[mikeloeven]

A friend brought in a computer with vista antivirus 2012 on it. i followed my normal removel routine and was able to get rid of the Active part of the infection. however i was unable to remove the google hijack. at first i thought it was a viral proxy override but there was no proxy configured in the registry.

additionaly malware bytes and avira detected no active threats.

i tried combofix but it gets to the point of please wait while your system is scanned but it refuses to perform any of it's normal steps and hung there for 2 days before i killed it

so attached are the otl and hijack this logs this one a bit over my head.

ps this is kinda a rush because the friend wants to just reformat the machine if i cant get this out by tomorow.

also i ghosted the harddrive prior to working on the machine so i can bring it back to it;s origional state no matter how many times we kill windows

OTL logfile created on: 12/14/2011 2:53:37 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\laptop\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19154)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 1.70 Gb Available Physical Memory | 56.84% Memory free
6.20 Gb Paging File | 5.00 Gb Available in Paging File | 80.61% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 215.33 Gb Total Space | 158.90 Gb Free Space | 73.79% Space Free | Partition Type: NTFS
Drive D: | 15.00 Gb Total Space | 9.61 Gb Free Space | 64.04% Space Free | Partition Type: NTFS
Drive E: | 3.73 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: LAPTOP-PC | User Name: laptop | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/14 14:39:32 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\laptop\Desktop\OTL.exe
PRC - [2011/06/15 15:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/04/27 15:39:26 | 000,208,944 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
PRC - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2010/04/12 17:46:36 | 001,135,912 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2009/06/03 14:46:38 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2009/06/03 14:46:38 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2009/05/28 16:28:18 | 001,320,288 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DellDock.exe
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/12/18 14:05:28 | 000,155,648 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DockLogin.exe
PRC - [2008/05/04 04:25:32 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe
PRC - [2008/05/04 04:25:26 | 000,167,936 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2008/05/04 04:25:26 | 000,050,736 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
PRC - [2007/12/21 10:58:06 | 000,184,320 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Dell\MediaDirect\PCMService.exe
PRC - [2007/11/12 06:07:24 | 000,405,504 | ---- | M] (IDT, Inc.) -- C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
PRC - [2007/11/12 06:07:20 | 000,102,400 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\stacsv.exe
PRC - [2007/11/12 06:07:16 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AEstSrv.exe
PRC - [2007/03/21 13:00:04 | 000,355,096 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2007/03/21 13:00:00 | 000,174,872 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe


========== Modules (No Company Name) ==========

MOD - [2011/12/09 04:10:18 | 015,882,240 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\MenuSkinning\b438fae7231dfbdb7e8b126b0e05cf0d\MenuSkinning.ni.dll
MOD - [2011/12/09 04:09:57 | 000,284,160 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\VistaBridgeLibrary\4bcdb78436b238b92d3bfc16d2da53e0\VistaBridgeLibrary.ni.dll
MOD - [2011/12/09 04:09:54 | 000,998,400 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\6bc98e9b5eedaa8f71c5454d36a4b772\System.Management.ni.dll
MOD - [2011/12/09 04:09:53 | 002,574,336 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\DellDock\3066752682e1f12d66985ab33b768391\DellDock.ni.exe
MOD - [2011/12/09 04:09:51 | 000,286,720 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\MyDock.Util\ec83141261c770f0d8adea4c1674fd9a\MyDock.Util.ni.dll
MOD - [2011/12/09 04:07:46 | 000,025,600 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\bcb66dbad2b45d05235b37a02f737eb5\Accessibility.ni.dll
MOD - [2011/12/09 04:07:43 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\6d2f689baff5da3df134fdec0742a13c\System.Runtime.Remoting.ni.dll
MOD - [2011/12/09 04:07:39 | 011,804,672 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\e00630ec1e225a2376fdd430645e20f7\System.Web.ni.dll
MOD - [2011/12/09 04:07:19 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\40da9084d0863e07d7ce55953833b8b0\System.Configuration.ni.dll
MOD - [2011/12/09 04:07:17 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\c1c06a392871267db27f7cbc40e1c4fb\System.Xml.ni.dll
MOD - [2011/12/09 04:06:56 | 012,430,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\1363115565fff5a641243a48f396f107\System.Windows.Forms.ni.dll
MOD - [2011/12/09 04:06:46 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\367c4043efc2f32d843cb588b0dc97fc\System.Drawing.ni.dll
MOD - [2011/12/09 04:05:40 | 007,950,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\f9c36ea806e77872dce891c77b68fac3\System.ni.dll
MOD - [2011/12/09 04:05:08 | 011,490,816 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\b6632a8b2f276a8e31f5b0f6b2006cd1\mscorlib.ni.dll
MOD - [2010/04/12 17:46:46 | 000,095,528 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll
MOD - [2010/04/12 17:46:36 | 001,135,912 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
MOD - [2009/04/11 01:28:22 | 000,223,232 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2009/04/11 01:28:22 | 000,223,232 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll
MOD - [2008/12/18 04:55:28 | 000,054,784 | ---- | M] () -- C:\Windows\System32\bcmwlrmt.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/04/27 15:39:26 | 000,208,944 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/06/03 14:46:38 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter) SupportSoft Sprocket Service (DellSupportCenter)
SRV - [2008/12/18 14:05:28 | 000,155,648 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
SRV - [2007/11/12 06:07:20 | 000,102,400 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\stacsv.exe -- (STacSV)
SRV - [2007/11/12 06:07:16 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AEstSrv.exe -- (AESTFilters)
SRV - [2007/03/21 13:00:04 | 000,355,096 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2011/12/14 14:02:00 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{24A7C3FB-B93B-406B-A7A2-1296476E6DE7}\MpKslf1a15c85.sys -- (MpKslf1a15c85)
DRV - [2011/04/27 15:25:24 | 000,065,024 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2011/04/18 13:18:50 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2008/12/18 04:55:10 | 000,018,424 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\bcm42rly.sys -- (BCM42RLY)
DRV - [2008/06/23 07:45:44 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2008/05/04 04:25:24 | 000,164,400 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2008/03/06 02:58:44 | 000,111,616 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel®
DRV - [2008/01/20 21:23:25 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2007/11/12 06:07:28 | 000,330,240 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/09/06 11:35:16 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/09/06 11:35:14 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/09/06 11:35:12 | 000,042,496 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/02 02:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [1996/04/03 14:33:26 | 000,005,248 | ---- | M] () [Kernel | Disabled | Stopped] -- C:\Windows\System32\giveio.sys -- (giveio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50370

