Infected with XP Antivirus/Home Security 2012 -google redirects and ping.exe


This topic is locked
33 replies to this topic

#1 Wordfencer

  • Members
  • 17 posts

Posted 13 December 2011 - 02:09 PM

Hello,

I was infected on 12/9/11 with something in the XP Antivirus/Home Security 2012 family. I immediately tried to run Malwarebytes, but it of course wouldn't start. I ran Spybot Search & Destroy, which saw and shut down most of the "security" windows. After that, I was able to run Malwarebytes. After several runs of both those programs, they were showing the computer as clean.
However, I still have several problems. Firefox is occasionally hijacked. Sometimes extra tabs open and go to health ads, and occasionally links from a Google results page are redirected to other 'results' pages, like "fast-web-search" or "search-web-results". There is also a process called ping.exe that keeps executing. It shows up in the Task Manager, sometimes using up to 99% CPU cycles and greater than 100M memory. I can kill it in Task Manager or Process Explorer, but it just starts again in a few minutes. I also occasionally get random Windows alert sounds. This looks like the same problem many others are having here.
At this point I also tried TDSSKiller, but it did not find anything.
I've followed the reporting guide steps. Everything there worked fine except the DDS scan. DDS starts and appears to run normally for about 20 seconds, but then closes, and no log files open after that. GMER runs fine, and reported that a rootkit was detected. That log is below.
Thank you in advance for any help.
WF

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-13 12:39:35
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HDT722516DLAT80 rev.V43OA96A
Running: 02owi10d.exe; Driver: C:\TEMP\kxtdqpod.sys


---- Kernel code sections - GMER 1.0.15 ----

? vmbadt.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6E5F360, 0x1FE48D, 0xE8000020]
? C:\WINDOWS\system32\Drivers\PROCEXP141.SYS The system cannot find the file specified. !
? C:\TEMP\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[956] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 023D000A
.text C:\WINDOWS\System32\svchost.exe[956] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 023E000A
.text C:\WINDOWS\System32\svchost.exe[956] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 01DB000C
.text C:\WINDOWS\System32\ping.exe[1924] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B4000A
.text C:\WINDOWS\System32\ping.exe[1924] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00B5000A
.text C:\WINDOWS\System32\ping.exe[1924] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009F000A
.text C:\WINDOWS\System32\ping.exe[1924] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A0000A
.text C:\WINDOWS\System32\ping.exe[1924] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009E000C
.text C:\WINDOWS\System32\ping.exe[1924] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00B8000A
.text C:\WINDOWS\System32\ping.exe[1924] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 00B9000A
.text C:\WINDOWS\System32\ping.exe[1924] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 00BA000A
.text C:\WINDOWS\System32\ping.exe[1924] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00B7000A

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) F41BB000-F41D1000 (90112 bytes)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Cookies\system@83.133.124[3].txt 71 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0B0O9IP4\rss[4].png 707 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\5YRIWDAH\18558;223784;201;jsiframe;InviteMediaUS;InviteMediaPredictive12111217160x600RMPE[1].htm 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\5YRIWDAH\ddc[4].htm 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\5YRIWDAH\l10n[1].js 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G6D45N0T\path-bg[1].gif 603 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\J391384H\info_48[1] 6993 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Q3YDHYXA\afr[3].php 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VFVAIVUP\cc_108_18[1].gif 593 bytes
File C:\WINDOWS\$NtUninstallKB13345$\270541825 0 bytes
File C:\WINDOWS\$NtUninstallKB13345$\270541825\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB13345$\270541825\bckfg.tmp 850 bytes
File C:\WINDOWS\$NtUninstallKB13345$\270541825\cfg.ini 208 bytes
File C:\WINDOWS\$NtUninstallKB13345$\270541825\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB13345$\270541825\keywords 159 bytes
File C:\WINDOWS\$NtUninstallKB13345$\270541825\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB13345$\270541825\L 0 bytes
File C:\WINDOWS\$NtUninstallKB13345$\270541825\L\meoxqhnz 162816 bytes
File C:\WINDOWS\$NtUninstallKB13345$\270541825\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB13345$\270541825\U 0 bytes
File C:\WINDOWS\$NtUninstallKB13345$\270541825\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB13345$\270541825\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB13345$\270541825\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB13345$\270541825\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB13345$\270541825\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB13345$\270541825\U\80000032.@ 98304 bytes
File C:\WINDOWS\$NtUninstallKB13345$\2735162838 0 bytes

---- EOF - GMER 1.0.15 ----
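As an added example (not from the original post, and not part of GMER), the following Python script triages the two GMER sections shown above. It parses the "User code sections" lines into per-process inline hooks, parses the "Modules" section for entries GMER marks hidden, and scores each process by how many 5-byte JMPs land outside the system DLL range and whether process-creation or memory-write exports are among the hooked functions. The 0x70000000 threshold and the INJECTION_APIS list are heuristics chosen for this example, not GMER rules, and the embedded log is a constructed subset of the lines in the post.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: a subset of the hook and module lines from the GMER
# log in the post above, embedded so the script runs offline.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[956] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 023D000A
.text C:\WINDOWS\System32\svchost.exe[956] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 023E000A
.text C:\WINDOWS\System32\ping.exe[1924] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B4000A
.text C:\WINDOWS\System32\ping.exe[1924] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A0000A
.text C:\WINDOWS\System32\ping.exe[1924] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 00BA000A

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) F41BB000-F41D1000 (90112 bytes)
"""

# One ".text <image>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target>" line.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^!\s]+)!(?P<func>\S+)"
    r"\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s*$"
)
# One "Module (<name>) (<flags>) <start>-<end> (<size> bytes)" line.
MODULE_RE = re.compile(
    r"^Module\s+\((?P<name>[^)]*)\)\s+\((?P<flags>[^)]*)\)\s+"
    r"(?P<start>[0-9A-Fa-f]+)-(?P<end>[0-9A-Fa-f]+)\s+\((?P<size>\d+)\s+bytes\)"
)

# Heuristic of this example, not a GMER rule: on 32-bit XP the system DLLs
# named in the log (ntdll, USER32, ole32) are mapped above this address, so a
# JMP that lands below it points at memory no module on disk accounts for.
SYSTEM_DLL_FLOOR = 0x70000000

# Hooking these ntdll exports gives the hook author control over process
# creation and memory writes in the host process; legitimate AV and sandbox
# products hook them too, so the count is a triage weight, not a verdict.
INJECTION_APIS = {"NtCreateProcess", "NtCreateProcessEx",
                  "NtWriteVirtualMemory", "NtProtectVirtualMemory"}


@dataclass(frozen=True)
class Hook:
    process: str   # e.g. "ping.exe[1924]"
    module: str    # e.g. "ntdll.dll"
    func: str      # hooked export
    addr: int      # address of the patched prologue
    target: int    # where the 5-byte JMP goes

    @property
    def off_module(self) -> bool:
        return self.target < SYSTEM_DLL_FLOOR


def parse_hooks(text: str) -> list:
    """Parse every user-mode hook line; lines that do not match are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            image = PureWindowsPath(m["image"]).name
            hooks.append(Hook(f"{image}[{m['pid']}]", m["module"], m["func"],
                              int(m["addr"], 16), int(m["target"], 16)))
    return hooks


def parse_hidden_modules(text: str) -> list:
    """Return (start, end, size) for every module GMER marks as hidden."""
    found = []
    for line in text.splitlines():
        m = MODULE_RE.match(line.strip())
        if m and "hidden" in m["flags"]:
            found.append((int(m["start"], 16), int(m["end"], 16), int(m["size"])))
    return found


def triage(text: str) -> dict:
    """Group hooks by process and attach the two triage signals to each."""
    by_proc = defaultdict(list)
    for h in parse_hooks(text):
        by_proc[h.process].append(h)
    processes = {
        proc: {
            "hooks": len(hs),
            "off_module": sum(h.off_module for h in hs),
            "injection_apis": sorted({h.func for h in hs} & INJECTION_APIS),
        }
        for proc, hs in by_proc.items()
    }
    return {"processes": processes, "hidden_modules": parse_hidden_modules(text)}


def should_escalate(report: dict) -> bool:
    """True when a hidden module or an off-module hook on an injection API is present."""
    if report["hidden_modules"]:
        return True
    return any(p["off_module"] and p["injection_apis"] for p in report["processes"].values())


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for proc, info in rep["processes"].items():
        print(f"{proc}: {info['hooks']} hooks, {info['off_module']} off-module, "
              f"injection APIs: {', '.join(info['injection_apis']) or 'none'}")
    for start, end, size in rep["hidden_modules"]:
        print(f"hidden module {start:08X}-{end:08X} ({size} bytes)")
    print("escalate:", should_escalate(rep))
```

The hidden-module check also lets you confirm the reported size against the address range (F41D1000 minus F41BB000 is exactly 90112 bytes), which is a quick sanity test that the line was parsed correctly.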


#2 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 18 December 2011 - 12:56 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed. This will help you get notified faster when I have replied and will make the cleaning process faster.


The first thing I would like you to do is run this for me: http://download.bleepingcomputer.com/grinler/unhide.exe (after it is complete, restart the computer and continue with these steps).


Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in

    %TEMP%\smtmp\*.* /s

  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened; this is the one that I need posted back here
    • Extra.txt <-- Will be minimized; save this one on your desktop in case I ask for it later
  • Please post the contents of OTListIt.txt in your next reply.


Information and logs:

  • In your next post I need the following:
    • logs from OTL
    • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 21 December 2011 - 02:05 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#4 Wordfencer (Topic Starter)

  • Members
  • 17 posts

Posted 21 December 2011 - 12:24 PM

Hello. Thank you for your reply, and I'm sorry about my slow reply. I'm back at the computer now.

I followed your instructions, and had only one problem.
- unhide.exe ran fine, and the computer restart was normal
- OTL ran fine, and I have both OTL.txt and Extras.txt
- When I tried to reply to this topic, I had to use another computer. When using the infected one, every time I tried to post, the browser would show that the connection had been reset. Other pages loaded normally.

OTL.txt is listed here:

OTL logfile created on: 12/21/2011 11:02:59 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.42 Mb Total Physical Memory | 537.19 Mb Available Physical Memory | 60.06% Memory free
1.74 Gb Paging File | 1.47 Gb Available in Paging File | 84.16% Paging File free
Paging file location(s): c:\pagefile.sys 960 1920 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.93 Gb Total Space | 53.29 Gb Free Space | 35.78% Space Free | Partition Type: NTFS
Drive H: | 4.43 Gb Total Space | 2.71 Gb Free Space | 61.16% Space Free | Partition Type: FAT32
Unable to calculate disk information.

Computer Name: CHRIS | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
PRC - C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe (Logitech, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)


========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
MOD - C:\Program Files\Mozilla Firefox\mozjs.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - \\?\globalroot\systemroot\system32\mswsock.dll ()
MOD - \\.\globalroot\systemroot\system32\mswsock.dll ()


========== Win32 Services (SafeList) ==========

SRV - (LBTServ) -- C:\Program Files\Common Files\LogiShrd\Bluetooth\LBTServ.exe (Logitech, Inc.)


========== Driver Services (SafeList) ==========

DRV - (LMouFilt) -- C:\WINDOWS\system32\drivers\LMouFilt.Sys (Logitech, Inc.)
DRV - (LHidFilt) -- C:\WINDOWS\system32\drivers\LHidFilt.Sys (Logitech, Inc.)
DRV - (LHidEqd) -- C:\WINDOWS\system32\drivers\LHidEqd.sys (Logitech, Inc.)
DRV - (LEqdUsb) -- C:\WINDOWS\system32\drivers\LEqdUsb.sys (Logitech, Inc.)
DRV - (LBeepKE) -- C:\WINDOWS\system32\drivers\LBeepKE.sys (Logitech, Inc.)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\alcxwdm.sys (Realtek Semiconductor Corp.)
DRV - (nvata) -- C:\WINDOWS\system32\DRIVERS\nvata.sys (NVIDIA Corporation)
DRV - (nvnetbus) -- C:\WINDOWS\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS\system32\drivers\NVENETFD.sys (NVIDIA Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-484763869-2139871995-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-484763869-2139871995-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-484763869-2139871995-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "www.gmail.com"
FF - prefs.js..extensions.enabledItems: {e5e868a3-2e53-4f10-a2a0-890c4a4774f4}:0.0.5.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: CertPatrol@PSYC.EU:1.8.1
FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=UTF-8&oe=utf-8&q="

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/22 09:49:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/10/10 08:26:39 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 8.0\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/10/11 09:42:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 8.0\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/04/19 14:05:52 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/04/19 14:05:52 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/11/07 13:35:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\9l3angwx.default\extensions
[2011/11/22 09:49:06 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
() (No name found) -- C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\9L3ANGWX.DEFAULT\EXTENSIONS\{0A01C4B6-B839-4DFB-910E-D1CEEF5C5B79}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\9L3ANGWX.DEFAULT\EXTENSIONS\FIREBUG@SOFTWARE.JOEHEWITT.COM.XPI
[2011/11/22 09:49:04 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/11/11 15:06:21 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/10/04 09:34:59 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/22 09:49:04 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

Hosts file not found
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: wv490 = C:\DOCUME~1\Owner\LOCALS~1\Temp\x0bpy.exe
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-484763869-2139871995-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1272293570281 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 151.164.1.8 151.164.1.7
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BCB56D58-D846-4C42-9DA9-130CBE52C5DF}: DhcpNameServer = 151.164.1.8 151.164.1.7
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LBTWlgn: DllName - (c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll) - c:\Program Files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/06/18 13:40:36 | 000,000,047 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/09/13 12:15:24 | 000,000,053 | -HS- | M] () - H:\Autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2003/08/08 17:24:26 | 000,000,045 | -HS- | M] () - H:\autorun.inf.aug.8 -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/21 11:00:51 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/12/13 10:48:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Owner\My Documents\My Videos
[2011/12/13 10:48:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Administrative Tools
[2011/12/12 13:52:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
[2011/12/09 13:53:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/12/09 13:53:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/12/09 13:53:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/11/29 13:10:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\NVIDIA Corporation
[2011/11/29 13:10:48 | 000,000,000 | ---D | C] -- C:\Program Files\AGEIA Technologies
[2011/11/29 13:10:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\AGEIA
[2011/11/29 13:10:32 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2011/11/29 12:48:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Defcon
[2011/11/29 12:48:39 | 000,000,000 | ---D | C] -- C:\Program Files\Defcon
[2011/11/29 12:46:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\TRAUMA
[2011/11/29 12:46:32 | 000,000,000 | ---D | C] -- C:\Program Files\TRAUMA
[2011/11/23 17:11:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\iphone leave out
[2011/11/23 16:58:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Copy (2) of iphone pics
[2011/11/23 16:58:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Copy of iphone pics
[2011/11/23 10:09:27 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/12/21 11:00:51 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/12/21 10:59:20 | 000,030,277 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/12/21 10:59:15 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/21 10:59:14 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/21 10:44:43 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/12/21 10:19:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2011/12/21 10:19:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2011/12/21 09:19:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2011/12/21 09:19:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2011/12/21 08:19:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2011/12/21 08:19:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2011/12/21 07:19:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2011/12/21 07:19:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2011/12/21 06:19:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2011/12/21 06:19:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2011/12/21 05:19:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2011/12/21 05:19:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2011/12/21 04:19:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2011/12/21 04:19:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2011/12/21 03:19:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2011/12/21 03:19:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2011/12/21 02:19:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2011/12/21 02:19:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2011/12/21 01:19:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2011/12/21 01:19:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2011/12/21 00:19:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2011/12/21 00:19:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2011/12/20 23:19:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At48.job
[2011/12/20 23:19:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
[2011/12/20 22:19:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At46.job
[2011/12/20 22:19:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\At45.job
[2011/12/20 21:19:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At44.job
[2011/12/20 21:19:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\At43.job
[2011/12/20 20:19:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At42.job
[2011/12/20 20:19:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\At41.job
[2011/12/20 19:19:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At40.job
[2011/12/20 19:19:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\At39.job
[2011/12/20 18:19:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At38.job
[2011/12/20 18:19:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\At37.job
[2011/12/20 17:19:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At36.job
[2011/12/20 17:19:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\At35.job
[2011/12/20 16:19:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At34.job
[2011/12/20 16:19:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\At33.job
[2011/12/20 15:19:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At32.job
[2011/12/20 15:19:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\At31.job
[2011/12/20 14:19:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At30.job
[2011/12/20 14:19:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\At29.job
[2011/12/20 13:19:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At28.job
[2011/12/20 13:19:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\At27.job
[2011/12/20 12:19:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At26.job
[2011/12/20 12:19:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
[2011/12/20 11:19:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2011/12/20 11:19:00 | 000,000,344 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2011/12/19 16:14:20 | 000,059,280 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\proex_pingexe.JPG
[2011/12/14 10:49:38 | 000,021,848 | ---- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/12/13 12:40:47 | 000,056,114 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds_ss.JPG
[2011/12/13 10:45:10 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\02owi10d.exe
[2011/12/13 10:44:06 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2011/12/13 10:43:21 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\defogger_reenable
[2011/12/12 11:04:20 | 000,000,321 | -HS- | M] () -- C:\boot.ini
[2011/12/09 14:04:08 | 937,984,000 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2011/12/09 13:24:14 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1lg5u4wXA.dat
[2011/12/09 13:24:14 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\l2P54.com.b
[2011/12/09 13:20:48 | 000,118,152 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/12/09 12:30:11 | 000,015,242 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\f7mn80i4id3grh
[2011/12/09 12:30:11 | 000,015,242 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\f7mn80i4id3grh
[2011/11/29 13:09:35 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2011/11/23 12:28:30 | 000,392,626 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/11/23 12:28:30 | 000,058,800 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/11/23 12:27:46 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/19 16:14:20 | 000,059,280 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\proex_pingexe.JPG
[2011/12/13 12:40:47 | 000,056,114 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds_ss.JPG
[2011/12/13 10:45:07 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\02owi10d.exe
[2011/12/13 10:43:21 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\defogger_reenable
[2011/12/09 13:57:31 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/12/09 13:24:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\l2P54.com.b
[2011/12/09 13:21:55 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1lg5u4wXA.dat
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At48.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At46.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At44.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At42.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At40.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At38.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At36.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At34.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At32.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At30.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At28.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At26.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2011/12/09 13:21:25 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2011/12/09 13:21:25 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2011/12/09 13:21:25 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2011/12/09 13:21:25 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At47.job
[2011/12/09 13:21:25 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At45.job
[2011/12/09 13:21:25 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At43.job
[2011/12/09 13:21:25 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At41.job
[2011/12/09 13:21:25 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At39.job
[2011/12/09 13:21:25 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At37.job
[2011/12/09 13:21:25 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At35.job
[2011/12/09 13:21:25 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At33.job
[2011/12/09 13:21:25 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At31.job
[2011/12/09 13:21:25 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2011/12/09 13:21:25 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At29.job
[2011/12/09 13:21:25 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At27.job
[2011/12/09 13:21:25 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At25.job
[2011/12/09 13:21:25 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2011/12/09 13:21:25 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2011/12/09 13:21:25 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2011/12/09 13:21:25 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2011/12/09 13:21:25 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2011/12/09 13:21:25 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2011/12/09 13:21:25 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2011/12/09 13:21:24 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2011/12/09 10:09:23 | 000,015,242 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\f7mn80i4id3grh
[2011/12/09 10:09:23 | 000,015,242 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\f7mn80i4id3grh
[2011/09/06 14:06:28 | 000,000,275 | ---- | C] () -- C:\WINDOWS\QTW.ini
[2011/05/17 11:39:41 | 000,004,096 | ---- | C] () -- C:\WINDOWS\d3dx.dat
[2010/09/16 15:01:00 | 000,009,728 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/18 13:40:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2010/06/18 13:37:18 | 000,003,058 | ---- | C] () -- C:\WINDOWS\PANEL.INI
[2010/06/18 13:37:18 | 000,000,110 | ---- | C] () -- C:\WINDOWS\DBPOST.INI
[2010/06/02 10:00:30 | 000,021,848 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/05/07 10:41:05 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/04/15 14:57:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/04/15 14:43:44 | 000,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2010/04/15 14:39:01 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2010/04/15 14:38:33 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2010/04/15 14:38:29 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2010/04/14 14:38:55 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/04/14 14:34:11 | 000,022,720 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/04/14 08:38:54 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/04/14 08:37:50 | 000,118,152 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/10/07 09:13:30 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 09:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2005/09/18 07:32:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2005/09/18 07:32:00 | 001,519,616 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2005/09/18 07:32:00 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2005/09/18 07:32:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2005/09/18 07:32:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2005/09/18 07:32:00 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2005/09/18 07:32:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2005/09/18 07:32:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2005/09/18 07:32:00 | 000,393,216 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2005/09/18 07:32:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2005/09/18 07:32:00 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2004/08/04 06:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 06:00:00 | 000,392,626 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 06:00:00 | 000,058,800 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 06:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 06:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 06:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== Custom Scans ==========


< %TEMP%\smtmp\*.* /s >

< End of report >
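
The OTL log above contains the two entries a responder would circle by hand: 48 Task Scheduler files, At1.job through At48.job, all created within two seconds of each other with no company name, and a file flagged -HS- (hidden, system) with a random-looking name dropped into two Application Data folders at the same instant. The Python below is an added example, not part of the original post and not OTL or BleepingComputer code: it parses lines in the OTL layout and flags both patterns so a log this long can be triaged mechanically. The sample lines are copied from the log above; the regex, the five-per-minute threshold and the random-name heuristic are assumptions of this example, not OTL's own logic, and the script makes no claim about which malware family dropped the files.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the OTL "Files Created"/"Files Modified"
# sections in the post above, trimmed to a dozen entries so the block runs offline.
SAMPLE_OTL = r"""
[2011/12/09 13:57:31 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/12/09 13:21:55 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1lg5u4wXA.dat
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2011/12/09 13:21:25 | 000,000,346 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2011/12/09 13:21:25 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2011/12/09 13:21:24 | 000,000,344 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2011/12/09 10:09:23 | 000,015,242 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\f7mn80i4id3grh
[2011/12/09 10:09:23 | 000,015,242 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\f7mn80i4id3grh
[2010/04/14 14:38:55 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/11/23 12:27:46 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
"""

# One OTL file line: [date time | size | attrs | C-or-M] (company) -- path
# (assumed layout, derived from the log above rather than from OTL documentation)
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)


def parse_otl(text):
    """Return one dict per recognised OTL file line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"].replace(",", ""))
            entries.append(e)
    return entries


def job_bursts(entries, min_count=5):
    """Task Scheduler .job files created in the same minute, keyed by that minute.

    A legitimate installer creates one or two tasks; dozens of At*.job files
    stamped within the same minute, with no company name, are a persistence
    mechanism worth triaging.  min_count is an assumed threshold.
    """
    by_minute = defaultdict(list)
    for e in entries:
        p = e["path"].lower()
        if e["kind"] == "C" and "\\tasks\\" in p and p.endswith(".job"):
            by_minute[e["ts"][:16]].append(e["path"])   # "YYYY/MM/DD HH:MM"
    return {m: sorted(v) for m, v in by_minute.items() if len(v) >= min_count}


def hidden_random_names(entries, min_len=10):
    """Hidden+System files under an Application Data folder whose basename has
    no extension and mixes letters and digits.  An assumed heuristic, shaped
    by the f7mn80i4id3grh entries in the log above."""
    hits = set()
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1]
        looks_random = (
            "." not in name
            and len(name) >= min_len
            and bool(re.search(r"\d", name))
            and bool(re.search(r"[A-Za-z]", name))
        )
        hidden_system = "H" in e["attrs"] and "S" in e["attrs"]
        if hidden_system and looks_random and "application data" in e["path"].lower():
            hits.add(e["path"])
    return sorted(hits)


if __name__ == "__main__":
    found = parse_otl(SAMPLE_OTL)
    for minute, jobs in job_bursts(found).items():
        print(f"{len(jobs)} .job files created at {minute}:")
        for j in jobs:
            print("   ", j)
    for path in hidden_random_names(found):
        print("hidden+system random name:", path)
```

Run it against a full OTL log by replacing SAMPLE_OTL with the file contents; the .job burst check keys on the creation minute so that a batch straddling a second boundary, as At1.job does here, is still reported as one event.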

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:42 PM

Posted 21 December 2011 - 01:15 PM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out here or here.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download ComboFix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion," please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#6 Wordfencer


Posted 21 December 2011 - 02:18 PM

I ran ComboFix (which also installed the Windows Recovery Console). It did detect a rootkit, and seems to have run fine.

Now the computer seems to be running fine. Everything looks normal, I have access to the internet, ping.exe is not popping up in the task manager, and after testing for a few minutes, I have not been redirected during a search or when opening a page.

The ComboFix log is here:

ComboFix 11-12-21.02 - Owner 12/21/2011 12:51:13.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.683 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Application Data\Start
c:\documents and settings\Owner\Application Data\Start\temp_BE4AAD34\flash.10.0.32.18.ocx
c:\documents and settings\Owner\WINDOWS
c:\windows\$NtUninstallKB13345$\270541825\@
c:\windows\$NtUninstallKB13345$\270541825\bckfg.tmp
c:\windows\$NtUninstallKB13345$\270541825\cfg.ini
c:\windows\$NtUninstallKB13345$\270541825\Desktop.ini
c:\windows\$NtUninstallKB13345$\270541825\keywords
c:\windows\$NtUninstallKB13345$\270541825\kwrd.dll
c:\windows\$NtUninstallKB13345$\270541825\L\meoxqhnz
c:\windows\$NtUninstallKB13345$\270541825\lsflt7.ver
c:\windows\$NtUninstallKB13345$\270541825\U\00000001.@
c:\windows\$NtUninstallKB13345$\270541825\U\00000002.@
c:\windows\$NtUninstallKB13345$\270541825\U\00000004.@
c:\windows\$NtUninstallKB13345$\270541825\U\80000000.@
c:\windows\$NtUninstallKB13345$\270541825\U\80000004.@
c:\windows\$NtUninstallKB13345$\270541825\U\80000032.@
c:\windows\$NtUninstallKB13345$\2735162838
c:\windows\alcrmv.exe
c:\windows\Fonts\mlog
c:\windows\Install.txt
c:\windows\system\msvbvm60.dll
c:\windows\system32\5jgpnrw.log
c:\windows\system32\Install.txt
c:\windows\system32\oobe\isperror
c:\windows\system32\oobe\isperror\ispcnerr.htm
c:\windows\system32\oobe\isperror\ispdtone.htm
c:\windows\system32\oobe\isperror\isphdshk.htm
c:\windows\system32\oobe\isperror\ispins.htm
c:\windows\system32\oobe\isperror\ispnoanw.htm
c:\windows\system32\oobe\isperror\isppberr.htm
c:\windows\system32\oobe\isperror\ispphbsy.htm
c:\windows\system32\oobe\isperror\ispsbusy.htm
c:\windows\system32\sarz8z.log
H:\Autorun.inf
c:\windows\$NtUninstallKB13345$ . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_IAS
-------\Legacy_TCPPID
.
.
((((((((((((((((((((((((( Files Created from 2011-11-21 to 2011-12-21 )))))))))))))))))))))))))))))))
.
.
2011-12-12 19:52 . 2011-12-12 19:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-12-09 19:53 . 2011-12-13 03:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-12-09 19:51 . 2011-12-09 19:51 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-12-09 19:51 . 2011-12-09 19:51 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-11-29 19:10 . 2011-11-29 19:10 -------- d-----w- c:\program files\AGEIA Technologies
2011-11-29 19:10 . 2011-11-29 19:10 -------- d-----w- c:\windows\system32\AGEIA
2011-11-29 19:10 . 2011-11-29 19:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-11-29 18:48 . 2011-11-29 20:48 -------- d-----w- c:\program files\Defcon
2011-11-29 18:46 . 2011-11-29 18:46 -------- d-----w- c:\program files\TRAUMA
2011-11-23 16:09 . 2011-11-23 16:09 -------- d-----w- c:\program files\iPod
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 18:27 . 2011-07-18 13:15 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-22 15:49 . 2011-04-04 17:04 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"nwiz"="nwiz.exe" [2005-09-18 1519616]
"SoundMan"="SOUNDMAN.EXE" [2005-12-15 577536]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\FrozenSynapse\\FrozenSynapse.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Defcon\\defcon.exe"=
.
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [10/8/2010 12:31 PM 10448]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [3/18/2010 3:01 AM 40912]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [3/18/2010 3:01 AM 10448]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 151.164.1.8 151.164.1.7
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9l3angwx.default\
FF - prefs.js: browser.startup.homepage - www.gmail.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Testcase Test & Measurement - c:\testcase\DeIsL1.isu
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-21 13:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(648)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
- - - - - - - > 'explorer.exe'(3280)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-12-21 13:05:18 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-21 19:05
.
Pre-Run: 59,774,193,664 bytes free
Post-Run: 60,804,038,656 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 1D79DCD12FB70C64BE5E347BD7A4AC16

#7 gringo_pr


Posted 21 December 2011 - 02:35 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#8 Wordfencer


Posted 21 December 2011 - 03:27 PM

Hello,

I ran ComboFix by dropping in the script. It went quickly and I got the log below. The computer seems the same as last time, working fine, and no internet problems.

The ComboFix log is here:

ComboFix 11-12-21.02 - Owner 12/21/2011 14:14:04.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.605 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-11-21 to 2011-12-21 )))))))))))))))))))))))))))))))
.
.
2011-12-12 19:52 . 2011-12-12 19:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-12-09 19:53 . 2011-12-13 03:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-12-09 19:51 . 2011-12-09 19:51 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-12-09 19:51 . 2011-12-09 19:51 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-11-29 19:10 . 2011-11-29 19:10 -------- d-----w- c:\program files\AGEIA Technologies
2011-11-29 19:10 . 2011-11-29 19:10 -------- d-----w- c:\windows\system32\AGEIA
2011-11-29 19:10 . 2011-11-29 19:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-11-29 18:48 . 2011-11-29 20:48 -------- d-----w- c:\program files\Defcon
2011-11-29 18:46 . 2011-11-29 18:46 -------- d-----w- c:\program files\TRAUMA
2011-11-23 16:09 . 2011-11-23 16:09 -------- d-----w- c:\program files\iPod
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 18:27 . 2011-07-18 13:15 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-22 15:49 . 2011-04-04 17:04 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"nwiz"="nwiz.exe" [2005-09-18 1519616]
"SoundMan"="SOUNDMAN.EXE" [2005-12-15 577536]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\FrozenSynapse\\FrozenSynapse.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Defcon\\defcon.exe"=
.
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [10/8/2010 12:31 PM 10448]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [3/18/2010 3:01 AM 40912]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [3/18/2010 3:01 AM 10448]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 151.164.1.8 151.164.1.7
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\9l3angwx.default\
FF - prefs.js: browser.startup.homepage - www.gmail.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-21 14:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(648)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
- - - - - - - > 'explorer.exe'(3320)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2011-12-21 14:21:43
ComboFix-quarantined-files.txt 2011-12-21 20:21
ComboFix2.txt 2011-12-21 19:05
.
Pre-Run: 60,808,851,456 bytes free
Post-Run: 60,797,980,672 bytes free
.
- - End Of File - - 7A66965BC00096F3AF4296D9CE093E1E

#9 gringo_pr


Posted 21 December 2011 - 09:01 PM

Hello

I would like to see a report that ComboFix makes.

Extra ComboFix report

  • push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click OK

copy and paste the report into this topic for me to review

Gringo

#10 Wordfencer


Posted 22 December 2011 - 10:18 AM

Hello,

Here is the additional ComboFix report:

Acrobat.com
Adobe AIR
Adobe Flash Player 11 Plugin
Adobe Reader 9.3.3
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Console Classix 4.16
Defcon v1.6
eReg
Eschalon Book 2 1.04
Final Fantasy XI Theme Installer
Frozen Synapse
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB981793)
iTunes
Java Auto Updater
Java™ 6 Update 22
Logitech SetPoint 6.15
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 2.0
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office XP Standard
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 8.0.1 (x86 en-US)
Mozilla Thunderbird (8.0)
MSXML 6 Service Pack 2 (KB973686)
Myst Masterpiece Edition
Myst Uru - Complete Chronicles
Myst Uru Complete Chronicles
NVIDIA Drivers
NVIDIA PhysX
QuickTime
realMyst
Realtek AC'97 Audio
Resource Hacker Version 3.6.0
Riven The sequel to Myst
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB982381)
SeriousSamGold (remove only)
Spybot - Search & Destroy
TRAUMA version 1.0
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows XP Service Pack 3
Zork Nemesis - The Forbidden Lands

#11 Wordfencer


Posted 22 December 2011 - 03:36 PM

Hello,

Unfortunately, it looks like I'm back to square one here. I just had another outbreak of the XP security center windows. I'm unable to get any virus scans to start, and I can't start Process Explorer to kill them either. I've disconnected the internet cable, but I'm not sure where to go from here.

WF

UPDATE: 12/22/11 16:11 CST

I apologize for skipping ahead, but I had to retrieve some information from that computer.

I followed the steps in this guide:
http://www.bleepingcomputer.com/virus-removal/remove-xp-internet-security-2012

Specifically, I:
- ran FixNCR.reg
- ran rKill (which did shut down the "XP security" windows)
- ran tddskiller (which found nothing)
- ran MalwareBytes (which found two problems, quarantined and deleted them)
- ran SpyBot Search and Destroy (which found and fixed several problems)
- reran MalwareBytes (which came up clean)

I also have the logs from rKill, tddskiller, and MalwareBytes, if needed.

I've stopped at this point, and will wait for your reply. I have not reconnected the internet cable, and have not tried to run the browser or any programs other than Notepad.

WF

Edited by Wordfencer, 22 December 2011 - 05:20 PM.


#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:42 PM

Posted 23 December 2011 - 08:24 AM

Hello

I would like you to download an updated version of combofix.

update combofix

Delete the version of combofix you have now on your desktop and download a new one from here:

Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.
"information and logs"

In your next post I need the following:

  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 Wordfencer

Wordfencer
  • Topic Starter

  • Members
  • 17 posts
  • Local time:05:42 PM

Posted 24 December 2011 - 03:14 AM

Hello,
Thank you for the reply. I will be back to the computer on Monday, and will run combo fix and reply then.

WF

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:42 PM

Posted 24 December 2011 - 06:09 AM

Thanks for letting me know.


gringo

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:42 PM

Posted 28 December 2011 - 01:27 AM

Greetings


It has been about three or four days since I have heard from you, so I am coming by just to check on you.



Gringo



