx86.sys [2011-8-31 356280]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-26 22712]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110901.002\NAVENG.SYS [2011-9-1 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20110901.002\NAVEX15.SYS [2011-9-1 1576312]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\citrix\gotoassist express customer\240\g2ax_service.exe [2010-9-18 161144]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-8-26 41272]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\12.tmp --> c:\windows\system32\12.tmp [?]
S3 SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A};Symantec Redirector - Norton Safety Minder;c:\windows\system32\drivers\nsm\0202000.01c\symrdr.sys [2011-8-3 196600]
.
=============== Created Last 30 ================
.
2011-08-27 18:07:10 -------- d-----w- c:\program files\Sophos
2011-08-27 04:23:46 -------- d-----w- c:\documents and settings\jks\application data\Malwarebytes
2011-08-27 04:23:23 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-27 04:23:22 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-08-27 04:23:17 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-27 04:23:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-27 03:28:22 -------- d-----w- c:\documents and settings\jks\application data\TeamViewer
2011-08-18 00:26:24 -------- d-----w- C:\Google
2011-08-11 06:33:13 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-11 06:25:47 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-04 05:02:29 196600 ----a-r- c:\windows\system32\drivers\nsm\0202000.01c\symrdr.sys
2011-08-04 05:02:18 -------- d-----w- c:\windows\system32\drivers\nsm\0202000.01C
2011-08-04 05:02:18 -------- d-----w- c:\windows\system32\drivers\NSM
2011-08-04 05:01:40 131208 ----a-r- c:\windows\system32\drivers\nof\0202000.014\ccSetx86.sys
2011-08-04 05:01:33 -------- d-----w- c:\windows\system32\drivers\nof\0202000.014
2011-08-04 05:01:33 -------- d-----w- c:\windows\system32\drivers\NOF
2011-08-04 05:01:32 -------- d-----w- c:\program files\Norton Online
.
==================== Find3M ====================
.
2011-08-16 05:01:06 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-04 05:02:58 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-08-04 05:02:58 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
.
============= FINISH: 17:49:18.12 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:40 PM

Posted 01 September 2011 - 10:02 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool untill instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Bluetick

Bluetick
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 02 September 2011 - 12:23 AM

I had Windows shut down while combofix was running because of a faulty driver msg. I rebooted and ran combofix again and it generated the below report. I just checked, and I can now access Youtube w/o the "not found 404" report.

I will be gone until next Thursday night. Thanks.

