Trojan-Clicker.win32.Small.kj infection



#1
t_coop

I'm getting many virus alerts from Vista Antivirus 2012. Some messages are asking me to register Vista Antivirus 2012. Others refer to Trojan-Clicker.win32.Small.kj as trying to take over the system. I have not responded to any of these messages. I'm not able to start Firefox; I'm getting a message that it is blocked. I'm also not able to start Malwarebytes. The following is the OTL log:

Please help,
Tom


OTL logfile created on: 11/28/2011 6:53:57 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = E:\VirusRemoval
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.17037)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.44 Mb Total Physical Memory | 370.85 Mb Available Physical Memory | 36.59% Memory free
2.22 Gb Paging File | 1.33 Gb Available in Paging File | 59.88% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 110.32 Gb Total Space | 60.99 Gb Free Space | 55.28% Space Free | Partition Type: NTFS
Drive E: | 3.81 Gb Total Space | 3.69 Gb Free Space | 96.96% Space Free | Partition Type: FAT32
Drive F: | 5.45 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: USER-PC | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/11/28 18:37:20 | 000,584,192 | ---- | M] (OldTimer Tools) -- E:\VirusRemoval\OTL.exe
PRC - [2011/11/27 22:04:48 | 000,275,968 | ---- | M] (Microsoft Corporation) -- C:\Users\user\AppData\Local\rjc.exe
PRC - [2011/05/17 13:29:46 | 000,395,144 | ---- | M] (Ask) -- C:\Program Files\Ask.com\Updater\Updater.exe
PRC - [2011/02/13 15:20:14 | 000,325,000 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
PRC - [2008/10/29 01:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/09/05 10:39:54 | 000,042,288 | ---- | M] () -- C:\Program Files\Offline Course Player\OlpSynch.exe
PRC - [2008/08/14 10:14:20 | 000,200,704 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynToshiba.exe
PRC - [2008/06/17 18:58:46 | 000,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2007/10/29 06:02:38 | 000,102,400 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPStart.exe
PRC - [2007/02/06 20:50:08 | 004,374,528 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2007/02/02 17:56:52 | 000,118,784 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2007/01/25 20:50:26 | 000,063,096 | ---- | M] () -- c:\Toshiba\IVP\swupdate\swupdtmr.exe
PRC - [2007/01/25 20:47:50 | 000,136,816 | ---- | M] () -- C:\Toshiba\IVP\ISM\pinger.exe
PRC - [2006/12/20 02:15:44 | 000,428,152 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
PRC - [2006/12/11 11:12:06 | 000,537,520 | ---- | M] ( ) -- C:\Windows\System32\lxcrcoms.exe
PRC - [2006/12/11 11:11:58 | 000,082,864 | ---- | M] (Lexmark International Inc.) -- C:\Program Files\Lexmark 2400 Series\ezprint.exe
PRC - [2006/12/11 11:11:54 | 000,291,760 | ---- | M] () -- C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
PRC - [2006/12/03 18:51:38 | 000,021,504 | ---- | M] (UPEK Inc.) -- C:\Program Files\Protector Suite QL\upeksvr.exe
PRC - [2006/11/14 23:33:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
PRC - [2006/11/02 04:45:32 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\PING.EXE
PRC - [2006/10/05 14:10:12 | 000,009,216 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe
PRC - [2006/08/23 19:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PRC - [2006/05/25 21:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe


========== Modules (No Company Name) ==========

MOD - [2010/03/29 15:02:48 | 000,520,234 | ---- | M] () -- C:\Program Files\BillP Studios\WinPatrol\sqlite3.dll
MOD - [2008/09/05 10:39:54 | 000,042,288 | ---- | M] () -- C:\Program Files\Offline Course Player\OlpSynch.exe
MOD - [2006/12/11 11:11:54 | 000,291,760 | ---- | M] () -- C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
MOD - [2006/11/02 04:46:10 | 000,227,328 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2006/11/02 04:46:10 | 000,227,328 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll
MOD - [2006/08/08 14:54:18 | 000,278,528 | ---- | M] () -- C:\Program Files\Lexmark 2400 Series\lxcrscw.dll
MOD - [2006/05/25 15:20:44 | 000,241,664 | ---- | M] () -- C:\Program Files\Lexmark 2400 Series\iptk.dll
MOD - [2005/12/29 10:34:22 | 000,143,360 | ---- | M] () -- C:\Program Files\Lexmark 2400 Series\lxcrdrec.dll


========== Win32 Services (SafeList) ==========

SRV - [2008/10/02 20:20:50 | 000,242,424 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2008/06/17 18:58:46 | 000,611,664 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2008/04/07 16:24:40 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2007/02/02 17:56:52 | 000,118,784 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2007/01/25 20:50:26 | 000,063,096 | ---- | M] () [Auto | Running] -- c:\Toshiba\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2007/01/25 20:47:50 | 000,136,816 | ---- | M] () [Auto | Running] -- C:\Toshiba\IVP\ISM\pinger.exe -- (pinger)
SRV - [2006/12/20 02:15:44 | 000,428,152 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2006/12/11 11:12:06 | 000,537,520 | ---- | M] ( ) [Auto | Running] -- C:\Windows\System32\lxcrcoms.exe -- (lxcr_device)
SRV - [2006/11/14 23:33:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2006/10/05 14:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2006/08/23 19:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2006/05/25 21:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)


========== Driver Services (SafeList) ==========

DRV - [2011/11/27 21:58:28 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{53F7002F-47E6-4ADB-97B6-CD9FBEA10397}\MpKsla0c3eb0c.sys -- (MpKsla0c3eb0c)
DRV - [2011/04/18 13:18:50 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2008/02/14 01:34:44 | 000,054,784 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\drivers\i8042prt.sys -- (i8042prt)
DRV - [2008/01/09 12:54:53 | 000,008,413 | ---- | M] (RealNetworks, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\mcstrm.sys -- (MCSTRM)
DRV - [2007/11/09 05:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)
DRV - [2007/09/26 13:12:22 | 002,251,776 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel®
DRV - [2007/07/26 09:25:12 | 000,039,808 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\SRS_SSCFilter_i386.sys -- (SRS_SSCFilter) SRS Labs Audio Sandbox (WDM)
DRV - [2007/01/26 19:13:40 | 000,017,712 | ---- | M] (Chicony Electronics Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\UVCFTR_S.SYS -- (UVCFTR)
DRV - [2007/01/24 17:44:06 | 000,290,304 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tifm21.sys -- (tifm21)
DRV - [2007/01/03 03:43:19 | 000,479,488 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr3npxp.sys -- (KR3NPXP)
DRV - [2007/01/03 03:43:19 | 000,207,104 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10n.sys -- (KR10N)
DRV - [2007/01/03 03:43:18 | 000,216,320 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10i.sys -- (KR10I)
DRV - [2006/12/19 11:12:22 | 001,786,880 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel®
DRV - [2006/11/28 17:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/11/20 01:11:14 | 000,007,168 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\FwLnk.sys -- (FwLnk)
DRV - [2006/10/18 14:50:04 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2005/06/24 17:36:16 | 000,039,036 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgusbmodem.sys -- (USBModem)
DRV - [2005/05/26 10:01:36 | 000,038,144 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgusbdiag.sys -- (UsbDiag)
DRV - [2005/05/26 10:01:18 | 000,021,344 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgusbbus.sys -- (usbbus)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AOL Search"
FF - prefs.js..browser.search.defaulturl: "http://aim.search.ao...rud=09-05-2010"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://en-US.start3....en-US:official"
FF - prefs.js..extensions.enabledItems: [email protected]:7
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20110323
FF - prefs.js..extensions.enabledItems: [email protected]:3.11.3.15590
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..keyword.URL: "http://slirsredirect...05-2010&query="


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Users\user\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll (Move Networks)
FF - HKLM\Software\MozillaPlugins\@oberon-media.com/ONCAdapter: C:\Program Files\Common Files\Oberon Media\NCAdapter\1.0.0.7\npapicomadapter.dll File not found
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll File not found
FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Users\user\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll (Move Networks)
FF - HKCU\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine: C:\Users\user\AppData\Roaming\nprhapengine.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/07/15 13:01:30 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/09 13:53:35 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/09 11:38:57 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Users\user\AppData\Roaming\Move Networks [2009/12/03 09:38:51 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/07/15 13:01:30 | 000,000,000 | ---D | M]

[2008/08/26 17:13:58 | 000,000,000 | ---D | M] (No name found) -- C:\Users\user\AppData\Roaming\mozilla\Extensions
[2011/11/17 23:38:32 | 000,000,000 | ---D | M] (No name found) -- C:\Users\user\AppData\Roaming\mozilla\Firefox\Profiles\0nqah7al.default\extensions
[2011/11/17 23:38:32 | 000,000,000 | ---D | M] (WOT) -- C:\Users\user\AppData\Roaming\mozilla\Firefox\Profiles\0nqah7al.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2011/09/29 17:00:46 | 000,000,000 | ---D | M] (AOL Messaging Toolbar) -- C:\Users\user\AppData\Roaming\mozilla\Firefox\Profiles\0nqah7al.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
[2011/11/08 22:52:23 | 000,000,000 | ---D | M] ("Ask Toolbar") -- C:\Users\user\AppData\Roaming\mozilla\Firefox\Profiles\0nqah7al.default\extensions\[email protected]
[2009/06/15 11:21:21 | 000,004,207 | ---- | M] () -- C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0nqah7al.default\searchplugins\aim-search.xml
[2010/05/08 20:26:50 | 000,002,343 | ---- | M] () -- C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0nqah7al.default\searchplugins\aol-search.xml
[2011/11/09 13:53:41 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/11/09 13:53:34 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/02/23 20:17:34 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2008/02/19 04:00:02 | 000,061,440 | ---- | M] (Element K Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOlp32.dll
[2011/10/05 09:12:03 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/09 13:53:34 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

Hosts file not found
O2 - BHO: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O2 - BHO: (AIM Toolbar Loader) - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)
O2 - BHO: (WOT Helper) - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll ()
O2 - BHO: (FrostWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKLM\..\Toolbar: (AIM Toolbar) - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
O3 - HKLM\..\Toolbar: (WOT) - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
O3 - HKLM\..\Toolbar: (FrostWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKCU\..\Toolbar\WebBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (&Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (AIM Toolbar) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (WOT) - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (FrostWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)
O4 - HKLM..\Run: [EzPrint] C:\Program Files\Lexmark 2400 Series\ezprint.exe (Lexmark International Inc.)
O4 - HKLM..\Run: [LXCRCATS] C:\Windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.DLL (Lexmark International Inc.)
O4 - HKLM..\Run: [lxcrmon.exe] C:\Program Files\Lexmark 2400 Series\lxcrmon.exe ()
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [OLPSYNCH] C:\Program Files\Offline Course Player\OlpSynch.exe ()
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O15 - HKCU\..Trusted Domains: real.com ([rhap-app-4-0] https in Trusted sites)
O15 - HKCU\..Trusted Domains: real.com ([rhapreg] https in Trusted sites)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebo...toUploader3.cab (Facebook Photo Uploader 4 Control)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} http://upload.facebo...otoUploader.cab (Facebook Photo Uploader Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} http://upload.facebo...Uploader4_5.cab (Facebook Photo Uploader 4)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5CF63800-A8B9-4061-BFD6-E01C4FF176F2}: DhcpNameServer = 10.61.0.98 10.61.0.99
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{AFDDB606-8004-4245-8C89-96E4B5F69980}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\wot {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (vrlogon.dll) -C:\Windows\System32\vrlogon.dll (UPEK Inc.)
O20 - Winlogon\Notify\psfus: DllName - (C:\Windows\system32\psqlpwd.dll) - C:\Windows\System32\psqlpwd.dll (UPEK Inc.)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2006/12/11 15:03:59 | 000,000,277 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (lsdelete)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "C:\Users\user\AppData\Local\rjc.exe" -a "%1" %* (Microsoft Corporation)
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- "C:\Users\user\AppData\Local\rjc.exe" -a "%1" %* (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2011/11/27 22:04:43 | 000,275,968 | ---- | C] (Microsoft Corporation) -- C:\Users\user\AppData\Local\rjc.exe
[2007/05/20 15:56:25 | 000,413,696 | ---- | C] ( ) -- C:\Windows\System32\lxcrinpa.dll
[2007/05/20 15:56:25 | 000,323,584 | ---- | C] ( ) -- C:\Windows\System32\LXCRhcp.dll
[2007/05/20 15:56:24 | 001,224,704 | ---- | C] ( ) -- C:\Windows\System32\lxcrserv.dll
[2007/05/20 15:56:24 | 000,991,232 | ---- | C] ( ) -- C:\Windows\System32\lxcrusb1.dll
[2007/05/20 15:56:24 | 000,397,312 | ---- | C] ( ) -- C:\Windows\System32\lxcriesc.dll
[2007/05/20 15:56:23 | 000,643,072 | ---- | C] ( ) -- C:\Windows\System32\lxcrpmui.dll
[2007/05/20 15:56:23 | 000,585,728 | ---- | C] ( ) -- C:\Windows\System32\lxcrlmpm.dll
[2007/05/20 15:56:23 | 000,163,840 | ---- | C] ( ) -- C:\Windows\System32\lxcrprox.dll
[2007/05/20 15:56:23 | 000,094,208 | ---- | C] ( ) -- C:\Windows\System32\lxcrpplc.dll
[2007/05/20 15:56:22 | 000,385,968 | ---- | C] ( ) -- C:\Windows\System32\lxcrih.exe
[2007/05/20 15:56:21 | 000,537,520 | ---- | C] ( ) -- C:\Windows\System32\lxcrcoms.exe
[2007/05/20 15:56:20 | 000,684,032 | ---- | C] ( ) -- C:\Windows\System32\lxcrcomc.dll
[2007/05/20 15:56:20 | 000,421,888 | ---- | C] ( ) -- C:\Windows\System32\lxcrcomm.dll
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/11/28 18:44:58 | 000,618,648 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/11/28 18:44:58 | 000,104,024 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/11/28 18:35:43 | 000,008,096 | -HS- | M] () -- C:\Users\user\AppData\Local\r8wr47l8ha3xng
[2011/11/28 18:35:43 | 000,008,096 | -HS- | M] () -- C:\ProgramData\r8wr47l8ha3xng
[2011/11/28 18:31:12 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/11/28 18:01:48 | 000,003,584 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/11/28 18:01:48 | 000,003,584 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/11/28 18:01:34 | 1063,313,408 | -HS- | M] () -- C:\hiberfil.sys
[2011/11/27 22:19:53 | 000,000,000 | ---- | M] () -- C:\Windows\System32\vH663o.com.b
[2011/11/27 22:19:24 | 000,000,112 | ---- | M] () -- C:\ProgramData\p6N6d7.dat
[2011/11/27 22:19:16 | 000,115,712 | ---- | M] () -- C:\Windows\System32\vH663o.com_
[2011/11/20 21:59:30 | 000,002,587 | ---- | M] () -- C:\Users\user\Desktop\Microsoft Office Word 2007.lnk
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/11/27 22:19:53 | 000,000,000 | ---- | C] () -- C:\Windows\System32\vH663o.com.b
[2011/11/27 22:17:10 | 000,000,112 | ---- | C] () -- C:\ProgramData\p6N6d7.dat
[2011/11/27 22:16:01 | 000,115,712 | ---- | C] () -- C:\Windows\System32\vH663o.com_
[2011/11/27 22:04:51 | 000,008,096 | -HS- | C] () -- C:\Users\user\AppData\Local\r8wr47l8ha3xng
[2011/11/27 22:04:51 | 000,008,096 | -HS- | C] () -- C:\ProgramData\r8wr47l8ha3xng
[2010/07/15 13:00:38 | 000,023,111 | ---- | C] () -- C:\Windows\hpqins15.dat
[2010/07/14 12:14:18 | 000,201,384 | ---- | C] () -- C:\Windows\hpoins43.dat
[2010/07/14 12:14:18 | 000,000,675 | ---- | C] () -- C:\Windows\hpomdl43.dat
[2008/05/16 11:58:04 | 000,012,632 | ---- | C] () -- C:\Windows\System32\lsdelete.exe
[2008/04/07 17:13:29 | 002,463,976 | ---- | C] () -- C:\Windows\System32\NPSWF32.dll
[2008/02/14 01:34:44 | 000,054,784 | ---- | C] () -- C:\Windows\System32\drivers\i8042prt.sys
[2008/02/11 19:55:18 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1437.dll
[2008/02/09 00:47:30 | 000,000,681 | ---- | C] () -- C:\Windows\mozver.dat
[2008/01/16 18:01:23 | 000,000,047 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2007/11/20 16:11:26 | 000,047,360 | ---- | C] () -- C:\Windows\System32\drivers\Surroundhp_kern_i386.sys
[2007/11/20 16:11:26 | 000,047,104 | ---- | C] () -- C:\Windows\System32\drivers\tshd4_kern_i386.sys
[2007/11/20 16:11:26 | 000,042,112 | ---- | C] () -- C:\Windows\System32\drivers\csiidecoder_kern_i386.sys
[2007/11/20 16:11:26 | 000,039,808 | ---- | C] () -- C:\Windows\System32\drivers\SRS_SSCFilter_i386.sys
[2007/11/18 19:02:00 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2007/10/18 09:12:20 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1350.dll
[2007/06/12 06:57:09 | 000,012,288 | ---- | C] () -- C:\Users\user\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/05/20 18:07:42 | 000,000,335 | ---- | C] () -- C:\Windows\nsreg.dat
[2007/05/20 15:56:25 | 000,274,432 | ---- | C] () -- C:\Windows\System32\LXCRinst.dll
[2007/03/25 11:10:34 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
[2007/03/25 11:10:34 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
[2007/03/25 11:10:34 | 000,010,150 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
[2007/03/25 11:10:34 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
[2007/03/02 14:01:09 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
[2007/03/02 14:01:09 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
[2007/03/02 14:01:08 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
[2007/03/02 14:01:08 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
[2007/03/02 14:01:08 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
[2007/03/02 14:01:08 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
[2007/02/28 15:47:07 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2007/02/28 14:50:50 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ3.dat
[2007/02/28 14:50:50 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ2.dat
[2007/01/31 19:03:26 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1187.dll
[2006/12/05 16:05:06 | 000,114,688 | ---- | C] () -- C:\Windows\System32\TosBtAcc.dll
[2006/11/30 11:32:52 | 000,344,064 | ---- | C] () -- C:\Windows\System32\lxcrcoin.dll
[2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:47:37 | 001,744,904 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:33:01 | 000,618,648 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,104,024 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/02 02:22:43 | 000,099,999 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2006/11/02 02:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2006/08/14 16:01:48 | 000,065,536 | ---- | C] () -- C:\Windows\System32\lxcrcaps.dll
[2006/08/08 14:58:04 | 000,692,224 | ---- | C] () -- C:\Windows\System32\lxcrdrs.dll
[2006/03/23 03:33:20 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxcrvs.dll
[2006/03/09 13:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2005/12/20 11:54:04 | 000,061,440 | ---- | C] () -- C:\Windows\System32\lxcrcnv4.dll
[2005/07/23 00:30:20 | 000,065,536 | ---- | C] () -- C:\Windows\System32\TosCommAPI.dll

========== LOP Check ==========

[2007/05/20 18:08:43 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\acccore
[2011/05/17 23:06:16 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\FrostWire
[2011/05/18 13:19:27 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\GOL_byHasbro
[2009/08/25 21:29:37 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\iWin
[2011/05/23 11:38:52 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\Ludia
[2011/05/18 13:19:05 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\Oberon Media
[2011/04/25 21:42:01 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\PandoraRecovery
[2009/06/05 22:43:31 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\PlayFirst
[2008/01/28 01:43:45 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\Ruckus Network
[2007/11/29 11:20:30 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\SecondLife
[2007/05/22 10:15:31 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\WildTangent
[2011/02/26 20:29:30 | 000,000,000 | ---D | M] -- C:\Users\user\AppData\Roaming\WinPatrol
[2011/11/27 22:34:07 | 000,032,604 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:2C6A77F3
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:89C6F032
@Alternate Data Stream - 111 bytes -> C:\ProgramData\TEMP:172EB9B5
@Alternate Data Stream - 101 bytes -> C:\ProgramData\TEMP:5804A24D

< End of report >
  • 0


#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
It's the Zero Access rootkit.

See if you can delete these files:
[2011/11/27 22:19:53 | 000,000,000 | ---- | C] () -- C:\Windows\System32\vH663o.com.b
[2011/11/27 22:17:10 | 000,000,112 | ---- | C] () -- C:\ProgramData\p6N6d7.dat
[2011/11/27 22:16:01 | 000,115,712 | ---- | C] () -- C:\Windows\System32\vH663o.com_
[2011/11/27 22:04:51 | 000,008,096 | -HS- | C] () -- C:\Users\user\AppData\Local\r8wr47l8ha3xng
[2011/11/27 22:04:51 | 000,008,096 | -HS- | C] () -- C:\ProgramData\r8wr47l8ha3xng

(You will need to make hidden system files visible so first:
Open the Control Panel menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button and exit My Computer.
Now your computer is configured to show all hidden files. )

If you can't delete them we will get them later.

ComboFix

:!: It must be saved to your desktop, do not run it from your browser:!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Right-click on ComboFix and select Run As Administrator to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.


Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then right click and Run as Administrator

If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.


Download aswMBR.exe ( 511KB ) to your desktop.
Right click aswMBR.exe and Run as Administrator

Change the a-v scan to None.
Uncheck trace disk IO calls.
Click the "Scan" button to start the scan.
On completion of the scan (note whether the Fix button is enabled (not the FixMBR button) and tell me), click Save log, save it to your desktop and post it in your next reply.

Ron
  • 0
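As an added example (my own script, not something posted in this thread or shipped with OTL): a small Python triage pass over OTL lines in the format shown in the log above, flagging by rule what RKinner picked out by eye: hidden+system (-HS-) files under ProgramData or a user profile, the same odd name dropped into two directories at once, and alternate data streams hanging off ProgramData. The 48-hour window and the list of user-writable prefixes are my assumptions; the sample lines are copied from this thread's log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OTL file line: [YYYY/MM/DD HH:MM:SS | 000,008,096 | -HS- | C] () -- C:\path
FILE_RE = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| "
                     r"(?P<attr>[-A-Z]{4}) \| [CM]\] \([^)]*\) -- (?P<path>.+)$")
# OTL ADS line: @Alternate Data Stream - 135 bytes -> C:\dir:stream
ADS_RE = re.compile(r"^@Alternate Data Stream - \d+ bytes -> (?P<path>.+)$")
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\")  # assumed; hidden+system files here are unusual
def triage(lines, window_hours=48):
    """Return (path, reason) pairs for OTL entries a responder should look at first."""
    files, hits = [], []
    for line in lines:
        m = ADS_RE.match(line.strip())
        if m and m["path"].lower().startswith(USER_WRITABLE):
            hits.append((m["path"], "alternate data stream under user-writable dir"))
            continue
        m = FILE_RE.match(line.strip())
        if m:
            files.append((datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                          m["attr"], m["path"]))
    # Restrict to entries close to the newest timestamp, i.e. the infection window
    newest = max((ts for ts, _, _ in files), default=None)
    recent = [f for f in files if newest - f[0] <= timedelta(hours=window_hours)]
    by_name = defaultdict(set)
    for _, attr, path in recent:
        low = path.lower()
        by_name[low.rsplit("\\", 1)[-1]].add(path)
        if "H" in attr and "S" in attr and low.startswith(USER_WRITABLE):
            hits.append((path, "hidden+system file in user-writable dir"))
    # The same odd name dropped into several directories is a common dropper pattern
    for name, paths in by_name.items():
        if len(paths) > 1:
            hits.extend((p, f"same name '{name}' in {len(paths)} dirs") for p in sorted(paths))
    return hits
# Constructed sample: four of the lines RKinner quoted, two benign lines and one ADS line from the log
SAMPLE = r"""
[2011/11/27 22:19:53 | 000,000,000 | ---- | C] () -- C:\Windows\System32\vH663o.com.b
[2011/11/27 22:17:10 | 000,000,112 | ---- | C] () -- C:\ProgramData\p6N6d7.dat
[2011/11/27 22:04:51 | 000,008,096 | -HS- | C] () -- C:\Users\user\AppData\Local\r8wr47l8ha3xng
[2011/11/27 22:04:51 | 000,008,096 | -HS- | C] () -- C:\ProgramData\r8wr47l8ha3xng
[2011/11/27 22:34:07 | 000,032,604 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
@Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:2C6A77F3
"""
if __name__ == "__main__":
    for path, reason in triage(SAMPLE.strip().splitlines()):
        print(f"{reason:48} {path}")
```

Note that the two entries in System32 and the .dat in ProgramData are not flagged by these rules; the point is to surface the strongest signals quickly, not to replace reading the whole log.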

#3
t_coop

t_coop

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
I was able to delete the files except C:\Users\user\AppData\Local\r8wr47l8ha3xng and C:\ProgramData\r8wr47l8ha3xng. Combofix detected the Rootkit.Zero.Access virus and said that it was going to be difficult to get rid of and may have to run a second time if it could not access the internet. It rebooted the PC but it seems to be hung up for over an hour. The sign on screen appeared during rebooting but there was no mouse activity and I could not enter a password. The disk light was flashing but now comes on sporadically and the screen saver is displayed. Should Combofix take this long to finish?

Thanks,
Tom
  • 0

#4
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
I'd give it another hour. Zero Access puts up a good fight.
  • 0

#5
t_coop

t_coop

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
I rebooted at 10:00 PM EST last night. I'm not able to enter a password to log on. The keyboard or mouse does not respond.

Tom
  • 0

#6
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
What kind of keyboard is this? Old style with round plug, USB, wireless, built in?

Have you tried it in Safe Mode?

(Reboot and when you see the maker's logo, hear a beep or it talks about F8, start tapping the F8 key slowly. Keep tapping until the Safe Mode Menu appears and choose Last Known Good, Safe Mode with Networking or Safe Mode or Command Prompt. Login with your usual login.)
  • 0

#7
t_coop

t_coop

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
This is a laptop keyboard. I started with the 'safe mode with networking' option. The keyboard or mouse still does not respond.

Tom
  • 0

#8
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Can you get it to boot into the BIOS setup? Does the keyboard work then?
  • 0

#9
t_coop

t_coop

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
I can boot into the system utility (f2). The keyboard works here. Under boot options (f8) I have the following options:
safe mode, no keyboard
safe mode with networking, no keyboard
safe mode with command prompt, no keyboard
enable boot logging
enable low resolution video
directory services restore mode
debugging mode
disable automatic restart on system failure
disable driver signature enforcement
repair your computer

Tom
  • 0

#10
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
You might try a USB keyboard or mouse - see if they work.

Otherwise we are going to have to boot off a CD or USB drive:

Step 1 http://www.geekstogo...ystem-tutorial/

or

Please print these instructions out so that you know what you are doing.

File details OTLPEStd.exe
Bytes=97,702,766
MB=93.1
MD5=FC1A07D156DE710955032B1CF7891671

File details OTLPENet.exe
Bytes=126,850,486
MB=120.9
MD5=8A7C5BA1C92552ADDCC5E468D0AA069A




  • Download OTLPEStd.exe to your desktop
  • Download OTLPENet.exe to your desktop
  • Ensure that you have a blank CD in the drive
  • Double click OTLPEStd.exe and this will then open imgburn to burn the file to CD
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)

  • Your system should now display a Reatogo desktop.
    Note : as you are running from CD it is not exactly speedy
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Drag and drop this attached scan.txt into the Custom scans and fixes box
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system.
  • Right click the file and select send to : select the USB drive.
  • Confirm that it has copied to the USB drive by selecting it
  • You can backup any files that you wish from this OS
  • Please post the contents of the C:\OTL.txt file in your reply.

  • 0


#11
t_coop

t_coop

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
I'll do the second option. Before I start can I download the OTLPEStd.exe and OTLPENet.exe files and create the CD on a computer that is working and then use the CD to boot up the infected computer?

Thanks,
Tom
  • 0

#12
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Yes.
  • 0

#13
t_coop

t_coop

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
I also do not see the scan.txt file.
  • 0

#14
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Not sure what you mean by scan.txt.
  • 0

#15
t_coop

t_coop

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Item no. 15 - Drag and drop this attached scan.txt into the Custom scans and fixes box. I cannot find any attachments in any of the responses.

Tom
  • 0
