
How do I remove UK PCeU Ransomware?


This topic is locked
12 replies to this topic

#1 lenny11 (Members)

Posted 05 January 2014 - 08:20 AM

I have PCeU ransomware on a Windows XP Professional PC, a 10-year-old Dell Dimension 8250. I can't get access to the desktop as it is blocked with the ransomware screen. I have a data backup on a WD MyBook. I do not have a recovery system on CD/DVD; I have never been able to create one.

I have looked at the United Kingdom Police Ransomware Removal Guide but cannot see where to start, as I do not believe I can boot from a USB drive. (I can boot from floppy or the CD/DVD drive.)

I have also tried the Symantec website for support (the PC is licensed with Norton Internet Security, which didn't do its job), which suggests using the Norton Bootable Recovery Tool. However, as I am using a Windows 7 PC to access the Internet, the disc produced by the Symantec website for this purpose is unreadable by my infected PC; presumably it is 64-bit Windows 7, which cannot be used by my 32-bit PC.

Can anyone suggest how I can proceed from here?

#2 lenny11 (Topic Starter)

Posted 06 January 2014 - 11:07 AM

I have managed to overcome the immediate issue of not being able to access my desktop. Surprisingly, I was able to run in Safe Mode and run my Norton software, which appears to have removed the offending files. However, at startup (after login) I am getting a RUNDLL error which lists one of the files that Norton removed. I cannot find where that is being invoked at startup. I would appreciate any ideas about where I should look. I have tried the registry but it is not listed in there, and it is not in the "all users" startup. Where else should I look?



#3 nasdaq (Malware Response Team)

Posted 10 January 2014 - 09:19 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Let's start with these scans.

Search for and delete the adware and PUPs (Potentially Unwanted Programs) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button, all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

Download DDS by sUBs from one of the following links, if you no longer have it available. Save it to your desktop.

1: DDS.scr (Not recommended if you use Chrome to download this .scr file. Use the other options.)
2: DDS.pif
3: DDS.COM

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.


Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.
===

Third-party programs, if not up to date, can be the cause of infiltration of an infection.

Please restart the computer before running this security check.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Please paste the logs in your next reply, DO NOT ATTACH THEM
Let me know what problem persists.
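Post #2 asked where a RUNDLL error that survives a check of the registry and the All Users startup could still be launched from. The script below is an added illustration, not code from this thread, from nasdaq, or from the DDS tool: it parses autostart lines in the format DDS prints in its "Pseudo HJT Report" (the format of the log posted later in this thread) and flags stale entries, bare rundll32 launchers, and random-named shortcuts in the per-user Startup folder, which is a separate location from the All Users one. The u/m/d hive abbreviations and the randomness heuristic are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: autostart lines in the format DDS prints in its
# "Pseudo HJT Report", copied from the log posted later in this thread.
SAMPLE_DDS_LINES = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NWEReboot] <no file>
dRunOnce: [SRUUninstall] "c:\windows\system32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress
StartupFolder: c:\docume~1\cdas\startm~1\programs\startup\wlf9mq4r.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
"""

# Assumption: the DDS prefixes u/m/d stand for HKCU, HKLM and HKU\.DEFAULT.
HIVES = {"u": "HKCU", "m": "HKLM", "d": r"HKU\.DEFAULT"}
RUN_RE = re.compile(r"^(?P<hive>[umd])(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^StartupFolder: (?P<lnk>.+?\.lnk) - (?P<target>.*)$", re.IGNORECASE)
ALL_USERS_RE = re.compile(r"\\(alluse~1|all users)\\", re.IGNORECASE)


@dataclass
class Finding:
    line: str                                   # the DDS line as posted
    where: str                                  # which autostart location it came from
    reasons: list = field(default_factory=list)


def rundll32_without_dll(cmd: str) -> bool:
    """True when the command is rundll32.exe with nothing after it.

    rundll32 needs a DLL and an entry point to do anything, so a bare launcher is
    either a shortcut whose arguments DDS does not display or a leftover whose DLL
    has already been removed. Assumes an unquoted exe path contains no spaces,
    which holds for rundll32 under %windir%\\system32.
    """
    m = re.match(r'\s*"?(?P<exe>[^"\s]+)"?\s*(?P<args>.*)$', cmd)
    return bool(m) and m.group("exe").lower().endswith("rundll32.exe") and not m.group("args").strip()


def looks_random(stem: str) -> bool:
    """Heuristic for machine-generated names such as wlf9mq4r: 7+ characters,
    mixing letters and digits, with few vowels. 8.3 suffixes like ~1 are ignored."""
    s = re.sub(r"~\d+$", "", stem.lower())
    if len(s) < 7:
        return False
    has_digit = any(c.isdigit() for c in s)
    has_alpha = any(c.isalpha() for c in s)
    vowels = sum(c in "aeiou" for c in s)
    return has_digit and has_alpha and vowels <= len(s) // 4


def analyze(text: str) -> list:
    """Walk DDS autostart lines and return the entries worth a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            where = f"{HIVES[m.group('hive')]} {m.group('key')} key"
            cmd = m.group("cmd")
            f = Finding(line, where)
            if cmd in ("<no file>", "<orphaned>"):
                f.reasons.append("stale entry: the file it launched no longer exists")
            elif rundll32_without_dll(cmd):
                f.reasons.append("rundll32.exe with no DLL argument")
            if f.reasons:
                findings.append(f)
            continue
        m = STARTUP_RE.match(line)
        if m:
            lnk, target = m.group("lnk"), m.group("target")
            per_user = not ALL_USERS_RE.search(lnk)
            where = "per-user Startup folder" if per_user else "All Users Startup folder"
            stem = lnk.replace("/", "\\").rsplit("\\", 1)[-1][:-4]   # drop ".lnk"
            f = Finding(line, where)
            if rundll32_without_dll(target):
                f.reasons.append('shortcut runs rundll32.exe with no visible DLL; if the DLL it '
                                 'named was removed, this is what raises the RUNDLL "error '
                                 'loading" dialog at logon')
            if looks_random(stem):
                f.reasons.append(f"random-looking shortcut name {stem!r}")
            if f.reasons:
                findings.append(f)
            continue
        if line.endswith("<orphaned>") or line.endswith("<no file>"):
            findings.append(Finding(line, "other DDS entry", ["orphaned entry"]))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_DDS_LINES):
        print(f"[{f.where}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample, the per-user shortcut wlf9mq4r.lnk is reported twice over (bare rundll32 launcher and random name) while the All Users WinZip shortcut is not; inspecting that shortcut's properties shows the DLL argument the RUNDLL dialog complains about.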

#4 lenny11 (Topic Starter)

Posted 12 January 2014 - 10:07 AM

nasdaq, thanks for your reply. I have done the scans and here are the results:

AdwCleaner:

# AdwCleaner v3.016 - Report created 11/01/2014 at 15:34:32
# Updated 23/12/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : cdas - DELL8250
# Running from : C:\Documents and Settings\cdas\My Documents\Downloads\BleepingComputer\adwcleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Found C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Found C:\Program Files\AOL Toolbar
Folder Found C:\Program Files\Viewpoint

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\alot
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{327C2873-E90D-4C37-AA9D-10AC9BABA46C}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{327C2873-E90D-4C37-AA9D-10AC9BABA46C}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{327C2873-E90D-4C37-AA9D-10AC9BABA46C}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}
Key Found : HKLM\SOFTWARE\Classes\toolband.eb_explorerbar
Key Found : HKLM\SOFTWARE\Classes\toolband.eb_explorerbar.1
Key Found : HKLM\SOFTWARE\Classes\toolband.ipm_printlistitem
Key Found : HKLM\SOFTWARE\Classes\toolband.ipm_printlistitem.1
Key Found : HKLM\SOFTWARE\Classes\toolband.pm_launcher
Key Found : HKLM\SOFTWARE\Classes\toolband.pm_launcher.1
Key Found : HKLM\SOFTWARE\Classes\toolband.pm_printmanager
Key Found : HKLM\SOFTWARE\Classes\toolband.pm_printmanager.1
Key Found : HKLM\SOFTWARE\Classes\toolband.pr_bindstatuscallback
Key Found : HKLM\SOFTWARE\Classes\toolband.pr_bindstatuscallback.1
Key Found : HKLM\SOFTWARE\Classes\toolband.pr_cancelbuttoneventhandler
Key Found : HKLM\SOFTWARE\Classes\toolband.pr_cancelbuttoneventhandler.1
Key Found : HKLM\SOFTWARE\Classes\toolband.tbtoolband
Key Found : HKLM\SOFTWARE\Classes\toolband.tbtoolband.1
Key Found : HKLM\SOFTWARE\Classes\toolband.useroptions
Key Found : HKLM\SOFTWARE\Classes\toolband.useroptions.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{4F7D1B07-6203-41F0-947B-A29CC9ECD9B0}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9DBB28C1-1925-11D3-A498-00104B6EB52E}
Key Found : HKLM\Software\MetaStream
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\alotToolbar
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\alotToolbar
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Found : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Found : HKLM\Software\Viewpoint
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{327C2873-E90D-4C37-AA9D-10AC9BABA46C}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}]

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

*************************

AdwCleaner[R0].txt - [4182 octets] - [11/01/2014 15:34:32]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [4242 octets] ##########

 

I did not run the clean at this point as the software identified appeared to all be associated with my AOL installation.

The Junkware Removal Tool produced this:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.0 (01.07.2014:1)
OS: Microsoft Windows XP x86
Ran by cdas on 11/01/2014 at 15:59:04.84
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\axmetastream.metastreamctl
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\axmetastream.metastreamctl.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\axmetastream.metastreamctlsecondary
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\axmetastream.metastreamctlsecondary.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolband.eb_explorerbar
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolband.eb_explorerbar.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolband.ipm_printlistitem
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolband.ipm_printlistitem.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolband.pm_launcher
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolband.pm_launcher.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolband.pm_printmanager
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolband.pm_printmanager.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolband.pr_bindstatuscallback
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolband.pr_bindstatuscallback.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolband.pr_cancelbuttoneventhandler
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolband.pr_cancelbuttoneventhandler.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolband.tbtoolband
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolband.tbtoolband.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolband.useroptions
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\toolband.useroptions.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\alottoolbar
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\viewpointmediaplayer
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\viewpoint"
Successfully deleted: [Folder] "C:\Documents and Settings\cdas\Application Data\alot"
Successfully deleted: [Folder] "C:\Program Files\alot"
Successfully deleted: [Folder] "C:\Program Files\aol toolbar"
Successfully deleted: [Folder] "C:\Program Files\viewpoint"

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 11/01/2014 at 16:25:14.04
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

So it removed the stuff that AdwCleaner identified.

The DDS scan produced this:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by cdas at 13:13:17 on 2014-01-12
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.322 [GMT 0:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton Management\Engine\3.2.2.12\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Norton Management\Engine\3.2.2.12\ccSvcHst.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\Program Files\Common Files\FotoNation\EvLstnr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1159533519\ee\AOLSoftware.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Kaz Guardian Angel\Kazga.exe
C:\Program Files\Plustek\OpticFilm 7400\QuickScan.exe
c:\program files\common files\aol\1159533519\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1159533519\ee\aolsoftware.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.aol.co.uk
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\engine\20.4.0.40\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton internet security\engine\20.4.0.40\ips\ipsbho.dll
TB: AOL Toolbar: {4982D40A-C53B-4615-B15B-B5B5E98D167C} -
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\20.4.0.40\coieplg.dll
TB: Easy-WebPrint: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - c:\program files\canon\easy-webprint\Toolband.dll
TB: AOL Toolbar: {4982D40A-C53B-4615-B15B-B5B5E98D167C} -
TB: ALOT Toolbar: {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} -
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\20.4.0.40\coieplg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
EB: Real.com: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [DellTouch] c:\windows\MMKeybd.exe
mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe
mRun: [Iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe
mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART
mRun: [Omnipage] c:\program files\scansoft\omnipagese\opware32.exe
mRun: [MediaFace Integration] c:\program files\fellowes\mediaface 4.0\SetHook.exe
mRun: [EVENTLISTENER] c:\program files\common files\fotonation\EvLstnr.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [nwiz] nwiz.exe /install
mRun: [NWEReboot] <no file>
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Symantec Network Driver Update Warning] c:\progra~1\symantec\liveup~1\SNDWarn.EXE
dRunOnce: [SRUUninstall] "c:\windows\system32\msiexec.exe" /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress
StartupFolder: c:\docume~1\cdas\startm~1\programs\startup\wlf9mq4r.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kazgae~1.lnk - c:\program files\kaz guardian angel\Kazga.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\msoffice\office\FASTBOOT.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicks~1.lnk - c:\program files\plustek\opticfilm 7400\QuickScan.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{D286683C-65F2-4B75-ACC0-0A3FF31F8904} : DHCPNameServer = 192.168.0.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2013-10-25 108816]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1404000.028\symds.sys [2013-6-12 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1404000.028\symefa.sys [2013-6-12 934488]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.3.0.36\definitions\bashdefs\20131218.001\BHDrvx86.sys [2013-12-18 1098968]
R1 ccSet_MCLIENT;Norton Management Settings Manager;c:\windows\system32\drivers\mclient\0302020.00c\ccsetx86.sys [2014-1-6 134304]
R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\nis\1404000.028\ccsetx86.sys [2013-6-12 134744]
R1 RapportCerberus_59849;RapportCerberus_59849;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_59849.sys [2013-12-17 340432]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2013-10-25 157264]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2013-10-25 230448]
R1 stltrack;stltrack;c:\windows\system32\drivers\STLTRACK.SYS [2003-6-1 13536]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1404000.028\ironx86.sys [2013-6-12 175264]
R2 MCLIENT;Norton Management;c:\program files\norton management\engine\3.2.2.12\ccsvchst.exe [2014-1-6 143928]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\20.4.0.40\ccsvchst.exe [2013-6-12 144368]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2013-10-25 1444120]
R2 WDDMService;WDDMService;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2011-3-9 238592]
R2 WDSC;WD File Management Shadow Engine;c:\program files\western digital\wd smartware\front parlor\WDSC.exe [2011-3-9 484352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2013-11-23 108120]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.3.0.36\definitions\ipsdefs\20140110.001\IDSXpx86.sys [2014-1-11 382608]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.3.0.36\definitions\virusdefs\20140110.017\NAVENG.SYS [2014-1-11 93272]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_20.3.0.36\definitions\virusdefs\20140110.017\NAVEX15.SYS [2014-1-11 1612376]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 WDFME;WD File Management Engine;c:\program files\western digital\wd smartware\front parlor\wdfme\WDFME.exe [2011-3-9 1060864]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
.
=============== Created Last 30 ================
.
2014-01-11 15:58:22 -------- d-----w- c:\windows\ERUNT
2014-01-11 15:34:07 -------- d-----w- C:\AdwCleaner
2014-01-07 22:25:24 -------- d-----w- c:\documents and settings\all users\application data\Temp(Virus)
2014-01-06 21:03:24 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2014-01-06 21:01:07 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2014-01-06 20:58:23 522240 ------w- c:\windows\system32\dllcache\jsdbgui.dll
2014-01-06 20:57:08 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2014-01-06 20:56:45 25088 ------w- c:\windows\system32\dllcache\hidparse.sys
2014-01-06 20:56:44 14976 ------w- c:\windows\system32\dllcache\usbscan.sys
2014-01-06 20:52:11 105472 ------w- c:\windows\system32\dllcache\mup.sys
2014-01-06 20:50:51 12928 ------w- c:\windows\system32\dllcache\usb8023x.sys
2014-01-06 20:50:51 12928 ------w- c:\windows\system32\dllcache\usb8023.sys
2014-01-06 20:50:44 60160 ------w- c:\windows\system32\dllcache\usbaudio.sys
2014-01-06 20:50:44 46848 ------w- c:\windows\system32\dllcache\irbus.sys
2014-01-06 20:50:44 123008 ------w- c:\windows\system32\dllcache\usbvideo.sys
2014-01-06 20:31:01 536576 ------w- c:\windows\system32\dllcache\msado15.dll
2014-01-06 20:29:44 139784 ------w- c:\windows\system32\dllcache\rdpwd.sys
2014-01-06 20:29:26 30336 ------w- c:\windows\system32\dllcache\usbehci.sys
2014-01-06 20:29:25 32384 ------w- c:\windows\system32\dllcache\usbccgp.sys
2014-01-06 20:29:25 144128 ------w- c:\windows\system32\dllcache\usbport.sys
2014-01-06 20:23:49 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2014-01-06 20:23:45 3072 ------w- c:\windows\system32\iacenc.dll
2014-01-06 20:23:45 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2014-01-06 20:18:08 45568 ------w- c:\windows\system32\dllcache\wab.exe
2014-01-06 17:06:45 -------- d-----w- c:\windows\system32\scripting
2014-01-06 17:06:42 -------- d-----w- c:\windows\l2schemas
2014-01-06 17:06:40 -------- d-----w- c:\windows\system32\en
2014-01-06 16:24:23 -------- d-----w- c:\windows\network diagnostic
2014-01-06 13:18:40 -------- d-----w- c:\documents and settings\cdas\local settings\application data\NPE
2014-01-06 12:42:13 134304 ----a-r- c:\windows\system32\drivers\mclient\0302020.00c\ccsetx86.sys
2014-01-06 12:39:37 -------- d-----w- c:\windows\system32\drivers\mclient\0302020.00C
2014-01-05 22:57:06 -------- d-----w- c:\windows\system32\drivers\MCLIENT
2014-01-05 22:57:06 -------- d-----w- c:\program files\Norton Management
2014-01-05 22:14:47 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2014-01-05 22:14:30 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2014-01-05 22:13:56 -------- d-----w- c:\windows\system32\drivers\nbrtwizard\0600000.04A
2014-01-05 22:13:56 -------- d-----w- c:\windows\system32\drivers\NBRTWizard
2014-01-05 22:13:50 -------- d-----w- c:\program files\Norton Bootable Recovery Tool Wizard
2014-01-05 18:23:35 -------- d-----w- C:\FRST
.
==================== Find3M  ====================
.
2013-11-13 02:59:42 150528 ----a-w- c:\windows\system32\imagehlp.dll
2013-11-07 05:38:51 591360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-11-06 01:03:31 7168 ----a-w- c:\windows\system32\xpsp4res.dll
2013-10-30 02:26:17 1879040 ----a-w- c:\windows\system32\win32k.sys
2013-10-29 07:57:34 920064 ----a-w- c:\windows\system32\wininet.dll
2013-10-29 07:57:33 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-10-29 07:57:33 18944 ----a-w- c:\windows\system32\corpol.dll
2013-10-29 07:57:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-10-29 00:45:02 385024 ----a-w- c:\windows\system32\html.iec
2013-10-25 02:34:18 108816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2013-10-23 23:45:49 172032 ----a-w- c:\windows\system32\scrrun.dll
2013-10-17 17:18:10 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-17 17:18:07 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 13:16:05.03 ===============
 

and

.UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 14/01/2003 22:58:50
System Uptime: 12/01/2014 13:02:03 (0 hours ago)
.
Motherboard: Dell Computer Corp. |  |      
Processor:               Intel® Pentium® 4 CPU 2.66GHz | Microprocessor | 2651/533mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 112 GiB total, 12.21 GiB free.
D: is CDROM ()
E: is CDROM ()
J: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1887: 14/10/2013 13:05:30 - System Checkpoint
RP1888: 17/10/2013 18:47:52 - System Checkpoint
RP1889: 18/10/2013 20:06:51 - System Checkpoint
RP1890: 19/10/2013 21:15:06 - System Checkpoint
RP1891: 20/10/2013 22:03:52 - System Checkpoint
RP1892: 22/10/2013 15:10:52 - System Checkpoint
RP1893: 24/10/2013 09:29:51 - System Checkpoint
RP1894: 29/10/2013 16:26:36 - System Checkpoint
RP1895: 31/10/2013 09:35:37 - System Checkpoint
RP1896: 01/11/2013 10:32:11 - System Checkpoint
RP1897: 08/11/2013 12:43:35 - System Checkpoint
RP1898: 09/11/2013 13:20:52 - System Checkpoint
RP1899: 10/11/2013 13:36:12 - System Checkpoint
RP1900: 11/11/2013 14:38:28 - System Checkpoint
RP1901: 12/11/2013 21:22:01 - System Checkpoint
RP1902: 13/11/2013 00:30:14 - Software Distribution Service 3.0
RP1903: 15/11/2013 13:17:21 - System Checkpoint
RP1904: 16/11/2013 14:10:28 - System Checkpoint
RP1905: 17/11/2013 14:15:25 - System Checkpoint
RP1906: 18/11/2013 14:47:06 - System Checkpoint
RP1907: 21/11/2013 21:21:26 - System Checkpoint
RP1908: 22/11/2013 22:27:59 - System Checkpoint
RP1909: 23/11/2013 23:20:29 - System Checkpoint
RP1910: 25/11/2013 11:40:37 - System Checkpoint
RP1911: 29/11/2013 14:24:43 - System Checkpoint
RP1912: 30/11/2013 14:37:32 - System Checkpoint
RP1913: 01/12/2013 15:45:18 - System Checkpoint
RP1914: 02/12/2013 17:10:23 - System Checkpoint
RP1915: 03/12/2013 19:04:14 - System Checkpoint
RP1916: 05/12/2013 21:01:49 - System Checkpoint
RP1917: 06/12/2013 21:02:52 - System Checkpoint
RP1918: 09/12/2013 18:07:33 - System Checkpoint
RP1919: 13/12/2013 16:35:16 - System Checkpoint
RP1920: 14/12/2013 03:00:26 - Software Distribution Service 3.0
RP1921: 15/12/2013 03:43:20 - System Checkpoint
RP1922: 16/12/2013 04:43:20 - System Checkpoint
RP1923: 17/12/2013 07:28:32 - Installed Rapport
RP1924: 20/12/2013 17:13:00 - System Checkpoint
RP1925: 21/12/2013 18:05:17 - System Checkpoint
RP1926: 22/12/2013 18:38:38 - System Checkpoint
RP1927: 04/01/2014 17:00:40 - System Checkpoint
RP1928: 06/01/2014 14:51:44 - Norton_Power_Eraser_20140106145129687
RP1929: 06/01/2014 15:52:05 - Software Distribution Service 3.0
RP1930: 06/01/2014 22:07:51 - Software Distribution Service 3.0
RP1931: 08/01/2014 18:46:03 - System Checkpoint
RP1932: 09/01/2014 19:10:33 - System Checkpoint
.
==== Installed Programs ======================
.
Active Disk
Adobe Acrobat 4.0, 5.0
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Photoshop 5.0 Limited Edition
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
AOL Coach Version 1.0(Build:20040229.1 uk)
AOL Toolbar
AOL Uninstaller (Choose which Products to Remove)
AOL You've Got Pictures Screensaver
ArcSoft Panorama Maker 3.0
BCM V.92 56K Modem
Belkin Flash Media Reader-Writer
Canon Camera Access Library
Canon CanoScan Toolbox 4.1
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon iP4200
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon Setup Utility 2.0
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC 8
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
Canon Utilities Movie Uploader for YouTube
Canon Utilities MyCamera
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CanoScan LiDE20,30 Manual
CD-LabelPrint
Classic PhoneTools
Dell Modem-On-Hold
Dell Picture Studio - Dell Image Expert
Dell Solution Center
DellTouch
Digital Line Detect
DivXCodecPack
DVDSentry
Easy-WebPrint
Easy CD Creator 5 Basic
FotoStation 4.0 (4.0.85)
Google Earth
Help and Support Customization
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB959765)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB981793)
Intel® PRO Ethernet Adapter and Software
Intel® PROSet II
IomegaWare 4.0.2
KAZ (Keyboarding A-Z) Version 16
Kaz Guardian Angel 2.1
Learn2 Player (Uninstall Only)
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
MediaFACE 4.0
MediaFACE 4.0 Business Image Library
MediaFACE 4.0 General Image Library
MediaFACE 4.0 Lifestyle Image Library
MediaFACE 4.0 Music Image Library
MediaFACE 4.0 Special Occasion Image Library
MediaFACE 4.0 Spiritual Image Library
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Download Manager
Microsoft Interactive Training
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional
Microsoft Office XP Media Content
Microsoft Office XP Small Business
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Modem Helper
MSXML 6 Service Pack 2 (KB973686)
Nero 7 Premium
Nikon View Ver.3
Norton Bootable Recovery Tool Wizard
Norton Internet Security
Norton Management
Norton WMI Update
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
OmniPage SE
OpticFilm 7400
Paint Shop Pro 7
Pdf995
PdfEdit995
PowerDVD
Presto! ImageFolio 4
Presto! PageManager 7.10
QuickTime
Rapport
RealPlayer Basic
Roxio VideoWave Movie Creator
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2861697)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2861188)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft .NET Framework 4 Extended (KB2858302v2)
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2898785)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB2834904-v2)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219-v2)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135-v2)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2813345)
Security Update for Windows XP (KB2820917)
Security Update for Windows XP (KB2834886)
Security Update for Windows XP (KB2845187)
Security Update for Windows XP (KB2847311)
Security Update for Windows XP (KB2850869)
Security Update for Windows XP (KB2859537)
Security Update for Windows XP (KB2862152)
Security Update for Windows XP (KB2862330)
Security Update for Windows XP (KB2862335)
Security Update for Windows XP (KB2864063)
Security Update for Windows XP (KB2868038)
Security Update for Windows XP (KB2868626)
Security Update for Windows XP (KB2876217)
Security Update for Windows XP (KB2876331)
Security Update for Windows XP (KB2892075)
Security Update for Windows XP (KB2893294)
Security Update for Windows XP (KB2893984)
Security Update for Windows XP (KB2898715)
Security Update for Windows XP (KB2900986)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Serif DrawPlus 3.0
Signature995
SilverFast UScan-SE 6.6.0r6
Symantec Network Driver Update
Tiscali 10.0
Trusteer Endpoint Protection
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2749655)
Update for Windows XP (KB2904266)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual Studio C++ 10.0 Runtime
WD SmartWare
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinZip
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
06/01/2014 18:52:19, error: PlugPlayManager [11]  - The device Root\LEGACY_SMR410\0000 disappeared from the system without first being prepared for removal.
06/01/2014 18:49:01, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
06/01/2014 18:48:19, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  ppa3
06/01/2014 18:48:19, error: Service Control Manager [7022]  - The Automatic Updates service hung on starting.
06/01/2014 18:46:09, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the WD File Management Engine service to connect.
06/01/2014 18:46:09, error: Service Control Manager [7000]  - The WD File Management Engine service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
06/01/2014 18:46:09, error: Service Control Manager [7000]  - The AOL Spyware Protection Service service failed to start due to the following error:  The system cannot find the file specified.
06/01/2014 17:11:00, error: Service Control Manager [7034]  - The Iomega App Services service terminated unexpectedly.  It has done this 1 time(s).
06/01/2014 17:11:00, error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  This operation returned because the timeout period expired.
06/01/2014 17:11:00, error: Service Control Manager [7003]  - The Windows Firewall/Internet Connection Sharing (ICS) service depends on the following nonexistent service: WinMgmt
06/01/2014 17:11:00, error: Service Control Manager [7003]  - The Security Center service depends on the following nonexistent service: WinMgmt
05/01/2014 22:15:11, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
05/01/2014 22:02:48, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
05/01/2014 11:56:15, error: DCOM [10005]  - DCOM got error "%3" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
.
==== End Of File ===========================

My AOL application complains that Viewpoint is missing but continues to do what I need.

When I login I still get the RUNDLL error message, which is referring to a file that Norton Internet Security removed when I was able to do a full system scan after the Ransomware hit me.

Finally, there is a folder listed in the DDS scan, c:\documents and settings\all users\application data\Temp(Virus), where I have put 3 files whose presence I could not explain (they were residing one level up in the folder structure). They are named:

wlf9mq4r.fee (97 MB in size), wlf9mq4r.odd (0 kb) and wlfmq4r.reg

The contents of the latter are:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\Parameters]
"ServiceDll"=hex(2):43,00,3A,00,5C,00,44,00,4F,00,43,00,55,00,4D,00,45,00,7E,00,31,00,5C,00,41,00,4C,00,4C,00,55,00,53,00,45,00,7E,00,31,00,5C,00,41,00,50,00,50,00,4C,00,49,00,43,00,7E,00,31,00,5C,00,72,00,34,00,71,00,6D,00,39,00,66,00,6C,00,77,00,2E,00,6A,00,73,00,73,00,00,00,00

The reg file appears to have been created on the day I got hit by the Ransomware virus. The other 2 are dated on the day I got round the Ransomware by booting in safe mode, updating my virus definitions and running a full scan using Norton anti-virus, which appeared to clear the ransomware trojan.

So whilst I appear to be "clean" I am concerned about the RUNDLL error that may be being invoked by a registry entry that the ransomware put there.

Can you help me further?

Lenny11

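The hex(2) value in the .reg file above is a REG_EXPAND_SZ stored as a comma-separated list of UTF-16LE bytes; decoded, it is a path under All Users\Application Data rather than the WMI service DLL, which is consistent with the Event Viewer entries above reporting WinMgmt as a nonexistent service. The following Python is an added example, not code from this thread, from BleepingComputer or from any tool mentioned here. It decodes hex(2) values from a .reg export and compares the Winmgmt ServiceDll against the stock Windows XP value, which is assumed here to be %SystemRoot%\system32\wbem\WMIsvc.dll; the .reg text is the one quoted in the post, embedded so the script runs offline.

```python
import re

# The .reg text quoted in the post above, embedded here so the example runs offline.
# The ServiceDll value is the page's own; nothing has been added to it.
RECOVERED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\Parameters]
"ServiceDll"=hex(2):43,00,3A,00,5C,00,44,00,4F,00,43,00,55,00,4D,00,45,00,7E,00,31,00,5C,00,41,00,4C,00,4C,00,55,00,53,00,45,00,7E,00,31,00,5C,00,41,00,50,00,50,00,4C,00,49,00,43,00,7E,00,31,00,5C,00,72,00,34,00,71,00,6D,00,39,00,66,00,6C,00,77,00,2E,00,6A,00,73,00,73,00,00,00,00
'''

# Assumed stock ServiceDll values for svchost-hosted services on Windows XP; extend as needed.
EXPECTED_SERVICE_DLL = {
    "winmgmt": r"%SystemRoot%\system32\wbem\WMIsvc.dll",
}

KEY_LINE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
HEX_VALUE = re.compile(r'^"(?P<name>[^"]+)"=hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<data>.*)$')


def _join_continuations(text: str) -> str:
    """Regedit wraps long hex values with a trailing backslash; rejoin them before parsing."""
    return re.sub(r'\\\r?\n\s*', '', text)


def decode_hex2(data: str) -> str:
    """Turn the byte list of a hex(2) (REG_EXPAND_SZ) value into the string it holds.

    The data is UTF-16LE and NUL-terminated.  The value quoted in the thread carries an
    odd trailing byte, so a dangling byte is dropped instead of aborting the decode.
    """
    raw = bytes(int(b, 16) for b in data.replace(' ', '').strip(',').split(',') if b)
    if len(raw) % 2:
        raw = raw[:-1]
    return raw.decode('utf-16-le').split('\x00', 1)[0]


def parse_reg(text: str) -> dict:
    """Return {(key, value_name): decoded_string} for every hex(2) value in a .reg export."""
    values = {}
    key = None
    for line in _join_continuations(text).splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group('key')
            continue
        m = HEX_VALUE.match(line)
        if m and key and (m.group('type') or '').lower() == '2':
            values[(key, m.group('name'))] = decode_hex2(m.group('data'))
    return values


def service_dll_findings(text: str) -> list:
    """Compare each ServiceDll in the .reg text with the stock DLL for that service.

    Returns (service, decoded_path, status) tuples; status is 'matches expected',
    'HIJACKED: expected <path>' or 'unknown service'.
    """
    findings = []
    for (key, name), path in parse_reg(text).items():
        if name.lower() != 'servicedll':
            continue
        m = re.search(r'\\services\\([^\\]+)\\Parameters$', key, re.IGNORECASE)
        if not m:
            continue
        service = m.group(1).lower()
        expected = EXPECTED_SERVICE_DLL.get(service)
        if expected is None:
            status = 'unknown service'
        elif path.lower() == expected.lower():
            status = 'matches expected'
        else:
            status = 'HIJACKED: expected ' + expected
        findings.append((service, path, status))
    return findings


if __name__ == '__main__':
    for service, path, status in service_dll_findings(RECOVERED_REG):
        print(f'{service}: ServiceDll -> {path}  [{status}]')
```

The decoded path uses 8.3 short names (DOCUME~1, ALLUSE~1, APPLIC~1), so it is the same location as the long "All Users\Application Data" folder the post describes, and the file name it points at is the one the ComboFix log later in this thread shows rundll32 loading from the Startup folder.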
#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,735 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 January 2014 - 01:45 PM

We should be able to look after the issues with this tool.

Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
[image: RcAuto1.gif]
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[image: whatnext.png]
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

#6 lenny11

lenny11
  • Topic Starter

  • Members
  • 10 posts
  • Gender:Male
  • Location:UK

Posted 13 January 2014 - 06:09 AM

Ran ComboFix but the PC blue screened before completion.

I already have Recovery Console installed so Combofix went straight into the scan. After around 10 minutes the log indicated that a resume point had been created and several stages were complete (I think 4) but then I left it, came back 30 minutes later to find the blue screen.

PC boots up OK and I still get the RUNDLL error when I login.  There is now a "shadow" folder structure on the C: drive under a folder called ComboFix (Icon is a PC not the usual folder) and a new folder called Qoobox on the C: drive.  Is it safe for me to run ComboFix again?

I disabled the virus scanning software but there may have been anti-spyware software running, I will ensure that this is not running next time. Also, I have an external hard drive (WD) and software running that catalogues new files to be backed up, I will stop that before using ComboFix again.  Anything else I should be wary of?



#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,735 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 January 2014 - 10:09 AM

Navigate to the Startup folder and delete the .lnk file in bold.
StartupFolder: c:\docume~1\cdas\startm~1\programs\startup\wlf9mq4r.lnk - c:\windows\system32\rundll32.exe

Restart the computer normally.

Run ComboFix one more time and post the log if you can.
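The shortcut nasdaq points at is the persistence mechanism: a Startup-folder .lnk that launches rundll32.exe, which in turn loads a module from a user-writable folder. As an added example (not nasdaq's instructions and not logic from ComboFix or DDS), the Python below parses startup-folder lines in the two log formats seen in this thread and flags rundll32 launchers whose module argument is missing, lacks a .dll extension, or lives outside the Windows system directory; the system path c:\windows\system32 is assumed, and the sample lines are constructed, two of them copied from this thread's logs.

```python
import re

# Constructed sample lines in the two formats seen in this thread: the DDS "StartupFolder:"
# line and ComboFix's startup-folder listing.  The two rundll32 entries reproduce what the
# thread's logs show; the last two lines are made up to exercise the benign path.
SAMPLE_AUTOSTARTS = [
    r"StartupFolder: c:\docume~1\cdas\startm~1\programs\startup\wlf9mq4r.lnk - c:\windows\system32\rundll32.exe",
    r"wlf9mq4r.lnk - c:\windows\SYSTEM32\rundll32.exe c:\docume~1\ALLUSE~1\APPLIC~1\r4qm9flw.jss,GGF0 [2002-8-29 33280]",
    r"Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-1-9 45056]",
    r"NvStartup.lnk - c:\windows\system32\rundll32.exe c:\windows\system32\nvcpl.dll,NvStartup [2003-10-06 5058560]",
]

# Assumed system directories for a default C: install; adjust for other layouts.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# "<lnk> - <command> [<date> <size>]", optionally prefixed with "StartupFolder:" (DDS style)
ENTRY = re.compile(
    r'^(?:StartupFolder:\s*)?(?P<lnk>.+?\.lnk)\s+-\s+(?P<cmd>.+?)(?:\s+\[[^\]]*\])?$',
    re.IGNORECASE,
)
# first ".exe" ends the launcher; whatever follows is its argument string
LAUNCHER = re.compile(r'^(?P<exe>.+?\.exe)\s*(?P<args>.*)$', re.IGNORECASE)


def parse_autostart(line: str):
    """Split one log line into (lnk, executable, argument string), or None if not an entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    launcher = LAUNCHER.match(m.group('cmd'))
    if not launcher:
        return None
    return m.group('lnk'), launcher.group('exe'), launcher.group('args').strip()


def triage_rundll32(line: str):
    """Return (lnk, verdict, reasons) for a startup entry; verdict is 'ok' or 'suspicious'."""
    parsed = parse_autostart(line)
    if parsed is None:
        return None
    lnk, exe, args = parsed
    if not exe.lower().endswith(r'\rundll32.exe'):
        return lnk, 'ok', []          # not a rundll32 launcher; outside this check's scope
    reasons = []
    if not args:
        reasons.append('rundll32 with no visible module argument; inspect the .lnk target')
    else:
        # rundll32 syntax is "<module>,<entrypoint>"; only the module path matters here
        module = args.split(',', 1)[0].strip().strip('"')
        if not module.lower().endswith('.dll'):
            reasons.append('module lacks a .dll extension: ' + module)
        if not module.lower().startswith(SYSTEM_DIRS):
            reasons.append('module lives outside the Windows system directory: ' + module)
        if '~' in module:
            reasons.append('8.3 short-name path; resolve it to the long name before judging')
    return lnk, ('suspicious' if reasons else 'ok'), reasons


def triage_all(lines):
    """Triage every parseable startup entry in an iterable of log lines."""
    return [r for r in (triage_rundll32(l) for l in lines) if r is not None]


if __name__ == '__main__':
    for lnk, verdict, reasons in triage_all(SAMPLE_AUTOSTARTS):
        print(f'{verdict:10} {lnk}')
        for reason in reasons:
            print('           - ' + reason)
```

The DDS line shows only the launcher, so it is flagged for inspection rather than judged; the ComboFix line exposes the argument and trips all three checks. The point for a defender is that rundll32.exe itself is a legitimate system binary, so the module it is told to load, not the launcher, is what has to be reviewed.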

#8 lenny11

lenny11
  • Topic Starter

  • Members
  • 10 posts
  • Gender:Male
  • Location:UK

Posted 13 January 2014 - 12:38 PM

Successfully ran ComboFix.  Log contains:

ComboFix 14-01-12.01 - cdas 13/01/2014  16:34:45.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.449 [GMT 0:00]
Running from: c:\documents and settings\cdas\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\DirectCDUserNameE.txt
c:\documents and settings\All Users\Start Menu\Programs\Startup\Kazga.exe.lnk
c:\documents and settings\cdas\Recent\DEWPITCHMASTIC.url
c:\documents and settings\cdas\Recent\DfESGo4ItNow.Graduates!Earn£150perweekasyoulearn.url
c:\documents and settings\cdas\Recent\ruitmentofTeachersandreturningteachers.Careersinteaching.url
c:\documents and settings\Guest\Application Data\alot
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\rnaph.dll
c:\windows\system32\SETA4.tmp
c:\windows\system32\SETA9.tmp
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2013-12-13 to 2014-01-13  )))))))))))))))))))))))))))))))
.
.
2014-01-11 15:58 . 2014-01-11 15:58 -------- d-----w- c:\windows\ERUNT
2014-01-11 15:34 . 2014-01-11 15:36 -------- d-----w- C:\AdwCleaner
2014-01-07 22:25 . 2014-01-08 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Temp(Virus)
2014-01-07 20:33 . 2014-01-07 20:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\AOL
2014-01-06 21:03 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2014-01-06 21:01 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2014-01-06 20:58 . 2013-10-29 07:57 522240 ------w- c:\windows\system32\dllcache\jsdbgui.dll
2014-01-06 20:57 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2014-01-06 20:56 . 2013-07-03 02:12 25088 ------w- c:\windows\system32\dllcache\hidparse.sys
2014-01-06 20:56 . 2013-07-03 01:59 14976 ------w- c:\windows\system32\dllcache\usbscan.sys
2014-01-06 20:52 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
2014-01-06 20:50 . 2013-02-12 00:32 12928 ------w- c:\windows\system32\dllcache\usb8023x.sys
2014-01-06 20:50 . 2013-02-12 00:32 12928 ------w- c:\windows\system32\dllcache\usb8023.sys
2014-01-06 20:50 . 2013-07-17 00:58 123008 ------w- c:\windows\system32\dllcache\usbvideo.sys
2014-01-06 20:50 . 2013-07-17 00:58 46848 ------w- c:\windows\system32\dllcache\irbus.sys
2014-01-06 20:50 . 2013-07-17 00:58 60160 ------w- c:\windows\system32\dllcache\usbaudio.sys
2014-01-06 20:31 . 2012-05-28 18:16 536576 ------w- c:\windows\system32\dllcache\msado15.dll
2014-01-06 20:29 . 2012-07-04 14:05 139784 ------w- c:\windows\system32\dllcache\rdpwd.sys
2014-01-06 20:29 . 2009-03-18 11:02 30336 ------w- c:\windows\system32\dllcache\usbehci.sys
2014-01-06 20:29 . 2013-08-09 00:55 144128 ------w- c:\windows\system32\dllcache\usbport.sys
2014-01-06 20:29 . 2013-08-09 00:55 32384 ------w- c:\windows\system32\dllcache\usbccgp.sys
2014-01-06 20:23 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2014-01-06 20:23 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2014-01-06 20:23 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2014-01-06 20:18 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2014-01-06 17:06 . 2014-01-06 17:06 -------- d-----w- c:\windows\system32\scripting
2014-01-06 17:06 . 2014-01-06 17:06 -------- d-----w- c:\windows\l2schemas
2014-01-06 17:06 . 2014-01-06 17:06 -------- d-----w- c:\windows\system32\en
2014-01-06 13:18 . 2014-01-06 15:07 -------- d-----w- c:\documents and settings\cdas\Local Settings\Application Data\NPE
2014-01-05 22:57 . 2014-01-06 13:32 -------- d-----w- c:\windows\system32\drivers\MCLIENT
2014-01-05 22:57 . 2014-01-05 22:57 -------- d-----w- c:\program files\Norton Management
2014-01-05 22:14 . 2012-07-26 05:32 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2014-01-05 22:14 . 2012-07-26 05:32 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2014-01-05 22:13 . 2014-01-05 22:13 -------- d-----w- c:\windows\system32\drivers\NBRTWizard
2014-01-05 22:13 . 2014-01-05 22:13 -------- d-----w- c:\program files\Norton Bootable Recovery Tool Wizard
2014-01-05 18:23 . 2014-01-05 18:23 -------- d-----w- C:\FRST
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-13 02:59 . 2002-08-29 05:00 150528 ----a-w- c:\windows\system32\imagehlp.dll
2013-11-07 05:38 . 2004-04-20 15:59 591360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-11-06 01:03 . 2009-09-02 08:09 7168 ----a-w- c:\windows\system32\xpsp4res.dll
2013-10-30 02:26 . 2002-08-29 05:00 1879040 ----a-w- c:\windows\system32\win32k.sys
2013-10-29 07:57 . 2004-12-07 16:37 920064 ----a-w- c:\windows\system32\wininet.dll
2013-10-29 07:57 . 2002-08-29 05:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-10-29 07:57 . 2002-08-29 05:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-10-29 07:57 . 2002-08-29 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-10-29 00:45 . 2005-03-21 15:10 385024 ----a-w- c:\windows\system32\html.iec
2013-10-25 02:34 . 2013-10-25 02:34 108816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2013-10-23 23:45 . 2002-08-29 05:00 172032 ----a-w- c:\windows\system32\scrrun.dll
2013-10-17 17:18 . 2012-04-01 15:45 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-17 17:18 . 2011-06-10 16:04 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2006-02-01 98304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"DellTouch"="c:\windows\MMKeybd.exe" [2001-09-05 163840]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 49152]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe" [2002-09-17 53248]
"EVENTLISTENER"="c:\program files\Common Files\FotoNation\EvLstnr.exe" [2000-06-20 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2003-12-20 26112]
"nwiz"="nwiz.exe" [2003-10-06 741376]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2013-01-31 71216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-11 98304]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"HostManager"="c:\program files\Common Files\AOL\1159533519\ee\AOLSoftware.exe" [2010-03-08 41800]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"Symantec Network Driver Update Warning"="c:\progra~1\Symantec\LIVEUP~1\SNDWarn.EXE" [2004-04-30 91256]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="c:\windows\System32\msiexec.exe" [2008-04-14 78848]
.
c:\documents and settings\Guest\Start Menu\Programs\Startup\
wlf9mq4r.lnk - c:\windows\SYSTEM32\rundll32.exe c:\docume~1\ALLUSE~1\APPLIC~1\r4qm9flw.jss,GGF0 [2002-8-29 33280]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-1-9 45056]
Microsoft Office Fast Start.lnk - c:\msoffice\Office\FASTBOOT.EXE [1996-3-20 14848]
QuickScan (OpticFilm 7400).lnk - c:\program files\Plustek\OpticFilm 7400\QuickScan.exe [2009-11-15 339968]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2011-3-9 3986944]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2003-7-19 106560]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\1159533519\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.0a\\waol.exe"=
"c:\\Program Files\\AOL Desktop 9.7\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\1159533519\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\AOL Desktop 9.7\\AOLBrowser\\aolbrowser.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R0 RapportKELL;RapportKELL;c:\windows\SYSTEM32\DRIVERS\RapportKELL.sys [25/10/2013 02:34 108816]
R0 SymDS;Symantec Data Store;c:\windows\SYSTEM32\DRIVERS\NIS\1404000.028\symds.sys [12/06/2013 19:38 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\NIS\1404000.028\symefa.sys [12/06/2013 19:38 934488]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.0.36\Definitions\BASHDefs\20131218.001\BHDrvx86.sys [18/12/2013 00:32 1098968]
R1 ccSet_MCLIENT;Norton Management Settings Manager;c:\windows\SYSTEM32\DRIVERS\MCLIENT\0302020.00C\ccsetx86.sys [06/01/2014 12:42 134304]
R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\SYSTEM32\DRIVERS\NIS\1404000.028\ccsetx86.sys [12/06/2013 19:37 134744]
R1 RapportCerberus_59849;RapportCerberus_59849;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_59849.sys [17/12/2013 07:34 340432]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [25/10/2013 02:34 157264]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [25/10/2013 02:34 230448]
R1 stltrack;stltrack;c:\windows\SYSTEM32\DRIVERS\STLTRACK.SYS [01/06/2003 15:27 13536]
R1 SymIRON;Symantec Iron Driver;c:\windows\SYSTEM32\DRIVERS\NIS\1404000.028\ironx86.sys [12/06/2013 19:37 175264]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [23/11/2013 17:37 108120]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.0.36\Definitions\IPSDefs\20140110.001\IDSXpx86.sys [11/01/2014 14:58 382608]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [06/05/2008 15:06 11520]
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 17:18]
.
2003-01-14 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]
.
2014-01-13 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-12-29 22:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.co.uk
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
Trusted Zone: royalmail.com\www
Trusted Zone: royalmail.org\www
Trusted Zone: ukrpts.net\royalmail
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-NWEReboot - (no file)
AddRemove-AOL Toolbar - c:\program files\AOL Toolbar\UNWISE.EXE
AddRemove-SilverFast UScan-SE - c:\program files\SilverFast Application\SilverFast UScan-SE\uninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-01-13 16:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MCLIENT]
"ImagePath"="\"c:\program files\Norton Management\Engine\3.2.2.12\ccSvcHst.exe\" /s \"MCLIENT\" /m \"c:\program files\Norton Management\Engine\3.2.2.12\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\20.4.0.40\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2014-01-13  17:06:35
ComboFix-quarantined-files.txt  2014-01-13 17:06
.
Pre-Run: 13,112,324,096 bytes free
Post-Run: 14,358,720,512 bytes free
.
- - End Of File - - FAB97B73407F852EDC5346093D67A0BF
8F558EB6672622401DA993E1E865C861
 
I've done a restart on the PC and it has booted up OK.
 
Deleting the link has stopped the RUNDLL error.
 
Folder structure looks OK.  C:\Qoobox contains a file called ComboFix-quarantined-files.txt and another called Add-Remove Programs.txt.  I assume I should hang on to C:\Qoobox for now.
 
Am I safe yet?


#9 nasdaq

  • Malware Response Team
  • 40,735 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 January 2014 - 08:41 AM

There is also a wlf9mq4r.lnk file in the
c:\documents and settings\Guest\Start Menu\Programs\Startup\
wlf9mq4r.lnk - c:\windows\SYSTEM32\rundll32.exe c:\docume~1\ALLUSE~1\APPLIC~1\r4qm9flw.jss,GGF0

Delete it.

Delete this file in bold.
c:\docume~1\ALLUSE~1\APPLIC~1\r4qm9flw.jss

Restart the computer normally.
---

Folder structure looks OK. C:\Qoobox contains a file called ComboFix-quarantined-files.txt and another called Add-Remove Programs.txt. I assume I should hang on to C:\Qoobox for now.

Will do the clean-up when all is well.

One more scan.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===
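A small triage pass over the Startup-folder lines from the ComboFix log above, as an added example (not part of the thread, and not ComboFix's own logic): it flags the rundll32 entry the helper singled out because the module has a non-.dll extension, sits under Application Data and carries a random-looking name, while the legitimate entries come back clean. The "random-looking name" heuristic (eight characters mixing letters and digits) is my assumption, not a rule from the page.

```python
import os
import re

# Startup-folder entries in the format ComboFix prints them, copied from the log above
# (the first one is the entry the helper told the poster to delete).
# Format: "<shortcut>.lnk - <command line> [<date> <size>]"
SAMPLE_ENTRIES = [
    r"wlf9mq4r.lnk - c:\windows\SYSTEM32\rundll32.exe c:\docume~1\ALLUSE~1\APPLIC~1\r4qm9flw.jss,GGF0 [2002-8-29 33280]",
    r"Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-1-9 45056]",
    r"Microsoft Office Fast Start.lnk - c:\msoffice\Office\FASTBOOT.EXE [1996-3-20 14848]",
    r"WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2003-7-19 106560]",
]

ENTRY_RE = re.compile(r"^(?P<name>.+?\.lnk) - (?P<cmd>.+?)(?: \[[^\]]*\])?$", re.IGNORECASE)
# rundll32 <module>,<export>: the module path is everything before the last comma
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<module>.+),(?P<export>[^,\s]+)$", re.IGNORECASE)
# Assumed heuristic: an 8-character stem mixing letters and digits, like wlf9mq4r / r4qm9flw
RANDOM_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z\d]{8}$", re.IGNORECASE)


def flag_startup_entry(line):
    """Return the reasons an entry deserves a closer look (empty list = nothing odd)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return ["unparsed line"]
    reasons = []
    shortcut_stem = m.group("name")[:-len(".lnk")]
    if RANDOM_RE.match(shortcut_stem):
        reasons.append("random-looking shortcut name")
    r = RUNDLL_RE.search(m.group("cmd"))
    if r:
        module = r.group("module").strip()
        # Backslashes are not separators on POSIX, so normalise before splitting the name
        stem, ext = os.path.splitext(os.path.basename(module.replace("\\", "/")))
        if ext.lower() != ".dll":
            reasons.append(f"rundll32 loads a module with extension {ext or '(none)'}")
        if "applic~1" in module.lower() or "application data" in module.lower():
            reasons.append("rundll32 module lives under Application Data")
        if RANDOM_RE.match(stem):
            reasons.append("random-looking module name")
    return reasons


def triage(entries):
    """Map each flagged shortcut name to its reasons; clean entries are omitted."""
    out = {}
    for line in entries:
        reasons = flag_startup_entry(line)
        if reasons:
            out[line.split(" - ", 1)[0]] = reasons
    return out


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ENTRIES).items():
        print(name, "->", "; ".join(reasons))
```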

#10 lenny11

  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male
  • Location:UK

Posted 14 January 2014 - 03:18 PM

Link file deleted.  .jss file was removed earlier by anti-virus software when I booted in safe mode.

 

I have run SecurityCheck and checkup.txt contains:

 

 Results of screen317's Security Check version 0.99.78 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled! 
Please wait while WMIC is being installed.
displayName
ECHO is off.
Norton
ECHO is off.
Internet
ECHO is off.
Security
ECHO is off.
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 Adobe Reader 8 Adobe Reader out of Date!
 Adobe Reader XI (KB403742..)
````````Process Check: objlist.exe by Laurent```````` 
 Norton ccSvcHst.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 6%
````````````````````End of Log``````````````````````
 



#11 nasdaq

  • Malware Response Team
  • 40,735 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 January 2014 - 08:46 AM

Remove this old version of Adobe Reader 8 using the Add/Remove Programs.

===



If all is well:

Time for some housekeeping
  • The following will implement some cleanup procedures as well as reset System Restore points:
  • Click Start > Run and copy/paste the following bold text into the Run box and click OK:
  • ComboFix /Uninstall
===


Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

Having an effective antivirus is a must for everyone.
In addition to many excellent commercial products there are plenty of good free antivirus programs available. I can recommend:

If you are satisfied with your current protection programs you can ignore the instructions on Antivirus or Firewall listed below.

In addition to an antivirus I recommend using a firewall. A software firewall is a software program that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet. I can recommend one of the following free products:

Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time not malicious, you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Malwarebytes Anti-Malware (MBAM)
The free version of MBAM can be used to scan the system for traces of malware. Scanning your system regularly will make it harder for malware to reside on your system.
A tutorial on using MBAM can be found here.
Please Note: Only the paid for version has real time capabilities.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different from the older kind of rogues mentioned above.

Please keep your programs up to date. This applies to Java, Adobe Flashplayer, Adobe Reader and your Internet Browsers in particular. Vulnerabilities in these programs are often exploited in order to install malware on your PC. Visiting a prepared web page suffices to infect your system.

In general Firefox, Opera and Google Chrome are considered to be more secure than Internet Explorer. In addition there are many useful add-ons that can protect you from possible risks:
  • WOT will warn you when you try to visit sites with poor reputation. The reputation is based on user ratings and is usually very accurate.
  • A script blocker can help block many attempts to infect your system via malicious websites by only allowing scripts at sites you trust.
  • NoScript is a popular Firefox addon;
  • ScriptNo is a popular Google Chrome addon.
For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place?

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.
===

#12 lenny11

  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male
  • Location:UK

Posted 18 January 2014 - 09:51 AM

Many thanks for your assistance.



#13 nasdaq

  • Malware Response Team
  • 40,735 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 January 2014 - 11:02 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