bluetick

ComboFix 11-09-01.03 - JKS 09/01/2011 20:54:40.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.108 [GMT -8:00]
Running from: c:\documents and settings\JKS\Desktop\ComboFix.exe
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\c65e19
c:\documents and settings\All Users\Application Data\c65e19\732.mof
c:\documents and settings\All Users\Application Data\c65e19\BackUp\Digital Line Detect.lnk
c:\documents and settings\All Users\Application Data\c65e19\c65e1935e0b35f3c4e90c7ce1a33e504.ocx
c:\documents and settings\All Users\Application Data\c65e19\f45e7tm9q0fcswcw9qfcf0g9v.dll
c:\documents and settings\All Users\Application Data\c65e19\SME.ico
c:\documents and settings\JKS\Application Data\Smart Engine
c:\documents and settings\JKS\Application Data\Smart Engine\Instructions.ini
c:\documents and settings\JKS\g2ax_customer_downloadhelper_win32_x86.exe
c:\documents and settings\JKS\g2mdlhlpx.exe
c:\documents and settings\JKS\My Documents\~WRL2340.tmp
c:\documents and settings\JKS\My Documents\~WRL2506.tmp
c:\documents and settings\JKS\Recent\ANTIGEN.dll
c:\documents and settings\JKS\Recent\ANTIGEN.drv
c:\documents and settings\JKS\Recent\CLSV.tmp
c:\documents and settings\JKS\Recent\ddv.tmp
c:\documents and settings\JKS\Recent\dudl.dll
c:\documents and settings\JKS\Recent\eb.exe
c:\documents and settings\JKS\Recent\eb.sys
c:\documents and settings\JKS\Recent\energy.drv
c:\documents and settings\JKS\Recent\energy.sys
c:\documents and settings\JKS\Recent\FS.drv
c:\documents and settings\JKS\Recent\hymt.exe
c:\documents and settings\JKS\Recent\hymt.tmp
c:\documents and settings\JKS\Recent\kernel32.drv
c:\documents and settings\JKS\Recent\pal.exe
c:\documents and settings\JKS\Recent\PE.dll
c:\documents and settings\JKS\Recent\PE.tmp
c:\documents and settings\JKS\Recent\tempdoc.tmp
c:\documents and settings\JKS\Recent\tjd.drv
c:\documents and settings\JKS\Recent\tjd.exe
c:\windows\system32\download
c:\windows\system32\Download\ispinfo.csv
.
.
((((((((((((((((((((((((( Files Created from 2011-08-02 to 2011-09-02 )))))))))))))))))))))))))))))))
.
.
2011-08-27 18:07 . 2011-08-27 18:07 -------- d-----w- c:\program files\Sophos
2011-08-27 04:23 . 2011-08-27 04:23 -------- d-----w- c:\documents and settings\JKS\Application Data\Malwarebytes
2011-08-27 04:23 . 2011-07-07 03:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-27 04:23 . 2011-08-27 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-27 04:23 . 2011-08-27 04:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-27 04:23 . 2011-07-07 03:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-27 03:28 . 2011-08-27 03:28 -------- d-----w- c:\documents and settings\JKS\Application Data\TeamViewer
2011-08-18 00:26 . 2011-08-18 00:26 -------- d-----w- C:\Google
2011-08-11 06:33 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-11 06:25 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-04 05:02 . 2011-08-04 05:02 -------- d-----w- c:\windows\system32\drivers\NSM
2011-08-04 05:01 . 2011-08-04 05:01 -------- d-----w- c:\windows\system32\drivers\NOF
2011-08-04 05:01 . 2011-08-04 05:02 -------- d-----w- c:\program files\Norton Online
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-16 05:01 . 2011-06-02 01:00 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-04 05:02 . 2010-10-24 05:03 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-08-04 05:02 . 2010-10-24 05:03 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-07-15 13:29 . 2004-08-10 18:51 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-10 18:51 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2004-08-10 19:01 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-08-10 18:51 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2004-08-10 18:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2004-08-10 18:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-10 18:51 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-10 18:51 293376 ----a-w- c:\windows\system32\winsrv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-05 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-04-02 417792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-21 24576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2010-09-18 18:23 147832 ----a-w- c:\program files\Citrix\GoToAssist Express Customer\240\g2ax_winlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1206000.01D\symds.sys [5/2/2011 3:18 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1206000.01D\symefa.sys [5/2/2011 3:18 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110812.001\BHDrvx86.sys [8/15/2011 4:51 PM 815736]
R1 ccSet_NOF;Norton Online Settings Manager;c:\windows\system32\drivers\NOF\0202000.014\ccSetx86.sys [8/3/2011 9:01 PM 131208]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1206000.01D\ironx86.sys [5/2/2011 3:18 PM 136312]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/26/2011 8:23 PM 366640]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe [5/2/2011 2:28 PM 130008]
R2 NOF;Norton Online;c:\program files\Norton Online\Engine\2.2.0.20\ccSvcHst.exe [8/3/2011 9:01 PM 138760]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/27/2011 4:30 PM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110831.030\IDSXpx86.sys [8/31/2011 5:00 PM 356280]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/26/2011 8:23 PM 22712]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 1:33 AM 135664]
S3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\240\g2ax_service.exe [9/18/2010 10:23 AM 161144]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 1:33 AM 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/26/2011 8:23 PM 41272]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\12.tmp --> c:\windows\system32\12.tmp [?]
S3 SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A};Symantec Redirector - Norton Safety Minder;c:\windows\system32\drivers\NSM\0202000.01C\symrdr.sys [8/3/2011 9:02 PM 196600]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 09:33]
.
2011-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 09:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ebay.com/sch/i.html?_trkparms=65%253A12%257C66%253A4%257C39%253A1%257C72%253A5049&rt=nc&_nkw=gibson+banjo&_ipg=&_sticky=1&_trksid=p3286.c0.m14&_sop=10&_sc=1
uInternet Connection Wizard,ShellNext = iexplore
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-01 21:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NOF]
"ImagePath"="\"c:\program files\Norton Online\Engine\2.2.0.20\ccSvcHst.exe\" /s \"NOF\" /m \"c:\program files\Norton Online\Engine\2.2.0.20\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\12.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(604)
c:\program files\Citrix\GoToAssist Express Customer\240\g2ax_winlogon.dll
.
Completion time: 2011-09-01 21:17:32
ComboFix-quarantined-files.txt 2011-09-02 05:17
.
Pre-Run: 49,359,511,552 bytes free
Post-Run: 51,219,214,336 bytes free
.
- - End Of File - - DF13CAAD7F072E2571E709CAE05303C6

