Windows Security 2012, Ping.exe, Google Redirect - did I get them all?


#1 JLLutseck
New Member, 3 posts
My netbook started running veeerrrry slowly after I watched a TV stream online.

I ran Microsoft Security Essentials and Malwarebytes Anti-Malware, and they caught a few things, so I figured I was good.

THEN Windows Security 2012 popped up and disabled MSE. MBAM wouldn't work as an exe, so I renamed it to mbam.com, and it ran and caught another dozen or so items. Again, I thought I was alright, and I downloaded and ran CCleaner, cleaned up a lot of junk, uninstalled things I didn't really want or need on this tiny netbook.

Then, after a reboot, my computer began to run even more slowly than ever. I checked the task manager and noticed ping.exe was using 80% of my CPU, and tried to close it. It popped right back up. I went to Google "ping.exe" and got redirected.

I came here, and downloaded OTL, OTM, Goored, and TDSSKiller. I ran OTM, Goored, and TDSSKiller as recommended to get rid of a Google redirect. After the reboot, ping.exe is not appearing, the Google redirect seems to be cured, and Windows Security 2012 still seems to be gone.

I just want to make sure that I've really gotten rid of all the bad guys... Thanks for your help! Here's my OTL log:

OTL logfile created on: 12/18/2011 8:00:34 PM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Program Files\OldTimers
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.55 Gb Available Physical Memory | 77.87% Memory free
1.84 Gb Paging File | 1.58 Gb Available in Paging File | 85.79% Paging File free
Paging file location(s): [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 7.48 Gb Total Space | 1.73 Gb Free Space | 23.14% Space Free | Partition Type: NTFS

Computer Name: TIGGY | User Name: Asus | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/18 04:22:12 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Program Files\OldTimers\OTL.exe
PRC - [2011/12/17 11:03:20 | 000,508,928 | ---- | M] () -- C:\WINDOWS\svcs.exe
PRC - [2010/11/30 12:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/11/11 11:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2008/09/30 17:46:18 | 007,418,368 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2008/09/30 17:46:12 | 007,424,000 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2008/07/24 18:07:40 | 000,335,872 | ---- | M] (ELANTECH Devices Corp.) -- C:\Program Files\Elantech\ETDCTRL.EXE
PRC - [2008/07/23 11:22:42 | 000,098,304 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\EeePC\ACPI\AsTray.exe
PRC - [2008/07/23 11:04:56 | 000,479,232 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
PRC - [2008/05/21 00:56:24 | 000,094,208 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\EeePC\ACPI\AsEPCMon.exe
PRC - [2008/04/14 07:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/20 09:04:52 | 000,046,432 | ---- | M] (Microsoft® Corporation) -- C:\Program Files\Microsoft Works\WkCalRem.exe
PRC - [2007/03/30 06:00:00 | 000,182,272 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATICLA.EXE


========== Modules (No Company Name) ==========

MOD - [2011/12/17 11:03:20 | 000,508,928 | ---- | M] () -- C:\WINDOWS\svcs.exe
MOD - [2010/03/15 10:28:22 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2008/07/29 14:55:14 | 000,969,728 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\program\libxml2.dll
MOD - [2003/08/25 10:49:30 | 000,078,848 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\LXBMPP5C.DLL


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/12/17 11:03:20 | 000,508,928 | ---- | M] () [Auto | Running] -- C:\WINDOWS\svcs.exe -- (NetworkLog)
SRV - [2010/11/11 11:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)


========== Driver Services (SafeList) ==========

DRV - [2011/12/18 19:55:58 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1D5B1098-9B76-4577-922B-F6CE2E2528A8}\MpKslb76559a8.sys -- (MpKslb76559a8)
DRV - [2011/12/18 19:23:21 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1D5B1098-9B76-4577-922B-F6CE2E2528A8}\MpKsld34bd238.sys -- (MpKsld34bd238)
DRV - [2010/02/11 07:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2008/07/16 17:52:00 | 004,747,776 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/07/10 09:33:40 | 000,306,176 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtl8187Se.sys -- (rtl8187Se)
DRV - [2008/03/11 06:37:00 | 000,036,864 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\l1e51x86.sys -- (L1e)
DRV - [2007/07/26 19:00:38 | 000,011,264 | ---- | M] (ASUSTeK Computer Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASUSACPI.SYS -- (AsusACPI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/m/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:2.0.1
FF - prefs.js..extensions.enabledItems: [email protected]:1.1.2
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.3.5

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.22\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/28 00:21:07 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.22\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/09/27 14:05:02 | 000,000,000 | ---D | M]

[2010/11/03 15:55:44 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Extensions
[2011/12/17 23:20:17 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions
[2010/11/06 22:25:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{080955ad-b8bb-4500-806f-d2b9ad73d72e}
[2010/11/06 22:25:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{0f97d130-bd1a-11dd-ad8b-0800200c9a66}
[2010/11/06 22:25:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{13654939-2AED-42f2-8786-5C286EAD91A9}
[2010/11/06 22:25:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{182fcd90-5b20-11dd-ae16-0800200c9a66}
[2011/12/08 02:33:59 | 000,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2010/11/06 22:25:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{1e78d6c6-55d1-11dc-8314-0800200c9a66}
[2010/11/06 22:25:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{241aae70-0022-11de-87af-0800200c9a66}
[2010/11/06 22:25:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{285da7e0-729d-11db-9fe1-0800200c9a66}
[2010/11/06 22:25:15 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{39fdebe2-176a-423f-94f6-fee9aded7a9f}
[2010/11/06 22:25:15 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{3ffb7be0-8bde-11de-8a39-0800200c9a66}
[2010/11/06 22:25:15 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{40397044-467d-11dc-8314-0800200c9a66}
[2010/11/06 22:25:15 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{5A170DD3-63CA-4c58-93B7-DE9FF536C2FF}
[2010/11/06 22:25:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{a02c0c70-605c-11da-8cd6-0800200c9a66}
[2010/11/06 22:25:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{a78f0ac6-753b-491b-9021-cd2aec3502d9}
[2010/11/06 22:25:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{BB359C50-BFC9-4f40-8302-3FE5A499A859}
[2010/11/06 22:25:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{BF32D2C8-9C75-404b-ACF4-880DB4679236}
[2010/11/06 22:25:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{c0bf5e00-5b6e-11dd-ae16-0800200c9a66}
[2010/11/06 22:25:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{C288E3D6-3588-4b60-BD4A-7413899D269B}
[2010/11/06 22:25:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{c8f71e5b-88f8-42a7-98bb-e4c506161de9}
[2011/12/15 00:08:46 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/11/06 22:25:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{d62e0de0-401b-11dd-ae16-0800200c9a66}
[2010/11/06 22:25:17 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{dd30bf68-268a-4815-ad48-8740b774c764}
[2010/11/06 22:25:17 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{de5809e0-2b07-11dd-bd0b-0800200c9a66}
[2010/11/06 22:25:17 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{E10677F8-D6C2-4ce3-B67F-E14AEC452099}
[2010/11/06 22:25:17 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{EA88F3BB-0667-4ab4-925F-FE66EA9F1875}
[2010/11/06 22:25:17 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2010/11/06 22:25:17 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{f7ec1807-0076-495a-949c-eaf4716fe412}
[2010/11/06 22:25:17 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{ff356687-aa08-463d-a46c-11c451824939}
[2010/11/06 22:25:17 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\{ffd21f55-3cdf-4639-b061-77d656a0ead9}
[2010/11/06 22:25:12 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\[email protected]
[2010/11/06 22:25:12 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\[email protected]
[2010/11/06 22:25:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\[email protected]
[2011/10/14 15:33:51 | 000,000,000 | ---D | M] (Element Hiding Helper for Adblock Plus) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\[email protected]
[2010/11/06 22:25:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\[email protected]
[2010/11/06 22:25:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\[email protected]
[2010/11/06 22:25:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\[email protected]
[2010/11/06 22:25:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\[email protected]
[2010/11/06 22:25:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\[email protected]
[2010/11/06 22:25:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\[email protected]
[2010/11/06 22:25:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asus\Application Data\Mozilla\Firefox\Profiles\gzqotnqn.default\extensions\[email protected]
[2011/12/17 23:20:17 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/14 05:56:19 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF

Hosts file not found
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [egui] "egui.exe" /hide /waitservice File not found
O4 - HKLM..\Run: [ETDWare] C:\Program Files\Elantech\ETDCTRL.EXE (ELANTECH Devices Corp.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Auto EPSON Stylus Photo RX595 Series on KALIS2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICLA.EXE (SEIKO EPSON CORPORATION)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wkcalrem.LNK = C:\Program Files\Microsoft Works\WkCalRem.exe (Microsoft® Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000030 - mswsock.dll File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Asus\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Asus\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/07/17 22:55:33 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{9f487398-f426-11e0-9426-002243128804}\Shell - "" = AutoRun
O33 - MountPoints2\{9f487398-f426-11e0-9426-002243128804}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9f487398-f426-11e0-9426-002243128804}\Shell\AutoRun\command - "" = D:\setup.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2011/12/18 19:53:53 | 000,000,000 | ---D | C] -- C:\_OTM
[2011/12/18 19:51:57 | 000,000,000 | ---D | C] -- C:\Program Files\GooredFix
[2011/12/18 19:41:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft
[2011/12/18 19:32:17 | 000,000,000 | ---D | C] -- C:\Program Files\OldTimers
[2011/12/18 19:30:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Security
[2011/12/18 19:15:53 | 000,000,000 | ---D | C] -- C:\Program Files\tdsskiller
[2011/12/17 23:59:01 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Asus\Recent
[2011/12/17 23:16:20 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/12/17 12:26:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/12/17 12:26:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/12/17 04:56:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/12/17 03:40:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/12/17 03:39:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/12/06 23:42:05 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/11/26 01:43:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
[2011/11/26 01:40:55 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2011/11/26 01:12:43 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Asus\My Documents\My Videos
[2011/11/26 01:11:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asus\Application Data\DivX
[2011/11/26 00:44:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DivX
[2011/11/20 18:32:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\boost_interprocess
[2009/07/18 00:22:14 | 015,523,560 | ---- | C] (Macrovision Corporation) -- C:\Program Files\U1 Setup.exe
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/12/18 20:01:07 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/12/18 19:54:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/18 02:41:20 | 000,380,918 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/12/18 02:41:20 | 000,053,166 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/12/17 23:38:01 | 203,635,944 | ---- | M] () -- C:\Documents and Settings\Asus\My Documents\Law Office.zip
[2011/12/17 11:03:20 | 000,508,928 | ---- | M] () -- C:\WINDOWS\svcs.exe
[2011/12/17 03:01:00 | 000,016,364 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\xfspnw3u5ddu0apq5oxm1p687g8l
[2011/12/17 03:00:57 | 000,016,364 | -HS- | M] () -- C:\Documents and Settings\Asus\Local Settings\Application Data\xfspnw3u5ddu0apq5oxm1p687g8l
[2011/12/12 13:22:43 | 000,000,442 | ---- | M] () -- C:\Documents and Settings\Asus\Application Data\wklnhst.dat
[2011/12/06 23:42:05 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/17 23:32:57 | 203,635,944 | ---- | C] () -- C:\Documents and Settings\Asus\My Documents\Law Office.zip
[2011/12/17 11:03:18 | 000,508,928 | ---- | C] () -- C:\WINDOWS\svcs.exe
[2011/12/17 02:35:25 | 000,016,364 | -HS- | C] () -- C:\Documents and Settings\Asus\Local Settings\Application Data\xfspnw3u5ddu0apq5oxm1p687g8l
[2011/12/17 02:35:25 | 000,016,364 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\xfspnw3u5ddu0apq5oxm1p687g8l
[2011/10/14 13:29:14 | 000,000,281 | ---- | C] () -- C:\WINDOWS\EReg072.dat
[2011/09/08 14:20:43 | 000,000,025 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2011/09/08 14:20:41 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2011/01/29 23:10:08 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2011/01/29 23:10:07 | 000,073,220 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2011/01/29 23:10:07 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat
[2011/01/29 23:10:07 | 000,029,114 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2011/01/29 23:10:07 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat
[2011/01/29 23:10:07 | 000,021,021 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2011/01/29 23:10:07 | 000,015,670 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2011/01/29 23:10:07 | 000,013,280 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2011/01/29 23:10:07 | 000,010,673 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2011/01/29 23:10:07 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2011/01/29 23:10:07 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2011/01/29 23:10:07 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2011/01/29 23:10:07 | 000,001,137 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2011/01/29 23:10:07 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2011/01/29 23:10:07 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2011/01/29 23:10:07 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2010/11/09 05:50:27 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Asus\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/06 18:27:46 | 000,000,442 | ---- | C] () -- C:\Documents and Settings\Asus\Application Data\wklnhst.dat
[2010/07/12 16:36:19 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Asus\Local Settings\Application Data\fusioncache.dat
[2010/04/07 19:49:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/07/18 06:33:01 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/07/18 06:30:50 | 000,178,648 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/07/17 23:17:29 | 000,049,152 | ---- | C] () -- C:\WINDOWS\INSTALLEEE.EXE
[2009/07/17 23:10:37 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4704.dll
[2009/07/17 23:08:20 | 000,000,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\SamSfPa.dat
[2009/07/17 23:06:12 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/07/17 23:01:16 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/07/17 22:47:33 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/08/01 20:51:35 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2008/07/18 01:19:18 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/04/25 00:08:42 | 000,005,312 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/04/25 00:06:02 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/25 00:05:48 | 000,380,918 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/25 00:05:48 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/25 00:05:48 | 000,053,166 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/25 00:05:48 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/25 00:05:43 | 000,004,562 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/25 00:05:42 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/25 00:05:38 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2008/04/25 00:04:59 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/25 00:04:59 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/25 00:03:59 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/25 00:03:43 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/03/19 20:58:30 | 000,000,173 | ---- | C] () -- C:\WINDOWS\explorer.exe.config
[2008/03/17 14:54:36 | 000,012,208 | ---- | C] () -- C:\WINDOWS\AsTrayLang.ini
[2004/01/13 18:15:18 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\LXBMIH.EXE
[2004/01/13 18:06:46 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\LXBMLCNP.DLL
[2003/06/13 06:53:38 | 000,000,187 | ---- | C] () -- C:\WINDOWS\System32\lxbmcoin.ini
[2002/11/13 10:40:22 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxbmvs.dll
[2001/01/19 10:50:20 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\INSTMON.EXE

========== Alternate Data Streams ==========

@Alternate Data Stream - 232 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:24FECE50
@Alternate Data Stream - 213 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:61AF2B29
@Alternate Data Stream - 193 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D507B5A8

< End of report >
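As an added example (not part of the post above and not OTL's own code), the script below parses the entry formats visible in the log just posted (PRC/SRV/DRV lines, O4 Run keys, file entries with their attribute flags, and alternate-data-stream lines) and flags the kinds of lines a volunteer analyst reads first: a recently created binary with an empty company name, an executable sitting directly in the Windows folder, hidden+system files with random-looking names, Run keys pointing at a file that no longer exists, and alternate data streams. The reason labels, the 30-day "recent" window, the name-randomness test and the sample lines (copied from the log above into a constructed string) are this example's own assumptions, and a flag means "look at this", not "this is malicious".

```python
"""Triage heuristics for OTL-style scan logs (added example, not OTL's code)."""
import re
from datetime import datetime, timedelta

# Bracketed metadata OTL prints in front of file entries:
# [YYYY/MM/DD HH:MM:SS | size | attributes | C|M]
META = re.compile(
    r"\[(?P<date>\d{4}/\d{2}/\d{2}) \d{2}:\d{2}:\d{2} \| [\d,]+ \| "
    r"(?P<attrs>[A-Z-]{4}) \| [CM]\]"
)
# "(Company)" then an optional "[Auto | Running]" block, then " -- path";
# the path ends at end of line or at a trailing " -- (ServiceName)".
COMPANY_PATH = re.compile(
    r"\((?P<company>[^)]*)\)(?: \[[^\]]*\])? -- (?P<path>.+?)(?: -- \(|$)"
)
BINARY_EXT = (".exe", ".dll", ".sys")

# Sample lines constructed from the log format shown in the post above.
SAMPLE_LOG = r"""
PRC - [2011/12/17 11:03:20 | 000,508,928 | ---- | M] () -- C:\WINDOWS\svcs.exe
PRC - [2010/11/30 12:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
SRV - [2011/12/17 11:03:20 | 000,508,928 | ---- | M] () [Auto | Running] -- C:\WINDOWS\svcs.exe -- (NetworkLog)
DRV - [2010/02/11 07:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
O4 - HKLM..\Run: [egui] "egui.exe" /hide /waitservice File not found
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
[2011/12/17 03:01:00 | 000,016,364 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\xfspnw3u5ddu0apq5oxm1p687g8l
[2011/12/06 23:42:05 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
@Alternate Data Stream - 232 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:24FECE50
"""
LOG_DATE = datetime(2011, 12, 18)  # date in the log header; "recent" is measured from it


def random_looking(path):
    """True for a long, extension-less, lowercase alphanumeric file name (assumed heuristic)."""
    name = path.rsplit("\\", 1)[-1]
    return ("." not in name and len(name) >= 16
            and re.fullmatch(r"[a-z0-9]+", name) is not None
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def triage(lines, log_date, recent_days=30):
    """Return {entry: sorted reasons} for log entries that deserve a closer look."""
    findings = {}

    def flag(key, reason):
        findings.setdefault(key, set()).add(reason)

    for raw in lines:
        line = raw.strip()
        if line.startswith("@Alternate Data Stream") and "-> " in line:
            flag(line.split("-> ", 1)[1], "alternate-data-stream")
            continue
        # Autorun entry whose target is gone: usually an uninstall leftover, still worth a look.
        if line.startswith("O4 - ") and line.endswith("File not found"):
            flag(line[len("O4 - "):], "orphan-run-key")
            continue
        meta, cp = META.search(line), COMPANY_PATH.search(line)
        if not (meta and cp):
            continue  # section headers, directory entries, lines without a path
        path, company = cp.group("path").strip(), cp.group("company").strip()
        low = path.lower()
        age = log_date - datetime.strptime(meta.group("date"), "%Y/%m/%d")
        if low.endswith(BINARY_EXT) and not company and age <= timedelta(days=recent_days):
            flag(path, "recent-binary-no-company")
        # An executable directly in the Windows folder with no publisher is unusual for OS files.
        if low.endswith(".exe") and not company and re.fullmatch(r"[a-z]:\\windows\\[^\\]+", low):
            flag(path, "exe-in-windows-root")
        attrs = meta.group("attrs")
        if "H" in attrs and "S" in attrs and random_looking(path):
            flag(path, "hidden-system-random-name")
    return {key: sorted(reasons) for key, reasons in findings.items()}


def triage_sample():
    """Run the heuristics over the constructed sample log."""
    return triage(SAMPLE_LOG.splitlines(), LOG_DATE)


if __name__ == "__main__":
    for entry, reasons in triage_sample().items():
        print(f"{', '.join(reasons):45} {entry}")
```

The same script can be pointed at a full OTL.txt with `triage(open("OTL.txt", encoding="utf-8", errors="replace"), LOG_DATE)`; the date should then be taken from that log's own header line. Entries that appear in several sections (a process, a service and a "files modified" line for the same file) collapse into one key with all of their reasons.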
#2 RKinner
Malware Expert, 20,028 posts, MVP
ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.

It must be saved to your desktop; do not run it.

Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on ComboFix to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe (Vista or Win 7 must right click and Run As Admin)
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file named "TDSSKiller.txt" should be created on your C: drive; please copy and paste its contents in your next reply.


Run TDSSKiller again, but this time:
Before you hit Scan, hit Change Parameters and check the two items under Additional Options. Click OK, then Scan.
In this mode it is prone to false positives, so do not change the SKIP option to DELETE unless it says TDSS.
When done, a log file named "TDSSKiller.txt" should be created on your C: drive; please copy and paste its contents in your next reply.

Download aswMBR.exe (511KB) to your desktop.
Double click aswMBR.exe to run it.
Uncheck "trace disk IO calls".
Click the "Scan" button to start the scan.
On completion of the scan, click Save log, save it to your desktop and post it in your next reply. (Note whether the Fix button is enabled (not the FixMBR button) and tell me.)



Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.

Do the following:
Start -> Run
type diskmgmt.msc
Click "OK"

Disk Management will open.

Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

Take a screenshot of the Disk Management Window and attach the screenshot to your reply.
http://graphicssoft....nscreenshot.htm Save the file as a .jpg or the forum won't allow it.


Run OTL, Quickscan and post the log.

Ron

#3
JLLutseck (Topic Starter, New Member, 3 posts)
Hey, thanks for the help :)

Combofix log:
Attached File  ComboFix.txt   301bytes   41 downloads

TDSSKiller log:
Attached File  TDSSKiller.2.6.25.0_24.12.2011_05.21.02_log.txt   89.88KB   39 downloads

aswMBR log:
Attached File  aswMBR.txt   1.56KB   40 downloads

Malwarebytes' Anti-Malware log:
Attached File  mbam-log-2011-12-24 (05-42-10).txt   907bytes   35 downloads

Disk Management JPG:
diskmgmt.JPG

Edited by JLLutseck, 24 December 2011 - 05:08 AM.


#4
RKinner (Malware Expert, 20,028 posts, MVP)
Combofix did not finish.

Try booting into Safe Mode with Networking and then run Combofix again (remember to pause your antivirus).


(Reboot and when you see the maker's logo, hear a beep or it talks about F8, start tapping the F8 key slowly. Keep tapping until the Safe Mode Menu appears and choose Safe Mode with Networking. Login with your usual login.)

Let it run for at least an hour after you think it is not running.

#5
JLLutseck (Topic Starter, New Member, 3 posts)
"Combofix did not finish... Let it run for at least an hour after you think it is not running."

So when it pops up a notification box saying it's finished, it's not really finished? I let the thing run for nearly four hours. It said it found a rootkit, and it reloaded twice during that time.

Edited by JLLutseck, 26 December 2011 - 12:41 PM.


#6
RKinner (Malware Expert, 20,028 posts, MVP)
See if there is a new combofix.txt log in C:\ or C:\combofix\. If so, copy and paste it.