comcat32.exe and crtdll32.exe ?


This topic is locked

#1
pch340
New Member, 8 posts
I have two obvious virus files in my system32, and I tried erasing them with KillBox, but to no avail.
I looked up comcat32.exe and crtdll32.exe, and I found: "The comcat32.exe has the following behavior: Enables a COM Object in your system. Executed as a Process with different process name... Usually created by unsafe process. - Registered as a Dynamic Link Library File."


Here is the OTL Log


OTL logfile created on: 8/16/2011 4:14:48 PM - Run 1
OTL by OldTimer - Version 3.2.26.4 Folder = C:\Documents and Settings\hello\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.50 Gb Available Physical Memory | 75.47% Memory free
2.58 Gb Paging File | 2.22 Gb Available in Paging File | 85.77% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 38.33 Gb Total Space | 12.69 Gb Free Space | 33.10% Space Free | Partition Type: NTFS

Computer Name: HELLO-4F12Z94G4 | User Name: hello | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/08/16 16:14:05 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\hello\Desktop\OTL.exe
PRC - [2011/08/16 09:43:14 | 000,706,560 | ---- | M] (People Can Fly) -- C:\WINDOWS\system32\crtdll32.exe
PRC - [2011/08/16 09:43:14 | 000,706,560 | ---- | M] (People Can Fly) -- C:\WINDOWS\system32\comcat32.exe
PRC - [2011/08/05 22:21:27 | 001,017,912 | ---- | M] (Google Inc.) -- C:\Documents and Settings\hello\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2010/08/18 22:09:53 | 000,949,376 | ---- | M] (Eset ) -- C:\Program Files\ESET\nod32kui.exe
PRC - [2010/08/18 22:09:53 | 000,552,064 | ---- | M] (Eset ) -- C:\Program Files\ESET\nod32krn.exe
PRC - [2007/05/06 05:11:36 | 000,094,208 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe
PRC - [2007/05/06 05:10:44 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\sttray.exe


========== Modules (No Company Name) ==========

MOD - [2011/08/05 22:21:25 | 000,400,440 | ---- | M] () -- C:\Documents and Settings\hello\Local Settings\Application Data\Google\Chrome\Application\13.0.782.112\ppgooglenaclpluginchrome.dll
MOD - [2011/08/05 22:21:24 | 004,118,072 | ---- | M] () -- C:\Documents and Settings\hello\Local Settings\Application Data\Google\Chrome\Application\13.0.782.112\pdf.dll
MOD - [2011/08/05 22:20:23 | 000,300,088 | ---- | M] () -- C:\Documents and Settings\hello\Local Settings\Application Data\Google\Chrome\Application\13.0.782.112\Locales\en-US.dll
MOD - [2011/08/05 22:19:58 | 000,104,520 | ---- | M] () -- C:\Documents and Settings\hello\Local Settings\Application Data\Google\Chrome\Application\13.0.782.112\avutil-50.dll
MOD - [2011/08/05 22:19:56 | 000,203,848 | ---- | M] () -- C:\Documents and Settings\hello\Local Settings\Application Data\Google\Chrome\Application\13.0.782.112\avformat-52.dll
MOD - [2011/08/05 22:19:55 | 001,846,344 | ---- | M] () -- C:\Documents and Settings\hello\Local Settings\Application Data\Google\Chrome\Application\13.0.782.112\avcodec-52.dll
MOD - [2011/08/05 20:29:30 | 006,338,720 | ---- | M] () -- C:\Documents and Settings\hello\Local Settings\Application Data\Google\Chrome\Application\13.0.782.112\gcswf32.dll
MOD - [2004/08/04 00:56:44 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/08/16 09:43:14 | 000,706,560 | ---- | M] (People Can Fly) [Auto | Running] -- C:\WINDOWS\system32\crtdll32.exe -- (SamSs32)
SRV - [2010/11/23 17:22:46 | 000,065,536 | ---- | M] (TODO: <Company name>) [Auto | Stopped] -- C:\Program Files\PCD\Pantech\EUDL\UTM\PantechService.exe -- (Pantech UTM Service)
SRV - [2010/08/30 12:19:48 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/08/18 22:09:53 | 000,552,064 | ---- | M] (Eset ) [Auto | Running] -- C:\Program Files\Eset\nod32krn.exe -- (NOD32krn)
SRV - [2007/05/06 05:11:36 | 000,094,208 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe -- (STacSV)


========== Driver Services (SafeList) ==========

DRV - [2010/08/18 22:09:53 | 000,512,096 | ---- | M] (Eset ) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\amon.sys -- (AMON)
DRV - [2010/08/18 22:09:53 | 000,015,424 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\nod32drv.sys -- (nod32drv)
DRV - [2010/04/02 00:39:40 | 000,167,824 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PTHSVSP.sys -- (PTHSVSP) PANTECH Handset Diagnostic Serial Port (UDP)
DRV - [2010/04/02 00:39:32 | 000,167,824 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PTHSMDM.sys -- (PTHSMDM) PANTECH Handset Drivers (UDP)
DRV - [2010/04/02 00:39:32 | 000,056,976 | ---- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PTHSBUS.sys -- (PTHSBUS) PANTECH Handset USB Composite Device Driver (UDP)
DRV - [2008/02/27 13:49:00 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt)
DRV - [2007/05/06 05:12:00 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/12/14 04:44:06 | 000,085,120 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2004/08/03 22:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2002/02/13 15:21:34 | 000,048,472 | ---- | M] (Canon Information Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\cis1284.sys -- (cis1284)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://vshare.toolbarhome.com/?hp=df
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 4E 3B E5 03 D1 19 8B 42 BC 93 46 2D 60 C4 8D 36 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Web Search..."
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://en-US.start3....en-US:official"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0
FF - prefs.js..keyword.URL: "http://vshare.toolba...spx?srch=ku&q="
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17: C:\Program Files\Veetle\VLCBroadcast\npvbp.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.18: C:\Program Files\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.18: C:\Program Files\Veetle\Player\npvlc.dll (Veetle Inc)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\hello\Local Settings\Application Data\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=8: C:\Documents and Settings\hello\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\hello\Local Settings\Application Data\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.18\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/08/08 15:40:30 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.18\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/08/08 15:40:30 | 000,000,000 | ---D | M]

[2010/08/22 19:01:24 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\hello\Application Data\Mozilla\Extensions
[2011/08/16 09:43:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\hello\Application Data\Mozilla\Firefox\Profiles\rimo9avw.default\extensions
[2011/08/16 15:47:26 | 000,000,000 | ---D | M] (XUL Cache) -- C:\Documents and Settings\hello\Application Data\Mozilla\Firefox\Profiles\rimo9avw.default\extensions\{254a4bbf-ad80-4982-aceb-2a2ac946c393}
[2010/08/31 17:57:21 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\hello\Application Data\Mozilla\Firefox\Profiles\rimo9avw.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/05/13 22:30:24 | 000,000,000 | ---D | M] (vShare) -- C:\Documents and Settings\hello\Application Data\Mozilla\Firefox\Profiles\rimo9avw.default\extensions\[email protected]
[2011/05/13 22:30:32 | 000,001,583 | ---- | M] () -- C:\Documents and Settings\hello\Application Data\Mozilla\Firefox\Profiles\rimo9avw.default\searchplugins\web-search.xml
[2011/08/14 00:47:45 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/03 19:37:45 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/12/18 13:13:39 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2010/08/19 23:20:57 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/11/12 19:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2001/08/23 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {03E53B4E-19D1-428B-BC93-462D60C48D36} - C:\WINDOWS\system32\audiosrv32.dll (People Can Fly)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [MpsOnn] C:\WINDOWS\system32\spool\drivers\w32x86\3\MPSONN.EXE (CANON INC.)
O4 - HKLM..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe (Eset )
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\sttray.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [UpdateReminder] C:\Program Files\ESET\UpdateReminder.exe (ESET, spol. s r.o.)
O4 - HKCU..\Run: [Steam] C:\Program Files\Steam\Steam.exe (Valve Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\System32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\imon.dll (Eset )
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\System32\imon.dll (Eset )
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1282191596075 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 71.250.0.12
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\pautoenr32.dll) - C:\WINDOWS\system32\pautoenr32.dll (People Can Fly)
O24 - Desktop WallPaper: C:\Documents and Settings\hello\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\hello\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/08/17 23:56:05 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{71b6c708-7b5d-11e0-b34d-0019212258cb}\Shell - "" = AutoRun
O33 - MountPoints2\{71b6c708-7b5d-11e0-b34d-0019212258cb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{71b6c708-7b5d-11e0-b34d-0019212258cb}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL TL-Bootstrap.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/08/16 16:14:32 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\hello\Desktop\OTL (1).exe
[2011/08/16 16:13:56 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\hello\Desktop\OTL.exe
[2011/08/16 16:05:15 | 000,000,000 | ---D | C] -- C:\!KillBox
[2011/08/16 16:04:51 | 000,092,672 | ---- | C] (Option^Explicit Software [email protected]) -- C:\Documents and Settings\hello\Desktop\KillBox.exe
[2011/08/16 15:58:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/08/16 09:43:19 | 000,706,560 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\comcat32.exe
[2011/08/16 09:43:19 | 000,155,136 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\pautoenr32.dll
[2011/08/16 09:43:17 | 000,706,560 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\crtdll32.exe
[2011/08/16 09:43:16 | 000,328,704 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\audiosrv32.dll
[2011/08/15 15:52:47 | 000,926,560 | ---- | C] (DivX, LLC) -- C:\Documents and Settings\hello\Desktop\DivXInstaller.exe
[2011/08/12 11:54:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/08/12 11:54:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/08/12 10:03:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/08/12 10:03:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/08/05 09:40:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2011/08/05 09:40:38 | 000,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2011/08/05 09:40:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en-US
[2011/08/05 09:40:27 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2011/08/05 09:40:05 | 000,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe
[2011/08/05 09:40:05 | 000,117,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prntvpt.dll
[2011/08/05 09:40:05 | 000,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll
[2011/08/05 09:40:04 | 001,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpssvcs.dll
[2011/08/05 09:40:04 | 001,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpssvcs.dll
[2011/08/05 09:40:04 | 000,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpsshhdr.dll
[2011/08/05 09:40:04 | 000,000,000 | ---D | C] -- C:\f782f91530fbf391702e8932c26d8c8e
[2011/08/05 09:35:56 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 6.0
[2011/08/05 00:12:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\KB905474
[2011/08/04 13:38:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\hello\Desktop\Incomplete
[2011/08/04 03:24:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak
[2011/08/04 03:23:59 | 000,454,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys
[2011/08/04 03:21:51 | 000,272,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\bthport.sys
[2011/08/04 03:21:50 | 000,352,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srv.sys
[2011/08/04 03:18:25 | 000,470,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2011/08/04 03:18:14 | 000,743,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2011/08/04 03:16:04 | 003,555,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2011/08/04 03:15:47 | 000,060,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\colbact.dll
[2011/08/04 03:15:40 | 002,137,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2011/08/04 03:15:37 | 002,181,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2011/08/04 03:15:34 | 002,016,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2011/08/04 03:15:32 | 002,058,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2011/08/04 03:12:00 | 000,331,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msadce.dll
[2011/08/04 03:09:13 | 000,655,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mstscax.dll
[2011/08/04 03:09:02 | 000,332,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\netapi32.dll
[2011/08/04 03:01:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\PreInstall
[2011/08/04 03:00:36 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$hf_mig$
[2011/08/03 15:49:58 | 001,435,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\query.dll
[2011/08/03 15:49:54 | 000,168,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\schannel.dll
[2011/08/03 15:49:53 | 000,017,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msyuv.dll
[2011/08/03 15:49:52 | 000,084,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\avifil32.dll
[2011/08/03 15:49:52 | 000,048,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iyuv_32.dll
[2011/08/03 15:49:52 | 000,011,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msrle32.dll
[2011/08/03 15:49:52 | 000,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\tsbyuv.dll
[2011/08/03 15:49:51 | 000,065,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\asycfilt.dll
[2011/08/03 15:49:37 | 001,172,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml3.dll
[2011/08/03 15:47:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/08/03 15:44:06 | 000,000,000 | ---D | C] -- C:\Program Files\PCD
[2003/03/18 21:20:00 | 001,060,864 | ---- | C] (Microsoft Corporation) -- C:\Program Files\mfc71.dll
[2003/03/18 21:12:12 | 001,047,552 | ---- | C] (Microsoft Corporation) -- C:\Program Files\mfc71u.dll
[2003/03/18 20:44:38 | 000,057,344 | ---- | C] (Microsoft Corporation) -- C:\Program Files\MFC71ENU.DLL
[2003/03/18 20:44:38 | 000,049,152 | ---- | C] (Microsoft Corporation) -- C:\Program Files\MFC71KOR.DLL
[2003/03/18 20:44:36 | 000,061,440 | ---- | C] (Microsoft Corporation) -- C:\Program Files\MFC71ITA.DLL
[2003/03/18 20:44:36 | 000,061,440 | ---- | C] (Microsoft Corporation) -- C:\Program Files\MFC71ESP.DLL
[2003/03/18 20:44:36 | 000,045,056 | ---- | C] (Microsoft Corporation) -- C:\Program Files\MFC71CHT.DLL
[2003/03/18 20:44:36 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\Program Files\MFC71CHS.DLL
[2003/03/18 20:44:34 | 000,065,536 | ---- | C] (Microsoft Corporation) -- C:\Program Files\MFC71DEU.DLL
[2003/03/18 20:44:34 | 000,061,440 | ---- | C] (Microsoft Corporation) -- C:\Program Files\MFC71FRA.DLL
[2003/03/18 20:44:34 | 000,049,152 | ---- | C] (Microsoft Corporation) -- C:\Program Files\MFC71JPN.DLL
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\hello\*.tmp files -> C:\Documents and Settings\hello\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/08/16 16:14:33 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\hello\Desktop\OTL (1).exe
[2011/08/16 16:14:05 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\hello\Desktop\OTL.exe
[2011/08/16 16:13:07 | 000,000,578 | ---- | M] () -- C:\Documents and Settings\hello\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to procexp.lnk
[2011/08/16 16:08:39 | 000,004,601 | ---- | M] () -- C:\Documents and Settings\hello\Desktop\AVG.Anti-Virus.8.Pro.+.key.torrent
[2011/08/16 16:04:52 | 000,092,672 | ---- | M] (Option^Explicit Software [email protected]) -- C:\Documents and Settings\hello\Desktop\KillBox.exe
[2011/08/16 15:36:43 | 000,063,614 | ---- | M] () -- C:\Documents and Settings\hello\Desktop\090BA1495E5881B97C09BC022CC15AC56CD579E3.torrent
[2011/08/16 15:33:00 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-682003330-115176313-839522115-1003UA.job
[2011/08/16 15:30:13 | 000,010,745 | ---- | M] () -- C:\Documents and Settings\hello\Desktop\[kat.ph]avg.anti.virus.7.362.full.version.with.keygen.included.torrent
[2011/08/16 15:27:10 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2011/08/16 15:26:57 | 000,000,012 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\ReminderNextRun
[2011/08/16 15:25:54 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/08/16 15:25:46 | 000,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/08/16 15:25:37 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/08/16 15:25:36 | 2138,427,392 | -HS- | M] () -- C:\hiberfil.sys
[2011/08/16 15:22:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/08/16 14:33:00 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-682003330-115176313-839522115-1003Core.job
[2011/08/16 09:43:19 | 000,155,136 | ---- | M] (People Can Fly) -- C:\WINDOWS\System32\pautoenr32.dll
[2011/08/16 09:43:19 | 000,000,097 | ---- | M] () -- C:\WINDOWS\System32\2049859956
[2011/08/16 09:43:16 | 000,328,704 | ---- | M] (People Can Fly) -- C:\WINDOWS\System32\audiosrv32.dll
[2011/08/16 09:43:14 | 000,706,560 | ---- | M] (People Can Fly) -- C:\WINDOWS\System32\crtdll32.exe
[2011/08/16 09:43:14 | 000,706,560 | ---- | M] (People Can Fly) -- C:\WINDOWS\System32\comcat32.exe
[2011/08/15 22:01:15 | 000,013,312 | ---- | M] () -- C:\Documents and Settings\hello\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/08/15 15:52:53 | 000,926,560 | ---- | M] (DivX, LLC) -- C:\Documents and Settings\hello\Desktop\DivXInstaller.exe
[2011/08/12 12:13:19 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/08/11 18:09:34 | 000,067,165 | ---- | M] () -- C:\Documents and Settings\hello\Desktop\aznmuffinn-painting--Blue-ocean.png
[2011/08/11 18:07:46 | 000,090,455 | ---- | M] () -- C:\Documents and Settings\hello\Desktop\forestq.png
[2011/08/11 17:57:23 | 000,007,527 | ---- | M] () -- C:\Documents and Settings\hello\Desktop\Tf4gi.gif
[2011/08/09 19:35:02 | 000,002,284 | ---- | M] () -- C:\Documents and Settings\hello\Desktop\Google Chrome.lnk
[2011/08/09 19:35:02 | 000,002,262 | ---- | M] () -- C:\Documents and Settings\hello\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/08/06 09:17:08 | 000,432,356 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/08/06 09:17:08 | 000,067,312 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/08/06 03:18:07 | 001,429,216 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/08/06 03:00:50 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/08/04 13:42:09 | 000,002,155 | ---- | M] () -- C:\Documents and Settings\hello\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2011/08/03 23:49:59 | 000,331,227 | ---- | M] () -- C:\Documents and Settings\hello\Desktop\Lelsley Chiou OCCIDENTAL.pdf
[2011/08/03 18:32:04 | 001,500,327 | ---- | M] () -- C:\Documents and Settings\hello\Desktop\Untitled-1.jpg
[2011/08/02 18:58:52 | 000,067,980 | ---- | M] () -- C:\Documents and Settings\hello\Desktop\281935_2273214075294_1396943527_32652438_7441120_n.jpg
[2011/07/31 23:44:58 | 000,244,149 | ---- | M] () -- C:\Documents and Settings\hello\Desktop\2012TeacherEval1_download.pdf
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\hello\*.tmp files -> C:\Documents and Settings\hello\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/08/16 16:08:39 | 000,004,601 | ---- | C] () -- C:\Documents and Settings\hello\Desktop\AVG.Anti-Virus.8.Pro.+.key.torrent
[2011/08/16 15:36:42 | 000,063,614 | ---- | C] () -- C:\Documents and Settings\hello\Desktop\090BA1495E5881B97C09BC022CC15AC56CD579E3.torrent
[2011/08/16 15:30:13 | 000,010,745 | ---- | C] () -- C:\Documents and Settings\hello\Desktop\[kat.ph]avg.anti.virus.7.362.full.version.with.keygen.included.torrent
[2011/08/16 09:43:17 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\2049859956
[2011/08/11 18:09:35 | 000,067,165 | ---- | C] () -- C:\Documents and Settings\hello\Desktop\aznmuffinn-painting--Blue-ocean.png
[2011/08/11 18:07:47 | 000,090,455 | ---- | C] () -- C:\Documents and Settings\hello\Desktop\forestq.png
[2011/08/11 17:57:25 | 000,007,527 | ---- | C] () -- C:\Documents and Settings\hello\Desktop\Tf4gi.gif
[2011/08/05 00:12:39 | 000,000,260 | ---- | C] () -- C:\WINDOWS\tasks\WGASetup.job
[2011/08/03 23:49:58 | 000,331,227 | ---- | C] () -- C:\Documents and Settings\hello\Desktop\Lelsley Chiou OCCIDENTAL.pdf
[2011/08/03 18:32:03 | 001,500,327 | ---- | C] () -- C:\Documents and Settings\hello\Desktop\Untitled-1.jpg
[2011/08/03 15:49:53 | 001,291,264 | ---- | C] () -- C:\WINDOWS\System32\dllcache\quartz.dll
[2011/08/02 18:58:54 | 000,067,980 | ---- | C] () -- C:\Documents and Settings\hello\Desktop\281935_2273214075294_1396943527_32652438_7441120_n.jpg
[2011/07/31 23:45:02 | 000,244,149 | ---- | C] () -- C:\Documents and Settings\hello\Desktop\2012TeacherEval1_download.pdf
[2011/07/18 14:21:29 | 000,000,012 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ReminderNextRun
[2011/06/29 14:04:48 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2011/05/01 22:45:22 | 000,393,264 | R--- | C] () -- C:\WINDOWS\System32\N067u.dat
[2011/01/20 00:14:28 | 000,000,089 | ---- | C] () -- C:\WINDOWS\System32\imon1.dat
[2010/09/22 18:56:43 | 000,000,208 | ---- | C] () -- C:\WINDOWS\MPASS.INI
[2010/09/06 20:12:27 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\hello\Application Data\winscp.rnd
[2010/09/02 21:22:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\asym.ini
[2010/09/01 14:45:37 | 000,017,836 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/08/22 19:01:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/08/22 12:21:59 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2010/08/22 11:27:57 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/20 12:12:52 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/08/19 22:05:18 | 000,204,800 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4785.dll
[2010/08/19 11:27:47 | 000,013,312 | ---- | C] () -- C:\Documents and Settings\hello\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/18 22:10:25 | 000,015,424 | ---- | C] () -- C:\WINDOWS\System32\drivers\nod32drv.sys
[2010/08/17 23:57:59 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/08/17 23:53:38 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/08/17 19:22:58 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/08/17 19:22:10 | 001,429,216 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/02 14:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2001/08/23 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 08:00:00 | 000,432,356 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 08:00:00 | 000,067,312 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 08:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2001/08/23 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 08:00:00 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/23 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

< End of report >

I'm new to this forum!
Was referred to this subforum from this thread:
http://www.geekstogo...-me-this-error/

Any help would be greatly appreciated
Thanks for your time

#2
SweetTech (Retired Staff)
Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short); it's a pleasure to meet you.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together :)
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.
____________________________________________________

Can you please post the Extras.txt log for me to review?


OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :Processes
    KILLALLPROCESSES
    :OTL
    PRC - [2011/08/16 09:43:14 | 000,706,560 | ---- | M] (People Can Fly) -- C:\WINDOWS\system32\crtdll32.exe
    PRC - [2011/08/16 09:43:14 | 000,706,560 | ---- | M] (People Can Fly) -- C:\WINDOWS\system32\comcat32.exe
    SRV - [2011/08/16 09:43:14 | 000,706,560 | ---- | M] (People Can Fly) [Auto | Running] -- C:\WINDOWS\system32\crtdll32.exe -- (SamSs32)
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    [2011/08/16 15:47:26 | 000,000,000 | ---D | M] (XUL Cache) -- C:\Documents and Settings\hello\Application Data\Mozilla\Firefox\Profiles\rimo9avw.default\extensions\{254a4bbf-ad80-4982-aceb-2a2ac946c393}
    [2010/11/03 19:37:45 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    [2010/12/18 13:13:39 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    O2 - BHO: (no name) - {03E53B4E-19D1-428B-BC93-462D60C48D36} - C:\WINDOWS\system32\audiosrv32.dll (People Can Fly)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
    O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
    O20 - AppInit_DLLs: (C:\WINDOWS\system32\pautoenr32.dll) - C:\WINDOWS\system32\pautoenr32.dll (People Can Fly)
    O33 - MountPoints2\{71b6c708-7b5d-11e0-b34d-0019212258cb}\Shell - "" = AutoRun
    O33 - MountPoints2\{71b6c708-7b5d-11e0-b34d-0019212258cb}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{71b6c708-7b5d-11e0-b34d-0019212258cb}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL TL-Bootstrap.exe
    [2011/08/16 09:43:19 | 000,706,560 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\comcat32.exe
    [2011/08/16 09:43:19 | 000,155,136 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\pautoenr32.dll
    [2011/08/16 09:43:17 | 000,706,560 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\crtdll32.exe
    [2011/08/16 09:43:16 | 000,328,704 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\audiosrv32.dll
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\Documents and Settings\hello\*.tmp files -> C:\Documents and Settings\hello\*.tmp -> ]
    [2011/08/16 16:08:39 | 000,004,601 | ---- | M] () -- C:\Documents and Settings\hello\Desktop\AVG.Anti-Virus.8.Pro.+.key.torrent
    [2011/08/16 15:30:13 | 000,010,745 | ---- | M] () -- C:\Documents and Settings\hello\Desktop\[kat.ph]avg.anti.virus.7.362.full.version.with.keygen.included.torrent
    [2011/08/16 09:43:19 | 000,155,136 | ---- | M] (People Can Fly) -- C:\WINDOWS\System32\pautoenr32.dll
    [2011/08/16 09:43:19 | 000,000,097 | ---- | M] () -- C:\WINDOWS\System32\2049859956
    [2011/08/16 09:43:16 | 000,328,704 | ---- | M] (People Can Fly) -- C:\WINDOWS\System32\audiosrv32.dll
    [2011/08/16 09:43:14 | 000,706,560 | ---- | M] (People Can Fly) -- C:\WINDOWS\System32\crtdll32.exe
    [2011/08/16 09:43:14 | 000,706,560 | ---- | M] (People Can Fly) -- C:\WINDOWS\System32\comcat32.exe
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\Documents and Settings\hello\*.tmp files -> C:\Documents and Settings\hello\*.tmp -> ]
    [2011/08/16 16:08:39 | 000,004,601 | ---- | C] () -- C:\Documents and Settings\hello\Desktop\AVG.Anti-Virus.8.Pro.+.key.torrent
    [2011/08/16 15:30:13 | 000,010,745 | ---- | C] () -- C:\Documents and Settings\hello\Desktop\[kat.ph]avg.anti.virus.7.362.full.version.with.keygen.included.torrent
    [2011/08/16 09:43:17 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\2049859956
    
    :Reg
    
    :Files
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Scanning with GMER

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

Notes:
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.



NEXT:



What issues are you currently experiencing with your computer right now?
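Added example (not part of SweetTech's post, of OTL, or of any vendor tool): the Python below runs a few triage checks over OTL-style lines constructed from the entries in the fix script above, plus one constructed benign control line. It flags the tricks that make that list worth a second look: system32 binaries whose names imitate real Windows modules with "32" appended (comcat.dll, crtdll.dll, audiosrv.dll, pautoenr.dll), a service key that shadows the real SamSs key, an AppInit_DLLs entry, and a set of files sharing one publisher string and one timestamp to the second. The "known-legitimate" tables are a small assumed list, not a complete Windows inventory, and the sample lines are constructed for the example.

```python
"""Heuristic triage of OTL log lines for the tricks seen in this thread.

Added example: not part of the thread, of OTL, or of any vendor tool.  The
sample lines are constructed from the entries quoted above (plus one benign
control line); the "known-legitimate" tables are an assumed, partial list.
"""
import re
from collections import defaultdict

# Constructed sample input modelled on the PRC/SRV/O2/O20 lines in the fix above.
SAMPLE_LINES = [
    r"PRC - [2011/08/16 09:43:14 | 000,706,560 | ---- | M] (People Can Fly) -- C:\WINDOWS\system32\crtdll32.exe",
    r"PRC - [2011/08/16 09:43:14 | 000,706,560 | ---- | M] (People Can Fly) -- C:\WINDOWS\system32\comcat32.exe",
    r"SRV - [2011/08/16 09:43:14 | 000,706,560 | ---- | M] (People Can Fly) [Auto | Running] -- C:\WINDOWS\system32\crtdll32.exe -- (SamSs32)",
    r"O2 - BHO: (no name) - {03E53B4E-19D1-428B-BC93-462D60C48D36} - C:\WINDOWS\system32\audiosrv32.dll (People Can Fly)",
    r"O20 - AppInit_DLLs: (C:\WINDOWS\system32\pautoenr32.dll) - C:\WINDOWS\system32\pautoenr32.dll (People Can Fly)",
    # constructed benign control line so the heuristics have something to ignore
    r"PRC - [2004/08/04 12:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\svchost.exe",
]

# Assumed lookup tables (lower-case stem -> genuine name).  The suspect files
# shadow real system32 modules by appending "32"; the service key SamSs32
# shadows the real Security Accounts Manager key, SamSs.
LEGIT_MODULES = {"comcat": "comcat.dll", "crtdll": "crtdll.dll",
                 "audiosrv": "audiosrv.dll", "pautoenr": "pautoenr.dll",
                 "svchost": "svchost.exe"}
LEGIT_SERVICES = {"samss": "SamSs", "audiosrv": "AudioSrv"}

PATH_RE = re.compile(r"[A-Za-z]:\\[^()]+?\.(?:exe|dll|sys)\b", re.IGNORECASE)
STAMP_RE = re.compile(r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \|")
SERVICE_RE = re.compile(r"--\s\(([^)]+)\)\s*$")


def company(line):
    """Publisher string: first parenthesised group that is neither a path nor
    the '(no name)' placeholder.  SRV lines end in '-- (ServiceKey)', which is
    stripped first so the key is not mistaken for a publisher."""
    body = SERVICE_RE.sub("", line)
    for grp in re.findall(r"\(([^()]*)\)", body):
        if grp and grp.lower() != "no name" and not re.match(r"[A-Za-z]:\\", grp):
            return grp
    return ""


def shadowed(name, legit):
    """Genuine name that `name` imitates ('crtdll32' -> 'crtdll.dll'), or None
    when the stem minus its trailing '32' is not in the assumed table (so a
    real kernel32-style name is never reported)."""
    name = name.lower()
    if name.endswith("32") and name[:-2] in legit:
        return legit[name[:-2]]
    return None


def analyze(lines):
    report = {"masquerade": [], "shadow_services": [], "appinit": [], "clusters": []}
    by_stamp = defaultdict(set)          # (timestamp, publisher) -> paths
    for line in lines:
        paths = PATH_RE.findall(line)
        comp = company(line)
        stamp = STAMP_RE.search(line)
        for path in paths:
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            real = shadowed(stem, LEGIT_MODULES)
            if real and (path, real) not in report["masquerade"]:
                report["masquerade"].append((path, real))
            if stamp:
                by_stamp[(stamp.group(1), comp)].add(path)
        # AppInit_DLLs is loaded into every process that maps user32.dll, so one
        # entry here is system-wide persistence, not a browser add-on.
        if line.startswith("O20 - AppInit_DLLs") and paths:
            report["appinit"].append(paths[0])
        if line.startswith("SRV"):
            m = SERVICE_RE.search(line)
            real = shadowed(m.group(1), LEGIT_SERVICES) if m else None
            if real:
                report["shadow_services"].append((m.group(1), real))
    # Distinct files sharing one publisher string and one timestamp to the
    # second is the fingerprint of a dropper writing its payload in one go.
    for (stamp, comp), paths in sorted(by_stamp.items()):
        if len(paths) > 1:
            report["clusters"].append((stamp, comp, sorted(paths)))
    return report


def fix_targets(report):
    """Unique file paths the :Files section of an OTL fix would have to list."""
    paths = {p for p, _ in report["masquerade"]} | set(report["appinit"])
    for _, _, cluster in report["clusters"]:
        paths.update(cluster)
    return sorted(paths, key=str.lower)


if __name__ == "__main__":
    rep = analyze(SAMPLE_LINES)
    for key, items in rep.items():
        print(key, *items, sep="\n    ")
    print("fix targets", *fix_targets(rep), sep="\n    ")
```

Run it as a script to print the report; `fix_targets()` collapses the findings into the unique paths a fix would need to cover. The heuristics are deliberately narrow: a name is flagged only when its stem minus the trailing "32" is in the assumed table, so genuine names such as kernel32.dll produce nothing, and the timestamp clustering only fires on lines that carry an OTL timestamp (the O2 and O20 entries do not).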

#3
pch340 (Topic Starter)
Here is the Extras log:

OTL Extras logfile created on: 8/16/2011 4:14:48 PM - Run 1
OTL by OldTimer - Version 3.2.26.4 Folder = C:\Documents and Settings\hello\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.50 Gb Available Physical Memory | 75.47% Memory free
2.58 Gb Paging File | 2.22 Gb Available in Paging File | 85.77% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 38.33 Gb Total Space | 12.69 Gb Free Space | 33.10% Space Free | Partition Type: NTFS

Computer Name: HELLO-4F12Z94G4 | User Name: hello | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program -- (Microsoft Corporation)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\FrostWire\FrostWire.exe" = C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire -- (FrostWire Group)
"C:\Documents and Settings\hello\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" = C:\Documents and Settings\hello\Local Settings\Application Data\Google\Chrome\Application\chrome.exe:*:Enabled:Google Chrome -- (Google Inc.)
"C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\Program Files\Steam\steamapps\zoneyp\counter-strike\hl.exe" = C:\Program Files\Steam\steamapps\zoneyp\counter-strike\hl.exe:*:Enabled:Counter-Strike -- (Valve)
"C:\Program Files\Steam\steamapps\zoneyp\team fortress 2\hl2.exe" = C:\Program Files\Steam\steamapps\zoneyp\team fortress 2\hl2.exe:*:Enabled:hl2
"C:\Program Files\Google\Google Earth\plugin\geplugin.exe" = C:\Program Files\Google\Google Earth\plugin\geplugin.exe:*:Enabled:Google Earth -- (Google)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Steam\steamapps\pch340\counter-strike\hl.exe" = C:\Program Files\Steam\steamapps\pch340\counter-strike\hl.exe:*:Enabled:Counter-Strike -- (Valve)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{1965C9BB-9114-4A50-AEC7-E62414BB117B}" = EASEUS Data Recovery Wizard Professional 4.3.6
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F77C418-2C90-459C-BD33-B56A4182B9FA}" = System Requirements Lab CYRI
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java™ 6 Update 23
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{473AFDFE-636E-434A-95FD-72B31B1A9777}" = Verizon Tool Launcher for CDM8999
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{5572DAE5-6D26-43B0-9B34-81BB20EF7E13}" = Verizon_PCD_Pantech_UTM32
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6283826F-59A2-11D9-BB04-000AE6BE6EE7}" = On-line Help Console
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{91F9CE38-1D4B-4024-AB9B-C867CE65E946}" = PANTECH Handset Driver
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{9B016AF7-29F4-433C-8897-3B08E03ADC49}" = Verizon_PCD_UT_Framework
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{9F99EE38-B513-4E54-96DB-B403BF26DA5D}" = Verizon_PCD_D8999VW_UT
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9F6CFB0-806D-11E0-8EA1-B8AC6F97B88E}" = Google Earth Plug-in
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}" = Adobe ExtendScript Toolkit 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D1BB4446-AE9C-4256-9A7F-4D46604D2462}" = Adobe Setup
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}" = Adobe Color Common Settings
"{DBC3FDEC-D5F4-439C-9A18-EF454A74E3DE}_is1" = NOD32 FiX
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{E47D2974-AA5E-FlvMP3-B984-3CA48DFA2849}_is1" = FLAV FLV to MP3 Converter 2.58.15
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{F439D7AF-03F3-4F8E-AEC4-571BFE977C61}" = iTunes
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_2ac78060bc5856b0c1cf873bb919b58" = Adobe Photoshop CS3
"Belarc Advisor" = Belarc Advisor 8.2
"DivX Setup.divx.com" = DivX Setup
"FrostWire" = FrostWire 4.20.9
"HDMI" = Intel® Graphics Media Accelerator Driver
"KeyTweak" = KeyTweak - Keyboard Remapper (remove only)
"Magic Swf2Gif_is1" = Magic Swf2Gif 1.35
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.18)" = Mozilla Firefox (3.6.18)
"MultiPASS" = Canon LASER CLASS 1060P
"NOD32" = NOD32 antivirus system
"ST6UNST #1" = QuickLatin 1.3.1
"Steam App 10" = Counter-Strike
"uTorrent" = µTorrent
"Veetle TV" = Veetle TV 0.9.18
"VLC media player" = VLC media player 1.1.3
"WIC" = Windows Imaging Component
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinRAR archiver" = WinRAR archiver
"winscp3_is1" = WinSCP 4.1.8

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/25/2011 3:29:28 PM | Computer Name = HELLO-4F12Z94G4 | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 0.0.0.0, faulting module
imon.dll, version 2.70.31.0, fault address 0x00018c60.

Error - 6/25/2011 3:30:08 PM | Computer Name = HELLO-4F12Z94G4 | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 0.0.0.0, faulting module
imon.dll, version 2.70.31.0, fault address 0x00018c60.

Error - 6/26/2011 7:18:16 PM | Computer Name = HELLO-4F12Z94G4 | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 0.0.0.0, faulting module
msvcr80.dll, version 8.0.50727.4053, fault address 0x000173cb.

Error - 6/28/2011 8:05:25 PM | Computer Name = HELLO-4F12Z94G4 | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 0.0.0.0, faulting module
msvcr80.dll, version 8.0.50727.4053, fault address 0x000173c6.

Error - 7/4/2011 6:37:22 PM | Computer Name = HELLO-4F12Z94G4 | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 0.0.0.0, faulting module
chrome.dll, version 12.0.742.112, fault address 0x0088018f.

Error - 7/4/2011 9:04:23 PM | Computer Name = HELLO-4F12Z94G4 | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 0.0.0.0, faulting module
msvcr80.dll, version 8.0.50727.4053, fault address 0x000173f2.

Error - 7/4/2011 9:04:47 PM | Computer Name = HELLO-4F12Z94G4 | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 0.0.0.0, faulting module
msvcr80.dll, version 8.0.50727.4053, fault address 0x000173bd.

Error - 7/4/2011 9:45:15 PM | Computer Name = HELLO-4F12Z94G4 | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 0.0.0.0, faulting module
msvcr80.dll, version 8.0.50727.4053, fault address 0x000173c1.

Error - 7/6/2011 5:43:45 PM | Computer Name = HELLO-4F12Z94G4 | Source = Application Error | ID = 1000
Description = Faulting application userinit.exe, version 5.1.2600.2180, faulting
module crypt32.dll, version 5.131.2600.2180, fault address 0x00023fe4.

Error - 7/10/2011 11:05:09 PM | Computer Name = HELLO-4F12Z94G4 | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 0.0.0.0, faulting module
ntdll.dll, version 5.1.2600.2180, fault address 0x00018fea.

[ System Events ]
Error - 8/16/2011 3:25:51 PM | Computer Name = HELLO-4F12Z94G4 | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL.
Reference
error message: The operation completed successfully. .

Error - 8/16/2011 3:26:12 PM | Computer Name = HELLO-4F12Z94G4 | Source = System Error | ID = 1003
Description = Error code 1000000a, parameter1 f8c4b4bc, parameter2 00000001, parameter3
00000000, parameter4 804e70e5.

Error - 8/16/2011 3:26:23 PM | Computer Name = HELLO-4F12Z94G4 | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 8/16/2011 3:26:23 PM | Computer Name = HELLO-4F12Z94G4 | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference
error message: The referenced assembly is not installed on your system. .

Error - 8/16/2011 3:26:23 PM | Computer Name = HELLO-4F12Z94G4 | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL.
Reference
error message: The operation completed successfully. .

Error - 8/16/2011 3:26:23 PM | Computer Name = HELLO-4F12Z94G4 | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 8/16/2011 3:26:23 PM | Computer Name = HELLO-4F12Z94G4 | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference
error message: The referenced assembly is not installed on your system. .

Error - 8/16/2011 3:26:23 PM | Computer Name = HELLO-4F12Z94G4 | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL.
Reference
error message: The operation completed successfully. .

Error - 8/16/2011 3:42:52 PM | Computer Name = HELLO-4F12Z94G4 | Source = Service Control Manager | ID = 7031
Description = The Print Spooler service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 8/16/2011 3:42:53 PM | Computer Name = HELLO-4F12Z94G4 | Source = Service Control Manager | ID = 7034
Description = The iPod Service service terminated unexpectedly. It has done this
1 time(s).


< End of report >




This is the report after running your fix.
Surprisingly, it couldn't find the comcat and crtdll32.
When I ran this fix and reset, I got a blinking cursor error on startup and had to go to the recovery console and do fixboot and fixmbr.
Right now, my comp is running fine but every time I reset it, something seems to be wrong.



All processes killed
========== SERVICES/DRIVERS ==========
========== PROCESSES ==========
========== OTL ==========
No active process named crtdll32.exe was found!
No active process named comcat32.exe was found!
Error: No service named SamSs32 was found to stop!
Service\Driver key SamSs32 not found.
File C:\WINDOWS\system32\crtdll32.exe not found.
Prefs.js: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22 removed from extensions.enabledItems
Prefs.js: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23 removed from extensions.enabledItems
Folder C:\Documents and Settings\hello\Application Data\Mozilla\Firefox\Profiles\rimo9avw.default\extensions\{254a4bbf-ad80-4982-aceb-2a2ac946c393}\ not found.
Folder C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Folder C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03E53B4E-19D1-428B-BC93-462D60C48D36}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03E53B4E-19D1-428B-BC93-462D60C48D36}\ not found.
File C:\WINDOWS\system32\audiosrv32.dll not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\WINDOWS\system32\pautoenr32.dll deleted successfully.
File C:\WINDOWS\system32\pautoenr32.dll not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{71b6c708-7b5d-11e0-b34d-0019212258cb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71b6c708-7b5d-11e0-b34d-0019212258cb}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{71b6c708-7b5d-11e0-b34d-0019212258cb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71b6c708-7b5d-11e0-b34d-0019212258cb}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{71b6c708-7b5d-11e0-b34d-0019212258cb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71b6c708-7b5d-11e0-b34d-0019212258cb}\ not found.
File C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL TL-Bootstrap.exe not found.
File C:\WINDOWS\System32\comcat32.exe not found.
File C:\WINDOWS\System32\pautoenr32.dll not found.
File C:\WINDOWS\System32\crtdll32.exe not found.
File C:\WINDOWS\System32\audiosrv32.dll not found.
File/Folder C:\WINDOWS\*.tmp not found.
File/Folder C:\WINDOWS\System32\*.tmp not found.
File/Folder C:\Documents and Settings\hello\*.tmp not found.
File C:\Documents and Settings\hello\Desktop\AVG.Anti-Virus.8.Pro.+.key.torrent not found.
File C:\Documents and Settings\hello\Desktop\[kat.ph]avg.anti.virus.7.362.full.version.with.keygen.included.torrent not found.
File C:\WINDOWS\System32\pautoenr32.dll not found.
File C:\WINDOWS\System32\2049859956 not found.
File C:\WINDOWS\System32\audiosrv32.dll not found.
File C:\WINDOWS\System32\crtdll32.exe not found.
File C:\WINDOWS\System32\comcat32.exe not found.
File/Folder C:\WINDOWS\*.tmp not found.
File/Folder C:\WINDOWS\System32\*.tmp not found.
File/Folder C:\Documents and Settings\hello\*.tmp not found.
File C:\Documents and Settings\hello\Desktop\AVG.Anti-Virus.8.Pro.+.key.torrent not found.
File C:\Documents and Settings\hello\Desktop\[kat.ph]avg.anti.virus.7.362.full.version.with.keygen.included.torrent not found.
File C:\WINDOWS\System32\2049859956 not found.
========== REGISTRY ==========
========== FILES ==========
< echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c >
Are you sure (Y/N)?processed file: C:\WINDOWS\system32\drivers\etc\Hosts
C:\Documents and Settings\hello\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\hello\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\hello\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\hello\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: hello
->Temp folder emptied: 4650023307 bytes
->Temporary Internet Files folder emptied: 2228358 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 8458683 bytes
->Google Chrome cache emptied: 225862894 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 950272 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 164214025 bytes
->Java cache emptied: 14 bytes
->Flash cache emptied: 10911 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 67405405 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 55413859 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 241007 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 4,935.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: hello
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.26.4 log created on 08172011_195550

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KDEFKP6F\1[2].htm not found!
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KDEFKP6F\adholder[1].php not found!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KDEFKP6F\config_jw[1].xml moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KDEFKP6F\crossdomain[4].xml moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KDEFKP6F\pacman-advanced[1] moved successfully.
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KDEFKP6F\statsnew[1].xml not found!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\GREL1V9X\CAP7VH8W moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\GREL1V9X\womens_health[1].xml moved successfully.
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CJ65ARW2\adholder[1].php not found!
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CJ65ARW2\CAKPYJGX.php not found!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CJ65ARW2\celebritycrush.mevio[1] moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CJ65ARW2\dot[1].gif moved successfully.
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CJ65ARW2\getconfig[1].php not found!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CJ65ARW2\hotoff.mevio[1] moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CJ65ARW2\index[1].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CJ65ARW2\news[1].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CJ65ARW2\tvshows[1].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C1MBS1M7\celebritycrush.mevio[1] moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C1MBS1M7\GetAdDirector_BannerCreative[1].asp moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C1MBS1M7\index[2].htm moved successfully.
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8TIV0LE3\CA4LIN09.php not found!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8TIV0LE3\CAS7M5A5.htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8TIV0LE3\java_trust[1].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0PUFW9M3\adholder[1].php moved successfully.
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0PUFW9M3\adholder[2].php not found!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0PUFW9M3\crossdomain[10].xml moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0PUFW9M3\iframescript[1].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0PUFW9M3\java_trust[1].htm moved successfully.
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0LQV8PE3\adholder[1].php not found!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0LQV8PE3\bestofyoutube.mevio[1] moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0LQV8PE3\emily[1].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0LQV8PE3\fungames[1].htm moved successfully.
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0LQV8PE3\statsnew[1].xml not found!
File\Folder C:\WINDOWS\temp\hsperfdata_SYSTEM\872 not found!
File\Folder C:\WINDOWS\temp\5A05.tmp not found!
File\Folder C:\WINDOWS\temp\fla669E.tmp not found!
File\Folder C:\WINDOWS\temp\fla8034.tmp not found!
File\Folder C:\WINDOWS\temp\fla8FE6.tmp not found!
File\Folder C:\WINDOWS\temp\IH5EC0.tmp not found!
File\Folder C:\WINDOWS\temp\IH77D7.tmp not found!
File\Folder C:\WINDOWS\temp\IH7E6A.tmp not found!
File\Folder C:\WINDOWS\temp\IH7E7F.tmp not found!
File\Folder C:\WINDOWS\temp\IH7E80.tmp not found!
File\Folder C:\WINDOWS\temp\IH7EAC.tmp not found!
File\Folder C:\WINDOWS\temp\IH91A5.tmp not found!
C:\WINDOWS\temp\jar_cache1452768472985460811.tmp moved successfully.
C:\WINDOWS\temp\jar_cache56576353077375588.tmp moved successfully.

Registry entries deleted on Reboot...
  • 0

#4
pch340

pch340

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Also is there any chance your fix did something related to my Google Chrome? Because I can't seem to start it up anymore after using the fix? The chrome install files seem to have vanished...

Edited by pch340, 17 August 2011 - 06:35 PM.

  • 0

#5
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi!

Also is there any chance your fix did something related to my Google Chrome? Because I can't seem to start it up anymore after using the fix? The chrome install files seem to have vanished...

I don't see anything in my fix that should have messed with Google Chrome.

We'll run a more powerful tool right now.


Running ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
  • IMPORTANT - Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

    Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
  • 0

#6
pch340

pch340

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Ok, not a huge deal, but ComboFix totally wiped out my Steam files...not sure what's up with that...
My computer is running fine, there are no sketchy processes. One thing that's bugging me is I can't install Chrome no matter what I do. I uninstalled it, erased the registry files, cleaned everything, but whenever I try to install, it just aborts halfway through with no error message. Very weird...

Anyway, here is the log:

ComboFix 11-08-18.02 - hello 08/18/2011 10:21:21.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1474 [GMT -4:00]
Running from: c:\documents and settings\hello\Desktop\ComboFix.exe
AV: AVG Internet Security 2011 *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ESET NOD32 antivirus system 2.70 *Disabled/Outdated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: AVG Firewall *Enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\78x2lqyf.default\extensions\{254a4bbf-ad80-4982-aceb-2a2ac946c393}
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\78x2lqyf.default\extensions\{254a4bbf-ad80-4982-aceb-2a2ac946c393}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\78x2lqyf.default\extensions\{254a4bbf-ad80-4982-aceb-2a2ac946c393}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\78x2lqyf.default\extensions\{254a4bbf-ad80-4982-aceb-2a2ac946c393}\install.rdf
c:\program files\messenger\msmsgsin.exe
c:\program files\Steam\Steam.exe
c:\windows\system32\system
.
.
((((((((((((((((((((((((( Files Created from 2011-07-18 to 2011-08-18 )))))))))))))))))))))))))))))))
.
.
2011-08-18 14:04 . 2011-08-18 14:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2011-08-18 06:17 . 2011-08-18 06:17 -------- d-sh--w- c:\documents and settings\hello\PrivacIE
2011-08-18 06:14 . 2011-08-18 06:14 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-08-18 06:13 . 2011-08-18 06:13 -------- d-sh--w- c:\documents and settings\hello\IETldCache
2011-08-18 06:09 . 2011-08-18 06:10 -------- dc-h--w- c:\windows\ie8
2011-08-18 03:17 . 2011-08-18 03:17 -------- d-----w- c:\documents and settings\hello\Local Settings\Application Data\VS Revo Group
2011-08-18 03:17 . 2009-12-30 15:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-08-18 03:17 . 2011-08-18 03:17 -------- d-----w- c:\program files\VS Revo Group
2011-08-18 02:57 . 2011-08-18 02:57 -------- d-----w- c:\program files\Common Files\Java
2011-08-18 00:37 . 2011-08-18 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-08-18 00:37 . 2011-08-18 00:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-08-17 22:51 . 2011-08-17 22:51 52736 ---ha-w- c:\windows\system32\calctson.dll
2011-08-17 22:40 . 2011-08-17 22:40 -------- d-----w- c:\documents and settings\hello\Application Data\DDMSettings
2011-08-17 22:36 . 2011-08-17 22:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-08-16 21:52 . 2011-08-16 21:52 -------- d-----w- C:\_OTL
2011-08-16 21:03 . 2011-08-16 21:03 -------- d-----w- c:\documents and settings\hello\Application Data\AVG10
2011-08-16 20:57 . 2011-08-16 20:57 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-08-16 20:55 . 2011-08-16 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-08-16 20:45 . 2011-08-16 20:45 -------- d-----w- c:\documents and settings\hello\Application Data\CTXfiHelp
2011-08-16 20:05 . 2011-08-16 20:07 -------- d-----w- C:\!KillBox
2011-08-16 19:58 . 2011-08-18 03:00 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-08-12 14:06 . 2011-08-12 14:06 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-08-05 13:35 . 2011-08-05 13:35 -------- d-----w- c:\program files\MSXML 6.0
2011-08-04 07:24 . 2011-08-04 07:34 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-08-04 07:23 . 2010-02-24 12:31 454016 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-08-04 07:21 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-08-04 07:21 . 2009-12-31 16:14 352640 -c----w- c:\windows\system32\dllcache\srv.sys
2011-08-04 07:18 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2011-08-04 07:18 . 2010-06-14 14:30 743936 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2011-08-04 07:16 . 2009-10-23 14:27 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
2011-08-04 07:12 . 2008-05-01 14:30 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2011-08-04 07:09 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2011-08-04 07:09 . 2008-10-15 16:57 332800 -c----w- c:\windows\system32\dllcache\netapi32.dll
2011-08-04 07:06 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2011-08-04 07:00 . 2011-08-06 10:09 -------- d--h--w- c:\windows\$hf_mig$
2011-08-03 19:49 . 2009-07-17 16:27 1435648 -c----w- c:\windows\system32\dllcache\query.dll
2011-08-03 19:49 . 2009-06-25 08:44 168448 -c----w- c:\windows\system32\dllcache\schannel.dll
2011-08-03 19:49 . 2010-02-05 18:40 1291264 -c----w- c:\windows\system32\dllcache\quartz.dll
2011-08-03 19:49 . 2009-11-27 17:33 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll
2011-08-03 19:49 . 2009-11-27 16:37 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll
2011-08-03 19:49 . 2009-11-27 16:37 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll
2011-08-03 19:49 . 2009-11-27 16:37 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll
2011-08-03 19:49 . 2009-11-27 16:37 11264 -c----w- c:\windows\system32\dllcache\msrle32.dll
2011-08-03 19:49 . 2010-03-05 14:57 65536 -c----w- c:\windows\system32\dllcache\asycfilt.dll
2011-08-03 19:49 . 2009-07-31 04:57 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2011-08-03 19:44 . 2011-08-03 19:44 -------- d-----w- c:\program files\PCD
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-27 02:36 . 2011-05-27 02:36 58656 ----a-r- c:\documents and settings\hello\Application Data\Microsoft\Installer\{91F9CE38-1D4B-4024-AB9B-C867CE65E946}\ARPPRODUCTICON.exe
2003-03-19 01:20 . 2003-03-19 01:20 1060864 ----a-w- c:\program files\mfc71.dll
2003-03-19 01:12 . 2003-03-19 01:12 1047552 ----a-w- c:\program files\mfc71u.dll
2003-03-19 00:44 . 2003-03-19 00:44 57344 ----a-w- c:\program files\MFC71ENU.DLL
2003-03-19 00:44 . 2003-03-19 00:44 49152 ----a-w- c:\program files\MFC71KOR.DLL
2003-03-19 00:44 . 2003-03-19 00:44 61440 ----a-w- c:\program files\MFC71ITA.DLL
2003-03-19 00:44 . 2003-03-19 00:44 61440 ----a-w- c:\program files\MFC71ESP.DLL
2003-03-19 00:44 . 2003-03-19 00:44 45056 ----a-w- c:\program files\MFC71CHT.DLL
2003-03-19 00:44 . 2003-03-19 00:44 40960 ----a-w- c:\program files\MFC71CHS.DLL
2003-03-19 00:44 . 2003-03-19 00:44 65536 ----a-w- c:\program files\MFC71DEU.DLL
2003-03-19 00:44 . 2003-03-19 00:44 61440 ----a-w- c:\program files\MFC71FRA.DLL
2003-03-19 00:44 . 2003-03-19 00:44 49152 ----a-w- c:\program files\MFC71JPN.DLL
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-08-18 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2010-08-19 949376]
"SigmatelSysTrayApp"="sttray.exe" [2007-05-06 405504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 131072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]
"MpsOnn"="c:\windows\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe" [2001-10-16 22528]
"UpdateReminder"="c:\program files\Eset\UpdateReminder.exe" [2011-08-12 462848]
"CTXfiHelp"="c:\documents and settings\hello\Application Data\CTXfiHelp\rundll32.exe" [2011-08-16 1531925]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Steam\\steamapps\\zoneyp\\counter-strike\\hl.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\steamapps\\pch340\\counter-strike\\hl.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
.
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [8/18/2010 10:10 PM 15424]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/25/2011 8:02 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/25/2011 8:02 PM 136176]
S3 PTHSBUS;PANTECH Handset USB Composite Device Driver (UDP);c:\windows\system32\drivers\PTHSBUS.sys [5/26/2011 10:36 PM 56976]
S3 PTHSMDM;PANTECH Handset Drivers (UDP);c:\windows\system32\drivers\PTHSMDM.sys [5/26/2011 10:36 PM 167824]
S3 PTHSVSP;PANTECH Handset Diagnostic Serial Port (UDP);c:\windows\system32\drivers\PTHSVSP.sys [5/26/2011 10:36 PM 167824]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [8/17/2011 11:17 PM 27064]
S4 Pantech UTM Service;Pantech UTM Service;c:\program files\PCD\Pantech\EUDL\UTM\PantechService.exe [11/23/2010 5:22 PM 65536]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - GUSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-08-18 14:04]
.
2011-08-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-26 22:18]
.
2011-08-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-26 22:18]
.
2011-08-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-115176313-839522115-1003Core.job
- c:\documents and settings\hello\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-18 04:17]
.
2011-08-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-115176313-839522115-1003UA.job
- c:\documents and settings\hello\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-18 04:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
TCP: DhcpNameServer = 192.168.1.1 71.250.0.12
FF - ProfilePath - c:\documents and settings\hello\Application Data\Mozilla\Firefox\Profiles\rimo9avw.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://vshare.toolbarhome.com/search.aspx?srch=ku&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\DivXHTML5
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Steam - c:\program files\Steam\Steam.exe
AddRemove-Steam App 10 - c:\program files\Steam\steam.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-18 10:25
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents]
@Denied: (Full) (LocalSystem)
"OOBETimer"=hex:a8,a4,8a,ce,90,83,66,91,89,5e,c0,8f
"LastWPAEventLogged"=hex:da,07,0c,00,04,00,09,00,14,00,37,00,0a,00,67,01
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(520)
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'lsass.exe'(576)
c:\windows\system32\imon.dll
.
Completion time: 2011-08-18 10:27:46
ComboFix-quarantined-files.txt 2011-08-18 14:27
.
Pre-Run: 15,934,533,632 bytes free
Post-Run: 16,102,408,192 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 0CE5A44F853633C751F66920AA7841DC

Edited by pch340, 18 August 2011 - 08:34 AM.

  • 0
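Reading the "Reg Loading Points" block of a ComboFix log by hand is fine for a dozen entries, but the check a helper actually performs is mechanical: does each Run value point at a location where installed software normally lives, and does a well-known Windows binary name appear somewhere other than system32? The script below is an added example, not part of this thread and not ComboFix's own code. It parses the Run-key lines in the format ComboFix prints, and the embedded sample copies a few entries from the log posted above. The trusted root directories, the short list of Windows binary names and the three heuristics are the example's own assumptions; a hit means "review this entry", not a verdict.

```python
"""Triage the Run-key entries from a ComboFix-style 'Reg Loading Points' block.

Added example (not from the forum thread or from ComboFix). Flags autostart
entries whose image lives in a user profile, outside the usual install roots,
or reuses a Windows binary name outside system32, so a reviewer can look at
those first.
"""
import re
from typing import Dict, List

# Constructed sample: the entries are copied from the ComboFix log posted
# above, in the exact line format ComboFix uses for Run keys.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-08-18 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2010-08-19 949376]
"SigmatelSysTrayApp"="sttray.exe" [2007-05-06 405504]
"MpsOnn"="c:\windows\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe" [2001-10-16 22528]
"CTXfiHelp"="c:\documents and settings\hello\Application Data\CTXfiHelp\rundll32.exe" [2011-08-16 1531925]
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)

# Assumed roots for an XP-era system with Windows on C:.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
PROFILE_ROOT = "c:\\documents and settings\\"
SYSTEM32 = "c:\\windows\\system32\\"
# A few binary names Windows itself installs under system32 (assumed list).
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "lsass.exe",
                   "winlogon.exe", "csrss.exe", "services.exe"}


def findings_for(path: str) -> List[str]:
    """Return review reasons for one image path (empty list means nothing odd)."""
    p = path.strip().lower()
    base = p.rsplit("\\", 1)[-1]
    out: List[str] = []
    if "\\" not in p:
        # Bare file name: Windows resolves it through the search path at logon.
        out.append("unqualified path (resolved via the search path at logon)")
        return out
    if p.startswith(PROFILE_ROOT):
        out.append("image lives in a user profile directory")
    elif not p.startswith(TRUSTED_ROOTS):
        out.append("image outside %SystemRoot% and Program Files")
    if base in SYSTEM_BINARIES and not p.startswith(SYSTEM32):
        out.append("system binary name outside system32")
    return out


def triage(log_text: str) -> List[Dict[str, object]]:
    """Parse Run-key blocks and return one record per entry with its findings."""
    key = None
    records: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)          # remember which hive/key we are under
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            records.append({
                "key": key,
                "name": m.group("name"),
                "path": m.group("cmd"),
                "date": m.group("date"),
                "size": int(m.group("size")),
                "findings": findings_for(m.group("cmd")),
            })
    return records


def flagged(log_text: str) -> List[Dict[str, object]]:
    """Only the entries that have at least one review reason."""
    return [r for r in triage(log_text) if r["findings"]]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        status = "REVIEW" if r["findings"] else "ok"
        print(f"{status:6} {r['name']:<20} {r['path']}")
        for reason in r["findings"]:
            print(f"       - {reason}")
```

On the sample, the Google, ESET and spooler entries pass, the bare `sttray.exe` is flagged because it has no directory, and the `rundll32.exe` copy under a user's Application Data folder is flagged twice (profile location, and a system binary name outside system32). Whether any flagged entry is actually malicious is a judgement the reviewer makes from the file itself; the script only orders the work.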

#7
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi!

Ok, not a huge deal, but ComboFix totally wiped out my Steam files...not sure what's up with that...

I'll restore that file for you in a little while.

What Anti-Virus program do you plan on using? ESET or AVG?


I would also like to see a list of files quarantined by ComboFix, so please do this:
Click Start > Run then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A text file should open. Post the contents of that file in your next reply.
  • 0

#8
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