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:40 PM

Posted 02 September 2011 - 12:28 AM

These logs are looking alot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 8.1.2
J2SE Runtime Environment 5.0 Update 6


and click on remove

Update Adobe Reader

Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be carefull not to install anything to do with AskBar.
[/list]
Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close


Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

If you have problems running Hijackthis.

sometimes we have to run it like this To run HijackThis as an administrator,
rightclick HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

Edited by gringo_pr, 02 September 2011 - 12:28 AM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 Bluetick

Bluetick
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 02 September 2011 - 06:50 PM

Gringo,

I may have time to do these tasks Monday afternoon, but if not, please remember that I won't be back in town until Thursday evening. Please keep the topic open. Thanks.

Bluetick

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:40 PM

Posted 02 September 2011 - 07:05 PM

thanks for letting me know


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Bluetick

Bluetick
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 05 September 2011 - 04:49 PM

Gringo,

I got back a little early today. Computer is very, very slow. I got as far as installing TFC but when I try to run it, I get a "TFC not responding" msg. The hour glass just stays there, and I have to reboot. I've tried 3 times with the same result. The same msg is in task manager.

It took a long time to get Adobe Reader downloaded. Last Friday I tried it and it timed out. Today I got it installed successfully, along with Java.

What now?

Again, I'll be out of the net until Thursday.

Ken

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:40 PM

Posted 05 September 2011 - 07:37 PM

Hello

Lets get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and the that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTListIt.txt in your next reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 Bluetick

Bluetick
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 05 September 2011 - 08:15 PM

Gringo,

I forgot to mention that when I hac the TFC open, there was a note that said you had to be logged on as an administrator, I think. Also, there are 2 icons in task manager that both say not responding.

OTL logfile created on: 9/5/2011 4:49:52 PM - Run 1
OTL by OldTimer - Version 3.2.27.0 Folder = C:\Documents and Settings\JKS\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

446.42 Mb Total Physical Memory | 142.91 Mb Available Physical Memory | 32.01% Memory free
1.03 Gb Paging File | 0.40 Gb Available in Paging File | 39.07% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.46 Gb Total Space | 46.79 Gb Free Space | 65.48% Space Free | Partition Type: NTFS

Computer Name: KEN | User Name: JKS | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\JKS\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Norton Online\Engine\2.2.0.20\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe (Symantec Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Norton Online\AddOns\Norton Safety Minder\Engine\2.2.0.28\wincfi36.dll ()
MOD - C:\WINDOWS\system32\nvapi.dll ()


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (NOF) -- C:\Program Files\Norton Online\Engine\2.2.0.20\ccSvcHst.exe (Symantec Corporation)
SRV - (NIS) -- C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe (Symantec Corporation)
SRV - (GoToAssist Express Customer) -- C:\Program Files\Citrix\GoToAssist Express Customer\240\g2ax_service.exe (Citrix Online, a division of Citrix Systems, Inc.)


========== Driver Services (SafeList) ==========

DRV - (IDSxpx86) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110902.030\IDSXpx86.sys (Symantec Corporation)
DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (NAVEX15) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110904.002_7a8\NAVEX15.SYS (Symantec Corporation)
DRV - (NAVENG) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20110904.002_7a8\NAVENG.SYS (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (BHDrvx86) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110812.001\BHDrvx86.sys (Symantec Corporation)
DRV - (MBAMSwissArmy) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys (Malwarebytes Corporation)
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (ccSet_NOF) -- C:\WINDOWS\system32\drivers\NOF\0202000.014\ccSetx86.sys (Symantec Corporation)
DRV - (SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A}) -- C:\WINDOWS\system32\drivers\NSM\0202000.01C\SymRdr.SYS (Symantec Corporation)
DRV - (SRTSP) -- C:\WINDOWS\System32\Drivers\NIS\1206000.01D\SRTSP.SYS (Symantec Corporation)
DRV - (SRTSPX) Symantec Real Time Storage Protection (PEL) -- C:\WINDOWS\system32\drivers\NIS\1206000.01D\SRTSPX.SYS (Symantec Corporation)
DRV - (SYMTDI) -- C:\WINDOWS\System32\Drivers\NIS\1206000.01D\SYMTDI.SYS (Symantec Corporation)
DRV - (SymEFA) -- C:\WINDOWS\system32\drivers\NIS\1206000.01D\SYMEFA.SYS (Symantec Corporation)
DRV - (SymDS) -- C:\WINDOWS\system32\drivers\NIS\1206000.01D\SYMDS.SYS (Symantec Corporation)
DRV - (SymIRON) -- C:\WINDOWS\system32\drivers\NIS\1206000.01D\Ironx86.SYS (Symantec Corporation)
DRV - (MREMP50) -- C:\Program Files\Common Files\Motive\MREMP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (MRESP50) -- C:\Program Files\Common Files\Motive\MRESP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (ASCTRM) -- C:\WINDOWS\System32\drivers\asctrm.sys (Windows ® 2000 DDK provider)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (nvatabus) -- C:\WINDOWS\system32\drivers\nvatabus.sys (NVIDIA Corporation)
DRV - (mr7910) -- C:\WINDOWS\system32\drivers\mr7910.sys (Mars Semiconductor Corp.)
DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)
DRV - (DSproct) -- C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys (GTek Technologies Ltd.)
DRV - (SQTECH905C) -- C:\WINDOWS\system32\drivers\Capt905c.sys (Service & Quality Technology.)
DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061121
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061121


