Big Problem With Google Redirect & csrss.exe Virus for XP



#1 jerosakireno (Member, 38 posts)

I'm not really sure if the two are related, but:

1- Every time I click a link from google, it redirects me to somewhere else.

2- Spybot keeps telling me I have something called Win32.Fakealert.ttam (C:\Documents&Settings\the...\local settings\temp\csrss.exe). I have read that this is different than the critical executable file found normally in Windows\System32; this one fakes as something critical, but it's just bad. I cannot delete it or remove it. I try to disable it in the system configuration utility, but it just keeps coming back every time.

I tried running Malwarebytes Anti-Malware, but all of a sudden, it crashed right in the middle of a scan. Now when I try to open MAM - I get this message: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

But I DO always have permissions... & I was just using MAM yesterday (I also tried running in safe mode & that didn't work either).

Then I tried running Hijackthis, which also crashed right in the middle of scanning, and again I get the same message when trying to re-open: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Ok so it seems that whatever it is - it's getting at all my programs and preventing me from opening them. Now I'm hesitant to try & open any other programs because I'm afraid they will gain control of that too & block me from it.

Spybot still runs fine though, & every time I run it - I always get the same two results:

(1)FILE - Win32.Fakealert.ttam
(SBI $7799464D) Executable
C:\Documents and Settings\theonyserpent\Local Settings\temp\csrss.exe

(2)REGISTRY CHANGE - Microsoft.WindowsSecurityCenter.AntiVirusOverride
(SBI $3604910C) Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride(is not)dword:0



So I check these off & fix them in Spybot, restart, then I get this message right when windows starts up:

"Windows cannot find 'C:\DOCUME-1\THEONY-1\LOCALS-1\Temp\csrss.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click Search."


I click "ok" then I get another message saying:

"Could not load or run 'C:\DOCUME-1\THEONY-1\LOCALS-1\Temp\csrss.exe' specified in the registry. Make sure the file exists on your computer or remove the reference to it in the registry."


So my guess is to first get rid of those two things that Spybot keeps finding, then fix it so I stop getting those Google redirects. Maybe I'm wrong, maybe they are tied together, I don't know, I just want to fix my computer! Please help!



SYSTEM INFORMATION:

Microsoft Windows XP Professional, Version 2002, Service Pack 2
Intel Pentium 4 CPU 2.60GHz, 2.59GHz, 512MB of RAM



#2 RKinner (Malware Expert, MVP, 20,031 posts)

ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

It must be saved to your desktop; do not run it yet.

Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html

Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on ComboFix to start the program.

* Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Ron

#3 jerosakireno (Topic Starter)

ComboFix 11-08-29.03 - theonyxserpent 08/30/2011 1:31.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.309 [GMT -4:00]
Running from: c:\documents and settings\theonyxserpent\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{1bea190a-a5a8-468d-b10f-c1c2166dd90c}
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{1bea190a-a5a8-468d-b10f-c1c2166dd90c}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{1bea190a-a5a8-468d-b10f-c1c2166dd90c}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{1bea190a-a5a8-468d-b10f-c1c2166dd90c}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{1bea190a-a5a8-468d-b10f-c1c2166dd90c}\install.rdf
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{20865922-f6b8-4386-bc6d-09cf3a167844}
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{20865922-f6b8-4386-bc6d-09cf3a167844}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{20865922-f6b8-4386-bc6d-09cf3a167844}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{20865922-f6b8-4386-bc6d-09cf3a167844}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{20865922-f6b8-4386-bc6d-09cf3a167844}\install.rdf
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{6e63418e-b8ef-434f-8d0e-55c24833d871}
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{6e63418e-b8ef-434f-8d0e-55c24833d871}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{6e63418e-b8ef-434f-8d0e-55c24833d871}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{6e63418e-b8ef-434f-8d0e-55c24833d871}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{6e63418e-b8ef-434f-8d0e-55c24833d871}\install.rdf
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{da24410f-e635-488c-bb93-4b2c818e15c6}
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{da24410f-e635-488c-bb93-4b2c818e15c6}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{da24410f-e635-488c-bb93-4b2c818e15c6}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{da24410f-e635-488c-bb93-4b2c818e15c6}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{da24410f-e635-488c-bb93-4b2c818e15c6}\install.rdf
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{f2901742-7aee-485b-881e-11e8906e3763}
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{f2901742-7aee-485b-881e-11e8906e3763}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{f2901742-7aee-485b-881e-11e8906e3763}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{f2901742-7aee-485b-881e-11e8906e3763}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{f2901742-7aee-485b-881e-11e8906e3763}\install.rdf
c:\documents and settings\All Users\Application Data\defender.exe
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{1bea190a-a5a8-468d-b10f-c1c2166dd90c}
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{1bea190a-a5a8-468d-b10f-c1c2166dd90c}\chrome.manifest
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{1bea190a-a5a8-468d-b10f-c1c2166dd90c}\chrome\xulcache.jar
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{1bea190a-a5a8-468d-b10f-c1c2166dd90c}\defaults\preferences\xulcache.js
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{1bea190a-a5a8-468d-b10f-c1c2166dd90c}\install.rdf
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{20865922-f6b8-4386-bc6d-09cf3a167844}
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{20865922-f6b8-4386-bc6d-09cf3a167844}\chrome.manifest
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{20865922-f6b8-4386-bc6d-09cf3a167844}\chrome\xulcache.jar
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{20865922-f6b8-4386-bc6d-09cf3a167844}\defaults\preferences\xulcache.js
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{20865922-f6b8-4386-bc6d-09cf3a167844}\install.rdf
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{6e63418e-b8ef-434f-8d0e-55c24833d871}
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{6e63418e-b8ef-434f-8d0e-55c24833d871}\chrome.manifest
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{6e63418e-b8ef-434f-8d0e-55c24833d871}\chrome\xulcache.jar
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{6e63418e-b8ef-434f-8d0e-55c24833d871}\defaults\preferences\xulcache.js
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{6e63418e-b8ef-434f-8d0e-55c24833d871}\install.rdf
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{da24410f-e635-488c-bb93-4b2c818e15c6}
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{da24410f-e635-488c-bb93-4b2c818e15c6}\chrome.manifest
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{da24410f-e635-488c-bb93-4b2c818e15c6}\chrome\xulcache.jar
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{da24410f-e635-488c-bb93-4b2c818e15c6}\defaults\preferences\xulcache.js
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{da24410f-e635-488c-bb93-4b2c818e15c6}\install.rdf
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{f2901742-7aee-485b-881e-11e8906e3763}
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{f2901742-7aee-485b-881e-11e8906e3763}\chrome.manifest
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{f2901742-7aee-485b-881e-11e8906e3763}\chrome\xulcache.jar
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{f2901742-7aee-485b-881e-11e8906e3763}\defaults\preferences\xulcache.js
c:\documents and settings\Mouth\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{f2901742-7aee-485b-881e-11e8906e3763}\install.rdf
c:\documents and settings\theonyxserpent\Application Data\47D2.A7B
c:\documents and settings\theonyxserpent\Application Data\dwm.exe
c:\documents and settings\theonyxserpent\Application Data\Microsoft\conhost.exe
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{1bea190a-a5a8-468d-b10f-c1c2166dd90c}
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{1bea190a-a5a8-468d-b10f-c1c2166dd90c}\chrome.manifest
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{1bea190a-a5a8-468d-b10f-c1c2166dd90c}\chrome\xulcache.jar
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{1bea190a-a5a8-468d-b10f-c1c2166dd90c}\defaults\preferences\xulcache.js
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{1bea190a-a5a8-468d-b10f-c1c2166dd90c}\install.rdf
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{20865922-f6b8-4386-bc6d-09cf3a167844}
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{20865922-f6b8-4386-bc6d-09cf3a167844}\chrome.manifest
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{20865922-f6b8-4386-bc6d-09cf3a167844}\chrome\xulcache.jar
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{20865922-f6b8-4386-bc6d-09cf3a167844}\defaults\preferences\xulcache.js
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{20865922-f6b8-4386-bc6d-09cf3a167844}\install.rdf
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{6e63418e-b8ef-434f-8d0e-55c24833d871}
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{6e63418e-b8ef-434f-8d0e-55c24833d871}\chrome.manifest
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{6e63418e-b8ef-434f-8d0e-55c24833d871}\chrome\xulcache.jar
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{6e63418e-b8ef-434f-8d0e-55c24833d871}\defaults\preferences\xulcache.js
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{6e63418e-b8ef-434f-8d0e-55c24833d871}\install.rdf
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{da24410f-e635-488c-bb93-4b2c818e15c6}
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{da24410f-e635-488c-bb93-4b2c818e15c6}\chrome.manifest
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{da24410f-e635-488c-bb93-4b2c818e15c6}\chrome\xulcache.jar
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{da24410f-e635-488c-bb93-4b2c818e15c6}\defaults\preferences\xulcache.js
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{da24410f-e635-488c-bb93-4b2c818e15c6}\install.rdf
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{f2901742-7aee-485b-881e-11e8906e3763}
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{f2901742-7aee-485b-881e-11e8906e3763}\chrome.manifest
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{f2901742-7aee-485b-881e-11e8906e3763}\chrome\xulcache.jar
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{f2901742-7aee-485b-881e-11e8906e3763}\defaults\preferences\xulcache.js
c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions\{f2901742-7aee-485b-881e-11e8906e3763}\install.rdf
c:\documents and settings\theonyxserpent\wbczjdzfrr.tmp
c:\windows\$NtUninstallKB58346$
c:\windows\$NtUninstallKB58346$\592837978
c:\windows\$NtUninstallKB58346$\639187468\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB58346$\639187468\click.tlb
c:\windows\$NtUninstallKB58346$\639187468\L\xcuixrhe
c:\windows\$NtUninstallKB58346$\639187468\loader.tlb
c:\windows\$NtUninstallKB58346$\639187468\U\@00000001
c:\windows\$NtUninstallKB58346$\639187468\U\@000000c0
c:\windows\$NtUninstallKB58346$\639187468\U\@000000cb
c:\windows\$NtUninstallKB58346$\639187468\U\@000000cf
c:\windows\$NtUninstallKB58346$\639187468\U\@80000000
c:\windows\$NtUninstallKB58346$\639187468\U\@800000c0
c:\windows\$NtUninstallKB58346$\639187468\U\@800000cb
c:\windows\$NtUninstallKB58346$\639187468\U\@800000cf
c:\windows\system32\c_16333.nls
.
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
Infected copy of c:\program files\Java\jre6\bin\jqs.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{C1610B7D-08C0-4A78-981D-4F6E8DFCA536}\RP33\A0015733.exe
.
Infected copy of c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE was found and disinfected
Restored copy from - c:\system volume information\_restore{C1610B7D-08C0-4A78-981D-4F6E8DFCA536}\RP33\A0015732.EXE
.
Infected copy of c:\windows\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{C1610B7D-08C0-4A78-981D-4F6E8DFCA536}\RP33\A0015731.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_26193a0c
.
.
((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-30 )))))))))))))))))))))))))))))))
.
.
2011-08-30 05:26 . 2008-08-14 10:34 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2011-08-30 05:26 . 2008-08-14 10:34 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-29 20:04 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-29 20:04 . 2011-08-29 20:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-29 20:04 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-25 23:54 . 2004-08-04 12:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2011-08-25 23:49 . 2011-08-25 23:49 -------- d-----w- c:\program files\Windows Media Connect 2
2011-08-25 23:17 . 2011-08-25 23:17 -------- d-----w- C:\0b567addfd69ab4749e4a2a6
2011-08-21 01:15 . 2011-08-21 01:15 -------- dc----w- c:\windows\system32\DRVSTORE
2011-08-21 01:14 . 2006-09-28 20:04 68888 ----a-w- c:\windows\system32\xinput1_3.dll
2011-08-21 00:28 . 2008-03-21 17:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2011-08-09 21:05 . 2004-08-04 03:07 59264 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2011-08-09 21:05 . 2004-08-04 03:07 59264 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-18 21:50 . 2011-05-31 02:09 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-22 03:14 . 2011-06-22 02:14 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-08-18 21:41 . 2011-05-10 03:01 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D187A56B-A33F-4CBE-9D77-459FC0BAE012}]
2010-01-18 19:28 815104 ----a-w- c:\program files\Burn4Free Toolbar\v3.3.0.3\Burn4Free_Toolbar.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2009-08-05 224712]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RandMAC"="c:\extracted\MadMACs\MadMACs.exe" [2008-08-06 253245]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-07 04:07 114688 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-04-07 04:19 155648 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-01-26 20:31 2144088 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-12-12 22:47 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/14/2009 1:20 PM 722416]
R3 {E6759E0C-470B-44DC-A4A1-627E68BB3A85};AIM 3.0 SI164;c:\windows\system32\drivers\a302.sys [5/10/2005 3:35 PM 11319]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys --> c:\windows\system32\DRIVERS\ewusbnet.sys [?]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [6/21/2011 10:14 PM 20552]
S3 VNCTEMP;Gencontrol WinVNC temporary service;c:\vnctemp\WinVNC.exe [6/16/2009 6:18 PM 469504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 17:42]
.
2011-08-30 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-12-12 22:47]
.
2011-07-13 c:\windows\Tasks\photostageShakeIcon.job
- c:\program files\NCH Software\PhotoStage\photostage.exe [2011-07-03 15:29]
.
2011-08-21 c:\windows\Tasks\videopadDowngrade.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2011-07-03 15:28]
.
2011-08-08 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2011-07-03 15:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:56848
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 56848
FF - prefs.js: network.proxy.type - 1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-30 07:01
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2696)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
c:\windows\system32\CCM\CcmExec.exe
.
**************************************************************************
.
Completion time: 2011-08-30 07:07:01 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-30 11:06
.
Pre-Run: 8,710,938,624 bytes free
Post-Run: 8,697,049,088 bytes free
.
- - End Of File - - 88545F7747CA47675AF901D500895F88

#4 RKinner (Malware Expert)

CF found and removed a nasty one.

You also have a malware proxy so let's fix that:

In IE, Tools, Internet Options, Connections, LAN Settings, then uncheck all boxes and OK. Close IE and restart IE.

In Firefox, Tools, Options, Advanced, Settings, check No Proxy then OK. Close Firefox and restart Firefox.

Now see if you can download and run OTL:

Download OTL from
http://www.geekstogo...timers-list-it/
and Save it to your desktop.

Run OTL (Vista or Win 7 => right click and Run As Administrator)

select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.

Ron
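The ComboFix log above and the OTL log that follows contain the three indicator classes this thread turns on: Windows system-process names (csrss.exe, plus dwm.exe and conhost.exe, which do not ship with XP at all) sitting in user-writable directories instead of %SystemRoot%\System32, a browser proxy pointing at 127.0.0.1, and a non-zero Security Center AntiVirusOverride value that silences the "no antivirus" warning. The Python below is an added example written for this page, not code from ComboFix, OTL or the forum; the indicator lists are the author's own heuristics and the sample log excerpts are constructed to mirror lines quoted in this thread. It reports whether a loopback proxy is live rather than assuming it, because IE's ProxyEnable and Firefox's network.proxy.type decide that and not every log prints them.

```python
"""Triage helpers for ComboFix / OTL style logs (added example, not part of the thread).

Everything here is constructed: the sample excerpts mirror lines quoted in the
thread but were assembled by hand, and the indicator lists are the author's own
heuristics, not output of either tool.
"""
import re

# Processes that on XP live only under %SystemRoot%\System32 (explorer.exe under
# %SystemRoot%). dwm.exe and conhost.exe do not exist on XP, so any file with those
# names on an XP box is suspect wherever it sits.
SYSTEM_PROCESS_NAMES = {
    "csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe", "services.exe",
    "svchost.exe", "wuauclt.exe", "explorer.exe", "dwm.exe", "conhost.exe",
}
LEGIT_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\system32\dllcache"}

# A drive-letter path ending in .exe; stops at quotes/brackets so OTL's
# "[date | size | ...]" prefixes and ComboFix's "name"="path" lines parse cleanly.
PATH_RE = re.compile(r'([a-z]:\\[^\r\n"\[\]]*?\.exe)(?![\w.])', re.I)
# Proxy settings as ComboFix prints them ("key = value", "key - value") and as
# OTL prints them ('"key" = value', 'key: "value"').
PROXY_KV_RE = re.compile(
    r'(ProxyEnable|ProxyServer|network\.proxy\.(?:http_port|http|type))\b["\']?\s*[-:=]\s*["\']?([^\s"\']+)',
    re.I,
)
AV_OVERRIDE_RE = re.compile(r'AntiVirusOverride"?\s*=\s*dword:0*([0-9a-f]+)', re.I)


def masquerading_executables(lines):
    """(name, path) for system-process names found outside their legitimate directory."""
    hits = []
    for line in lines:
        for path in PATH_RE.findall(line):
            parent, _, name = path.lower().rpartition("\\")
            if name in SYSTEM_PROCESS_NAMES and parent not in LEGIT_DIRS:
                hits.append((name, path))
    return hits


def loopback_proxies(lines):
    """(browser, host:port, state) for proxy settings that point at the local machine."""
    settings = {}
    for line in lines:
        m = PROXY_KV_RE.search(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    found = []
    ie = settings.get("proxyserver")
    if ie:
        hostport = ie.split("=")[-1]  # "http=127.0.0.1:56848" -> "127.0.0.1:56848"
        if hostport.startswith(("127.", "localhost")):
            state = {"1": "active", "0": "configured but disabled"}.get(
                settings.get("proxyenable"), "configured, enable state not in log")
            found.append(("IE", hostport, state))
    ff_host = settings.get("network.proxy.http")
    if ff_host and ff_host.startswith(("127.", "localhost")):
        state = "active" if settings.get("network.proxy.type") == "1" else "configured but disabled"
        found.append(("Firefox", f"{ff_host}:{settings.get('network.proxy.http_port', '?')}", state))
    return found


def security_center_override(lines):
    """True if Security Center's AntiVirusOverride value is non-zero (warning suppressed)."""
    for line in lines:
        m = AV_OVERRIDE_RE.search(line)
        if m:
            return int(m.group(1), 16) != 0
    return False


def triage(text):
    lines = text.splitlines()
    return {
        "masquerading": masquerading_executables(lines),
        "loopback_proxies": loopback_proxies(lines),
        "av_override": security_center_override(lines),
    }


# Constructed excerpts modelled on the ComboFix and OTL logs in this thread.
SAMPLE_COMBOFIX = r"""
c:\documents and settings\theonyxserpent\Application Data\dwm.exe
c:\documents and settings\theonyxserpent\Application Data\Microsoft\conhost.exe
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2009-08-05 224712]
"AntiVirusOverride"=dword:00000001
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:56848
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 56848
FF - prefs.js: network.proxy.type - 1
"""
SAMPLE_OTL = r"""
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:56848
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 56848
FF - prefs.js..network.proxy.type: 0
"""

if __name__ == "__main__":
    for label, sample in (("ComboFix", SAMPLE_COMBOFIX), ("OTL", SAMPLE_OTL)):
        print(label, triage(sample))
```

The state column is the part worth reading: in the ComboFix run Firefox had network.proxy.type 1 (proxy in use), while the later OTL log shows IE ProxyEnable = 0 and Firefox network.proxy.type 0, which is why the poster found nothing to untick in either browser's dialog. The leftover ProxyServer value is inert at that point but still worth clearing, so nothing can later switch it back on. The masquerade check also catches the orphaned autostart from the first post: a csrss.exe referenced under a user's Temp directory is flagged whether or not the file still exists.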

#5 jerosakireno (Topic Starter)

Ron, 1st I forgot to say hello, and thanks for helping me out here.

Ok, just wanted to let you know that I made no changes in either IE or Firefox (there were no boxes to uncheck in IE, and No Proxy was already selected in Firefox).

Here are my two OTL logs:

OTL.txt

OTL logfile created on: 8/30/2011 4:55:32 PM - Run 1
OTL by OldTimer - Version 3.2.26.7 Folder = C:\Documents and Settings\theonyxserpent\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.98 Mb Total Physical Memory | 284.70 Mb Available Physical Memory | 55.82% Memory free
1.21 Gb Paging File | 1.06 Gb Available in Paging File | 87.44% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 8.13 Gb Free Space | 21.82% Space Free | Partition Type: NTFS

Computer Name: WDT-BMARVELL | User Name: theonyxserpent | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/08/30 16:53:34 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\theonyxserpent\desktop\OTL.exe
PRC - [2009/08/05 06:17:12 | 000,204,800 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Pro\DTProShellHlp.exe
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/02/09 03:50:00 | 000,578,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe
PRC - [2006/02/09 03:50:00 | 000,248,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe


========== Modules (No Company Name) ==========

MOD - [2009/12/09 17:56:17 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/06/16 18:18:45 | 000,469,504 | ---- | M] (Constantin Kaplinsky) [On_Demand | Stopped] -- C:\VNCTEMP\WinVNC.exe -- (VNCTEMP)
SRV - [2008/12/10 15:46:58 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2006/02/09 03:50:00 | 000,578,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2006/02/09 03:50:00 | 000,248,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe -- (Wuser32)


========== Driver Services (SafeList) ==========

DRV - [2011/06/21 23:14:52 | 000,020,552 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hitmanpro35.sys -- (hitmanpro35)
DRV - [2009/12/14 17:20:33 | 000,722,416 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2006/02/09 03:50:00 | 000,020,704 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)
DRV - [2006/02/09 02:50:00 | 000,011,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\kbstuff5.sys -- (kbstuff)
DRV - [2006/02/09 02:50:00 | 000,008,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\idisw2km.sys -- (idisw2km)
DRV - [2005/11/24 19:51:38 | 000,245,248 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73)
DRV - [2005/02/01 18:18:38 | 000,017,992 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\bcm42rly.sys -- (BCM42RLY)
DRV - [2003/04/15 10:39:54 | 000,011,319 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\a302.sys -- ({E6759E0C-470B-44DC-A4A1-627E68BB3A85})
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 75 2B 18 06 84 C6 C5 4F 94 90 2C 04 01 93 77 62 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:56848

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://start.mozilla...en-US:official"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:1.10.01
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 56848
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/08/18 17:41:09 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/09 23:01:35 | 000,000,000 | ---D | M]

[2009/12/13 16:09:24 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\theonyxserpent\Application Data\Mozilla\Extensions
[2011/08/30 01:40:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\theonyxserpent\Application Data\Mozilla\Firefox\Profiles\og0g7s2n.default\extensions
[2010/10/08 23:58:07 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
() (No name found) -- C:\DOCUMENTS AND SETTINGS\THEONYXSERPENT\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\OG0G7S2N.DEFAULT\EXTENSIONS\[email protected]
[2009/12/12 18:47:36 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/08/18 17:41:09 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/05/09 23:01:17 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/08/30 07:01:15 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Burn4Free Toolbar Helper) - {D187A56B-A33F-4CBE-9D77-459FC0BAE012} - C:\Program Files\Burn4Free Toolbar\v3.3.0.3\Burn4Free_Toolbar.dll ()
O4 - HKLM..\Run: [RandMAC] C:\extracted\MadMACs\MadMACs.exe ()
O4 - HKCU..\Run: [DAEMON Tools Pro Agent] C:\Program Files\DAEMON Tools Pro\DTProAgent.exe (DT Soft Ltd)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.micros...ntent/opuc2.cab (Office Update Installation Engine)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1232729059632 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = onyx
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/05/10 14:57:30 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/08/30 16:53:35 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\theonyxserpent\Desktop\OTL.exe
[2011/08/30 16:47:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2011/08/30 01:26:05 | 000,138,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\afd.sys
[2011/08/30 01:22:01 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/08/30 01:22:01 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/08/30 01:22:01 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/08/30 01:22:01 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/08/30 01:16:29 | 004,189,688 | R--- | C] (Swearware) -- C:\Documents and Settings\theonyxserpent\Desktop\ComboFix.exe
[2011/08/29 16:04:34 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/08/29 16:04:28 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/08/29 16:04:28 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/08/25 19:50:51 | 000,016,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2011/08/25 19:49:53 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Media Connect 2
[2011/08/25 19:17:14 | 000,000,000 | ---D | C] -- C:\0b567addfd69ab4749e4a2a6
[2011/08/23 20:05:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\theonyxserpent\Desktop\The Last Emperor - Heaven_data
[2011/08/20 21:15:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2011/08/20 21:14:44 | 000,068,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_3.dll
[2011/08/20 20:28:58 | 000,014,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsgXP_2k3.dll
[2011/08/20 11:58:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\theonyxserpent\My Documents\My Writings
[2011/08/15 13:18:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\theonyxserpent\Desktop\SNES
[2011/08/09 17:05:21 | 000,059,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbaudio.sys
[2011/07/31 18:03:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\theonyxserpent\Desktop\Funny Pics
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/08/30 16:55:19 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/08/30 16:53:34 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\theonyxserpent\Desktop\OTL.exe
[2011/08/30 16:46:41 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/08/30 16:46:39 | 000,000,330 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
[2011/08/30 16:46:29 | 000,000,386 | ---- | M] () -- C:\WINDOWS\SMSCFG.ini
[2011/08/30 16:46:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/08/30 07:12:08 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2011/08/30 07:01:15 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/08/30 01:16:27 | 004,189,688 | R--- | M] (Swearware) -- C:\Documents and Settings\theonyxserpent\Desktop\ComboFix.exe
[2011/08/29 18:55:34 | 000,087,552 | ---- | M] () -- C:\Documents and Settings\theonyxserpent\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/08/29 18:27:48 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/08/29 17:50:02 | 000,001,183 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/08/29 16:04:35 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/08/29 12:24:39 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/08/25 19:54:43 | 000,000,800 | ---- | M] () -- C:\Documents and Settings\theonyxserpent\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/08/25 19:54:43 | 000,000,782 | ---- | M] () -- C:\Documents and Settings\theonyxserpent\Desktop\Windows Media Player.lnk
[2011/08/25 19:51:00 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/08/25 19:50:15 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2011/08/25 19:50:15 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2011/08/25 19:48:10 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2011/08/23 20:38:19 | 000,038,530 | ---- | M] () -- C:\Documents and Settings\theonyxserpent\Desktop\The Last Emperor - Heaven.aup
[2011/08/23 20:36:59 | 005,702,780 | ---- | M] () -- C:\Documents and Settings\theonyxserpent\Desktop\The Last Emperor - Heaven (remixed).mp3
[2011/08/23 20:05:32 | 000,021,290 | ---- | M] () -- C:\Documents and Settings\theonyxserpent\Desktop\The Last Emperor - Heaven.aup.bak
[2011/08/20 20:29:31 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_xusb21_01007.Wdf
[2011/08/20 20:29:29 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
[2011/08/20 20:23:33 | 000,000,298 | ---- | M] () -- C:\WINDOWS\tasks\videopadDowngrade.job
[2011/08/18 17:50:53 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/08/14 10:02:05 | 000,000,741 | ---- | M] () -- C:\Documents and Settings\theonyxserpent\Desktop\Glary Utilities.lnk
[2011/08/12 06:44:42 | 000,000,197 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2011/08/08 17:30:14 | 000,000,298 | ---- | M] () -- C:\WINDOWS\tasks\videopadShakeIcon.job
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/08/30 01:22:01 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/08/30 01:22:01 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/08/30 01:22:01 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/08/30 01:22:01 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/08/30 01:22:01 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/08/29 16:04:35 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/08/27 21:39:38 | 005,702,780 | ---- | C] () -- C:\Documents and Settings\theonyxserpent\Desktop\The Last Emperor - Heaven (remixed).mp3
[2011/08/23 20:05:32 | 000,038,530 | ---- | C] () -- C:\Documents and Settings\theonyxserpent\Desktop\The Last Emperor - Heaven.aup
[2011/08/23 20:05:32 | 000,021,290 | ---- | C] () -- C:\Documents and Settings\theonyxserpent\Desktop\The Last Emperor - Heaven.aup.bak
[2011/08/20 20:29:31 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_xusb21_01007.Wdf
[2011/08/20 20:29:29 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
[2011/07/17 03:05:02 | 000,000,197 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2011/06/21 22:14:19 | 000,020,552 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/05/22 12:46:25 | 000,001,183 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/01/31 00:04:34 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/11/19 01:00:37 | 000,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2010/11/19 01:00:32 | 000,755,027 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/11/19 01:00:32 | 000,159,839 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/11/19 01:00:31 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2010/11/19 01:00:30 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010/10/15 21:39:54 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/12/12 17:49:31 | 000,002,733 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
[2007/06/04 16:51:33 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/03/23 15:59:00 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/11/07 14:25:34 | 000,001,751 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/10/25 11:25:47 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\SVSetup.Exe
[2006/10/25 11:25:46 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\SVSetup.dll
[2006/10/25 11:25:45 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\SSCoInst.exe
[2006/10/25 11:25:44 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\SSCoInst.dll
[2006/10/25 11:25:31 | 000,020,594 | ---- | C] () -- C:\WINDOWS\System32\Dels3LMK.DLL
[2006/10/12 11:51:49 | 000,006,454 | ---- | C] () -- C:\WINDOWS\solomon.ini
[2006/10/12 11:25:50 | 000,100,352 | ---- | C] () -- C:\WINDOWS\System32\pg32conv.dll
[2006/10/12 11:25:29 | 001,128,448 | ---- | C] () -- C:\WINDOWS\System32\sbl.dll
[2006/10/12 11:25:27 | 000,496,640 | ---- | C] () -- C:\WINDOWS\System32\tls7012d.dll
[2005/05/10 16:41:41 | 000,000,546 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/05/10 16:24:15 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2005/05/10 16:24:09 | 000,099,965 | ---- | C] () -- C:\WINDOWS\UninstallFirefox.exe
[2005/05/10 16:24:00 | 000,004,147 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2005/05/10 15:43:28 | 000,000,386 | ---- | C] () -- C:\WINDOWS\SMSCFG.ini
[2005/05/10 15:40:10 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\e1000msg.dll
[2005/05/10 15:00:47 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/05/10 14:53:16 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/05/10 10:24:45 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/05/10 10:23:14 | 000,255,064 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/10/08 04:47:08 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2004/09/29 01:46:40 | 000,087,552 | ---- | C] () -- C:\Documents and Settings\theonyxserpent\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/08/04 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 08:00:00 | 000,384,976 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 08:00:00 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\netid.dll
[2004/08/04 08:00:00 | 000,054,184 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 08:00:00 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2004/08/04 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

< End of report >




AND HERE IS THE OTHER ONE:

Extras.txt

OTL Extras logfile created on: 8/30/2011 4:55:32 PM - Run 1
OTL by OldTimer - Version 3.2.26.7 Folder = C:\Documents and Settings\theonyxserpent\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.98 Mb Total Physical Memory | 284.70 Mb Available Physical Memory | 55.82% Memory free
1.21 Gb Paging File | 1.06 Gb Available in Paging File | 87.44% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 8.13 Gb Free Space | 21.82% Space Free | Partition Type: NTFS

Computer Name: WDT-BMARVELL | User Name: theonyxserpent | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (All) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- "%1" %*
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.cmd [@ = cmdfile] -- "%1" %*
.com [@ = ComFile] -- "%1" %*
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.exe [@ = exefile] -- "%1" %*
.hlp [@ = hlpfile] -- C:\WINDOWS\System32\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINDOWS\System32\mshta.exe (Microsoft Corporation)
.html [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
.js [@ = JSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.pif [@ = piffile] -- "%1" %*
.reg [@ = regfile] -- C:\WINDOWS\regedit.exe (Microsoft Corporation)
.scr [@ = scrfile] -- "%1" /S
.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- winhlp32.exe %1 (Microsoft Corporation)
hlpfile [open] -- %SystemRoot%\System32\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
InternetShortcut [print] -- rundll32.exe C:\WINDOWS\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wshfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 0
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:TCP" = 1900:TCP:LocalSubNet:Enabled:UDP 1900

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\digest32.exe" = C:\WINDOWS\system32\digest32.exe:*:Enabled:Windows Update Service
"C:\WINDOWS\system32\msctf32.exe" = C:\WINDOWS\system32\msctf32.exe:*:Enabled:Windows Update Service
"C:\WINDOWS\system32\dpnaddr32.exe" = C:\WINDOWS\system32\dpnaddr32.exe:*:Enabled:Windows Update Service
"C:\WINDOWS\system32\schedsvc32.exe" = C:\WINDOWS\system32\schedsvc32.exe:*:Enabled:Windows Update Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{015C5B35-B678-451C-9AEE-821E8D69621C}_is1" = PeerBlock 1.1 (r518)
"{1727CD47-A408-11d2-AFAD-00C04F72FB3E}" = VBA (3610)
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}" = Google Earth
"{74EC78BC-B379-4E29-9006-8F161DCAABA6}" = Apple Software Update
"{83AD5E71-80C0-4818-B6E4-CA2607B6A141}" = SMS Advanced Client
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}" = QuickTime
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0.8
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240BB}" = WinZip 14.0
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"ASIO4ALL" = ASIO4ALL
"Audacity_is1" = Audacity 1.2.6
"Burn4Free" = Burn4Free CD and DVD
"Burn4Free Toolbar" = Burn4Free Toolbar
"CleanUp!" = CleanUp!
"Collab" = Collab
"DVD Flick_is1" = DVD Flick 1.3.0.7
"ESET Online Scanner" = ESET Online Scanner v3
"FL Studio 8" = FL Studio 8
"Free Convert to DIVX AVI WMV MP4 MPEG Converter_is1" = Free Convert to DIVX AVI WMV MP4 MPEG Converter 5.8
"FREE Hi-Q Recorder_is1" = FREE Hi-Q Recorder 1.92
"Glary Utilities_is1" = Glary Utilities 2.36.0.1232
"Heroes of Might and Magic IV" = Heroes of Might and Magic® IV
"HitmanPro35" = Hitman Pro 3.5
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"IL Download Manager" = IL Download Manager
"KLiteCodecPack_is1" = K-Lite Codec Pack 4.0.0 (Full)
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox 6.0 (x86 en-US)" = Mozilla Firefox 6.0 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PhotoStage" = PhotoStage Slideshow Producer
"PoiZone" = PoiZone
"PROSet" = Intel® PRO Network Adapters and Drivers
"ShockwaveFlash" = Adobe Flash Player 9
"Toxic Biohazard" = Toxic Biohazard
"uTorrent" = µTorrent
"VideoPad" = VideoPad Video Editor
"ViewpointMediaPlayer" = Viewpoint Media Player
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinFF_is1" = WinFF 1.3.2
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"QUICKMEDIACONVERTER" = Quick Media Converter

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/29/2011 1:15:54 PM | Computer Name = WDT-BMARVELL | Source = Application Error | ID = 1000
Description = Faulting application dwm.exe, version 0.0.0.0, faulting module ntdll.dll,
version 5.1.2600.3520, fault address 0x00011a5e.

Error - 8/29/2011 1:17:57 PM | Computer Name = WDT-BMARVELL | Source = Application Error | ID = 1000
Description = Faulting application conhost.exe, version 0.0.0.0, faulting module
ntdll.dll, version 5.1.2600.3520, fault address 0x00011a5e.

Error - 8/29/2011 1:18:18 PM | Computer Name = WDT-BMARVELL | Source = Application Error | ID = 1000
Description = Faulting application dwm.exe, version 0.0.0.0, faulting module ntdll.dll,
version 5.1.2600.3520, fault address 0x00011a5e.

Error - 8/29/2011 7:07:01 PM | Computer Name = WDT-BMARVELL | Source = Application Hang | ID = 1002
Description = Hanging application moviemk.exe, version 2.1.4027.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 8/29/2011 7:20:17 PM | Computer Name = WDT-BMARVELL | Source = Application Hang | ID = 1002
Description = Hanging application moviemk.exe, version 2.1.4027.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 8/29/2011 7:21:17 PM | Computer Name = WDT-BMARVELL | Source = Application Hang | ID = 1002
Description = Hanging application moviemk.exe, version 2.1.4027.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 8/29/2011 7:31:08 PM | Computer Name = WDT-BMARVELL | Source = Application Hang | ID = 1002
Description = Hanging application moviemk.exe, version 2.1.4027.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 8/29/2011 7:34:11 PM | Computer Name = WDT-BMARVELL | Source = Application Hang | ID = 1002
Description = Hanging application moviemk.exe, version 2.1.4027.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 8/29/2011 7:35:06 PM | Computer Name = WDT-BMARVELL | Source = Application Hang | ID = 1002
Description = Hanging application moviemk.exe, version 2.1.4027.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 8/29/2011 7:36:04 PM | Computer Name = WDT-BMARVELL | Source = Application Hang | ID = 1002
Description = Hanging application moviemk.exe, version 2.1.4027.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 8/30/2011 1:43:41 AM | Computer Name = WDT-BMARVELL | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 30 minutes. NtpClient has no source of accurate
time.

Error - 8/30/2011 1:44:49 AM | Computer Name = WDT-BMARVELL | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 8/30/2011 1:44:49 AM | Computer Name = WDT-BMARVELL | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 8/30/2011 1:59:49 AM | Computer Name = WDT-BMARVELL | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 30 minutes. NtpClient has no source of accurate
time.

Error - 8/30/2011 2:29:50 AM | Computer Name = WDT-BMARVELL | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 60 minutes. NtpClient has no source of accurate
time.

Error - 8/30/2011 3:29:50 AM | Computer Name = WDT-BMARVELL | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 120 minutes. NtpClient has no source of accurate
time.

Error - 8/30/2011 5:29:50 AM | Computer Name = WDT-BMARVELL | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 240 minutes. NtpClient has no source of accurate
time.

Error - 8/30/2011 4:46:13 PM | Computer Name = WDT-BMARVELL | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.41 for the Network Card with network
address 0017EE4FA68F has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 8/30/2011 4:46:19 PM | Computer Name = WDT-BMARVELL | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 8/30/2011 4:46:19 PM | Computer Name = WDT-BMARVELL | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.


< End of report >

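Added example (Python), not part of the forum thread or of OTL: a small parser for the "Last 10 Event Log Errors" records in the report above that pulls out the faulting image and file version from each Application Error / Application Hang entry and flags the ones a responder would look at first. Two details in the posted log matter: dwm.exe and conhost.exe are reported with version 0.0.0.0, and neither name belongs to a Windows XP install (Desktop Window Manager arrived with Vista, conhost.exe with Windows 7), so on an XP host a process by either name is not the Microsoft component. The sample lines are constructed copies of the log format; the "not shipped with XP" list and the 0.0.0.0 heuristic are assumptions for this example.

```python
"""Triage of the 'Last 10 Event Log Errors' section of an OTL report.

Added example for this thread; it is not part of OTL or of the forum posts.
It parses records of the form

    Error - <date> | Computer Name = <host> | Source = <source> | ID = <id>
    Description = Faulting application <image>, version <ver>, faulting module ...

and flags crashes that deserve a second look on a Windows XP host: images
that are not shipped with XP at all, and images whose file version is
0.0.0.0 (no version resource, which shipped Microsoft binaries normally carry).
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the same format as the log above (three records).
SAMPLE_LOG = """\
Error - 8/29/2011 1:15:54 PM | Computer Name = WDT-BMARVELL | Source = Application Error | ID = 1000
Description = Faulting application dwm.exe, version 0.0.0.0, faulting module ntdll.dll,
version 5.1.2600.3520, fault address 0x00011a5e.

Error - 8/29/2011 1:17:57 PM | Computer Name = WDT-BMARVELL | Source = Application Error | ID = 1000
Description = Faulting application conhost.exe, version 0.0.0.0, faulting module
ntdll.dll, version 5.1.2600.3520, fault address 0x00011a5e.

Error - 8/29/2011 7:07:01 PM | Computer Name = WDT-BMARVELL | Source = Application Hang | ID = 1002
Description = Hanging application moviemk.exe, version 2.1.4027.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.
"""

# Process names that only exist in later Windows releases (dwm.exe arrived
# with Vista, conhost.exe with Windows 7). On XP a process by one of these
# names is not the Microsoft component. Assumed list for this example.
NOT_SHIPPED_WITH_XP = frozenset({"dwm.exe", "conhost.exe"})

HEADER_RE = re.compile(
    r"^Error - (?P<when>.+?) \| Computer Name = (?P<host>\S+) "
    r"\| Source = (?P<source>.+?) \| ID = (?P<event_id>\d+)$"
)
DESC_RE = re.compile(
    r"^Description = (?:Faulting|Hanging) application (?P<image>\S+?), "
    r"version (?P<version>[\d.]+),"
)


@dataclass(frozen=True)
class CrashRecord:
    when: str
    host: str
    source: str
    event_id: int
    image: str
    version: str


def parse_records(text):
    """Pair each 'Error - ...' header with the Description line that follows it."""
    records, header = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
            continue
        m = DESC_RE.match(line)
        if m and header is not None:
            records.append(CrashRecord(
                when=header["when"], host=header["host"], source=header["source"],
                event_id=int(header["event_id"]),
                image=m["image"].lower(), version=m["version"]))
            header = None  # one description per header
    return records


def suspicious(records):
    """Records whose crashing image is not an XP binary or has no version resource."""
    return [r for r in records
            if r.image in NOT_SHIPPED_WITH_XP or r.version == "0.0.0.0"]


def crash_counts(records):
    """How often each image appears; useful when one binary crashes repeatedly."""
    return Counter(r.image for r in records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for r in suspicious(recs):
        print(f"{r.when}: {r.source} {r.event_id} {r.image} v{r.version}")
```

On the posted log this reports the two dwm.exe crashes and the conhost.exe crash and leaves the Movie Maker hangs alone (moviemk.exe has a real version, 2.1.4027.0; the 0.0.0.0 in those entries belongs to the placeholder hang module, not the image). The next step a responder would take is to locate the file behind each flagged name (Process Explorer shows the full path) rather than trusting the name.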

#6 RKinner (Malware Expert, Expert, 20,031 posts, MVP)

1. Right-click your clock, and then click Adjust Date/Time.

2. Click the Internet Time tab. Click the Server down arrow, and then click time.nist.gov. Notice that Internet time synchronization is enabled by default.

3. Click Update Now. Windows XP contacts the Internet time server and sets your clock. Click OK.

Does it say it worked or do you get an error?


Clear the Java Cache by following the instructions on
http://www.java.com/...lugin_cache.xml

You do not have the latest Java.
First go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
I see:
Java™ 6 Update 17
J2SE Runtime Environment 5.0 Update 11

Get the latest Java at:
http://www.java.com/en/

Save it to your PC, then close all browsers and install it. Do not let it install the Yahoo toolbar or other foistware.


Copy the text in the code box by highlighting and Ctrl + c

:processes
killallprocesses

:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:56848
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 56848
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)

:files
xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C

:Commands
[purity]
[EMPTYFLASH] 
[CLEARALLRESTOREPOINTS] 
[Reboot]

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all, and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Download and Save the free Avast installer.
http://www.avast.com...ivirus-download
Download and save the norton removal tool
ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe
Uninstall Symantec (save the product license key in case you decide to reinstall it: http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN&ln=en_US)

Run the Norton Removal tool.

Reboot

Install Avast. (Register when it asks you - they will try to talk you in to buying the full product but the free version is what we want.)

Once you have it installed and it has updated:

Click on the Avast ball. Then click on Scan Computer, then on
Boot-Time Scan then on Settings. Change the Ask at the bottom to Move to Chest. OK then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. How many did it find?

Ron
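Added example (Python), not part of the thread or of OTL: the OTL fix above removes an Internet Explorer ProxyServer value and two Firefox prefs.js entries that all pointed at 127.0.0.1:56848, that is, a proxy running on the victim's own machine, which is how every browser request could be rewritten to produce the "Google redirect". The code below reproduces that check offline. It parses the IE ProxyServer value syntax and prefs.js user_pref lines and reports every proxy whose host is a loopback address. The inputs are constructed samples in the formats OTL reported; on a live system they would be read from the HKCU Internet Settings ProxyServer value and the Firefox profile's prefs.js, and the function and constant names are this example's own.

```python
"""Detect a loopback proxy hijack in Internet Explorer and Firefox settings.

Added example for this thread; not part of OTL or of the forum posts. It
parses the IE 'ProxyServer' value syntax and Firefox prefs.js 'user_pref'
lines and reports every proxy whose host is a loopback address.
Live sources (not read here):
  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
  <Firefox profile>\prefs.js
"""
import ipaddress
import re

# Constructed samples in the formats OTL reported above.
IE_PROXY_SERVER = "http=127.0.0.1:56848"
FIREFOX_PREFS = """\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 56848);
user_pref("browser.startup.homepage", "about:home");
"""

USER_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
FIREFOX_SCHEMES = ("http", "ssl", "ftp", "socks")


def is_loopback(host):
    """True for 'localhost', 127.0.0.0/8 and ::1 (with or without brackets)."""
    if host.strip().lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip().strip("[]")).is_loopback
    except ValueError:
        return False


def parse_ie_proxy_server(value):
    """IE stores ProxyServer either as 'host:port' (one proxy for all
    protocols) or as a ';'-separated list of 'scheme=host:port'.
    Returns {scheme: (host, port)}; '*' stands for all protocols."""
    proxies = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep:
            host, port = hostport, ""
        proxies[scheme or "*"] = (host, int(port) if port.isdigit() else None)
    return proxies


def parse_prefs_js(text):
    """Minimal prefs.js reader: strings, booleans and integers."""
    prefs = {}
    for line in text.splitlines():
        m = USER_PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            prefs[key] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs


def firefox_proxy_enabled(prefs):
    """network.proxy.type 1 means 'manual proxy configuration' is in force."""
    return prefs.get("network.proxy.type") == 1


def loopback_proxies(ie_value, prefs_text):
    """Findings as (browser, scheme, host, port) for every loopback proxy."""
    findings = []
    for scheme, (host, port) in parse_ie_proxy_server(ie_value).items():
        if is_loopback(host):
            findings.append(("ie", scheme, host, port))
    prefs = parse_prefs_js(prefs_text)
    for scheme in FIREFOX_SCHEMES:
        host = prefs.get(f"network.proxy.{scheme}")
        if host and is_loopback(host):
            findings.append(("firefox", scheme, host,
                             prefs.get(f"network.proxy.{scheme}_port")))
    return findings


if __name__ == "__main__":
    for browser, scheme, host, port in loopback_proxies(IE_PROXY_SERVER, FIREFOX_PREFS):
        print(f"{browser}: {scheme} traffic proxied through {host}:{port}")
```

A loopback proxy is not proof of infection on its own: debugging proxies and some antivirus web shields also listen on 127.0.0.1. The confirming step is to find the process bound to that port (`netstat -ano` on XP prints the owning PID, and Process Explorer maps the PID to a path) and check that it is something the user installed on purpose. For Firefox, a loopback entry only takes effect when network.proxy.type is 1, which `firefox_proxy_enabled` reports.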

#7 jerosakireno (Topic Starter, Member, 38 posts)

Regarding the clock: I followed all the instructions. It neither said that it worked nor gave me any error messages; I just clicked "OK" and it closed. I'm assuming it worked.

I cleared the Java cache, removed the previous versions of Java, and installed the latest version.

And here is the OTL log:



========== PROCESSES ==========
All processes killed
========== OTL ==========
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Prefs.js: "127.0.0.1" removed from network.proxy.http
Prefs.js: 56848 removed from network.proxy.http_port
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
========== FILES ==========
< xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\theonyxserpent\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\theonyxserpent\Desktop\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\theonyxserpent\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\theonyxserpent\Desktop\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\theonyxserpent\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\theonyxserpent\Desktop\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\theonyxserpent\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\theonyxserpent\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: Mouth
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

User: theonyxserpent
->Flash cache emptied: 470 bytes

Total Flash Files Cleaned = 0.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.26.7 log created on 08302011_185543

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


#8 RKinner (Malware Expert, Expert, 20,031 posts, MVP)

Is there some reason you do not have Service Pack 3 for XP?

Sort of dangerous not to have it. It's a lot more secure. Do you have an Intel or an AMD CPU? If you don't know, then give me the make and model of your PC.

Ron

#9 jerosakireno (Topic Starter, Member, 38 posts)

-You said to uninstall Symantec, but I do not see that anywhere on my computer. Were you saying that by using the Norton Removal Tool it would also be uninstalling Symantec? Or are they two different tasks?

-I'm not sure why I do not have service pack 3. I guess I'll do that next.

-Earlier today I scanned with Avast. My screen turned blue and it was scanning for quite a while; I did notice a couple of things listed as corrupted. It was taking a long time to scan, though, and I had to leave, so I left for a while and let it scan. I came back home and there it was on my welcome screen (it had rebooted). I entered my name and password as normal and it brought me to my desktop; nothing out of the ordinary, no logs of any scan or anything that said "scan successful". Now I click on the Avast ball, which brings me to the interface. I do not see anything regarding logs of the scan. I tried right-clicking on the ball and I still don't see anything like that. I'm not sure if it scanned completely, and I'm not sure if I should scan again?

#10 RKinner (Malware Expert, Expert, 20,031 posts, MVP)

You can skip the part about uninstalling Symantec. It has already been uninstalled, but it left some stuff behind, like it usually does, which is why you should run the Norton Removal Tool.

Click on the Avast ball (Avast will open in a new window) then on Scan Computer. Below where it says Scan Computer you should now see Boot time Scan and Scan Logs. Click on Scan Logs. There should be a list of scan logs. Click on the last one. View Results.

The best scan is the boot-time scan:

Click on the Avast ball. Then click on Scan Computer, then on
Boot-Time Scan then on Settings. Change the Ask at the bottom to Move to Chest. OK then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. How many did it find?

Ron

#11 jerosakireno (Topic Starter, Member, 38 posts)

Aha, there it is, why thank you. Here are the listed threats. All actions moved to chest. All actions successful.

C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE.vir
C:\Qoobox\Quarantine\C\Program Files\Java\jre6\bin\jqs.exe.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\wuauclt.exe.vir

Edited by jerosakireno, 31 August 2011 - 03:18 PM.


#12 RKinner (Malware Expert, Expert, 20,031 posts, MVP)

Just stuff Combofix had already killed. Nothing new.

Any problems left?

Ron

#13 jerosakireno (Topic Starter, Member, 38 posts)

Still a little slow... There is a really big delay on things when I click on them too.

Avast won't update either; every time it tries, it says it fails. But I guess that doesn't matter because it's only a trial, right?

#14 RKinner (Malware Expert, Expert, 20,031 posts, MVP)

Avast not updating is a bad sign, unless it is saying that your registration has expired, which should not have happened yet since we just installed it. It's not a trial. It's free for a year if you register with them. After a year they ask you to register again, but you can still register for free for another year.

1. Double-click My Computer, and then right-click the hard disk that you want to check (C:).
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check Disk options is displayed.
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, but don't restart yet.

Start, Run, eventvwr.msc, OK to bring up the Event Viewer. Right click on System and Clear All Events, No (we don't want to save the old log), OK. Repeat for Application. Reboot. The disk check will run and will probably take an hour or more to finish.

Start, Run, sigverif, OK

Press Start. This will check your drivers. If you just get a few when it finishes, tell me what they are. If you get a lot, just look for those with newish dates (since about the time the problem started).


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Double-click VEW.exe
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.


Click on the Avast ball. Then click on Additional Protections then on AutoSandbox then on Settings then uncheck Enable AutoSandbox. OK

Right click on the Avast Ball and select Avast! Shields Control and Disable Until Computer is Restarted

Run Combofix again and post the log.


Get Process Explorer

http://live.sysinter...com/procexp.exe

Save it to your desktop then run it (Vista or Win7 - right click and Run As Administrator). Click once or twice on the CPU column header to sort things by CPU usage with the big hitters at the top. File, Save As, Save. Open the file Procexp.txt on your desktop and copy and paste the text to a reply.


Ron

#15 jerosakireno (Topic Starter, Member, 38 posts)

No, it's not saying that it has expired. Every now and then I get a pop-up in the lower right-hand side of my screen telling me that the update was unsuccessful. I click on it and it shows that it's trying to connect to the server but it can't.

I ran eventvwr.msc, & when I came back to my computer it was back on the welcome (log in) screen. I didn't get any logs or notices of anything after logging in.

Then I ran sigverif, where it found 81 unsigned files but it also said 1183 files not scanned. All of the unsigned files were from 2005-2007, I don't think I even had this computer then.

Then I ran VEW & got this:



Vino's Event Viewer v01c run on Windows XP in English
Report run at 02/09/2011 4:56:07 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 02/09/2011 3:38:01 PM
Type: warning Category: 0
Event: 1003 Source: Dhcp
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0086054C99C7. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.



---OH & ONE MORE THING---

I still can't run Malwarebytes Anti-Malware. I still get that error message telling me I don't have appropriate permission.

Edited by jerosakireno, 02 September 2011 - 03:09 PM.
