
zeroaccess


  • This topic is locked
28 replies to this topic

#1 Gmach

Gmach

  • Members
  • 16 posts

Posted 21 July 2012 - 10:12 AM

Results of screen317's Security Check version 0.99.43
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Please wait while WMIC is being installed.
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.62.0.1300
FixCleaner 2.0.4398
Adobe Reader X (10.1.2)
Google Chrome 20.0.1132.47
Google Chrome 20.0.1132.57
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials msseces.exe
Windows Defender MSMpEng.exe
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Microsoft Security Client Antimalware MsMpEng.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C::
````````````````````End of Log``````````````````````



#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,848 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 21 July 2012 - 01:17 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Gmach

Gmach
  • Topic Starter

  • Members
  • 16 posts

Posted 22 July 2012 - 12:05 PM

Malwarebytes found the zeroaccess virus and said it quarantined it but the system is still very slow.
In Jan/12 MB found and deleted Trojan.agent / Backdoor.agent.gen / rootkit.0access / PUP.Bundleinstaller.OI / Rootkit.dropper.
I don't think that MB actually deleted these viruses and MS security essentials doesn't even see them .... what a useless program that is.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Brian at 11:43:04 on 2012-07-21
.
============== Running Processes ===============
.
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brian\Desktop\dds.scr
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab1\kaspersky internet security 2011\ievkbd.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab1\kaspersky internet security 2011\klwtbbho.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [AVP] "c:\program files\kaspersky lab1\kaspersky internet security 2011\avp.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: Add to Anti-Banner - c:\program files\kaspersky lab1\kaspersky internet security 2011\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{FF48232B-AD28-4A9C-98B5-E5446F8F60CE} : DhcpNameServer = 192.168.1.1
Notify: klogon - c:\windows\system32\klogon.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R? AVP;Kaspersky Anti-Virus Service
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? iqjfuorv;iqjfuorv
R? latcqwrn;latcqwrn
R? MBAMSwissArmy;MBAMSwissArmy
S? KL1;KL1
S? kl2;kl2
S? klim5;Kaspersky Anti-Virus NDIS Filter
S? klmouflt;Kaspersky Lab KLMOUFLT
S? lne100tx;Linksys LNE100TX Fast Ethernet PCI Adapter
S? MBAMProtector;MBAMProtector
S? MBAMService;MBAMService
S? MpFilter;Microsoft Malware Protection Driver
.
=============== Created Last 30 ================
.
2012-07-21 05:40:06    6891424    ----a-w-    c:\documents and settings\all users.windows\application data\microsoft\microsoft antimalware\definition updates\{9912967c-77ab-4d26-973d-c84dfda6ff71}\mpengine.dll
2012-07-20 19:12:40    40776    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2012-07-20 19:09:18    22344    ----a-w-    c:\windows\system32\drivers\mbam.sys
2012-06-27 19:52:36    521728    -c----w-    c:\windows\system32\dllcache\jsdbgui.dll
.
==================== Find3M  ====================
.
2012-06-13 13:19:59    1866112    ----a-w-    c:\windows\system32\win32k.sys
2012-06-05 15:50:25    1372672    ----a-w-    c:\windows\system32\msxml6.dll
2012-06-05 15:50:25    1172480    ----a-w-    c:\windows\system32\msxml3.dll
2012-06-04 04:32:08    152576    ----a-w-    c:\windows\system32\schannel.dll
2012-06-02 19:19:44    22040    ----a-w-    c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19:38    219160    ----a-w-    c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19:38    15384    ----a-w-    c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19:34    15384    ----a-w-    c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19:30    17944    ----a-w-    c:\windows\system32\wuaueng.dll.mui
2012-05-31 13:22:09    599040    ----a-w-    c:\windows\system32\crypt32.dll
2012-05-16 15:08:26    916992    ----a-w-    c:\windows\system32\wininet.dll
2012-05-11 14:42:33    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02    385024    ----a-w-    c:\windows\system32\html.iec
2012-05-04 13:12:30    2192640    ----a-w-    c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19    2069120    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36    139656    ----a-w-    c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 11:44:46.89 ===============

Edited by Orange Blossom, 22 July 2012 - 08:37 PM.
Merged topics. ~ OB


#4 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,600 posts
  • Gender:Male

Posted 26 July 2012 - 10:15 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/461752 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#5 Gmach

Gmach
  • Topic Starter

  • Members
  • 16 posts

Posted 27 July 2012 - 02:56 PM

slow slow slow...ran Malwarebytes. Found zeroaccess rootkit virus but can get rid of it.

Attached Files

  • Attached File  ark.txt   2.71KB   2 downloads

Edited by Gmach, 27 July 2012 - 02:56 PM.


#6 Gmach

Gmach
  • Topic Starter

  • Members
  • 16 posts

Posted 27 July 2012 - 02:57 PM

more logs....seem only to be able to attach one per reply...go figure!

Attached Files

  • Attached File  dds.txt   6.17KB   2 downloads

Edited by Gmach, 27 July 2012 - 02:59 PM.


#7 Gmach

Gmach
  • Topic Starter

  • Members
  • 16 posts

Posted 27 July 2012 - 02:58 PM

and still more logs...



#8 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 27 July 2012 - 02:59 PM

Hi Gmach,

Welcome to BleepingComputer.
We sincerely apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code or quote boxes (unless explicitly asked to)
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

 

One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Combofix
Please download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you do not know how to do this you can find out >here< or >here<
3. Double click on combofix.exe & follow the prompts.

Important:
  • Do not mouseclick combofix's window while it's running. That may cause it to stall.
  • If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

In your next reply, please include:
  • Combofix log
  • Feedback from you - How is your computer running now? Please be as descriptive as possible. Include any word-for-word error messages that you may have, and/or screenshots of strange behavior.

Edited by jntkwx, 27 July 2012 - 03:01 PM.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#9 Gmach

Gmach
  • Topic Starter

  • Members
  • 16 posts

Posted 27 July 2012 - 04:58 PM

ComboFix 12-07-27.03 - Brian 07/27/2012 17:18:00.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.282 [GMT -4:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Kaspersky Internet Security *Enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Brian\WINDOWS
c:\windows\$NtUninstallKB11614$
c:\windows\$NtUninstallKB11614$\2096541271\@
c:\windows\$NtUninstallKB11614$\2096541271\L\emebmadp
c:\windows\$NtUninstallKB11614$\2096541271\loader.tlb
c:\windows\$NtUninstallKB11614$\2096541271\U\@00000001
c:\windows\$NtUninstallKB11614$\2096541271\U\@000000c0
c:\windows\$NtUninstallKB11614$\2096541271\U\@000000cb
c:\windows\$NtUninstallKB11614$\2096541271\U\@000000cf
c:\windows\$NtUninstallKB11614$\2096541271\U\@80000000
c:\windows\$NtUninstallKB11614$\2096541271\U\@800000c0
c:\windows\$NtUninstallKB11614$\2096541271\U\@800000cb
c:\windows\$NtUninstallKB11614$\2096541271\U\@800000cf
c:\windows\$NtUninstallKB11614$\3536941126
c:\windows\system32\
.
.
((((((((((((((((((((((((( Files Created from 2012-06-27 to 2012-07-27 )))))))))))))))))))))))))))))))
.
.
2012-07-27 19:46 . 2012-07-27 19:46 56200 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4196E65F-040A-439C-B777-AD68B18956C8}\offreg.dll
2012-07-27 19:34 . 2012-06-29 08:44 6891424 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4196E65F-040A-439C-B777-AD68B18956C8}\mpengine.dll
2012-07-27 19:21 . 2012-07-27 19:21 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-07-20 19:09 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-29 08:44 . 2011-10-18 17:58 6891424 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-13 13:19 . 2004-08-04 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2009-08-19 22:07 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2004-08-04 12:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 19:19 . 2009-08-07 00:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2011-10-18 01:10 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2011-10-18 01:10 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2011-10-18 01:10 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2009-08-07 00:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2011-10-18 01:10 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2011-10-18 01:10 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2009-08-07 00:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2009-08-06 23:24 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2004-08-04 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2009-08-07 00:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2011-10-18 01:10 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2011-10-18 01:10 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:12 . 2004-08-04 12:00 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 22:59 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2011-10-18 01:07 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-12-18 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2011 11.0.2.556\\English\\setup.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
.
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [6/9/2010 5:43 PM 11352]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/20/2012 3:09 PM 655944]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/7/2010 12:06 PM 32856]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/2/2009 8:27 PM 19472]
R3 lne100tx;Linksys LNE100TX Fast Ethernet PCI Adapter;c:\windows\system32\drivers\lne100tx.sys [1/11/2012 1:09 PM 70730]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/20/2012 3:09 PM 22344]
S1 iqjfuorv;iqjfuorv;\??\c:\windows\system32\drivers\iqjfuorv.sys --> c:\windows\system32\drivers\iqjfuorv.sys [?]
S1 latcqwrn;latcqwrn;\??\c:\windows\system32\drivers\latcqwrn.sys --> c:\windows\system32\drivers\latcqwrn.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2011 2:56 PM 130248]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2011 2:56 PM 130248]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/27/2012 3:21 PM 40776]
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-18 18:55]
.
2012-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-18 18:55]
.
2012-07-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab1\Kaspersky Internet Security 2011\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-27 17:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2732)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\system32\SearchIndexer.exe
.
**************************************************************************
.
Completion time: 2012-07-27 17:56:20 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-27 21:56
ComboFix2.txt 2011-10-17 18:09
ComboFix3.txt 2011-10-17 17:23
.
Pre-Run: 7,746,682,880 bytes free
Post-Run: 8,880,472,064 bytes free
.
- - End Of File - - C1A00D0989AB25D91FE777F9CFA935D6

#10 Gmach

Gmach
  • Topic Starter

  • Members
  • 16 posts

Posted 27 July 2012 - 05:13 PM

I couldn't completely remove Kaspersky for some reason. Some files just can't be removed.
The system is still slow and desktop links are very slow to open the program.
I'll run Mbam and post the report.

#11 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 27 July 2012 - 06:11 PM

Gmach,

As I said previously, please do not run any other tool until instructed to do so! The reason behind this is that sometimes, running another tool without being instructed to do so can cause more problems.

Rerun Combofix
Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/topic461752.html

Suspect::[139]
c:\windows\system32\drivers\iqjfuorv.sys
c:\windows\system32\drivers\latcqwrn.sys

Save this as CFScript.txt


Posted Image


Referring to the picture above, drag CFScript.txt into ComboFix.exe

If prompted to update Combofix, please click Yes to allow it to update.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**
When Combofix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
Ensure you are connected to the internet and click OK on the message box.
Regards,
Jason


Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#12 Gmach

Gmach
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:07 PM

Posted 27 July 2012 - 09:58 PM

There was no message box that opened, only this log.

ComboFix 12-07-27.03 - Brian 07/27/2012 22:22:43.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.185 [GMT -4:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brian\Desktop\CFScript.txt
AV: Kaspersky Internet Security *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Kaspersky Internet Security *Enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-28 )))))))))))))))))))))))))))))))
.
.
2012-07-28 02:01 . 2012-07-28 02:01 29904 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C64758E3-F6FC-48D4-AF97-B7EF7E33FC89}\MpKslbcddbefb.sys
2012-07-27 22:06 . 2012-07-27 22:06 56200 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C64758E3-F6FC-48D4-AF97-B7EF7E33FC89}\offreg.dll
2012-07-27 22:03 . 2012-06-29 08:44 6891424 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C64758E3-F6FC-48D4-AF97-B7EF7E33FC89}\mpengine.dll
2012-07-20 19:09 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-29 08:44 . 2011-10-18 17:58 6891424 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-13 13:19 . 2004-08-04 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2009-08-19 22:07 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2004-08-04 12:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 19:19 . 2009-08-07 00:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2011-10-18 01:10 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2011-10-18 01:10 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2011-10-18 01:10 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2009-08-07 00:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2011-10-18 01:10 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2011-10-18 01:10 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2009-08-07 00:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2009-08-06 23:24 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2004-08-04 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2009-08-07 00:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2011-10-18 01:10 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2011-10-18 01:10 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:12 . 2004-08-04 12:00 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 22:59 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2011-10-18 01:07 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-12-18 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2011 11.0.2.556\\English\\setup.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
.
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [6/9/2010 5:43 PM 11352]
R1 MpKslbcddbefb;MpKslbcddbefb;c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C64758E3-F6FC-48D4-AF97-B7EF7E33FC89}\MpKslbcddbefb.sys [7/27/2012 10:01 PM 29904]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/20/2012 3:09 PM 655944]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/7/2010 12:06 PM 32856]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/2/2009 8:27 PM 19472]
R3 lne100tx;Linksys LNE100TX Fast Ethernet PCI Adapter;c:\windows\system32\drivers\lne100tx.sys [1/11/2012 1:09 PM 70730]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/20/2012 3:09 PM 22344]
S1 iqjfuorv;iqjfuorv;\??\c:\windows\system32\drivers\iqjfuorv.sys --> c:\windows\system32\drivers\iqjfuorv.sys [?]
S1 latcqwrn;latcqwrn;\??\c:\windows\system32\drivers\latcqwrn.sys --> c:\windows\system32\drivers\latcqwrn.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2011 2:56 PM 130248]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2011 2:56 PM 130248]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLBCDDBEFB
*Deregistered* - MBAMSwissArmy
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-18 18:55]
.
2012-07-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-18 18:55]
.
2012-07-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab1\Kaspersky Internet Security 2011\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-27 22:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1600)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2012-07-27 22:47:29
ComboFix-quarantined-files.txt 2012-07-28 02:47
ComboFix2.txt 2012-07-27 21:56
ComboFix3.txt 2011-10-17 18:09
ComboFix4.txt 2011-10-17 17:23
.
Pre-Run: 8,889,315,328 bytes free
Post-Run: 8,876,412,928 bytes free
.
- - End Of File - - 95E81F48FFB0AFCF68762716F1894938

#13 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:09:07 PM

Posted 27 July 2012 - 10:07 PM

Okay, I don't think those files exist anymore; that's why you didn't get any messages pop up.


Please follow the instructions here: http://support.kaspersky.com/faq/?qid=208279463 to run the Kaspersky Removal Tool to fully uninstall Kaspersky.


We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Regards,
Jason


Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


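The two helper posts above read the same signal off two different logs: ComboFix lists iqjfuorv and latcqwrn as S1 services whose driver file resolves to "[?]", and the OTL report that follows shows the same two names as "File not found" DRV entries that still carry an image path, which is why the Suspect:: script produced no submission box. This is an added example, not code from ComboFix, OTL or anyone in this thread: a parser for both line formats that lists services still registered for a driver file that is no longer on disk, then keeps only the names both tools agree on; the sample lines are constructed from the logs posted in this topic.

```python
"""Flag orphaned driver/service entries in ComboFix and OTL logs.

Added example for this thread; not code from ComboFix, OTL or the helper.
The line formats are the ones visible in the logs posted in this topic,
and the sample lines below are constructed from those logs.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Entry:
    name: str       # service/driver name
    path: str       # registered image path, "" when nothing is registered
    present: bool   # False when the tool reported the file as missing
    source: str     # "combofix" or "otl"


# ComboFix: "<R|S><n> <name>;<display>;<path> [<date time size>]".
# A missing file is shown as "\??\<nt path> --> <win32 path> [?]".
_CF_LINE = re.compile(
    r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]\s*$")

# OTL: "DRV - <meta> -- <path> -- (<name>)"; <meta> begins with
# "File not found" for missing files and <path> may be empty.
_OTL_LINE = re.compile(
    r"^DRV - (?P<meta>.*?) -- (?P<path>.*?) ?-- \((?P<name>[^)]+)\)\s*$")


def parse_combofix(text: str) -> List[Entry]:
    """Parse the R?/S? service lines of a ComboFix log; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = _CF_LINE.match(raw.strip())
        if not m:
            continue
        path = m.group("path")
        if "-->" in path:                      # keep only the Win32 form of the path
            path = path.split("-->", 1)[1].strip()
        entries.append(Entry(m.group("name"), path, m.group("info") != "?", "combofix"))
    return entries


def parse_otl(text: str) -> List[Entry]:
    """Parse the DRV lines of an OTL report; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = _OTL_LINE.match(raw.strip())
        if not m:
            continue
        present = not m.group("meta").startswith("File not found")
        entries.append(Entry(m.group("name"), m.group("path"), present, "otl"))
    return entries


def orphaned(entries: List[Entry]) -> List[str]:
    """Names registered with an image path whose file the tool could not find.

    Entries with no path at all (WDICA, PCIDump, Changer, ...) are stale
    Windows XP leftovers and are deliberately not reported.
    """
    return sorted({e.name.lower() for e in entries if e.path and not e.present})


def corroborated(cf: List[Entry], otl: List[Entry]) -> List[str]:
    """Orphaned names reported by both tools. This drops one-tool artifacts such
    as GMER's own temporary catchme.sys, which only the OTL run still lists."""
    return sorted(set(orphaned(cf)) & set(orphaned(otl)))


# Constructed sample: five service lines in the ComboFix format seen in this topic.
COMBOFIX_SAMPLE = r"""
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [6/9/2010 5:43 PM 11352]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/20/2012 3:09 PM 655944]
S1 iqjfuorv;iqjfuorv;\??\c:\windows\system32\drivers\iqjfuorv.sys --> c:\windows\system32\drivers\iqjfuorv.sys [?]
S1 latcqwrn;latcqwrn;\??\c:\windows\system32\drivers\latcqwrn.sys --> c:\windows\system32\drivers\latcqwrn.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2011 2:56 PM 130248]
"""

# Constructed sample: seven DRV lines in the OTL format, including the stale
# no-path XP entries and GMER's temporary driver.
OTL_SAMPLE = r"""
========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\latcqwrn.sys -- (latcqwrn)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\iqjfuorv.sys -- (iqjfuorv)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Brian\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2008/04/13 14:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
"""

if __name__ == "__main__":
    cf, otl = parse_combofix(COMBOFIX_SAMPLE), parse_otl(OTL_SAMPLE)
    print("ComboFix orphaned:", orphaned(cf))
    print("OTL orphaned:     ", orphaned(otl))
    print("Seen by both:     ", corroborated(cf, otl))
```

Run against the full logs, the corroborated list is the set of names an analyst would hand to the Suspect:: directive or check in the services registry hive by hand.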
#14 Gmach

Gmach
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:07 PM

Posted 28 July 2012 - 11:41 AM

OTL logfile created on: 7/28/2012 12:13:37 PM - Run 1
OTL by OldTimer - Version 3.2.55.0 Folder = C:\Documents and Settings\Brian\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.46 Mb Total Physical Memory | 88.09 Mb Available Physical Memory | 17.22% Memory free
1.22 Gb Paging File | 0.80 Gb Available in Paging File | 65.60% Paging File free
Paging file location(s): c:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 38.28 Gb Total Space | 8.78 Gb Free Space | 22.95% Space Free | Partition Type: NTFS
Drive E: | 38.28 Gb Total Space | 18.29 Gb Free Space | 47.77% Space Free | Partition Type: NTFS

Computer Name: SN-AEEF7F9628A1 | User Name: Brian | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/28 12:13:18 | 000,597,504 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Brian\Desktop\OTL.exe
PRC - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/07/03 13:46:44 | 000,462,920 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/01/08 15:46:09 | 000,004,164 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2011/06/15 15:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2009/11/19 05:01:34 | 000,022,723 | ---- | M] () -- C:\WINDOWS\system32\sugw2l3.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/01/08 15:46:09 | 000,004,164 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\latcqwrn.sys -- (latcqwrn)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\iqjfuorv.sys -- (iqjfuorv)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Brian\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2008/04/13 14:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2004/08/03 18:29:28 | 000,701,440 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2001/08/17 13:12:24 | 000,070,730 | ---- | M] (Linksys Group, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lne100tx.sys -- (lne100tx)
DRV - [2001/08/17 08:19:34 | 000,040,704 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\es1371mp.sys -- (es1371)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6D8B356A-9E61-4F3C-8332-2E8A75081752}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-725345543-920026266-1060284298-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-725345543-920026266-1060284298-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-725345543-920026266-1060284298-1003\..\SearchScopes,DefaultScope = {6D8B356A-9E61-4F3C-8332-2E8A75081752}
IE - HKU\S-1-5-21-725345543-920026266-1060284298-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-725345543-920026266-1060284298-1003\..\SearchScopes\{6D8B356A-9E61-4F3C-8332-2E8A75081752}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ADFA_enCA454
IE - HKU\S-1-5-21-725345543-920026266-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\virtualKeyboard@kaspersky.ru: C:\Program Files\Kaspersky Lab1\Kaspersky Internet Security 2011\FFExt\virtualKeyboard@kaspersky.ru
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\KavAntiBanner@Kaspersky.ru: C:\Program Files\Kaspersky Lab1\Kaspersky Internet Security 2011\FFExt\KavAntiBanner@kaspersky.ru
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\linkfilter@kaspersky.ru: C:\Program Files\Kaspersky Lab1\Kaspersky Internet Security 2011\FFExt\linkfilter@kaspersky.ru

[2011/10/17 16:42:23 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/07/31 14:09:37 | 000,000,000 | ---D | M] (Anti-Banner) -- C:\Program Files\Mozilla Firefox\extensions\KavAntiBanner@kaspersky.ru_bak
[2011/07/31 14:09:33 | 000,000,000 | ---D | M] (Kaspersky URL Advisor) -- C:\Program Files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru_bak
[2010/06/05 14:07:56 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2012/07/27 17:44:52 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - No CLSID value found.
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O2 - BHO: (no name) - {E33CF602-D945-461A-83F0-819F76A199F8} - No CLSID value found.
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Brian McLaughlin\Start Menu\Programs\Startup\TalkSwitch Auto Update.lnk = C:\Program Files\TalkSwitch\TalkSwitch Configuration 6.12\TSAutoUpdate.exe (TalkSwitch Incorporated)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-725345543-920026266-1060284298-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-725345543-920026266-1060284298-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-725345543-920026266-1060284298-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-725345543-920026266-1060284298-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FF48232B-AD28-4A9C-98B5-E5446F8F60CE}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/06 18:22:23 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/10/14 16:37:58 | 000,000,000 | ---D | M] - C:\AUTOINFO -- [ NTFS ]
O32 - AutoRun File - [2006/09/06 18:22:23 | 000,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2011/06/10 12:23:05 | 000,000,000 | ---D | M] - E:\AUTOINFO -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/28 12:13:08 | 000,597,504 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Brian\Desktop\OTL.exe
[2012/07/27 22:47:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/07/27 16:28:09 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/07/27 16:28:09 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/07/27 16:28:09 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/07/27 16:28:09 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/07/27 16:17:18 | 004,719,842 | R--- | C] (Swearware) -- C:\Documents and Settings\Brian\Desktop\ComboFix.exe
[2012/07/21 11:59:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brian\Desktop\gmer
[2012/07/21 11:43:05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Brian\My Documents\My Videos
[2012/07/21 11:43:05 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Brian\Start Menu\Programs\Administrative Tools
[2012/07/21 11:40:55 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Brian\Desktop\dds.scr
[2012/07/20 15:09:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/07/20 15:09:18 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/07/28 12:23:11 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/07/28 12:13:27 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/07/28 12:13:18 | 000,597,504 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Brian\Desktop\OTL.exe
[2012/07/28 12:08:24 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/07/28 12:08:09 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/07/28 12:07:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/07/28 12:07:46 | 536,379,392 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/27 17:44:52 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/07/27 16:11:36 | 004,719,842 | R--- | M] (Swearware) -- C:\Documents and Settings\Brian\Desktop\ComboFix.exe
[2012/07/22 13:57:25 | 000,000,804 | ---- | M] () -- C:\Documents and Settings\Brian\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/07/21 11:49:47 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\Brian\Desktop\gmer.zip
[2012/07/21 11:40:56 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Brian\Desktop\dds.scr
[2012/07/21 11:39:27 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Brian\defogger_reenable
[2012/07/20 15:09:46 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\Brian\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
[2012/07/20 15:09:46 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/12 16:37:14 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Google Chrome.lnk
[2012/07/12 10:39:34 | 000,269,392 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/07/11 11:57:02 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/27 16:28:09 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/07/27 16:28:09 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/07/27 16:28:09 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/07/27 16:28:09 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/07/27 16:28:09 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/07/27 15:46:30 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Brian\Desktop\gmer.exe
[2012/07/22 13:57:25 | 000,000,804 | ---- | C] () -- C:\Documents and Settings\Brian\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/07/21 11:49:44 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\Brian\Desktop\gmer.zip
[2012/07/21 11:39:27 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Brian\defogger_reenable
[2012/07/20 15:09:46 | 000,000,802 | ---- | C] () -- C:\Documents and Settings\Brian\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
[2012/07/20 15:09:46 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/15 21:51:42 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/01/08 15:34:37 | 000,002,048 | -HS- | C] () -- C:\Documents and Settings\Brian\Local Settings\Application Data\7cf6ae57\@
[2011/10/17 21:20:42 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/10/17 21:08:53 | 000,022,720 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/10/17 16:56:24 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/10/17 16:53:31 | 000,269,392 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/10/16 17:53:23 | 000,002,048 | -H-- | C] () -- C:\Documents and Settings\Brian McLaughlin\Local Settings\Application Data\7cf6ae57\@
[2011/08/23 12:17:15 | 000,419,942 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1482476501-1343024091-1060284298-1003-0.dat
[2011/08/23 12:17:12 | 000,210,110 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat

< End of report >




OTL Extras logfile created on: 7/28/2012 12:13:37 PM - Run 1
OTL by OldTimer - Version 3.2.55.0 Folder = C:\Documents and Settings\Brian\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.46 Mb Total Physical Memory | 88.09 Mb Available Physical Memory | 17.22% Memory free
1.22 Gb Paging File | 0.80 Gb Available in Paging File | 65.60% Paging File free
Paging file location(s): c:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 38.28 Gb Total Space | 8.78 Gb Free Space | 22.95% Space Free | Partition Type: NTFS
Drive E: | 38.28 Gb Total Space | 18.29 Gb Free Space | 47.77% Space Free | Partition Type: NTFS

Computer Name: SN-AEEF7F9628A1 | User Name: Brian | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Disabled:Malwarebytes Anti-Malware -- (Malwarebytes Corporation)
"C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2011 11.0.2.556\English\setup.exe" = C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2011 11.0.2.556\English\setup.exe:*:Enabled:Kaspersky Internet Security 2011


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{37C4D110-D869-11DF-72AE-0062CCE82CD6}" = Rhvac Version 9
"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
"{686695ED-BB3F-415D-B0DB-18CF535F7B50}" = Driver Manager
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Autodesk WHIP!" = Autodesk WHIP! (Release 4.0-102)
"FixCleaner_is1" = FixCleaner 2.0.4398
"Google Chrome" = Google Chrome
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"PROPLUS" = Microsoft Office Professional Plus 2007
"Second Step" = Second Step
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR 4.01 (32-bit)

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 2/22/2012 1:55:26 PM | Computer Name = SN-AEEF7F9628A1 | Source = Windows Search Service | ID = 3024
Description = The update cannot be started because the content sources cannot be
accessed. Fix the errors and try the update again. Context: Application, SystemIndex
Catalog

Error - 2/22/2012 2:04:37 PM | Computer Name = SN-AEEF7F9628A1 | Source = MPSampleSubmission | ID = 5000
Description =

Error - 2/23/2012 4:26:15 PM | Computer Name = SN-AEEF7F9628A1 | Source = MPSampleSubmission | ID = 5000
Description =

Error - 2/27/2012 6:48:32 PM | Computer Name = SN-AEEF7F9628A1 | Source = MPSampleSubmission | ID = 5000
Description =

Error - 2/27/2012 6:59:51 PM | Computer Name = SN-AEEF7F9628A1 | Source = .NET Runtime 2.0 Error Reporting | ID = 1000
Description = Faulting application presentationfontcache.exe, version 3.0.6920.1427,
stamp 488f1424, faulting module kernel32.dll, version 5.1.2600.5781, stamp 49c4f482,
debug? 0, fault address 0x00012afb.

Error - 2/28/2012 11:57:45 AM | Computer Name = SN-AEEF7F9628A1 | Source = MPSampleSubmission | ID = 5000
Description =

Error - 3/11/2012 3:09:41 PM | Computer Name = SN-AEEF7F9628A1 | Source = MPSampleSubmission | ID = 5000
Description =

Error - 3/19/2012 6:40:06 PM | Computer Name = SN-AEEF7F9628A1 | Source = MPSampleSubmission | ID = 5000
Description =

Error - 3/21/2012 9:32:44 AM | Computer Name = SN-AEEF7F9628A1 | Source = MPSampleSubmission | ID = 5000
Description =

Error - 3/21/2012 6:09:31 PM | Computer Name = SN-AEEF7F9628A1 | Source = MPSampleSubmission | ID = 5000
Description =

[ OSession Events ]
Error - 10/18/2011 7:13:34 PM | Computer Name = SN-AEEF7F9628A1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 9999.9999.9999.9999. This session lasted
804 seconds with 0 seconds of active time. This session ended with a crash.

Error - 10/18/2011 7:14:45 PM | Computer Name = SN-AEEF7F9628A1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.4518.1014, Microsoft Office Version: 9999.9999.9999.9999. This session lasted
754 seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 7/28/2012 12:04:11 PM | Computer Name = SN-AEEF7F9628A1 | Source = Service Control Manager | ID = 7000
Description = The KLIF service failed to start due to the following error: %%2

Error - 7/28/2012 12:04:12 PM | Computer Name = SN-AEEF7F9628A1 | Source = Service Control Manager | ID = 7000
Description = The KLIF service failed to start due to the following error: %%2

Error - 7/28/2012 12:04:46 PM | Computer Name = SN-AEEF7F9628A1 | Source = Service Control Manager | ID = 7000
Description = The KLIF service failed to start due to the following error: %%2

Error - 7/28/2012 12:04:49 PM | Computer Name = SN-AEEF7F9628A1 | Source = Service Control Manager | ID = 7000
Description = The KLIF service failed to start due to the following error: %%2

Error - 7/28/2012 12:04:50 PM | Computer Name = SN-AEEF7F9628A1 | Source = Service Control Manager | ID = 7000
Description = The KLIF service failed to start due to the following error: %%2

Error - 7/28/2012 12:04:52 PM | Computer Name = SN-AEEF7F9628A1 | Source = Service Control Manager | ID = 7000
Description = The KLIF service failed to start due to the following error: %%2

Error - 7/28/2012 12:04:53 PM | Computer Name = SN-AEEF7F9628A1 | Source = Service Control Manager | ID = 7000
Description = The KLIF service failed to start due to the following error: %%2

Error - 7/28/2012 12:04:55 PM | Computer Name = SN-AEEF7F9628A1 | Source = Service Control Manager | ID = 7000
Description = The KLIF service failed to start due to the following error: %%2

Error - 7/28/2012 12:04:56 PM | Computer Name = SN-AEEF7F9628A1 | Source = Service Control Manager | ID = 7000
Description = The KLIF service failed to start due to the following error: %%2

Error - 7/28/2012 12:08:18 PM | Computer Name = SN-AEEF7F9628A1 | Source = NetBT | ID = 4314
Description = Unable to read the driver's bindings to the transport from the registry.


< End of report >

#15 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:09:07 PM

Posted 28 July 2012 - 12:43 PM

Gmach,

Did you run the Kaspersky removal tool?


Please open notepad and copy/paste the text in the box below into it:

Step 1: Rerun Combofix
http://www.bleepingcomputer.com/forums/topic461752.html

Collect::
C:\Documents and Settings\Brian\Local Settings\Application Data\7cf6ae57\@
C:\Documents and Settings\Brian McLaughlin\Local Settings\Application Data\7cf6ae57\@

Driver::
WDICA
PDRFRAME
PDRELI
PDFRAME
PDCOMP
PCIDump
lbrtfdc
latcqwrn
iqjfuorv
i2omgmt
Changer

Save this as CFScript.txt


Posted Image


Referring to the picture above, drag CFScript.txt into ComboFix.exe

If prompted to update Combofix, please click Yes to allow it to update.

When finished, it shall produce a log for you. Post that log in your next reply (don't attach it).

**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
Ensure you are connected to the internet and click OK on the message box.


Step 2: FSS
Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


In your next reply, please include:
  • New Combofix log
  • FSS log
  • Feedback from you - How is your computer running now? Please be as descriptive as possible.

Regards,
Jason


Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.
