file window lacks OPEN so can't upload attachment [Solved]


This topic is locked

#31
cinbar (Member, Topic Starter, 45 posts)

Dakeyras,

Everything is back to normal size now--the desktop icons, the home page and subsequent websites I went to, and all parts of Yahoo email.

I did the OTL log first, minimized the notepad of it and was going to copy and post the two logs to you. RK killed the notepad of the OTL log, so I will post it in a separate reply next. Thanks, cinbar

Here is the RK log

RogueKiller V7.6.4 [07/17/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: user [Admin rights]
Mode: Scan -- Date: 07/21/2012 12:49:17

¤¤¤ Bad processes: 1 ¤¤¤
[HJ NAME] notepad.exe -- C:\WINDOWS\notepad.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 3 ¤¤¤
[BLACKLIST DLL] HKUS\S-1-5-19_Classes[...]\Run : Adobe (rundll32.exe "C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Adobe\pqkdeuds.dll",DllRegisterServer) -> FOUND
[BLACKLIST DLL] HKUS\S-1-5-20_Classes[...]\Run : Adobe (rundll32.exe "C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Adobe\pqkdeuds.dll",DllRegisterServer) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
˙ž1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST320011A +++++
--- User ---
[MBR] a3681b55d67af046e91d4f24cfcdad33
[BSP] 8442c2b5addc63dc93bc83c45a66ea41 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 19085 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt
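The RogueKiller report above is the kind of output a responder reads by hand. What follows is an added example, not part of this thread and not RogueKiller's or OTL's code, that parses the registry findings it lists and spells out why the "Adobe" Run value deserves the attention Dakeyras gives it in post #33: rundll32.exe loading a DLL through DllRegisterServer from a user-writable profile folder, registered under the LOCAL SERVICE and NETWORK SERVICE hives (S-1-5-19 and S-1-5-20), with a file name that has nothing to do with the vendor name it borrows. The [HJ NAME] notepad.exe line, which the post above notes cost cinbar the OTL window, is a process entry and is skipped by the parser. The indicators, their weighting and the [RUN] contrast line are assumptions constructed for illustration, not RogueKiller's own logic.

```python
"""Triage the registry findings in a RogueKiller-style report.

Added example for this thread; it is not RogueKiller's or OTL's code.
The indicators, their weighting and the [RUN] contrast line below are
constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines copied from the RogueKiller report posted above, plus one constructed
# [RUN] line in the same syntax so a benign autorun sits beside the bad one.
SAMPLE_LOG = r"""
¤¤¤ Bad processes: 1 ¤¤¤
[HJ NAME] notepad.exe -- C:\WINDOWS\notepad.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 3 ¤¤¤
[BLACKLIST DLL] HKUS\S-1-5-19_Classes[...]\Run : Adobe (rundll32.exe "C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Adobe\pqkdeuds.dll",DllRegisterServer) -> FOUND
[BLACKLIST DLL] HKUS\S-1-5-20_Classes[...]\Run : Adobe (rundll32.exe "C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Adobe\pqkdeuds.dll",DllRegisterServer) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[RUN] HKLM\[...]\Run : avast (C:\Program Files\AVAST Software\Avast\avastUI.exe) -> FOUND
"""

# One registry finding: [TAG] key : name (data) -> STATUS
ENTRY_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+"      # scanner category, e.g. [BLACKLIST DLL]
    r"(?P<key>\S+)\s*:\s*"          # registry key (RogueKiller abbreviates with [...])
    r"(?P<name>.+?)\s*"             # value name, or a GUID for a hijacked setting
    r"\((?P<data>.*)\)\s*"          # value data in parentheses
    r"->\s*(?P<status>\w+)\s*$"     # scanner status such as FOUND
)
# First Windows file path inside the value data (quoted or not).
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^",]+?\.(?:dll|exe|sys|ocx|scr))"?', re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"\\(?:Documents and Settings|Users)\\[^\\]+\\", re.IGNORECASE)
SERVICE_ACCOUNT_SIDS = ("S-1-5-19", "S-1-5-20")  # LOCAL SERVICE, NETWORK SERVICE


@dataclass
class Entry:
    tag: str
    key: str
    name: str
    data: str
    status: str
    path: Optional[str]
    hits: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if len(self.hits) >= 2:
            return "suspicious"
        return "review" if self.hits else "benign-looking"


def indicators(entry: Entry) -> List[str]:
    """Plain-language reasons a responder would distrust this autorun entry."""
    hits = []
    if entry.tag.upper().startswith(("BLACKLIST", "HJ")):
        hits.append(f"flagged by the scanner itself ({entry.tag})")
    data = entry.data.lower()
    if "rundll32" in data and "dllregisterserver" in data:
        hits.append("rundll32.exe calls DllRegisterServer at logon, so the DLL runs with no .exe of its own")
    if entry.path and USER_PROFILE_RE.search(entry.path):
        hits.append("payload sits in a user profile folder (user-writable), not Program Files or System32")
    if entry.path:
        base = entry.path.rsplit("\\", 1)[-1]
        if entry.name.lower() not in base.lower():
            hits.append(f"value name {entry.name!r} does not match the launched file {base!r}")
    if any(sid in entry.key for sid in SERVICE_ACCOUNT_SIDS):
        hits.append("Run value lives under a service-account hive (S-1-5-19/20), where desktop software does not belong")
    return hits


def parse_entries(log_text: str) -> List[Entry]:
    """Parse every registry finding; process and header lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        path_match = PATH_RE.search(m["data"])
        entry = Entry(m["tag"], m["key"], m["name"], m["data"], m["status"],
                      path_match.group(1) if path_match else None)
        entry.hits = indicators(entry)
        entries.append(entry)
    return entries


def payload_paths(entries: List[Entry]) -> List[str]:
    """Unique files behind suspicious entries: the list to quarantine or submit for analysis."""
    return sorted({e.path for e in entries if e.verdict == "suspicious" and e.path})


def main() -> None:
    entries = parse_entries(SAMPLE_LOG)
    for e in entries:
        print(f"[{e.verdict}] {e.key} : {e.name}")
        for hit in e.hits:
            print(f"    - {hit}")
    print("Files to collect:", *payload_paths(entries), sep="\n    ")


if __name__ == "__main__":
    main()
```

Both "Adobe" lines resolve to the same file, which is why `payload_paths` collapses them to one path; that single path is exactly what Dakeyras asks to have uploaded for analysis rather than deleted outright. The NewStartPanel hijack carries no file path, so it only scores "review": the scanner's own verdict is the one signal the parser has for it.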


#32
cinbar (Member, Topic Starter, 45 posts)

Dakeyras,

Here is the OTL log I just ran

OTL logfile created on: 7/21/2012 1:11:37 PM - Run 4
OTL by OldTimer - Version 3.2.54.0 Folder = C:\Documents and Settings\user\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.51 Mb Total Physical Memory | 151.04 Mb Available Physical Memory | 29.64% Memory free
1.22 Gb Paging File | 0.87 Gb Available in Paging File | 71.25% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.64 Gb Total Space | 10.61 Gb Free Space | 56.90% Space Free | Partition Type: NTFS
Drive D: | 53.63 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: BOURBON-160D789 | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/18 17:00:26 | 000,161,776 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2012/07/13 20:17:11 | 000,913,888 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/07/13 20:11:15 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\My Documents\Downloads\OTL.exe
PRC - [2012/07/03 12:21:30 | 004,273,976 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2012/07/03 12:21:29 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2011/01/17 19:37:40 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2011/01/17 19:37:40 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/16 04:09:40 | 000,429,480 | ---- | M] (Faronics Corporation) -- C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe


========== Modules (No Company Name) ==========

MOD - [2012/07/21 06:26:32 | 001,787,392 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\12072100\algo.dll
MOD - [2012/07/20 18:00:13 | 001,786,880 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\12072001\algo.dll
MOD - [2012/07/13 20:17:14 | 002,003,424 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/02/28 09:53:06 | 000,985,088 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\program\libxml2.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/07/18 17:00:26 | 000,161,776 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/07/13 20:17:12 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/07/11 19:13:03 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/07/03 12:21:29 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2008/01/16 04:09:40 | 000,429,480 | ---- | M] (Faronics Corporation) [Auto | Running] -- C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe -- (DF5Serv)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\npf.sys -- (NPF)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\bcmwlhigh5.sys -- (BCMH43XX)
DRV - [2012/07/03 12:21:54 | 000,054,232 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012/07/03 12:21:53 | 000,721,000 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012/07/03 12:21:53 | 000,353,688 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012/07/03 12:21:53 | 000,097,608 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2012/07/03 12:21:53 | 000,035,928 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (AswRdr)
DRV - [2012/07/03 12:21:53 | 000,021,256 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2012/07/03 12:21:52 | 000,025,256 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/09/30 20:15:00 | 001,759,584 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athuw.sys -- (AR9271)
DRV - [2004/08/03 18:29:50 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wVchNTxx.sys -- (iAimFP4)
DRV - [2004/08/03 18:29:48 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wSiINTxx.sys -- (iAimFP3)
DRV - [2004/08/03 18:29:46 | 000,025,471 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV10nt.sys -- (iAimTV5)
DRV - [2004/08/03 18:29:46 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wCh7xxNT.sys -- (iAimTV4)
DRV - [2004/08/03 18:29:46 | 000,022,271 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV06nt.sys -- (iAimTV6)
DRV - [2004/08/03 18:29:44 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV04nt.sys -- (iAimTV3)
DRV - [2004/08/03 18:29:44 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV02NT.sys -- (iAimTV1)
DRV - [2004/08/03 18:29:42 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV01nt.sys -- (iAimTV0)
DRV - [2004/08/03 18:29:42 | 000,011,871 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV09NT.sys -- (iAimFP7)
DRV - [2004/08/03 18:29:40 | 000,011,807 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV07nt.sys -- (iAimFP5)
DRV - [2004/08/03 18:29:40 | 000,011,295 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV08NT.sys -- (iAimFP6)
DRV - [2004/08/03 18:29:38 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\i81xnt5.sys -- (i81x)
DRV - [2004/08/03 18:29:38 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV01nt.sys -- (iAimFP0)
DRV - [2004/08/03 18:29:38 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV02NT.sys -- (iAimFP1)
DRV - [2004/08/03 18:29:38 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV05NT.sys -- (iAimFP2)
DRV - [2001/08/17 08:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {75ABDE28-AA4B-4F6F-9AA2-30F832CB1166}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{75ABDE28-AA4B-4F6F-9AA2-30F832CB1166}: "URL" = http://www.google.co...g}&sourceid=ie7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
IE - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\..\SearchScopes,DefaultScope = {75ABDE28-AA4B-4F6F-9AA2-30F832CB1166}
IE - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\..\SearchScopes\{75ABDE28-AA4B-4F6F-9AA2-30F832CB1166}: "URL" = http://www.google.co...1I7ADRA_enUS487
IE - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: ""
FF - prefs.js..browser.startup.homepage: "http://www.msnbc.com"
FF - prefs.js..network.proxy.type: 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_265.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.0: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012/07/10 23:45:17 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/07/19 22:59:28 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012/06/05 12:51:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions
[2012/07/01 13:38:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gaab9dmo.default\extensions
[2012/07/19 22:59:28 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/07/10 23:45:17 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
[2012/07/13 20:17:47 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/07/13 20:16:36 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/07/13 20:16:36 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/07/15 12:58:52 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll File not found
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\tmills\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\user\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3690427229-769522622-1429544265-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableLockWorkstation = 1
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1298581213742 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/15 13:44:30 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/02/21 20:43:08 | 000,358,248 | R--- | M] (NETGEAR Inc.) - D:\Autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2006/05/29 04:27:40 | 000,000,047 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk /k:C *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/21 12:46:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\RK_Quarantine
[2012/07/20 16:57:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\WinPatrol
[2012/07/18 20:46:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\Sun
[2012/07/18 17:20:09 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/07/18 17:02:28 | 000,143,872 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2012/07/18 17:02:26 | 000,772,592 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\npDeployJava1.dll
[2012/07/18 17:02:26 | 000,227,824 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2012/07/18 17:01:31 | 000,174,064 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/07/18 17:01:30 | 000,174,064 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/07/17 17:33:28 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/07/15 12:58:03 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/07/14 11:47:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/07/14 11:43:28 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT

========== Files - Modified Within 30 Days ==========

[2012/07/21 13:17:02 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/07/21 13:12:03 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/07/21 12:45:47 | 000,000,786 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Shortcut to RogueKiller.lnk
[2012/07/21 12:13:14 | 000,001,029 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Shortcut to OTL.EXE-2C99CF82.pf.lnk
[2012/07/21 11:48:06 | 000,000,316 | -H-- | M] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2012/07/21 10:55:36 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/07/21 10:55:26 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/07/21 10:55:10 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/07/19 23:00:03 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/07/19 23:00:03 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/07/18 17:00:23 | 000,227,824 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2012/07/18 17:00:23 | 000,174,064 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/07/18 17:00:22 | 000,174,064 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/07/18 17:00:22 | 000,143,872 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2012/07/18 17:00:19 | 000,772,592 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\npDeployJava1.dll
[2012/07/18 17:00:19 | 000,687,600 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\deployJava1.dll
[2012/07/18 16:57:59 | 000,000,831 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Shortcut to jre-7u5-windows-i586.lnk
[2012/07/17 16:59:30 | 000,000,883 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Shortcut to TFC[1].EXE-05ED5B58.lnk
[2012/07/16 11:18:48 | 000,000,873 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Shortcut to FSBL.EXE-0406D462.lnk
[2012/07/16 10:46:45 | 000,000,873 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Shortcut to FSBL.EXE-0406D462.pf.lnk
[2012/07/15 13:39:49 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/15 12:58:52 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2012/07/14 11:43:30 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\user\Desktop\NTREGOPT.lnk
[2012/07/14 11:43:30 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\user\Desktop\ERUNT.lnk
[2012/07/14 11:29:58 | 000,000,740 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Shortcut (2) to OTL.lnk
[2012/07/14 11:29:19 | 000,000,740 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Shortcut to OTL.lnk
[2012/07/13 19:06:49 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2012/07/11 19:12:59 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/07/11 19:12:58 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/07/10 23:47:59 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/07/03 12:21:54 | 000,054,232 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2012/07/03 12:21:53 | 000,721,000 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2012/07/03 12:21:53 | 000,353,688 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2012/07/03 12:21:53 | 000,097,608 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2012/07/03 12:21:53 | 000,089,624 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2012/07/03 12:21:53 | 000,035,928 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2012/07/03 12:21:53 | 000,021,256 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2012/07/03 12:21:52 | 000,025,256 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2012/07/03 12:21:32 | 000,041,224 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2012/07/03 12:21:28 | 000,227,648 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe

========== Files Created - No Company Name ==========

[2012/07/21 12:45:47 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Shortcut to RogueKiller.lnk
[2012/07/18 16:57:59 | 000,000,831 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Shortcut to jre-7u5-windows-i586.lnk
[2012/07/17 16:59:30 | 000,000,883 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Shortcut to TFC[1].EXE-05ED5B58.lnk
[2012/07/16 11:18:48 | 000,000,873 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Shortcut to FSBL.EXE-0406D462.lnk
[2012/07/16 10:46:45 | 000,000,873 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Shortcut to FSBL.EXE-0406D462.pf.lnk
[2012/07/14 11:43:30 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\user\Desktop\NTREGOPT.lnk
[2012/07/14 11:43:30 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\user\Desktop\ERUNT.lnk
[2012/07/14 11:30:20 | 000,001,029 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Shortcut to OTL.EXE-2C99CF82.pf.lnk
[2012/07/14 11:29:58 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Shortcut (2) to OTL.lnk
[2012/07/14 11:29:19 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Shortcut to OTL.lnk
[2012/07/10 23:48:02 | 000,000,316 | -H-- | C] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2012/06/05 00:33:35 | 020,480,000 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\store-pp.jbs
[2012/02/15 10:03:34 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/02/28 13:34:55 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\user\ntuser.pol
[2008/04/17 12:16:42 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

< End of report >

Thanks for your help!
cinbar

#33
Dakeyras (Anti-Malware Mammoth, Expert, 9,665 posts)

Hi. :)

Everything is back to normal size now--the desktop icons, the home page and subsequent websites I went to, and all parts of Yahoo email.

Good. There is one file I would like analysed, please, as follows...

Reboot your machine then ensure hidden files are visible via:-

  • Click on Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Now please go to my file submission channel here.

Next to the box:- Link to topic where this file was requested: Add in the below:-

http://www.geekstogo.com/forum/topic/319613-file-window-lacks-open-so-cant-upload-attachment/
Next to the box: Browse to the file you want to submit: click on the Browse... tab and navigate to the below:-

C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Adobe\pqkdeuds.dll

Then click on the Send File tab. I will be notified when the file has been uploaded and checked.

#34
cinbar (Member, Topic Starter, 45 posts)

Dakeyras,

I rebooted and went through the show hidden files part successfully.

I pasted the link to topic at your file submission channel. When I clicked on Browse, tabs kept opening from C through Adobe.

Adobe would only open to show Acrobat or Reader. I looked through both and never found pqkdeuds.dll. As I was clicking on the correct tabs, the path to the file never appeared in the Open File box. It never showed when I clicked on Open File after Adobe either (just to see if that would make the last part--pqk--appear). I tried this several times.

Meanwhile several times as I started from Firefox to go to GTG, on the bottom tool bar appeared "redirected to ieonline.microsoft.com/ieslice#."

Thanks,
cinbar

#35
Dakeyras (Anti-Malware Mammoth, Expert, 9,665 posts)

Hi. :)

When I clicked on Browse, tabs kept opening from C through Adobe.

I am not quite sure what you mean, to be honest. Do you mean that when navigating to locate the file there is a problem going through the various windows once you double-click on C >> Documents and Settings etc.?

Anyway, please check for me if you can locate the file this way...

Using Windows Explorer (to get there right-click your Start button and select Explore), navigate to:-

C:\ >> Documents and Settings >> user >> Local Settings >> Application Data >> Microsoft >> Adobe >> pqkdeuds.dll

Just inform me whether you can locate the file or not for now.

Meanwhile several times as I started from Firefox to go to GTG, on the bottom tool bar appeared "redirected to ieonline.microsoft.com/ieslice#."

OK, we will apply a custom Hosts file now and lock it, as nothing regarding that is showing in the last OTL log... If it is still an issue we can research further what the root cause is etc.

Please Download HostsXpert and unzip it to your computer, somewhere where you can find it.

The root of the system drive would be an ideal location EG: C:\

  • Double click on HostsXpert.exe to launch the programme.
  • Check to see if top button on left hand side says Make Writable?
    • If it does, click on it then proceed to the next instruction.
    • If not, just proceed to the next instruction.
  • Click on Restore MS Hosts File to restore your Hosts file to its default condition
  • When prompted to confirm, click OK.
  • Click on the Download button (lower left hand side)
    • Click on MVPs Hosts... button.
    • Click on Replace button.
    • Click OK in the box that pops up >> then click on OK again. (HostsXpert will now download and update your Hosts file)
  • When finished.
    • Click on File Handling button.
    • Click on Make Read Only? to secure it against infection.
  • Exit the programme.

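Dakeyras's fix above resets the Hosts file, loads the MVPS list and then sets the file read-only. The following is an added example, not part of this thread and not HostsXpert's code, that audits a hosts file before that step: it tells a stock file (only the localhost lines OTL showed in post #32) from a blocklist (names pointed at 0.0.0.0 or 127.0.0.1) and from a hijack (a name pointed at a routable address), and reports whether the file is already read-only. The hosts path is the Windows XP location from the OTL log; the sample contents, including the .invalid names and the 203.0.113.5 documentation address, are constructed for the example.

```python
"""Audit a Windows hosts file before locking it.

Added example for this thread; it is not HostsXpert's code. It separates a
stock hosts file from a blocklist and from a hijack, and reports whether the
file is already read-only. The sample contents are constructed.
"""
import ipaddress
import os
import stat
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Windows XP location, as listed in the OTL log above.
HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"
SELF_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: the two stock lines OTL reported, two blocklist-style
# lines, and one hijack-style line. The .invalid names cannot resolve and
# 203.0.113.5 is an RFC 5737 documentation address.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.invalid
127.0.0.1       tracker.example.invalid   # blocklist style
203.0.113.5     update.example.invalid    # hijack style
"""


@dataclass
class Mapping:
    line_no: int
    address: str
    hostname: str
    kind: str  # "self", "block" or "redirect"


def classify(address: str, hostname: str) -> str:
    """Loopback or unspecified targets either name the machine itself or
    sinkhole a name; anything routable sends the name somewhere else."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback or ip.is_unspecified:
        return "self" if hostname.lower() in SELF_NAMES else "block"
    return "redirect"


def parse_hosts(text: str) -> List[Mapping]:
    mappings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue   # not "address name [name ...]"; leave it for a human
        for name in names:
            mappings.append(Mapping(line_no, address, name, classify(address, name)))
    return mappings


def audit(text: str) -> Dict[str, object]:
    mappings = parse_hosts(text)
    counts = Counter(m.kind for m in mappings)
    redirects = [m for m in mappings if m.kind == "redirect"]
    if redirects:
        verdict = "hijacked"      # a real name points at a routable address
    elif counts["block"]:
        verdict = "blocklist"     # MVPS-style sinkholing only
    else:
        verdict = "default"       # nothing but the machine's own names
    return {"verdict": verdict, "counts": dict(counts), "redirects": redirects}


def is_locked(path: str) -> bool:
    """True when no write bit is set; on Windows the read-only attribute that
    HostsXpert's 'Make Read Only?' sets shows up here."""
    mode = os.stat(path).st_mode
    return not mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)


def main() -> None:
    if os.path.exists(HOSTS_PATH):
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        print("read-only:", is_locked(HOSTS_PATH))
    else:
        text = SAMPLE_HOSTS
        print("hosts file not found here; auditing the constructed sample")
    report = audit(text)
    print("verdict:", report["verdict"], report["counts"])
    for m in report["redirects"]:
        print(f"  line {m.line_no}: {m.hostname} -> {m.address}")


if __name__ == "__main__":
    main()
```

One limit worth knowing: a name pointed at 127.0.0.1 is classed "block" whether it is an ad server or a vendor's update host, so the block entries of an unfamiliar file still deserve a skim for names the machine relies on. That is also why the thread replaces the whole file with a known-good copy and locks it rather than editing it line by line.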

#36
cinbar (Member, Topic Starter, 45 posts)

Dakeyras,

Sorry I wasn't clear. When navigating, every tab opened perfectly in order, from C through Adobe. When I clicked the Adobe tab, Acrobat and Reader appeared as choices. I clicked on each one separately and read through all of the files, but there was no pqkdeuds. Also, the parts of the path that had appeared in the upload file window (appearing as I clicked on the tabs) disappeared.

Today I tried the same thing per your request, from Start to Explore and then doing the navigation steps. Each tab opened perfectly. (The names of files and folders were on the left edge of the screen. Most of the screen was given to icons of file folders that appeared as I clicked on their tabs.)

As I clicked on the Adobe tab, the screen on the right went blank. I tried several times, but the computer would not keep Adobe in the list on the left or in the icon screen on the right.

HostsXpert download
I downloaded this okay. The download put it in My Computer. I moved it to Desktop. I didn't see any place that had the EG root of system drive to move it there. I did all the steps through File Handling and Make Read only.

Using Firefox to go to my homepage I got a few more "connection was reset as file was downloading" and redirects to an ie file (not the ieslice, but something else).

Thanks,
cinbar

#37
Dakeyras (Anti-Malware Mammoth, Expert, 9,665 posts)

Hi. :)

Sorry I wasn't clear.

Not a problem at all I assure you.

I propose what we do here is actually uninstall Adobe Reader (we will re-install in due course) and then check if that file is still present on your machine, and go from there.

I didn't see any place that had the EG root of system drive to move it there.

By root of the system drive, EG C:\, the latter denotes for example C:\. Fair play however, as I think in future I will amend that part of my instructions to be more user-friendly.

Anyway, running HostsXpert from the desktop is fine; just make sure not to delete it (and its folder) by mistake.

Using Firefox to go to my homepage I got a few more "connection was reset as file was downloading) and redirects to an ie file (not the is slice, but something else).

We will check that out, but within the realms of possibility it may be connected to that obscure Adobe-related file.

Next:

Do you recognise this file in your downloads folder at all: hyggee6i.exe? If not, proceed to the below...

Upload the file to my file submission channel per the instructions in post #33 please:-

C:\Documents and Settings\user\My Documents\Downloads\hyggee6i.exe

Next:

Now please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

Adobe Reader X

To do so, click once on the above highlight and then click on the Remove button.

Scan with SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    pqkdeuds.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Scan with GooredFix:

Please download GooredFix from one of the locations below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Ensure all Firefox windows are closed.
  • Double-click on GooredFix.exe to run it.
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear.
Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

#38 cinbar (Member, Topic Starter, 45 posts)

Dakeyras,

1. Here is the SystemLook log. I will post the GooredFix log in my next reply.

SystemLook 30.07.11 by jpshortstuff
Log created at 18:21 on 22/07/2012 by user
Administrator - Elevation successful

========== filefind ==========

Searching for "pqkdeuds.dll"
No files found.

-= EOF =-

2. No, I do not recognize the hyggee6i.exe or the pqkdeuds.dll from yesterday.

I went to your submission channel and each tab opened in the Browse, C through Adobe. When I clicked on the Adobe tab to see its files, it disappeared from the screen and no files within it showed.

As I clicked through each tab, never did its part of the entire file name show in the file window (no C, no Documents and Settings, etc.) so that I would have its name to Open and then Upload.

3. I went to Control Panel and removed Adobe Reader X.

Thanks for your help,
cinbar

#39 cinbar (Member, Topic Starter, 45 posts)

Dakeyras,

Here is the GooredFix log. I had pasted it into a reply (after repeated tries to get from home page to GTG) when I got disconnected again, so I had to go back and recopy and repaste. In that interval (log was minimized on tool bar) I got disconnected again. That's why I often get only one log posted per reply. Thanks, cinbar

GooredFix by jpshortstuff (03.07.10.1)
Log created at 18:39 on 22/07/2012 (user)
Firefox version 14.0.1 (en-US)

========== GooredScan ==========

(none)

Removing Orphan:
"[email protected]"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [02:59 20/07/2012]

C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\gaab9dmo.default\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"[email protected]"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [23:25 11/06/2012]

-=E.O.F=-

#40 Dakeyras (Anti-Malware Mammoth, Expert, 9,665 posts)

Hi. :)

Thanks for the concise update, let's proceed as follows shall we..

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

Click on Start >> Run...(or the Windows key and R together) to bring up the Run box and copy and paste in:
"C:\Program Files\ERUNT\ERUNT.EXE" %SystemRoot%\ERDNT\gtg-backup
and click on OK.

Note: If you have uninstalled ERUNT since we last used it, please inform myself before proceeding any further.

FixPolicies:

Please download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from here.

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box should briefly appear and then close.
  • Leave FixPolicies on your desktop please until I otherwise advise, thank you.

Download/Run ComboFix:

Please visit this webpage for download links, and instructions for running the tool:

How to use ComboFix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs <-- Click on this link.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: If ComboFix detects Rootkit activity and asks to reboot the system, please allow this to be done.

If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix should not be used unless requested by a forum helper.


When you have completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any other symptoms and or problems encountered?
  • ComboFix Log.

#41 cinbar (Member, Topic Starter, 45 posts)

Dakeyras,

I still have ERUNT and every other program you told me to download. I didn't uninstall any of them.

I backed up the Registry.

Fixed Policies is now in Desktop.

I read the ComboFix instructions. I can turn off Avast easily, but I have the free version of Malwarebytes and the instructions via your link to bleeping computer are only for the paid version. I didn't find any suggestions on Google except to uninstall it.

Should I do this or go to Control Add/Remove Programs and remove it? (And then I would reinstall it after ComboFix ran)

Since you didn't mention the firewall, I assume it's okay not to disable it before running ComboFix.

Thanks,
cinbar

#42 Dakeyras (Anti-Malware Mammoth, Expert, 9,665 posts)

Hi. :)

Fixed Policies is now in Desktop.

Do run this if you have not already done so.

I have the free version of Malwarebytes and the instructions via your link to bleeping computer are only for the paid version. I didn't find any suggestions on Google except to uninstall it.

Should I do this or go to Control Add/Remove Programs and remove it? (And then I would reinstall it after ComboFix ran)

The Protection Module for Malwarebytes' Anti-Malware is not active, so you can leave that installed for the duration of the ComboFix run.

Since you didn't mention the firewall, I assume it's okay not to disable it before running ComboFix.

Correct, this would only apply for an installed third-party software firewall, not the Windows XP SP3 inbuilt version.

#43 cinbar (Member, Topic Starter, 45 posts)

Dakeyras,

I will let you know how the computer is working later in another reply. I wanted to get the ComboFix log to you ASAP. I saw that it deleted a folder and five files. Thanks for your help, cinbar

ComboFix 12-07-21.01 - user 07/23/2012 8:22.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.185 [GMT -4:00]
Running from: c:\documents and settings\user\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\dfinstall.log
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\EventSystem.log
c:\windows\msconfig.exe
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\RegClean.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2012-06-23 to 2012-07-23 )))))))))))))))))))))))))))))))
.
.
2012-07-20 20:57 . 2012-07-20 20:57 -------- d-----w- c:\documents and settings\user\Application Data\WinPatrol
2012-07-20 02:59 . 2012-07-14 00:17 136672 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2012-07-19 00:46 . 2012-07-19 00:46 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Sun
2012-07-18 21:20 . 2012-07-18 21:20 -------- d-----w- c:\program files\Common Files\Java
2012-07-18 21:02 . 2012-07-18 21:00 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-18 21:02 . 2012-07-18 21:00 772592 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-07-17 21:33 . 2012-07-17 21:33 -------- d-----w- c:\program files\ESET
2012-07-15 16:58 . 2012-07-15 16:58 -------- d-----w- C:\_OTL
2012-07-14 15:43 . 2012-07-14 15:44 -------- d-----w- c:\program files\ERUNT
2012-06-24 00:12 . 2012-06-24 00:12 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-18 21:00 . 2011-02-24 20:41 687600 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-11 23:12 . 2012-06-05 04:18 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-11 23:12 . 2012-03-09 13:07 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 17:46 . 2012-05-29 23:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-03 16:21 . 2012-06-11 23:28 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-07-03 16:21 . 2012-06-11 23:28 353688 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-07-03 16:21 . 2012-06-11 23:28 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-07-03 16:21 . 2012-06-11 23:28 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-07-03 16:21 . 2012-06-11 23:28 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-07-03 16:21 . 2012-06-11 23:28 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-07-03 16:21 . 2012-06-11 23:28 89624 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-07-03 16:21 . 2012-06-11 23:28 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-07-03 16:21 . 2012-06-11 23:25 41224 ----a-w- c:\windows\avastSS.scr
2012-07-03 16:21 . 2012-06-11 23:25 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-06-02 19:19 . 2008-04-17 16:39 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2008-04-17 16:39 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2008-04-15 17:40 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2008-04-15 17:40 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2008-04-15 17:40 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2011-02-24 21:00 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2008-04-17 16:39 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2008-04-15 17:40 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2008-04-15 17:40 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2006-02-28 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2008-04-17 16:39 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2008-04-15 17:40 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2008-04-15 17:40 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 19:18 . 2012-01-15 20:09 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18 . 2012-01-15 20:09 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 19:18 . 2012-01-15 20:09 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22 . 2006-02-28 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2006-02-28 12:00 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:12 . 2006-02-28 12:00 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 22:59 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2008-04-15 17:38 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-14 00:17 . 2012-07-20 02:59 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-06-05 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\tmills\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\user\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:C *
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660429669-1676308955-572944225-1089\Scripts\Logon\0\0]
"Script"=loginlog.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660429669-1676308955-572944225-2360\Scripts\Logon\0\0]
"Script"=loginlog.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660429669-1676308955-572944225-8904\Scripts\Logon\0\0]
"Script"=loginlog.bat
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [6/11/2012 7:28 PM 721000]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/11/2012 7:28 PM 353688]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/11/2012 7:28 PM 21256]
R3 AR9271;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [6/18/2012 9:18 AM 1759584]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/5/2012 12:01 AM 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [6/5/2012 12:18 AM 250056]
S3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh5.sys --> c:\windows\system32\DRIVERS\bcmwlhigh5.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/5/2012 12:01 AM 136176]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-05 23:13]
.
2012-07-23 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-07-11 16:21]
.
2012-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-05 04:01]
.
2012-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-05 04:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msnbc.com/
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\gaab9dmo.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.com
FF - prefs.js: network.proxy.type - 0
FF - user.js: extensions.zonealarm.rvrtMsg - Click Yes to keep current home page and default search settings, Click No to restore original settings
FF - user.js: extensions.zonealarm.autoRvrt - true
FF - user.js: extensions.zonealarm_i.newTab - false
FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?Source=ToolBar&oemCode=ZLN113468384264695-1001&toolbarId=base&affiliateId=1001&Lan={dfltLng}&utid=3ce146bd000000000000e0469a0245e5&q=
FF - user.js: extensions.zonealarm.id - 3ce146bd000000000000e0469a0245e5
FF - user.js: extensions.zonealarm.instlDay - 15508
FF - user.js: extensions.zonealarm.vrsn - 1.5.24.4
FF - user.js: extensions.zonealarm.vrsni - 1.5.24.4
FF - user.js: extensions.zonealarm_i.vrsnTs - 1.5.24.421:47
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
FF - user.js: extensions.zonealarm.prdct - zonealarm
FF - user.js: extensions.zonealarm.aflt - 1001
FF - user.js: extensions.zonealarm_i.smplGrp - none
FF - user.js: extensions.zonealarm.tlbrId - base
FF - user.js: extensions.zonealarm.instlRef - ZLN113468384264695-1001
FF - user.js: extensions.zonealarm.dfltLng - en
FF - user.js: extensions.zonealarm.excTlbr - true
FF - user.js: extensions.zonealarm.admin - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-23 08:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2176)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\AVAST Software\Avast\setup\avast.setup
.
**************************************************************************
.
Completion time: 2012-07-23 09:00:31 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-23 13:00
.
Pre-Run: 11,777,044,480 bytes free
Post-Run: 11,682,729,984 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 55B47DF5B6315F311384C1C8D8E15152
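The Reg Loading Points section of the log above is where a rundll32-based Run entry of the kind this thread was hunting would appear, and the two tells a helper reads it for are mechanical: a DLL executed through a trusted loader such as rundll32.exe or regsvr32.exe, and a target that lives somewhere the user (and therefore the malware) can write to instead of under Program Files or the Windows directory. The Python below is an added example, not part of the thread and not code from ComboFix, RogueKiller or SystemLook; it parses lines in ComboFix's Reg Loading Points layout and applies those two checks plus a "can't even locate the binary" rule. Three of the sample values are copied from the log above; the fourth, the rundll32 "Adobe" entry and its path, is constructed for the example around the file name the thread searched for and is not a finding from this machine.

```python
import re
from typing import Dict, List

# Constructed sample in the layout ComboFix uses for its "Reg Loading Points"
# section (a bracketed key, then "name"="command" [date size] lines). The first
# three values are copied from the thread's own log; the fourth is a constructed
# rundll32 entry of the kind the thread was chasing, not a real finding.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-06-05 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
"Adobe"="rundll32.exe "c:\documents and settings\user\Local Settings\Application Data\Microsoft\Adobe\pqkdeuds.dll",DllRegisterServer"
'''

KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>.*)"(?:\s+\[\S+\s+\d+\])?$')
# Drive-letter paths ending in an executable/script extension, including
# unquoted paths containing spaces, which is how ComboFix prints them.
PATH_RE = re.compile(r'[a-z]:\\[^"]*?\.(?:exe|dll|scr|cpl|bat|cmd|vbs|js)\b', re.I)

# Trusted Windows binaries that execute whatever DLL is named on their command
# line: a Run value built on one keeps the payload out of the process list.
LOADERS = ("rundll32.exe", "regsvr32.exe")

# Locations a non-admin XP user can write to (matched against lowercased paths).
# Legitimate startup entries almost always point into Program Files or Windows.
USER_WRITABLE = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
    "\\my documents\\",
    "\\recycler\\",
    "\\temp\\",
)


def parse_reg_loading_points(text: str) -> List[Dict[str, str]]:
    """Return one {key, name, cmd} record per Run value, tagged with the key it sits under."""
    records: List[Dict[str, str]] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            key = k.group("key")
            continue
        v = VALUE_RE.match(line)
        if v and key is not None:
            records.append({"key": key, "name": v.group("name"), "cmd": v.group("cmd")})
    return records


def triage(record: Dict[str, str]) -> List[str]:
    """Reasons a startup value deserves a closer look; an empty list means it passed these rules."""
    cmd = record["cmd"].lower()
    paths = PATH_RE.findall(cmd)
    reasons: List[str] = []
    loader = next((l for l in LOADERS if l in cmd), None)
    if loader and any(p.endswith(".dll") for p in paths):
        reasons.append(f"DLL executed via {loader}")
    for p in paths:
        if any(marker in p for marker in USER_WRITABLE):
            reasons.append(f"target in user-writable location: {p}")
    if not paths:
        reasons.append("no resolvable binary path in command")
    return reasons


def suspicious_entries(text: str) -> List[Dict[str, object]]:
    """Run-key values from a ComboFix-style log that trip at least one triage rule."""
    hits: List[Dict[str, object]] = []
    for rec in parse_reg_loading_points(text):
        reasons = triage(rec)
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_LOG):
        print(f'{hit["key"]}\n  "{hit["name"]}" = {hit["cmd"]}')
        for reason in hit["reasons"]:
            print("    -", reason)
```

Run as-is it flags only the constructed "Adobe" value, for both reasons. To triage a real machine, paste the whole Reg Loading Points section of the log into SAMPLE_LOG or read it from a file. The user-writable list is an XP-era heuristic: per-user updaters on later Windows versions legitimately live under AppData, so treat a hit there as a prompt to check the file's signature, age and size, not as a verdict.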

#44 cinbar (Member, Topic Starter, 45 posts)

Dakeyras,

I haven't had much time to be online since I sent the ComboFix log to you in my previous reply, but the computer is running faster and not redirecting me to other sites so far.

Thanks,
cinbar

#45 Dakeyras (Anti-Malware Mammoth, Expert, 9,665 posts)

Hi. :)

the computer is running faster and not redirecting me to other sites so far.

Good...Please move ComboFix to the desktop as it will need to be there for running the custom script below.

It is currently residing in your downloads folder.

Custom ComboFix-Script:

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    ClearJavaCache::
    
    File::
    C:\Documents and Settings\user\My Documents\Downloads\hyggee6i.exe
    
    FireFox::
    FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\gaab9dmo.default\
    FF - user.js: extensions.zonealarm.rvrtMsg - Click Yes to keep current home page and default search settings, Click No to restore original settings
    FF - user.js: extensions.zonealarm.autoRvrt - true
    FF - user.js: extensions.zonealarm_i.newTab - false
    FF - user.js: extensions.zonealarm.tlbrSrchUrl 
    FF - user.js: extensions.zonealarm.id - 3ce146bd000000000000e0469a0245e5
    FF - user.js: extensions.zonealarm.instlDay - 15508
    FF - user.js: extensions.zonealarm.vrsn - 1.5.24.4
    FF - user.js: extensions.zonealarm.vrsni - 1.5.24.4
    FF - user.js: extensions.zonealarm_i.vrsnTs - 1.5.24.421:47
    FF - user.js: extensions.zonealarm.prtnrId - checkpoint
    FF - user.js: extensions.zonealarm.prdct - zonealarm
    FF - user.js: extensions.zonealarm.aflt - 1001
    FF - user.js: extensions.zonealarm_i.smplGrp - none
    FF - user.js: extensions.zonealarm.tlbrId - base
    FF - user.js: extensions.zonealarm.instlRef - ZLN113468384264695-1001
    FF - user.js: extensions.zonealarm.dfltLng - en
    FF - user.js: extensions.zonealarm.excTlbr - true
    FF - user.js: extensions.zonealarm.admin - false
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm LTD Toolbar]
    
    Reboot::
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    (screenshot: CFScript.txt being dragged onto ComboFix.exe)
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
Caution: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.

Malwarebytes Anti-Malware:

  • Launch the application, Check for Updates >> Perform quick scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

When you have completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • New ComboFix Log.
  • Malwarebytes Anti-Malware Log.

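The FireFox:: block in the CFScript above lists user.js preferences rather than only the toolbar's uninstall key because Firefox re-reads user.js at every start and copies its values over prefs.js: a homepage or search engine put back through the Options dialog is undone at the next launch for as long as the entries stay in user.js, which is exactly what an autoRvrt/rvrtMsg pair is for. The Python below is an added example, not part of the thread and not ComboFix code; it parses the user_pref lines of a user.js file, strips the ones under given prefixes the way the CFScript's FireFox:: section does, and reports any surviving entries that touch a short watchlist of homepage, search and proxy pref names that hijackers typically set. The sample file is constructed for the example and is not cinbar's actual user.js.

```python
import json
import re
from typing import List, Tuple

# Constructed sample user.js (not the thread's real file). The zonealarm entries
# mirror the pref names listed in the CFScript; the homepage line shows a pref
# that would keep being re-asserted even after the toolbar's own prefs are gone.
SAMPLE_USER_JS = '''// constructed sample
user_pref("extensions.zonealarm.autoRvrt", true);
user_pref("extensions.zonealarm.rvrtMsg", "Click Yes to keep current home page and default search settings, Click No to restore original settings");
user_pref("extensions.zonealarm_i.newTab", false);
user_pref("extensions.zonealarm.instlDay", 15508);
user_pref("browser.startup.homepage", "http://www.example.com/");
'''

PREF_RE = re.compile(r'^\s*user_pref\("(?P<name>[^"]+)",\s*(?P<value>.+)\);\s*$')

# Pref names a homepage/search hijacker needs to keep re-asserting. Very few end
# users write a user.js by hand, so any of these set from user.js merits a look.
WATCHLIST = (
    "browser.startup.homepage",
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
    "keyword.URL",
    "browser.newtab.url",
    "network.proxy.",
)


def parse_user_js(text: str) -> List[Tuple[str, object]]:
    """Return (name, typed value) per user_pref line; comments and blanks are skipped."""
    prefs: List[Tuple[str, object]] = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        raw = m.group("value").strip()
        if raw in ("true", "false"):
            value = raw == "true"
        elif raw.lstrip("-").isdigit():
            value = int(raw)
        else:
            value = json.loads(raw)  # quoted string; JSON escapes match the JS ones used here
        prefs.append((m.group("name"), value))
    return prefs


def strip_prefs(text: str, prefixes: Tuple[str, ...]) -> Tuple[str, List[str]]:
    """Drop user_pref lines whose name starts with one of `prefixes`; keep everything else verbatim."""
    kept: List[str] = []
    removed: List[str] = []
    for line in text.splitlines(keepends=True):
        m = PREF_RE.match(line)
        if m and m.group("name").startswith(prefixes):
            removed.append(m.group("name"))
        else:
            kept.append(line)
    return "".join(kept), removed


def reasserted_watchlist_prefs(text: str) -> List[str]:
    """Names of watchlisted prefs that user.js will force back on every Firefox start."""
    return [name for name, _ in parse_user_js(text) if name.startswith(WATCHLIST)]


if __name__ == "__main__":
    cleaned, gone = strip_prefs(SAMPLE_USER_JS, ("extensions.zonealarm.", "extensions.zonealarm_i."))
    print("removed:", *gone, sep="\n  ")
    print("still re-asserted from user.js:", reasserted_watchlist_prefs(cleaned))
```

Point it at a real profile's user.js (the profile path is printed in the ComboFix log's FF - ProfilePath line) with Firefox closed; if the file contains nothing but the stripped entries, deleting it outright is the cleaner fix, since Firefox runs fine without a user.js.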





