google redirect virus


11 replies to this topic

#1 weezer
  • Members
  • 48 posts

Posted 10 November 2011 - 09:05 AM

I have a redirect virus on a networked computer and have run several malware removal programs that have not been able to remove it. The problem seems specific to google searches. Any suggestions?

Edited by hamluis, 10 November 2011 - 09:38 AM.
Moved from XP to Am I Infected.



#2 boopme
    To Insanity and Beyond
  • Global Moderator
  • 72,914 posts
  • Gender:Male
  • Location:NJ USA

Posted 10 November 2011 - 10:08 AM

Hello, are other PCs on the network redirecting?

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 weezer
  • Topic Starter
  • Members
  • 48 posts

Posted 11 November 2011 - 08:45 AM

Only one PC in the network is affected. I had to remove some info from MiniToolBox. Hope you can still help me.

GooredFix by jpshortstuff (03.07.10.1)
Log created at 08:21 on 11/11/2011 (Installation)
Firefox version [Unable to determine]

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [20:24 10/08/2009]

-=E.O.F=-
MiniToolBox by Farbar
Ran by (administrator) on 11-11-2011 at 08:22:30
Microsoft Windows XP Service Pack 2 (X86)

***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================







========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : Alice

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . :



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC

Physical Address. . . . . . . . . : 00-1C-C0-29-31-7F

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . :

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . :

DHCP Server . . . . . . . . . . . :

DNS Servers . . . . . . . . . . . : 68.87.64.150

68.87.75.198

Lease Obtained. . . . . . . . . . : Friday, November 11, 2011 8:22:23 AM

Lease Expires . . . . . . . . . . : Friday, November 11, 2011 8:26:23 AM

Server: cns.inflow.pa.bo.comcast.net
Address: 68.87.64.150

Name: google.com.
Address: 207.223.0.140



Pinging google.com [72.14.204.103] with 32 bytes of data:



Request timed out.

Request timed out.



Ping statistics for 72.14.204.103:

Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

Server: cns.inflow.pa.bo.comcast.net
Address: 68.87.64.150

Name: yahoo.com.
Address: 207.223.0.140



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:



Request timed out.

Request timed out.



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1c c0 29 31 7f ...... Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:

===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (11/07/2011 03:09:55 PM) (Source: Symantec AntiVirus) (User: )
Description: Security Risk Found!Threat: Trojan.Gen.2 in File: C:\SYSTEM~1\_RESTO~1\RP907\A0064594.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Error: (11/07/2011 03:09:50 PM) (Source: Symantec AntiVirus) (User: )
Description: Threat Found!Threat: Trojan.Gen.2 in File: C:\System Volume Information\_restore{9695361B-139C-436D-A9CB-4C4BC7BEF95E}\RP907\A0064594.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Error: (11/07/2011 03:09:49 PM) (Source: Symantec AntiVirus) (User: )
Description: Security Risk Found!Threat: Trojan.Gen.2 in File: C:\SYSTEM~1\_RESTO~1\RP907\A0064594.exe by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.

Error: (11/07/2011 10:17:25 AM) (Source: Symantec AntiVirus) (User: )
Description: Security Risk Found!Threat: Trojan.Gen.2 in File: C:\DOCUME~1\AMuir\LOCALS~1\Temp\168f25.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Error: (11/07/2011 10:17:21 AM) (Source: Symantec AntiVirus) (User: )
Description: Threat Found!Threat: Trojan.Gen.2 in File: C:\Documents and Settings\AMuir\Local Settings\Temp\168f25.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Error: (11/07/2011 10:17:21 AM) (Source: Symantec AntiVirus) (User: )
Description: Security Risk Found!Threat: Trojan.Gen.2 in File: C:\DOCUME~1\AMuir\LOCALS~1\Temp\168f25.exe by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.

Error: (11/07/2011 10:03:24 AM) (Source: Symantec AntiVirus) (User: )
Description: Security Risk Found!Threat: Trojan.Gen.2 in File: C:\DOCUME~1\AMuir\LOCALS~1\APPLIC~1\ddl.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Error: (11/07/2011 10:00:21 AM) (Source: Symantec AntiVirus) (User: )
Description: Threat Found!Threat: Trojan.Gen.2 in File: C:\Documents and Settings\AMuir\Local Settings\Application Data\ddl.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Error: (11/07/2011 10:00:21 AM) (Source: Symantec AntiVirus) (User: )
Description: Security Risk Found!Threat: Trojan.Gen.2 in File: C:\DOCUME~1\AMuir\LOCALS~1\APPLIC~1\ddl.exe by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.

Error: (10/27/2011 08:10:45 AM) (Source: Application Error) (User: )
Description: Faulting application eq5.exe, version 1.0.0.1, faulting module eqdraw.ocx, version 1.0.0.1, fault address 0x0000df12.
Processing media-specific event for [eq5.exe!ws!]


System errors:
=============
Error: (11/09/2011 02:13:06 PM) (Source: DCOM) (User: AMuir)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
to the user ALICE\AMuir SID (S-1-5-21-1801674531-630328440-839522115-1008). This security permission can be modified using the Component Services administrative tool.

Error: (11/09/2011 02:13:05 PM) (Source: DCOM) (User: AMuir)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
to the user ALICE\AMuir SID (S-1-5-21-1801674531-630328440-839522115-1008). This security permission can be modified using the Component Services administrative tool.

Error: (11/09/2011 07:30:30 AM) (Source: DCOM) (User: AMuir)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
to the user ALICE\AMuir SID (S-1-5-21-1801674531-630328440-839522115-1008). This security permission can be modified using the Component Services administrative tool.

Error: (11/07/2011 11:43:33 AM) (Source: BROWSER) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{E0693F6C-4870-4C6F-AE5F-9BC2C5F7F384}.
The backup browser is stopping.

Error: (11/07/2011 08:39:34 AM) (Source: DCOM) (User: AMuir)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
to the user ALICE\AMuir SID (S-1-5-21-1801674531-630328440-839522115-1008). This security permission can be modified using the Component Services administrative tool.

Error: (11/04/2011 00:31:47 PM) (Source: Print) (User: AMuir)
Description: The document 10 Oct 2011 Monthly Report.xlsx owned by AMuir failed to print on printer HP Photosmart C4380 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 0. Number of bytes printed: 0. Total number of pages in the document: 0. Number of pages printed: 0. Client machine: \\ALICE. Win32 error code returned by the print processor: 10 Oct 2011 Monthly Report.xlsx0. 10 Oct 2011 Monthly Report.xlsx1

Error: (11/04/2011 06:51:27 AM) (Source: DCOM) (User: AMuir)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
to the user ALICE\AMuir SID (S-1-5-21-1801674531-630328440-839522115-1008). This security permission can be modified using the Component Services administrative tool.

Error: (11/03/2011 11:01:14 AM) (Source: Print) (User: AMuir)
Description: The document 10 Oct 2011 Monthly Report.xlsx owned by AMuir failed to print on printer HP Photosmart C4380 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 0. Number of bytes printed: 0. Total number of pages in the document: 0. Number of pages printed: 0. Client machine: \\ALICE. Win32 error code returned by the print processor: 10 Oct 2011 Monthly Report.xlsx0. 10 Oct 2011 Monthly Report.xlsx1

Error: (11/02/2011 00:53:27 PM) (Source: DCOM) (User: AMuir)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
to the user ALICE\AMuir SID (S-1-5-21-1801674531-630328440-839522115-1008). This security permission can be modified using the Component Services administrative tool.

Error: (11/02/2011 06:50:17 AM) (Source: BROWSER) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{E0693F6C-4870-4C6F-AE5F-9BC2C5F7F384}.
The backup browser is stopping.


Microsoft Office Sessions:
=========================
Error: (07/01/2011 02:05:16 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6557.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1865 seconds with 1380 seconds of active time. This session ended with a crash.

Error: (10/04/2010 10:13:41 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6535.5002, Microsoft Office Version: 12.0.6425.1000. This session lasted 2111 seconds with 1800 seconds of active time. This session ended with a crash.

Error: (09/24/2009 10:22:53 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1 seconds with 0 seconds of active time. This session ended with a crash.

Error: (09/24/2009 10:22:49 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 4 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/19/2009 00:48:33 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 2 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/19/2009 00:47:17 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/19/2009 00:47:09 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 2 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/19/2009 00:45:40 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 6 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/07/2009 01:26:51 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/07/2009 01:26:45 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1 seconds with 0 seconds of active time. This session ended with a crash.


=========================== Installed Programs ============================

32 Bit HP CIO Components Installer (Version: 1.0.0)
Ad-Aware (Version: 9.6.0)
Adobe Flash Player 10 ActiveX (Version: 10.2.153.1)
Adobe Reader 8.1.3 (Version: 8.1.3)
AIO_Scan (Version: 90.0.189.000)
AOL Registration
AOL Uninstaller (Choose which Products to Remove)
BufferChm (Version: 90.0.146.000)
C4380 (Version: 90.0.189.000)
C4380_doccd (Version: 90.0.189.000)
C4380_Help (Version: 90.0.189.000)
Copy (Version: 90.0.146.000)
Coupon Printer for Windows (Version: 5.0.0.0)
Destination Component (Version: 090.000.091.086)
DeviceDiscovery (Version: 90.0.146.000)
DeviceManagementQFolder (Version: 1.00.0000)
DocProc (Version: 9.0.0.0)
DocProcQFolder (Version: 1.00.0000)
eSupportQFolder (Version: 1.00.0000)
Fax (Version: 90.0.146.000)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.1.2003.1856)
Google Update Helper (Version: 1.3.21.79)
High Definition Audio Driver Package - KB888111 (Version: 20040219.000000)
HP Imaging Device Functions 9.0 (Version: 9.0)
HP OCR Software 9.0 (Version: 9.0)
HP Photo Creations (Version: 1.0.0.${CAB_VERSION})
HP Photosmart 6510 series Basic Device Software (Version: 24.0.342.0)
HP Photosmart 6510 series Help (Version: 140.0.2.2)
HP Photosmart All-In-One Software 9.0 (Version: 9.0)
HP Photosmart Essential 2.01 (Version: 2.01)
HP Photosmart Essential2.01 (Version: 1.01.0000)
HP Solution Center 9.0 (Version: 9.0)
HP Update (Version: 5.003.000.004)
HPProductAssistant (Version: 90.0.146.000)
Intel® Graphics Media Accelerator Driver
LiveUpdate 2.6 (Symantec Corporation) (Version: 2.6.18.0)
Lotus NotesSQL 3.01 driver
Lotus SmartSuite - English (Version: 9.8.0)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Professional Plus 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs (Version: 12.0.4518.1014)
Microsoft Silverlight (Version: 4.0.60831.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
MSXML 6 Service Pack 2 (KB973686) (Version: 6.20.2003.0)
PanoStandAlone (Version: 90.0.146.000)
Pretty Good Solitaire version 10.0.2 (Version: 10.0.2)
PS_AIO_02_ProductContext (Version: 90.0.189.000)
PS_AIO_02_Software (Version: 90.0.189.000)
PS_AIO_02_Software_min (Version: 90.0.189.000)
PSSWCORE (Version: 2.01.0000)
REALTEK GbE & FE Ethernet PCI-E NIC Driver (Version: 1.08.0000)
Realtek High Definition Audio Driver (Version: 5.10.0.5436)
Scan (Version: 9.0.0.0)
SolutionCenter (Version: 90.0.146.000)
Spelling Dictionaries Support For Adobe Reader 8 (Version: 8.0.0)
Status (Version: 90.0.146.000)
Symantec AntiVirus (Version: 10.0.1000.1)
Toolbox (Version: 90.0.146.000)
TrayApp (Version: 90.0.146.000)
UnloadSupport (Version: 9.0.0)
VideoToolkit01 (Version: 90.0.146.000)
Viewpoint Media Player
WebFldrs XP (Version: 9.50.7523)
WebReg (Version: 90.0.146.000)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0059.1)
Windows Imaging Component (Version: 3.0.0.0)
Windows Installer 3.1 (KB893803) (Version: 3.1)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Presentation Foundation (Version: 3.0.6920.0)
Windows XP Hotfix - KB873339 (Version: 20041117.092459)
Windows XP Hotfix - KB885835 (Version: 20041027.181713)
Windows XP Hotfix - KB885836 (Version: 20041028.173203)
Windows XP Hotfix - KB886185 (Version: 20041021.090540)
Windows XP Hotfix - KB887472 (Version: 20041014.162858)
Windows XP Hotfix - KB888302 (Version: 20041207.111426)
Windows XP Hotfix - KB890859 (Version: 1)
Windows XP Hotfix - KB891781 (Version: 20050110.165439)
XML Paper Specification Shared Components Pack 1.0

========================= Memory info: ===================================

Percentage of memory in use: 34%
Total physical RAM: 2035.63 MB
Available physical RAM: 1339.4 MB
Total Pagefile: 3928.68 MB
Available Pagefile: 3546.82 MB
Total Virtual: 2047.88 MB
Available Virtual: 1993.47 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:298.08 GB) (Free:279.97 GB) NTFS
4 Drive f: (STORE N GO) (Removable) (Total:7.45 GB) (Free:5.62 GB) FAT32

========================= Users: ========================================

User accounts for \\ALICE


========================= Minidump Files ==================================

No minidump file found

**** End of log ****
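The checks boopme's MiniToolBox list is aimed at (hosts file contents, proxy state, and whether the DNS server's answers line up with what ping resolved) can be run over a posted Result.txt mechanically. The parser below is an added example for this thread, not part of MiniToolBox or BleepingComputer's tooling; the embedded sample log is a trimmed, constructed excerpt in the format of the log above, and every function name is my own.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed MiniToolBox-style excerpt modelled on the log
# posted in this thread (same section headers, same addresses as the post).
SAMPLE_LOG = r"""
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================
127.0.0.1 localhost
========================= IP Configuration: ================================
Server: cns.inflow.pa.bo.comcast.net
Address: 68.87.64.150
Name: google.com.
Address: 207.223.0.140
Pinging google.com [72.14.204.103] with 32 bytes of data:
Server: cns.inflow.pa.bo.comcast.net
Address: 68.87.64.150
Name: yahoo.com.
Address: 207.223.0.140
Pinging yahoo.com [209.191.122.70] with 32 bytes of data:
"""

SECTION_RE = re.compile(r"^=+\s*([A-Za-z][^=]*?):?\s*=+$")   # '===== Name: ====='
PING_RE = re.compile(r"^Pinging (\S+) \[([\d.]+)\]")
LOOPBACK = {"127.0.0.1", "::1"}
STOCK_HOSTS_NAMES = {"localhost", "localhost.localdomain"}

def split_sections(text):
    """Group the log's lines under the '===== Name: =====' headers MiniToolBox prints."""
    sections = defaultdict(list)
    current = "preamble"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1).strip().rstrip(":")
            continue
        sections[current].append(line.rstrip())
    return sections

def proxy_enabled(lines):
    """True unless the IE proxy section says the proxy is off; None if the section is empty."""
    if not any(l.strip() for l in lines):
        return None
    return not any("proxy is not enabled" in l.lower() for l in lines)

def suspicious_hosts_entries(lines):
    """Hosts-file mappings other than the stock loopback -> localhost lines."""
    flagged = []
    for line in lines:
        entry = line.split("#", 1)[0].strip()    # drop comments and blank lines
        if not entry:
            continue
        addr, *names = entry.split()
        if addr not in LOOPBACK or any(n.lower() not in STOCK_HOSTS_NAMES for n in names):
            flagged.append(entry)
    return flagged

def dns_answers(lines):
    """Pair each nslookup 'Name:' line with the 'Address:' line that follows it."""
    answers, name = {}, None
    for line in lines:
        s = line.strip()
        if s.startswith("Name:"):
            name = s.split(":", 1)[1].strip().rstrip(".")
        elif s.startswith("Address:") and name:      # 'Server:' addresses have no pending name
            answers[name] = s.split(":", 1)[1].strip()
            name = None
    return answers

def ping_targets(lines):
    """Address each 'Pinging host [addr]' line used, i.e. what the OS resolver returned."""
    return {m.group(1): m.group(2) for m in map(PING_RE.match, (l.strip() for l in lines)) if m}

def shared_addresses(answers):
    """Distinct names answered with one address; unrelated sites sharing an IP is worth a look."""
    by_addr = defaultdict(list)
    for name, addr in answers.items():
        by_addr[addr].append(name)
    return {a: sorted(n) for a, n in by_addr.items() if len(n) > 1}

def resolver_mismatches(answers, pings):
    """Names where the DNS server's answer and the address ping used disagree."""
    return {n: (answers[n], pings[n]) for n in answers if n in pings and answers[n] != pings[n]}

def analyze(text):
    """Run every check over one MiniToolBox log and return the findings by name."""
    sec = split_sections(text)
    ipconf = sec.get("IP Configuration", [])
    answers = dns_answers(ipconf)
    return {"proxy_enabled": proxy_enabled(sec.get("IE Proxy Settings", [])),
            "hosts_suspicious": suspicious_hosts_entries(sec.get("Hosts content", [])),
            "shared_addresses": shared_addresses(answers),
            "resolver_mismatches": resolver_mismatches(answers, ping_targets(ipconf))}
```

On the sample, `analyze(SAMPLE_LOG)` reports that the configured DNS server answered both google.com and yahoo.com with 207.223.0.140 while ping used different addresses for each; that kind of inconsistency in the posted log is what a helper would want explained before treating name resolution on the machine as clean.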

#4 boopme
    To Insanity and Beyond
  • Global Moderator
  • 72,914 posts
  • Gender:Male
  • Location:NJ USA

Posted 11 November 2011 - 03:35 PM

Did you remove the Hosts file info?

Are you running Firefox on the infected machine?


Let's do this and see if they stop.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

#5 weezer
  • Topic Starter
  • Members
  • 48 posts

Posted 11 November 2011 - 04:08 PM

Boopme,
Firefox is not on the PC in question. Although I prefer it as a browser, it's a company machine. I didn't think I removed the hosts file info other than IP addresses. I reran GooredFix on the host's desktop and the fix failed. At shutdown rundll32.exe is still running. Here are the MiniToolBox results, but again I had to remove certain files.
Thanks
MiniToolBox by Farbar
Ran by AMuir on 11-11-2011 at 15:49:47
Microsoft Windows XP Service Pack 2 (X86)

***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================







127.0.0.1 localhost
127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip



popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : Alice

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . :



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC

Physical Address. . . . . . . . . : 00-1C-C0-29-31-7F

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . :

Subnet Mask . . . . . . . . . . . :

Default Gateway . . . . . . . . . :

DHCP Server . . . . . . . . . . . :

DNS Servers . . . . . . . . . . . : 68.87.64.150

68.87.75.198

Lease Obtained. . . . . . . . . . : Friday, November 11, 2011 3:48:23 PM

Lease Expires . . . . . . . . . . : Friday, November 11, 2011 3:52:23 PM

Server: cns.inflow.pa.bo.comcast.net
Address: 68.87.64.150

Name: google.com.
Address: 207.223.0.140



Pinging google.com [72.14.204.103] with 32 bytes of data:



Request timed out.

Request timed out.



Ping statistics for 72.14.204.103:

Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

Server: cns.inflow.pa.bo.comcast.net
Address: 68.87.64.150

Name: yahoo.com.
Address: 207.223.0.140



Pinging yahoo.com [98.139.180.149] with 32 bytes of data:



Request timed out.

Request timed out.



Ping statistics for 98.139.180.149:

Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1c c0 29 31 7f ...... Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric

===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (11/07/2011 03:09:55 PM) (Source: Symantec AntiVirus) (User: )
Description: Security Risk Found!Threat: Trojan.Gen.2 in File: C:\SYSTEM~1\_RESTO~1\RP907\A0064594.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Error: (11/07/2011 03:09:50 PM) (Source: Symantec AntiVirus) (User: )
Description: Threat Found!Threat: Trojan.Gen.2 in File: C:\System Volume Information\_restore{9695361B-139C-436D-A9CB-4C4BC7BEF95E}\RP907\A0064594.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Error: (11/07/2011 03:09:49 PM) (Source: Symantec AntiVirus) (User: )
Description: Security Risk Found!Threat: Trojan.Gen.2 in File: C:\SYSTEM~1\_RESTO~1\RP907\A0064594.exe by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.

Error: (11/07/2011 10:17:25 AM) (Source: Symantec AntiVirus) (User: )
Description: Security Risk Found!Threat: Trojan.Gen.2 in File: C:\DOCUME~1\AMuir\LOCALS~1\Temp\168f25.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Error: (11/07/2011 10:17:21 AM) (Source: Symantec AntiVirus) (User: )
Description: Threat Found!Threat: Trojan.Gen.2 in File: C:\Documents and Settings\AMuir\Local Settings\Temp\168f25.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Error: (11/07/2011 10:17:21 AM) (Source: Symantec AntiVirus) (User: )
Description: Security Risk Found!Threat: Trojan.Gen.2 in File: C:\DOCUME~1\AMuir\LOCALS~1\Temp\168f25.exe by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.

Error: (11/07/2011 10:03:24 AM) (Source: Symantec AntiVirus) (User: )
Description: Security Risk Found!Threat: Trojan.Gen.2 in File: C:\DOCUME~1\AMuir\LOCALS~1\APPLIC~1\ddl.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Error: (11/07/2011 10:00:21 AM) (Source: Symantec AntiVirus) (User: )
Description: Threat Found!Threat: Trojan.Gen.2 in File: C:\Documents and Settings\AMuir\Local Settings\Application Data\ddl.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Error: (11/07/2011 10:00:21 AM) (Source: Symantec AntiVirus) (User: )
Description: Security Risk Found!Threat: Trojan.Gen.2 in File: C:\DOCUME~1\AMuir\LOCALS~1\APPLIC~1\ddl.exe by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.

Error: (10/27/2011 08:10:45 AM) (Source: Application Error) (User: )
Description: Faulting application eq5.exe, version 1.0.0.1, faulting module eqdraw.ocx, version 1.0.0.1, fault address 0x0000df12.
Processing media-specific event for [eq5.exe!ws!]


System errors:
=============
Error: (11/09/2011 02:13:06 PM) (Source: DCOM) (User: AMuir)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
to the user ALICE\AMuir SID (S-1-5-21-1801674531-630328440-839522115-1008). This security permission can be modified using the Component Services administrative tool.

Error: (11/09/2011 02:13:05 PM) (Source: DCOM) (User: AMuir)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
to the user ALICE\AMuir SID (S-1-5-21-1801674531-630328440-839522115-1008). This security permission can be modified using the Component Services administrative tool.

Error: (11/09/2011 07:30:30 AM) (Source: DCOM) (User: AMuir)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
to the user ALICE\AMuir SID (S-1-5-21-1801674531-630328440-839522115-1008). This security permission can be modified using the Component Services administrative tool.

Error: (11/07/2011 11:43:33 AM) (Source: BROWSER) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{E0693F6C-4870-4C6F-AE5F-9BC2C5F7F384}.
The backup browser is stopping.

Error: (11/07/2011 08:39:34 AM) (Source: DCOM) (User: AMuir)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
to the user ALICE\AMuir SID (S-1-5-21-1801674531-630328440-839522115-1008). This security permission can be modified using the Component Services administrative tool.

Error: (11/04/2011 00:31:47 PM) (Source: Print) (User: AMuir)
Description: The document 10 Oct 2011 Monthly Report.xlsx owned by AMuir failed to print on printer HP Photosmart C4380 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 0. Number of bytes printed: 0. Total number of pages in the document: 0. Number of pages printed: 0. Client machine: \\ALICE. Win32 error code returned by the print processor: 10 Oct 2011 Monthly Report.xlsx0. 10 Oct 2011 Monthly Report.xlsx1

Error: (11/04/2011 06:51:27 AM) (Source: DCOM) (User: AMuir)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
to the user ALICE\AMuir SID (S-1-5-21-1801674531-630328440-839522115-1008). This security permission can be modified using the Component Services administrative tool.

Error: (11/03/2011 11:01:14 AM) (Source: Print) (User: AMuir)
Description: The document 10 Oct 2011 Monthly Report.xlsx owned by AMuir failed to print on printer HP Photosmart C4380 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 0. Number of bytes printed: 0. Total number of pages in the document: 0. Number of pages printed: 0. Client machine: \\ALICE. Win32 error code returned by the print processor: 10 Oct 2011 Monthly Report.xlsx0. 10 Oct 2011 Monthly Report.xlsx1

Error: (11/02/2011 00:53:27 PM) (Source: DCOM) (User: AMuir)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
to the user ALICE\AMuir SID (S-1-5-21-1801674531-630328440-839522115-1008). This security permission can be modified using the Component Services administrative tool.

Error: (11/02/2011 06:50:17 AM) (Source: BROWSER) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{E0693F6C-4870-4C6F-AE5F-9BC2C5F7F384}.
The backup browser is stopping.


Microsoft Office Sessions:
=========================
Error: (07/01/2011 02:05:16 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6557.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1865 seconds with 1380 seconds of active time. This session ended with a crash.

Error: (10/04/2010 10:13:41 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6535.5002, Microsoft Office Version: 12.0.6425.1000. This session lasted 2111 seconds with 1800 seconds of active time. This session ended with a crash.

Error: (09/24/2009 10:22:53 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1 seconds with 0 seconds of active time. This session ended with a crash.

Error: (09/24/2009 10:22:49 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 4 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/19/2009 00:48:33 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 2 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/19/2009 00:47:17 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/19/2009 00:47:09 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 2 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/19/2009 00:45:40 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 6 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/07/2009 01:26:51 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/07/2009 01:26:45 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1 seconds with 0 seconds of active time. This session ended with a crash.


=========================== Installed Programs ============================

32 Bit HP CIO Components Installer (Version: 1.0.0)
Ad-Aware (Version: 9.6.0)
Adobe Flash Player 10 ActiveX (Version: 10.2.153.1)
Adobe Reader 8.1.3 (Version: 8.1.3)
AIO_Scan (Version: 90.0.189.000)
AOL Registration
AOL Uninstaller (Choose which Products to Remove)
BufferChm (Version: 90.0.146.000)
C4380 (Version: 90.0.189.000)
C4380_doccd (Version: 90.0.189.000)
C4380_Help (Version: 90.0.189.000)
Copy (Version: 90.0.146.000)
Coupon Printer for Windows (Version: 5.0.0.0)
Destination Component (Version: 090.000.091.086)
DeviceDiscovery (Version: 90.0.146.000)
DeviceManagementQFolder (Version: 1.00.0000)
DocProc (Version: 9.0.0.0)
DocProcQFolder (Version: 1.00.0000)
eSupportQFolder (Version: 1.00.0000)
Fax (Version: 90.0.146.000)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.1.2003.1856)
Google Update Helper (Version: 1.3.21.79)
High Definition Audio Driver Package - KB888111 (Version: 20040219.000000)
HP Imaging Device Functions 9.0 (Version: 9.0)
HP OCR Software 9.0 (Version: 9.0)
HP Photo Creations (Version: 1.0.0.${CAB_VERSION})
HP Photosmart 6510 series Basic Device Software (Version: 24.0.342.0)
HP Photosmart 6510 series Help (Version: 140.0.2.2)
HP Photosmart All-In-One Software 9.0 (Version: 9.0)
HP Photosmart Essential 2.01 (Version: 2.01)
HP Photosmart Essential2.01 (Version: 1.01.0000)
HP Solution Center 9.0 (Version: 9.0)
HP Update (Version: 5.003.000.004)
HPProductAssistant (Version: 90.0.146.000)
Intel® Graphics Media Accelerator Driver
LiveUpdate 2.6 (Symantec Corporation) (Version: 2.6.18.0)
Lotus NotesSQL 3.01 driver
Lotus SmartSuite - English (Version: 9.8.0)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Professional Plus 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs (Version: 12.0.4518.1014)
Microsoft Silverlight (Version: 4.0.60831.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
MSXML 6 Service Pack 2 (KB973686) (Version: 6.20.2003.0)
PanoStandAlone (Version: 90.0.146.000)
Pretty Good Solitaire version 10.0.2 (Version: 10.0.2)
PS_AIO_02_ProductContext (Version: 90.0.189.000)
PS_AIO_02_Software (Version: 90.0.189.000)
PS_AIO_02_Software_min (Version: 90.0.189.000)
PSSWCORE (Version: 2.01.0000)
REALTEK GbE & FE Ethernet PCI-E NIC Driver (Version: 1.08.0000)
Realtek High Definition Audio Driver (Version: 5.10.0.5436)
Scan (Version: 9.0.0.0)
SolutionCenter (Version: 90.0.146.000)
Spelling Dictionaries Support For Adobe Reader 8 (Version: 8.0.0)
Status (Version: 90.0.146.000)
Symantec AntiVirus (Version: 10.0.1000.1)
Toolbox (Version: 90.0.146.000)
TrayApp (Version: 90.0.146.000)
UnloadSupport (Version: 9.0.0)
VideoToolkit01 (Version: 90.0.146.000)
Viewpoint Media Player
WebFldrs XP (Version: 9.50.7523)
WebReg (Version: 90.0.146.000)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0059.1)
Windows Imaging Component (Version: 3.0.0.0)
Windows Installer 3.1 (KB893803) (Version: 3.1)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Presentation Foundation (Version: 3.0.6920.0)
Windows XP Hotfix - KB873339 (Version: 20041117.092459)
Windows XP Hotfix - KB885835 (Version: 20041027.181713)
Windows XP Hotfix - KB885836 (Version: 20041028.173203)
Windows XP Hotfix - KB886185 (Version: 20041021.090540)
Windows XP Hotfix - KB887472 (Version: 20041014.162858)
Windows XP Hotfix - KB888302 (Version: 20041207.111426)
Windows XP Hotfix - KB890859 (Version: 1)
Windows XP Hotfix - KB891781 (Version: 20050110.165439)
XML Paper Specification Shared Components Pack 1.0

========================= Memory info: ===================================

Percentage of memory in use: 40%
Total physical RAM: 2035.63 MB
Available physical RAM: 1219.46 MB
Total Pagefile: 3928.68 MB
Available Pagefile: 3509.8 MB
Total Virtual: 2047.88 MB
Available Virtual: 1993.78 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:298.08 GB) (Free:279.93 GB) NTFS
4 Drive f: (STORE N GO) (Removable) (Total:7.45 GB) (Free:5.61 GB) FAT32

========================= Users: ========================================

User accounts for \\ALICE



========================= Minidump Files ==================================

No minidump file found

**** End of log ****

#6 boopme (Global Moderator)

Posted 11 November 2011 - 04:57 PM

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run from.

Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed.
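Once Result.txt is in hand, the sections that matter for a search-redirect case are the hosts file, the IE proxy lines, the nslookup/ping pairs and the Winsock catalog. The script below is an added example, not part of this thread and not MiniToolBox code: it parses a constructed sample in the tool's layout and lists what a helper would want to look at (unrelated names sharing one nslookup answer, ping resolving a name differently from nslookup, hosts entries beyond localhost, any proxy line, non-stock Winsock providers). The addresses, the `example_lsp.dll` entry and its vendor string in the sample are made up.

```python
import re

# Constructed sample in the MiniToolBox Result.txt layout (RFC 5737 addresses, invented LSP).
SAMPLE = """\
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================
127.0.0.1 localhost
203.0.113.5 www.example.com
========================= IP Configuration: ================================
Server: resolver.example.invalid
Address: 192.0.2.53

Name: google.com.
Address: 203.0.113.140

Pinging google.com [198.51.100.7] with 32 bytes of data:
Server: resolver.example.invalid
Address: 192.0.2.53

Name: yahoo.com.
Address: 203.0.113.140

Pinging yahoo.com [198.51.100.9] with 32 bytes of data:
========================= Winsock entries =====================================
Catalog5 01 C:\\Windows\\System32\\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\\Windows\\system32\\example_lsp.dll [12345] (Unknown Vendor)
"""

HEADER = re.compile(r"^=+\s*(?P<name>[^=]+?):?\s*=+\s*$")
NAME = re.compile(r"^Name:\s+(\S+?)\.?\s*$")
ADDRESS = re.compile(r"^Address(?:es)?:\s+(\S+)")
PING = re.compile(r"^Pinging\s+(\S+)\s+\[([^\]]+)\]")
WINSOCK = re.compile(r"^Catalog\d+\s+\d+\s+(\S+)\s+\[\d+\]\s+\((.*)\)\s*$")
KNOWN_MS_DLLS = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}  # stock XP providers seen in the thread's log

def split_sections(text):
    """Map each '===== Name: =====' header to the lines that follow it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group("name").strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def proxy_findings(lines):
    """Anything but the two lines the tool prints on a clean box is reported."""
    clean = {"Proxy is not enabled.", "No Proxy Server is set."}
    return ["proxy: " + ln.strip() for ln in lines
            if ln.strip() and not ln.startswith('"Reset') and ln.strip() not in clean]

def hosts_findings(lines):
    """Every mapping other than loopback -> localhost deserves a look."""
    out = []
    for parts in (ln.split("#", 1)[0].split() for ln in lines):
        if len(parts) >= 2 and not (parts[0] in ("127.0.0.1", "::1")
                                    and [n.lower() for n in parts[1:]] == ["localhost"]):
            out.append(f"hosts: {parts[0]} -> {' '.join(parts[1:])}")
    return out

def dns_findings(lines):
    """Compare nslookup answers with the address ping resolved for the same name."""
    lookups, pings, pending = {}, {}, None
    for line in (ln.strip() for ln in lines):
        if m := NAME.match(line):
            pending = m.group(1).lower()
        elif (m := ADDRESS.match(line)) and pending:  # the 'Server:' address has no pending name
            lookups[pending], pending = m.group(1), None
        elif m := PING.match(line):
            pings[m.group(1).lower()] = m.group(2)
    by_addr = {}
    for name, addr in lookups.items():
        by_addr.setdefault(addr, []).append(name)
    out = [f"dns: {', '.join(sorted(names))} all resolve to {addr}"
           for addr, names in by_addr.items() if len(names) > 1]  # unrelated names, one answer
    out += [f"dns: {name} nslookup={addr} ping={pings[name]}"
            for name, addr in lookups.items() if name in pings and pings[name] != addr]
    return out

def winsock_findings(lines):
    """Report LSP/namespace providers that are not the stock Microsoft DLLs."""
    out = []
    for m in filter(None, (WINSOCK.match(ln.strip()) for ln in lines)):
        path, vendor = m.groups()
        if (path.rsplit("\\", 1)[-1].lower() not in KNOWN_MS_DLLS
                or vendor != "Microsoft Corporation"):
            out.append(f"winsock: review {path} ({vendor or 'no vendor'})")
    return out

def triage(text):
    """Run all checks over one Result.txt and return the findings in section order."""
    s = split_sections(text)
    return (proxy_findings(s.get("IE Proxy Settings", []))
            + hosts_findings(s.get("Hosts content", []))
            + dns_findings(s.get("IP Configuration", []))
            + winsock_findings(s.get("Winsock entries", [])))
```

On a clean log `triage` returns an empty list; each finding names the section it came from so it can be matched back to the posted Result.txt.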

#7 weezer (Topic Starter)

Posted 14 November 2011 - 08:48 AM

Hi Boopme,

Here's the MiniToolBox info from the infected PC. I only took out the network IPs, not the host.

MiniToolBox by Farbar
Ran by AMuir on 14-11-2011 at 08:30:15
Microsoft Windows XP Service Pack 2 (X86)

***************************************************************************

========================= Flush DNS: ===================================
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================








127.0.0.1 localhost
127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip



popd
# End of interface IP configuration


Windows IP Configuration

Host Name . . . . . . . . . . . . : Alice
Primary Dns Suffix  . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . :

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC
Physical Address. . . . . . . . . : 00-1C-C0-29-31-7F
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.19.198
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.19.10
DHCP Server . . . . . . . . . . . : 192.168.19.10
DNS Servers . . . . . . . . . . . : 68.87.64.150
                                    68.87.75.198
Lease Obtained. . . . . . . . . . : Monday, November 14, 2011 8:29:49 AM
Lease Expires . . . . . . . . . . : Monday, November 14, 2011 8:33:49 AM

Server: cns.inflow.pa.bo.comcast.net
Address: 68.87.64.150

Name: google.com.
Address: 207.223.0.140

Pinging google.com [72.14.204.103] with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 72.14.204.103:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

Server: cns.inflow.pa.bo.comcast.net
Address: 68.87.64.150

Name: yahoo.com.
Address: 207.223.0.140

Pinging yahoo.com [72.30.2.43] with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 72.30.2.43:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1c c0 29 31 7f ...... Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.19.10 192.168.19.198 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.19.0 255.255.255.0 192.168.19.198 192.168.19.198 20
192.168.19.198 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.19.255 255.255.255.255 192.168.19.198 192.168.19.198 20
224.0.0.0 240.0.0.0 192.168.19.198 192.168.19.198 20
255.255.255.255 255.255.255.255 192.168.19.198 192.168.19.198 1
Default Gateway: 192.168.19.10
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (11/07/2011 03:09:55 PM) (Source: Symantec AntiVirus) (User: )
Description: Security Risk Found!Threat: Trojan.Gen.2 in File: C:\SYSTEM~1\_RESTO~1\RP907\A0064594.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Error: (11/07/2011 03:09:50 PM) (Source: Symantec AntiVirus) (User: )
Description: Threat Found!Threat: Trojan.Gen.2 in File: C:\System Volume Information\_restore{9695361B-139C-436D-A9CB-4C4BC7BEF95E}\RP907\A0064594.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Error: (11/07/2011 03:09:49 PM) (Source: Symantec AntiVirus) (User: )
Description: Security Risk Found!Threat: Trojan.Gen.2 in File: C:\SYSTEM~1\_RESTO~1\RP907\A0064594.exe by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.

Error: (11/07/2011 10:17:25 AM) (Source: Symantec AntiVirus) (User: )
Description: Security Risk Found!Threat: Trojan.Gen.2 in File: C:\DOCUME~1\AMuir\LOCALS~1\Temp\168f25.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Error: (11/07/2011 10:17:21 AM) (Source: Symantec AntiVirus) (User: )
Description: Threat Found!Threat: Trojan.Gen.2 in File: C:\Documents and Settings\AMuir\Local Settings\Temp\168f25.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Error: (11/07/2011 10:17:21 AM) (Source: Symantec AntiVirus) (User: )
Description: Security Risk Found!Threat: Trojan.Gen.2 in File: C:\DOCUME~1\AMuir\LOCALS~1\Temp\168f25.exe by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.

Error: (11/07/2011 10:03:24 AM) (Source: Symantec AntiVirus) (User: )
Description: Security Risk Found!Threat: Trojan.Gen.2 in File: C:\DOCUME~1\AMuir\LOCALS~1\APPLIC~1\ddl.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Error: (11/07/2011 10:00:21 AM) (Source: Symantec AntiVirus) (User: )
Description: Threat Found!Threat: Trojan.Gen.2 in File: C:\Documents and Settings\AMuir\Local Settings\Application Data\ddl.exe by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.

Error: (11/07/2011 10:00:21 AM) (Source: Symantec AntiVirus) (User: )
Description: Security Risk Found!Threat: Trojan.Gen.2 in File: C:\DOCUME~1\AMuir\LOCALS~1\APPLIC~1\ddl.exe by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.

Error: (10/27/2011 08:10:45 AM) (Source: Application Error) (User: )
Description: Faulting application eq5.exe, version 1.0.0.1, faulting module eqdraw.ocx, version 1.0.0.1, fault address 0x0000df12.
Processing media-specific event for [eq5.exe!ws!]


System errors:
=============
Error: (11/09/2011 02:13:06 PM) (Source: DCOM) (User: AMuir)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
to the user ALICE\AMuir SID (S-1-5-21-1801674531-630328440-839522115-1008). This security permission can be modified using the Component Services administrative tool.

Error: (11/09/2011 02:13:05 PM) (Source: DCOM) (User: AMuir)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
to the user ALICE\AMuir SID (S-1-5-21-1801674531-630328440-839522115-1008). This security permission can be modified using the Component Services administrative tool.

Error: (11/09/2011 07:30:30 AM) (Source: DCOM) (User: AMuir)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
to the user ALICE\AMuir SID (S-1-5-21-1801674531-630328440-839522115-1008). This security permission can be modified using the Component Services administrative tool.

Error: (11/07/2011 11:43:33 AM) (Source: BROWSER) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{E0693F6C-4870-4C6F-AE5F-9BC2C5F7F384}.
The backup browser is stopping.

Error: (11/07/2011 08:39:34 AM) (Source: DCOM) (User: AMuir)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
to the user ALICE\AMuir SID (S-1-5-21-1801674531-630328440-839522115-1008). This security permission can be modified using the Component Services administrative tool.

Error: (11/04/2011 00:31:47 PM) (Source: Print) (User: AMuir)
Description: The document 10 Oct 2011 Monthly Report.xlsx owned by AMuir failed to print on printer HP Photosmart C4380 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 0. Number of bytes printed: 0. Total number of pages in the document: 0. Number of pages printed: 0. Client machine: \\ALICE. Win32 error code returned by the print processor: 10 Oct 2011 Monthly Report.xlsx0. 10 Oct 2011 Monthly Report.xlsx1

Error: (11/04/2011 06:51:27 AM) (Source: DCOM) (User: AMuir)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
to the user ALICE\AMuir SID (S-1-5-21-1801674531-630328440-839522115-1008). This security permission can be modified using the Component Services administrative tool.

Error: (11/03/2011 11:01:14 AM) (Source: Print) (User: AMuir)
Description: The document 10 Oct 2011 Monthly Report.xlsx owned by AMuir failed to print on printer HP Photosmart C4380 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 0. Number of bytes printed: 0. Total number of pages in the document: 0. Number of pages printed: 0. Client machine: \\ALICE. Win32 error code returned by the print processor: 10 Oct 2011 Monthly Report.xlsx0. 10 Oct 2011 Monthly Report.xlsx1

Error: (11/02/2011 00:53:27 PM) (Source: DCOM) (User: AMuir)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
to the user ALICE\AMuir SID (S-1-5-21-1801674531-630328440-839522115-1008). This security permission can be modified using the Component Services administrative tool.

Error: (11/02/2011 06:50:17 AM) (Source: BROWSER) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{E0693F6C-4870-4C6F-AE5F-9BC2C5F7F384}.
The backup browser is stopping.


Microsoft Office Sessions:
=========================
Error: (07/01/2011 02:05:16 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6557.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1865 seconds with 1380 seconds of active time. This session ended with a crash.

Error: (10/04/2010 10:13:41 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6535.5002, Microsoft Office Version: 12.0.6425.1000. This session lasted 2111 seconds with 1800 seconds of active time. This session ended with a crash.

Error: (09/24/2009 10:22:53 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1 seconds with 0 seconds of active time. This session ended with a crash.

Error: (09/24/2009 10:22:49 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 4 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/19/2009 00:48:33 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 2 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/19/2009 00:47:17 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/19/2009 00:47:09 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 2 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/19/2009 00:45:40 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 6 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/07/2009 01:26:51 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/07/2009 01:26:45 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1 seconds with 0 seconds of active time. This session ended with a crash.


=========================== Installed Programs ============================

32 Bit HP CIO Components Installer (Version: 1.0.0)
Ad-Aware (Version: 9.6.0)
Adobe Flash Player 10 ActiveX (Version: 10.2.153.1)
Adobe Reader 8.1.3 (Version: 8.1.3)
AIO_Scan (Version: 90.0.189.000)
AOL Registration
AOL Uninstaller (Choose which Products to Remove)
BufferChm (Version: 90.0.146.000)
C4380 (Version: 90.0.189.000)
C4380_doccd (Version: 90.0.189.000)
C4380_Help (Version: 90.0.189.000)
Copy (Version: 90.0.146.000)
Coupon Printer for Windows (Version: 5.0.0.0)
Destination Component (Version: 090.000.091.086)
DeviceDiscovery (Version: 90.0.146.000)
DeviceManagementQFolder (Version: 1.00.0000)
DocProc (Version: 9.0.0.0)
DocProcQFolder (Version: 1.00.0000)
eSupportQFolder (Version: 1.00.0000)
Fax (Version: 90.0.146.000)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.1.2003.1856)
Google Update Helper (Version: 1.3.21.79)
High Definition Audio Driver Package - KB888111 (Version: 20040219.000000)
HP Imaging Device Functions 9.0 (Version: 9.0)
HP OCR Software 9.0 (Version: 9.0)
HP Photo Creations (Version: 1.0.0.${CAB_VERSION})
HP Photosmart 6510 series Basic Device Software (Version: 24.0.342.0)
HP Photosmart 6510 series Help (Version: 140.0.2.2)
HP Photosmart All-In-One Software 9.0 (Version: 9.0)
HP Photosmart Essential 2.01 (Version: 2.01)
HP Photosmart Essential2.01 (Version: 1.01.0000)
HP Solution Center 9.0 (Version: 9.0)
HP Update (Version: 5.003.000.004)
HPProductAssistant (Version: 90.0.146.000)
Intel® Graphics Media Accelerator Driver
LiveUpdate 2.6 (Symantec Corporation) (Version: 2.6.18.0)
Lotus NotesSQL 3.01 driver
Lotus SmartSuite - English (Version: 9.8.0)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Professional Plus 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs (Version: 12.0.4518.1014)
Microsoft Silverlight (Version: 4.0.60831.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
MSXML 6 Service Pack 2 (KB973686) (Version: 6.20.2003.0)
PanoStandAlone (Version: 90.0.146.000)
Pretty Good Solitaire version 10.0.2 (Version: 10.0.2)
PS_AIO_02_ProductContext (Version: 90.0.189.000)
PS_AIO_02_Software (Version: 90.0.189.000)
PS_AIO_02_Software_min (Version: 90.0.189.000)
PSSWCORE (Version: 2.01.0000)
REALTEK GbE & FE Ethernet PCI-E NIC Driver (Version: 1.08.0000)
Realtek High Definition Audio Driver (Version: 5.10.0.5436)
Scan (Version: 9.0.0.0)
SolutionCenter (Version: 90.0.146.000)
Spelling Dictionaries Support For Adobe Reader 8 (Version: 8.0.0)
Status (Version: 90.0.146.000)
Symantec AntiVirus (Version: 10.0.1000.1)
Toolbox (Version: 90.0.146.000)
TrayApp (Version: 90.0.146.000)
UnloadSupport (Version: 9.0.0)
VideoToolkit01 (Version: 90.0.146.000)
Viewpoint Media Player
WebFldrs XP (Version: 9.50.7523)
WebReg (Version: 90.0.146.000)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0059.1)
Windows Imaging Component (Version: 3.0.0.0)
Windows Installer 3.1 (KB893803) (Version: 3.1)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Presentation Foundation (Version: 3.0.6920.0)
Windows XP Hotfix - KB873339 (Version: 20041117.092459)
Windows XP Hotfix - KB885835 (Version: 20041027.181713)
Windows XP Hotfix - KB885836 (Version: 20041028.173203)
Windows XP Hotfix - KB886185 (Version: 20041021.090540)
Windows XP Hotfix - KB887472 (Version: 20041014.162858)
Windows XP Hotfix - KB888302 (Version: 20041207.111426)
Windows XP Hotfix - KB890859 (Version: 1)
Windows XP Hotfix - KB891781 (Version: 20050110.165439)
XML Paper Specification Shared Components Pack 1.0

========================= Memory info: ===================================

Percentage of memory in use: 42%
Total physical RAM: 2035.63 MB
Available physical RAM: 1176.67 MB
Total Pagefile: 3928.68 MB
Available Pagefile: 3542.12 MB
Total Virtual: 2047.88 MB
Available Virtual: 1993.78 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:298.08 GB) (Free:279.97 GB) NTFS
4 Drive f: (STORE N GO) (Removable) (Total:7.45 GB) (Free:5.61 GB) FAT32

========================= Users: ========================================



========================= Minidump Files ==================================

No minidump file found

**** End of log ****
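Triage of the Installed Programs section of the MiniToolBox log above, as an added example in Python that is not part of this thread, of MiniToolBox, or of any tool the helpers recommend. It parses the `Name (Version: x.y.z)` lines the log uses, compares each version against a baseline the analyst supplies, and reports entries whose version string is not numeric (such as the unexpanded `${CAB_VERSION}` placeholder) and names that appear more than once (the two Google Toolbar entries). The sample lines are copied from the log above in the same format; the `BASELINE` minimum versions and the section titles it keys on are assumptions for illustration, not facts taken from the page.

```python
"""Triage the "Installed Programs" section of a MiniToolBox log.

Added example, not part of the BleepingComputer thread or of MiniToolBox.
Parses ``Name (Version: 1.2.3)`` lines as they appear in the posted log
and flags entries below an analyst-supplied baseline.  BASELINE values
are ASSUMPTIONS chosen for the example, not facts from the page.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a few lines copied from the posted log's format.
SAMPLE_LOG = """\
=========================== Installed Programs ============================

Adobe Flash Player 10 ActiveX (Version: 10.2.153.1)
Adobe Reader 8.1.3 (Version: 8.1.3)
AOL Registration
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.1.2003.1856)
HP Photo Creations (Version: 1.0.0.${CAB_VERSION})
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
Symantec AntiVirus (Version: 10.0.1000.1)
Windows Internet Explorer 7 (Version: 20070813.185237)

========================= Memory info: ===================================

Percentage of memory in use: 42%
"""

# Analyst-supplied baseline: program-name prefix -> minimum acceptable
# version.  ASSUMED values for illustration; replace with current releases.
BASELINE: Dict[str, Tuple[int, ...]] = {
    "Adobe Reader": (9, 0, 0),
    "Adobe Flash Player": (11, 0, 0),
    "Symantec AntiVirus": (10, 1, 0),
}

# "Name" or "Name (Version: anything-but-a-close-paren)"
ENTRY_RE = re.compile(r"^(?P<name>.+?)(?: \(Version: (?P<version>[^)]*)\))?$")
# "=== Title ===" or "=== Title: ===" section banners as MiniToolBox prints them
SECTION_RE = re.compile(r"^=+ (?P<title>.+?):? =+$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'10.2.153.1' -> (10, 2, 153, 1); any non-numeric component -> None."""
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def extract_installed_programs(log: str) -> List[Tuple[str, Optional[str]]]:
    """Return (name, version_text) pairs from the Installed Programs section only."""
    programs: List[Tuple[str, Optional[str]]] = []
    in_section = False
    for raw in log.splitlines():
        line = raw.rstrip()
        banner = SECTION_RE.match(line)
        if banner:
            in_section = banner.group("title").strip() == "Installed Programs"
            continue
        if not in_section or not line:
            continue
        entry = ENTRY_RE.match(line)  # always matches a non-empty line
        programs.append((entry.group("name"), entry.group("version")))
    return programs


def triage(log: str, baseline: Dict[str, Tuple[int, ...]] = BASELINE) -> Dict[str, List[str]]:
    """Compare parsed entries against the baseline; collect three kinds of findings."""
    findings: Dict[str, List[str]] = {"below_baseline": [], "unparsed_version": [], "duplicate": []}
    seen: Dict[str, List[Optional[str]]] = {}
    for name, vtext in extract_installed_programs(log):
        seen.setdefault(name, []).append(vtext)
        if vtext is None:
            continue  # no version recorded; nothing to compare
        version = parse_version(vtext)
        if version is None:
            findings["unparsed_version"].append(f"{name} ({vtext})")
            continue
        for prefix, minimum in baseline.items():
            # tuple comparison is element-wise, so (8,1,3) < (9,0,0) as intended
            if name.startswith(prefix) and version < minimum:
                findings["below_baseline"].append(
                    f"{name} {vtext} < {'.'.join(map(str, minimum))}")
    for name, versions in seen.items():
        if len(versions) > 1:
            findings["duplicate"].append(f"{name}: {versions}")
    return findings


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("  ", item)
```

To use it on a real log, replace `SAMPLE_LOG` with the file contents and extend `BASELINE` with the versions you currently consider acceptable; the duplicate and unparsed entries are reported as-is because, during triage, a program registered twice or an installer that left a variable unexpanded is worth a second look before anything is uninstalled.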

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,914 posts
  • Gender:Male
  • Location:NJ USA

Posted 14 November 2011 - 03:38 PM

OK One more look...
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (2.6.11.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#9 weezer

weezer
  • Topic Starter

  • Members
  • 48 posts

Posted 15 November 2011 - 08:27 AM

Oh boy! TDSSKiller.exe can be run on the admin desktop (with no threats found). When I download it to the infected host desktop it will not initialize even renamed as instructed. I downloaded and renamed it several times to the infected desktop. Am I missing something?

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,914 posts
  • Gender:Male
  • Location:NJ USA

Posted 15 November 2011 - 01:30 PM

Download the FixTDSS.exe

Save the file to your Windows desktop.
Close all running programs.
If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
Double-click the FixTDSS.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
Restart the computer when prompted by the tool.
After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
If you are running Windows XP, re-enable System Restore.

#11 weezer

weezer
  • Topic Starter

  • Members
  • 48 posts

Posted 15 November 2011 - 02:19 PM

I ran FixTDSS.exe as administrator and got the following message: Backdoor Tidserv has not been found on your computer.

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,914 posts
  • Gender:Male
  • Location:NJ USA

Posted 15 November 2011 - 08:03 PM

It appears we have something else.

We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run,skip it and move on.
Include a link back to this topic.

Let me know if that went well.



