wuauclt.exe infection?

This topic is locked

#1
gwtwins - Member, 90 posts
I believe my mother's machine is infected again? I have noticed wuauclt.exe running in the background taking up 99% of the CPU resources. She can't get out to the Internet for browsing or even receive her email. I am not a computer novice, but I am having a heck of a time getting this machine to run the tools in the malware removal guide. It's taken me almost 12 hours to run Malwarebytes, CA Antivirus scan, ERUNT, GMER and now OTL. As a matter of fact I cannot even get OTL to run. It's been running for about 30 minutes now.

Her machine is by no means new. It's a Celeron 1.6 GHz with 512MB of RAM running Windows XP Pro SP3. It has all the updates. Below are some of the required logs. Can somebody take a look and advise me please? Thanks!

GMER 1.0.15.15477 - http://www.gmer.net
Rootkit quick scan 2010-10-24 14:09:52
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Fern\LOCALS~1\Temp\kwnyyfog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs VET-REC.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
AttachedDevice \FileSystem\Fastfat \Fat VET-REC.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
AttachedDevice \Driver\Tcpip \Device\Ip netlimiter.sys
AttachedDevice \Driver\Tcpip \Device\Ip netlock.sys (OSA Network Driver Driver/OSA Technologies, An Avocent Company)
AttachedDevice \Driver\Tcpip \Device\Tcp netlimiter.sys
AttachedDevice \Driver\Tcpip \Device\Tcp netlock.sys (OSA Network Driver Driver/OSA Technologies, An Avocent Company)
AttachedDevice \Driver\Tcpip \Device\Udp netlimiter.sys
AttachedDevice \Driver\Tcpip \Device\Udp netlock.sys (OSA Network Driver Driver/OSA Technologies, An Avocent Company)
AttachedDevice \Driver\Tcpip \Device\RawIp netlimiter.sys
AttachedDevice \Driver\Tcpip \Device\RawIp netlock.sys (OSA Network Driver Driver/OSA Technologies, An Avocent Company)

---- EOF - GMER 1.0.15 ----

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4929

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/23/2010 5:56:26 PM
mbam-log-2010-10-23 (17-56-26).txt

Scan type: Quick scan
Objects scanned: 157989
Time elapsed: 1 hour(s), 14 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#2
gwtwins - Topic Starter, Member, 90 posts
Anybody had a chance to review this yet?

#3
gwtwins - Topic Starter, Member, 90 posts
There have been 36 views of this post. Doesn't anybody have a suggestion for this infection? I was able to finally get an OTL log. Here it is... the GMER log and MBAM log are in the first post:

OTL logfile created on: 10/24/2010 2:31:00 PM - Run 2
OTL by OldTimer - Version 3.2.17.1 Folder = C:\Documents and Settings\Fern\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.00 Mb Total Physical Memory | 125.00 Mb Available Physical Memory | 28.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 61.05 Gb Free Space | 81.92% Space Free | Partition Type: NTFS
Drive E: | 980.72 Mb Total Space | 747.95 Mb Free Space | 76.27% Space Free | Partition Type: FAT

Computer Name: ACER-E355056E8B | User Name: Fern | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/10/24 13:44:50 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Fern\Desktop\OTL.exe
PRC - [2010/06/04 13:23:42 | 000,238,928 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
PRC - [2010/06/04 13:23:42 | 000,226,640 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
PRC - [2010/05/01 15:09:21 | 000,214,256 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
PRC - [2010/05/01 15:09:21 | 000,177,392 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
PRC - [2010/05/01 15:08:38 | 000,014,088 | ---- | M] (CA) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/20 13:27:26 | 000,144,960 | ---- | M] (Computer Associates International, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
PRC - [2007/08/16 21:10:16 | 000,189,704 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
PRC - [2007/08/16 21:10:14 | 000,218,376 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
PRC - [2007/01/17 20:31:44 | 000,074,520 | ---- | M] (OSA Technologies Inc., An Avocent Company) -- C:\Acer\LANScope Agent\awServ.exe
PRC - [2007/01/04 12:10:22 | 000,280,080 | ---- | M] (CA, Inc.) -- C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe


========== Modules (SafeList) ==========

MOD - [2010/10/24 13:44:50 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Fern\Desktop\OTL.exe
MOD - [2010/05/01 15:08:38 | 000,083,208 | ---- | M] (CA) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOEHook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2010/06/04 13:23:42 | 000,238,928 | ---- | M] (CA, Inc.) [Auto | Running] -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe -- (VETMSGNT)
SRV - [2010/05/01 15:09:21 | 000,214,256 | ---- | M] (CA, Inc.) [On_Demand | Running] -- C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe -- (CaCCProvSP)
SRV - [2010/01/15 08:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2009/02/20 09:46:52 | 000,030,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2007/08/20 13:27:26 | 000,144,960 | ---- | M] (Computer Associates International, Inc.) [Auto | Running] -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe -- (CAISafe)
SRV - [2007/08/16 21:10:16 | 000,189,704 | ---- | M] (CA, Inc.) [On_Demand | Running] -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe -- (PPCtlPriv)
SRV - [2007/01/17 20:31:44 | 000,074,520 | ---- | M] (OSA Technologies Inc., An Avocent Company) [Auto | Running] -- C:\Acer\LANScope Agent\awServ.exe -- (AWService)
SRV - [2007/01/04 12:10:22 | 000,280,080 | ---- | M] (CA, Inc.) [Auto | Running] -- C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe -- (ITMRTSVC)
SRV - [2005/11/14 05:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\psdvdisk.sys -- (psdvdisk)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\psdfilter.sys -- (psdfilter)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Fern\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/06/03 10:49:15 | 000,746,216 | ---- | M] (Computer Associates International, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\vetefile.sys -- (VETEFILE)
DRV - [2010/06/03 10:49:15 | 000,130,280 | ---- | M] (Computer Associates International, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\veteboot.sys -- (VETEBOOT)
DRV - [2010/05/01 15:09:20 | 000,032,240 | ---- | M] (Computer Associates International, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\vetmonnt.sys -- (VETMONNT)
DRV - [2010/05/01 15:09:20 | 000,026,352 | ---- | M] (Computer Associates International, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\vet-filt.sys -- (VET-FILT)
DRV - [2010/05/01 15:09:20 | 000,021,488 | ---- | M] (Computer Associates International, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\vetfddnt.sys -- (VETFDDNT)
DRV - [2010/05/01 15:09:20 | 000,021,104 | ---- | M] (Computer Associates International, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\vet-rec.sys -- (VET-REC)
DRV - [2010/04/15 15:59:24 | 000,004,736 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\o.sys -- (k)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/02/28 09:57:20 | 000,017,280 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
DRV - [2007/02/28 09:36:00 | 000,318,464 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2007/01/30 14:57:50 | 004,474,368 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/01/03 19:33:24 | 000,019,783 | ---- | M] (OSA Technologies) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\OsaFsLoc.sys -- (OsaFsLoc)
DRV - [2006/12/20 08:00:00 | 000,041,600 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SiSGbeXP.sys -- (SiSGbeXP)
DRV - [2006/12/11 15:12:56 | 000,007,680 | ---- | M] (OSA Technologies, An Avocent Company) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\NetLock.sys -- (netlock)
DRV - [2006/11/09 01:13:06 | 000,010,944 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\osanbm.sys -- (osanbm)
DRV - [2006/10/27 23:18:26 | 000,006,784 | ---- | M] (OSA Technologies, An Avocent Company) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\osaio.sys -- (osaio)
DRV - [2006/10/03 15:03:14 | 000,018,072 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\NetLimiter.sys -- (netlimiter)
DRV - [2006/08/28 06:30:04 | 000,013,952 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\UBHelper.sys -- (UBHelper)
DRV - [2006/01/02 03:03:26 | 000,006,144 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NTIDrvr.sys -- (NTIDrvr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "about:blank"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.1

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/14 12:22:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/14 12:22:22 | 000,000,000 | ---D | M]

[2010/05/01 16:39:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fern\Application Data\Mozilla\Extensions
[2010/09/07 18:22:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fern\Application Data\Mozilla\Firefox\Profiles\0pdqitlw.default\extensions
[2010/06/18 14:27:48 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Fern\Application Data\Mozilla\Firefox\Profiles\0pdqitlw.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/07/20 19:30:28 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Fern\Application Data\Mozilla\Firefox\Profiles\0pdqitlw.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/05/01 16:39:20 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2004/08/04 01:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [CAVRID] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe (CA, Inc.)
O4 - HKLM..\Run: [cctray] C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe (CA, Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [QOELOADER] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe (CA)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_20.dll (Sun Microsystems, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1253391220187 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Fern\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Fern\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/01/02 02:24:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/10/24 13:44:44 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Fern\Desktop\OTL.exe
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/10/24 14:01:42 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/10/24 13:58:26 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/10/24 13:58:22 | 469,291,008 | -HS- | M] () -- C:\hiberfil.sys
[2010/10/24 13:44:50 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Fern\Desktop\OTL.exe
[2010/10/19 16:00:08 | 000,294,912 | ---- | M] () -- C:\Documents and Settings\Fern\Desktop\gmer.exe
[2010/10/13 17:59:29 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/10/19 16:00:08 | 000,294,912 | ---- | C] () -- C:\Documents and Settings\Fern\Desktop\gmer.exe
[2010/10/16 19:32:48 | 469,291,008 | -HS- | C] () -- C:\hiberfil.sys
[2010/04/21 21:26:44 | 000,012,002 | -HS- | C] () -- C:\Documents and Settings\Fern\Local Settings\Application Data\2wUN2x572Urj
[2010/04/21 21:26:44 | 000,012,002 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\2wUN2x572Urj
[2010/04/18 18:59:12 | 000,014,050 | -HS- | C] () -- C:\Documents and Settings\Fern\Local Settings\Application Data\1LKwMuQ
[2010/04/18 18:59:12 | 000,014,050 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1LKwMuQ
[2010/04/18 14:29:09 | 000,015,468 | -HS- | C] () -- C:\Documents and Settings\Fern\Local Settings\Application Data\t62kNvy
[2010/04/18 12:56:47 | 000,015,468 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\t62kNvy
[2010/04/18 12:56:47 | 000,015,318 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\t62kNvy
[2010/04/15 15:59:24 | 000,004,736 | ---- | C] () -- C:\WINDOWS\System32\o.sys
[2010/04/13 20:22:04 | 000,012,354 | -HS- | C] () -- C:\Documents and Settings\Fern\Local Settings\Application Data\4ML87
[2010/04/13 20:22:04 | 000,012,180 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3976734565
[2010/04/13 17:26:28 | 000,012,354 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4ML87
[2010/04/13 17:26:28 | 000,012,176 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\4ML87
[2010/04/12 21:03:35 | 000,000,000 | -HS- | C] () -- C:\Documents and Settings\Fern\Local Settings\Application Data\o82Ak400MM24
[2010/04/12 17:11:29 | 000,014,406 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\o82Ak400MM24
[2010/04/12 17:11:29 | 000,014,406 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\o82Ak400MM24
[2010/04/12 15:17:37 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\327m1K.dat
[2009/12/25 16:02:09 | 000,005,120 | ---- | C] () -- C:\Documents and Settings\Fern\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/08/16 17:20:45 | 000,000,050 | ---- | C] () -- C:\WINDOWS\commercial.ini
[2008/08/16 17:14:47 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Fern\Local Settings\Application Data\fusioncache.dat
[2007/03/07 13:43:12 | 000,000,083 | ---- | C] () -- C:\WINDOWS\ALaunch.ini
[2006/10/03 15:03:14 | 000,018,072 | ---- | C] () -- C:\WINDOWS\System32\drivers\NetLimiter.sys
[2006/08/28 06:30:04 | 000,013,952 | ---- | C] () -- C:\WINDOWS\System32\drivers\UBHelper.sys
[2006/01/02 03:28:20 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/01/02 03:04:26 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIBUN4.dll
[2006/01/02 03:03:30 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
[2006/01/02 03:03:30 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMP3.dll
[2006/01/02 03:03:30 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTICDMK7.dll
[2006/01/02 02:24:20 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/10/25 04:25:28 | 000,008,073 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/04 01:00:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2001/12/26 19:12:30 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
[2001/09/04 02:46:38 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
[2001/07/30 19:33:56 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
[2001/07/24 01:04:36 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll

========== LOP Check ==========

[2010/04/12 21:03:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avG
[2008/08/16 19:40:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avocent AdminWorks
[2010/05/01 15:18:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA
[2008/08/18 10:05:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eSobi
[2008/08/16 19:40:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{623D32E9-0C62-4453-AD44-98B31F52A5E1}
[2009/06/21 16:46:17 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}
[2008/08/16 19:39:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fern\Application Data\Avocent AdminWorks
[2008/08/18 10:06:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fern\Application Data\eSobi
[2009/02/08 16:51:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fern\Application Data\OpenOffice.org

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2006/01/02 02:24:40 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/10/03 19:47:05 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/10/13 17:59:29 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/05/01 15:08:46 | 000,034,332 | ---- | M] () -- C:\caavsetupLog.txt
[2010/05/01 15:14:42 | 000,016,300 | ---- | M] () -- C:\caisslog.txt
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2010/04/24 20:17:58 | 000,013,074 | ---- | M] () -- C:\ComboFix.txt
[2006/01/02 02:24:40 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/10/24 13:58:22 | 469,291,008 | -HS- | M] () -- C:\hiberfil.sys
[2006/01/02 02:24:40 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/10/16 19:18:31 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2006/01/02 02:24:40 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 01:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/09/20 22:34:44 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/10/24 13:58:21 | 703,832,064 | -HS- | M] () -- C:\pagefile.sys
[2006/11/30 16:12:38 | 000,000,530 | ---- | M] () -- C:\PDVD.iss
[2006/01/02 02:29:48 | 000,000,077 | RHS- | M] () -- C:\Preload.aaa
[2006/01/02 02:43:28 | 000,000,526 | ---- | M] () -- C:\RHDSetup.log

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2006/01/01 18:17:12 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2006/01/01 18:17:12 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2006/01/01 18:17:10 | 000,880,640 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-09-29 13:01:38

< End of report >

#4
Essexboy - GeekU Moderator, Retired Staff, 69,964 posts
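An added triage script, written for this thread and not part of OTL or of any post here: it parses OTL `DRV` and file lines of the shape shown in the log above and flags the two patterns a helper looks at first when reading such a log: a running auto-start kernel driver with an empty company field, and files with an empty company field sitting under Application Data that are either hidden+system (`-HS-`) or carry a random-looking name. The sample lines are copied from this log; the regular expressions, the "random-looking" threshold and the Application Data rule are my own assumptions about how to read the format, not anything OTL defines.

```python
"""Heuristic triage of OTL log lines (constructed example, not OTL's own code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the OTL log posted in this thread.
SAMPLE_LOG = r"""
DRV - [2010/05/01 15:09:20 | 000,021,104 | ---- | M] (Computer Associates International, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\vet-rec.sys -- (VET-REC)
DRV - [2010/04/15 15:59:24 | 000,004,736 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\o.sys -- (k)
[2010/10/19 16:00:08 | 000,294,912 | ---- | C] () -- C:\Documents and Settings\Fern\Desktop\gmer.exe
[2010/04/21 21:26:44 | 000,012,002 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\2wUN2x572Urj
[2010/04/12 15:17:37 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\327m1K.dat
[2008/08/16 17:14:47 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Fern\Local Settings\Application Data\fusioncache.dat
"""

# Assumed shape of an OTL driver line:
#   DRV - [date time | size | attrs | M] (company) [type | start | state] -- path -- (service)
DRV_RE = re.compile(
    r"^DRV - \[(?P<date>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| [MC]\] "
    r"\((?P<company>[^)]*)\) \[(?P<svc>[^\]]*)\] -- (?P<path>.+?) -- \((?P<name>[^)]*)\)"
)
# Assumed shape of an OTL file/folder line; the (company) part is absent on folder lines.
FILE_RE = re.compile(
    r"^\[(?P<date>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| [MC]\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)


@dataclass
class Finding:
    path: str
    reason: str


def looks_random(basename: str) -> bool:
    """Heuristic (my assumption): a short stem mixing letters and digits, e.g. 2wUN2x572Urj."""
    stem = basename.rsplit(".", 1)[0]
    has_digit = any(c.isdigit() for c in stem)
    has_alpha = any(c.isalpha() for c in stem)
    return has_digit and has_alpha and len(stem) <= 12


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one OTL line, or None if it matches nothing suspicious."""
    m = DRV_RE.match(line)
    if m:
        svc = m.group("svc")
        if m.group("company") == "" and "Auto" in svc and "Running" in svc:
            return Finding(m.group("path"),
                           f"auto-start kernel driver with no company name (service '{m.group('name')}')")
        return None
    m = FILE_RE.match(line)
    if m:
        attrs, company, path = m.group("attrs"), m.group("company"), m.group("path")
        # Folder lines have company None; only an explicitly empty "()" company is of interest,
        # and only under a profile's Application Data tree.
        if company != "" or "\\Application Data\\" not in path:
            return None
        basename = path.rsplit("\\", 1)[-1]
        if "H" in attrs and "S" in attrs:
            return Finding(path, "hidden+system file with no company name under Application Data")
        if looks_random(basename):
            return Finding(path, "random-looking filename with no company name under Application Data")
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of an OTL log and collect the findings."""
    findings = []
    for raw in text.splitlines():
        f = triage_line(raw.strip())
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.path}\n    -> {f.reason}")
```

On the sample above the script reports o.sys (empty company, Auto, Running), the `-HS-` file 2wUN2x572Urj and 327m1K.dat, and passes over vet-rec.sys, gmer.exe and fusioncache.dat; it is a reading aid for the log, not a verdict, and a real helper still checks each hit against the rest of the log before writing a fix.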
Hi there and sorry for the delay - could I have a fresh look at your system and an update on your current problems?

Download OTS to your Desktop and double-click on it to run it
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users
  • Under additional scans select the following
    Reg - NetSvcs
    Reg - Shell Spawning
    Evnt - EventViewer Logs (Last 10 Errors)
    File - Lop Check
    File - Purity Scan

  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.


#5
gwtwins - Topic Starter, Member, 90 posts
Thanks for getting back to me. I just returned from a Boy Scout camp out and will not have access to the infected PC probably until next weekend. I will do as instructed on either this coming Thursday or next Saturday. I have the weekend to myself so I will be able to get the issue resolved and follow all instructions then. Sorry it won't be sooner.

#6
Essexboy - GeekU Moderator, Retired Staff, 69,964 posts
No problems - I may lose notifications, so send me a PM when you get the scan posted :D

#7
gwtwins - Topic Starter, Member, 90 posts

No problems - I may lose notifications, so send me a PM when you get the scan posted :D


Will Do! Thanks for your patience!

#8
Essexboy - GeekU Moderator, Retired Staff, 69,964 posts
Hi, based on the PM that the system has not been used, please carry out the following

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    DRV - [2010/04/15 15:59:24 | 000,004,736 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\o.sys -- (k)
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    [2010/04/21 21:26:44 | 000,012,002 | -HS- | C] () -- C:\Documents and Settings\Fern\Local Settings\Application Data\2wUN2x572Urj
    [2010/04/21 21:26:44 | 000,012,002 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\2wUN2x572Urj
    [2010/04/18 18:59:12 | 000,014,050 | -HS- | C] () -- C:\Documents and Settings\Fern\Local Settings\Application Data\1LKwMuQ
    [2010/04/18 18:59:12 | 000,014,050 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\1LKwMuQ
    [2010/04/18 14:29:09 | 000,015,468 | -HS- | C] () -- C:\Documents and Settings\Fern\Local Settings\Application Data\t62kNvy
    [2010/04/18 12:56:47 | 000,015,468 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\t62kNvy
    [2010/04/18 12:56:47 | 000,015,318 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\t62kNvy
    [2010/04/15 15:59:24 | 000,004,736 | ---- | C] () -- C:\WINDOWS\System32\o.sys
    [2010/04/13 20:22:04 | 000,012,354 | -HS- | C] () -- C:\Documents and Settings\Fern\Local Settings\Application Data\4ML87
    [2010/04/13 20:22:04 | 000,012,180 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3976734565
    [2010/04/13 17:26:28 | 000,012,354 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4ML87
    [2010/04/13 17:26:28 | 000,012,176 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\4ML87
    [2010/04/12 21:03:35 | 000,000,000 | -HS- | C] () -- C:\Documents and Settings\Fern\Local Settings\Application Data\o82Ak400MM24
    [2010/04/12 17:11:29 | 000,014,406 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\o82Ak400MM24
    [2010/04/12 17:11:29 | 000,014,406 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\o82Ak400MM24
    [2010/04/12 15:17:37 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\327m1K.dat
    [2010/04/12 21:03:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avG

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a prompt asking whether to continue. Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
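As an added example that is not part of the original post and is not OTL's own code: the entries in the fix script above share a pattern (hidden+system attributes, random-looking names, extensionless files dropped into the Application Data folder of several profiles at once). The script below parses OTL-style entry lines and scores them on exactly those traits, so the same triage can be applied to a longer log. The scoring weights, the threshold of 3 and the `looks_generated` check are my assumptions; the first seven sample lines are copied from the fix above and the last one is a constructed benign entry for contrast.

```python
"""Triage helper for OTL file/directory entries like those in the fix above.

Added example, not OTL's code and not from the forum post. It parses lines of
the form

    [YYYY/MM/DD HH:MM:SS | size | attrs | C] (company) -- path

and scores each entry with heuristics mirroring what the fix script targets:
hidden+system attributes (-HS-), a location under Application Data, a
machine-generated-looking name, no file extension, and the same name dropped
into several user profiles. Weights and threshold are my assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# One OTL entry. The "(company)" part is absent on directory entries (see the avG line).
ENTRY_RE = re.compile(
    r"^\s*\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s*\|\s*"
    r"(?P<size>[\d,]+)\s*\|\s*"
    r"(?P<attrs>[A-Z-]{4})\s*\|\s*"
    r"(?P<kind>[CM])\]\s*"
    r"(?:\((?P<company>[^)]*)\)\s*)?"
    r"--\s*(?P<path>.+?)\s*$"
)


@dataclass
class Entry:
    date: str
    size: int
    attrs: str      # four-character attribute field as printed by OTL, e.g. "-HS-" or "---D"
    kind: str       # C = created in the scan window, M = modified
    company: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def hidden_system(self) -> bool:
        return "H" in self.attrs and "S" in self.attrs

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_entry(line: str):
    """Return an Entry for one OTL line, or None if the line is not an entry."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    return Entry(m["date"], int(m["size"].replace(",", "")), m["attrs"],
                 m["kind"], m["company"] or "", m["path"])


def looks_generated(name: str) -> bool:
    """Crude check for dropper-style names: letters and digits mixed in the stem."""
    stem = name.split(".")[0]
    return (len(stem) >= 3
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def triage(lines):
    """Parse all entries and return [(score, entry)], highest score first."""
    entries = [e for e in map(parse_entry, lines) if e is not None]
    copies = Counter(e.name for e in entries)   # same name in several profiles
    scored = []
    for e in entries:
        score = 0
        if e.hidden_system:
            score += 2
        if "Application Data" in e.path:
            score += 1
        if looks_generated(e.name):
            score += 1
        if not e.is_dir and "." not in e.name:   # extensionless file
            score += 1
        if copies[e.name] >= 2:
            score += 1
        scored.append((score, e))
    scored.sort(key=lambda t: (-t[0], t[1].path))
    return scored


# First seven lines copied from the fix script above; the last is a constructed benign entry.
SAMPLE = r"""
[2010/04/13 17:26:28 | 000,012,354 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4ML87
[2010/04/13 17:26:28 | 000,012,176 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\4ML87
[2010/04/12 21:03:35 | 000,000,000 | -HS- | C] () -- C:\Documents and Settings\Fern\Local Settings\Application Data\o82Ak400MM24
[2010/04/12 17:11:29 | 000,014,406 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\o82Ak400MM24
[2010/04/12 17:11:29 | 000,014,406 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\o82Ak400MM24
[2010/04/12 15:17:37 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\327m1K.dat
[2010/04/12 21:03:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avG
[2010/04/10 12:00:00 | 000,001,024 | ---- | M] () -- C:\Documents and Settings\Fern\My Documents\notes.txt
""".strip().splitlines()

if __name__ == "__main__":
    for score, e in triage(SAMPLE):
        flag = "REVIEW" if score >= 3 else "ok"
        print(f"{score}  {flag:6} {e.attrs} {e.path}")
```

Run it against a pasted OTL "Files" section and the 4ML87 and o82Ak400MM24 entries come out on top (score 6 each) while the benign notes.txt scores 0; the .dat and avG entries land in between, which is the point of scoring rather than a single yes/no rule: the hidden+system attribute alone is not proof, but combined with a nonsense name and the same file in two or three profiles it is what a helper would put into a fix.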

#9 gwtwins (Member, Topic Starter, 90 posts)
I pasted in the OTL info you gave me, but OTS will not let me "run fix". It says "no fix has been provided. Do you want to load it from a file?" Can I just copy and paste the info into a txt file and call it fix, then load that file?

#10 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Or you could use one I prepared earlier

[attachment=46031:fix.txt]
#11 gwtwins (Member, Topic Starter, 90 posts)
I just copied the fix info from earlier into a txt file and imported that into OST. I ran that and am running the quick scan now. I should have logs to post shortly. Thanks for your patience.

#12 gwtwins (Member, Topic Starter, 90 posts)
As much as I hate to do this... I'm going to have to put this on hold again until Friday. I ran the OST fix you gave me and then generated another log. It took almost 2 hours for the log. I then told CA Anti-virus to snooze and tried to run Combofix. It would not run because of CA. I need to uninstall CA, then run Combofix. Because of the nature of this infection (?) it is going to take the machine a while to uninstall CA. As much as I love my Mom, I need to spend some time at my house too.. :D My plan is to return Friday sometime around lunch time and then uninstall CA, run Combofix and then post the logs for you to review. I have shut the machine down so right now it is not running.

Again I apologize for this taking me so long. I've never run into something this stubborn before!! If we can't get it figured out I think I'll just wipe the drive and re-install Win XP Pro!!

#13 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Yes, unfortunately CA targets Combofix and may damage the machine. The choice is yours if you wish to go for a re-install. It may be quicker considering the distance you are travelling.

But whatever you decide I will assist

#14 gwtwins (Member, Topic Starter, 90 posts)
The distance isn't that great! It's just time consuming! She's only 17 miles away! I'm a persistent individual when it comes to PC stuff. I really should go through with GeekU training so I can help others also.

I'm going to give uninstalling CA and running Combofix a try. I am not quite ready to throw in the towel just yet! I will do the uninstall and Combofix Friday. I'll send you a PM to let you know I'm working on it and to keep an eye open for the logs. Thanks again for your willingness to help and teach! :D

#15 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
No problem - 'twill be a fun experience :D