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50370

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 03 44 E3 04 87 E8 16 45 B9 66 E0 F8 8A 71 5D D8 [binary data]
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 03 44 E3 04 87 E8 16 45 B9 66 E0 F8 8A 71 5D D8 [binary data]
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1992915437-708079569-27846691-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co...=us&ibd=0090811
IE - HKU\S-1-5-21-1992915437-708079569-27846691-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKU\S-1-5-21-1992915437-708079569-27846691-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1992915437-708079569-27846691-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AIM Search"
FF - prefs.js..browser.search.defaultthis.engineName: "MediaStar2 Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.condui...={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "MediaStar2 Customized Web Search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..keyword.URL: "http://slirsredirect...0fftrab&query="
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 50370


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/wpi,version=1.4: C:\Program Files\Microsoft\Web Platform Installer\\npwpidetector.dll ()
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.3: C:\Users\laptop\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4bcdbfd0-fa26-11de-8a39-0800200c9a66}: C:\Users\laptop\AppData\Roaming\Mozilla\FireFox\{4bcdbfd0-fa26-11de-8a39-0800200c9a66} [2010/06/09 14:38:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.24\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/12/08 16:41:41 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.24\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/12/14 14:14:10 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{FE4065C7-6B4B-41D2-9D35-AEF8BEF1F98E}: C:\Users\laptop\AppData\Local\{FE4065C7-6B4B-41D2-9D35-AEF8BEF1F98E}\

[2009/08/18 15:31:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\laptop\AppData\Roaming\mozilla\Extensions
[2011/12/14 13:49:54 | 000,000,000 | ---D | M] (No name found) -- C:\Users\laptop\AppData\Roaming\mozilla\Firefox\Profiles\wjzthvid.default\extensions
[2011/07/25 19:32:53 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\laptop\AppData\Roaming\mozilla\Firefox\Profiles\wjzthvid.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/08/30 18:07:47 | 000,004,212 | ---- | M] () -- C:\Users\laptop\AppData\Roaming\Mozilla\Firefox\Profiles\wjzthvid.default\searchplugins\aim-search.xml
[2010/08/12 09:17:20 | 000,000,923 | ---- | M] () -- C:\Users\laptop\AppData\Roaming\Mozilla\Firefox\Profiles\wjzthvid.default\searchplugins\conduit.xml
[2010/11/19 13:26:59 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

