Having trouble finalizing malware removal


  • This topic is locked
47 replies to this topic

#1 RFBF

RFBF

  • Members
  • 26 posts
  • OFFLINE
  • Local time:06:02 AM

Posted 11 January 2012 - 03:18 PM

Hello. First, thank you for the work you do here. You guys are awesome.
I monitor the email to which notifications will be sent M-Th 9-5 eastern.
Thanks for your help and take care.
details below
RF

Win XP SP3
Microsoft Security Essentials, daily update.
Firefox

A while back this computer got infected with a domino effect of various security alert type viruses. I wiped the HD, reinstalled, and then got reinfected. I thought I had removed them but am stuck with a persistent browser hijack and a few other things. I don't remember all the details of the original infection and removal. One was definitely Windows Security Center. I did removal with rkill, tdss killer, and malware antibytes in safe mode and the computer would scan clean, even after restart. Shortly thereafter I'd get reinfected. For a while iexplore.exe would show in my running processes, even without my starting it, but that seems to have gone away. The infection now seems to be gone, but the following symptoms persist:
1) browser redirect to various "search results" pages; "get-answers-fast.com", h t t p://63.209.69.107, and others. Sometimes some more unsavory domain names flash up, but the browser doesn't seem to land there.
2) after restart, Firefox is no longer my default browser
3) can not download .exe files; they start and then show as "Cancelled"
I downloaded DeFogger, DDS and GMER on a different computer and brought them in on a flash drive. I was working through the steps in your "Preparation Guide," but DDS will not complete. I don't believe I have any script blocking, unless it's in my firewall or virus software. I could not find mention of it in either place. DeFogger did not ask for a reboot, so I assume I don't have CD emulation software. I do have a GMER log and will paste it in below. However, when I ran it I got an error:
Load Driver [C:\DOCUME~1\DAVID\LOCALS~1\TEMP\cxtcapob.sys"] error 0xC000010E: Cannot create a stable subkey under a volitile parent key.
GMER started as soon as I closed that error message, and some defaults were set: System - Libraries were all unchecked, and greyed out so I could not check them. Services through ADS were as shown in your guide, and Show All was unchecked but greyed out.

ark.txt:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-09 16:49:57
Windows 5.1.2600 Service Pack 3
Running: d01h9lcd.exe; Driver: C:\DOCUME~1\David\LOCALS~1\Temp\kxtcapob.sys


---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\old email\Local Settings\Temporary Internet Files\Content.IE5\WTABCDEZ\fpi[1].htm 0 bytes

---- EOF - GMER 1.0.15 ----


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,733 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:02 AM

Posted 17 January 2012 - 03:20 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/437555 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 RFBF

RFBF
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:06:02 AM

Posted 18 January 2012 - 01:45 PM

Previously mentioned problems persist.
Ran DDS with AV turned off this time. DDS failed to complete again. I let it run for 12 minutes. New ark.txt attached; the first one's contents are copied into the original post.
Oh, it's not letting me attach ark.txt. I get a message saying "no file selected" even though I browse to the file, click it, and its name and location show in the file name window. Also, ark.txt saved as blank; the original report that I saved said something like "no changes to your system were found".
Microsoft Windows XP Professional Version 2002 Service Pack 3 32-bit
Original CD available
Any help you can offer will be appreciated. Thanks,

#4 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:11:02 AM

Posted 18 January 2012 - 04:54 PM

Hi there,

My name is Casey and I will be helping you with your malware problems.

Whilst we work through your malware problems it is very important that you do not make any changes to this PC. Specifically, do not run any further malware removal tools or try to remove anything yourself.

You may wish to "Watch Topic" so that you are immediately informed of any replies I make. I also ask that you reply to my posts within 5 days else your topic will be closed as stale.

Throughout the removal process, if you have any questions then you should ask them. If you are unsure of my instructions or something does not go as planned - then please tell me. Conversely, it is also important that you answer any questions I have and that you keep me updated on the state of the PC.

:step1: Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


:step2: We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#5 RFBF

RFBF
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:06:02 AM

Posted 19 January 2012 - 01:32 PM

Hi, and thanks for your help. I have downloaded TDSS killer, as it comes zipped. As mentioned I can not download .exe files on this machine. I will get OTL from another computer and bring it in on a thumb drive. I will have access to this computer again on Monday, 01/23, and will perform the requested actions and post them as requested at that time. Thanks and have a good weekend. RFBF

#6 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:11:02 AM

Posted 22 January 2012 - 12:56 PM

OK, great :thumbup2:

When using a usb drive to move things between your clean and infected PC, please do the following (to prevent cross-infection):

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *
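Casey's note above explains why a hidden folder named autorun.inf protects a drive, and :step2: asks for an OTL report; the O7, O32, O33 and O35 lines of such a report are where a reader can verify that state for themselves. The Python script below is an added example written for this page (it is not code from OTL, BleepingComputer or anyone in this thread). It parses a handful of OTL-style lines, decodes the NoDriveTypeAutoRun bit mask per registry hive, distinguishes a protective autorun.inf folder (D attribute) from an autorun.inf file, lists cached MountPoints2 AutoRun commands, and checks that the exefile/comfile open handler is still the stock "%1" %* (a changed handler is one classic reason .exe files refuse to run). The sample lines follow the OTL report format that appears in this thread; the hijacked-handler line and its C:\placeholder\hijack.exe path are constructed, not observed on any machine.

```python
"""Triage of OTL report lines for AutoRun and .exe/.com handler state.

Added example for the thread above; not OTL's own code nor BleepingComputer's.
The line formats follow OTL reports; the "hijacked handler" sample line and its
path are constructed placeholders.
"""
import re
from typing import List, Tuple

# Drive-type bits of the NoDriveTypeAutoRun policy value (Microsoft's drive type constants).
NODRIVETYPE_BITS = {
    0x01: "unknown-type",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unlisted",
}

# Stock "open" command for exefile/comfile on Windows XP; anything else means the handler was changed.
EXPECTED_OPEN_CMD = '"%1" %*'

O32_RE = re.compile(
    r'^O32 - AutoRun File - \[(?P<date>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attr>[-A-Z]{4})\s*\|\s*[CM]\]'
    r'\s*(?:\(\)\s*)?-\s*(?P<path>.+?)\s*--\s*\[\s*(?P<fs>\w+)\s*\]$'
)
O7_RE = re.compile(r'^O7 - (?P<hive>HK[A-Z]+\\[^\\]+)\\.*NoDriveTypeAutoRun = (?P<val>\d+)$')
O33_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<guid>\{[0-9a-fA-F-]+\})\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$'
)
O35_RE = re.compile(r'^O35 - HKLM\\\.\.(?P<ftype>exefile|comfile) \[open\] -- (?P<cmd>.+)$')

# Constructed sample input in OTL's format; the last O35 line is a made-up hijacked handler.
SAMPLE_OTL = r"""
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-823518204-1677128483-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O32 - AutoRun File - [2011/09/27 13:19:42 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2012/01/23 15:02:58 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2012/01/23 15:03:00 | 000,000,000 | RHSD | M] - I:\autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{8d05dfdf-3d2a-11e1-852f-0040ca7b33e9}\Shell\AutoRun\command - "" = I:\TL_Bootstrap.exe
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "C:\placeholder\hijack.exe" "%1" %*
"""
SAMPLE_LINES = [line for line in SAMPLE_OTL.splitlines() if line.strip()]


def decode_nodrivetype(value: int) -> List[str]:
    """Names of the drive types on which this NoDriveTypeAutoRun value disables AutoRun."""
    return [name for bit, name in NODRIVETYPE_BITS.items() if value & bit]


def triage_otl(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings: 'info' is expected/benign, 'review' deserves a look,
    'alert' means the .exe/.com open handler differs from the stock value."""
    findings: List[Tuple[str, str]] = []
    for raw in lines:
        line = raw.strip()
        m = O32_RE.match(line)
        if m:
            path, attr = m.group("path"), m.group("attr")
            size = int(m.group("size").replace(",", ""))
            if path.lower().endswith("autorun.inf"):
                if "D" in attr:
                    # A folder named autorun.inf stops a malicious autorun.inf FILE from being
                    # created in the root; this is the placeholder Flash_Disinfector leaves.
                    findings.append(("info", f"{path}: autorun.inf is a {attr} folder (protective placeholder)"))
                else:
                    findings.append(("review", f"{path}: autorun.inf file of {size} bytes; inspect its [autorun] section"))
            continue
        m = O7_RE.match(line)
        if m:
            val = int(m.group("val"))
            disabled = ", ".join(decode_nodrivetype(val)) or "no drive types"
            # Removable media is the vector the thread worries about, so flag values that leave it enabled.
            sev = "info" if val & 0x04 else "review"
            findings.append((sev, f"{m.group('hive')}: NoDriveTypeAutoRun=0x{val:02X} disables AutoRun on {disabled}"))
            continue
        m = O33_RE.match(line)
        if m:
            # Explorer caches the AutoRun command of a previously inserted volume; verify that binary.
            findings.append(("review", f"cached AutoRun command for volume {m.group('guid')}: {m.group('cmd')}"))
            continue
        m = O35_RE.match(line)
        if m:
            ftype, cmd = m.group("ftype"), m.group("cmd")
            if cmd == EXPECTED_OPEN_CMD:
                findings.append(("info", f"{ftype} open handler is the stock value {cmd}"))
            else:
                findings.append(("alert", f"{ftype} open handler changed to {cmd}"))
    return findings


if __name__ == "__main__":
    for sev, msg in triage_otl(SAMPLE_LINES):
        print(f"[{sev:6}] {msg}")
```

Run it with plain `python` and read the output top to bottom. The XP machine-wide default of 0x91 (145) leaves AutoRun enabled on removable drives, which is exactly why the per-user value of 0x24 and the autorun.inf placeholder folder both matter; a stock `"%1" %*` handler on both exefile and comfile tells you the file association is not what is stopping .exe files from launching, so the next place to look is the process-blocking component itself.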


#7 RFBF

RFBF
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:06:02 AM

Posted 23 January 2012 - 03:43 PM

Hello, again.
Well, partial success. TDSSKiller will not run, even when renamed. I got the .exe files in question by logging in as a different user on the same computer. I can not run them through Windows Explorer, even with "run as", so I had to drag them onto my desktop off a flash drive. I tried to run TDSSKiller as the other user (which can download the .exe files) and it asks me "do you really want to open this file?" On my own desktop, it doesn't even get that far; I click and nothing happens at all.

OTL runs, and the results are pasted below. Thanks for your continuing help.
db

OTL.TXT:
OTL logfile created on: 1/23/2012 3:28:08 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\David\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

759.48 Mb Total Physical Memory | 558.47 Mb Available Physical Memory | 73.53% Memory free
1.81 Gb Paging File | 1.51 Gb Available in Paging File | 83.51% Paging File free
Paging file location(s): C:\pagefile.sys 1140 2280 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 62.23 Gb Free Space | 83.50% Space Free | Partition Type: NTFS
Drive I: | 953.61 Mb Total Space | 948.96 Mb Free Space | 99.51% Space Free | Partition Type: FAT32
Drive Z: | 111.78 Gb Total Space | 74.40 Gb Free Space | 66.56% Space Free | Partition Type: NTFS

Computer Name: DBOFFICE | User Name: David | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/23 15:01:00 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\David\Desktop\OTL.exe
PRC - [2011/06/15 14:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2011/01/17 17:37:40 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2011/01/17 17:37:40 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/10/23 09:11:18 | 000,102,400 | ---- | M] (SHARP CORPORATION) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\SN0XRCV.exe
PRC - [2003/06/02 02:01:52 | 000,053,248 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE


========== Modules (No Company Name) ==========

MOD - [2011/09/29 09:25:39 | 000,170,496 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\program\libxslt.dll
MOD - [2011/09/29 09:25:38 | 000,985,088 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\program\libxml2.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/09/28 08:50:20 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)


========== Driver Services (SafeList) ==========

DRV - [2011/11/09 23:53:10 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\76787847.sys -- (76787847)
DRV - [2011/11/09 23:53:10 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\16069020.sys -- (16069020)
DRV - [2011/09/02 01:31:28 | 000,039,192 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2011/09/02 01:31:20 | 000,041,240 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2011/09/02 01:30:58 | 000,012,184 | ---- | M] (Logitech, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2011/02/14 02:42:36 | 000,020,864 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbdiag.sys -- (UsbDiag)
DRV - [2011/02/14 02:42:34 | 000,025,216 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbmodem.sys -- (USBModem)
DRV - [2011/02/14 02:42:32 | 000,013,056 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbbus.sys -- (usbbus)
DRV - [2004/08/03 21:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/06/02 02:01:48 | 000,719,052 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-823518204-1677128483-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-823518204-1677128483-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.google.com/
IE - HKU\S-1-5-21-823518204-1677128483-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-823518204-1677128483-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {02450954-cdd9-410f-b1da-db804e18c671}:0.96.3
FF - prefs.js..extensions.enabledItems: avg@igeared:6.103.018.001
FF - prefs.js..extensions.enabledItems: {37E4D8EA-8BDA-4831-8EA1-89053939A250}:3.0.0.1
FF - prefs.js..extensions.enabledItems: {1E73965B-8B48-48be-9C8D-68B920ABC1C4}:10.0.0.1319
FF - prefs.js..keyword.URL: "http://www.bing.com/search?pc=Z192&form=ZGAADF&install_date=20110929&q="
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 62586
FF - prefs.js..network.proxy.type: 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.669: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/03 14:51:50 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 9.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/09/27 15:54:17 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2011/09/27 15:26:29 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\David\Application Data\Mozilla\Extensions
[2011/09/29 10:52:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\nagfx7tm.default\extensions
[2011/09/29 10:29:31 | 000,001,945 | ---- | M] () -- C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\nagfx7tm.default\searchplugins\bing-zugo.xml
[2011/11/09 14:56:47 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/01/03 14:51:48 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/09/22 20:16:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml.old
[2011/11/09 14:56:28 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2011/11/10 14:06:11 | 000,000,726 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SN0XRCV] C:\WINDOWS\system32\spool\drivers\w32x86\3\SN0XRCV.exe (SHARP CORPORATION)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - Startup: C:\Documents and Settings\David\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-823518204-1677128483-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-823518204-1677128483-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-823518204-1677128483-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKU\S-1-5-21-823518204-1677128483-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B74833F2-0754-478A-B372-3153B300252F}: DhcpNameServer = 192.168.1.1 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/09/27 13:19:42 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2012/01/23 15:02:58 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2012/01/23 15:03:00 | 000,000,000 | RHSD | M] - I:\autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{8d05dfdf-3d2a-11e1-852f-0040ca7b33e9}\Shell - "" = AutoRun
O33 - MountPoints2\{8d05dfdf-3d2a-11e1-852f-0040ca7b33e9}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8d05dfdf-3d2a-11e1-852f-0040ca7b33e9}\Shell\AutoRun\command - "" = I:\TL_Bootstrap.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/23 15:20:43 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\David\Desktop\OTL.exe
[2012/01/23 15:20:39 | 002,054,448 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\David\Desktop\rellik.com
[2012/01/23 15:12:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David\Desktop\AV older
[2012/01/23 15:02:58 | 000,000,000 | RHSD | C] -- C:\autorun.inf
[2012/01/23 08:57:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2012/01/19 09:24:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David\Desktop\Hi Fi
[2012/01/18 14:44:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2012/01/18 14:15:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David\Local Settings\Application Data\Temp
[2012/01/18 14:12:14 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2012/01/18 14:09:43 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2012/01/18 14:08:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2012/01/16 14:58:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David\Application Data\Foxit Software
[2012/01/12 09:53:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\LGMOBILEAX
[2012/01/12 09:53:14 | 000,000,000 | ---D | C] -- C:\Program Files\LG Electronics
[2012/01/09 14:32:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David\Application Data\Softland
[2012/01/09 14:20:55 | 000,023,376 | ---- | C] (Softland) -- C:\WINDOWS\System32\dopdfmn7.dll
[2012/01/09 14:20:55 | 000,020,816 | ---- | C] (Softland) -- C:\WINDOWS\System32\dopdfmi7.dll
[2012/01/09 14:20:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\doPDF 7
[2012/01/09 14:20:47 | 000,000,000 | ---D | C] -- C:\Program Files\Softland
[2012/01/09 14:17:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Foxit Reader 5.1
[2012/01/09 14:17:42 | 000,000,000 | ---D | C] -- C:\Program Files\Foxit Software
[2012/01/09 13:43:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Softland
[2012/01/09 13:43:33 | 001,700,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\GdiPlus.dll
[2012/01/04 10:20:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David\Application Data\PriceGong
[2012/01/04 10:20:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\David\Local Settings\Application Data\Conduit
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/23 15:19:06 | 002,054,448 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\David\Desktop\rellik.com
[2012/01/23 15:18:31 | 000,002,206 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/23 15:01:00 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\David\Desktop\OTL.exe
[2012/01/23 14:50:37 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/01/23 08:59:51 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/01/23 08:55:00 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-823518204-1677128483-839522115-1003.job
[2012/01/23 08:54:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/19 13:52:12 | 000,006,312 | ---- | M] () -- C:\Documents and Settings\David\.recently-used.xbel
[2012/01/19 10:43:00 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-823518204-1677128483-839522115-1003.job
[2012/01/19 08:44:45 | 000,125,320 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/01/18 03:00:56 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/01/17 22:01:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/01/16 11:48:05 | 002,299,795 | ---- | M] () -- C:\Documents and Settings\David\Desktop\SleekSleeves-newlogo-onfabric.pdf
[2012/01/16 11:28:32 | 001,098,473 | ---- | M] () -- C:\Documents and Settings\David\Desktop\SleekSleevenew_white_web-1.ai
[2012/01/09 15:55:18 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\David\defogger_reenable
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/19 13:52:12 | 000,006,312 | ---- | C] () -- C:\Documents and Settings\David\.recently-used.xbel
[2012/01/18 14:11:19 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2012/01/16 11:48:03 | 002,299,795 | ---- | C] () -- C:\Documents and Settings\David\Desktop\SleekSleeves-newlogo-onfabric.pdf
[2012/01/16 11:28:31 | 001,098,473 | ---- | C] () -- C:\Documents and Settings\David\Desktop\SleekSleevenew_white_web-1.ai
[2012/01/09 15:55:18 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\David\defogger_reenable
[2012/01/09 13:43:38 | 000,007,549 | ---- | C] () -- C:\WINDOWS\System32\dopdf7.ctm
[2012/01/09 13:09:52 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/11/29 09:40:23 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2011/09/28 09:15:41 | 000,000,100 | ---- | C] () -- C:\WINDOWS\System32\SN0ELMON.dat
[2011/09/28 09:15:16 | 000,159,836 | ---- | C] () -- C:\WINDOWS\_isusr32.dll
[2011/09/28 09:15:16 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\_isusr2k.dll
[2011/09/28 09:15:12 | 000,000,397 | ---- | C] () -- C:\WINDOWS\System32\SCN2PM.DAT
[2011/09/27 13:22:02 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/09/27 13:16:56 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/09/27 09:05:55 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/09/27 09:05:04 | 000,125,320 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/02 13:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2001/08/23 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 07:00:00 | 000,311,604 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 07:00:00 | 000,039,992 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 07:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/23 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

< End of report >


Extras.Txt:
OTL Extras logfile created on: 1/23/2012 3:28:08 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\David\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

759.48 Mb Total Physical Memory | 558.47 Mb Available Physical Memory | 73.53% Memory free
1.81 Gb Paging File | 1.51 Gb Available in Paging File | 83.51% Paging File free
Paging file location(s): C:\pagefile.sys 1140 2280 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 62.23 Gb Free Space | 83.50% Space Free | Partition Type: NTFS
Drive I: | 953.61 Mb Total Space | 948.96 Mb Free Space | 99.51% Space Free | Partition Type: FAT32
Drive Z: | 111.78 Gb Total Space | 74.40 Gb Free Space | 66.56% Space Free | Partition Type: NTFS

Computer Name: DBOFFICE | User Name: David | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-823518204-1677128483-839522115-1003\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\FileMaker\FileMaker Pro 10\FileMaker Pro.exe" = C:\Program Files\FileMaker\FileMaker Pro 10\FileMaker Pro.exe:*:Enabled:FileMaker Pro -- (FileMaker, Inc.)
"C:\WINDOWS\system32\spool\drivers\w32x86\3\SN0XNJR.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\SN0XNJR.exe:*:Enabled:PC-Fax Notify Job Results -- (SHARP CORPORATION)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}" = Apple Software Update
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java™ 6 Update 22
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = eReg
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{96F5D143-C950-465D-A8BE-C3D4D9CB3C1F}" = FileMaker Pro 10
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9DE3F260-B88E-42CE-90E7-73C78C37D95E}" = 32 Bit HP BiDi Channel Components Installer
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{B03954CC-E130-4E57-BC83-869978685902}" = LG United Mobile Drivers
"{F52FD1A1-B8AA-4988-B5A2-FC3FBBB9211B}" = OnSite 7 Workstation Files
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Ashampoo Burning Studio 6 FREE_is1" = Ashampoo Burning Studio 6 FREE v.6.80
"doPDF 7 printer_is1" = doPDF 7.2 printer
"Foxit Reader_is1" = Foxit Reader 5.1
"GPL Ghostscript 8.15" = GPL Ghostscript 8.15
"GPL Ghostscript Fonts" = GPL Ghostscript Fonts
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"IE Privacy Keeper" = IE Privacy Keeper
"ie7" = Windows Internet Explorer 7
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox 9.0.1 (x86 en-US)" = Mozilla Firefox 9.0.1 (x86 en-US)
"Mozilla Thunderbird 9.0.1 (x86 en-US)" = Mozilla Thunderbird 9.0.1 (x86 en-US)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"RKU" = Rootkit Unhooker Uninstall
"SHARP MX-2300 2700 3500 4500 Series PC-Fax Driver" = SHARP MX/DX Series PC-Fax Driver
"SHARP MX-2300 2700 3500 4500 Series PCL PS Printer Driver" = SHARP MX/DX Series PCL/PS Printer Driver
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Windows XP Service Pack" = Windows XP Service Pack 3

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-823518204-1677128483-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Inkscape" = Inkscape 0.48.2
"pdfsam" = pdfsam

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/9/2012 5:21:43 PM | Computer Name = DBOFFICE | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 9.0.1.4371, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/10/2012 4:49:48 PM | Computer Name = DBOFFICE | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 9.0.1.4371, faulting module
unknown, version 0.0.0.0, fault address 0x00a08c67.

Error - 1/10/2012 4:51:28 PM | Computer Name = DBOFFICE | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 9.0.1.4371, faulting module
unknown, version 0.0.0.0, fault address 0x00a08c67.

Error - 1/18/2012 3:04:07 PM | Computer Name = DBOFFICE | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x00037331.

Error - 1/18/2012 3:19:04 PM | Computer Name = DBOFFICE | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 9.0.1.4371, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/18/2012 3:19:10 PM | Computer Name = DBOFFICE | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 9.0.1.4371, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/18/2012 3:19:13 PM | Computer Name = DBOFFICE | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 9.0.1.4371, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/18/2012 3:19:14 PM | Computer Name = DBOFFICE | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 9.0.1.4371, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/23/2012 4:23:36 PM | Computer Name = DBOFFICE | Source = Application Hang | ID = 1002
Description = Hanging application OTL.exe, version 3.2.31.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 11/15/2011 8:20:41 PM | Computer Name = DBOFFICE | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 11/15/2011 8:22:41 PM | Computer Name = DBOFFICE | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 11/15/2011 8:23:12 PM | Computer Name = DBOFFICE | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 11/15/2011 8:25:12 PM | Computer Name = DBOFFICE | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 11/15/2011 8:27:12 PM | Computer Name = DBOFFICE | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 11/15/2011 8:27:43 PM | Computer Name = DBOFFICE | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 11/15/2011 8:29:43 PM | Computer Name = DBOFFICE | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 11/15/2011 8:31:43 PM | Computer Name = DBOFFICE | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 11/15/2011 8:32:14 PM | Computer Name = DBOFFICE | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 11/15/2011 8:34:14 PM | Computer Name = DBOFFICE | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.


< End of report >

#8 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 23 January 2012 - 05:14 PM

Hmmmm... let's try this then:

Download and run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. If you are prompted to install the Recovery Console, then please do so.

Note: Please rename ComboFix.exe to Caseyboy.com and re-run. (For details on how to change a file extension please see here)

Please include the C:\ComboFix.txt in your next reply for further review.

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#9 RFBF

RFBF
  • Topic Starter

  • Members
  • 26 posts

Posted 25 January 2012 - 01:07 PM

Perhaps we need an exorcism, not malware removal. Or a sledgehammer. Anyway... I tried to run ComboFix yesterday and got as far as the "should be 10 min. may easily double" notice. I let it run for about 35 min and it never got off that screen. I couldn't close the screen after 35 min or open Task Manager; I could move my mouse and that's about it. Right- or left-clicking had no effect on any buttons. I had to manually turn off the computer.

I started ComboFix before leaving for the day, and in the AM (about 16 hours later) it was still there and the computer was frozen again. I tried to run CaseyBoy.com today. There were a few additional preliminary messages and screens at the beginning, but I got to the "10 min or double" notice and, again, nothing happened. After about 45 min the computer was frozen again, and I had to do a push-button restart.

Rats. Any further suggestions?
Thanks for your continued help, and sorry this is a pain.
RF

#10 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 25 January 2012 - 02:45 PM

That's OK. The latest malware tends to block our tools, so let's try something else :)

Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right-click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download dumpit to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1 represents the USB drive).
  • Double click on the dumpit file.
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.

Casey



#11 RFBF

RFBF
  • Topic Starter

  • Members
  • 26 posts

Posted 25 January 2012 - 03:23 PM

How exciting! I feel like I'm in a spy movie.
More tomorrow.
Thanks again for the help.

#12 RFBF

RFBF
  • Topic Starter

  • Members
  • 26 posts

Posted 26 January 2012 - 04:05 PM

Well, it's not done yet. Thanks for hanging in there on this.
Not everything went exactly as described, so I'll try to be precise.
Double-clicking 387.exe, I had to choose the drive letter and select the .iso file BEFORE clicking OK.
When booting the sick computer, F12 didn't do anything, so I hit DEL to enter setup and changed the boot order to 1) Removable, 2) Hard Drive, and then set the removable disk preference to USB.
Then, when trying to boot, I get a non-system disk failure.
I'm attaching a screenshot of what the contents of the USB drive look like, after completing the above.
I will be back here on Monday. Thanks again for your help, and have a good weekend.
RFBF

#13 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 27 January 2012 - 07:29 AM

Hi,

If booting from USB is causing some issues, we can try with a CD. You will need to set the boot-up options to boot from CD before your hard drive.

Try this please. You will also need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download dumpit to your USB
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1 represents the USB drive).
  • Double click on the dumpit file.
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.

Casey

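Both of Casey's xPUD/dumpit procedures above (posts #10 and #13) end with a zipped MBR dump that a helper then has to read. The script below is an added example, not part of the original thread and not the dumpit tool itself. It assumes the unzipped dump is the raw first 512 bytes of the disk (what a dd-style `dd if=/dev/sda bs=512 count=1` produces) and checks it the way a reviewer would: confirm the 0x55AA boot signature, hash the 440-byte bootstrap code so it can be compared against a dump taken from a known-clean machine with the same Windows version, and decode the four partition entries to catch structural oddities such as no active partition or overlapping entries. The sample sector it builds is constructed for the example, not taken from the poster's machine.

```python
"""Parse and sanity-check a raw 512-byte MBR sector.

Added example, not a BleepingComputer or xPUD/dumpit tool.  Assumes the dump
is sector 0 of the disk as written by a dd-style dumper.  The sample sector
built by build_sample_mbr() is constructed, not a real machine's MBR.
"""
import hashlib
import struct

SECTOR = 512
BOOTSTRAP_LEN = 440                 # x86 boot code occupies bytes 0..439
DISK_SIG_OFFSET = 440               # 4-byte Windows disk signature
PTABLE_OFFSET = 446                 # four 16-byte partition entries
SIG_OFFSET = 510                    # 0x55 0xAA boot signature
# status, CHS start, type, CHS end, LBA start, sector count (little-endian)
ENTRY = struct.Struct("<B3sB3sII")


def parse_mbr(sector: bytes) -> dict:
    """Return signature validity, bootstrap hash, disk signature and partitions."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = ENTRY.unpack_from(
            sector, PTABLE_OFFSET + 16 * i)
        partitions.append({"index": i, "status": status, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xaa",
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
    }


def find_anomalies(info: dict) -> list:
    """Flag structural oddities in the partition table.

    A finding is a prompt to look closer, not proof of infection; an empty
    list does not clear the MBR, because bootkits usually leave the table
    intact and replace only the bootstrap code (hence the hash above).
    """
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    used = [p for p in info["partitions"] if p["type"] != 0 and p["sectors"] != 0]
    if sum(1 for p in used if p["status"] == 0x80) != 1:
        findings.append("expected exactly one active (0x80) partition")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
    used.sort(key=lambda p: p["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"entries {a['index']} and {b['index']} overlap")
    return findings


def build_sample_mbr(tampered: bool = False) -> bytes:
    """Constructed sector: placeholder boot code and two NTFS partitions."""
    sector = bytearray(SECTOR)
    sector[0:4] = b"\x33\xc0\x8e\xd0"            # xor ax,ax / mov ss,ax opening
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, 0x1234ABCD)
    entries = [(0x80, 0x07, 63, 156_000_000),            # active NTFS system partition
               (0x00, 0x07, 156_000_063, 20_000_000)]    # second NTFS data partition
    if tampered:
        # second entry now starts inside the first: an overlap the check must catch
        entries[1] = (0x00, 0x07, 100_000_000, 20_000_000)
    for i, (status, ptype, lba, count) in enumerate(entries):
        ENTRY.pack_into(sector, PTABLE_OFFSET + 16 * i,
                        status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    sector[SIG_OFFSET:SIG_OFFSET + 2] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                        # e.g. the unzipped mbr dump
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(SECTOR)
    else:
        data = build_sample_mbr()
    info = parse_mbr(data)
    print(f"signature ok:     {info['signature_ok']}")
    print(f"disk signature:   0x{info['disk_signature']:08x}")
    print(f"bootstrap sha256: {info['bootstrap_sha256']}")
    for p in info["partitions"]:
        print(p)
    for finding in find_anomalies(info) or ["no structural anomalies"]:
        print("-", finding)
```

Run it with the unzipped dump as the only argument (`python mbr_check.py mbr.bin`); with no argument it analyses its own constructed sample. The bootstrap hash is the part that matters for a suspected bootkit: MBR rootkits typically keep a valid partition table and replace only the boot code, so compare the hash with one taken from a clean install of the same Windows version rather than relying on the anomaly list alone.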


#14 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 30 January 2012 - 04:16 PM

Hi,

This is a 3 day bump.

Hopefully you're still with me but please be aware that if there is no reply within two days, then this topic will be closed as stale.

Casey



#15 RFBF

RFBF
  • Topic Starter

  • Members
  • 26 posts

Posted 30 January 2012 - 04:45 PM

Definitely still with you, and thanks for your patience. This is a work computer so nothing happens Friday-Sunday. Today was just busy, and it's hard to get access to a second computer. I hope that my delay in replying hasn't held you up at all. Is this reply enough to reset the clock? I hope to do something tomorrow. Thanks again for all your help. RFBF