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061121
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061121
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2136716960-3508903367-182643003-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/sch/i.html?_trkparms=65%253A12%257C66%253A4%257C39%253A1%257C72%253A5049&rt=nc&_nkw=gibson+banjo&_ipg=&_sticky=1&_trksid=p3286.c0.m14&_sop=10&_sc=1
IE - HKU\S-1-5-21-2136716960-3508903367-182643003-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.3: C:\Documents and Settings\JKS\Application Data\Facebook\npfbplugin_1_0_3.dll ( )

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\IPSFFPlgn\ [2011/08/17 08:34:52 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\coFFPlgn_2011_7_1_3 [2011/09/05 16:37:27 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{6D5C8FC4-DE46-41bf-9092-93F0F78E9115}: C:\Documents and Settings\All Users\Application Data\Norton\{78CA3BF0-9C3B-40e1-B46D-38C877EF059A}\NSM_2.2.0.28\coFFFw\ [2011/08/03 21:06:59 | 000,000,000 | ---D | M]

[2010/07/27 01:12:34 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\JKS\Application Data\Mozilla\Extensions

O1 HOSTS File: ([2011/09/01 21:12:05 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O2 - BHO: (Norton Safety Minder BHO) - {B8E07826-0971-4f16-B133-047B88034E89} - C:\Program Files\Norton Online\AddOns\Norton Safety Minder\Engine\2.2.0.28\CoIEPlg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coieplg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-2136716960-3508903367-182643003-1007\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-2136716960-3508903367-182643003-1007\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coieplg.dll (Symantec Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2136716960-3508903367-182643003-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2136716960-3508903367-182643003-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2136716960-3508903367-182643003-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2136716960-3508903367-182643003-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} http://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab (Reg Error: Key error.)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249177080875 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.227.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EB18DA0E-8504-4634-8F07-860611382DBF}: DhcpNameServer = 192.168.227.1
O18 - Protocol\Handler\lbxfile {56831180-F115-11d2-B6AA-00104B2B9943} - C:\Program Files\Libronix DLS\System\FileProt.dll (Libronix Corporation)
O18 - Protocol\Handler\lbxres {24508F1B-9E94-40EE-9759-9AF5795ADF52} - C:\Program Files\Libronix DLS\System\ResProt.dll (Libronix Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist Express Customer: DllName - C:\Program Files\Citrix\GoToAssist Express Customer\240\g2ax_winlogon.dll - C:\Program Files\Citrix\GoToAssist Express Customer\240\g2ax_winlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\JKS\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\JKS\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/05 16:47:16 | 000,581,120 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\JKS\Desktop\OTL.exe
[2011/09/05 12:40:33 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\JKS\Desktop\TFC.exe
[2011/09/05 12:29:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2011/09/05 12:28:11 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/09/05 12:28:10 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/09/05 12:28:10 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/09/05 12:28:09 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/09/05 12:28:08 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/09/05 12:13:44 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2011/09/02 16:46:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
[2011/09/02 16:29:34 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2011/09/02 16:04:35 | 000,739,296 | ---- | C] (Adobe Systems Incorporated) -- C:\Documents and Settings\JKS\Desktop\install_reader10_en_air_gtbp_chra_aih.exe
[2011/09/01 20:23:02 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/09/01 20:14:32 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/09/01 20:14:32 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/09/01 20:14:32 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/09/01 20:14:31 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/09/01 20:14:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/09/01 20:14:04 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/09/01 20:04:07 | 004,192,529 | R--- | C] (Swearware) -- C:\Documents and Settings\JKS\Desktop\ComboFix.exe
[2011/09/01 17:55:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JKS\Desktop\gmer
[2011/09/01 17:46:55 | 000,000,000 | R--D | C] -- C:\Documents and Settings\JKS\Start Menu\Programs\Administrative Tools
[2011/09/01 17:43:42 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\JKS\Desktop\dds.scr
[2011/08/27 10:07:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Sophos
[2011/08/27 10:07:10 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2011/08/26 20:23:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JKS\Application Data\Malwarebytes
[2011/08/26 20:23:23 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/08/26 20:23:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/08/26 20:23:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/08/26 20:23:17 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/08/26 20:23:17 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/08/26 19:28:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JKS\Application Data\TeamViewer
[2011/08/26 19:27:38 | 002,683,376 | ---- | C] (TeamViewer GmbH) -- C:\Documents and Settings\JKS\Desktop\TeamViewerQS_en.exe
[2011/08/17 16:26:24 | 000,000,000 | ---D | C] -- C:\Google
[2011/08/10 22:33:13 | 000,139,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rdpwd.sys
[2011/08/10 22:25:47 | 000,010,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndistapi.sys
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/05 16:47:28 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\JKS\Desktop\OTL.exe
[2011/09/05 16:39:30 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/09/05 16:37:33 | 000,081,191 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/09/05 16:37:19 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/09/05 16:36:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/05 16:36:54 | 468,176,896 | -HS- | M] () -- C:\hiberfil.sys
[2011/09/05 16:26:27 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/09/05 12:40:48 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\JKS\Desktop\TFC.exe
[2011/09/05 12:27:23 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/09/05 12:27:23 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/09/05 12:27:23 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/09/05 12:27:23 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/09/05 12:27:23 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/09/05 12:14:29 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/09/03 23:35:08 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2011/09/02 16:46:41 | 000,001,791 | ---- | M] () -- C:\Documents and Settings\JKS\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/09/02 16:36:32 | 000,008,336 | ---- | M] () -- C:\{F58A0087-F7A6-4159-A4EF-305FEE43A440}