========== Chrome ==========


Hosts file not found
O2 - BHO: (no name) - -{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No CLSID value found.
O2 - BHO: (no name) - -{DBC80044-A445-435B-BC74-9C25C1C588A9} - No CLSID value found.
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
O4 - Startup: C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1992915437-708079569-27846691-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1992915437-708079569-27846691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - %SystemRoot%\System32\winrnr.dll File not found
O15 - HKU\S-1-5-21-1992915437-708079569-27846691-1000\..Trusted Domains: localhost ([]http in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7D7B2F21-21F2-40B3-B75F-E60E2E8D93B0}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D72287D6-F517-4821-8675-A00B2B82C131}: DhcpNameServer = 192.168.1.1
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll) -C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL) -C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\laptop\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\laptop\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2008/01/21 15:00:00 | 000,000,122 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O32 - AutoRun File - [2011/12/08 12:14:30 | 000,532,781 | ---- | M] () - F:\Autoruns.zip -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/14 14:52:48 | 000,000,000 | ---D | C] -- C:\Users\laptop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/12/14 14:52:47 | 000,000,000 | ---D | C] -- C:\Users\laptop\Desktop\Trend Micro
[2011/12/14 14:41:43 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\laptop\Desktop\OTL.exe
[2011/12/14 14:40:11 | 000,000,000 | ---D | C] -- C:\Users\laptop\AppData\Local\Adobe
[2011/12/14 14:35:44 | 000,000,000 | --SD | C] -- C:\cfnk1
[2011/12/14 14:09:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2011/12/14 14:09:08 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/12/13 16:02:04 | 000,000,000 | ---D | C] -- C:\Users\laptop\AppData\Local\AOL
[2011/12/13 11:31:53 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Users\laptop\Desktop\ATF-Cleaner.exe
[2011/12/13 11:11:13 | 004,339,049 | R--- | C] (Swearware) -- C:\Users\laptop\Desktop\cfnk1.exe
[2011/12/09 14:32:41 | 000,876,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsPrint.dll
[2011/12/09 04:00:47 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Portable Devices
[2011/12/09 03:39:59 | 000,092,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\UIAnimation.dll
[2011/12/09 03:39:57 | 003,023,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\UIRibbon.dll
[2011/12/09 03:39:57 | 001,164,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\UIRibbonRes.dll
[2011/12/09 03:38:47 | 000,369,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WMPhoto.dll
[2011/12/09 03:38:42 | 000,321,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PhotoMetadataHandler.dll
[2011/12/09 03:38:42 | 000,252,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxdiag.exe
[2011/12/09 03:38:42 | 000,195,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxdiagn.dll
[2011/12/09 03:38:42 | 000,189,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WindowsCodecsExt.dll
[2011/12/09 03:38:40 | 000,519,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d11.dll
[2011/12/09 03:37:49 | 000,031,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\BthMtpContextHandler.dll
[2011/12/09 03:37:49 | 000,030,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WPDShextAutoplay.exe
[2011/12/09 03:37:43 | 000,060,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PortableDeviceConnectApi.dll
[2011/12/09 03:37:39 | 000,546,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wpd_ci.dll
[2011/12/09 03:37:39 | 000,061,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WpdMtpUS.dll
[2011/12/09 03:37:39 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WpdConns.dll
[2011/12/09 03:37:38 | 000,350,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WPDSp.dll
[2011/12/09 03:37:38 | 000,334,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PortableDeviceApi.dll
[2011/12/09 03:37:38 | 000,226,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WpdMtp.dll
[2011/12/09 03:37:38 | 000,196,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PortableDeviceWMDRM.dll
[2011/12/09 03:37:38 | 000,160,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PortableDeviceTypes.dll
[2011/12/09 03:37:38 | 000,100,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PortableDeviceClassExtension.dll
[2011/12/08 11:46:44 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisdecd.dll
[2011/12/08 11:46:43 | 000,217,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisrndr.ax
[2011/12/08 11:46:43 | 000,069,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\Mpeg2Data.ax
[2011/12/08 11:46:43 | 000,057,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSDvbNP.ax
[2011/12/08 11:46:42 | 000,375,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winsrv.dll
[2011/12/08 11:46:36 | 000,979,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MFH264Dec.dll
[2011/12/08 11:46:36 | 000,478,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxgi.dll
[2011/12/08 11:46:36 | 000,135,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsRasterService.dll
[2011/12/08 11:46:35 | 000,357,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MFHEAACdec.dll
[2011/12/08 11:46:35 | 000,261,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfreadwrite.dll
