
Google redirect trojan


This topic is locked
19 replies to this topic

#1 Dr Bob (Members, 23 posts)

Posted 12 July 2012 - 05:19 AM

Hi all,

I'm new here, but happened on the site in my bid to tackle what I think is the Google redirect trojan.

I found this thread with a comprehensive list of instructions on how to tackle it (http://www.bleepingcomputer.com/forums/topic453588.html) and wondered if following them would also help me.

I am wary however as I am only a competent user rather than a tech wiz and all references to Combofix come with a healthy dose of warnings that only proficient people should undertake such a task!

If the instructions in the thread I have quoted are not suitable, would anyone be able to direct me to a set of simple to follow ones, or perhaps guide me through the process so that I don't turn my PC into scrap metal!

Thanks in advance,

Regards,
Bob


#2 Dr Bob (Topic Starter, Members, 23 posts)

Posted 12 July 2012 - 05:25 AM

Oops, I may have posted in the wrong forum and found the answer regarding whether I should follow the instructions meant for someone else in the 'Am I infected? What do I do?' forum. Sorry everyone, you must love guys like me pitching up and making a mess of things!

#3 RPMcMurphy (Bleeping *^#@%~, Malware Response Team, 3,970 posts)

Posted 13 July 2012 - 08:52 AM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:
    netsvcs
  • Click the Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and paste them into your next post.
Download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it
  • You will be asked if you want to use Avast! Free anti virus for scanning - select No
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply.
Please include the following in your next post:
  • OTL.txt and Extras.txt logs
  • aswMBR log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.
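The OTL.txt the steps above produce is plain text with one finding per line, so the items a helper checks first for a "search redirect" complaint can be pulled out by script. The following is an added example, not code from this thread, from OTL or from its author: a small Python triage parser that reads lines in OTL's format and reports which host the IE default search scope and Firefox keyword.URL send queries to, the O17 DHCP name servers, hosts-file mappings that do not point at loopback, and services OTL reports as "File not found". The sample lines are constructed in OTL's format; most are copied from the log Dr Bob posts in this thread, and the 203.0.113.5 line is invented (a TEST-NET address) to show how a non-loopback hosts entry is reported. The TRUSTED_SEARCH_HOSTS set is an assumption for illustration, not part of OTL.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed sample in the line format OTL.txt uses. Most lines are copied from
# the log posted in this thread; the 203.0.113.5 line is invented (TEST-NET)
# so that the non-loopback hosts check has something to report.
SAMPLE_LOG = r"""
IE - HKCU\..\SearchScopes,DefaultScope = {95B7759C-8C7F-4BF1-B163-73684A933233}
IE - HKCU\..\SearchScopes\{3823C968-B9E0-4F14-B868-38EF2C07A47D}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7
IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={7BB32934-A94F-4E41-8186-6A71F75563E0}&q={searchTerms}
FF - prefs.js..keyword.URL: "http://isearch.avg.com/search?cid=%7B8990ef02-37dc-4371-8d84-099b65569ee3%7D&sap=ku&q="
O1 HOSTS File: ([2012/07/11 20:18:40 | 000,443,432 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 203.0.113.5 www.google.com
O1 - Hosts: 15234 more lines...
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
NetSvcs: 6to4 - File not found
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
"""

# One regex per OTL line type we care about.
DEFAULT_SCOPE_RE = re.compile(r"SearchScopes,DefaultScope = (\{[0-9A-Fa-f-]+\})")
SCOPE_URL_RE = re.compile(r'SearchScopes\\(\{[0-9A-Fa-f-]+\}): "URL" = (\S+)')
FF_KEYWORD_RE = re.compile(r'keyword\.URL: "([^"]+)"')
HOSTS_MORE_RE = re.compile(r"^O1 - Hosts: (\d+) more lines")
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
DNS_RE = re.compile(r"DhcpNameServer = ([\d. ]+)$")
NETSVCS_MISSING_RE = re.compile(r"^NetSvcs: (\S+) - .*File not found")
SRV_MISSING_RE = re.compile(r"^SRV - File not found .*\((\w+)\)$")

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Assumed list of providers a user plausibly picked on purpose (illustration only).
TRUSTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.live.com"}


def parse_otl(text):
    """Extract the redirect-relevant facts from OTL.txt-style text."""
    scopes, default_scope = {}, None
    report = {"ie_default_search_host": None, "ff_keyword_host": None,
              "dns_servers": [], "hosts_entries": 0, "hosts_redirects": [],
              "missing_services": []}
    for line in text.splitlines():
        line = line.strip()
        m = DEFAULT_SCOPE_RE.search(line)
        if m:
            default_scope = m.group(1).upper()
            continue
        m = SCOPE_URL_RE.search(line)
        if m:
            scopes[m.group(1).upper()] = m.group(2)
            continue
        m = FF_KEYWORD_RE.search(line)
        if m:
            report["ff_keyword_host"] = urlparse(m.group(1)).hostname
            continue
        m = HOSTS_MORE_RE.match(line)          # "N more lines..." summary row
        if m:
            report["hosts_entries"] += int(m.group(1))
            continue
        m = HOSTS_RE.match(line)
        if m:
            report["hosts_entries"] += 1
            ip, name = m.groups()
            if ip not in LOOPBACK:             # a real redirect, not a blocklist entry
                report["hosts_redirects"].append((name, ip))
            continue
        m = DNS_RE.search(line)
        if m:
            report["dns_servers"].extend(m.group(1).split())
            continue
        m = NETSVCS_MISSING_RE.match(line) or SRV_MISSING_RE.match(line)
        if m:
            report["missing_services"].append(m.group(1))
    # Resolve the DefaultScope GUID to the URL that actually receives IE searches.
    if default_scope in scopes:
        report["ie_default_search_host"] = urlparse(scopes[default_scope]).hostname
    return report


def triage(report):
    """Turn the parsed facts into review notes a helper would check by hand."""
    findings = []
    for label, host in (("IE default search scope", report["ie_default_search_host"]),
                        ("Firefox keyword.URL", report["ff_keyword_host"])):
        if host and host not in TRUSTED_SEARCH_HOSTS:
            findings.append(f"{label} sends queries to {host}; confirm the user chose that provider")
    for name, ip in report["hosts_redirects"]:
        findings.append(f"hosts file maps {name} to {ip} (not loopback), bypassing DNS for that name")
    for server in report["dns_servers"]:
        if not ipaddress.ip_address(server).is_private:
            findings.append(f"DNS server {server} is a public address; verify it is the intended resolver")
    if report["hosts_entries"] > 1000:
        findings.append(f"hosts file has about {report['hosts_entries']} entries; "
                        "loopback-only blocklists are normal, other targets are not")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_otl(SAMPLE_LOG)):
        print("-", finding)
```

Run against the full OTL.txt, the interesting output is the search hosts and any non-loopback hosts entries: a large hosts file made entirely of 127.0.0.1 lines is what an ad-blocking list looks like, while a single entry mapping a search engine's name elsewhere, or a public DNS server nobody configured, is the kind of thing that produces the "Google redirect" symptom. The DhcpNameServer in the posted log is a private address, so it is not flagged.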


#4 Dr Bob (Topic Starter, Members, 23 posts)

Posted 13 July 2012 - 11:50 AM

Hi RPMcMurphy,

Thanks for your help, much appreciated.

I have followed your instructions and here are the outputted logs:

OTL.txt

OTL logfile created on: 7/13/2012 17:39:50 - Run 1
OTL by OldTimer - Version 3.2.54.0 Folder = C:\Documents and Settings\Administrator.EXPERIENCE\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

959.48 Mb Total Physical Memory | 583.09 Mb Available Physical Memory | 60.77% Memory free
2.26 Gb Paging File | 1.97 Gb Available in Paging File | 87.24% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 36.53 Gb Free Space | 49.02% Space Free | Partition Type: NTFS
Drive D: | 37.26 Gb Total Space | 11.79 Gb Free Space | 31.64% Space Free | Partition Type: NTFS

Computer Name: EXPERIENCE | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/13 17:38:04 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.EXPERIENCE\My Documents\Downloads\OTL.exe
PRC - [2012/06/08 21:42:12 | 001,668,952 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PRC - [2012/06/08 21:42:12 | 000,976,728 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2012/05/24 19:39:22 | 027,112,840 | ---- | M] (Dropbox, Inc.) -- C:\Documents and Settings\Administrator.EXPERIENCE\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2009/09/06 13:38:06 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2008/06/27 17:03:28 | 000,431,384 | ---- | M] (Maxtor) -- C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2012/05/28 22:07:31 | 000,520,464 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportMS.dll
MOD - [2012/02/01 14:43:10 | 000,557,056 | ---- | M] () -- C:\Program Files\Trusteer\Rapport\bin\js32.dll
MOD - [2009/09/06 13:38:06 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
MOD - [2006/10/22 12:22:00 | 000,212,992 | ---- | M] () -- C:\WINDOWS\system32\nvapi.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/07/02 19:00:07 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/06/25 20:09:45 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/06/08 21:42:12 | 000,976,728 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2012/02/15 14:30:18 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2009/09/06 13:38:06 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU)
SRV - [2008/06/27 17:03:28 | 000,431,384 | ---- | M] (Maxtor) [Auto | Running] -- C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe -- (MaxSch2Svc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\GT890x.SYS -- (GT890x) Dual-Mode DSC (Still Camera)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\GT891x1.SYS -- (DCamUSBDXGTech) Dual-Mode DSC (Video Camera)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/06/08 21:42:30 | 000,071,480 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys -- (RapportEI)
DRV - [2012/06/08 21:42:28 | 000,166,840 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2012/06/08 21:42:28 | 000,065,720 | ---- | M] (Trusteer Ltd.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\RapportKELL.sys -- (RapportKELL)
DRV - [2012/05/28 22:07:31 | 000,021,520 | ---- | M] (Trusteer Ltd.) [Kernel | On_Demand | Running] -- c:\Documents and Settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys -- (RapportIaso)
DRV - [2011/12/20 20:54:10 | 000,228,208 | ---- | M] () [Kernel | System | Running] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys -- (RapportCerberus_34302)
DRV - [2010/03/02 17:16:03 | 000,390,528 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\RapportBuka.sys -- (RapportBuka)
DRV - [2009/11/12 14:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2009/05/23 19:46:03 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\timntr.sys -- (timounter)
DRV - [2009/05/23 19:46:03 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009/05/23 19:45:55 | 000,132,224 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\snapman.sys -- (snapman)
DRV - [2009/05/23 19:45:42 | 000,368,480 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\tdrpman.sys -- (tdrpman)
DRV - [2007/02/17 13:00:00 | 000,100,736 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\nvatabus.sys -- (nvatabus)
DRV - [2006/12/29 14:48:06 | 004,026,112 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2006/09/24 14:28:46 | 000,005,248 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Boot | Running] -- C:\WINDOWS\system32\speedfan.sys -- (speedfan)
DRV - [2006/06/19 04:37:34 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2006/05/18 10:59:26 | 000,463,168 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2006/04/24 16:52:28 | 000,100,736 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\nvata.sys -- (nvata)
DRV - [2006/02/17 10:28:32 | 000,013,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/02/17 10:28:30 | 000,034,176 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [1996/04/03 20:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\giveio.sys -- (giveio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie_rsearch.html
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie_rsearch.html
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKCU\..\SearchScopes,DefaultScope = {95B7759C-8C7F-4BF1-B163-73684A933233}
IE - HKCU\..\SearchScopes\{3823C968-B9E0-4F14-B868-38EF2C07A47D}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={7BB32934-A94F-4E41-8186-6A71F75563E0}&mid=0844cb1c0257a90fffaedbc3af373d2b-06ce4fc639803a2e3563922518183d8e94088cb9&lang=en&ds=AVG&pr=fr&d=2012-05-16 21:25:55&v=11.0.0.9&sap=dsp&q={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: LogMeInClient@logmein.com:1.0.0.664
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: avg@toolbar:9.0.0.22
FF - prefs.js..extensions.enabledItems: newtaburl@sogame.cat:2.2.3
FF - prefs.js..keyword.URL: "http://isearch.avg.com/search?cid=%7B8990ef02-37dc-4371-8d84-099b65569ee3%7D&mid=0844cb1c0257a90fffaedbc3af373d2b-06ce4fc639803a2e3563922518183d8e94088cb9&ds=AVG&v=9.0.0.22&lang=en&pr=fr&d=2011-10-15%2017%3A43%3A48&sap=ku&q="
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_262.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_32: C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/07/02 19:00:08 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/07/11 12:21:39 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{D2C7DE1A-C863-11E1-8270-B8AC6F996F26}: C:\Documents and Settings\Administrator.EXPERIENCE\Local Settings\Application Data\{D2C7DE1A-C863-11E1-8270-B8AC6F996F26}\ [2012/07/07 19:42:34 | 000,000,000 | ---D | M]

[2009/05/20 21:07:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator.EXPERIENCE\Application Data\Mozilla\Extensions
[2012/05/19 20:39:29 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator.EXPERIENCE\Application Data\Mozilla\Firefox\Profiles\nx0qvlpp.default\extensions
[2010/12/02 21:00:20 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator.EXPERIENCE\Application Data\Mozilla\Firefox\Profiles\nx0qvlpp.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/05/19 20:39:30 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Administrator.EXPERIENCE\Application Data\Mozilla\Firefox\Profiles\nx0qvlpp.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2011/06/25 10:37:11 | 000,000,000 | ---D | M] (LogMeIn, Inc. Remote Access Plugin) -- C:\Documents and Settings\Administrator.EXPERIENCE\Application Data\Mozilla\Firefox\Profiles\nx0qvlpp.default\extensions\LogMeInClient@logmein.com
[2011/12/23 10:50:32 | 000,000,000 | ---D | M] (NewTabURL) -- C:\Documents and Settings\Administrator.EXPERIENCE\Application Data\Mozilla\Firefox\Profiles\nx0qvlpp.default\extensions\newtaburl@sogame.cat
[2012/05/19 20:39:29 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator.EXPERIENCE\Application Data\Mozilla\Firefox\Profiles\nx0qvlpp.default\extensions\trash
[2012/07/02 19:00:16 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/07/07 19:42:34 | 000,000,000 | ---D | M] (Mozilla Safe Browsing) -- C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR.EXPERIENCE\LOCAL SETTINGS\APPLICATION DATA\{D2C7DE1A-C863-11E1-8270-B8AC6F996F26}
[2012/05/28 21:58:01 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2012/07/02 19:00:08 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/07/10 11:57:28 | 000,003,767 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml
[2012/04/22 11:17:23 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/04/22 11:17:23 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/07/11 20:18:40 | 000,443,432 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 15234 more lines...
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - Startup: C:\Documents and Settings\Administrator.EXPERIENCE\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Administrator.EXPERIENCE\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRemoteRecursiveEvents = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: MemCheckBoxInRunDlg = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuFavorites = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Start_ShowHelp = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Start_ShowMyComputer = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Start_ShowMyDocs = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Start_ShowMyMusic = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Start_ShowMyPics = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Start_ShowRun = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Start_ShowSearch = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: verbosestatus = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: MemCheckBoxInRunDlg = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSharedDocuments = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242849826500 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{858946B7-0E0F-4318-94F1-D9C9691AF031}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator.EXPERIENCE\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator.EXPERIENCE\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/06/02 21:10:35 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/07/13 17:37:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.EXPERIENCE\Desktop\topic460332_files
[2012/07/12 13:08:43 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator.EXPERIENCE\Recent
[2012/07/11 21:44:34 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools
[2012/07/11 21:38:31 | 000,203,088 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTSD.sys
[2012/07/11 21:38:31 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2012/07/11 21:38:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PC Tools
[2012/07/11 21:37:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.EXPERIENCE\Application Data\TestApp
[2012/07/11 13:08:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.EXPERIENCE\Application Data\AVG
[2012/07/11 13:07:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
[2012/07/11 12:52:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.EXPERIENCE\Local Settings\Application Data\Temp
[2012/07/07 19:42:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.EXPERIENCE\Local Settings\Application Data\{D2C7DE1A-C863-11E1-8270-B8AC6F996F26}
[2012/07/02 11:01:32 | 000,000,000 | ---D | C] -- C:\Program Files\MSECache
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/07/13 17:39:01 | 000,000,978 | ---- | M] () -- C:\Documents and Settings\Administrator.EXPERIENCE\Desktop\aswMBR.exe.lnk
[2012/07/13 17:38:18 | 000,000,959 | ---- | M] () -- C:\Documents and Settings\Administrator.EXPERIENCE\Desktop\OTL.exe.lnk
[2012/07/13 17:37:46 | 000,077,875 | ---- | M] () -- C:\Documents and Settings\Administrator.EXPERIENCE\Desktop\topic460332.html
[2012/07/13 17:33:22 | 000,088,566 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2012/07/13 17:33:18 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/07/13 17:33:14 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/07/13 17:33:12 | 1006,161,920 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/12 12:09:15 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/07/11 21:39:09 | 000,574,744 | ---- | M] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2012/07/11 21:27:59 | 000,033,758 | ---- | M] () -- C:\Documents and Settings\Administrator.EXPERIENCE\Local Settings\Application Data\dt.dat
[2012/07/11 20:18:40 | 000,443,432 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/07/11 15:56:37 | 000,187,408 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/07/11 12:21:50 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Adobe Reader X.lnk
[2012/07/02 14:44:00 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Skype.lnk
[2012/06/25 20:09:44 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/06/25 20:09:44 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/13 17:39:01 | 000,000,978 | ---- | C] () -- C:\Documents and Settings\Administrator.EXPERIENCE\Desktop\aswMBR.exe.lnk
[2012/07/13 17:38:18 | 000,000,959 | ---- | C] () -- C:\Documents and Settings\Administrator.EXPERIENCE\Desktop\OTL.exe.lnk
[2012/07/13 17:37:45 | 000,077,875 | ---- | C] () -- C:\Documents and Settings\Administrator.EXPERIENCE\Desktop\topic460332.html
[2012/07/11 21:38:44 | 000,574,744 | ---- | C] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2012/07/11 21:27:59 | 000,033,758 | ---- | C] () -- C:\Documents and Settings\Administrator.EXPERIENCE\Local Settings\Application Data\dt.dat
[2012/07/11 12:21:50 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Adobe Reader X.lnk
[2012/07/11 12:21:42 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Adobe Reader X.lnk
[2012/02/22 21:51:57 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/09/12 18:31:30 | 000,002,274 | ---- | C] () -- C:\WINDOWS\System32\GUCI_AVS.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:430C6D84
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:0B4227B4
@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:DFC5A2B2

< End of report >

Extras.txt

OTL Extras logfile created on: 7/13/2012 17:39:50 - Run 1
OTL by OldTimer - Version 3.2.54.0 Folder = C:\Documents and Settings\Administrator.EXPERIENCE\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

959.48 Mb Total Physical Memory | 583.09 Mb Available Physical Memory | 60.77% Memory free
2.26 Gb Paging File | 1.97 Gb Available in Paging File | 87.24% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 36.53 Gb Free Space | 49.02% Space Free | Partition Type: NTFS
Drive D: | 37.26 Gb Total Space | 11.79 Gb Free Space | 31.64% Space Free | Partition Type: NTFS

Computer Name: EXPERIENCE | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /k cd "%L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [openNew] -- explorer %1 (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\CambridgeSoft\ChemOffice2004\ChemDraw\ChemDraw.exe" = C:\Program Files\CambridgeSoft\ChemOffice2004\ChemDraw\ChemDraw.exe:*:Disabled:ChemDraw Ultra 8.0 -- (CambridgeSoft Corp.)
"C:\Documents and Settings\Administrator.EXPERIENCE\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\Administrator.EXPERIENCE\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- (Dropbox, Inc.)
"C:\Program Files\AVG\AVG2012\avgmfapx.exe" = C:\Program Files\AVG\AVG2012\avgmfapx.exe:*:Enabled:AVG Installer


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216032FF}" = Java™ 6 Update 32
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{3AE87269-BD57-4A58-B13D-FC67664BCFB8}" = BlackBerry Desktop Software 4.3
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4AC7B4E7-59B7-4E48-A60D-263C486FC33A}_is1" = System Checkup 3.0
"{5A33744D-33F5-451A-9CB0-2FE49EE3809C}" = ChemOffice Ultra 2004
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C43E4B9C-14C8-4EB0-998B-85211B6EDD61}" = Maxtor MaxBlast
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E5026CE8-B6E0-46CB-A63C-040B920C8611}" = inSSIDer 2.0
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.8
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"BlackBerry_{3AE87269-BD57-4A58-B13D-FC67664BCFB8}" = BlackBerry Desktop Software 4.3
"EndNote" = EndNote
"EPSON Printer and Utilities" = EPSON Printer Software
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ISI ResearchSoft - Export Helper" = ISI ResearchSoft - Export Helper
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 13.0.1 (x86 en-US)" = Mozilla Firefox 13.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Rapport_msi" = Rapport
"SpeedFan" = SpeedFan (remove only)

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 5/31/2011 14:20:45 | Computer Name = EXPERIENCE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 8/22/2011 13:02:35 | Computer Name = EXPERIENCE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 8/22/2011 13:02:39 | Computer Name = EXPERIENCE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 8/22/2011 13:02:39 | Computer Name = EXPERIENCE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 9/4/2011 5:57:06 | Computer Name = EXPERIENCE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 9/4/2011 5:57:06 | Computer Name = EXPERIENCE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 9/4/2011 5:57:06 | Computer Name = EXPERIENCE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 10/22/2011 4:33:00 | Computer Name = EXPERIENCE | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Failed to compile: System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
. Error code = 0x80070020

[ System Events ]
Error - 7/9/2012 8:06:31 | Computer Name = EXPERIENCE | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 7/11/2012 16:59:40 | Computer Name = EXPERIENCE | Source = PlugPlayManager | ID = 12
Description = The device 'ST340810A' (IDE\DiskST340810A_______________________________3.34____\4633314245533942202020202020202020202020)
disappeared from the system without first being prepared for removal.

Error - 7/11/2012 16:59:43 | Computer Name = EXPERIENCE | Source = PCTCore | ID = 327960
Description =

Error - 7/11/2012 16:59:43 | Computer Name = EXPERIENCE | Source = PCTCore | ID = 327960
Description =

Error - 7/12/2012 3:45:42 | Computer Name = EXPERIENCE | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the PC Tools Security Service
service to connect.

Error - 7/12/2012 3:45:42 | Computer Name = EXPERIENCE | Source = Service Control Manager | ID = 7000
Description = The PC Tools Security Service service failed to start due to the following
error: %%1053

Error - 7/12/2012 3:52:33 | Computer Name = EXPERIENCE | Source = PCTCore | ID = 327960
Description =

Error - 7/13/2012 12:33:30 | Computer Name = EXPERIENCE | Source = NetBT | ID = 4321
Description = The name "EXPERIENCE :0" could not be registered on the Interface
with IP address 192.168.1.66. The machine with the IP address 192.168.1.71 did not
allow the name to be claimed by this machine.

Error - 7/13/2012 12:33:37 | Computer Name = EXPERIENCE | Source = NetBT | ID = 4321
Description = The name "EXPERIENCE :20" could not be registered on the Interface
with IP address 192.168.1.66. The machine with the IP address 192.168.1.71 did not
allow the name to be claimed by this machine.

Error - 7/13/2012 12:33:37 | Computer Name = EXPERIENCE | Source = Server | ID = 2505
Description = The server could not bind to the transport \Device\NetBT_Tcpip_{858946B7-0E0F-4318-94F1-D9C9691AF031}
because another computer on the network has the same name. The server could not
start.


< End of report >

aswMBR.txt

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-13 17:43:51
-----------------------------
17:43:51.468 OS Version: Windows 5.1.2600 Service Pack 3
17:43:51.468 Number of processors: 1 586 0x5F02
17:43:51.468 ComputerName: EXPERIENCE UserName:
17:43:52.296 Initialize success
17:43:59.156 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
17:43:59.156 Disk 0 Vendor: MAXTOR_STM380215A 3.AAC Size: 76319MB BusType: 3
17:43:59.156 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T1L0-17
17:43:59.156 Disk 1 Vendor: ST340810A 3.34 Size: 38166MB BusType: 3
17:43:59.171 Disk 0 MBR read successfully
17:43:59.171 Disk 0 MBR scan
17:43:59.171 Disk 0 Windows XP default MBR code
17:43:59.187 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76308 MB offset 63
17:43:59.187 Disk 0 scanning sectors +156280320
17:43:59.265 Disk 0 scanning C:\WINDOWS\system32\drivers
17:44:06.765 Service scanning
17:44:26.296 Modules scanning
17:44:39.593 Disk 0 trace - called modules:
17:44:39.609 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
17:44:40.125 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85820ab8]
17:44:40.125 3 CLASSPNP.SYS[f74c7fd7] -> nt!IofCallDriver -> \Device\00000063[0x858821f8]
17:44:40.125 5 ACPI.sys[f735e620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x85825d98]
17:44:40.125 Scan finished successfully
17:44:54.921 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator.EXPERIENCE\Desktop\MBR.dat"
17:44:54.937 The log file has been saved successfully to "C:\Documents and Settings\Administrator.EXPERIENCE\Desktop\aswMBR.txt"

Can't make any sense of it, but that's to be expected - I wouldn't need help if I knew what any of it meant!

I'll await further instructions.

Many thanks,

Dr Bob

#5 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:09 PM

Posted 13 July 2012 - 01:23 PM

Please do this next:

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:430C6D84
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:0B4227B4
    @Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:DFC5A2B2
    :Commands
    [EmptyTemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, it will reboot when it is done and produce a log
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • OTL Fix log
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#6 Dr Bob

Dr Bob
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:11:09 PM

Posted 16 July 2012 - 03:37 PM

Hi again,

OTL rerun and Combofix successfully negotiated (I think)! The only issue was Combofix detected an uninstalled version of AVG. Resetting the registry required a reboot, so I stopped Combofix, did the necessary with AVG and then re-ran Combofix. Hope this is OK.

Here are the outputs from each:

All processes killed
========== OTL ==========
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:430C6D84 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:0B4227B4 deleted successfully.
ADS C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:DFC5A2B2 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 1659819 bytes
->Temporary Internet Files folder emptied: 26061254 bytes
->FireFox cache emptied: 53103237 bytes
->Flash cache emptied: 11702 bytes

User: Administrator.EXPERIENCE
->Temp folder emptied: 15706761 bytes
->Temporary Internet Files folder emptied: 164176338 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 112221914 bytes
->Flash cache emptied: 1363 bytes

User: ADMINI~1~EXP

User: All Users

User: All Users.WINDOWS

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User.WINDOWS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 46455 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 377307 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33237 bytes

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2148530 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 60032 bytes
Windows Temp folder emptied: 159228 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 267155346 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 2075659319 bytes

Total Files Cleaned = 2,593.00 mb


OTL by OldTimer - Version 3.2.54.0 log created on 07162012_203637

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_f84.dat not found!

PendingFileRenameOperations files...
File C:\WINDOWS\temp\Perflib_Perfdata_f84.dat not found!

Registry entries deleted on Reboot...



And log.txt

ComboFix 12-07-16.01 - Administrator 07/16/2012 21:18:40.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.619 [GMT 1:00]
Running from: c:\documents and settings\Administrator.EXPERIENCE\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
c:\program files\Perfect Optimizer
c:\program files\Perfect Optimizer\PerfectOptimizer.ini
c:\windows\system32\Cache
c:\windows\system32\Cache\0dacde0a2327684c.fb
c:\windows\system32\Cache\10c0611034998778.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\85d99e38c6cd59b6.fb
c:\windows\system32\Cache\99ee8af5a888896c.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\Cache\f914bf46c5d9338c.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
c:\windows\system32\Cache\faa5b1c7a078831e.fb
c:\windows\system32\drivers\etc\hosts.txt
c:\windows\system32\msconfig.exe
.
Infected copy of c:\windows\system32\srsvc.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\srsvc.dll
.
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
c:\windows\system32\drivers\psched.sys was missing
Restored copy from - c:\windows\ServicePackFiles\i386\psched.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-06-16 to 2012-07-16 )))))))))))))))))))))))))))))))
.
.
2012-07-16 20:23 . 2008-04-13 23:26 69120 ----a-w- c:\windows\system32\drivers\psched.sys
2012-07-16 20:23 . 2008-04-14 04:42 50176 ----a-w- c:\windows\system32\proquota.exe
2012-07-16 20:23 . 2008-04-14 04:42 171008 ----a-w- c:\windows\system32\srsvc.dll
2012-07-16 20:03 . 2012-07-16 20:03 -------- d-----w- c:\windows\system32\wbem\Repository
2012-07-16 20:03 . 2012-07-16 20:03 -------- d-----w- c:\documents and settings\Administrator.EXPERIENCE\Local Settings\Application Data\tific
2012-07-16 20:03 . 2012-07-16 20:03 -------- d-----w- c:\documents and settings\Administrator.EXPERIENCE\Application Data\Tific
2012-07-16 19:36 . 2012-07-16 19:36 -------- d-----w- C:\_OTL
2012-07-11 20:44 . 2012-07-11 20:44 -------- d-----w- c:\program files\PC Tools
2012-07-11 20:38 . 2012-07-12 09:56 -------- d-----w- c:\program files\Common Files\PC Tools
2012-07-11 20:38 . 2012-05-11 10:14 203088 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-07-11 20:38 . 2012-07-12 09:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools
2012-07-11 20:37 . 2012-07-11 20:37 -------- d-----w- c:\documents and settings\Administrator.EXPERIENCE\Application Data\TestApp
2012-07-11 12:08 . 2012-07-11 12:10 -------- d-----w- c:\documents and settings\Administrator.EXPERIENCE\Application Data\AVG
2012-07-11 11:52 . 2012-07-11 11:52 -------- d-----w- c:\documents and settings\Administrator.EXPERIENCE\Local Settings\Application Data\Temp
2012-07-08 06:19 . 2012-07-08 06:19 65752 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-07-07 18:42 . 2012-07-07 18:42 -------- d-----w- c:\documents and settings\Administrator.EXPERIENCE\Local Settings\Application Data\{D2C7DE1A-C863-11E1-8270-B8AC6F996F26}
2012-07-02 18:00 . 2012-07-02 18:00 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-07-02 18:00 . 2012-07-02 18:00 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-07-02 10:01 . 2012-07-02 10:01 -------- d-----w- c:\program files\MSECache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-25 19:09 . 2012-06-05 09:50 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-25 19:09 . 2011-06-15 21:02 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-13 13:19 . 2007-02-17 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2007-02-17 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-05 15:50 . 2006-11-04 19:25 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-04 04:32 . 2007-02-17 12:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 14:19 . 2009-05-20 20:04 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 14:19 . 2009-05-20 20:04 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 14:19 . 2009-05-20 18:58 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 14:19 . 2009-05-20 18:58 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 14:19 . 2009-05-20 18:58 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 14:19 . 2009-05-20 20:04 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 14:19 . 2009-05-20 20:04 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 14:19 . 2009-05-20 18:58 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 14:19 . 2009-05-20 18:58 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 14:19 . 2007-02-17 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 14:19 . 2009-05-20 20:04 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 14:19 . 2009-05-20 18:58 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 14:19 . 2009-05-20 18:58 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2007-02-17 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-28 20:58 . 2012-05-28 20:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-28 20:58 . 2012-05-28 20:58 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-05-28 20:58 . 2011-03-27 13:39 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-04 13:12 . 2007-02-17 12:00 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2005-03-01 16:36 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2009-05-20 18:57 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-02 18:00 . 2011-12-23 19:43 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
.
[7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
.
[7] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\regsvc.dll
.
c:\windows\System32\drivers\beep.sys ... is missing !!
c:\windows\System32\ctfmon.exe ... is missing !!
c:\windows\System32\regsvc.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\documents and settings\Administrator.EXPERIENCE\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\documents and settings\Administrator.EXPERIENCE\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\documents and settings\Administrator.EXPERIENCE\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\documents and settings\Administrator.EXPERIENCE\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2011-06-21 124928]
.
c:\documents and settings\Administrator.EXPERIENCE\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Administrator.EXPERIENCE\Application Data\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowHelp"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowMyPics"= 1 (0x1)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-06-27 16:08 904776 ----a-w- c:\program files\Maxtor\MaxBlast\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxBlastMonitor.exe]
2008-06-27 16:01 1325800 ----a-w- c:\program files\Maxtor\MaxBlast\MaxBlastMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Maxtor Scheduler2 Service]
2008-06-27 16:03 136472 ----a-w- c:\program files\Common Files\Maxtor\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-10-22 11:22 7700480 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-10-22 11:22 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-10-22 11:22 1622016 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-11-17 04:42 577536 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\CambridgeSoft\\ChemOffice2004\\ChemDraw\\ChemDraw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Administrator.EXPERIENCE\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [7/8/2012 7:19 65752]
R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [3/2/2010 17:16 390528]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [12/20/2011 20:54 228208]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [7/8/2012 7:19 71480]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [7/8/2012 7:19 166840]
R2 MaxSch2Svc;Maxtor Scheduler2 Service;c:\program files\Common Files\Maxtor\Schedule2\schedul2.exe [6/27/2008 17:03 431384]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [7/8/2012 7:19 976728]
R3 RapportIaso;RapportIaso;c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys [5/28/2012 22:07 21520]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2/15/2012 14:30 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [6/5/2012 10:50 250056]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/8/2012 18:02 113120]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Netman
Nla
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
Tapisrv
Themes
WZCSVC
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
wuauserv
ShellHWDetection
WmdmPmSN
napagent
hkmsvc
wscsvc
.
Rebuilding ... You need to reboot your machine for this to take effect.
.
ntmssvc
ERSvc
Messenger
SRService
TrkWks
W32Time
helpsvc
uploadmgr
TermService
ip6fwhlp
mhn
sacsvr
trksvr
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-05 19:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Administrator.EXPERIENCE\Application Data\Mozilla\Firefox\Profiles\nx0qvlpp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B8990ef02-37dc-4371-8d84-099b65569ee3%7D&mid=0844cb1c0257a90fffaedbc3af373d2b-06ce4fc639803a2e3563922518183d8e94088cb9&ds=AVG&v=9.0.0.22&lang=en&pr=fr&d=2011-10-15%2017%3A43%3A48&sap=ku&q=
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-PhilipsDM - c:\program files\Philips\Philips Device Manager\Bin\DeviceManager.exe
MSConfigStartUp-PhilipsLime - c:\program files\Philips\Philips Lime Service\bin\LimeAlive.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-16 21:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(752)
c:\windows\system32\relog_ap.dll
.
- - - - - - - > 'explorer.exe'(7740)
c:\windows\system32\WININET.dll
c:\documents and settings\Administrator.EXPERIENCE\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-07-16 21:30:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-16 20:30
.
Pre-Run: 41,823,178,752 bytes free
Post-Run: 43,057,954,816 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 8258284A8F9CD1FDD8F227F1BFACFB17



Thanks for your help,

Dr Bob

#7 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 16 July 2012 - 05:29 PM

Please do this next:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above FCopy::

    FCopy::
    c:\windows\ServicePackFiles\i386\ctfmon.exe | c:\windows\System32\ctfmon.exe
    c:\windows\ServicePackFiles\i386\regsvc.dll | c:\windows\System32\regsvc.dll

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Be sure that everything else is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the results.
Please include the following in your next post:
  • ComboFix log
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may [Donate button]
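The FCopy directive in this post restores the System32 copies of ctfmon.exe and regsvc.dll from the ServicePackFiles cache. As an added example (not ComboFix's own code, and not from this thread), the Python script below parses that CFScript "source | destination" layout and reports whether each destination currently differs from its source by size and SHA-256; it only reports and never copies, and it maps the Windows paths onto a temporary directory so it runs anywhere.

```python
"""Check whether the System32 files named in a ComboFix-style FCopy block still
differ from their ServicePackFiles originals. Added illustration, not ComboFix
code: it only reports, it never copies. The Windows paths are mapped onto a
temporary directory so the check can run on any system."""
import hashlib
import tempfile
from pathlib import Path

# Constructed sample in the same "source | destination" layout as the CFScript above.
SAMPLE_FCOPY = """FCopy::
c:\\windows\\ServicePackFiles\\i386\\ctfmon.exe | c:\\windows\\System32\\ctfmon.exe
c:\\windows\\ServicePackFiles\\i386\\regsvc.dll | c:\\windows\\System32\\regsvc.dll
"""


def parse_fcopy(script):
    """Return (source, destination) pairs from the FCopy:: section of a CFScript."""
    pairs = []
    in_section = False
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):  # a directive header such as FCopy:: or File::
            in_section = line.lower() == "fcopy::"
            continue
        if in_section and "|" in line:
            src, dst = (part.strip() for part in line.split("|", 1))
            pairs.append((src, dst))
    return pairs


def to_local(win_path, root):
    """Map c:\\dir\\file onto root/dir/file (lower-cased, since NTFS is
    case-insensitive) so the comparison can run against a test tree."""
    if len(win_path) < 3 or win_path[1:3] != ":\\":
        raise ValueError("expected a drive-letter path: %r" % win_path)
    return root.joinpath(*win_path[3:].lower().split("\\"))


def sha256_of(path):
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_pairs(pairs, root):
    """Report, per destination, whether it matches its source copy."""
    report = {}
    for src, dst in pairs:
        src_path, dst_path = to_local(src, root), to_local(dst, root)
        if not src_path.is_file():
            report[dst] = "source missing"
        elif not dst_path.is_file():
            report[dst] = "destination missing"
        elif (src_path.stat().st_size == dst_path.stat().st_size
              and sha256_of(src_path) == sha256_of(dst_path)):
            report[dst] = "match"
        else:
            report[dst] = "differs"  # candidate for restoring from the SP cache
    return report


def demo():
    """Build a constructed tree: ctfmon.exe has been altered, regsvc.dll has not."""
    root = Path(tempfile.mkdtemp())
    clean = b"MZ clean service pack copy"
    files = {
        "c:\\windows\\ServicePackFiles\\i386\\ctfmon.exe": clean,
        "c:\\windows\\System32\\ctfmon.exe": b"MZ altered copy",
        "c:\\windows\\ServicePackFiles\\i386\\regsvc.dll": clean,
        "c:\\windows\\System32\\regsvc.dll": clean,
    }
    for win_path, data in files.items():
        local = to_local(win_path, root)
        local.parent.mkdir(parents=True, exist_ok=True)
        local.write_bytes(data)
    return compare_pairs(parse_fcopy(SAMPLE_FCOPY), root)


if __name__ == "__main__":
    for dst, verdict in demo().items():
        print(verdict, dst)
```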


#8 Dr Bob
  • Topic Starter
  • Members
  • 23 posts

Posted 18 July 2012 - 07:11 AM

OK, here are the requested logs:

Combofix:

ComboFix 12-07-16.01 - Administrator 07/18/2012 11:44:23.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.632 [GMT 1:00]
Running from: c:\documents and settings\Administrator.EXPERIENCE\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator.EXPERIENCE\Desktop\CFScript.txt
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\ctfmon.exe --> c:\windows\System32\ctfmon.exe
c:\windows\ServicePackFiles\i386\regsvc.dll --> c:\windows\System32\regsvc.dll
.
((((((((((((((((((((((((( Files Created from 2012-06-18 to 2012-07-18 )))))))))))))))))))))))))))))))
.
.
2012-07-18 10:44 . 2008-04-14 04:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
2012-07-18 10:44 . 2008-04-14 04:42 59904 ----a-w- c:\windows\system32\regsvc.dll
2012-07-16 20:23 . 2008-04-13 23:26 69120 ----a-w- c:\windows\system32\drivers\psched.sys
2012-07-16 20:23 . 2008-04-14 04:42 50176 ----a-w- c:\windows\system32\proquota.exe
2012-07-16 20:23 . 2008-04-14 04:42 171008 ----a-w- c:\windows\system32\srsvc.dll
2012-07-16 20:03 . 2012-07-16 20:03 -------- d-----w- c:\windows\system32\wbem\Repository
2012-07-16 20:03 . 2012-07-16 20:03 -------- d-----w- c:\documents and settings\Administrator.EXPERIENCE\Local Settings\Application Data\tific
2012-07-16 20:03 . 2012-07-16 20:03 -------- d-----w- c:\documents and settings\Administrator.EXPERIENCE\Application Data\Tific
2012-07-16 19:36 . 2012-07-16 19:36 -------- d-----w- C:\_OTL
2012-07-11 20:44 . 2012-07-11 20:44 -------- d-----w- c:\program files\PC Tools
2012-07-11 20:38 . 2012-07-12 09:56 -------- d-----w- c:\program files\Common Files\PC Tools
2012-07-11 20:38 . 2012-05-11 10:14 203088 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-07-11 20:38 . 2012-07-12 09:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools
2012-07-11 20:37 . 2012-07-11 20:37 -------- d-----w- c:\documents and settings\Administrator.EXPERIENCE\Application Data\TestApp
2012-07-11 12:08 . 2012-07-11 12:10 -------- d-----w- c:\documents and settings\Administrator.EXPERIENCE\Application Data\AVG
2012-07-11 11:52 . 2012-07-11 11:52 -------- d-----w- c:\documents and settings\Administrator.EXPERIENCE\Local Settings\Application Data\Temp
2012-07-08 06:19 . 2012-07-08 06:19 65752 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-07-07 18:42 . 2012-07-07 18:42 -------- d-----w- c:\documents and settings\Administrator.EXPERIENCE\Local Settings\Application Data\{D2C7DE1A-C863-11E1-8270-B8AC6F996F26}
2012-07-02 18:00 . 2012-07-02 18:00 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-07-02 18:00 . 2012-07-02 18:00 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-07-02 10:01 . 2012-07-02 10:01 -------- d-----w- c:\program files\MSECache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-25 19:09 . 2012-06-05 09:50 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-25 19:09 . 2011-06-15 21:02 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-13 13:19 . 2007-02-17 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2007-02-17 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-05 15:50 . 2006-11-04 19:25 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-04 04:32 . 2007-02-17 12:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 14:19 . 2009-05-20 20:04 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 14:19 . 2009-05-20 20:04 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 14:19 . 2009-05-20 18:58 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 14:19 . 2009-05-20 18:58 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 14:19 . 2009-05-20 18:58 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 14:19 . 2009-05-20 20:04 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 14:19 . 2009-05-20 20:04 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 14:19 . 2009-05-20 18:58 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 14:19 . 2009-05-20 18:58 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 14:19 . 2007-02-17 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 14:19 . 2009-05-20 20:04 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 14:19 . 2009-05-20 18:58 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 14:19 . 2009-05-20 18:58 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2007-02-17 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-28 20:58 . 2012-05-28 20:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-28 20:58 . 2012-05-28 20:58 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-05-28 20:58 . 2011-03-27 13:39 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-04 13:12 . 2007-02-17 12:00 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2005-03-01 16:36 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2009-05-20 18:57 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-02 18:00 . 2011-12-23 19:43 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-16_20.25.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-18 10:34 . 2012-07-18 10:34 16384 c:\windows\Temp\Perflib_Perfdata_1ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\documents and settings\Administrator.EXPERIENCE\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\documents and settings\Administrator.EXPERIENCE\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\documents and settings\Administrator.EXPERIENCE\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\documents and settings\Administrator.EXPERIENCE\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2011-06-21 124928]
.
c:\documents and settings\Administrator.EXPERIENCE\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Administrator.EXPERIENCE\Application Data\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowHelp"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowMyPics"= 1 (0x1)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-06-27 16:08 904776 ----a-w- c:\program files\Maxtor\MaxBlast\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxBlastMonitor.exe]
2008-06-27 16:01 1325800 ----a-w- c:\program files\Maxtor\MaxBlast\MaxBlastMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Maxtor Scheduler2 Service]
2008-06-27 16:03 136472 ----a-w- c:\program files\Common Files\Maxtor\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-10-22 11:22 7700480 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-10-22 11:22 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-10-22 11:22 1622016 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-11-17 04:42 577536 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\CambridgeSoft\\ChemOffice2004\\ChemDraw\\ChemDraw.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Administrator.EXPERIENCE\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [7/8/2012 7:19 65752]
R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [3/2/2010 17:16 390528]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [12/20/2011 20:54 228208]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [7/8/2012 7:19 71480]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [7/8/2012 7:19 166840]
R2 MaxSch2Svc;Maxtor Scheduler2 Service;c:\program files\Common Files\Maxtor\Schedule2\schedul2.exe [6/27/2008 17:03 431384]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [7/8/2012 7:19 976728]
R3 RapportIaso;RapportIaso;c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys [5/28/2012 22:07 21520]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2/15/2012 14:30 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [6/5/2012 10:50 250056]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/8/2012 18:02 113120]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - RAPPORTIASO
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-05 19:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Administrator.EXPERIENCE\Application Data\Mozilla\Firefox\Profiles\nx0qvlpp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B8990ef02-37dc-4371-8d84-099b65569ee3%7D&mid=0844cb1c0257a90fffaedbc3af373d2b-06ce4fc639803a2e3563922518183d8e94088cb9&ds=AVG&v=9.0.0.22&lang=en&pr=fr&d=2011-10-15%2017%3A43%3A48&sap=ku&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-18 11:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(744)
c:\windows\system32\relog_ap.dll
.
- - - - - - - > 'explorer.exe'(16664)
c:\windows\system32\WININET.dll
c:\documents and settings\Administrator.EXPERIENCE\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Completion time: 2012-07-18 11:58:53
ComboFix-quarantined-files.txt 2012-07-18 10:58
ComboFix2.txt 2012-07-16 20:30
.
Pre-Run: 43,067,273,216 bytes free
Post-Run: 43,053,346,816 bytes free
.
- - End Of File - - CB5DC36DEEB48EA6E26491B389CA936E





And Malwarebytes:


Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.18.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.11
Administrator :: EXPERIENCE [administrator]

7/18/2012 12:09:07
mbam-log-2012-07-18 (12-09-07).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 330268
Time elapsed: 56 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCR\.pox (Rogue.FixTool) -> Quarantined and deleted successfully.
HKCR\pofile (Rogue.FixTool) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoSMHelp (PUM.Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Administrator.EXPERIENCE\My Documents\Downloads\PerfectOptimizer.exe (PUP.PerfectOptimizer) -> Quarantined and deleted successfully.

(end)

#9 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 18 July 2012 - 05:23 PM

How is your computer running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please go to www.java.com and press the "Free Java Download" button near the center of the page. Follow the prompts to install the latest version.

Go to this LINK to run an online scanner from ESET.
  • Note: For browsers other than Internet Explorer, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double click on it to install and a new window will open.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If you are using Internet Explorer, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running now?
  • ESET log



#10 Dr Bob
  • Topic Starter
  • Members
  • 23 posts

Posted 22 July 2012 - 05:48 AM

Hi again,

OK, I have followed your most recent instructions. Java is updated and I have run ESET which I think found some stuff. I didn't do anything with it though, as I thought it better to await your instructions.

As for how the computer is running - well I haven't been using it while the cleanup has been underway. In order to answer your question though, I decided to give it a go and use it. I went to Google to download AVG (previously uninstalled for Combofix) and was promptly redirected somewhere else. This continues to occur on a regular basis. I think the redirect trojan is still there and is one of the things that ESET found.

Hopefully you've got some good ideas for what to try next! Here's hoping!

Thanks for your continued help, I appreciate it very much.

The ESET log is below.




ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=261f4bc262493f47be028920fa88bbf8
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-07-22 09:53:36
# local_time=2012-07-22 10:53:36 (+0000, GMT Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 863135 863135 0 0
# compatibility_mode=8192 67108863 100 0 252 252 0 0
# scanned=58238
# found=3
# cleaned=0
# scan_time=5461
C:\Documents and Settings\Administrator.EXPERIENCE\Application Data\AVG\Rescue\PC Tuneup 2011\120711131031734.rsc multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Administrator.EXPERIENCE\Local Settings\Application Data\{D2C7DE1A-C863-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\system32\cmdow.exe Win32/CMDOW.143 application (unable to clean) 00000000000000000000000000000000 I
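The ESET log above is the first place the redirect shows up by name: a JS/Redirector detection in browser.xul under a GUID-named folder in Local Settings\Application Data, which is a sideloaded Firefox extension rather than a Firefox profile. As an added example (not ESET's or BleepingComputer's code), this Python script parses that log layout and pulls out what a responder wants from it: the header counters, the findings the scanner could not clean, and any finding that sits in a browser extension path. The sample log is constructed from the three result lines in the post; the column layout (path, detection name, status in parentheses, 32-hex hash, flag) and the rule that a space-separated path ends at the first space after its last backslash are assumptions made for this example.

```python
"""Triage an ESET Online Scanner log for a browser-redirect case.

Added illustration, not ESET's code. SAMPLE_LOG is constructed from the result
lines in the post above; the column layout is assumed from those lines."""
import re

SAMPLE_LOG = """\
# version=7
# end=finished
# remove_checked=false
# scanned=58238
# found=3
# cleaned=0
C:\\Documents and Settings\\Administrator.EXPERIENCE\\Application Data\\AVG\\Rescue\\PC Tuneup 2011\\120711131031734.rsc multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\\Documents and Settings\\Administrator.EXPERIENCE\\Local Settings\\Application Data\\{D2C7DE1A-C863-11E1-8270-B8AC6F996F26}\\chrome\\content\\browser.xul JS/Redirector.NIQ trojan (unable to clean) 00000000000000000000000000000000 I
C:\\WINDOWS\\system32\\cmdow.exe Win32/CMDOW.143 application (unable to clean) 00000000000000000000000000000000 I
"""

# path + detection, then "(status)", a 32-hex hash and a one-letter flag.
RESULT_RE = re.compile(
    r"^(?P<before>.+?)\s+\((?P<status>[^()]*)\)\s+(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)\s*$"
)
# Markers of Firefox extension/profile content inside a path.
BROWSER_MARKERS = ("\\chrome\\content\\", "\\mozilla\\firefox\\profiles\\", "\\extensions\\")
# A GUID-named directory directly under Local Settings\Application Data, the
# layout of the sideloaded extension seen in this thread.
SIDELOAD_RE = re.compile(
    r"\\local settings\\application data\\(\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})\\",
    re.IGNORECASE,
)


def split_path_detection(before):
    """Split 'path detection' where the path may contain spaces. Tab-separated
    logs split cleanly; for space-separated text (as pasted into a forum post)
    the path is assumed to end at the first space after its last backslash,
    since detection names contain no backslash."""
    if "\t" in before:
        path, detection = before.split("\t", 1)
        return path.strip(), detection.strip()
    cut = before.find(" ", max(before.rfind("\\"), 0))
    if cut == -1:
        return before.strip(), ""
    return before[:cut].strip(), before[cut:].strip()


def parse_eset_log(text):
    """Return (header dict from the '# key=value' lines, list of finding dicts)."""
    header, findings = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()
            continue
        match = RESULT_RE.match(line)
        if not match:  # e.g. the downloader's "all ok" line
            continue
        path, detection = split_path_detection(match.group("before"))
        findings.append({"path": path, "detection": detection,
                         "status": match.group("status"),
                         "hash": match.group("hash"), "flag": match.group("flag")})
    return header, findings


def is_browser_extension_path(path):
    lowered = path.lower()
    return any(marker in lowered for marker in BROWSER_MARKERS)


def sideloaded_guid_dir(path):
    """Return the GUID directory name if the path matches the sideload layout."""
    match = SIDELOAD_RE.search(path)
    return match.group(1) if match else None


def triage(text):
    header, findings = parse_eset_log(text)
    return {
        "found": int(header.get("found", "0")),
        "cleaned": int(header.get("cleaned", "0")),
        "uncleaned": sum("unable to clean" in f["status"] for f in findings),
        "browser_extension_hits": [f["detection"] for f in findings
                                   if is_browser_extension_path(f["path"])],
        "sideloaded_guid_dirs": [g for g in (sideloaded_guid_dir(f["path"])
                                             for f in findings) if g],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

With remove_checked=false, as the instructions asked for, every finding reports "unable to clean"; the uncleaned count therefore says nothing by itself, while the browser-extension hit is the one that explains the redirects.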

#11 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 22 July 2012 - 11:30 AM

Please do this next:

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{D2C7DE1A-C863-11E1-8270-B8AC6F996F26}: C:\Documents and Settings\Administrator.EXPERIENCE\Local Settings\Application Data\{D2C7DE1A-C863-11E1-8270-B8AC6F996F26}\ [2012/07/07 19:42:34 | 000,000,000 | ---D | M]
    [2012/07/07 19:42:34 | 000,000,000 | ---D | M] (Mozilla Safe Browsing) -- C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR.EXPERIENCE\LOCAL SETTINGS\APPLICATION DATA\{D2C7DE1A-C863-11E1-8270-B8AC6F996F26}
    :Files
    C:\Documents and Settings\Administrator.EXPERIENCE\Local Settings\Application Data\{D2C7DE1A-C863-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul
    :Commands
    [EmptyTemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, it will reboot when it is done and produce a log
Please include the following in your next post:
  • OTL Fix log



#12 Dr Bob
  • Topic Starter
  • Members
  • 23 posts

Posted 25 July 2012 - 04:55 AM

OK, here's the latest log as per your request...

All processes killed
========== OTL ==========
File HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{D2C7DE1A-C863-11E1-8270-B8AC6F996F26}: C:\Documents and Settings\Administrator.EXPERIENCE\Local Settings\Application Data\{D2C7DE1A-C863-11E1-8270-B8AC6F996F26}\ not found.
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR.EXPERIENCE\LOCAL SETTINGS\APPLICATION DATA\{D2C7DE1A-C863-11E1-8270-B8AC6F996F26}\chrome\content folder moved successfully.
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR.EXPERIENCE\LOCAL SETTINGS\APPLICATION DATA\{D2C7DE1A-C863-11E1-8270-B8AC6F996F26}\chrome folder moved successfully.
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR.EXPERIENCE\LOCAL SETTINGS\APPLICATION DATA\{D2C7DE1A-C863-11E1-8270-B8AC6F996F26} folder moved successfully.
========== FILES ==========
File\Folder C:\Documents and Settings\Administrator.EXPERIENCE\Local Settings\Application Data\{D2C7DE1A-C863-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Administrator.EXPERIENCE
->Temp folder emptied: 11785363 bytes
->Temporary Internet Files folder emptied: 2359363 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 68937482 bytes
->Flash cache emptied: 602 bytes

User: ADMINI~1~EXP

User: All Users

User: All Users.WINDOWS

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User.WINDOWS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 21807919 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 100.00 mb


OTL by OldTimer - Version 3.2.54.0 log created on 07252012_104536

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


Is it good news?!

Thanks.

#13 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 25 July 2012 - 10:08 AM

Hopefully it's good news - are you still having redirect issues?



#14 Dr Bob
  • Topic Starter
  • Members
  • 23 posts

Posted 25 July 2012 - 12:30 PM

Well, after some light googling I haven't had a redirect, though sometimes I didn't get them for a while and then they would return. Does this evidence, in conjunction with all your work, suggest it has gone?

#15 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 25 July 2012 - 09:00 PM

It sure sounds like it! Use it normally for a day, then let me know tomorrow if all is still well. If it is I'll have some important cleanup measures for you to tend to.