[2011/09/02 16:04:35 | 000,739,296 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\JKS\Desktop\install_reader10_en_air_gtbp_chra_aih.exe
[2011/09/01 21:12:05 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/09/01 20:23:17 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/09/01 20:04:07 | 004,192,529 | R--- | M] (Swearware) -- C:\Documents and Settings\JKS\Desktop\ComboFix.exe
[2011/09/01 17:53:59 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\JKS\Desktop\gmer.zip
[2011/09/01 17:43:52 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\JKS\Desktop\dds.scr
[2011/09/01 17:41:37 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\JKS\defogger_reenable
[2011/09/01 17:40:20 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\JKS\Desktop\Defogger.exe
[2011/08/31 19:45:54 | 000,038,437 | ---- | M] () -- C:\Documents and Settings\JKS\Application Data\Comma Separated Values (Windows).ADR
[2011/08/26 20:41:55 | 000,000,165 | ---- | M] () -- C:\Documents and Settings\JKS\Desktop\Sophos Anti-Rootkit.url
[2011/08/26 19:46:10 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2011/08/26 19:46:10 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2011/08/26 19:28:06 | 002,683,376 | ---- | M] (TeamViewer GmbH) -- C:\Documents and Settings\JKS\Desktop\TeamViewerQS_en.exe
[2011/08/24 16:57:04 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2011/08/15 21:01:06 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/08/13 12:53:37 | 000,004,128 | ---- | M] () -- C:\INFCACHE.1
[2011/08/11 17:18:47 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\JKS\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2011/08/11 12:47:16 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/05 12:14:28 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/09/05 12:14:26 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2011/09/02 16:46:39 | 000,001,791 | ---- | C] () -- C:\Documents and Settings\JKS\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/09/02 16:46:37 | 000,001,813 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2011/09/02 16:36:32 | 000,008,336 | ---- | C] () -- C:\{F58A0087-F7A6-4159-A4EF-305FEE43A440}
[2011/09/01 20:23:16 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/09/01 20:23:09 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/09/01 20:14:32 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/09/01 20:14:32 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/09/01 20:14:32 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/09/01 20:14:32 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/09/01 20:14:32 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/09/01 17:53:57 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\JKS\Desktop\gmer.zip
[2011/09/01 17:41:37 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\JKS\defogger_reenable
[2011/09/01 17:40:15 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\JKS\Desktop\Defogger.exe
[2011/08/31 19:45:54 | 000,038,437 | ---- | C] () -- C:\Documents and Settings\JKS\Application Data\Comma Separated Values (Windows).ADR
[2011/08/26 20:40:40 | 000,000,165 | ---- | C] () -- C:\Documents and Settings\JKS\Desktop\Sophos Anti-Rootkit.url
[2011/08/26 19:46:10 | 000,000,000 | RHS- | C] () -- C:\MSDOS.SYS
[2011/08/26 19:46:10 | 000,000,000 | RHS- | C] () -- C:\IO.SYS
[2011/08/13 12:53:36 | 000,004,128 | ---- | C] () -- C:\INFCACHE.1
[2010/09/18 10:37:02 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2010/08/15 14:38:42 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/12/28 18:09:10 | 000,000,036 | ---- | C] () -- C:\WINDOWS\marscam.ini
[2007/03/15 18:06:59 | 000,002,516 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2007/03/15 18:06:59 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\702D826648.sys
[2007/03/06 08:33:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/12/09 17:50:53 | 000,007,680 | ---- | C] () -- C:\Documents and Settings\JKS\Application Data\dvd.bmk
[2006/12/09 17:25:50 | 000,000,047 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/12/09 17:25:40 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\JKS\Local Settings\Application Data\fusioncache.dat
[2006/11/26 18:40:46 | 000,030,720 | ---- | C] () -- C:\Documents and Settings\JKS\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/11/21 12:49:47 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/11/21 12:38:01 | 000,000,126 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/11/21 12:32:29 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/11/21 12:30:56 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/11/21 12:08:22 | 000,077,824 | ---- | C] () -- C:\WINDOWS\setpwr32.exe
[2006/11/21 12:08:05 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/11/21 12:08:05 | 001,617,920 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2006/11/21 12:08:05 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/11/21 12:08:05 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/11/21 12:08:04 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/11/21 12:08:04 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/11/21 12:08:04 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/11/21 12:08:04 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/11/21 12:08:03 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2006/11/21 12:08:03 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2006/11/21 12:08:03 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/11/21 12:07:09 | 000,000,394 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/11/09 23:56:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/10 11:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 11:07:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/10 11:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/10 11:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 10:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/10 10:57:15 | 000,138,848 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/10 10:51:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 10:51:20 | 000,384,926 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 10:51:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 10:51:20 | 000,054,484 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 10:51:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 10:51:18 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/10 10:51:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/10 10:51:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/10 10:51:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 10:51:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 10:51:05 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 10:50:56 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/01/07 13:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