[2011/12/08 11:46:34 | 002,873,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mf.dll
[2011/12/08 11:46:34 | 000,667,648 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\printfilterpipelinesvc.exe
[2011/12/08 11:46:34 | 000,302,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfmp4src.dll
[2011/12/08 11:46:34 | 000,037,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\cdd.dll
[2011/12/08 11:46:33 | 000,209,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfplat.dll
[2011/12/08 11:46:31 | 000,098,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfps.dll
[2011/12/08 11:46:31 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\printfilterpipelineprxy.dll
[2011/12/08 11:46:20 | 002,043,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2011/12/08 11:46:03 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2011/12/08 11:45:52 | 001,172,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10warp.dll
[2011/12/08 11:45:52 | 001,029,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10.dll
[2011/12/08 11:45:52 | 000,683,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d2d1.dll
[2011/12/08 11:45:52 | 000,160,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1.dll
[2011/12/08 11:45:51 | 001,554,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xpsservices.dll
[2011/12/08 11:45:51 | 001,068,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\DWrite.dll
[2011/12/08 11:45:51 | 000,486,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10level9.dll
[2011/12/08 11:45:51 | 000,219,648 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1core.dll
[2011/12/08 11:45:51 | 000,189,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10core.dll
[2011/12/08 11:45:50 | 000,847,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\OpcServices.dll
[2011/12/08 11:45:50 | 000,288,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsGdiConverter.dll
[2011/12/08 11:45:21 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2011/12/08 11:45:21 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2011/12/08 11:45:20 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/12/08 11:45:20 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2011/12/08 11:45:20 | 000,174,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2011/12/08 11:45:20 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2011/12/08 11:45:19 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2011/12/08 11:45:18 | 000,602,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2011/12/08 11:45:17 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2011/12/08 11:45:16 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2011/12/08 11:45:15 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2011/12/08 11:45:15 | 000,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2011/12/08 11:45:15 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2011/12/08 11:45:15 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011/12/08 11:45:15 | 000,105,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2011/12/08 11:45:15 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2011/12/08 11:45:13 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2011/12/08 11:45:12 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2011/12/08 11:44:33 | 000,555,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\UIAutomationCore.dll
[2011/12/08 11:44:33 | 000,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\oleaccrc.dll
[2011/12/08 11:43:45 | 003,602,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2011/12/08 11:43:44 | 003,550,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2011/12/08 11:42:24 | 000,231,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msshsq.dll
[2011/12/05 14:04:51 | 000,000,000 | ---D | C] -- C:\Windows\System32\vi-VN
[2011/12/05 14:04:51 | 000,000,000 | ---D | C] -- C:\Windows\System32\eu-ES
[2011/12/05 14:04:51 | 000,000,000 | ---D | C] -- C:\Windows\System32\ca-ES
[2011/12/05 12:56:18 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2011/12/05 12:55:41 | 000,221,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\netio.sys
[2011/12/05 11:14:47 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/12/05 11:14:45 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/12/05 11:14:45 | 000,000,000 | ---D | C] -- C:\Users\laptop\AppData\Local\temp
[2 C:\Users\laptop\AppData\Local\*.tmp files -> C:\Users\laptop\AppData\Local\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/12/14 14:56:34 | 002,920,330 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/12/14 14:56:34 | 000,933,858 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/12/14 14:55:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/12/14 14:52:55 | 000,002,671 | ---- | M] () -- C:\Users\laptop\Desktop\HiJackThis.lnk
[2011/12/14 14:44:40 | 001,402,880 | ---- | M] () -- C:\Users\laptop\Desktop\HijackThis.msi
[2011/12/14 14:39:32 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\laptop\Desktop\OTL.exe
[2011/12/14 14:30:50 | 000,000,424 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{91767A64-EECD-420A-826B-E4A61F56D4C6}.job
[2011/12/14 14:27:57 | 000,000,634 | ---- | M] () -- C:\Users\laptop\Desktop\myuninst.cfg
[2011/12/14 14:26:08 | 000,035,840 | ---- | M] (NirSoft) -- C:\Users\laptop\Desktop\myuninst.exe
[2011/12/14 14:24:45 | 000,000,134 | ---- | M] () -- C:\Users\laptop\Desktop\Internet Explorer Troubleshooting.url
