Ping.exe overloading system & Google re-direct


  • This topic is locked
56 replies to this topic

#1 JayMoon

JayMoon

  • Members
  • 30 posts

Posted 01 December 2011 - 09:45 AM

The system is running extremely slowly and Google has been re-directing at every link. Some of the times a search result link is clicked, a dozen or more new tabs will open in a new browser window. Some of these tabs are random pages and some are blank tabs. As I poked around to see what processes were running, I noticed Ping.exe. If I manually terminate the process, Google doesn't re-direct; however, Ping.exe will restart in seconds and the problem is back. I experimented and terminated the process, then renamed Ping.exe in the System32 folder to xping.exe to see if the process would continue to start. Not only did it re-start as its original name, but a new Ping.exe showed up in the folder.

I attempted to run dds.scr but it won't run or scan and I only get a notepad doc with characters and little embedded text stating the program can't be run in dos mode. Because it wouldn't scan, it didn't produce dds.txt or attach.txt files. I've pasted the first 1/3 or so of the text from the dds.scr error message below as it looks like only that portion has any discernible language. I was able to run GMER and it did notify that a modification was found to be caused by rootkit activity. Only the ark.txt file is attached as the dds.scr error message file is too large to attach here and the other two couldn't be generated.

Any help you can give will be much appreciated. This system is having major issues.

Thanks - Jay


dds.scr error message:


MZ ... This program cannot be run in DOS mode.
PE ... UPX0 UPX1 .rsrc ... 3.07 UPX!
(UPX-packed code section: binary bytes, not reproduced)
... RichEdit20A32 ... .DEFAULT\Control Panel\International ... Desktop\ResourceLocale ... Internet Explorer\Quick Launch ...
... verifying installer: %d%% ... unpacking data ... Installer integrity check has failed. Common causes include ... to obtain a new copy.
More information at: http://nsis.sf.net/NSIS_Error
... FOLDER ... ADVAPI32 ... KERNEL32 ... *.*

VS_VERSION_INFO / StringFileInfo 040904e4
Comments: Noninvasive diagnostic scanner
CompanyName: Swearware
FileDescription: DDS, Doesn't Do Squat
FileVersion: 2011.08.26.01
InternalName: dds.exe
LegalCopyright: sUBs
OriginalFileName: dds.exe
ProductName: DDS
VarFileInfo / Translation

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

Imports: KERNEL32.DLL ADVAPI32.dll COMCTL32.dll GDI32.dll ole32.dll SHELL32.dll USER32.dll VERSION.dll LoadLibraryA GetProcAddress VirtualProtect VirtualAlloc VirtualFree ExitProcess RegEnumKeyA SetBkMode CoTaskMemFree ShellExecuteA GetDC VerQueryValueA
NullsoftInst
(remaining bytes of the dump are binary, not reproduced)

Attached Files

  • ark.txt (12.17 KB)



#2 JayMoon

JayMoon
  • Topic Starter

  • Members
  • 30 posts

Posted 01 December 2011 - 10:30 AM

Sorry - I didn't give you any system info:

Dell Optiplex 745
XP Pro SP3 v2002
Core 2 4300 @ 1.8
1.79GHz, 1GB RAM

I've run Malwarebytes and it has found infections but apparently they were unrelated to this problem.

Also - whatever the issue is seems to have disabled Symantec Endpoint.

#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,703 posts

Posted 06 December 2011 - 09:50 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/430216 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 JayMoon

JayMoon
  • Topic Starter

  • Members
  • 30 posts

Posted 06 December 2011 - 10:44 AM

As requested, I'm replying that I do still need help.

I'm still unable to run dds but the new GMER scan is running now.

I do have the XP Pro SP2 Re-installation CD.

32bit system
Dell Optiplex 745
XP Pro SP3 v2002
Core 2 4300 @ 1.8
1.79GHz, 1GB RAM

#5 JayMoon

JayMoon
  • Topic Starter

  • Members
  • 30 posts

Posted 06 December 2011 - 01:00 PM

Update: The GMER scan can't be completed - the system has shut down (blue screen of death) twice trying to run it. I'll post the exact error & shutdown messages next time it happens, but the blue screen comes after a winlogon shut down error message. Once I close that error message window, Windows shuts down with a blue screen.

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts

Posted 07 December 2011 - 10:06 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


The first thing I would like you to do is run this for me (http://download.bleepingcomputer.com/grinler/unhide.exe). After it is complete, restart the computer and continue with these steps.


Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in

    %TEMP%\smtmp\*.* /s

  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTListIt.txt in your next reply.


information and logs:

  • In your next post I need the following:
    • logs from OTL
    • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 JayMoon

JayMoon
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE

Posted 07 December 2011 - 11:09 AM

Hey Gringo - thanks for jumping in. Unhide ran with no apparent issues and the OTL log is below.

I tried four times to add this reply on the affected computer. I kept getting "connection was reset" errors and had to close the tab and open a new one to get back to this page every time. I'm sending this from another computer.

OTL logfile created on: 12/7/2011 10:44:58 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\jmoon\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.54 Mb Total Physical Memory | 416.88 Mb Available Physical Memory | 41.13% Memory free
3.24 Gb Paging File | 2.78 Gb Available in Paging File | 85.77% Paging File free
Paging file location(s): C:\pagefile.sys 2400 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.45 Gb Total Space | 53.94 Gb Free Space | 72.44% Space Free | Partition Type: NTFS
Drive Z: | 231.83 Gb Total Space | 185.65 Gb Free Space | 80.08% Space Free | Partition Type: NTFS

Computer Name: URBANE-93746985 | User Name: jmoon | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\jmoon\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\WINDOWS\Temp\_ex-68.exe ()
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Documents and Settings\jmoon\Local Settings\Application Data\Akamai\netsession_win.exe (Akamai Technologies, Inc)
PRC - C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe (Uniblue Systems Limited)
PRC - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)


========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\Temp\_ex-68.exe ()
MOD - C:\WINDOWS\system32\6to4v32.dll ()
MOD - C:\WINDOWS\system32\sqlesw32.dll ()
MOD - C:\Program Files\Mozilla Firefox\mozjs.dll ()
MOD - C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
MOD - C:\Program Files\FileZilla FTP Client\fzshellext.dll ()
MOD - C:\WINDOWS\system32\Primomonnt.dll ()
MOD - \\?\globalroot\systemroot\system32\mswsock.dll ()
MOD - \\.\globalroot\systemroot\system32\mswsock.dll ()


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (DataSvr2) -- File not found
SRV - (6to4) -- C:\WINDOWS\system32\6to4v32.dll ()
SRV - (SqlCSS) -- C:\WINDOWS\system32\sqlcsw32.dll (Intel Corporation )
SRV - (ccSetMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (ccEvtMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (SmcService) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (Symantec Corporation)
SRV - (SNAC) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE (Symantec Corporation)
SRV - (Symantec AntiVirus) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE (Symantec Corporation)


========== Driver Services (SafeList) ==========

DRV - (NPF) WinPcap Packet Driver (NPF) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies, Inc.)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (NAVEX15) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20111128.002\NAVEX15.SYS (Symantec Corporation)
DRV - (NAVENG) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20111128.002\NAVENG.SYS (Symantec Corporation)
DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (SRTSPL) -- C:\WINDOWS\system32\drivers\srtspl.sys (Symantec Corporation)
DRV - (SRTSP) -- C:\WINDOWS\system32\drivers\srtsp.sys (Symantec Corporation)
DRV - (SRTSPX) -- C:\WINDOWS\system32\drivers\srtspx.sys (Symantec Corporation)
DRV - (SPBBCDrv) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
DRV - (SYMTDI) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS (Symantec Corporation)
DRV - (SYMREDRV) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (Symantec Corporation)
DRV - (COH_Mon) -- C:\WINDOWS\system32\drivers\COH_Mon.sys (Symantec Corporation)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (SenFiltService) -- C:\WINDOWS\system32\drivers\senfilt.sys (Sensaura)
DRV - (DLAUDFAM) -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS (Sonic Solutions)
DRV - (DLAUDF_M) -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS (Sonic Solutions)
DRV - (DLAIFS_M) -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS (Sonic Solutions)
DRV - (DLABOIOM) -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS (Sonic Solutions)
DRV - (DLAOPIOM) -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS (Sonic Solutions)
DRV - (DLAPoolM) -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS (Sonic Solutions)
DRV - (DLADResN) -- C:\WINDOWS\system32\DLA\DLADResN.SYS (Sonic Solutions)
DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Sonic Solutions)
DRV - (DLARTL_N) -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS (Sonic Solutions)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3014567974-160216032-1282719925-1138\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-3014567974-160216032-1282719925-1138\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-3014567974-160216032-1282719925-1138\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-3014567974-160216032-1282719925-1138\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 78 6D 59 26 43 B4 CC 01 [binary data]
IE - HKU\S-1-5-21-3014567974-160216032-1282719925-1138\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig"

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products Ltd.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products Ltd.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products Ltd.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/29 13:21:02 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/11/28 08:54:52 | 000,000,000 | ---D | M]

[2011/11/29 13:22:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\jmoon\Application Data\Mozilla\Extensions
[2011/11/29 13:21:02 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/11/20 23:04:51 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2000/01/01 03:00:00 | 000,170,080 | ---- | M] (Tracker Software Products Ltd.) -- C:\Program Files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll
[2011/11/20 20:04:05 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/20 20:04:05 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2011/11/30 12:48:33 | 000,001,392 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 217.23.4.166 www.google-analytics.com.
O1 - Hosts: 217.23.4.166 ad-emea.doubleclick.net.
O1 - Hosts: 217.23.4.166 www.statcounter.com.
O1 - Hosts: 69.72.252.254 www.google-analytics.com.
O1 - Hosts: 69.72.252.254 ad-emea.doubleclick.net.
O1 - Hosts: 69.72.252.254 www.statcounter.com.
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [MozillaAgent] C:\WINDOWS\Temp\_ex-68.exe ()
O4 - HKU\S-1-5-21-3014567974-160216032-1282719925-1138..\Run: [Akamai NetSession Interface] C:\Documents and Settings\jmoon\Local Settings\Application Data\Akamai\netsession_win.exe (Akamai Technologies, Inc)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3014567974-160216032-1282719925-1138\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - mswsock.dll File not found
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265306682487 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Urbane.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6C8E2D45-8E51-4C99-9AB6-D916F851E019}: DhcpNameServer = 192.168.1.2
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\sqlesw32: DllName - (sqlesw32.dll) - C:\WINDOWS\System32\sqlesw32.dll ()
O20 - Winlogon\Notify\Sqlseses: DllName - (sqlesw32.dll) - C:\WINDOWS\System32\sqlesw32.dll ()
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/11/17 09:24:00 | 000,000,000 | ---D | M] - C:\Autodesk -- [ NTFS ]
O32 - AutoRun File - [2010/02/04 11:39:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/07 10:43:44 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\jmoon\Desktop\OTL.exe
[2011/12/06 13:42:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/12/06 13:41:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/12/01 10:49:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Desktop\SGM PV Panel Submittal
[2011/11/30 16:18:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Desktop\TEMPLATE PROJECT FOLDER
[2011/11/30 15:38:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Desktop\gmer
[2011/11/30 15:33:06 | 000,607,260 | ---- | C] (Swearware) -- C:\Documents and Settings\jmoon\Desktop\dds(1).scr
[2011/11/30 12:48:38 | 000,187,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\acpi.sys
[2011/11/30 12:47:52 | 000,281,104 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\wpcap.dll
[2011/11/30 12:47:52 | 000,050,704 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\drivers\npf.sys
[2011/11/30 12:47:51 | 000,100,880 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\Packet.dll
[2011/11/30 12:47:37 | 000,162,304 | ---- | C] (Intel Corporation ) -- C:\WINDOWS\System32\sqlcsw32.dll
[2011/11/30 10:22:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/11/29 13:21:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Application Data\Mozilla
[2011/11/29 13:15:45 | 014,761,224 | ---- | C] (Mozilla) -- C:\Documents and Settings\jmoon\Desktop\Firefox Setup 8.0.1.exe
[2011/11/29 09:11:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/11/28 13:50:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/11/28 13:50:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/11/28 08:54:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\PDF-XChange PDF Viewer
[2011/11/28 08:54:35 | 000,000,000 | ---D | C] -- C:\Program Files\Tracker Software
[2011/11/17 09:44:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Autodesk
[2011/11/17 09:42:32 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Autodesk Shared
[2011/11/17 09:42:32 | 000,000,000 | ---D | C] -- C:\Program Files\Autodesk
[2011/11/17 09:42:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Local Settings\Application Data\Autodesk
[2011/11/17 09:41:59 | 001,974,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_42.dll
[2011/11/17 09:41:58 | 000,235,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx11_42.dll
[2011/11/17 09:41:57 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_42.dll
[2011/11/17 09:41:56 | 001,892,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_42.dll
[2011/11/17 09:41:45 | 002,388,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_30.dll
[2011/11/17 09:41:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\Logs
[2011/11/17 09:30:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Application Data\Autodesk
[2011/11/17 09:30:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Autodesk
[2011/11/17 09:24:00 | 000,000,000 | ---D | C] -- C:\Autodesk
[2011/11/17 09:21:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Local Settings\Application Data\Akamai
[2011/11/16 08:53:35 | 000,000,000 | R--D | C] -- C:\Documents and Settings\jmoon\Start Menu\Programs\Administrative Tools
[2011/11/15 13:56:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Application Data\PrimoPDF
[2011/11/15 13:51:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\PrimoPDF
[2011/11/15 13:51:19 | 000,000,000 | ---D | C] -- C:\Program Files\Nitro PDF
[2011/11/15 12:32:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Local Settings\Application Data\Temp
[2011/11/15 11:59:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2011/11/14 12:14:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Application Data\Uniblue
[2011/11/14 12:14:01 | 000,000,000 | ---D | C] -- C:\Program Files\Uniblue
[2011/11/14 12:14:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Uniblue
[2011/11/14 12:14:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
[2011/11/14 12:13:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Local Settings\Application Data\PackageAware
[2011/11/14 11:55:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\My Documents\Downloads
[2011/11/14 11:47:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Local Settings\Application Data\Mozilla
[2011/11/14 11:47:22 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2011/11/14 11:43:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Application Data\Malwarebytes
[2011/11/14 11:43:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/11/14 11:43:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/11/14 11:43:39 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/11/14 11:43:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/11/14 09:52:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Application Data\FileZilla
[2011/11/14 09:51:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\FileZilla FTP Client
[2011/11/14 09:51:28 | 000,000,000 | ---D | C] -- C:\Program Files\FileZilla FTP Client
[2011/11/11 11:55:08 | 000,000,000 | ---D | C] -- C:\Scans
[2011/11/11 11:19:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Application Data\Sun
[2011/11/11 10:15:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Application Data\Adobe
[2011/11/11 09:58:45 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\jmoon\IECompatCache
[2011/11/11 09:56:42 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\jmoon\PrivacIE
[2011/11/11 09:54:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Application Data\Windows Desktop Search
[2011/11/11 09:54:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Local Settings\Application Data\Identities
[2011/11/11 09:54:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Application Data\Identities
[2011/11/11 09:54:43 | 000,000,000 | R--D | C] -- C:\Documents and Settings\jmoon\My Documents\My Music
[2011/11/11 09:54:42 | 000,000,000 | R--D | C] -- C:\Documents and Settings\jmoon\My Documents\My Pictures
[2011/11/11 09:54:42 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\jmoon\IETldCache
[2011/11/11 09:54:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Local Settings\Application Data\Symantec
[2011/11/11 09:54:37 | 000,000,000 | --SD | C] -- C:\Documents and Settings\jmoon\Application Data\Microsoft
[2011/11/11 09:54:37 | 000,000,000 | R--D | C] -- C:\Documents and Settings\jmoon\Favorites
[2011/11/11 09:54:37 | 000,000,000 | R--D | C] -- C:\Documents and Settings\jmoon\Application Data
[2011/11/11 09:54:37 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\jmoon\Cookies
[2011/11/11 09:54:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Local Settings\Application Data\Microsoft
[2011/11/11 09:54:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Application Data\Macromedia
[2011/11/11 09:54:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Desktop
[2011/11/11 09:54:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Local Settings\Application Data\Adobe
[2011/11/11 09:54:36 | 000,000,000 | R--D | C] -- C:\Documents and Settings\jmoon\Start Menu\Programs\Startup
[2011/11/11 09:54:36 | 000,000,000 | R--D | C] -- C:\Documents and Settings\jmoon\Start Menu
[2011/11/11 09:54:36 | 000,000,000 | R--D | C] -- C:\Documents and Settings\jmoon\SendTo
[2011/11/11 09:54:36 | 000,000,000 | R--D | C] -- C:\Documents and Settings\jmoon\Recent
[2011/11/11 09:54:36 | 000,000,000 | R--D | C] -- C:\Documents and Settings\jmoon\My Documents
[2011/11/11 09:54:36 | 000,000,000 | R--D | C] -- C:\Documents and Settings\jmoon\Start Menu\Programs\Accessories
[2011/11/11 09:54:36 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\jmoon\Local Settings
[2011/11/11 09:54:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\Templates
[2011/11/11 09:54:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\PrintHood
[2011/11/11 09:54:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jmoon\NetHood
[2011/11/11 09:31:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\WindowsPowerShell
[2011/11/11 09:31:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\winrm
[2011/11/11 09:31:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\$968930Uinstall_KB968930$
[2011/11/11 09:30:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2011/11/11 09:30:02 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Desktop Search
[2011/11/11 09:30:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\GroupPolicy
[2011/11/11 09:29:04 | 000,029,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mimefilt.dll
[2011/11/11 09:29:03 | 000,192,000 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\offfilt.dll
[2011/11/11 09:29:03 | 000,098,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\nlhtml.dll
[2011/11/11 09:28:55 | 000,016,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2011/11/11 09:28:38 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Media Connect 2
[2011/11/11 09:26:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\UMDF
[2011/11/11 09:26:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/12/07 10:43:45 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jmoon\Desktop\OTL.exe
[2011/12/07 10:41:38 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/07 10:41:35 | 000,000,264 | ---- | M] () -- C:\WINDOWS\tasks\RegistryBooster.job
[2011/12/07 10:38:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/07 10:36:21 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/12/07 10:22:26 | 000,684,297 | ---- | M] () -- C:\Documents and Settings\jmoon\Desktop\unhide.exe
[2011/12/02 08:51:12 | 000,527,342 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/12/02 08:51:12 | 000,096,690 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/12/01 11:43:50 | 001,996,521 | ---- | M] () -- C:\Documents and Settings\jmoon\Desktop\SGM PV Panel Submittal.zip
[2011/12/01 10:01:33 | 001,008,114 | ---- | M] () -- C:\Documents and Settings\jmoon\Desktop\rkill.com
[2011/11/30 15:37:34 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\jmoon\Desktop\gmer.zip
[2011/11/30 15:33:07 | 000,607,260 | ---- | M] (Swearware) -- C:\Documents and Settings\jmoon\Desktop\dds(1).scr
[2011/11/30 12:51:25 | 000,100,926 | ---- | M] () -- C:\WINDOWS\System32\itusbcore.dat
[2011/11/30 12:51:25 | 000,000,196 | ---- | M] () -- C:\WINDOWS\System32\itlsvc.dat
[2011/11/30 12:48:33 | 000,001,392 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/11/30 12:47:52 | 000,281,104 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\wpcap.dll
[2011/11/30 12:47:52 | 000,100,880 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\Packet.dll
[2011/11/30 12:47:52 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\drivers\npf.sys
[2011/11/30 12:47:42 | 000,053,248 | ---- | M] () -- C:\WINDOWS\System32\6to4v32.dll
[2011/11/30 12:47:37 | 000,162,304 | ---- | M] (Intel Corporation ) -- C:\WINDOWS\System32\sqlcsw32.dll
[2011/11/30 12:47:36 | 000,037,888 | ---- | M] () -- C:\WINDOWS\System32\sqlesw32.dll
[2011/11/30 10:39:56 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\jmoon\defogger_reenable
[2011/11/30 03:29:54 | 000,462,848 | ---- | M] () -- C:\WINDOWS\System32\0.6356031451267443.exe
[2011/11/29 13:38:54 | 004,845,856 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\jmoon\Desktop\procexp.exe
[2011/11/29 13:21:20 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/11/29 13:16:15 | 014,761,224 | ---- | M] (Mozilla) -- C:\Documents and Settings\jmoon\Desktop\Firefox Setup 8.0.1.exe
[2011/11/28 08:54:42 | 000,000,866 | ---- | M] () -- C:\Documents and Settings\jmoon\Desktop\PDF-Viewer.lnk
[2011/11/17 09:46:21 | 000,341,832 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/11/17 09:44:50 | 000,001,866 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DWG TrueView 2012.lnk
[2011/11/17 09:23:17 | 222,364,016 | ---- | M] () -- C:\Documents and Settings\jmoon\My Documents\SetupDWGTrueView2012_32bit.exe
[2011/11/15 13:51:37 | 000,000,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PrimoPDF - Drop Files Here to Convert!.lnk
[2011/11/15 13:51:23 | 000,000,314 | ---- | M] () -- C:\WINDOWS\primopdf.ini
[2011/11/15 12:01:15 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/11/14 15:14:39 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/11/14 12:14:03 | 000,001,493 | ---- | M] () -- C:\Documents and Settings\jmoon\Desktop\Uniblue RegistryBooster.lnk
[2011/11/14 12:14:03 | 000,001,477 | ---- | M] () -- C:\Documents and Settings\jmoon\Application Data\Microsoft\Internet Explorer\Quick Launch\Uniblue RegistryBooster.lnk
[2011/11/14 11:43:44 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/11/14 09:51:39 | 000,001,663 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\FileZilla Client.lnk
[2011/11/12 03:01:33 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/11/11 12:46:55 | 000,000,410 | ---- | M] () -- C:\Documents and Settings\jmoon\Desktop\Shortcut to Scans.lnk
[2011/11/11 11:33:30 | 000,000,630 | ---- | M] () -- C:\Documents and Settings\jmoon\My Documents\SWWATER.INI
[2011/11/11 10:23:13 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\jmoon\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2011/11/11 10:22:22 | 000,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2011/11/11 09:54:50 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\jmoon\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/11/11 09:54:49 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\jmoon\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2011/11/11 09:30:11 | 000,001,787 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
[2011/11/11 09:28:49 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2011/11/11 09:28:49 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2011/11/11 09:26:43 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/07 10:22:24 | 000,684,297 | ---- | C] () -- C:\Documents and Settings\jmoon\Desktop\unhide.exe
[2011/12/01 11:43:49 | 001,996,521 | ---- | C] () -- C:\Documents and Settings\jmoon\Desktop\SGM PV Panel Submittal.zip
[2011/12/01 10:01:32 | 001,008,114 | ---- | C] () -- C:\Documents and Settings\jmoon\Desktop\rkill.com
[2011/11/30 15:37:32 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\jmoon\Desktop\gmer.zip
[2011/11/30 12:51:25 | 000,100,926 | ---- | C] () -- C:\WINDOWS\System32\itusbcore.dat
[2011/11/30 12:51:25 | 000,000,196 | ---- | C] () -- C:\WINDOWS\System32\itlsvc.dat
[2011/11/30 12:47:42 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\6to4v32.dll
[2011/11/30 12:47:36 | 000,037,888 | ---- | C] () -- C:\WINDOWS\System32\sqlesw32.dll
[2011/11/30 10:39:56 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\jmoon\defogger_reenable
[2011/11/30 03:29:49 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\0.6356031451267443.exe
[2011/11/29 13:21:20 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/11/29 13:21:13 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011/11/28 08:54:42 | 000,000,866 | ---- | C] () -- C:\Documents and Settings\jmoon\Desktop\PDF-Viewer.lnk
[2011/11/17 13:23:56 | 000,312,410 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/11/17 12:57:19 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/11/17 10:13:19 | 000,312,410 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-3014567974-160216032-1282719925-1138-0.dat
[2011/11/17 09:44:50 | 000,001,866 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DWG TrueView 2012.lnk
[2011/11/17 09:22:07 | 222,364,016 | ---- | C] () -- C:\Documents and Settings\jmoon\My Documents\SetupDWGTrueView2012_32bit.exe
[2011/11/15 13:51:37 | 000,000,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PrimoPDF - Drop Files Here to Convert!.lnk
[2011/11/15 13:51:24 | 000,180,624 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2011/11/15 12:01:15 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2011/11/15 12:01:15 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/11/14 12:14:40 | 000,000,264 | ---- | C] () -- C:\WINDOWS\tasks\RegistryBooster.job
[2011/11/14 12:14:03 | 000,001,493 | ---- | C] () -- C:\Documents and Settings\jmoon\Desktop\Uniblue RegistryBooster.lnk
[2011/11/14 12:14:03 | 000,001,477 | ---- | C] () -- C:\Documents and Settings\jmoon\Application Data\Microsoft\Internet Explorer\Quick Launch\Uniblue RegistryBooster.lnk
[2011/11/14 11:43:44 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/11/14 09:51:39 | 000,001,663 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\FileZilla Client.lnk
[2011/11/11 12:46:55 | 000,000,410 | ---- | C] () -- C:\Documents and Settings\jmoon\Desktop\Shortcut to Scans.lnk
[2011/11/11 11:33:30 | 000,000,630 | ---- | C] () -- C:\Documents and Settings\jmoon\My Documents\SWWATER.INI
[2011/11/11 10:23:13 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\jmoon\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2011/11/11 09:54:50 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\jmoon\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/11/11 09:54:50 | 000,000,803 | ---- | C] () -- C:\Documents and Settings\jmoon\Start Menu\Programs\Internet Explorer.lnk
[2011/11/11 09:54:49 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\jmoon\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2011/11/11 09:54:45 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\jmoon\Start Menu\Programs\Outlook Express.lnk
[2011/11/11 09:54:37 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\jmoon\Start Menu\Programs\Remote Assistance.lnk
[2011/11/11 09:54:37 | 000,000,788 | ---- | C] () -- C:\Documents and Settings\jmoon\Start Menu\Programs\Windows Media Player.lnk
[2011/11/11 09:30:11 | 000,001,803 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Search.lnk
[2011/11/11 09:30:11 | 000,001,787 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
[2011/11/11 09:26:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2011/11/11 09:25:45 | 000,225,262 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msimain.sdb
[2011/02/09 23:03:48 | 000,000,314 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2010/02/04 12:46:35 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/02/04 12:38:15 | 000,000,172 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/02/04 12:03:11 | 000,348,880 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2010/02/04 12:03:11 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4642.dll
[2010/02/04 11:41:27 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/02/04 11:36:27 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/02/04 06:21:41 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/02/04 06:20:34 | 000,341,832 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/05/26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2006/09/08 08:30:44 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\detoured.dll
[2005/11/18 13:47:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/03/21 18:48:05 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/03/21 18:48:05 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 05:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 05:00:00 | 000,527,342 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 05:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 05:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 05:00:00 | 000,096,690 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 05:00:00 | 000,049,156 | ---- | C] () -- C:\WINDOWS\System32\certstore.dat
[2004/08/04 05:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 05:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 05:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 05:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 05:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Custom Scans ==========


< %TEMP%\smtmp\*.* /s >

< End of report >
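The OTL log above carries the indicators a responder would pull out by hand: the hosts file is flagged read-only/hidden/system (RHS-) and maps www.google-analytics.com, ad-emea.doubleclick.net and www.statcounter.com to 217.23.4.166 and 69.72.252.254 instead of loopback; a Run value named MozillaAgent launches C:\WINDOWS\Temp\_ex-68.exe with no publisher; two Winlogon\Notify packages load C:\WINDOWS\System32\sqlesw32.dll, again with no publisher; and every Winsock Protocol_Catalog9 entry reports mswsock.dll as "File not found". The script below is an added example, not part of this thread and not OTL's own code, that parses those OTL line formats and flags the same conditions over a constructed sample (lines copied from the log above plus two benign ones). The regular expressions assume the 2011-era OTL line layout exactly as shown in the log, and the rules (any non-loopback hosts mapping, any autorun with an empty publisher or living under a Temp directory, any Notify DLL with an empty publisher, any Shell/UserInit value not resolving to explorer.exe/userinit.exe) are my thresholds, not OTL's.

```python
"""Triage helper for OTL-style O1/O4/O10/O20 log lines (example code, not OTL's)."""
import re
from collections import Counter
from dataclasses import dataclass

# Addresses a hosts file may legitimately map names to; anything else is a redirect.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Directory fragments a legitimate Run entry almost never points into (assumption).
SUSPECT_DIRS = ("\\temp\\",)
# What the Winlogon Shell/UserInit values should resolve to on Windows XP.
WINLOGON_EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}

# Line layouts taken from the OTL log in this thread.
HOSTS_ATTR_RE = re.compile(r"^O1 HOSTS File: \(\[[^|]*\|[^|]*\|\s*([^|\s]+)\s*\|")
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - (.+?)\.\.\\Run: \[([^\]]+)\] (.+?) \((.*)\)$")
LSP_RE = re.compile(r"^O10 - Protocol_Catalog9\\Catalog_Entries\\(\d+) - (\S+) File not found$")
WINLOGON_RE = re.compile(r"^O20 - HKLM Winlogon: (Shell|UserInit) - \((.+?)\) -(.+?) \((.*)\)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon\\Notify\\(\S+): DllName - \((\S+)\) - (.+?) \((.*)\)$")


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def triage(lines):
    """Return a Finding for every OTL line that matches one of the rules above."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if (m := HOSTS_ATTR_RE.match(line)):
            # Hidden/system attributes on hosts are a common malware trick to hide edits.
            attrs = m.group(1)
            if "H" in attrs or "S" in attrs:
                findings.append(Finding("hosts_hidden", f"attributes {attrs}"))
        elif (m := HOSTS_RE.match(line)):
            ip, host = m.groups()
            if ip not in LOOPBACK:
                findings.append(Finding("hosts_hijack", f"{host} -> {ip}"))
        elif (m := RUN_RE.match(line)):
            _hive, name, path, company = m.groups()
            if not company or any(d in path.lower() for d in SUSPECT_DIRS):
                findings.append(Finding("autorun_suspect", f"[{name}] {path}"))
        elif (m := LSP_RE.match(line)):
            # A Winsock catalog pointing at a missing provider DLL breaks TCP/IP for everyone.
            idx, dll = m.groups()
            findings.append(Finding("lsp_missing", f"catalog entry {idx} -> {dll}"))
        elif (m := WINLOGON_RE.match(line)):
            value, _raw_value, path, _company = m.groups()
            exe = path.strip().lower().rsplit("\\", 1)[-1]
            if exe != WINLOGON_EXPECTED[value.lower()]:
                findings.append(Finding("winlogon_tampered", f"{value} -> {path.strip()}"))
        elif (m := NOTIFY_RE.match(line)):
            # Notify packages load into winlogon.exe as SYSTEM; an unsigned one is a red flag.
            key, _dll, path, company = m.groups()
            if not company:
                findings.append(Finding("winlogon_notify_unsigned", f"{key} -> {path}"))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'hosts_hijack': 2, ...}."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample: lines copied from the OTL log in this thread plus benign ones
# (ccApp and the UserInit value) to show what is NOT reported.
SAMPLE_LOG = r"""
O1 HOSTS File: ([2011/11/30 12:48:33 | 000,001,392 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 217.23.4.166 www.google-analytics.com.
O1 - Hosts: 69.72.252.254 ad-emea.doubleclick.net.
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [MozillaAgent] C:\WINDOWS\Temp\_ex-68.exe ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - mswsock.dll File not found
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\sqlesw32: DllName - (sqlesw32.dll) - C:\WINDOWS\System32\sqlesw32.dll ()
O20 - Winlogon\Notify\Sqlseses: DllName - (sqlesw32.dll) - C:\WINDOWS\System32\sqlesw32.dll ()
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.kind:26} {f.detail}")
    print(summarize(results))
```

Run it against a full OTL.txt with `triage(open("OTL.txt", encoding="utf-8", errors="replace"))` and read the summary first: on this machine it reports one hidden hosts file, two hijacked host mappings, one suspicious autorun, one broken Winsock catalog entry and two unsigned Notify packages, which is the same picture the helper reads off the log by eye. The LSP finding is also the thing to remember when the cleanup later removes the DLLs those catalog entries depended on: a catalog that still references a provider that is no longer there leaves the stack unable to answer "query TCP/IP settings" until the catalog is rebuilt.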

#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 December 2011 - 11:12 AM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 JayMoon
  • Topic Starter
  • Members
  • 30 posts

Posted 07 December 2011 - 11:48 AM

ComboFix detected Symantec Endpoint Protection scanner as active. Symantec has been disabled since I first saw this computer (+/- a month ago), and I just went the step further and manually disabled all Symantec services through "services.msc" then restarted. Both the tray icon and services show Symantec as disabled. ComboFix continues to warn that SEP scanner is active. Should I allow ComboFix to run or dig further into Symantec?

#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 December 2011 - 12:38 PM

Go ahead with ComboFix, and remind me later about it and we will remove it completely.



gringo

#11 JayMoon
  • Topic Starter
  • Members
  • 30 posts

Posted 07 December 2011 - 01:17 PM

ComboFix detected rootkit activity and required restart - restarted - Winlogon.exe Application error popup - Unknown software exception (0x0eedfade) occurred in application at 0x7c812afb. Had to OK out of that twice - Combofix ran for +/- 10 seconds then:

Blue Screen
STOP: c000021a {Fatal System Error}
The windows logon process system process terminated unexpectedly with a status of 0x0eefade (0x00000000 0x00000000).
The system has been shut down.

This is the same issue I mentioned earlier in this thread. Being that Combofix was in the middle of running, I'm wary to power down and re-start, but I don't see another option, no?

#12 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 December 2011 - 01:22 PM

yes do a restart


gringo

#13 JayMoon
  • Topic Starter
  • Members
  • 30 posts

Posted 07 December 2011 - 02:43 PM

ComboFix ran successfully. The system is definitely running faster and I was able to enable all the Symantec processes finally, however I no longer can connect to the network. Local area Connection status shows it's connected but no activity. Also no detail under Connection status. IP, subnet & gateway are all blank. Repair does nothing. "Failed to query TCP/IP settings..." As a result I have no Internet connection. My Firewall is also down, "...cannot start the Windows Firewall/Internet Connection Sharing (ICS) service."

Here's the log:

ComboFix 11-12-06.02 - jmoon 12/07/2011 13:31:57.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.488 [GMT -5:00]
Running from: c:\documents and settings\jmoon\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\CSC\d6
c:\windows\system32\0.6356031451267443.exe
c:\windows\system32\6to4v32.dll
c:\windows\system32\certstore.dat
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\sqlcsw32.dll
c:\windows\system32\sqlesw32.dll
c:\windows\system32\wpcap.dll
c:\windows\Temp\_ex-68.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_NPF
-------\Service_6to4
-------\Service_NPF
-------\Legacy_SqlCSS
-------\Service_SqlCSS
.
.
((((((((((((((((((((((((( Files Created from 2011-11-07 to 2011-12-07 )))))))))))))))))))))))))))))))
.
.
2011-11-30 17:48 . 2008-04-13 18:36 187776 -c--a-w- c:\windows\system32\dllcache\acpi.sys
2011-11-30 17:48 . 2008-04-13 18:36 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2011-11-28 13:54 . 2011-11-28 13:54 -------- d-----w- c:\program files\Tracker Software
2011-11-17 14:42 . 2011-11-17 14:44 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2011-11-17 14:42 . 2011-11-17 14:42 -------- d-----w- c:\program files\Autodesk
2011-11-17 14:41 . 2009-09-04 22:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2011-11-17 14:41 . 2009-09-04 22:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2011-11-17 14:41 . 2009-09-04 22:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-11-17 14:41 . 2009-09-04 22:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2011-11-17 14:41 . 2011-11-17 14:41 -------- d-----w- c:\windows\Logs
2011-11-17 14:30 . 2011-11-17 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2011-11-17 14:24 . 2011-11-17 14:24 -------- dc----w- C:\Autodesk
2011-11-15 18:51 . 2011-02-28 22:37 180624 ----a-w- c:\windows\system32\Primomonnt.dll
2011-11-15 18:51 . 2011-11-15 18:51 -------- d-----w- c:\program files\Nitro PDF
2011-11-15 16:59 . 2011-11-15 17:00 -------- d-----w- c:\program files\Common Files\Adobe
2011-11-14 17:14 . 2011-11-14 17:14 -------- dc----w- c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-11-14 17:14 . 2011-11-14 17:14 -------- d-----w- c:\program files\Uniblue
2011-11-14 16:43 . 2011-11-14 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-14 16:43 . 2011-11-14 16:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-14 16:43 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-14 14:51 . 2011-11-14 14:51 -------- d-----w- c:\program files\FileZilla FTP Client
2011-11-11 16:55 . 2011-12-07 15:41 -------- d-----w- C:\Scans
2011-11-11 14:54 . 2011-11-30 15:39 -------- d-----w- c:\documents and settings\jmoon
2011-11-11 14:33 . 2011-11-11 14:39 -------- d-----w- c:\documents and settings\administrator
2011-11-11 14:31 . 2011-11-11 14:31 -------- d-----w- c:\windows\system32\winrm
2011-11-11 14:31 . 2011-11-11 14:31 -------- dc----w- c:\windows\$968930Uinstall_KB968930$
2011-11-11 14:30 . 2011-11-11 17:45 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-11-11 14:30 . 2011-11-12 08:01 -------- d-----w- c:\program files\Windows Desktop Search
2011-11-11 14:30 . 2011-11-11 14:30 -------- d-----w- c:\windows\system32\GroupPolicy
2011-11-11 14:29 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2011-11-11 14:29 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2011-11-11 14:29 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2011-11-11 14:28 . 2011-11-11 14:28 -------- d-----w- c:\program files\Windows Media Connect 2
2011-11-11 14:26 . 2011-11-11 14:27 -------- d-----w- c:\windows\system32\drivers\UMDF
2011-11-11 14:26 . 2011-11-11 14:26 -------- d-----w- c:\windows\system32\LogFiles
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-14 20:14 . 2011-06-10 17:38 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2010-02-04 16:36 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2004-08-04 10:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2004-08-04 10:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2004-08-04 10:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-11-21 04:04 . 2011-11-29 18:21 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\documents and settings\jmoon\Local Settings\Application Data\Akamai\netsession_win.exe" [2011-11-17 3303000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-09-03 115560]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\jmoon\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1199:TCP"= 1199:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/17/2011 1:02 PM 106104]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [9/3/2008 12:16 PM 23888]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 5:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
Sqlses REG_MULTI_SZ SqlCSS
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-07 c:\windows\Tasks\RegistryBooster.job
- c:\program files\Uniblue\RegistryBooster\rbmonitor.exe [2011-11-14 09:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.2
FF - ProfilePath - c:\documents and settings\jmoon\Application Data\Mozilla\Firefox\Profiles\gbbrpymu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
Notify-IsWow64Process - sqlesw32.dll
Notify-sqlesw32 - sqlesw32.dll
Notify-Sqlseses - sqlesw32.dll
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-07 14:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1956)
c:\windows\system32\WININET.dll
c:\windows\system32\AcSignIcon.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2011-12-07 14:12:39 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-07 19:12
.
Pre-Run: 57,924,591,616 bytes free
Post-Run: 59,301,134,336 bytes free
.
- - End Of File - - 110676EFDBB57F9CE0D2CAA6AB726C4F
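
Reading a log like the one above by hand is tedious, and the parts that matter for a follow-up are spread across three sections: the Drivers/Services deletions, the svchost group key, and the Winlogon Notify lines under ORPHANS REMOVED. The Python below is an added example, not ComboFix output and not tooling from this thread: it parses those three sections and flags any svchost group whose every hosted service was deleted in the same run, which is how the leftover Sqlses group still listing SqlCSS surfaces without needing a hand-made allow-list of "known good" groups. The sample log is a constructed excerpt assembled from lines in this post; all function names are the example's own.

```python
"""Triage helper for ComboFix-style logs.

Added example, not ComboFix's own code and not something posted in this
thread: it pulls out the entries a responder reviews after a cleanup run
and flags svchost groups whose hosted services were all just deleted.
"""
import re
from typing import Dict, List

# Constructed excerpt: lines copied from the ComboFix log in this post,
# trimmed to the three sections this script reads.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_NPF
-------\Service_6to4
-------\Service_NPF
-------\Legacy_SqlCSS
-------\Service_SqlCSS
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
Sqlses REG_MULTI_SZ SqlCSS
.
- - - - ORPHANS REMOVED - - - -
.
Notify-IsWow64Process - sqlesw32.dll
Notify-sqlesw32 - sqlesw32.dll
Notify-Sqlseses - sqlesw32.dll
SafeBoot-Symantec Antvirus
.
"""

# "-------\Service_<name>" lines in the Drivers/Services section are the
# service registry keys ComboFix removed.
SERVICE_RE = re.compile(r"^-------\\Service_(\S+)\s*$", re.MULTILINE)
# "Notify-<subkey> - <dll>" lines are Winlogon\Notify packages that were
# left pointing at a DLL; such DLLs load inside winlogon.exe.
NOTIFY_RE = re.compile(r"^Notify-(\S+) - (\S+)\s*$", re.MULTILINE)
# Suffix of the svchost key header; matched case-insensitively.
SVCHOST_KEY_SUFFIX = r"\microsoft\windows nt\currentversion\svchost]"


def removed_services(log: str) -> List[str]:
    """Service names whose registry keys the run deleted, in log order."""
    return SERVICE_RE.findall(log)


def svchost_groups(log: str) -> Dict[str, List[str]]:
    """Map each svchost group name to the services listed in its REG_MULTI_SZ."""
    groups: Dict[str, List[str]] = {}
    in_block = False
    for line in log.splitlines():
        if line.lower().endswith(SVCHOST_KEY_SUFFIX):
            in_block = True
            continue
        if not in_block:
            continue
        if line.strip() in ("", "."):  # ComboFix ends a block with a lone "."
            break
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "REG_MULTI_SZ":
            groups[parts[0]] = parts[2:]
    return groups


def orphaned_svchost_groups(log: str) -> List[str]:
    """svchost groups whose hosted services were all deleted in this run.

    A group that survives while its only service is gone is a leftover
    worth cleaning; a group still hosting a live service is left alone.
    """
    removed = {name.lower() for name in removed_services(log)}
    return sorted(
        group for group, services in svchost_groups(log).items()
        if services and all(svc.lower() in removed for svc in services)
    )


def winlogon_notify_orphans(log: str) -> Dict[str, str]:
    """Winlogon Notify subkey -> DLL it referenced, from ORPHANS REMOVED."""
    return dict(NOTIFY_RE.findall(log))


def notify_dlls(log: str) -> List[str]:
    """Distinct DLLs referenced by orphaned Notify entries."""
    return sorted(set(winlogon_notify_orphans(log).values()))


def triage(log: str) -> Dict[str, List[str]]:
    """One summary a responder can scan before deciding on a follow-up script."""
    return {
        "removed_services": removed_services(log),
        "orphaned_svchost_groups": orphaned_svchost_groups(log),
        "winlogon_notify_dlls": notify_dlls(log),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The orphan check deliberately uses only the deletions recorded in the same log rather than a list of default Windows svchost groups: the default set varies by service pack and installed updates (WINRM above arrived with KB968930), so an allow-list would produce noise, whereas "the group's only service was just removed" is true by construction. The Notify entries are worth separate attention because Winlogon Notify DLLs run inside winlogon.exe; the thread does not establish it, but a cleanup touching them is consistent with the winlogon.exe exception and c000021a stop seen during the first run.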

#14 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 December 2011 - 02:48 PM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#15 JayMoon
  • Topic Starter
  • Members
  • 30 posts

Posted 07 December 2011 - 03:21 PM

No issues running that scan but no apparent change to Network functionality.


ComboFix 11-12-06.02 - jmoon 12/07/2011 14:58:15.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.498 [GMT -5:00]
Running from: c:\documents and settings\jmoon\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jmoon\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\CSC\d6
.
.
((((((((((((((((((((((((( Files Created from 2011-11-07 to 2011-12-07 )))))))))))))))))))))))))))))))
.
.
2011-12-07 19:21 . 2008-09-03 17:16 38248 ----a-w- c:\windows\system32\drivers\WGX.SYS
2011-11-30 17:48 . 2008-04-13 18:36 187776 -c--a-w- c:\windows\system32\dllcache\acpi.sys
2011-11-30 17:48 . 2008-04-13 18:36 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2011-11-28 13:54 . 2011-11-28 13:54 -------- d-----w- c:\program files\Tracker Software
2011-11-17 14:42 . 2011-11-17 14:44 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2011-11-17 14:42 . 2011-11-17 14:42 -------- d-----w- c:\program files\Autodesk
2011-11-17 14:41 . 2009-09-04 22:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2011-11-17 14:41 . 2009-09-04 22:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2011-11-17 14:41 . 2009-09-04 22:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-11-17 14:41 . 2009-09-04 22:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2011-11-17 14:41 . 2011-11-17 14:41 -------- d-----w- c:\windows\Logs
2011-11-17 14:30 . 2011-11-17 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2011-11-17 14:24 . 2011-11-17 14:24 -------- dc----w- C:\Autodesk
2011-11-15 18:51 . 2011-02-28 22:37 180624 ----a-w- c:\windows\system32\Primomonnt.dll
2011-11-15 18:51 . 2011-11-15 18:51 -------- d-----w- c:\program files\Nitro PDF
2011-11-15 16:59 . 2011-11-15 17:00 -------- d-----w- c:\program files\Common Files\Adobe
2011-11-14 17:14 . 2011-11-14 17:14 -------- dc----w- c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-11-14 17:14 . 2011-11-14 17:14 -------- d-----w- c:\program files\Uniblue
2011-11-14 16:43 . 2011-11-14 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-14 16:43 . 2011-11-14 16:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-14 16:43 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-14 14:51 . 2011-11-14 14:51 -------- d-----w- c:\program files\FileZilla FTP Client
2011-11-11 16:55 . 2011-12-07 15:41 -------- d-----w- C:\Scans
2011-11-11 14:54 . 2011-11-30 15:39 -------- d-----w- c:\documents and settings\jmoon
2011-11-11 14:33 . 2011-11-11 14:39 -------- d-----w- c:\documents and settings\administrator
2011-11-11 14:31 . 2011-11-11 14:31 -------- d-----w- c:\windows\system32\winrm
2011-11-11 14:31 . 2011-11-11 14:31 -------- dc----w- c:\windows\$968930Uinstall_KB968930$
2011-11-11 14:30 . 2011-11-11 17:45 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-11-11 14:30 . 2011-11-12 08:01 -------- d-----w- c:\program files\Windows Desktop Search
2011-11-11 14:30 . 2011-11-11 14:30 -------- d-----w- c:\windows\system32\GroupPolicy
2011-11-11 14:29 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2011-11-11 14:29 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2011-11-11 14:29 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2011-11-11 14:28 . 2011-11-11 14:28 -------- d-----w- c:\program files\Windows Media Connect 2
2011-11-11 14:26 . 2011-11-11 14:27 -------- d-----w- c:\windows\system32\drivers\UMDF
2011-11-11 14:26 . 2011-11-11 14:26 -------- d-----w- c:\windows\system32\LogFiles
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-14 20:14 . 2011-06-10 17:38 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2010-02-04 16:36 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2004-08-04 10:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2004-08-04 10:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2004-08-04 10:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-11-21 04:04 . 2011-11-29 18:21 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-07_19.04.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-07 19:21 . 2011-12-07 19:21 16384 c:\windows\Temp\Perflib_Perfdata_ef8.dat
+ 2011-12-07 19:22 . 2011-12-07 19:22 16384 c:\windows\Temp\Perflib_Perfdata_a44.dat
+ 2010-02-04 16:56 . 2011-12-07 19:24 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-02-04 16:56 . 2011-12-01 13:36 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-12-07 19:24 . 2011-12-07 19:24 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-02-04 16:56 . 2011-12-01 13:36 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\documents and settings\jmoon\Local Settings\Application Data\Akamai\netsession_win.exe" [2011-11-17 3303000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-09-03 115560]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\jmoon\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1199:TCP"= 1199:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe [2008-04-14 14336]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-08 106104]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - NAPAGENT
*NewlyCreated* - NETDDE
*NewlyCreated* - NETDDEDSDM
*NewlyCreated* - NETTCPPORTSHARING
*NewlyCreated* - WGX
*NewlyCreated* - XMLPROV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
Sqlses REG_MULTI_SZ SqlCSS
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-07 c:\windows\Tasks\RegistryBooster.job
- c:\program files\Uniblue\RegistryBooster\rbmonitor.exe [2011-11-14 09:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.2
FF - ProfilePath - c:\documents and settings\jmoon\Application Data\Mozilla\Firefox\Profiles\gbbrpymu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-07 15:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2092)
c:\windows\system32\WININET.dll
c:\windows\system32\AcSignIcon.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-12-07 15:18:37
ComboFix-quarantined-files.txt 2011-12-07 20:18
ComboFix2.txt 2011-12-07 19:12
.
Pre-Run: 59,583,807,488 bytes free
Post-Run: 59,591,135,232 bytes free
.
- - End Of File - - 56BEC3E646460FD391EB69BBD58F41C6