
XP Home Security 2012. Removed but not forgotten.


  • This topic is locked
3 replies to this topic

#1 checkyoufeet

  • Members
  • 4 posts

Posted 27 June 2012 - 10:02 AM

OLD THREAD: http://www.bleepingcomputer.com/forums/topic458509.html

HP Laptop running Windows XP Home Edition, SP3.
Computer couldn't connect to the internet. Task Manager was closed immediately after opening, as was Internet Explorer (the only browser on the machine).
Got the Task Manager to open right as Windows started and stopped any process that looked suspicious. (This was before I found the guide on Bleeping, mind you. Forgive my ham-fisted attempts, but they worked.)
I was able to run Malwarebytes and XP Home Security was visibly gone when I rebooted.

How it stands:
-First Malwarebytes scan removed over 130 infections.
-Opening IE just flashes the white window of the program and then closes. No error message.
-Installed Opera and Firefox. Neither of them can connect to Google. Both of them get random tabs opened with long, nonsensical URLs. I close them immediately.
-Tried running DDS, got about 90% through the scan and it froze. Mouse still moved, but nothing was clickable.
-Tried running GMER, scanned for 15-20 minutes and the program window went white. Unresponsive. I left it like that for another 20 minutes, no change.

As requested by a Mod in this thread: http://www.bleepingcomputer.com/forums/topic458509.html
I ran OTL.

I am currently on a different machine. I will immediately make a reply from the other machine with the OTL logs.


#2 checkyoufeet (Topic Starter)

  • Members
  • 4 posts

Posted 27 June 2012 - 10:04 AM

I am pasting the OTL.txt log. I am attaching the Extras.txt log.

OTL logfile created on: 6/27/2012 10:44:36 AM - Run 1
OTL by OldTimer - Version 3.2.53.0 Folder = C:\Documents and Settings\Elaine\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

446.17 Mb Total Physical Memory | 129.05 Mb Available Physical Memory | 28.92% Memory free
958.05 Mb Paging File | 740.89 Mb Available in Paging File | 77.33% Paging File free
Paging file location(s): C:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 47.29 Gb Total Space | 30.04 Gb Free Space | 63.52% Space Free | Partition Type: NTFS
Drive D: | 7.58 Gb Total Space | 0.61 Gb Free Space | 8.08% Space Free | Partition Type: FAT32

Computer Name: PC300862272413 | User Name: Elaine | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Elaine\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe (Cisco Systems, Inc.)
PRC - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Cisco Systems, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Lexmark 2400 Series\ezprint.exe (Lexmark International Inc.)
PRC - C:\WINDOWS\system32\lxcrcoms.exe ( )
PRC - C:\Program Files\HPQ\shared\HpqToaster.exe ()


========== Modules (No Company Name) ==========

MOD - C:\Documents and Settings\NetworkService\Local Settings\Application Data\hipomea.dll ()
MOD - C:\WINDOWS\system32\USB3Nw32.dll ()
MOD - C:\Program Files\Common Files\Pure Networks Shared\Platform\CAntiVirusCOM.dll ()
MOD - C:\Program Files\Common Files\Pure Networks Shared\Platform\CFirewallCOM.dll ()
MOD - \\?\globalroot\systemroot\system32\mswsock.dll ()
MOD - \\.\globalroot\systemroot\system32\mswsock.dll ()
MOD - C:\Program Files\Lexmark Fax Solutions\fxctrstr.dll ()
MOD - C:\WINDOWS\system32\LXPRMON.DLL ()
MOD - C:\Program Files\Lexmark Fax Solutions\ipcmt.dll ()
MOD - C:\Program Files\Lexmark 2400 Series\iptk.dll ()
MOD - C:\WINDOWS\system32\spool\prtprocs\w32x86\lxcrpp5c.dll ()
MOD - C:\Program Files\HP\QuickPlay\Kernel\common\CLDataSync.dll ()
MOD - C:\Program Files\HPQ\shared\HpqToaster.exe ()


========== Win32 Services (SafeList) ==========

SRV - (slabbus) -- %systemroot%\system32\SE27obex.dll File not found
SRV - (NecUsb) -- C:\WINDOWS\system32\NUSB3w32.dll File not found
SRV - (HidServ) -- %SystemRoot%\System32\hidserv.dll File not found
SRV - (AppMgmt) -- %SystemRoot%\System32\appmgmts.dll File not found
SRV - (6to4) -- C:\WINDOWS\system32\6to4v32.dll File not found
SRV - (nmservice) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe (Cisco Systems, Inc.)
SRV - (mafwboot) -- C:\WINDOWS\system32\UCTblHid.dll (Oak Technology Inc.)
SRV - (lxcr_device) -- C:\WINDOWS\system32\lxcrcoms.exe ( )


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (tifm21) -- system32\drivers\tifm21.sys File not found
DRV - (SymIMMP) -- system32\DRIVERS\SymIM.sys File not found
DRV - (SymIM) -- system32\DRIVERS\SymIM.sys File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (LXARScan) -- System32\Drivers\Lxarscan.sys File not found
DRV - (lbrtfdc) -- File not found
DRV - (iuvnjje) -- System32\drivers\ypla.sys File not found
DRV - (i2omgmt) -- File not found
DRV - (eabfiltr) -- C:\WINDOWS\system32\drivers\EABFiltr.sys File not found
DRV - (Changer) -- File not found
DRV - (NPF) WinPcap Packet Driver (NPF) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies, Inc.)
DRV - (purendis) -- C:\WINDOWS\system32\drivers\purendis.sys (Cisco Systems, Inc.)
DRV - (pnarp) -- C:\WINDOWS\system32\drivers\pnarp.sys (Cisco Systems, Inc.)
DRV - (MCSTRM) -- C:\WINDOWS\System32\drivers\mcstrm.sys (RealNetworks, Inc.)
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSFHWATI) -- C:\WINDOWS\system32\drivers\HSFHWATI.sys (Conexant Systems, Inc.)
DRV - (BTWUSB) -- C:\WINDOWS\system32\drivers\btwusb.sys (Broadcom Corporation.)
DRV - (CAMCHALA) -- C:\WINDOWS\system32\drivers\camc6hal.sys (Conexant Systems Inc.)
DRV - (CAMCAUD) -- C:\WINDOWS\system32\drivers\camc6aud.sys (Conexant Systems Inc.)
DRV - (SMCIRDA) -- C:\WINDOWS\system32\drivers\smcirda.sys (SMC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://toolbar.inbox.com/help/sa_customize.aspx?tbid=80306
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx?tbid=80306&lng=en
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2278815631-235163067-2839462154-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id&%language
IE - HKU\S-1-5-21-2278815631-235163067-2839462154-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-2278815631-235163067-2839462154-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-2278815631-235163067-2839462154-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-2278815631-235163067-2839462154-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.inbox.com/homepage.aspx?tbid=80306&lng=en
IE - HKU\S-1-5-21-2278815631-235163067-2839462154-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-2278815631-235163067-2839462154-1006\..\URLSearchHook: {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - No CLSID value found
IE - HKU\S-1-5-21-2278815631-235163067-2839462154-1006\..\SearchScopes,DefaultScope = {C04B7D22-5AEC-4561-8F49-27F6269208F6}
IE - HKU\S-1-5-21-2278815631-235163067-2839462154-1006\..\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}: "URL" = http://search.alot.com/web?q={searchTerms}&pr=prov&client_id=B14B482001CBAF4B1111F9DE&install_time=2011-01-08T15:50:08Z&src_id=11603&camp_id=1912&tb_version=2.5.15000.521
IE - HKU\S-1-5-21-2278815631-235163067-2839462154-1006\..\SearchScopes\{AECE488E-7D79-4078-86DD-0CAEDC291EE7}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7HPIB
IE - HKU\S-1-5-21-2278815631-235163067-2839462154-1006\..\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}: "URL" = http://toolbar.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80306&lng=en
IE - HKU\S-1-5-21-2278815631-235163067-2839462154-1006\..\SearchScopes\VWPT: "URL" = http://search.viewpoint.com/pl/search?tab=1&k={searchTerms}&addr=1&query=vb=1%26tn%3D0%26addr%3D1%26type%3Drel39%5fxp%26instid%3DViewpointV35%5fxp
IE - HKU\S-1-5-21-2278815631-235163067-2839462154-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2278815631-235163067-2839462154-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.0.2\extensions\\Components: C:\Program Files\Flock\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.0.2\extensions\\Plugins: C:\Program Files\Flock\plugins [2012/03/04 12:38:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.5\extensions\\Components: C:\Program Files\Flock\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.5\extensions\\Plugins: C:\Program Files\Flock\plugins [2012/03/04 12:38:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.6.1\extensions\\Components: C:\Program Files\Flock\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.6.1\extensions\\Plugins: C:\Program Files\Flock\plugins [2012/03/04 12:38:47 | 000,000,000 | ---D | M]

[2012/06/27 09:23:17 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Elaine\Application Data\Mozilla\Extensions
[2008/12/19 18:27:35 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Elaine\Application Data\Mozilla\Extensions\{a463f10c-3994-11da-9945-000d60ca027b}
[2009/01/24 02:00:50 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Elaine\Application Data\Mozilla\Firefox\extensions
[2009/01/24 02:00:50 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Elaine\Application Data\Mozilla\Firefox\extensions\moveplayer@movenetworks.com
[2009/01/24 02:00:50 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Elaine\Application Data\Mozilla\Firefox\extensions\staged-xpis

O1 HOSTS File: ([2012/02/07 09:57:42 | 000,000,761 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O2 - BHO: (ALOT Toolbar Helper) - {14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6} - C:\Program Files\alot\bin\alot.dll (Vertro)
O2 - BHO: (Viewpoint Toolbar BHO) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll (Viewpoint Corporation)
O3 - HKLM\..\Toolbar: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKLM\..\Toolbar: (ALOT Toolbar) - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll (Vertro)
O3 - HKLM\..\Toolbar: (Viewpoint Toolbar) - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll (Viewpoint Corporation)
O3 - HKU\S-1-5-21-2278815631-235163067-2839462154-1006\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-2278815631-235163067-2839462154-1006\..\Toolbar\WebBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [EzPrint] C:\Program Files\Lexmark 2400 Series\ezprint.exe (Lexmark International Inc.)
O4 - HKLM..\Run: [FaxCenterServer] C:\Program Files\Lexmark Fax Solutions\fm3032.exe ()
O4 - HKLM..\Run: [LXCRCATS] rundll32 \3\LXCRtime.dll,_RunDLLEntry@16 File not found
O4 - HKLM..\Run: [lxcrmon.exe] C:\Program Files\Lexmark 2400 Series\lxcrmon.exe ()
O4 - HKLM..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe File not found
O4 - HKLM..\Run: [nmapp] C:\Program Files\Pure Networks\Network Magic\nmapp.exe (Cisco Systems, Inc.)
O4 - HKLM..\Run: [nmctxth] C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Cisco Systems, Inc.)
O4 - HKLM..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe File not found
O4 - HKLM..\Run: [RecGuard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\WINDOWS\CREATOR\Remind_XP.exe (SoftThinks)
O4 - HKU\S-1-5-21-2278815631-235163067-2839462154-1006..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe File not found
O4 - HKU\S-1-5-21-2278815631-235163067-2839462154-1006..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0 File not found
O4 - HKLM..\RunOnceEx: [] File not found
O4 - Startup: C:\Documents and Settings\Elaine\Start Menu\Programs\Startup\Adobe Media Player.lnk = File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2278815631-235163067-2839462154-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm090YYUS File not found
O9 - Extra Button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe File not found
O9 - Extra 'Tools' menuitem : PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - %SystemRoot%\System32\nwprovau.dll File not found
O15 - HKU\S-1-5-21-2278815631-235163067-2839462154-1006\..Trusted Domains: aol.com ([aimexpress] https in Trusted sites)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{44661460-A21C-4E19-B3EB-BEE24BD695B3}: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\hipomea: DllName - (C:\Documents and Settings\NetworkService\Local Settings\Application Data\hipomea.dll) - C:\Documents and Settings\NetworkService\Local Settings\Application Data\hipomea.dll ()
O20 - Winlogon\Notify\NecUsb3Sevice: DllName - (USB3Nw32.dll) - C:\WINDOWS\System32\USB3Nw32.dll ()
O20 - Winlogon\Notify\USB3Nw32: DllName - (USB3Nw32.dll) - C:\WINDOWS\System32\USB3Nw32.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\Elaine\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Elaine\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2001/07/27 23:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2012/03/04 12:13:40 | 000,000,090 | ---- | M] () - D:\Autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2004/04/30 15:01:14 | 000,000,053 | -HS- | M] () - D:\AUTORUN.FCB -- [ FAT32 ]
O33 - MountPoints2\{8e334536-9e8a-11de-8db3-0014a525916a}\Shell\AutoRun\command - "" = F:\SETUP.EXE /AUTORUN
O33 - MountPoints2\{8e334536-9e8a-11de-8db3-0014a525916a}\Shell\configure\command - "" = F:\SETUP.EXE
O33 - MountPoints2\{8e334536-9e8a-11de-8db3-0014a525916a}\Shell\install\command - "" = F:\SETUP.EXE
O34 - HKLM BootExecute: ('autocheck autochk *')
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2100/02/08 16:03:54 | 000,053,248 | ---- | C] (Silitek Corp.) -- C:\Program Files\ACMonitor_X73.exe
[2012/06/27 10:44:10 | 000,596,992 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Elaine\Desktop\OTL.exe
[2012/06/27 09:47:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Elaine\Desktop\bleep
[2012/06/27 09:16:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Elaine\Local Settings\Application Data\Opera
[2012/06/27 09:16:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Elaine\Application Data\Opera
[2012/06/27 09:16:00 | 000,000,000 | ---D | C] -- C:\Program Files\Opera
[2012/06/26 22:39:59 | 008,624,296 | ---- | C] (Mozilla) -- C:\Documents and Settings\Elaine\Desktop\Firefox Setup 3.6.28.exe
[2012/06/26 22:37:49 | 010,620,880 | ---- | C] (Opera Software ASA) -- C:\Documents and Settings\Elaine\My Documents\Opera_1164_int_Setup.exe
[2012/06/26 22:33:11 | 000,000,000 | ---D | C] -- C:\Avenger
[2012/06/26 22:12:33 | 001,445,888 | ---- | C] (Option^Explicit Software Solutions) -- C:\Documents and Settings\Elaine\Desktop\winsockxpfix.exe
[2012/06/26 22:08:43 | 010,620,880 | ---- | C] (Opera Software ASA) -- C:\Documents and Settings\Elaine\Desktop\Opera_1164_int_Setup.exe
[2012/06/26 21:14:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Elaine\Application Data\Malwarebytes
[2012/06/26 21:13:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/06/26 21:13:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/06/26 21:13:55 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/06/26 21:13:55 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/06/26 21:12:42 | 010,063,000 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Elaine\Desktop\mbam-setup-1.61.0.1400.exe
[2012/06/26 14:22:53 | 000,000,000 | ---D | C] -- C:\Program Files\WebEx
[2012/06/26 14:22:38 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Sonic Shared
[2012/06/26 14:22:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Sonic
[2012/06/26 14:22:34 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\SureThing Shared
[2012/06/26 14:22:01 | 000,000,000 | ---D | C] -- C:\Program Files\alot
[2012/06/26 14:22:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Elaine\Application Data\alot
[2012/06/01 17:38:46 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Elaine\PrivacIE
[2012/06/01 17:38:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Elaine\Local Settings\Application Data\AOL Toolbar
[2012/06/01 06:47:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Elaine\IETldCache
[2012/06/01 06:45:10 | 000,000,000 | ---D | C] -- C:\Program Files\AOL Toolbar
[2012/06/01 06:45:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AOL Toolbar
[2012/06/01 06:40:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/06/27 10:47:03 | 000,446,386 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/06/27 10:47:03 | 000,073,426 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/06/27 10:44:11 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Elaine\Desktop\OTL.exe
[2012/06/27 10:42:56 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/06/27 10:42:55 | 000,001,048 | -HS- | M] () -- C:\hpqp.ini
[2012/06/27 10:42:54 | 000,000,039 | ---- | M] () -- C:\XP_TV.ini
[2012/06/27 10:42:39 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\System32\dds_trash_log.cmd
[2012/06/27 10:42:35 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/06/27 10:42:32 | 467,914,752 | -HS- | M] () -- C:\hiberfil.sys
[2012/06/27 09:16:05 | 000,001,492 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk
[2012/06/26 22:39:28 | 008,624,296 | ---- | M] (Mozilla) -- C:\Documents and Settings\Elaine\Desktop\Firefox Setup 3.6.28.exe
[2012/06/26 22:12:54 | 000,000,059 | ---- | M] () -- C:\Documents and Settings\Elaine\Application Data\mbam.context.scan
[2012/06/26 22:11:46 | 001,445,888 | ---- | M] (Option^Explicit Software Solutions) -- C:\Documents and Settings\Elaine\Desktop\winsockxpfix.exe
[2012/06/26 21:58:38 | 000,017,062 | -HS- | M] () -- C:\Documents and Settings\Elaine\Local Settings\Application Data\8ts01xw8576g0sj431m51847dwckb8133
[2012/06/26 21:58:38 | 000,017,062 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\8ts01xw8576g0sj431m51847dwckb8133
[2012/06/26 21:13:58 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/06/26 21:11:32 | 010,063,000 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Elaine\Desktop\mbam-setup-1.61.0.1400.exe
[2012/06/26 14:25:09 | 000,347,400 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/06/07 06:45:00 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/06/07 05:42:13 | 003,396,608 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mbb
[2012/06/07 05:42:13 | 001,625,088 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mb
[2012/05/30 22:33:20 | 010,620,880 | ---- | M] (Opera Software ASA) -- C:\Documents and Settings\Elaine\My Documents\Opera_1164_int_Setup.exe
[2012/05/30 22:33:20 | 010,620,880 | ---- | M] (Opera Software ASA) -- C:\Documents and Settings\Elaine\Desktop\Opera_1164_int_Setup.exe
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2100/02/08 15:53:34 | 000,001,437 | ---- | C] () -- C:\Program Files\gtx73.ini
[2012/06/27 09:16:05 | 000,001,498 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Opera.lnk
[2012/06/27 09:16:04 | 000,001,492 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk
[2012/06/27 09:14:40 | 000,002,600 | ---- | C] () -- C:\Documents and Settings\Elaine\Desktop\xp_exe_fix.reg
[2012/06/26 22:36:25 | 467,914,752 | -HS- | C] () -- C:\hiberfil.sys
[2012/06/26 22:12:54 | 000,000,059 | ---- | C] () -- C:\Documents and Settings\Elaine\Application Data\mbam.context.scan
[2012/06/26 21:13:58 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/20 11:30:20 | 000,010,752 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\hipomea.dll
[2012/01/29 07:09:58 | 000,105,324 | ---- | C] () -- C:\WINDOWS\System32\itusbcore.dat
[2012/01/29 07:09:58 | 000,000,198 | ---- | C] () -- C:\WINDOWS\System32\itlsvc.dat
[2012/01/29 07:05:02 | 000,037,888 | ---- | C] () -- C:\WINDOWS\System32\USB3Nw32.dll
[2012/01/04 14:11:25 | 000,017,062 | -HS- | C] () -- C:\Documents and Settings\Elaine\Local Settings\Application Data\8ts01xw8576g0sj431m51847dwckb8133
[2012/01/04 14:11:25 | 000,017,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8ts01xw8576g0sj431m51847dwckb8133
[2012/01/04 08:48:14 | 000,017,248 | -HS- | C] () -- C:\Documents and Settings\Elaine\Local Settings\Application Data\qim00vl17wy6bgvpckeo603312g0nwg182r64xkrdu0
[2012/01/04 08:48:14 | 000,017,248 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\qim00vl17wy6bgvpckeo603312g0nwg182r64xkrdu0
[2011/07/25 09:19:23 | 000,007,072 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\N360BUOptions.ini
[2011/07/19 14:08:42 | 000,016,526 | -HS- | C] () -- C:\Documents and Settings\Elaine\Local Settings\Application Data\03u66i33ddp14k
[2011/07/19 14:08:42 | 000,016,526 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\03u66i33ddp14k
[2011/05/09 12:04:39 | 008,892,928 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\atscie.msi
[2006/06/01 14:33:21 | 000,004,438 | ---- | C] () -- C:\Documents and Settings\Elaine\Application Data\wklnhst.dat
[2006/05/31 03:33:57 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\Elaine\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/05/31 01:14:24 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\Elaine\Local Settings\Application Data\fusioncache.dat
[2001/07/20 10:48:06 | 000,008,116 | ---- | C] () -- C:\Program Files\OSLO3071b2.USB
[2000/12/05 15:56:34 | 000,114,688 | ---- | C] () -- C:\Program Files\lxarscan.dll
[2000/01/11 12:50:48 | 000,000,047 | ---- | C] () -- C:\Program Files\ACMonitor_X73.ini

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\$NtUninstallKB62280$] -> Error: Cannot create file handle -> Unknown point type

< End of report >

Attached Files
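As an added example (not part of this thread and not a tool the responder used), a small Python triage script that applies to OTL log lines the same kinds of checks the fix list in the next reply reflects: Winlogon Notify DLLs loaded from a user profile path or carrying no company name, loaded modules with no company name under a profile directory, Run entries pointing at files that no longer exist, and hidden+system files with long extension-less names under Application Data. The regular expressions and the name-length threshold are my own assumptions about OTL's line format, inferred from the log above; the sample lines are copied from that log, plus two benign ones for contrast.

```python
import re
from typing import List, Tuple

# Sample input: lines copied from the OTL log posted above, plus two benign lines
# (explorer.exe and the Malwarebytes shortcut) kept for contrast. Assembled here
# only so the triage can run offline.
SAMPLE_OTL_LINES = [
    r"MOD - C:\Documents and Settings\NetworkService\Local Settings\Application Data\hipomea.dll ()",
    r"MOD - C:\WINDOWS\system32\USB3Nw32.dll ()",
    r"PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)",
    r"O4 - HKLM..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe File not found",
    r"O4 - HKLM..\Run: [nmapp] C:\Program Files\Pure Networks\Network Magic\nmapp.exe (Cisco Systems, Inc.)",
    r"O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)",
    r"O20 - Winlogon\Notify\hipomea: DllName - (C:\Documents and Settings\NetworkService\Local Settings\Application Data\hipomea.dll) - C:\Documents and Settings\NetworkService\Local Settings\Application Data\hipomea.dll ()",
    r"O20 - Winlogon\Notify\USB3Nw32: DllName - (USB3Nw32.dll) - C:\WINDOWS\System32\USB3Nw32.dll ()",
    r"[2012/01/04 14:11:25 | 000,017,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8ts01xw8576g0sj431m51847dwckb8133",
    r"[2012/06/26 21:13:58 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk",
]

# Assumption: OTL prints the file's company name in trailing parentheses; "()" or "( )" means none.
COMPANY_RE = re.compile(r"\(([^()]*)\)\s*$")
# Per-user / All Users data directories, where system components normally do not load from.
PROFILE_RE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(Local Settings\\)?Application Data\\", re.I
)
# Assumed file-list layout: [date time | size | attrs | C-or-M] (company) -- path
FILE_LINE_RE = re.compile(
    r"^\[[^|]+\|[^|]+\|\s*(?P<attrs>[-A-Z]{4})\s*\|[^\]]+\]\s*\((?P<company>[^)]*)\)\s*--\s*(?P<path>.+)$"
)
RANDOM_NAME_MIN_LEN = 12  # assumption: extension-less names this long are worth a look


def triage_line(line: str) -> List[str]:
    """Return the reasons (possibly none) an analyst should look at this OTL line."""
    reasons: List[str] = []

    file_m = FILE_LINE_RE.match(line)
    if file_m:
        attrs, path = file_m.group("attrs"), file_m.group("path")
        name = path.rsplit("\\", 1)[-1]
        # Hidden + system, no extension, long name, sitting in an Application Data folder.
        if ("H" in attrs and "S" in attrs and "." not in name
                and len(name) >= RANDOM_NAME_MIN_LEN and PROFILE_RE.search(path)):
            reasons.append("hidden+system extension-less file in a profile data directory")
        return reasons

    m = COMPANY_RE.search(line)
    company = m.group(1).strip() if m else None

    if line.startswith("O20 - Winlogon\\Notify\\"):
        if PROFILE_RE.search(line):
            reasons.append("Winlogon Notify DLL loaded from a user profile path")
        if company == "":
            reasons.append("Winlogon Notify DLL with no company name")
    elif line.startswith("MOD - "):
        if company == "" and PROFILE_RE.search(line):
            reasons.append("loaded module with no company name under a user profile")
    elif line.startswith("O4 - ") and line.endswith("File not found"):
        reasons.append("autorun entry pointing at a missing file")
    return reasons


def triage(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run triage_line over a whole log and keep only the lines that raised a reason."""
    hits = []
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_OTL_LINES):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

The rules are deliberately narrow heuristics, not verdicts: a module with no company name in system32 is common for printer drivers and OEM tools (several appear in the log above), so the script only escalates the combinations that are rarely legitimate together, and a human still decides what goes into the fix.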



#3 nasdaq

  • Malware Response Team
  • 38,753 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 July 2012 - 08:28 AM

Run OTL - Double-click OTL.exe to start it.

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    :OTL
    MOD - C:\Documents and Settings\NetworkService\Local Settings\Application Data\hipomea.dll ()
    MOD - C:\WINDOWS\system32\USB3Nw32.dll ()
    IE - HKU\S-1-5-21-2278815631-235163067-2839462154-1006\..\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}: "URL" = http://search.alot.com/web?q={searchTerms}&pr=prov&client_id=B14B482001CBAF4B1111F9DE&install_time=2011-01-08T15:50:08Z&src_id=11603&camp_id=1912&tb_version=2.5.15000.521
    IE - HKU\S-1-5-21-2278815631-235163067-2839462154-1006\..\SearchScopes\VWPT: "URL" = http://search.viewpoint.com/pl/search?tab=1&k={searchTerms}&addr=1&query=vb=1%26tn%3D0%26addr%3D1%26type%3Drel39%5fxp%26instid%3DViewpointV35%5fxp
    O2 - BHO: (ALOT Toolbar Helper) - {14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6} - C:\Program Files\alot\bin\alot.dll (Vertro)
    O2 - BHO: (Viewpoint Toolbar BHO) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll (Viewpoint Corporation)
    O3 - HKLM\..\Toolbar: (ALOT Toolbar) - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll (Vertro)
    O3 - HKLM\..\Toolbar: (Viewpoint Toolbar) - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll (Viewpoint Corporation)
    O4 - HKLM..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe File not found
    O4 - HKU\S-1-5-21-2278815631-235163067-2839462154-1006..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe File not found
    O4 - HKLM..\RunOnceEx: [] File not found
    O4 - Startup: C:\Documents and Settings\Elaine\Start Menu\Programs\Startup\Adobe Media Player.lnk = File not found
    O20 - Winlogon\Notify\hipomea: DllName - (C:\Documents and Settings\NetworkService\Local Settings\Application Data\hipomea.dll) - C:\Documents and Settings\NetworkService\Local Settings\Application Data\hipomea.dll ()
    O20 - Winlogon\Notify\NecUsb3Sevice: DllName - (USB3Nw32.dll) - C:\WINDOWS\System32\USB3Nw32.dll ()
    O20 - Winlogon\Notify\USB3Nw32: DllName - (USB3Nw32.dll) - C:\WINDOWS\System32\USB3Nw32.dll ()
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
===

Restart the computer normally and run this tool if you can.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot of the ComboFix message]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

#4 nasdaq

  • Malware Response Team
  • 38,753 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 July 2012 - 10:19 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