[2011/12/14 14:02:45 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/12/14 14:01:55 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/12/14 14:01:54 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/12/14 14:01:47 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/12/14 14:01:44 | 3210,784,768 | -HS- | M] () -- C:\hiberfil.sys
[2011/12/14 13:34:32 | 000,000,680 | ---- | M] () -- C:\Users\laptop\AppData\Local\d3d9caps.dat
[2011/12/13 16:17:27 | 004,339,049 | R--- | M] (Swearware) -- C:\Users\laptop\Desktop\cfnk1.exe
[2011/12/13 11:32:00 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Users\laptop\Desktop\ATF-Cleaner.exe
[2011/12/13 11:11:02 | 000,000,437 | ---- | M] () -- C:\Users\laptop\Desktop\ComboFix - Shortcut.lnk
[2011/12/13 10:10:03 | 000,011,250 | -HS- | M] () -- C:\Users\laptop\AppData\Local\h4il76w5ag3ffl
[2011/12/13 10:10:03 | 000,011,250 | -HS- | M] () -- C:\ProgramData\h4il76w5ag3ffl
[2011/12/09 04:03:32 | 000,270,552 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/12/09 04:00:30 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
[2011/12/09 04:00:22 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_07_00.Wdf
[2011/12/09 03:33:40 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2011/12/05 12:06:21 | 000,000,045 | ---- | M] () -- C:\Windows\System32\initdebug.nfo
[2011/12/05 12:06:21 | 000,000,000 | ---- | M] () -- C:\Users\laptop\Desktop\initdebug.nfo
[2011/12/05 11:03:38 | 000,001,973 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2 C:\Users\laptop\AppData\Local\*.tmp files -> C:\Users\laptop\AppData\Local\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/14 14:52:48 | 000,002,671 | ---- | C] () -- C:\Users\laptop\Desktop\HiJackThis.lnk
[2011/12/14 14:51:44 | 001,402,880 | ---- | C] () -- C:\Users\laptop\Desktop\HijackThis.msi
[2011/12/14 14:27:57 | 000,000,634 | ---- | C] () -- C:\Users\laptop\Desktop\myuninst.cfg
[2011/12/14 13:55:29 | 000,000,134 | ---- | C] () -- C:\Users\laptop\Desktop\Internet Explorer Troubleshooting.url
[2011/12/13 11:28:02 | 3210,784,768 | -HS- | C] () -- C:\hiberfil.sys
[2011/12/13 11:11:02 | 000,000,437 | ---- | C] () -- C:\Users\laptop\Desktop\ComboFix - Shortcut.lnk
[2011/12/13 10:30:59 | 001,008,092 | ---- | C] () -- C:\Users\laptop\Desktop\rkill.com
[2011/12/10 16:26:17 | 000,011,250 | -HS- | C] () -- C:\Users\laptop\AppData\Local\h4il76w5ag3ffl
[2011/12/10 16:26:17 | 000,011,250 | -HS- | C] () -- C:\ProgramData\h4il76w5ag3ffl
[2011/12/09 04:00:30 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
[2011/12/09 04:00:22 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_07_00.Wdf
[2011/12/05 12:57:24 | 000,001,945 | ---- | C] () -- C:\Windows\epplauncher.mif
[2011/12/05 12:06:21 | 000,000,045 | ---- | C] () -- C:\Windows\System32\initdebug.nfo
[2011/12/05 12:06:21 | 000,000,000 | ---- | C] () -- C:\Users\laptop\Desktop\initdebug.nfo
[2011/09/23 00:25:16 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2011/09/23 00:25:16 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2011/09/21 01:01:14 | 000,000,000 | ---- | C] () -- C:\Users\laptop\AppData\Local\{48FC1448-2E61-461A-A538-AC98DF8E4D2D}
[2011/09/21 00:34:21 | 000,000,000 | ---- | C] () -- C:\Users\laptop\AppData\Local\{1BDDAC42-7356-497E-AC6F-AC88A1C6AC26}
[2011/09/19 18:17:39 | 000,000,000 | ---- | C] () -- C:\Users\laptop\AppData\Local\{C096B854-058F-46FC-BE91-AF2A9BD3C285}
[2011/07/24 21:31:31 | 000,000,120 | ---- | C] () -- C:\Users\laptop\AppData\Local\Uwitobabamisaba.dat
[2011/07/24 21:31:31 | 000,000,000 | ---- | C] () -- C:\Users\laptop\AppData\Local\Cyuqa.bin
[2010/11/19 09:23:15 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2010/11/19 09:23:15 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2010/11/19 09:23:15 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/11/19 09:23:15 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/11/19 09:23:15 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/11/11 16:14:10 | 000,000,006 | ---- | C] () -- C:\Users\laptop\AppData\Roaming\start
[2010/10/25 10:54:39 | 000,000,221 | -HS- | C] () -- C:\ProgramData\743822685
[2010/10/25 10:54:38 | 000,001,185 | ---- | C] () -- C:\ProgramData\209714801
[2010/10/25 10:53:37 | 000,000,208 | ---- | C] () -- C:\ProgramData\sl1303660495
[2009/08/26 17:50:09 | 000,000,680 | ---- | C] () -- C:\Users\laptop\AppData\Local\d3d9caps.dat
[2009/08/18 18:57:26 | 000,019,456 | ---- | C] () -- C:\Users\laptop\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/14 12:29:40 | 000,006,656 | ---- | C] () -- C:\Windows\System32\bcmwlrc.dll
[2009/08/14 12:29:39 | 000,054,784 | ---- | C] () -- C:\Windows\System32\bcmwlrmt.dll
[2009/08/14 12:29:38 | 000,026,112 | ---- | C] () -- C:\Windows\System32\WLTRYSVC.EXE
[2009/08/10 21:48:53 | 001,953,696 | ---- | C] () -- C:\Windows\System32\igklg400.dll
[2009/08/10 21:48:53 | 001,533,360 | ---- | C] () -- C:\Windows\System32\igklg450.dll
[2009/08/10 21:48:53 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1409.dll
[2009/08/10 21:48:53 | 000,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
[2009/08/10 21:48:53 | 000,004,608 | ---- | C] () -- C:\Windows\System32\HdmiCoin.dll
[2009/08/10 21:48:50 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2009/04/11 13:02:01 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2009/04/11 11:07:30 | 000,000,000 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:47:37 | 000,270,552 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:33:01 | 002,906,934 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,929,060 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[1996/04/03 14:33:26 | 000,005,248 | ---- | C] () -- C:\Windows\System32\giveio.sys