< End of report >

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:40 PM

Posted 05 September 2011 - 08:26 PM

Hello

I want you to run this custem OTL script for me and then let me know how things are after you finish.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word Code
    :otl
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O3 - HKU\S-1-5-21-2136716960-3508903367-182643003-1007\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
    O16 - DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} http://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    :Files
    ipconfig /flushdns /c
    :Commands
    [PURITY] 
    [EMPTYTEMP]
    [EMPTYFLASH]
    [RESETHOSTS] 
    
  • Then click the Run Fix button at the top.
  • Click Posted Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 Bluetick

Bluetick
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 05 September 2011 - 08:49 PM

I've done the pasting and am running the fix, but task mgr is again showing 2 separate OTL icons with "not responding." The hour glass has been on the OTL box for about 15 minutes, and the note at the bottom says to not interrupt.

#12 Bluetick

Bluetick
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 05 September 2011 - 09:17 PM

I cant paste anything with the hour glass running, but right after I clicked on run fix, the following showed up in the box:

EMPTYTEMP
EMPTYFLASH
RESETHOSTS

I have only about 30 minutes before I have to catch a flight.

Bluetick

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:40 PM

Posted 06 September 2011 - 08:44 AM

did it finish or what happened?


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 Bluetick

Bluetick
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:03:40 PM

Posted 08 September 2011 - 09:20 PM

No, it never finished. I had to cut off the computer and leave.

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:40 PM

Posted 08 September 2011 - 10:11 PM

Hello

I have change the script a little see if it will work

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word Code
    :otl
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O3 - HKU\S-1-5-21-2136716960-3508903367-182643003-1007\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
    O16 - DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} http://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    :Files
    ipconfig /flushdns /c
    :Commands
    [PURITY] 
    [EMPTYTEMP]
    [EMPTYFLASH]
    
  • Then click the Run Fix button at the top.
  • Click Posted Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users