< End of report >

Attached Files

•  OTL.Txt   80.61KB   75 downloads
•  hijackthis.log   4.78KB   109 downloads
•  Extras.Txt   30.79KB   86 downloads

[Advertisements]

It's the Zero Access rootkit.

MOD - [2009/04/11 01:28:22 | 000,223,232 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2009/04/11 01:28:22 | 000,223,232 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll
and
the "File not found" entries in O10 are how you tell it's ZA. Following are malware related but it probably won't help to remove them until we get rid of ZA.

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50370

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50370

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 03 44 E3 04 87 E8 16 45 B9 66 E0 F8 8A 71 5D D8 [binary data]

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 03 44 E3 04 87 E8 16 45 B9 66 E0 F8 8A 71 5D D8 [binary data]


[2011/12/10 16:26:17 | 000,011,250 | -HS- | C] () -- C:\Users\laptop\AppData\Local\h4il76w5ag3ffl
[2011/12/10 16:26:17 | 000,011,250 | -HS- | C] () -- C:\ProgramData\h4il76w5ag3ffl
[2011/07/24 21:31:31 | 000,000,120 | ---- | C] () -- C:\Users\laptop\AppData\Local\Uwitobabamisaba.dat
[2011/07/24 21:31:31 | 000,000,000 | ---- | C] () -- C:\Users\laptop\AppData\Local\Cyuqa.bin
[2010/10/25 10:54:39 | 000,000,221 | -HS- | C] () -- C:\ProgramData\743822685
[2010/10/25 10:54:38 | 000,001,185 | ---- | C] () -- C:\ProgramData\209714801
[2010/10/25 10:53:37 | 000,000,208 | ---- | C] () -- C:\ProgramData\sl1303660495

Turn off or pause you anti-virus. Delete the old Combofix. Boot into Safe Mode with Networking and Download it again from

http://download.blee...Bs/ComboFix.exe
or
http://subs.geekstogo.com/ComboFix.exe

at the same time as you download it, rename it to explorer.exe and save it to your desktop. Right click on it and Run as Admin. See if it will run now.


Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe (Vista or Win 7 must right click and Run As Admin)
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.


Run TDSSKiller again but this time:
before you hit the Scan hit Change Parameters and check the two items under Additional Options. OK then Scan.
In this mode it is prone to false positives so do not change the SKIP option to DELETE unless it says TDSS.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Download aswMBR.exe ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
uncheck trace disk IO calls
Click the "Scan" button to start scan
On completion of the scan (Note if the Fix button is enabled (not the FixMBR button) and tell me) click save log, save it to your desktop and post in your next reply



Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.

Do the following:
Start -> Run
type diskmgmt.msc
Click "OK"

Disk Management will open.

Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

Take a screen Shot of the Disk Management Window and attach the screen shot to your reply.
http://graphicssoft....nscreenshot.htm Save the file as a .jpg or the forum won't allow it.


Run OTL, Quickscan and post the log.

If your friend decides to reformat make sure you wipe the drive first. This infection sometimes creates its own hidden partition and infects the MBR so that a simple reinstall won't do the job.

Ron

[RKinner]

It's the Zero Access rootkit.

MOD - [2009/04/11 01:28:22 | 000,223,232 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2009/04/11 01:28:22 | 000,223,232 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll
and
the "File not found" entries in O10 are how you tell it's ZA. Following are malware related but it probably won't help to remove them until we get rid of ZA.

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50370

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50370

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 03 44 E3 04 87 E8 16 45 B9 66 E0 F8 8A 71 5D D8 [binary data]

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 03 44 E3 04 87 E8 16 45 B9 66 E0 F8 8A 71 5D D8 [binary data]


[2011/12/10 16:26:17 | 000,011,250 | -HS- | C] () -- C:\Users\laptop\AppData\Local\h4il76w5ag3ffl
[2011/12/10 16:26:17 | 000,011,250 | -HS- | C] () -- C:\ProgramData\h4il76w5ag3ffl
[2011/07/24 21:31:31 | 000,000,120 | ---- | C] () -- C:\Users\laptop\AppData\Local\Uwitobabamisaba.dat
[2011/07/24 21:31:31 | 000,000,000 | ---- | C] () -- C:\Users\laptop\AppData\Local\Cyuqa.bin
[2010/10/25 10:54:39 | 000,000,221 | -HS- | C] () -- C:\ProgramData\743822685
[2010/10/25 10:54:38 | 000,001,185 | ---- | C] () -- C:\ProgramData\209714801
[2010/10/25 10:53:37 | 000,000,208 | ---- | C] () -- C:\ProgramData\sl1303660495

Turn off or pause you anti-virus. Delete the old Combofix. Boot into Safe Mode with Networking and Download it again from

http://download.blee...Bs/ComboFix.exe
or
http://subs.geekstogo.com/ComboFix.exe

at the same time as you download it, rename it to explorer.exe and save it to your desktop. Right click on it and Run as Admin. See if it will run now.


Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe (Vista or Win 7 must right click and Run As Admin)
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.


Run TDSSKiller again but this time:
before you hit the Scan hit Change Parameters and check the two items under Additional Options. OK then Scan.
In this mode it is prone to false positives so do not change the SKIP option to DELETE unless it says TDSS.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Download aswMBR.exe ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
uncheck trace disk IO calls
Click the "Scan" button to start scan
On completion of the scan (Note if the Fix button is enabled (not the FixMBR button) and tell me) click save log, save it to your desktop and post in your next reply



Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.

Do the following:
Start -> Run
type diskmgmt.msc
Click "OK"

Disk Management will open.

Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

Take a screen Shot of the Disk Management Window and attach the screen shot to your reply.
http://graphicssoft....nscreenshot.htm Save the file as a .jpg or the forum won't allow it.


Run OTL, Quickscan and post the log.

If your friend decides to reformat make sure you wipe the drive first. This infection sometimes creates its own hidden partition and infects the MBR so that a simple reinstall won't do the job.

Ron

[mikeloeven]

well combo fix does run and i did try renaming it but it gets to the please wait while scanning and hangs

out of curiosity how are the redirects performed i checked the proxy settings and proxy enable was 0 ? thats why i thought the viral proxy was dormant or deleted

Edited by mikeloeven, 15 December 2011 - 07:16 AM.

[RKinner]

It's a bit complex but the thing makes its own hidden partition and sometimes infects the MBR too. As you can see from the OTL scan it is creating its own mswsock.dll file located on the hidden partition. All TCP/IP traffic passes through this on its way to the internet so it's easy to redirect here. Don't need the proxy any more. (That's probably from another infection. I see at least three different infections over the last two years.) If you want to read up on it:

This writeup is a bit dated now but it will give you an idea of how it works. The thing is continually evolving.
http://resources.inf...meware-rootkit/

See if you can get any of the other scans to work. TDSSKiller is also ZA aware and sometimes will fix some of it.

Once you have tried the other scans, first look at the output from the Disk Management (If that one doesn't seem to work then try it from Start, Programs, Accessories, right click on Command Prompt and Run as Admin). We are looking for a small partition without a drive letter or name. Usually either a bit less than 2 GB or 8GB. Note the size (Sometimes you see some leftover disk capacity in the 20 MB range. That can be ignored.) Then:

Preferably from a clean computer, I need you to download: gparted-live-0.10.0-3.iso (115.1 MB)
Windows Vista 32-Bit (x86) Recovery Environment

Create a bootable CD, 1 for Gparted and 1 for the Windows Vista Recovery Enviroment, from the ISO images. You can use ImgBurn do this.

Now boot off of the newly created Gparted CD.


You should be here...
Press ENTER


By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.


Choose your language and press ENTER. English is default [33]


Once again, at this prompt, press ENTER

You will now be taken to the main GUI screen below

According to your logs, the partition that you want to delete is
SIZE OF PARTITION TO REMOVE GOES HERE (Normally I change this line to the correct size)
Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions:


Now you should be here:



Is "boot" next to your OS drive?

If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in boot like the picture below:


Now double-click the button.

You should receive a small pop up like this:

Choose reboot and then press OK.

Now reboot from the Windows Vista Recovery Environment CD and execute the following commands:

• bootrec /FixMbr
• bootrec /FixBoot
• exit

Once back in Windows.

Download MBRCheck.exe to your desktop.

• Be sure to disable your security programs
• Double click on the file to run it (Confirm the UAC prompt)
• A window will open on your desktop
• if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
• If nothing unusual is found just press Enter
• A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
• Attach that file.

try the following:

Copy the text in the code box by highlighting and Ctrl + c

:processes
killallprocesses

:OTL
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50370
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50370
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 03 44 E3 04 87 E8 16 45 B9 66 E0 F8 8A 71 5D D8 [binary data]
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 03 44 E3 04 87 E8 16 45 B9 66 E0 F8 8A 71 5D D8 [binary data]
O2 - BHO: (no name) - -{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No CLSID value found.
O2 - BHO: (no name) - -{DBC80044-A445-435B-BC74-9C25C1C588A9} - No CLSID value found.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
[2011/12/10 16:26:17 | 000,011,250 | -HS- | C] () -- C:\Users\laptop\AppData\Local\h4il76w5ag3ffl
[2011/12/10 16:26:17 | 000,011,250 | -HS- | C] () -- C:\ProgramData\h4il76w5ag3ffl
[2011/07/24 21:31:31 | 000,000,120 | ---- | C] () -- C:\Users\laptop\AppData\Local\Uwitobabamisaba.dat
[2011/07/24 21:31:31 | 000,000,000 | ---- | C] () -- C:\Users\laptop\AppData\Local\Cyuqa.bin
[2010/10/25 10:54:39 | 000,000,221 | -HS- | C] () -- C:\ProgramData\743822685
[2010/10/25 10:54:38 | 000,001,185 | ---- | C] () -- C:\ProgramData\209714801
[2010/10/25 10:53:37 | 000,000,208 | ---- | C] () -- C:\ProgramData\sl1303660495

:files
xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C
reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2\Parameters %userprofile%\Desktop\windsock2.reg /c
    
:Commands
[EMPTYFLASH]
[EMPTYJAVA]
[purity]
[Reboot]

then Rightclick on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text. Verify that you got it all and Then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top
Let the program run unhindered, OTL will reboot the PC when it is done.

Then try Combofix again. Make sure you have no antivirus running and that you right click and Run As Admin.

IF all else fails try making Hiren's boot CD. http://www.hirensbootcd.org/download/ it's a zip file so unzip it. Find the .iso and use something like free iso burner http://www.freeisoburner.com/ to burn it. Boot off it, run the miniXP and see if you can get Combofix to run from there. I've never tried it but if the miniXP can download and install the free Avast http://www.avast.com...ivirus-download then you can run a boot-time scan


Click on the Avast ball. Then click on Scan Computer, then on
Boot-Time Scan then on Settings. Change the Ask at the bottom to Move to Chest. OK then Schedule Now. Remove the CD. Reboot and let it run a scan. It may take hours.
Once it finishes it should load windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. How many did it find?

Other possibilities:

Create an AVG boot disk and let it scan the system.
http://www.geekstogo...ystem-tutorial/

Bitdefender TDSS removal tool:
http://www.malwareci...eware-1221.html

[mikeloeven]

i figured i would save some time and use the partition manager on my working tech machine just activated deep freeze and plug the drive in as an external.

this is what i got not sure if gparted can detect things partition wizard cant but i found two odd partitions. one was called mediadirect and it looks like a recovery partition which makes no sense since there is already a recovery partition. additionally i saw a partition labled *: but when i explored it it looked like the dell 32bit diag partition.

so my bets are on media direct but i could be missing something.



out of curiosity is it possible to run combofix on my tech machine with a command line switch that makes it target the offline operating system on the infected drive

Attached Thumbnails

• 

[RKinner]

If the sick PC is a Dell then MediaDirect is probably legit. see: http://en.wikipedia....ell_MediaDirect From what I see this is not one of the infections that uses the extra partition.


Don't think Combofix knows how to work on anything but the operating drive.

You can run MBRCheck on the current PC and it will also report the status of the slaved drive. This would be more accurate than when the drive is installed.
Download

http://ad13.geekstogo.com/MBRCheck.exe

Save it and run it. It will produce a log MBRCheck(date).txt on your desktop. Copy and paste it into a reply.

You can manually delete the files in the OTL script if you haven't run OTL yet.

C:\Users\laptop\AppData\Local\h4il76w5ag3ffl
C:\ProgramData\h4il76w5ag3ffl
C:\Users\laptop\AppData\Local\Uwitobabamisaba.dat
C:\Users\laptop\AppData\Local\Cyuqa.bin
C:\ProgramData\743822685
C:\ProgramData\209714801
C:\ProgramData\sl13036604957

[mikeloeven]

i am going to have to reinstall the otl fix removed the hijack but left the computer unable to install updates and i have tried to fix this several ways with no success.

[RKinner]

Your call but we may be able to fix the update issue.


Right click on (My) Computer and select Manage (Continue) Then the Event Viewer. Next select Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application. Reboot.

Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator. Then type (with an Enter after each line).

sfc /scannow

(SPACE after sfc. This will check your critical system files. If it asks for a CD and you don't have one or it doesn't like your CD just tell it to SKIP.)

sigverif

Press Start in the new window. This will check your drivers. If you just get a few when it finishes tell me what they are. If you get a lot just look for those with newish dates (since about the time the problem started.)


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.


Copy the next line:

net start > \junk.txt

Start, Programs. Accessories then right click on Command Prompt and Run as Admin.

right click and Paste or Edit then Paste and the copied line should appear. Hit Enter.

Open the file C:\junk.txt and copy and paste it into a reply.

Ron

[mikeloeven]

Dont have a vista SP2 disk and dont want the hastle of slipstreaming one

Edited by mikeloeven, 20 December 2011 - 08:09 AM.

[RKinner]

Doesn't matter if you have the disk. Just run sfc anyway. With Vista it works a lot better than XP. It will still complain that it couldn't fix everything but it will usually just be a .ini file.

If you want to see what it can't fix then:

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Type with an Enter after each line:

cd  \windows\logs\cbs

copy  cbs.log  cbs.old

del  cbs.log

sfc  /scannow

findstr  /c:"[SR]"  cbs.log  >  junk.txt 

attach the file \windows\logs\cbs\junk.txt to your next reply.

[mikeloeven]

Sorry i forgot to close this issue but i ended up reinstalling the OS i couldn't get sfc to fix it.